tortls.c 54 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723
  1. /* Copyright (c) 2003, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2011, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. /**
  6. * \file tortls.c
  7. * \brief Wrapper functions to present a consistent interface to
  8. * TLS, SSL, and X.509 functions from OpenSSL.
  9. **/
  10. /* (Unlike other tor functions, these
  11. * are prefixed with tor_ in order to avoid conflicting with OpenSSL
  12. * functions and variables.)
  13. */
  14. #include "orconfig.h"
  15. #if defined (WINCE)
  16. #include <WinSock2.h>
  17. #endif
  18. #include <assert.h>
  19. #ifdef MS_WINDOWS /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
  20. #define WIN32_WINNT 0x400
  21. #define _WIN32_WINNT 0x400
  22. #define WIN32_LEAN_AND_MEAN
  23. #if defined(_MSC_VER) && (_MSC_VER < 1300)
  24. #include <winsock.h>
  25. #else
  26. #include <winsock2.h>
  27. #include <ws2tcpip.h>
  28. #endif
  29. #endif
  30. #include <openssl/ssl.h>
  31. #include <openssl/ssl3.h>
  32. #include <openssl/err.h>
  33. #include <openssl/tls1.h>
  34. #include <openssl/asn1.h>
  35. #include <openssl/bio.h>
  36. #include <openssl/opensslv.h>
  37. #if OPENSSL_VERSION_NUMBER < 0x00907000l
  38. #error "We require OpenSSL >= 0.9.7"
  39. #endif
  40. #define CRYPTO_PRIVATE /* to import prototypes from crypto.h */
  41. #include "crypto.h"
  42. #include "tortls.h"
  43. #include "util.h"
  44. #include "torlog.h"
  45. #include "container.h"
  46. #include "ht.h"
  47. #include <string.h>
  48. /* Enable the "v2" TLS handshake.
  49. */
  50. #define V2_HANDSHAKE_SERVER
  51. #define V2_HANDSHAKE_CLIENT
  52. /* Copied from or.h */
  53. #define LEGAL_NICKNAME_CHARACTERS \
  54. "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  55. /** How long do identity certificates live? (sec) */
  56. #define IDENTITY_CERT_LIFETIME (365*24*60*60)
  57. #define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")
  58. /* We redefine these so that we can run correctly even if the vendor gives us
  59. * a version of OpenSSL that does not match its header files. (Apple: I am
  60. * looking at you.)
  61. */
  62. #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  63. #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
  64. #endif
  65. #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  66. #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
  67. #endif
  68. /** Does the run-time openssl version look like we need
  69. * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
  70. static int use_unsafe_renegotiation_op = 0;
  71. /** Does the run-time openssl version look like we need
  72. * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
  73. static int use_unsafe_renegotiation_flag = 0;
  74. /** Holds a SSL_CTX object and related state used to configure TLS
  75. * connections.
  76. */
  77. typedef struct tor_tls_context_t {
  78. int refcnt;
  79. SSL_CTX *ctx;
  80. X509 *my_cert;
  81. X509 *my_id_cert;
  82. crypto_pk_env_t *key;
  83. } tor_tls_context_t;
  84. /** Holds a SSL object and its associated data. Members are only
  85. * accessed from within tortls.c.
  86. */
  87. struct tor_tls_t {
  88. HT_ENTRY(tor_tls_t) node;
  89. tor_tls_context_t *context; /** A link to the context object for this tls. */
  90. SSL *ssl; /**< An OpenSSL SSL object. */
  91. int socket; /**< The underlying file descriptor for this TLS connection. */
  92. char *address; /**< An address to log when describing this connection. */
  93. enum {
  94. TOR_TLS_ST_HANDSHAKE, TOR_TLS_ST_OPEN, TOR_TLS_ST_GOTCLOSE,
  95. TOR_TLS_ST_SENTCLOSE, TOR_TLS_ST_CLOSED, TOR_TLS_ST_RENEGOTIATE,
  96. } state : 3; /**< The current SSL state, depending on which operations have
  97. * completed successfully. */
  98. unsigned int isServer:1; /**< True iff this is a server-side connection */
  99. unsigned int wasV2Handshake:1; /**< True iff the original handshake for
  100. * this connection used the updated version
  101. * of the connection protocol (client sends
  102. * different cipher list, server sends only
  103. * one certificate). */
  104. /** True iff we should call negotiated_callback when we're done reading. */
  105. unsigned int got_renegotiate:1;
  106. size_t wantwrite_n; /**< 0 normally, >0 if we returned wantwrite last
  107. * time. */
  108. /** Last values retrieved from BIO_number_read()/write(); see
  109. * tor_tls_get_n_raw_bytes() for usage.
  110. */
  111. unsigned long last_write_count;
  112. unsigned long last_read_count;
  113. /** If set, a callback to invoke whenever the client tries to renegotiate
  114. * the handshake. */
  115. void (*negotiated_callback)(tor_tls_t *tls, void *arg);
  116. /** Argument to pass to negotiated_callback. */
  117. void *callback_arg;
  118. };
  119. #ifdef V2_HANDSHAKE_CLIENT
  120. /** An array of fake SSL_CIPHER objects that we use in order to trick OpenSSL
  121. * in client mode into advertising the ciphers we want. See
  122. * rectify_client_ciphers() for details. */
  123. static SSL_CIPHER *CLIENT_CIPHER_DUMMIES = NULL;
  124. /** A stack of SSL_CIPHER objects, some real, some fake.
  125. * See rectify_client_ciphers() for details. */
  126. static STACK_OF(SSL_CIPHER) *CLIENT_CIPHER_STACK = NULL;
  127. #endif
  128. /** Helper: compare tor_tls_t objects by its SSL. */
  129. static INLINE int
  130. tor_tls_entries_eq(const tor_tls_t *a, const tor_tls_t *b)
  131. {
  132. return a->ssl == b->ssl;
  133. }
  134. /** Helper: return a hash value for a tor_tls_t by its SSL. */
  135. static INLINE unsigned int
  136. tor_tls_entry_hash(const tor_tls_t *a)
  137. {
  138. #if SIZEOF_INT == SIZEOF_VOID_P
  139. return ((unsigned int)(uintptr_t)a->ssl);
  140. #else
  141. return (unsigned int) ((((uint64_t)a->ssl)>>2) & UINT_MAX);
  142. #endif
  143. }
  144. /** Map from SSL* pointers to tor_tls_t objects using those pointers.
  145. */
  146. static HT_HEAD(tlsmap, tor_tls_t) tlsmap_root = HT_INITIALIZER();
  147. HT_PROTOTYPE(tlsmap, tor_tls_t, node, tor_tls_entry_hash,
  148. tor_tls_entries_eq)
  149. HT_GENERATE(tlsmap, tor_tls_t, node, tor_tls_entry_hash,
  150. tor_tls_entries_eq, 0.6, malloc, realloc, free)
  151. /** Helper: given a SSL* pointer, return the tor_tls_t object using that
  152. * pointer. */
  153. static INLINE tor_tls_t *
  154. tor_tls_get_by_ssl(const SSL *ssl)
  155. {
  156. tor_tls_t search, *result;
  157. memset(&search, 0, sizeof(search));
  158. search.ssl = (SSL*)ssl;
  159. result = HT_FIND(tlsmap, &tlsmap_root, &search);
  160. return result;
  161. }
  162. static void tor_tls_context_decref(tor_tls_context_t *ctx);
  163. static void tor_tls_context_incref(tor_tls_context_t *ctx);
  164. static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa,
  165. crypto_pk_env_t *rsa_sign,
  166. const char *cname,
  167. const char *cname_sign,
  168. unsigned int lifetime);
  169. static void tor_tls_unblock_renegotiation(tor_tls_t *tls);
  170. static int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
  171. crypto_pk_env_t *identity,
  172. unsigned int key_lifetime);
  173. static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity,
  174. unsigned int key_lifetime);
  175. /** Global TLS contexts. We keep them here because nobody else needs
  176. * to touch them. */
  177. static tor_tls_context_t *server_tls_context = NULL;
  178. static tor_tls_context_t *client_tls_context = NULL;
  179. /** True iff tor_tls_init() has been called. */
  180. static int tls_library_is_initialized = 0;
  181. /* Module-internal error codes. */
  182. #define _TOR_TLS_SYSCALL (_MIN_TOR_TLS_ERROR_VAL - 2)
  183. #define _TOR_TLS_ZERORETURN (_MIN_TOR_TLS_ERROR_VAL - 1)
  184. #include "tortls_states.h"
  185. /** Return the symbolic name of an OpenSSL state. */
  186. static const char *
  187. ssl_state_to_string(int ssl_state)
  188. {
  189. static char buf[40];
  190. int i;
  191. for (i = 0; state_map[i].name; ++i) {
  192. if (state_map[i].state == ssl_state)
  193. return state_map[i].name;
  194. }
  195. tor_snprintf(buf, sizeof(buf), "Unknown state %d", ssl_state);
  196. return buf;
  197. }
  198. /** Log all pending tls errors at level <b>severity</b>. Use
  199. * <b>doing</b> to describe our current activities.
  200. */
  201. static void
  202. tls_log_errors(tor_tls_t *tls, int severity, int domain, const char *doing)
  203. {
  204. const char *state = NULL;
  205. int st;
  206. unsigned long err;
  207. const char *msg, *lib, *func, *addr;
  208. addr = tls ? tls->address : NULL;
  209. st = (tls && tls->ssl) ? tls->ssl->state : -1;
  210. while ((err = ERR_get_error()) != 0) {
  211. msg = (const char*)ERR_reason_error_string(err);
  212. lib = (const char*)ERR_lib_error_string(err);
  213. func = (const char*)ERR_func_error_string(err);
  214. if (!state)
  215. state = (st>=0)?ssl_state_to_string(st):"---";
  216. if (!msg) msg = "(null)";
  217. if (!lib) lib = "(null)";
  218. if (!func) func = "(null)";
  219. if (doing) {
  220. log(severity, domain, "TLS error while %s%s%s: %s (in %s:%s:%s)",
  221. doing, addr?" with ":"", addr?addr:"",
  222. msg, lib, func, state);
  223. } else {
  224. log(severity, domain, "TLS error%s%s: %s (in %s:%s:%s)",
  225. addr?" with ":"", addr?addr:"",
  226. msg, lib, func, state);
  227. }
  228. }
  229. }
  230. /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
  231. * code. */
  232. static int
  233. tor_errno_to_tls_error(int e)
  234. {
  235. #if defined(MS_WINDOWS)
  236. switch (e) {
  237. case WSAECONNRESET: // most common
  238. return TOR_TLS_ERROR_CONNRESET;
  239. case WSAETIMEDOUT:
  240. return TOR_TLS_ERROR_TIMEOUT;
  241. case WSAENETUNREACH:
  242. case WSAEHOSTUNREACH:
  243. return TOR_TLS_ERROR_NO_ROUTE;
  244. case WSAECONNREFUSED:
  245. return TOR_TLS_ERROR_CONNREFUSED; // least common
  246. default:
  247. return TOR_TLS_ERROR_MISC;
  248. }
  249. #else
  250. switch (e) {
  251. case ECONNRESET: // most common
  252. return TOR_TLS_ERROR_CONNRESET;
  253. case ETIMEDOUT:
  254. return TOR_TLS_ERROR_TIMEOUT;
  255. case EHOSTUNREACH:
  256. case ENETUNREACH:
  257. return TOR_TLS_ERROR_NO_ROUTE;
  258. case ECONNREFUSED:
  259. return TOR_TLS_ERROR_CONNREFUSED; // least common
  260. default:
  261. return TOR_TLS_ERROR_MISC;
  262. }
  263. #endif
  264. }
  265. /** Given a TOR_TLS_* error code, return a string equivalent. */
  266. const char *
  267. tor_tls_err_to_string(int err)
  268. {
  269. if (err >= 0)
  270. return "[Not an error.]";
  271. switch (err) {
  272. case TOR_TLS_ERROR_MISC: return "misc error";
  273. case TOR_TLS_ERROR_IO: return "unexpected close";
  274. case TOR_TLS_ERROR_CONNREFUSED: return "connection refused";
  275. case TOR_TLS_ERROR_CONNRESET: return "connection reset";
  276. case TOR_TLS_ERROR_NO_ROUTE: return "host unreachable";
  277. case TOR_TLS_ERROR_TIMEOUT: return "connection timed out";
  278. case TOR_TLS_CLOSE: return "closed";
  279. case TOR_TLS_WANTREAD: return "want to read";
  280. case TOR_TLS_WANTWRITE: return "want to write";
  281. default: return "(unknown error code)";
  282. }
  283. }
  284. #define CATCH_SYSCALL 1
  285. #define CATCH_ZERO 2
  286. /** Given a TLS object and the result of an SSL_* call, use
  287. * SSL_get_error to determine whether an error has occurred, and if so
  288. * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
  289. * If extra&CATCH_SYSCALL is true, return _TOR_TLS_SYSCALL instead of
  290. * reporting syscall errors. If extra&CATCH_ZERO is true, return
  291. * _TOR_TLS_ZERORETURN instead of reporting zero-return errors.
  292. *
  293. * If an error has occurred, log it at level <b>severity</b> and describe the
  294. * current action as <b>doing</b>.
  295. */
  296. static int
  297. tor_tls_get_error(tor_tls_t *tls, int r, int extra,
  298. const char *doing, int severity, int domain)
  299. {
  300. int err = SSL_get_error(tls->ssl, r);
  301. int tor_error = TOR_TLS_ERROR_MISC;
  302. switch (err) {
  303. case SSL_ERROR_NONE:
  304. return TOR_TLS_DONE;
  305. case SSL_ERROR_WANT_READ:
  306. return TOR_TLS_WANTREAD;
  307. case SSL_ERROR_WANT_WRITE:
  308. return TOR_TLS_WANTWRITE;
  309. case SSL_ERROR_SYSCALL:
  310. if (extra&CATCH_SYSCALL)
  311. return _TOR_TLS_SYSCALL;
  312. if (r == 0) {
  313. log(severity, LD_NET, "TLS error: unexpected close while %s (%s)",
  314. doing, ssl_state_to_string(tls->ssl->state));
  315. tor_error = TOR_TLS_ERROR_IO;
  316. } else {
  317. int e = tor_socket_errno(tls->socket);
  318. log(severity, LD_NET,
  319. "TLS error: <syscall error while %s> (errno=%d: %s; state=%s)",
  320. doing, e, tor_socket_strerror(e),
  321. ssl_state_to_string(tls->ssl->state));
  322. tor_error = tor_errno_to_tls_error(e);
  323. }
  324. tls_log_errors(tls, severity, domain, doing);
  325. return tor_error;
  326. case SSL_ERROR_ZERO_RETURN:
  327. if (extra&CATCH_ZERO)
  328. return _TOR_TLS_ZERORETURN;
  329. log(severity, LD_NET, "TLS connection closed while %s in state %s",
  330. doing, ssl_state_to_string(tls->ssl->state));
  331. tls_log_errors(tls, severity, domain, doing);
  332. return TOR_TLS_CLOSE;
  333. default:
  334. tls_log_errors(tls, severity, domain, doing);
  335. return TOR_TLS_ERROR_MISC;
  336. }
  337. }
  338. /** Initialize OpenSSL, unless it has already been initialized.
  339. */
  340. static void
  341. tor_tls_init(void)
  342. {
  343. if (!tls_library_is_initialized) {
  344. long version;
  345. SSL_library_init();
  346. SSL_load_error_strings();
  347. version = SSLeay();
  348. /* OpenSSL 0.9.8l introduced SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  349. * here, but without thinking too hard about it: it turns out that the
  350. * flag in question needed to be set at the last minute, and that it
  351. * conflicted with an existing flag number that had already been added
  352. * in the OpenSSL 1.0.0 betas. OpenSSL 0.9.8m thoughtfully replaced
  353. * the flag with an option and (it seems) broke anything that used
  354. * SSL3_FLAGS_* for the purpose. So we need to know how to do both,
  355. * and we mustn't use the SSL3_FLAGS option with anything besides
  356. * OpenSSL 0.9.8l.
  357. *
  358. * No, we can't just set flag 0x0010 everywhere. It breaks Tor with
  359. * OpenSSL 1.0.0beta3 and later. On the other hand, we might be able to
  360. * set option 0x00040000L everywhere.
  361. *
  362. * No, we can't simply detect whether the flag or the option is present
  363. * in the headers at build-time: some vendors (notably Apple) like to
  364. * leave their headers out of sync with their libraries.
  365. *
  366. * Yes, it _is_ almost as if the OpenSSL developers decided that no
  367. * program should be allowed to use renegotiation unless it first passed
  368. * a test of intelligence and determination.
  369. */
  370. if (version >= 0x009080c0L && version < 0x009080d0L) {
  371. log_notice(LD_GENERAL, "OpenSSL %s looks like version 0.9.8l; "
  372. "I will try SSL3_FLAGS to enable renegotation.",
  373. SSLeay_version(SSLEAY_VERSION));
  374. use_unsafe_renegotiation_flag = 1;
  375. use_unsafe_renegotiation_op = 1;
  376. } else if (version >= 0x009080d0L) {
  377. log_notice(LD_GENERAL, "OpenSSL %s looks like version 0.9.8m or later; "
  378. "I will try SSL_OP to enable renegotiation",
  379. SSLeay_version(SSLEAY_VERSION));
  380. use_unsafe_renegotiation_op = 1;
  381. } else if (version < 0x009080c0L) {
  382. log_notice(LD_GENERAL, "OpenSSL %s [%lx] looks like it's older than "
  383. "0.9.8l, but some vendors have backported 0.9.8l's "
  384. "renegotiation code to earlier versions, and some have "
  385. "backported the code from 0.9.8m or 0.9.8n. I'll set both "
  386. "SSL3_FLAGS and SSL_OP just to be safe.",
  387. SSLeay_version(SSLEAY_VERSION), version);
  388. use_unsafe_renegotiation_flag = 1;
  389. use_unsafe_renegotiation_op = 1;
  390. } else {
  391. log_info(LD_GENERAL, "OpenSSL %s has version %lx",
  392. SSLeay_version(SSLEAY_VERSION), version);
  393. }
  394. tls_library_is_initialized = 1;
  395. }
  396. }
  397. /** Free all global TLS structures. */
  398. void
  399. tor_tls_free_all(void)
  400. {
  401. if (server_tls_context) {
  402. tor_tls_context_t *ctx = server_tls_context;
  403. server_tls_context = NULL;
  404. tor_tls_context_decref(ctx);
  405. }
  406. if (client_tls_context) {
  407. tor_tls_context_t *ctx = client_tls_context;
  408. client_tls_context = NULL;
  409. tor_tls_context_decref(ctx);
  410. }
  411. if (!HT_EMPTY(&tlsmap_root)) {
  412. log_warn(LD_MM, "Still have entries in the tlsmap at shutdown.");
  413. }
  414. HT_CLEAR(tlsmap, &tlsmap_root);
  415. #ifdef V2_HANDSHAKE_CLIENT
  416. if (CLIENT_CIPHER_DUMMIES)
  417. tor_free(CLIENT_CIPHER_DUMMIES);
  418. if (CLIENT_CIPHER_STACK)
  419. sk_SSL_CIPHER_free(CLIENT_CIPHER_STACK);
  420. #endif
  421. }
  422. /** We need to give OpenSSL a callback to verify certificates. This is
  423. * it: We always accept peer certs and complete the handshake. We
  424. * don't validate them until later.
  425. */
  426. static int
  427. always_accept_verify_cb(int preverify_ok,
  428. X509_STORE_CTX *x509_ctx)
  429. {
  430. (void) preverify_ok;
  431. (void) x509_ctx;
  432. return 1;
  433. }
  434. /** Return a newly allocated X509 name with commonName <b>cname</b>. */
  435. static X509_NAME *
  436. tor_x509_name_new(const char *cname)
  437. {
  438. int nid;
  439. X509_NAME *name;
  440. if (!(name = X509_NAME_new()))
  441. return NULL;
  442. if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
  443. if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
  444. (unsigned char*)cname, -1, -1, 0)))
  445. goto error;
  446. return name;
  447. error:
  448. X509_NAME_free(name);
  449. return NULL;
  450. }
  451. /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
  452. * signed by the private key <b>rsa_sign</b>. The commonName of the
  453. * certificate will be <b>cname</b>; the commonName of the issuer will be
  454. * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
  455. * starting from now. Return a certificate on success, NULL on
  456. * failure.
  457. */
  458. static X509 *
  459. tor_tls_create_certificate(crypto_pk_env_t *rsa,
  460. crypto_pk_env_t *rsa_sign,
  461. const char *cname,
  462. const char *cname_sign,
  463. unsigned int cert_lifetime)
  464. {
  465. time_t start_time, end_time;
  466. EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
  467. X509 *x509 = NULL;
  468. X509_NAME *name = NULL, *name_issuer=NULL;
  469. tor_tls_init();
  470. start_time = time(NULL);
  471. tor_assert(rsa);
  472. tor_assert(cname);
  473. tor_assert(rsa_sign);
  474. tor_assert(cname_sign);
  475. if (!(sign_pkey = _crypto_pk_env_get_evp_pkey(rsa_sign,1)))
  476. goto error;
  477. if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,0)))
  478. goto error;
  479. if (!(x509 = X509_new()))
  480. goto error;
  481. if (!(X509_set_version(x509, 2)))
  482. goto error;
  483. if (!(ASN1_INTEGER_set(X509_get_serialNumber(x509), (long)start_time)))
  484. goto error;
  485. if (!(name = tor_x509_name_new(cname)))
  486. goto error;
  487. if (!(X509_set_subject_name(x509, name)))
  488. goto error;
  489. if (!(name_issuer = tor_x509_name_new(cname_sign)))
  490. goto error;
  491. if (!(X509_set_issuer_name(x509, name_issuer)))
  492. goto error;
  493. if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
  494. goto error;
  495. end_time = start_time + cert_lifetime;
  496. if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
  497. goto error;
  498. if (!X509_set_pubkey(x509, pkey))
  499. goto error;
  500. if (!X509_sign(x509, sign_pkey, EVP_sha1()))
  501. goto error;
  502. goto done;
  503. error:
  504. if (x509) {
  505. X509_free(x509);
  506. x509 = NULL;
  507. }
  508. done:
  509. tls_log_errors(NULL, LOG_WARN, LD_NET, "generating certificate");
  510. if (sign_pkey)
  511. EVP_PKEY_free(sign_pkey);
  512. if (pkey)
  513. EVP_PKEY_free(pkey);
  514. if (name)
  515. X509_NAME_free(name);
  516. if (name_issuer)
  517. X509_NAME_free(name_issuer);
  518. return x509;
  519. }
  520. /** List of ciphers that servers should select from.*/
  521. #define SERVER_CIPHER_LIST \
  522. (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \
  523. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \
  524. SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
  525. /* Note: to set up your own private testing network with link crypto
  526. * disabled, set your Tors' cipher list to
  527. * (SSL3_TXT_RSA_NULL_SHA). If you do this, you won't be able to communicate
  528. * with any of the "real" Tors, though. */
  529. #ifdef V2_HANDSHAKE_CLIENT
  530. #define CIPHER(id, name) name ":"
  531. #define XCIPHER(id, name)
  532. /** List of ciphers that clients should advertise, omitting items that
  533. * our OpenSSL doesn't know about. */
  534. static const char CLIENT_CIPHER_LIST[] =
  535. #include "./ciphers.inc"
  536. ;
  537. #undef CIPHER
  538. #undef XCIPHER
  539. /** Holds a cipher that we want to advertise, and its 2-byte ID. */
  540. typedef struct cipher_info_t { unsigned id; const char *name; } cipher_info_t;
  541. /** A list of all the ciphers that clients should advertise, including items
  542. * that OpenSSL might not know about. */
  543. static const cipher_info_t CLIENT_CIPHER_INFO_LIST[] = {
  544. #define CIPHER(id, name) { id, name },
  545. #define XCIPHER(id, name) { id, #name },
  546. #include "./ciphers.inc"
  547. #undef CIPHER
  548. #undef XCIPHER
  549. };
  550. /** The length of CLIENT_CIPHER_INFO_LIST and CLIENT_CIPHER_DUMMIES. */
  551. static const int N_CLIENT_CIPHERS =
  552. sizeof(CLIENT_CIPHER_INFO_LIST)/sizeof(CLIENT_CIPHER_INFO_LIST[0]);
  553. #endif
  554. #ifndef V2_HANDSHAKE_CLIENT
  555. #undef CLIENT_CIPHER_LIST
  556. #define CLIENT_CIPHER_LIST (TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \
  557. SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
  558. #endif
  559. /** Remove a reference to <b>ctx</b>, and free it if it has no more
  560. * references. */
  561. static void
  562. tor_tls_context_decref(tor_tls_context_t *ctx)
  563. {
  564. tor_assert(ctx);
  565. if (--ctx->refcnt == 0) {
  566. SSL_CTX_free(ctx->ctx);
  567. X509_free(ctx->my_cert);
  568. X509_free(ctx->my_id_cert);
  569. crypto_free_pk_env(ctx->key);
  570. tor_free(ctx);
  571. }
  572. }
  573. /** Increase the reference count of <b>ctx</b>. */
  574. static void
  575. tor_tls_context_incref(tor_tls_context_t *ctx)
  576. {
  577. ++ctx->refcnt;
  578. }
  579. /** Create new global client and server TLS contexts.
  580. *
  581. * If <b>server_identity</b> is NULL, this will not generate a server
  582. * TLS context. If <b>is_public_server</b> is non-zero, this will use
  583. * the same TLS context for incoming and outgoing connections, and
  584. * ignore <b>client_identity</b>. */
  585. int
  586. tor_tls_context_init(int is_public_server,
  587. crypto_pk_env_t *client_identity,
  588. crypto_pk_env_t *server_identity,
  589. unsigned int key_lifetime)
  590. {
  591. int rv1 = 0;
  592. int rv2 = 0;
  593. if (is_public_server) {
  594. tor_tls_context_t *new_ctx;
  595. tor_tls_context_t *old_ctx;
  596. tor_assert(server_identity != NULL);
  597. rv1 = tor_tls_context_init_one(&server_tls_context,
  598. server_identity,
  599. key_lifetime);
  600. if (rv1 >= 0) {
  601. new_ctx = server_tls_context;
  602. tor_tls_context_incref(new_ctx);
  603. old_ctx = client_tls_context;
  604. client_tls_context = new_ctx;
  605. if (old_ctx != NULL) {
  606. tor_tls_context_decref(old_ctx);
  607. }
  608. }
  609. } else {
  610. if (server_identity != NULL) {
  611. rv1 = tor_tls_context_init_one(&server_tls_context,
  612. server_identity,
  613. key_lifetime);
  614. } else {
  615. tor_tls_context_t *old_ctx = server_tls_context;
  616. server_tls_context = NULL;
  617. if (old_ctx != NULL) {
  618. tor_tls_context_decref(old_ctx);
  619. }
  620. }
  621. rv2 = tor_tls_context_init_one(&client_tls_context,
  622. client_identity,
  623. key_lifetime);
  624. }
  625. return MIN(rv1, rv2);
  626. }
  627. /** Create a new global TLS context.
  628. *
  629. * You can call this function multiple times. Each time you call it,
  630. * it generates new certificates; all new connections will use
  631. * the new SSL context.
  632. */
  633. static int
  634. tor_tls_context_init_one(tor_tls_context_t **ppcontext,
  635. crypto_pk_env_t *identity,
  636. unsigned int key_lifetime)
  637. {
  638. tor_tls_context_t *new_ctx = tor_tls_context_new(identity,
  639. key_lifetime);
  640. tor_tls_context_t *old_ctx = *ppcontext;
  641. if (new_ctx != NULL) {
  642. *ppcontext = new_ctx;
  643. /* Free the old context if one existed. */
  644. if (old_ctx != NULL) {
  645. /* This is safe even if there are open connections: we reference-
  646. * count tor_tls_context_t objects. */
  647. tor_tls_context_decref(old_ctx);
  648. }
  649. }
  650. return ((new_ctx != NULL) ? 0 : -1);
  651. }
  652. /** Create a new TLS context for use with Tor TLS handshakes.
  653. * <b>identity</b> should be set to the identity key used to sign the
  654. * certificate.
  655. */
  656. static tor_tls_context_t *
  657. tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
  658. {
  659. crypto_pk_env_t *rsa = NULL;
  660. EVP_PKEY *pkey = NULL;
  661. tor_tls_context_t *result = NULL;
  662. X509 *cert = NULL, *idcert = NULL;
  663. char *nickname = NULL, *nn2 = NULL;
  664. tor_tls_init();
  665. nickname = crypto_random_hostname(8, 20, "www.", ".net");
  666. nn2 = crypto_random_hostname(8, 20, "www.", ".net");
  667. /* Generate short-term RSA key. */
  668. if (!(rsa = crypto_new_pk_env()))
  669. goto error;
  670. if (crypto_pk_generate_key(rsa)<0)
  671. goto error;
  672. /* Create certificate signed by identity key. */
  673. cert = tor_tls_create_certificate(rsa, identity, nickname, nn2,
  674. key_lifetime);
  675. /* Create self-signed certificate for identity key. */
  676. idcert = tor_tls_create_certificate(identity, identity, nn2, nn2,
  677. IDENTITY_CERT_LIFETIME);
  678. if (!cert || !idcert) {
  679. log(LOG_WARN, LD_CRYPTO, "Error creating certificate");
  680. goto error;
  681. }
  682. result = tor_malloc_zero(sizeof(tor_tls_context_t));
  683. result->refcnt = 1;
  684. result->my_cert = X509_dup(cert);
  685. result->my_id_cert = X509_dup(idcert);
  686. result->key = crypto_pk_dup_key(rsa);
  687. #ifdef EVERYONE_HAS_AES
  688. /* Tell OpenSSL to only use TLS1 */
  689. if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
  690. goto error;
  691. #else
  692. /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
  693. if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
  694. goto error;
  695. SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
  696. #endif
  697. SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
  698. #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  699. SSL_CTX_set_options(result->ctx,
  700. SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
  701. #endif
  702. /* Yes, we know what we are doing here. No, we do not treat a renegotiation
  703. * as authenticating any earlier-received data.
  704. */
  705. if (use_unsafe_renegotiation_op) {
  706. SSL_CTX_set_options(result->ctx,
  707. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
  708. }
  709. /* Don't actually allow compression; it uses ram and time, but the data
  710. * we transmit is all encrypted anyway. */
  711. if (result->ctx->comp_methods)
  712. result->ctx->comp_methods = NULL;
  713. #ifdef SSL_MODE_RELEASE_BUFFERS
  714. SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
  715. #endif
  716. if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
  717. goto error;
  718. X509_free(cert); /* We just added a reference to cert. */
  719. cert=NULL;
  720. if (idcert) {
  721. X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
  722. tor_assert(s);
  723. X509_STORE_add_cert(s, idcert);
  724. X509_free(idcert); /* The context now owns the reference to idcert */
  725. idcert = NULL;
  726. }
  727. SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
  728. tor_assert(rsa);
  729. if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1)))
  730. goto error;
  731. if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
  732. goto error;
  733. EVP_PKEY_free(pkey);
  734. pkey = NULL;
  735. if (!SSL_CTX_check_private_key(result->ctx))
  736. goto error;
  737. {
  738. crypto_dh_env_t *dh = crypto_dh_new();
  739. SSL_CTX_set_tmp_dh(result->ctx, _crypto_dh_env_get_dh(dh));
  740. crypto_dh_free(dh);
  741. }
  742. SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
  743. always_accept_verify_cb);
  744. /* let us realloc bufs that we're writing from */
  745. SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
  746. if (rsa)
  747. crypto_free_pk_env(rsa);
  748. tor_free(nickname);
  749. tor_free(nn2);
  750. return result;
  751. error:
  752. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating TLS context");
  753. tor_free(nickname);
  754. tor_free(nn2);
  755. if (pkey)
  756. EVP_PKEY_free(pkey);
  757. if (rsa)
  758. crypto_free_pk_env(rsa);
  759. if (result)
  760. tor_tls_context_decref(result);
  761. if (cert)
  762. X509_free(cert);
  763. if (idcert)
  764. X509_free(idcert);
  765. return NULL;
  766. }
  767. #ifdef V2_HANDSHAKE_SERVER
  768. /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
  769. * a list that indicates that the client knows how to do the v2 TLS connection
  770. * handshake. */
  771. static int
  772. tor_tls_client_is_using_v2_ciphers(const SSL *ssl, const char *address)
  773. {
  774. int i;
  775. SSL_SESSION *session;
  776. /* If we reached this point, we just got a client hello. See if there is
  777. * a cipher list. */
  778. if (!(session = SSL_get_session((SSL *)ssl))) {
  779. log_info(LD_NET, "No session on TLS?");
  780. return 0;
  781. }
  782. if (!session->ciphers) {
  783. log_info(LD_NET, "No ciphers on session");
  784. return 0;
  785. }
  786. /* Now we need to see if there are any ciphers whose presence means we're
  787. * dealing with an updated Tor. */
  788. for (i = 0; i < sk_SSL_CIPHER_num(session->ciphers); ++i) {
  789. SSL_CIPHER *cipher = sk_SSL_CIPHER_value(session->ciphers, i);
  790. const char *ciphername = SSL_CIPHER_get_name(cipher);
  791. if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
  792. strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
  793. strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) &&
  794. strcmp(ciphername, "(NONE)")) {
  795. log_debug(LD_NET, "Got a non-version-1 cipher called '%s'", ciphername);
  796. // return 1;
  797. goto dump_list;
  798. }
  799. }
  800. return 0;
  801. dump_list:
  802. {
  803. smartlist_t *elts = smartlist_create();
  804. char *s;
  805. for (i = 0; i < sk_SSL_CIPHER_num(session->ciphers); ++i) {
  806. SSL_CIPHER *cipher = sk_SSL_CIPHER_value(session->ciphers, i);
  807. const char *ciphername = SSL_CIPHER_get_name(cipher);
  808. smartlist_add(elts, (char*)ciphername);
  809. }
  810. s = smartlist_join_strings(elts, ":", 0, NULL);
  811. log_debug(LD_NET, "Got a non-version-1 cipher list from %s. It is: '%s'",
  812. address, s);
  813. tor_free(s);
  814. smartlist_free(elts);
  815. }
  816. return 1;
  817. }
  818. /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
  819. * changes state. We use this:
  820. * <ul><li>To alter the state of the handshake partway through, so we
  821. * do not send or request extra certificates in v2 handshakes.</li>
  822. * <li>To detect renegotiation</li></ul>
  823. */
  824. static void
  825. tor_tls_server_info_callback(const SSL *ssl, int type, int val)
  826. {
  827. tor_tls_t *tls;
  828. (void) val;
  829. if (type != SSL_CB_ACCEPT_LOOP)
  830. return;
  831. if (ssl->state != SSL3_ST_SW_SRVR_HELLO_A)
  832. return;
  833. tls = tor_tls_get_by_ssl(ssl);
  834. if (tls) {
  835. /* Check whether we're watching for renegotiates. If so, this is one! */
  836. if (tls->negotiated_callback)
  837. tls->got_renegotiate = 1;
  838. } else {
  839. log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
  840. }
  841. /* Now check the cipher list. */
  842. if (tor_tls_client_is_using_v2_ciphers(ssl, ADDR(tls))) {
  843. /*XXXX_TLS keep this from happening more than once! */
  844. /* Yes, we're casting away the const from ssl. This is very naughty of us.
  845. * Let's hope openssl doesn't notice! */
  846. /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
  847. SSL_set_mode((SSL*) ssl, SSL_MODE_NO_AUTO_CHAIN);
  848. /* Don't send a hello request. */
  849. SSL_set_verify((SSL*) ssl, SSL_VERIFY_NONE, NULL);
  850. if (tls) {
  851. tls->wasV2Handshake = 1;
  852. } else {
  853. log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
  854. }
  855. }
  856. }
  857. #endif
  858. /** Replace *<b>ciphers</b> with a new list of SSL ciphersuites: specifically,
  859. * a list designed to mimic a common web browser. Some of the ciphers in the
  860. * list won't actually be implemented by OpenSSL: that's okay so long as the
  861. * server doesn't select them, and the server won't select anything besides
  862. * what's in SERVER_CIPHER_LIST.
  863. *
  864. * [If the server <b>does</b> select a bogus cipher, we won't crash or
  865. * anything; we'll just fail later when we try to look up the cipher in
  866. * ssl->cipher_list_by_id.]
  867. */
  868. static void
  869. rectify_client_ciphers(STACK_OF(SSL_CIPHER) **ciphers)
  870. {
  871. #ifdef V2_HANDSHAKE_CLIENT
  872. if (PREDICT_UNLIKELY(!CLIENT_CIPHER_STACK)) {
  873. /* We need to set CLIENT_CIPHER_STACK to an array of the ciphers
  874. * we want.*/
  875. int i = 0, j = 0;
  876. /* First, create a dummy SSL_CIPHER for every cipher. */
  877. CLIENT_CIPHER_DUMMIES =
  878. tor_malloc_zero(sizeof(SSL_CIPHER)*N_CLIENT_CIPHERS);
  879. for (i=0; i < N_CLIENT_CIPHERS; ++i) {
  880. CLIENT_CIPHER_DUMMIES[i].valid = 1;
  881. CLIENT_CIPHER_DUMMIES[i].id = CLIENT_CIPHER_INFO_LIST[i].id | (3<<24);
  882. CLIENT_CIPHER_DUMMIES[i].name = CLIENT_CIPHER_INFO_LIST[i].name;
  883. }
  884. CLIENT_CIPHER_STACK = sk_SSL_CIPHER_new_null();
  885. tor_assert(CLIENT_CIPHER_STACK);
  886. log_debug(LD_NET, "List was: %s", CLIENT_CIPHER_LIST);
  887. for (j = 0; j < sk_SSL_CIPHER_num(*ciphers); ++j) {
  888. SSL_CIPHER *cipher = sk_SSL_CIPHER_value(*ciphers, j);
  889. log_debug(LD_NET, "Cipher %d: %lx %s", j, cipher->id, cipher->name);
  890. }
  891. /* Then copy as many ciphers as we can from the good list, inserting
  892. * dummies as needed. */
  893. j=0;
  894. for (i = 0; i < N_CLIENT_CIPHERS; ) {
  895. SSL_CIPHER *cipher = NULL;
  896. if (j < sk_SSL_CIPHER_num(*ciphers))
  897. cipher = sk_SSL_CIPHER_value(*ciphers, j);
  898. if (cipher && ((cipher->id >> 24) & 0xff) != 3) {
  899. log_debug(LD_NET, "Skipping v2 cipher %s", cipher->name);
  900. ++j;
  901. } else if (cipher &&
  902. (cipher->id & 0xffff) == CLIENT_CIPHER_INFO_LIST[i].id) {
  903. log_debug(LD_NET, "Found cipher %s", cipher->name);
  904. sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, cipher);
  905. ++j;
  906. ++i;
  907. } else {
  908. log_debug(LD_NET, "Inserting fake %s", CLIENT_CIPHER_DUMMIES[i].name);
  909. sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, &CLIENT_CIPHER_DUMMIES[i]);
  910. ++i;
  911. }
  912. }
  913. }
  914. sk_SSL_CIPHER_free(*ciphers);
  915. *ciphers = sk_SSL_CIPHER_dup(CLIENT_CIPHER_STACK);
  916. tor_assert(*ciphers);
  917. #else
  918. (void)ciphers;
  919. #endif
  920. }
  921. /** Create a new TLS object from a file descriptor, and a flag to
  922. * determine whether it is functioning as a server.
  923. */
  924. tor_tls_t *
  925. tor_tls_new(int sock, int isServer)
  926. {
  927. BIO *bio = NULL;
  928. tor_tls_t *result = tor_malloc_zero(sizeof(tor_tls_t));
  929. tor_tls_context_t *context = isServer ? server_tls_context :
  930. client_tls_context;
  931. tor_assert(context); /* make sure somebody made it first */
  932. if (!(result->ssl = SSL_new(context->ctx))) {
  933. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating SSL object");
  934. tor_free(result);
  935. return NULL;
  936. }
  937. #ifdef SSL_set_tlsext_host_name
  938. /* Browsers use the TLS hostname extension, so we should too. */
  939. if (!isServer) {
  940. char *fake_hostname = crypto_random_hostname(4,25, "www.",".com");
  941. SSL_set_tlsext_host_name(result->ssl, fake_hostname);
  942. tor_free(fake_hostname);
  943. }
  944. #endif
  945. if (!SSL_set_cipher_list(result->ssl,
  946. isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST)) {
  947. tls_log_errors(NULL, LOG_WARN, LD_NET, "setting ciphers");
  948. #ifdef SSL_set_tlsext_host_name
  949. SSL_set_tlsext_host_name(result->ssl, NULL);
  950. #endif
  951. SSL_free(result->ssl);
  952. tor_free(result);
  953. return NULL;
  954. }
  955. if (!isServer)
  956. rectify_client_ciphers(&result->ssl->cipher_list);
  957. result->socket = sock;
  958. bio = BIO_new_socket(sock, BIO_NOCLOSE);
  959. if (! bio) {
  960. tls_log_errors(NULL, LOG_WARN, LD_NET, "opening BIO");
  961. #ifdef SSL_set_tlsext_host_name
  962. SSL_set_tlsext_host_name(result->ssl, NULL);
  963. #endif
  964. SSL_free(result->ssl);
  965. tor_free(result);
  966. return NULL;
  967. }
  968. HT_INSERT(tlsmap, &tlsmap_root, result);
  969. SSL_set_bio(result->ssl, bio, bio);
  970. tor_tls_context_incref(context);
  971. result->context = context;
  972. result->state = TOR_TLS_ST_HANDSHAKE;
  973. result->isServer = isServer;
  974. result->wantwrite_n = 0;
  975. result->last_write_count = BIO_number_written(bio);
  976. result->last_read_count = BIO_number_read(bio);
  977. if (result->last_write_count || result->last_read_count) {
  978. log_warn(LD_NET, "Newly created BIO has read count %lu, write count %lu",
  979. result->last_read_count, result->last_write_count);
  980. }
  981. #ifdef V2_HANDSHAKE_SERVER
  982. if (isServer) {
  983. SSL_set_info_callback(result->ssl, tor_tls_server_info_callback);
  984. }
  985. #endif
  986. /* Not expected to get called. */
  987. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating tor_tls_t object");
  988. return result;
  989. }
  990. /** Make future log messages about <b>tls</b> display the address
  991. * <b>address</b>.
  992. */
  993. void
  994. tor_tls_set_logged_address(tor_tls_t *tls, const char *address)
  995. {
  996. tor_assert(tls);
  997. tor_free(tls->address);
  998. tls->address = tor_strdup(address);
  999. }
  1000. /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
  1001. * next gets a client-side renegotiate in the middle of a read. Do not
  1002. * invoke this function until <em>after</em> initial handshaking is done!
  1003. */
  1004. void
  1005. tor_tls_set_renegotiate_callback(tor_tls_t *tls,
  1006. void (*cb)(tor_tls_t *, void *arg),
  1007. void *arg)
  1008. {
  1009. tls->negotiated_callback = cb;
  1010. tls->callback_arg = arg;
  1011. tls->got_renegotiate = 0;
  1012. #ifdef V2_HANDSHAKE_SERVER
  1013. if (cb) {
  1014. SSL_set_info_callback(tls->ssl, tor_tls_server_info_callback);
  1015. } else {
  1016. SSL_set_info_callback(tls->ssl, NULL);
  1017. }
  1018. #endif
  1019. }
  1020. /** If this version of openssl requires it, turn on renegotiation on
  1021. * <b>tls</b>.
  1022. */
  1023. static void
  1024. tor_tls_unblock_renegotiation(tor_tls_t *tls)
  1025. {
  1026. /* Yes, we know what we are doing here. No, we do not treat a renegotiation
  1027. * as authenticating any earlier-received data. */
  1028. if (use_unsafe_renegotiation_flag) {
  1029. tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
  1030. }
  1031. if (use_unsafe_renegotiation_op) {
  1032. SSL_set_options(tls->ssl,
  1033. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
  1034. }
  1035. }
  1036. /** If this version of openssl supports it, turn off renegotiation on
  1037. * <b>tls</b>. (Our protocol never requires this for security, but it's nice
  1038. * to use belt-and-suspenders here.)
  1039. */
  1040. void
  1041. tor_tls_block_renegotiation(tor_tls_t *tls)
  1042. {
  1043. tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
  1044. }
  1045. /** Return whether this tls initiated the connect (client) or
  1046. * received it (server). */
  1047. int
  1048. tor_tls_is_server(tor_tls_t *tls)
  1049. {
  1050. tor_assert(tls);
  1051. return tls->isServer;
  1052. }
  1053. /** Release resources associated with a TLS object. Does not close the
  1054. * underlying file descriptor.
  1055. */
  1056. void
  1057. tor_tls_free(tor_tls_t *tls)
  1058. {
  1059. tor_tls_t *removed;
  1060. if (!tls)
  1061. return;
  1062. tor_assert(tls->ssl);
  1063. removed = HT_REMOVE(tlsmap, &tlsmap_root, tls);
  1064. if (!removed) {
  1065. log_warn(LD_BUG, "Freeing a TLS that was not in the ssl->tls map.");
  1066. }
  1067. #ifdef SSL_set_tlsext_host_name
  1068. SSL_set_tlsext_host_name(tls->ssl, NULL);
  1069. #endif
  1070. SSL_free(tls->ssl);
  1071. tls->ssl = NULL;
  1072. tls->negotiated_callback = NULL;
  1073. if (tls->context)
  1074. tor_tls_context_decref(tls->context);
  1075. tor_free(tls->address);
  1076. tor_free(tls);
  1077. }
  1078. /** Underlying function for TLS reading. Reads up to <b>len</b>
  1079. * characters from <b>tls</b> into <b>cp</b>. On success, returns the
  1080. * number of characters read. On failure, returns TOR_TLS_ERROR,
  1081. * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
  1082. */
  1083. int
  1084. tor_tls_read(tor_tls_t *tls, char *cp, size_t len)
  1085. {
  1086. int r, err;
  1087. tor_assert(tls);
  1088. tor_assert(tls->ssl);
  1089. tor_assert(tls->state == TOR_TLS_ST_OPEN);
  1090. tor_assert(len<INT_MAX);
  1091. r = SSL_read(tls->ssl, cp, (int)len);
  1092. if (r > 0) {
  1093. #ifdef V2_HANDSHAKE_SERVER
  1094. if (tls->got_renegotiate) {
  1095. /* Renegotiation happened! */
  1096. log_info(LD_NET, "Got a TLS renegotiation from %s", ADDR(tls));
  1097. if (tls->negotiated_callback)
  1098. tls->negotiated_callback(tls, tls->callback_arg);
  1099. tls->got_renegotiate = 0;
  1100. }
  1101. #endif
  1102. return r;
  1103. }
  1104. err = tor_tls_get_error(tls, r, CATCH_ZERO, "reading", LOG_DEBUG, LD_NET);
  1105. if (err == _TOR_TLS_ZERORETURN || err == TOR_TLS_CLOSE) {
  1106. log_debug(LD_NET,"read returned r=%d; TLS is closed",r);
  1107. tls->state = TOR_TLS_ST_CLOSED;
  1108. return TOR_TLS_CLOSE;
  1109. } else {
  1110. tor_assert(err != TOR_TLS_DONE);
  1111. log_debug(LD_NET,"read returned r=%d, err=%d",r,err);
  1112. return err;
  1113. }
  1114. }
  1115. /** Underlying function for TLS writing. Write up to <b>n</b>
  1116. * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
  1117. * number of characters written. On failure, returns TOR_TLS_ERROR,
  1118. * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
  1119. */
  1120. int
  1121. tor_tls_write(tor_tls_t *tls, const char *cp, size_t n)
  1122. {
  1123. int r, err;
  1124. tor_assert(tls);
  1125. tor_assert(tls->ssl);
  1126. tor_assert(tls->state == TOR_TLS_ST_OPEN);
  1127. tor_assert(n < INT_MAX);
  1128. if (n == 0)
  1129. return 0;
  1130. if (tls->wantwrite_n) {
  1131. /* if WANTWRITE last time, we must use the _same_ n as before */
  1132. tor_assert(n >= tls->wantwrite_n);
  1133. log_debug(LD_NET,"resuming pending-write, (%d to flush, reusing %d)",
  1134. (int)n, (int)tls->wantwrite_n);
  1135. n = tls->wantwrite_n;
  1136. tls->wantwrite_n = 0;
  1137. }
  1138. r = SSL_write(tls->ssl, cp, (int)n);
  1139. err = tor_tls_get_error(tls, r, 0, "writing", LOG_INFO, LD_NET);
  1140. if (err == TOR_TLS_DONE) {
  1141. return r;
  1142. }
  1143. if (err == TOR_TLS_WANTWRITE || err == TOR_TLS_WANTREAD) {
  1144. tls->wantwrite_n = n;
  1145. }
  1146. return err;
  1147. }
  1148. /** Perform initial handshake on <b>tls</b>. When finished, returns
  1149. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
  1150. * or TOR_TLS_WANTWRITE.
  1151. */
  1152. int
  1153. tor_tls_handshake(tor_tls_t *tls)
  1154. {
  1155. int r;
  1156. int oldstate;
  1157. tor_assert(tls);
  1158. tor_assert(tls->ssl);
  1159. tor_assert(tls->state == TOR_TLS_ST_HANDSHAKE);
  1160. check_no_tls_errors();
  1161. oldstate = tls->ssl->state;
  1162. if (tls->isServer) {
  1163. log_debug(LD_HANDSHAKE, "About to call SSL_accept on %p (%s)", tls,
  1164. ssl_state_to_string(tls->ssl->state));
  1165. r = SSL_accept(tls->ssl);
  1166. } else {
  1167. log_debug(LD_HANDSHAKE, "About to call SSL_connect on %p (%s)", tls,
  1168. ssl_state_to_string(tls->ssl->state));
  1169. r = SSL_connect(tls->ssl);
  1170. }
  1171. if (oldstate != tls->ssl->state)
  1172. log_debug(LD_HANDSHAKE, "After call, %p was in state %s",
  1173. tls, ssl_state_to_string(tls->ssl->state));
  1174. /* We need to call this here and not earlier, since OpenSSL has a penchant
  1175. * for clearing its flags when you say accept or connect. */
  1176. tor_tls_unblock_renegotiation(tls);
  1177. r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO, LD_HANDSHAKE);
  1178. if (ERR_peek_error() != 0) {
  1179. tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN, LD_HANDSHAKE,
  1180. "handshaking");
  1181. return TOR_TLS_ERROR_MISC;
  1182. }
  1183. if (r == TOR_TLS_DONE) {
  1184. tls->state = TOR_TLS_ST_OPEN;
  1185. if (tls->isServer) {
  1186. SSL_set_info_callback(tls->ssl, NULL);
  1187. SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
  1188. /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
  1189. tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN;
  1190. #ifdef V2_HANDSHAKE_SERVER
  1191. if (tor_tls_client_is_using_v2_ciphers(tls->ssl, ADDR(tls))) {
  1192. /* This check is redundant, but back when we did it in the callback,
  1193. * we might have not been able to look up the tor_tls_t if the code
  1194. * was buggy. Fixing that. */
  1195. if (!tls->wasV2Handshake) {
  1196. log_warn(LD_BUG, "For some reason, wasV2Handshake didn't"
  1197. " get set. Fixing that.");
  1198. }
  1199. tls->wasV2Handshake = 1;
  1200. log_debug(LD_HANDSHAKE,
  1201. "Completed V2 TLS handshake with client; waiting "
  1202. "for renegotiation.");
  1203. } else {
  1204. tls->wasV2Handshake = 0;
  1205. }
  1206. #endif
  1207. } else {
  1208. #ifdef V2_HANDSHAKE_CLIENT
  1209. /* If we got no ID cert, we're a v2 handshake. */
  1210. X509 *cert = SSL_get_peer_certificate(tls->ssl);
  1211. STACK_OF(X509) *chain = SSL_get_peer_cert_chain(tls->ssl);
  1212. int n_certs = sk_X509_num(chain);
  1213. if (n_certs > 1 || (n_certs == 1 && cert != sk_X509_value(chain, 0))) {
  1214. log_debug(LD_HANDSHAKE, "Server sent back multiple certificates; it "
  1215. "looks like a v1 handshake on %p", tls);
  1216. tls->wasV2Handshake = 0;
  1217. } else {
  1218. log_debug(LD_HANDSHAKE,
  1219. "Server sent back a single certificate; looks like "
  1220. "a v2 handshake on %p.", tls);
  1221. tls->wasV2Handshake = 1;
  1222. }
  1223. if (cert)
  1224. X509_free(cert);
  1225. #endif
  1226. if (SSL_set_cipher_list(tls->ssl, SERVER_CIPHER_LIST) == 0) {
  1227. tls_log_errors(NULL, LOG_WARN, LD_HANDSHAKE, "re-setting ciphers");
  1228. r = TOR_TLS_ERROR_MISC;
  1229. }
  1230. }
  1231. }
  1232. return r;
  1233. }
  1234. /** Client only: Renegotiate a TLS session. When finished, returns
  1235. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or
  1236. * TOR_TLS_WANTWRITE.
  1237. */
  1238. int
  1239. tor_tls_renegotiate(tor_tls_t *tls)
  1240. {
  1241. int r;
  1242. tor_assert(tls);
  1243. /* We could do server-initiated renegotiation too, but that would be tricky.
  1244. * Instead of "SSL_renegotiate, then SSL_do_handshake until done" */
  1245. tor_assert(!tls->isServer);
  1246. if (tls->state != TOR_TLS_ST_RENEGOTIATE) {
  1247. int r = SSL_renegotiate(tls->ssl);
  1248. if (r <= 0) {
  1249. return tor_tls_get_error(tls, r, 0, "renegotiating", LOG_WARN,
  1250. LD_HANDSHAKE);
  1251. }
  1252. tls->state = TOR_TLS_ST_RENEGOTIATE;
  1253. }
  1254. r = SSL_do_handshake(tls->ssl);
  1255. if (r == 1) {
  1256. tls->state = TOR_TLS_ST_OPEN;
  1257. return TOR_TLS_DONE;
  1258. } else
  1259. return tor_tls_get_error(tls, r, 0, "renegotiating handshake", LOG_INFO,
  1260. LD_HANDSHAKE);
  1261. }
  1262. /** Shut down an open tls connection <b>tls</b>. When finished, returns
  1263. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
  1264. * or TOR_TLS_WANTWRITE.
  1265. */
  1266. int
  1267. tor_tls_shutdown(tor_tls_t *tls)
  1268. {
  1269. int r, err;
  1270. char buf[128];
  1271. tor_assert(tls);
  1272. tor_assert(tls->ssl);
  1273. while (1) {
  1274. if (tls->state == TOR_TLS_ST_SENTCLOSE) {
  1275. /* If we've already called shutdown once to send a close message,
  1276. * we read until the other side has closed too.
  1277. */
  1278. do {
  1279. r = SSL_read(tls->ssl, buf, 128);
  1280. } while (r>0);
  1281. err = tor_tls_get_error(tls, r, CATCH_ZERO, "reading to shut down",
  1282. LOG_INFO, LD_NET);
  1283. if (err == _TOR_TLS_ZERORETURN) {
  1284. tls->state = TOR_TLS_ST_GOTCLOSE;
  1285. /* fall through... */
  1286. } else {
  1287. return err;
  1288. }
  1289. }
  1290. r = SSL_shutdown(tls->ssl);
  1291. if (r == 1) {
  1292. /* If shutdown returns 1, the connection is entirely closed. */
  1293. tls->state = TOR_TLS_ST_CLOSED;
  1294. return TOR_TLS_DONE;
  1295. }
  1296. err = tor_tls_get_error(tls, r, CATCH_SYSCALL|CATCH_ZERO, "shutting down",
  1297. LOG_INFO, LD_NET);
  1298. if (err == _TOR_TLS_SYSCALL) {
  1299. /* The underlying TCP connection closed while we were shutting down. */
  1300. tls->state = TOR_TLS_ST_CLOSED;
  1301. return TOR_TLS_DONE;
  1302. } else if (err == _TOR_TLS_ZERORETURN) {
  1303. /* The TLS connection says that it sent a shutdown record, but
  1304. * isn't done shutting down yet. Make sure that this hasn't
  1305. * happened before, then go back to the start of the function
  1306. * and try to read.
  1307. */
  1308. if (tls->state == TOR_TLS_ST_GOTCLOSE ||
  1309. tls->state == TOR_TLS_ST_SENTCLOSE) {
  1310. log(LOG_WARN, LD_NET,
  1311. "TLS returned \"half-closed\" value while already half-closed");
  1312. return TOR_TLS_ERROR_MISC;
  1313. }
  1314. tls->state = TOR_TLS_ST_SENTCLOSE;
  1315. /* fall through ... */
  1316. } else {
  1317. return err;
  1318. }
  1319. } /* end loop */
  1320. }
  1321. /** Return true iff this TLS connection is authenticated.
  1322. */
  1323. int
  1324. tor_tls_peer_has_cert(tor_tls_t *tls)
  1325. {
  1326. X509 *cert;
  1327. cert = SSL_get_peer_certificate(tls->ssl);
  1328. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "getting peer certificate");
  1329. if (!cert)
  1330. return 0;
  1331. X509_free(cert);
  1332. return 1;
  1333. }
  1334. /** Warn that a certificate lifetime extends through a certain range. */
  1335. static void
  1336. log_cert_lifetime(X509 *cert, const char *problem)
  1337. {
  1338. BIO *bio = NULL;
  1339. BUF_MEM *buf;
  1340. char *s1=NULL, *s2=NULL;
  1341. char mytime[33];
  1342. time_t now = time(NULL);
  1343. struct tm tm;
  1344. if (problem)
  1345. log_warn(LD_GENERAL,
  1346. "Certificate %s: is your system clock set incorrectly?",
  1347. problem);
  1348. if (!(bio = BIO_new(BIO_s_mem()))) {
  1349. log_warn(LD_GENERAL, "Couldn't allocate BIO!"); goto end;
  1350. }
  1351. if (!(ASN1_TIME_print(bio, X509_get_notBefore(cert)))) {
  1352. tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
  1353. goto end;
  1354. }
  1355. BIO_get_mem_ptr(bio, &buf);
  1356. s1 = tor_strndup(buf->data, buf->length);
  1357. (void)BIO_reset(bio);
  1358. if (!(ASN1_TIME_print(bio, X509_get_notAfter(cert)))) {
  1359. tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
  1360. goto end;
  1361. }
  1362. BIO_get_mem_ptr(bio, &buf);
  1363. s2 = tor_strndup(buf->data, buf->length);
  1364. strftime(mytime, 32, "%b %d %H:%M:%S %Y GMT", tor_gmtime_r(&now, &tm));
  1365. log_warn(LD_GENERAL,
  1366. "(certificate lifetime runs from %s through %s. Your time is %s.)",
  1367. s1,s2,mytime);
  1368. end:
  1369. /* Not expected to get invoked */
  1370. tls_log_errors(NULL, LOG_WARN, LD_NET, "getting certificate lifetime");
  1371. if (bio)
  1372. BIO_free(bio);
  1373. tor_free(s1);
  1374. tor_free(s2);
  1375. }
  1376. /** Helper function: try to extract a link certificate and an identity
  1377. * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
  1378. * *<b>id_cert_out</b> respectively. Log all messages at level
  1379. * <b>severity</b>.
  1380. *
  1381. * Note that a reference is added to cert_out, so it needs to be
  1382. * freed. id_cert_out doesn't. */
  1383. static void
  1384. try_to_extract_certs_from_tls(int severity, tor_tls_t *tls,
  1385. X509 **cert_out, X509 **id_cert_out)
  1386. {
  1387. X509 *cert = NULL, *id_cert = NULL;
  1388. STACK_OF(X509) *chain = NULL;
  1389. int num_in_chain, i;
  1390. *cert_out = *id_cert_out = NULL;
  1391. if (!(cert = SSL_get_peer_certificate(tls->ssl)))
  1392. return;
  1393. *cert_out = cert;
  1394. if (!(chain = SSL_get_peer_cert_chain(tls->ssl)))
  1395. return;
  1396. num_in_chain = sk_X509_num(chain);
  1397. /* 1 means we're receiving (server-side), and it's just the id_cert.
  1398. * 2 means we're connecting (client-side), and it's both the link
  1399. * cert and the id_cert.
  1400. */
  1401. if (num_in_chain < 1) {
  1402. log_fn(severity,LD_PROTOCOL,
  1403. "Unexpected number of certificates in chain (%d)",
  1404. num_in_chain);
  1405. return;
  1406. }
  1407. for (i=0; i<num_in_chain; ++i) {
  1408. id_cert = sk_X509_value(chain, i);
  1409. if (X509_cmp(id_cert, cert) != 0)
  1410. break;
  1411. }
  1412. *id_cert_out = id_cert;
  1413. }
  1414. /** If the provided tls connection is authenticated and has a
  1415. * certificate chain that is currently valid and signed, then set
  1416. * *<b>identity_key</b> to the identity certificate's key and return
  1417. * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
  1418. */
  1419. int
  1420. tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity_key)
  1421. {
  1422. X509 *cert = NULL, *id_cert = NULL;
  1423. EVP_PKEY *id_pkey = NULL;
  1424. RSA *rsa;
  1425. int r = -1;
  1426. *identity_key = NULL;
  1427. try_to_extract_certs_from_tls(severity, tls, &cert, &id_cert);
  1428. if (!cert)
  1429. goto done;
  1430. if (!id_cert) {
  1431. log_fn(severity,LD_PROTOCOL,"No distinct identity certificate found");
  1432. goto done;
  1433. }
  1434. if (!(id_pkey = X509_get_pubkey(id_cert)) ||
  1435. X509_verify(cert, id_pkey) <= 0) {
  1436. log_fn(severity,LD_PROTOCOL,"X509_verify on cert and pkey returned <= 0");
  1437. tls_log_errors(tls, severity, LD_HANDSHAKE, "verifying certificate");
  1438. goto done;
  1439. }
  1440. rsa = EVP_PKEY_get1_RSA(id_pkey);
  1441. if (!rsa)
  1442. goto done;
  1443. *identity_key = _crypto_new_pk_env_rsa(rsa);
  1444. r = 0;
  1445. done:
  1446. if (cert)
  1447. X509_free(cert);
  1448. if (id_pkey)
  1449. EVP_PKEY_free(id_pkey);
  1450. /* This should never get invoked, but let's make sure in case OpenSSL
  1451. * acts unexpectedly. */
  1452. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "finishing tor_tls_verify");
  1453. return r;
  1454. }
  1455. /** Check whether the certificate set on the connection <b>tls</b> is
  1456. * expired or not-yet-valid, give or take <b>tolerance</b>
  1457. * seconds. Return 0 for valid, -1 for failure.
  1458. *
  1459. * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
  1460. */
  1461. int
  1462. tor_tls_check_lifetime(tor_tls_t *tls, int tolerance)
  1463. {
  1464. time_t now, t;
  1465. X509 *cert;
  1466. int r = -1;
  1467. now = time(NULL);
  1468. if (!(cert = SSL_get_peer_certificate(tls->ssl)))
  1469. goto done;
  1470. t = now + tolerance;
  1471. if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) {
  1472. log_cert_lifetime(cert, "not yet valid");
  1473. goto done;
  1474. }
  1475. t = now - tolerance;
  1476. if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) {
  1477. log_cert_lifetime(cert, "already expired");
  1478. goto done;
  1479. }
  1480. r = 0;
  1481. done:
  1482. if (cert)
  1483. X509_free(cert);
  1484. /* Not expected to get invoked */
  1485. tls_log_errors(tls, LOG_WARN, LD_NET, "checking certificate lifetime");
  1486. return r;
  1487. }
  1488. /** Return the number of bytes available for reading from <b>tls</b>.
  1489. */
  1490. int
  1491. tor_tls_get_pending_bytes(tor_tls_t *tls)
  1492. {
  1493. tor_assert(tls);
  1494. return SSL_pending(tls->ssl);
  1495. }
  1496. /** If <b>tls</b> requires that the next write be of a particular size,
  1497. * return that size. Otherwise, return 0. */
  1498. size_t
  1499. tor_tls_get_forced_write_size(tor_tls_t *tls)
  1500. {
  1501. return tls->wantwrite_n;
  1502. }
  1503. /** Sets n_read and n_written to the number of bytes read and written,
  1504. * respectively, on the raw socket used by <b>tls</b> since the last time this
  1505. * function was called on <b>tls</b>. */
  1506. void
  1507. tor_tls_get_n_raw_bytes(tor_tls_t *tls, size_t *n_read, size_t *n_written)
  1508. {
  1509. BIO *wbio, *tmpbio;
  1510. unsigned long r, w;
  1511. r = BIO_number_read(SSL_get_rbio(tls->ssl));
  1512. /* We want the number of bytes actually for real written. Unfortunately,
  1513. * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
  1514. * which makes the answer turn out wrong. Let's cope with that. Note
  1515. * that this approach will fail if we ever replace tls->ssl's BIOs with
  1516. * buffering bios for reasons of our own. As an alternative, we could
  1517. * save the original BIO for tls->ssl in the tor_tls_t structure, but
  1518. * that would be tempting fate. */
  1519. wbio = SSL_get_wbio(tls->ssl);
  1520. if (wbio->method == BIO_f_buffer() && (tmpbio = BIO_next(wbio)) != NULL)
  1521. wbio = tmpbio;
  1522. w = BIO_number_written(wbio);
  1523. /* We are ok with letting these unsigned ints go "negative" here:
  1524. * If we wrapped around, this should still give us the right answer, unless
  1525. * we wrapped around by more than ULONG_MAX since the last time we called
  1526. * this function.
  1527. */
  1528. *n_read = (size_t)(r - tls->last_read_count);
  1529. *n_written = (size_t)(w - tls->last_write_count);
  1530. if (*n_read > INT_MAX || *n_written > INT_MAX) {
  1531. log_warn(LD_BUG, "Preposterously large value in tor_tls_get_n_raw_bytes. "
  1532. "r=%lu, last_read=%lu, w=%lu, last_written=%lu",
  1533. r, tls->last_read_count, w, tls->last_write_count);
  1534. }
  1535. tls->last_read_count = r;
  1536. tls->last_write_count = w;
  1537. }
  1538. /** Implement check_no_tls_errors: If there are any pending OpenSSL
  1539. * errors, log an error message. */
  1540. void
  1541. _check_no_tls_errors(const char *fname, int line)
  1542. {
  1543. if (ERR_peek_error() == 0)
  1544. return;
  1545. log(LOG_WARN, LD_CRYPTO, "Unhandled OpenSSL errors found at %s:%d: ",
  1546. tor_fix_source_file(fname), line);
  1547. tls_log_errors(NULL, LOG_WARN, LD_NET, NULL);
  1548. }
  1549. /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
  1550. * TLS handshake. Output is undefined if the handshake isn't finished. */
  1551. int
  1552. tor_tls_used_v1_handshake(tor_tls_t *tls)
  1553. {
  1554. if (tls->isServer) {
  1555. #ifdef V2_HANDSHAKE_SERVER
  1556. return ! tls->wasV2Handshake;
  1557. #endif
  1558. } else {
  1559. #ifdef V2_HANDSHAKE_CLIENT
  1560. return ! tls->wasV2Handshake;
  1561. #endif
  1562. }
  1563. return 1;
  1564. }
  1565. /** Examine the amount of memory used and available for buffers in <b>tls</b>.
  1566. * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
  1567. * buffer and *<b>rbuf_bytes</b> to the amount actually used.
  1568. * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
  1569. * buffer and *<b>wbuf_bytes</b> to the amount actually used. */
  1570. void
  1571. tor_tls_get_buffer_sizes(tor_tls_t *tls,
  1572. size_t *rbuf_capacity, size_t *rbuf_bytes,
  1573. size_t *wbuf_capacity, size_t *wbuf_bytes)
  1574. {
  1575. if (tls->ssl->s3->rbuf.buf)
  1576. *rbuf_capacity = tls->ssl->s3->rbuf.len;
  1577. else
  1578. *rbuf_capacity = 0;
  1579. if (tls->ssl->s3->wbuf.buf)
  1580. *wbuf_capacity = tls->ssl->s3->wbuf.len;
  1581. else
  1582. *wbuf_capacity = 0;
  1583. *rbuf_bytes = tls->ssl->s3->rbuf.left;
  1584. *wbuf_bytes = tls->ssl->s3->wbuf.left;
  1585. }