tortls.c 90 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822
  1. /* Copyright (c) 2003, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2013, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. /**
  6. * \file tortls.c
  7. * \brief Wrapper functions to present a consistent interface to
  8. * TLS, SSL, and X.509 functions from OpenSSL.
  9. **/
  10. /* (Unlike other tor functions, these
  11. * are prefixed with tor_ in order to avoid conflicting with OpenSSL
  12. * functions and variables.)
  13. */
  14. #include "orconfig.h"
  15. #if defined (WINCE)
  16. #include <WinSock2.h>
  17. #endif
  18. #include <assert.h>
  19. #ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
  20. #ifndef _WIN32_WINNT
  21. #define _WIN32_WINNT 0x0501
  22. #endif
  23. #define WIN32_LEAN_AND_MEAN
  24. #if defined(_MSC_VER) && (_MSC_VER < 1300)
  25. #include <winsock.h>
  26. #else
  27. #include <winsock2.h>
  28. #include <ws2tcpip.h>
  29. #endif
  30. #endif
  31. #include <openssl/ssl.h>
  32. #include <openssl/ssl3.h>
  33. #include <openssl/err.h>
  34. #include <openssl/tls1.h>
  35. #include <openssl/asn1.h>
  36. #include <openssl/bio.h>
  37. #include <openssl/opensslv.h>
  38. #ifdef USE_BUFFEREVENTS
  39. #include <event2/bufferevent_ssl.h>
  40. #include <event2/buffer.h>
  41. #include <event2/event.h>
  42. #include "compat_libevent.h"
  43. #endif
  44. #include "crypto.h"
  45. #include "tortls.h"
  46. #include "util.h"
  47. #include "torlog.h"
  48. #include "container.h"
  49. #include <string.h>
  50. #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(0,9,8)
  51. #error "We require OpenSSL >= 0.9.8"
  52. #endif
  53. /* Enable the "v2" TLS handshake.
  54. */
  55. #define V2_HANDSHAKE_SERVER
  56. #define V2_HANDSHAKE_CLIENT
  57. /* Copied from or.h */
  58. #define LEGAL_NICKNAME_CHARACTERS \
  59. "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  60. /** How long do identity certificates live? (sec) */
  61. #define IDENTITY_CERT_LIFETIME (365*24*60*60)
  62. #define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")
  63. #if (OPENSSL_VERSION_NUMBER < OPENSSL_V(0,9,8,'s') || \
  64. (OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(0,9,9) && \
  65. OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,0,'f')))
  66. /* This is a version of OpenSSL before 0.9.8s/1.0.0f. It does not have
  67. * the CVE-2011-4576 fix, and as such it can't use RELEASE_BUFFERS and
  68. * SSL3 safely at the same time.
  69. */
  70. #define DISABLE_SSL3_HANDSHAKE
  71. #endif
  72. /* We redefine these so that we can run correctly even if the vendor gives us
  73. * a version of OpenSSL that does not match its header files. (Apple: I am
  74. * looking at you.)
  75. */
  76. #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  77. #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
  78. #endif
  79. #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  80. #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
  81. #endif
  82. /** Does the run-time openssl version look like we need
  83. * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
  84. static int use_unsafe_renegotiation_op = 0;
  85. /** Does the run-time openssl version look like we need
  86. * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
  87. static int use_unsafe_renegotiation_flag = 0;
  88. /** Structure that we use for a single certificate. */
  89. struct tor_cert_t {
  90. X509 *cert;
  91. uint8_t *encoded;
  92. size_t encoded_len;
  93. unsigned pkey_digests_set : 1;
  94. digests_t cert_digests;
  95. digests_t pkey_digests;
  96. };
  97. /** Holds a SSL_CTX object and related state used to configure TLS
  98. * connections.
  99. */
  100. typedef struct tor_tls_context_t {
  101. int refcnt;
  102. SSL_CTX *ctx;
  103. tor_cert_t *my_link_cert;
  104. tor_cert_t *my_id_cert;
  105. tor_cert_t *my_auth_cert;
  106. crypto_pk_t *link_key;
  107. crypto_pk_t *auth_key;
  108. } tor_tls_context_t;
  109. /** Return values for tor_tls_classify_client_ciphers.
  110. *
  111. * @{
  112. */
  113. /** An error occurred when examining the client ciphers */
  114. #define CIPHERS_ERR -1
  115. /** The client cipher list indicates that a v1 handshake was in use. */
  116. #define CIPHERS_V1 1
  117. /** The client cipher list indicates that the client is using the v2 or the
  118. * v3 handshake, but that it is (probably!) lying about what ciphers it
  119. * supports */
  120. #define CIPHERS_V2 2
  121. /** The client cipher list indicates that the client is using the v2 or the
  122. * v3 handshake, and that it is telling the truth about what ciphers it
  123. * supports */
  124. #define CIPHERS_UNRESTRICTED 3
  125. /** @} */
  126. #define TOR_TLS_MAGIC 0x71571571
  127. typedef enum {
  128. TOR_TLS_ST_HANDSHAKE, TOR_TLS_ST_OPEN, TOR_TLS_ST_GOTCLOSE,
  129. TOR_TLS_ST_SENTCLOSE, TOR_TLS_ST_CLOSED, TOR_TLS_ST_RENEGOTIATE,
  130. TOR_TLS_ST_BUFFEREVENT
  131. } tor_tls_state_t;
  132. /** Holds a SSL object and its associated data. Members are only
  133. * accessed from within tortls.c.
  134. */
  135. struct tor_tls_t {
  136. uint32_t magic;
  137. tor_tls_context_t *context; /** A link to the context object for this tls. */
  138. SSL *ssl; /**< An OpenSSL SSL object. */
  139. int socket; /**< The underlying file descriptor for this TLS connection. */
  140. char *address; /**< An address to log when describing this connection. */
  141. ENUM_BF(tor_tls_state_t) state : 3; /**< The current SSL state,
  142. * depending on which operations
  143. * have completed successfully. */
  144. unsigned int isServer:1; /**< True iff this is a server-side connection */
  145. unsigned int wasV2Handshake:1; /**< True iff the original handshake for
  146. * this connection used the updated version
  147. * of the connection protocol (client sends
  148. * different cipher list, server sends only
  149. * one certificate). */
  150. /** True iff we should call negotiated_callback when we're done reading. */
  151. unsigned int got_renegotiate:1;
  152. /** Return value from tor_tls_classify_client_ciphers, or 0 if we haven't
  153. * called that function yet. */
  154. int8_t client_cipher_list_type;
  155. /** Incremented every time we start the server side of a handshake. */
  156. uint8_t server_handshake_count;
  157. size_t wantwrite_n; /**< 0 normally, >0 if we returned wantwrite last
  158. * time. */
  159. /** Last values retrieved from BIO_number_read()/write(); see
  160. * tor_tls_get_n_raw_bytes() for usage.
  161. */
  162. unsigned long last_write_count;
  163. unsigned long last_read_count;
  164. /** If set, a callback to invoke whenever the client tries to renegotiate
  165. * the handshake. */
  166. void (*negotiated_callback)(tor_tls_t *tls, void *arg);
  167. /** Argument to pass to negotiated_callback. */
  168. void *callback_arg;
  169. };
  170. #ifdef V2_HANDSHAKE_CLIENT
  171. /** An array of fake SSL_CIPHER objects that we use in order to trick OpenSSL
  172. * in client mode into advertising the ciphers we want. See
  173. * rectify_client_ciphers() for details. */
  174. static SSL_CIPHER *CLIENT_CIPHER_DUMMIES = NULL;
  175. /** A stack of SSL_CIPHER objects, some real, some fake.
  176. * See rectify_client_ciphers() for details. */
  177. static STACK_OF(SSL_CIPHER) *CLIENT_CIPHER_STACK = NULL;
  178. #endif
  179. /** The ex_data index in which we store a pointer to an SSL object's
  180. * corresponding tor_tls_t object. */
  181. static int tor_tls_object_ex_data_index = -1;
  182. /** Helper: Allocate tor_tls_object_ex_data_index. */
  183. static void
  184. tor_tls_allocate_tor_tls_object_ex_data_index(void)
  185. {
  186. if (tor_tls_object_ex_data_index == -1) {
  187. tor_tls_object_ex_data_index =
  188. SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
  189. tor_assert(tor_tls_object_ex_data_index != -1);
  190. }
  191. }
  192. /** Helper: given a SSL* pointer, return the tor_tls_t object using that
  193. * pointer. */
  194. static INLINE tor_tls_t *
  195. tor_tls_get_by_ssl(const SSL *ssl)
  196. {
  197. tor_tls_t *result = SSL_get_ex_data(ssl, tor_tls_object_ex_data_index);
  198. if (result)
  199. tor_assert(result->magic == TOR_TLS_MAGIC);
  200. return result;
  201. }
  202. static void tor_tls_context_decref(tor_tls_context_t *ctx);
  203. static void tor_tls_context_incref(tor_tls_context_t *ctx);
  204. static X509* tor_tls_create_certificate(crypto_pk_t *rsa,
  205. crypto_pk_t *rsa_sign,
  206. const char *cname,
  207. const char *cname_sign,
  208. unsigned int cert_lifetime);
  209. static int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
  210. crypto_pk_t *identity,
  211. unsigned int key_lifetime,
  212. unsigned int flags,
  213. int is_client);
  214. static tor_tls_context_t *tor_tls_context_new(crypto_pk_t *identity,
  215. unsigned int key_lifetime,
  216. unsigned int flags,
  217. int is_client);
  218. static int check_cert_lifetime_internal(int severity, const X509 *cert,
  219. int past_tolerance, int future_tolerance);
  220. /** Global TLS contexts. We keep them here because nobody else needs
  221. * to touch them.
  222. *
  223. * @{ */
  224. static tor_tls_context_t *server_tls_context = NULL;
  225. static tor_tls_context_t *client_tls_context = NULL;
  226. /**@}*/
  227. /** True iff tor_tls_init() has been called. */
  228. static int tls_library_is_initialized = 0;
  229. /* Module-internal error codes. */
  230. #define TOR_TLS_SYSCALL_ (MIN_TOR_TLS_ERROR_VAL_ - 2)
  231. #define TOR_TLS_ZERORETURN_ (MIN_TOR_TLS_ERROR_VAL_ - 1)
  232. /** Write a description of the current state of <b>tls</b> into the
  233. * <b>sz</b>-byte buffer at <b>buf</b>. */
  234. void
  235. tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz)
  236. {
  237. const char *ssl_state;
  238. const char *tortls_state;
  239. if (PREDICT_UNLIKELY(!tls || !tls->ssl)) {
  240. strlcpy(buf, "(No SSL object)", sz);
  241. return;
  242. }
  243. ssl_state = SSL_state_string_long(tls->ssl);
  244. switch (tls->state) {
  245. #define CASE(st) case TOR_TLS_ST_##st: tortls_state = " in "#st ; break
  246. CASE(HANDSHAKE);
  247. CASE(OPEN);
  248. CASE(GOTCLOSE);
  249. CASE(SENTCLOSE);
  250. CASE(CLOSED);
  251. CASE(RENEGOTIATE);
  252. #undef CASE
  253. case TOR_TLS_ST_BUFFEREVENT:
  254. tortls_state = "";
  255. break;
  256. default:
  257. tortls_state = " in unknown TLS state";
  258. break;
  259. }
  260. tor_snprintf(buf, sz, "%s%s", ssl_state, tortls_state);
  261. }
  262. /** Log a single error <b>err</b> as returned by ERR_get_error(), which was
  263. * received while performing an operation <b>doing</b> on <b>tls</b>. Log
  264. * the message at <b>severity</b>, in log domain <b>domain</b>. */
  265. void
  266. tor_tls_log_one_error(tor_tls_t *tls, unsigned long err,
  267. int severity, int domain, const char *doing)
  268. {
  269. const char *state = NULL, *addr;
  270. const char *msg, *lib, *func;
  271. state = (tls && tls->ssl)?SSL_state_string_long(tls->ssl):"---";
  272. addr = tls ? tls->address : NULL;
  273. /* Some errors are known-benign, meaning they are the fault of the other
  274. * side of the connection. The caller doesn't know this, so override the
  275. * priority for those cases. */
  276. switch (ERR_GET_REASON(err)) {
  277. case SSL_R_HTTP_REQUEST:
  278. case SSL_R_HTTPS_PROXY_REQUEST:
  279. case SSL_R_RECORD_LENGTH_MISMATCH:
  280. case SSL_R_RECORD_TOO_LARGE:
  281. case SSL_R_UNKNOWN_PROTOCOL:
  282. case SSL_R_UNSUPPORTED_PROTOCOL:
  283. severity = LOG_INFO;
  284. break;
  285. default:
  286. break;
  287. }
  288. msg = (const char*)ERR_reason_error_string(err);
  289. lib = (const char*)ERR_lib_error_string(err);
  290. func = (const char*)ERR_func_error_string(err);
  291. if (!msg) msg = "(null)";
  292. if (!lib) lib = "(null)";
  293. if (!func) func = "(null)";
  294. if (doing) {
  295. tor_log(severity, domain, "TLS error while %s%s%s: %s (in %s:%s:%s)",
  296. doing, addr?" with ":"", addr?addr:"",
  297. msg, lib, func, state);
  298. } else {
  299. tor_log(severity, domain, "TLS error%s%s: %s (in %s:%s:%s)",
  300. addr?" with ":"", addr?addr:"",
  301. msg, lib, func, state);
  302. }
  303. }
  304. /** Log all pending tls errors at level <b>severity</b> in log domain
  305. * <b>domain</b>. Use <b>doing</b> to describe our current activities.
  306. */
  307. static void
  308. tls_log_errors(tor_tls_t *tls, int severity, int domain, const char *doing)
  309. {
  310. unsigned long err;
  311. while ((err = ERR_get_error()) != 0) {
  312. tor_tls_log_one_error(tls, err, severity, domain, doing);
  313. }
  314. }
  315. /** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
  316. * code. */
  317. static int
  318. tor_errno_to_tls_error(int e)
  319. {
  320. switch (e) {
  321. case SOCK_ERRNO(ECONNRESET): // most common
  322. return TOR_TLS_ERROR_CONNRESET;
  323. case SOCK_ERRNO(ETIMEDOUT):
  324. return TOR_TLS_ERROR_TIMEOUT;
  325. case SOCK_ERRNO(EHOSTUNREACH):
  326. case SOCK_ERRNO(ENETUNREACH):
  327. return TOR_TLS_ERROR_NO_ROUTE;
  328. case SOCK_ERRNO(ECONNREFUSED):
  329. return TOR_TLS_ERROR_CONNREFUSED; // least common
  330. default:
  331. return TOR_TLS_ERROR_MISC;
  332. }
  333. }
  334. /** Given a TOR_TLS_* error code, return a string equivalent. */
  335. const char *
  336. tor_tls_err_to_string(int err)
  337. {
  338. if (err >= 0)
  339. return "[Not an error.]";
  340. switch (err) {
  341. case TOR_TLS_ERROR_MISC: return "misc error";
  342. case TOR_TLS_ERROR_IO: return "unexpected close";
  343. case TOR_TLS_ERROR_CONNREFUSED: return "connection refused";
  344. case TOR_TLS_ERROR_CONNRESET: return "connection reset";
  345. case TOR_TLS_ERROR_NO_ROUTE: return "host unreachable";
  346. case TOR_TLS_ERROR_TIMEOUT: return "connection timed out";
  347. case TOR_TLS_CLOSE: return "closed";
  348. case TOR_TLS_WANTREAD: return "want to read";
  349. case TOR_TLS_WANTWRITE: return "want to write";
  350. default: return "(unknown error code)";
  351. }
  352. }
  353. #define CATCH_SYSCALL 1
  354. #define CATCH_ZERO 2
  355. /** Given a TLS object and the result of an SSL_* call, use
  356. * SSL_get_error to determine whether an error has occurred, and if so
  357. * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
  358. * If extra&CATCH_SYSCALL is true, return TOR_TLS_SYSCALL_ instead of
  359. * reporting syscall errors. If extra&CATCH_ZERO is true, return
  360. * TOR_TLS_ZERORETURN_ instead of reporting zero-return errors.
  361. *
  362. * If an error has occurred, log it at level <b>severity</b> and describe the
  363. * current action as <b>doing</b>.
  364. */
  365. static int
  366. tor_tls_get_error(tor_tls_t *tls, int r, int extra,
  367. const char *doing, int severity, int domain)
  368. {
  369. int err = SSL_get_error(tls->ssl, r);
  370. int tor_error = TOR_TLS_ERROR_MISC;
  371. switch (err) {
  372. case SSL_ERROR_NONE:
  373. return TOR_TLS_DONE;
  374. case SSL_ERROR_WANT_READ:
  375. return TOR_TLS_WANTREAD;
  376. case SSL_ERROR_WANT_WRITE:
  377. return TOR_TLS_WANTWRITE;
  378. case SSL_ERROR_SYSCALL:
  379. if (extra&CATCH_SYSCALL)
  380. return TOR_TLS_SYSCALL_;
  381. if (r == 0) {
  382. tor_log(severity, LD_NET, "TLS error: unexpected close while %s (%s)",
  383. doing, SSL_state_string_long(tls->ssl));
  384. tor_error = TOR_TLS_ERROR_IO;
  385. } else {
  386. int e = tor_socket_errno(tls->socket);
  387. tor_log(severity, LD_NET,
  388. "TLS error: <syscall error while %s> (errno=%d: %s; state=%s)",
  389. doing, e, tor_socket_strerror(e),
  390. SSL_state_string_long(tls->ssl));
  391. tor_error = tor_errno_to_tls_error(e);
  392. }
  393. tls_log_errors(tls, severity, domain, doing);
  394. return tor_error;
  395. case SSL_ERROR_ZERO_RETURN:
  396. if (extra&CATCH_ZERO)
  397. return TOR_TLS_ZERORETURN_;
  398. tor_log(severity, LD_NET, "TLS connection closed while %s in state %s",
  399. doing, SSL_state_string_long(tls->ssl));
  400. tls_log_errors(tls, severity, domain, doing);
  401. return TOR_TLS_CLOSE;
  402. default:
  403. tls_log_errors(tls, severity, domain, doing);
  404. return TOR_TLS_ERROR_MISC;
  405. }
  406. }
  407. /** Initialize OpenSSL, unless it has already been initialized.
  408. */
  409. static void
  410. tor_tls_init(void)
  411. {
  412. if (!tls_library_is_initialized) {
  413. long version;
  414. SSL_library_init();
  415. SSL_load_error_strings();
  416. version = SSLeay();
  417. /* OpenSSL 0.9.8l introduced SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  418. * here, but without thinking too hard about it: it turns out that the
  419. * flag in question needed to be set at the last minute, and that it
  420. * conflicted with an existing flag number that had already been added
  421. * in the OpenSSL 1.0.0 betas. OpenSSL 0.9.8m thoughtfully replaced
  422. * the flag with an option and (it seems) broke anything that used
  423. * SSL3_FLAGS_* for the purpose. So we need to know how to do both,
  424. * and we mustn't use the SSL3_FLAGS option with anything besides
  425. * OpenSSL 0.9.8l.
  426. *
  427. * No, we can't just set flag 0x0010 everywhere. It breaks Tor with
  428. * OpenSSL 1.0.0beta3 and later. On the other hand, we might be able to
  429. * set option 0x00040000L everywhere.
  430. *
  431. * No, we can't simply detect whether the flag or the option is present
  432. * in the headers at build-time: some vendors (notably Apple) like to
  433. * leave their headers out of sync with their libraries.
  434. *
  435. * Yes, it _is_ almost as if the OpenSSL developers decided that no
  436. * program should be allowed to use renegotiation unless it first passed
  437. * a test of intelligence and determination.
  438. */
  439. if (version > OPENSSL_V(0,9,8,'k') && version <= OPENSSL_V(0,9,8,'l')) {
  440. log_info(LD_GENERAL, "OpenSSL %s looks like version 0.9.8l, but "
  441. "some vendors have backported renegotiation code from "
  442. "0.9.8m without updating the version number. "
  443. "I will try SSL3_FLAGS and SSL_OP to enable renegotation.",
  444. SSLeay_version(SSLEAY_VERSION));
  445. use_unsafe_renegotiation_flag = 1;
  446. use_unsafe_renegotiation_op = 1;
  447. } else if (version > OPENSSL_V(0,9,8,'l')) {
  448. log_info(LD_GENERAL, "OpenSSL %s looks like version 0.9.8m or later; "
  449. "I will try SSL_OP to enable renegotiation",
  450. SSLeay_version(SSLEAY_VERSION));
  451. use_unsafe_renegotiation_op = 1;
  452. } else if (version <= OPENSSL_V(0,9,8,'k')) {
  453. log_info(LD_GENERAL, "OpenSSL %s [%lx] looks like it's older than "
  454. "0.9.8l, but some vendors have backported 0.9.8l's "
  455. "renegotiation code to earlier versions, and some have "
  456. "backported the code from 0.9.8m or 0.9.8n. I'll set both "
  457. "SSL3_FLAGS and SSL_OP just to be safe.",
  458. SSLeay_version(SSLEAY_VERSION), version);
  459. use_unsafe_renegotiation_flag = 1;
  460. use_unsafe_renegotiation_op = 1;
  461. } else {
  462. /* this is dead code, yes? */
  463. log_info(LD_GENERAL, "OpenSSL %s has version %lx",
  464. SSLeay_version(SSLEAY_VERSION), version);
  465. }
  466. #if (SIZEOF_VOID_P >= 8 && \
  467. !defined(OPENSSL_NO_EC) && \
  468. OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
  469. if (version >= OPENSSL_V_SERIES(1,0,1)) {
  470. /* Warn if we could *almost* be running with much faster ECDH.
  471. If we're built for a 64-bit target, using OpenSSL 1.0.1, but we
  472. don't have one of the built-in __uint128-based speedups, we are
  473. just one build operation away from an accelerated handshake.
  474. (We could be looking at OPENSSL_NO_EC_NISTP_64_GCC_128 instead of
  475. doing this test, but that gives compile-time options, not runtime
  476. behavior.)
  477. */
  478. EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
  479. const EC_GROUP *g = key ? EC_KEY_get0_group(key) : NULL;
  480. const EC_METHOD *m = g ? EC_GROUP_method_of(g) : NULL;
  481. const int warn = (m == EC_GFp_simple_method() ||
  482. m == EC_GFp_mont_method() ||
  483. m == EC_GFp_nist_method());
  484. EC_KEY_free(key);
  485. if (warn)
  486. log_notice(LD_GENERAL, "We were built to run on a 64-bit CPU, with "
  487. "OpenSSL 1.0.1 or later, but with a version of OpenSSL "
  488. "that apparently lacks accelerated support for the NIST "
  489. "P-224 and P-256 groups. Building openssl with such "
  490. "support (using the enable-ec_nistp_64_gcc_128 option "
  491. "when configuring it) would make ECDH much faster.");
  492. }
  493. #endif
  494. tor_tls_allocate_tor_tls_object_ex_data_index();
  495. tls_library_is_initialized = 1;
  496. }
  497. }
  498. /** Free all global TLS structures. */
  499. void
  500. tor_tls_free_all(void)
  501. {
  502. if (server_tls_context) {
  503. tor_tls_context_t *ctx = server_tls_context;
  504. server_tls_context = NULL;
  505. tor_tls_context_decref(ctx);
  506. }
  507. if (client_tls_context) {
  508. tor_tls_context_t *ctx = client_tls_context;
  509. client_tls_context = NULL;
  510. tor_tls_context_decref(ctx);
  511. }
  512. #ifdef V2_HANDSHAKE_CLIENT
  513. if (CLIENT_CIPHER_DUMMIES)
  514. tor_free(CLIENT_CIPHER_DUMMIES);
  515. if (CLIENT_CIPHER_STACK)
  516. sk_SSL_CIPHER_free(CLIENT_CIPHER_STACK);
  517. #endif
  518. }
  519. /** We need to give OpenSSL a callback to verify certificates. This is
  520. * it: We always accept peer certs and complete the handshake. We
  521. * don't validate them until later.
  522. */
  523. static int
  524. always_accept_verify_cb(int preverify_ok,
  525. X509_STORE_CTX *x509_ctx)
  526. {
  527. (void) preverify_ok;
  528. (void) x509_ctx;
  529. return 1;
  530. }
  531. /** Return a newly allocated X509 name with commonName <b>cname</b>. */
  532. static X509_NAME *
  533. tor_x509_name_new(const char *cname)
  534. {
  535. int nid;
  536. X509_NAME *name;
  537. if (!(name = X509_NAME_new()))
  538. return NULL;
  539. if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
  540. if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
  541. (unsigned char*)cname, -1, -1, 0)))
  542. goto error;
  543. return name;
  544. error:
  545. X509_NAME_free(name);
  546. return NULL;
  547. }
  548. /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
  549. * signed by the private key <b>rsa_sign</b>. The commonName of the
  550. * certificate will be <b>cname</b>; the commonName of the issuer will be
  551. * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b>
  552. * seconds, starting from some time in the past.
  553. *
  554. * Return a certificate on success, NULL on failure.
  555. */
  556. static X509 *
  557. tor_tls_create_certificate(crypto_pk_t *rsa,
  558. crypto_pk_t *rsa_sign,
  559. const char *cname,
  560. const char *cname_sign,
  561. unsigned int cert_lifetime)
  562. {
  563. /* OpenSSL generates self-signed certificates with random 64-bit serial
  564. * numbers, so let's do that too. */
  565. #define SERIAL_NUMBER_SIZE 8
  566. time_t start_time, end_time;
  567. BIGNUM *serial_number = NULL;
  568. unsigned char serial_tmp[SERIAL_NUMBER_SIZE];
  569. EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
  570. X509 *x509 = NULL;
  571. X509_NAME *name = NULL, *name_issuer=NULL;
  572. tor_tls_init();
  573. /* Make sure we're part-way through the certificate lifetime, rather
  574. * than having it start right now. Don't choose quite uniformly, since
  575. * then we might pick a time where we're about to expire. Lastly, be
  576. * sure to start on a day boundary. */
  577. start_time = time(NULL) - crypto_rand_int(cert_lifetime) + 2*24*3600;
  578. start_time -= start_time % (24*3600);
  579. tor_assert(rsa);
  580. tor_assert(cname);
  581. tor_assert(rsa_sign);
  582. tor_assert(cname_sign);
  583. if (!(sign_pkey = crypto_pk_get_evp_pkey_(rsa_sign,1)))
  584. goto error;
  585. if (!(pkey = crypto_pk_get_evp_pkey_(rsa,0)))
  586. goto error;
  587. if (!(x509 = X509_new()))
  588. goto error;
  589. if (!(X509_set_version(x509, 2)))
  590. goto error;
  591. { /* our serial number is 8 random bytes. */
  592. if (crypto_rand((char *)serial_tmp, sizeof(serial_tmp)) < 0)
  593. goto error;
  594. if (!(serial_number = BN_bin2bn(serial_tmp, sizeof(serial_tmp), NULL)))
  595. goto error;
  596. if (!(BN_to_ASN1_INTEGER(serial_number, X509_get_serialNumber(x509))))
  597. goto error;
  598. }
  599. if (!(name = tor_x509_name_new(cname)))
  600. goto error;
  601. if (!(X509_set_subject_name(x509, name)))
  602. goto error;
  603. if (!(name_issuer = tor_x509_name_new(cname_sign)))
  604. goto error;
  605. if (!(X509_set_issuer_name(x509, name_issuer)))
  606. goto error;
  607. if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
  608. goto error;
  609. end_time = start_time + cert_lifetime;
  610. if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
  611. goto error;
  612. if (!X509_set_pubkey(x509, pkey))
  613. goto error;
  614. if (!X509_sign(x509, sign_pkey, EVP_sha1()))
  615. goto error;
  616. goto done;
  617. error:
  618. if (x509) {
  619. X509_free(x509);
  620. x509 = NULL;
  621. }
  622. done:
  623. tls_log_errors(NULL, LOG_WARN, LD_NET, "generating certificate");
  624. if (sign_pkey)
  625. EVP_PKEY_free(sign_pkey);
  626. if (pkey)
  627. EVP_PKEY_free(pkey);
  628. if (serial_number)
  629. BN_free(serial_number);
  630. if (name)
  631. X509_NAME_free(name);
  632. if (name_issuer)
  633. X509_NAME_free(name_issuer);
  634. return x509;
  635. #undef SERIAL_NUMBER_SIZE
  636. }
  637. /** List of ciphers that servers should select from when the client might be
  638. * claiming extra unsupported ciphers in order to avoid fingerprinting. */
  639. #define SERVER_CIPHER_LIST \
  640. (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" \
  641. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \
  642. SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
  643. /** List of ciphers that servers should select from when we actually have
  644. * our choice of what cipher to use. */
  645. const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
  646. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CHC_SHA
  647. TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
  648. #endif
  649. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  650. TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":"
  651. #endif
  652. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
  653. TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":"
  654. #endif
  655. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
  656. TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":"
  657. #endif
  658. #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  659. TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  660. #endif
  661. //#if TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
  662. // TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA ":"
  663. //#endif
  664. /* These next two are mandatory. */
  665. TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
  666. TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
  667. #ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
  668. TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":"
  669. #endif
  670. SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
  671. /* Note: to set up your own private testing network with link crypto
  672. * disabled, set your Tors' cipher list to
  673. * (SSL3_TXT_RSA_NULL_SHA). If you do this, you won't be able to communicate
  674. * with any of the "real" Tors, though. */
  675. #ifdef V2_HANDSHAKE_CLIENT
  676. #define CIPHER(id, name) name ":"
  677. #define XCIPHER(id, name)
  678. /** List of ciphers that clients should advertise, omitting items that
  679. * our OpenSSL doesn't know about. */
  680. static const char CLIENT_CIPHER_LIST[] =
  681. #include "./ciphers.inc"
  682. /* Tell it not to use SSLv2 ciphers, so that it can select an SSLv3 version
  683. * of any cipher we say. */
  684. "!SSLv2"
  685. ;
  686. #undef CIPHER
  687. #undef XCIPHER
  688. /** Holds a cipher that we want to advertise, and its 2-byte ID. */
  689. typedef struct cipher_info_t { unsigned id; const char *name; } cipher_info_t;
  690. /** A list of all the ciphers that clients should advertise, including items
  691. * that OpenSSL might not know about. */
  692. static const cipher_info_t CLIENT_CIPHER_INFO_LIST[] = {
  693. #define CIPHER(id, name) { id, name },
  694. #define XCIPHER(id, name) { id, #name },
  695. #include "./ciphers.inc"
  696. #undef CIPHER
  697. #undef XCIPHER
  698. };
  699. /** The length of CLIENT_CIPHER_INFO_LIST and CLIENT_CIPHER_DUMMIES. */
  700. static const int N_CLIENT_CIPHERS =
  701. sizeof(CLIENT_CIPHER_INFO_LIST)/sizeof(CLIENT_CIPHER_INFO_LIST[0]);
  702. #endif
  703. #ifndef V2_HANDSHAKE_CLIENT
  704. #undef CLIENT_CIPHER_LIST
  705. #define CLIENT_CIPHER_LIST (TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \
  706. SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
  707. #endif
  708. /** Free all storage held in <b>cert</b> */
  709. void
  710. tor_cert_free(tor_cert_t *cert)
  711. {
  712. if (! cert)
  713. return;
  714. if (cert->cert)
  715. X509_free(cert->cert);
  716. tor_free(cert->encoded);
  717. memwipe(cert, 0x03, sizeof(*cert));
  718. tor_free(cert);
  719. }
  720. /**
  721. * Allocate a new tor_cert_t to hold the certificate "x509_cert".
  722. *
  723. * Steals a reference to x509_cert.
  724. */
  725. static tor_cert_t *
  726. tor_cert_new(X509 *x509_cert)
  727. {
  728. tor_cert_t *cert;
  729. EVP_PKEY *pkey;
  730. RSA *rsa;
  731. int length;
  732. unsigned char *buf = NULL;
  733. if (!x509_cert)
  734. return NULL;
  735. length = i2d_X509(x509_cert, &buf);
  736. cert = tor_malloc_zero(sizeof(tor_cert_t));
  737. if (length <= 0 || buf == NULL) {
  738. tor_free(cert);
  739. log_err(LD_CRYPTO, "Couldn't get length of encoded x509 certificate");
  740. X509_free(x509_cert);
  741. return NULL;
  742. }
  743. cert->encoded_len = (size_t) length;
  744. cert->encoded = tor_malloc(length);
  745. memcpy(cert->encoded, buf, length);
  746. OPENSSL_free(buf);
  747. cert->cert = x509_cert;
  748. crypto_digest_all(&cert->cert_digests,
  749. (char*)cert->encoded, cert->encoded_len);
  750. if ((pkey = X509_get_pubkey(x509_cert)) &&
  751. (rsa = EVP_PKEY_get1_RSA(pkey))) {
  752. crypto_pk_t *pk = crypto_new_pk_from_rsa_(rsa);
  753. crypto_pk_get_all_digests(pk, &cert->pkey_digests);
  754. cert->pkey_digests_set = 1;
  755. crypto_pk_free(pk);
  756. EVP_PKEY_free(pkey);
  757. }
  758. return cert;
  759. }
  760. /** Read a DER-encoded X509 cert, of length exactly <b>certificate_len</b>,
  761. * from a <b>certificate</b>. Return a newly allocated tor_cert_t on success
  762. * and NULL on failure. */
  763. tor_cert_t *
  764. tor_cert_decode(const uint8_t *certificate, size_t certificate_len)
  765. {
  766. X509 *x509;
  767. const unsigned char *cp = (const unsigned char *)certificate;
  768. tor_cert_t *newcert;
  769. tor_assert(certificate);
  770. if (certificate_len > INT_MAX)
  771. return NULL;
  772. x509 = d2i_X509(NULL, &cp, (int)certificate_len);
  773. if (!x509)
  774. return NULL; /* Couldn't decode */
  775. if (cp - certificate != (int)certificate_len) {
  776. X509_free(x509);
  777. return NULL; /* Didn't use all the bytes */
  778. }
  779. newcert = tor_cert_new(x509);
  780. if (!newcert) {
  781. return NULL;
  782. }
  783. if (newcert->encoded_len != certificate_len ||
  784. fast_memneq(newcert->encoded, certificate, certificate_len)) {
  785. /* Cert wasn't in DER */
  786. tor_cert_free(newcert);
  787. return NULL;
  788. }
  789. return newcert;
  790. }
  791. /** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
  792. * representation and length, respectively. */
  793. void
  794. tor_cert_get_der(const tor_cert_t *cert,
  795. const uint8_t **encoded_out, size_t *size_out)
  796. {
  797. tor_assert(cert);
  798. tor_assert(encoded_out);
  799. tor_assert(size_out);
  800. *encoded_out = cert->encoded;
  801. *size_out = cert->encoded_len;
  802. }
  803. /** Return a set of digests for the public key in <b>cert</b>, or NULL if this
  804. * cert's public key is not one we know how to take the digest of. */
  805. const digests_t *
  806. tor_cert_get_id_digests(const tor_cert_t *cert)
  807. {
  808. if (cert->pkey_digests_set)
  809. return &cert->pkey_digests;
  810. else
  811. return NULL;
  812. }
  813. /** Return a set of digests for the public key in <b>cert</b>. */
  814. const digests_t *
  815. tor_cert_get_cert_digests(const tor_cert_t *cert)
  816. {
  817. return &cert->cert_digests;
  818. }
  819. /** Remove a reference to <b>ctx</b>, and free it if it has no more
  820. * references. */
  821. static void
  822. tor_tls_context_decref(tor_tls_context_t *ctx)
  823. {
  824. tor_assert(ctx);
  825. if (--ctx->refcnt == 0) {
  826. SSL_CTX_free(ctx->ctx);
  827. tor_cert_free(ctx->my_link_cert);
  828. tor_cert_free(ctx->my_id_cert);
  829. tor_cert_free(ctx->my_auth_cert);
  830. crypto_pk_free(ctx->link_key);
  831. crypto_pk_free(ctx->auth_key);
  832. tor_free(ctx);
  833. }
  834. }
  835. /** Set *<b>link_cert_out</b> and *<b>id_cert_out</b> to the link certificate
  836. * and ID certificate that we're currently using for our V3 in-protocol
  837. * handshake's certificate chain. If <b>server</b> is true, provide the certs
  838. * that we use in server mode; otherwise, provide the certs that we use in
  839. * client mode. */
  840. int
  841. tor_tls_get_my_certs(int server,
  842. const tor_cert_t **link_cert_out,
  843. const tor_cert_t **id_cert_out)
  844. {
  845. tor_tls_context_t *ctx = server ? server_tls_context : client_tls_context;
  846. if (! ctx)
  847. return -1;
  848. if (link_cert_out)
  849. *link_cert_out = server ? ctx->my_link_cert : ctx->my_auth_cert;
  850. if (id_cert_out)
  851. *id_cert_out = ctx->my_id_cert;
  852. return 0;
  853. }
  854. /**
  855. * Return the authentication key that we use to authenticate ourselves as a
  856. * client in the V3 in-protocol handshake.
  857. */
  858. crypto_pk_t *
  859. tor_tls_get_my_client_auth_key(void)
  860. {
  861. if (! client_tls_context)
  862. return NULL;
  863. return client_tls_context->auth_key;
  864. }
  865. /**
  866. * Return a newly allocated copy of the public key that a certificate
  867. * certifies. Return NULL if the cert's key is not RSA.
  868. */
  869. crypto_pk_t *
  870. tor_tls_cert_get_key(tor_cert_t *cert)
  871. {
  872. crypto_pk_t *result = NULL;
  873. EVP_PKEY *pkey = X509_get_pubkey(cert->cert);
  874. RSA *rsa;
  875. if (!pkey)
  876. return NULL;
  877. rsa = EVP_PKEY_get1_RSA(pkey);
  878. if (!rsa) {
  879. EVP_PKEY_free(pkey);
  880. return NULL;
  881. }
  882. result = crypto_new_pk_from_rsa_(rsa);
  883. EVP_PKEY_free(pkey);
  884. return result;
  885. }
  886. /** Return true iff the other side of <b>tls</b> has authenticated to us, and
  887. * the key certified in <b>cert</b> is the same as the key they used to do it.
  888. */
  889. int
  890. tor_tls_cert_matches_key(const tor_tls_t *tls, const tor_cert_t *cert)
  891. {
  892. X509 *peercert = SSL_get_peer_certificate(tls->ssl);
  893. EVP_PKEY *link_key = NULL, *cert_key = NULL;
  894. int result;
  895. if (!peercert)
  896. return 0;
  897. link_key = X509_get_pubkey(peercert);
  898. cert_key = X509_get_pubkey(cert->cert);
  899. result = link_key && cert_key && EVP_PKEY_cmp(cert_key, link_key) == 1;
  900. X509_free(peercert);
  901. if (link_key)
  902. EVP_PKEY_free(link_key);
  903. if (cert_key)
  904. EVP_PKEY_free(cert_key);
  905. return result;
  906. }
  907. /** Check whether <b>cert</b> is well-formed, currently live, and correctly
  908. * signed by the public key in <b>signing_cert</b>. If <b>check_rsa_1024</b>,
  909. * make sure that it has an RSA key with 1024 bits; otherwise, just check that
  910. * the key is long enough. Return 1 if the cert is good, and 0 if it's bad or
  911. * we couldn't check it. */
  912. int
  913. tor_tls_cert_is_valid(int severity,
  914. const tor_cert_t *cert,
  915. const tor_cert_t *signing_cert,
  916. int check_rsa_1024)
  917. {
  918. EVP_PKEY *cert_key;
  919. EVP_PKEY *signing_key = X509_get_pubkey(signing_cert->cert);
  920. int r, key_ok = 0;
  921. if (!signing_key)
  922. return 0;
  923. r = X509_verify(cert->cert, signing_key);
  924. EVP_PKEY_free(signing_key);
  925. if (r <= 0)
  926. return 0;
  927. /* okay, the signature checked out right. Now let's check the check the
  928. * lifetime. */
  929. if (check_cert_lifetime_internal(severity, cert->cert,
  930. 48*60*60, 30*24*60*60) < 0)
  931. return 0;
  932. cert_key = X509_get_pubkey(cert->cert);
  933. if (check_rsa_1024 && cert_key) {
  934. RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
  935. if (rsa && BN_num_bits(rsa->n) == 1024)
  936. key_ok = 1;
  937. if (rsa)
  938. RSA_free(rsa);
  939. } else if (cert_key) {
  940. int min_bits = 1024;
  941. #ifdef EVP_PKEY_EC
  942. if (EVP_PKEY_type(cert_key->type) == EVP_PKEY_EC)
  943. min_bits = 128;
  944. #endif
  945. if (EVP_PKEY_bits(cert_key) >= min_bits)
  946. key_ok = 1;
  947. }
  948. EVP_PKEY_free(cert_key);
  949. if (!key_ok)
  950. return 0;
  951. /* XXXX compare DNs or anything? */
  952. return 1;
  953. }
  954. /** Increase the reference count of <b>ctx</b>. */
  955. static void
  956. tor_tls_context_incref(tor_tls_context_t *ctx)
  957. {
  958. ++ctx->refcnt;
  959. }
  960. /** Create new global client and server TLS contexts.
  961. *
  962. * If <b>server_identity</b> is NULL, this will not generate a server
  963. * TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in <b>flags</b>, use
  964. * the same TLS context for incoming and outgoing connections, and
  965. * ignore <b>client_identity</b>. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256}
  966. * is set in <b>flags</b>, use that ECDHE group if possible; otherwise use
  967. * the default ECDHE group. */
  968. int
  969. tor_tls_context_init(unsigned flags,
  970. crypto_pk_t *client_identity,
  971. crypto_pk_t *server_identity,
  972. unsigned int key_lifetime)
  973. {
  974. int rv1 = 0;
  975. int rv2 = 0;
  976. const int is_public_server = flags & TOR_TLS_CTX_IS_PUBLIC_SERVER;
  977. if (is_public_server) {
  978. tor_tls_context_t *new_ctx;
  979. tor_tls_context_t *old_ctx;
  980. tor_assert(server_identity != NULL);
  981. rv1 = tor_tls_context_init_one(&server_tls_context,
  982. server_identity,
  983. key_lifetime, flags, 0);
  984. if (rv1 >= 0) {
  985. new_ctx = server_tls_context;
  986. tor_tls_context_incref(new_ctx);
  987. old_ctx = client_tls_context;
  988. client_tls_context = new_ctx;
  989. if (old_ctx != NULL) {
  990. tor_tls_context_decref(old_ctx);
  991. }
  992. }
  993. } else {
  994. if (server_identity != NULL) {
  995. rv1 = tor_tls_context_init_one(&server_tls_context,
  996. server_identity,
  997. key_lifetime,
  998. flags,
  999. 0);
  1000. } else {
  1001. tor_tls_context_t *old_ctx = server_tls_context;
  1002. server_tls_context = NULL;
  1003. if (old_ctx != NULL) {
  1004. tor_tls_context_decref(old_ctx);
  1005. }
  1006. }
  1007. rv2 = tor_tls_context_init_one(&client_tls_context,
  1008. client_identity,
  1009. key_lifetime,
  1010. flags,
  1011. 1);
  1012. }
  1013. return MIN(rv1, rv2);
  1014. }
  1015. /** Create a new global TLS context.
  1016. *
  1017. * You can call this function multiple times. Each time you call it,
  1018. * it generates new certificates; all new connections will use
  1019. * the new SSL context.
  1020. */
  1021. static int
  1022. tor_tls_context_init_one(tor_tls_context_t **ppcontext,
  1023. crypto_pk_t *identity,
  1024. unsigned int key_lifetime,
  1025. unsigned int flags,
  1026. int is_client)
  1027. {
  1028. tor_tls_context_t *new_ctx = tor_tls_context_new(identity,
  1029. key_lifetime,
  1030. flags,
  1031. is_client);
  1032. tor_tls_context_t *old_ctx = *ppcontext;
  1033. if (new_ctx != NULL) {
  1034. *ppcontext = new_ctx;
  1035. /* Free the old context if one existed. */
  1036. if (old_ctx != NULL) {
  1037. /* This is safe even if there are open connections: we reference-
  1038. * count tor_tls_context_t objects. */
  1039. tor_tls_context_decref(old_ctx);
  1040. }
  1041. }
  1042. return ((new_ctx != NULL) ? 0 : -1);
  1043. }
  1044. /** Create a new TLS context for use with Tor TLS handshakes.
  1045. * <b>identity</b> should be set to the identity key used to sign the
  1046. * certificate.
  1047. */
  1048. static tor_tls_context_t *
  1049. tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
  1050. unsigned flags, int is_client)
  1051. {
  1052. crypto_pk_t *rsa = NULL, *rsa_auth = NULL;
  1053. EVP_PKEY *pkey = NULL;
  1054. tor_tls_context_t *result = NULL;
  1055. X509 *cert = NULL, *idcert = NULL, *authcert = NULL;
  1056. char *nickname = NULL, *nn2 = NULL;
  1057. tor_tls_init();
  1058. nickname = crypto_random_hostname(8, 20, "www.", ".net");
  1059. #ifdef DISABLE_V3_LINKPROTO_SERVERSIDE
  1060. nn2 = crypto_random_hostname(8, 20, "www.", ".net");
  1061. #else
  1062. nn2 = crypto_random_hostname(8, 20, "www.", ".com");
  1063. #endif
  1064. /* Generate short-term RSA key for use with TLS. */
  1065. if (!(rsa = crypto_pk_new()))
  1066. goto error;
  1067. if (crypto_pk_generate_key(rsa)<0)
  1068. goto error;
  1069. if (!is_client) {
  1070. /* Generate short-term RSA key for use in the in-protocol ("v3")
  1071. * authentication handshake. */
  1072. if (!(rsa_auth = crypto_pk_new()))
  1073. goto error;
  1074. if (crypto_pk_generate_key(rsa_auth)<0)
  1075. goto error;
  1076. /* Create a link certificate signed by identity key. */
  1077. cert = tor_tls_create_certificate(rsa, identity, nickname, nn2,
  1078. key_lifetime);
  1079. /* Create self-signed certificate for identity key. */
  1080. idcert = tor_tls_create_certificate(identity, identity, nn2, nn2,
  1081. IDENTITY_CERT_LIFETIME);
  1082. /* Create an authentication certificate signed by identity key. */
  1083. authcert = tor_tls_create_certificate(rsa_auth, identity, nickname, nn2,
  1084. key_lifetime);
  1085. if (!cert || !idcert || !authcert) {
  1086. log_warn(LD_CRYPTO, "Error creating certificate");
  1087. goto error;
  1088. }
  1089. }
  1090. result = tor_malloc_zero(sizeof(tor_tls_context_t));
  1091. result->refcnt = 1;
  1092. if (!is_client) {
  1093. result->my_link_cert = tor_cert_new(X509_dup(cert));
  1094. result->my_id_cert = tor_cert_new(X509_dup(idcert));
  1095. result->my_auth_cert = tor_cert_new(X509_dup(authcert));
  1096. if (!result->my_link_cert || !result->my_id_cert || !result->my_auth_cert)
  1097. goto error;
  1098. result->link_key = crypto_pk_dup_key(rsa);
  1099. result->auth_key = crypto_pk_dup_key(rsa_auth);
  1100. }
  1101. #if 0
  1102. /* Tell OpenSSL to only use TLS1. This may have subtly different results
  1103. * from SSLv23_method() with SSLv2 and SSLv3 disabled, so we need to do some
  1104. * investigation before we consider adjusting it. It should be compatible
  1105. * with existing Tors. */
  1106. if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
  1107. goto error;
  1108. #endif
  1109. /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
  1110. if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
  1111. goto error;
  1112. SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
  1113. /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
  1114. * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
  1115. * June 2012), wherein renegotiating while using one of these TLS
  1116. * protocols will cause the client to send a TLS 1.0 ServerHello
  1117. * rather than a ServerHello written with the appropriate protocol
  1118. * version. Once some version of OpenSSL does TLS1.1 and TLS1.2
  1119. * renegotiation properly, we can turn them back on when built with
  1120. * that version. */
  1121. #if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,1,'e')
  1122. #ifdef SSL_OP_NO_TLSv1_2
  1123. SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
  1124. #endif
  1125. #ifdef SSL_OP_NO_TLSv1_1
  1126. SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
  1127. #endif
  1128. #endif
  1129. /* Disable TLS tickets if they're supported. We never want to use them;
  1130. * using them can make our perfect forward secrecy a little worse, *and*
  1131. * create an opportunity to fingerprint us (since it's unusual to use them
  1132. * with TLS sessions turned off).
  1133. *
  1134. * In 0.2.4, clients advertise support for them though, to avoid a TLS
  1135. * distinguishability vector. This can give us worse PFS, though, if we
  1136. * get a server that doesn't set SSL_OP_NO_TICKET. With luck, there will
  1137. * be few such servers by the time 0.2.4 is more stable.
  1138. */
  1139. #ifdef SSL_OP_NO_TICKET
  1140. if (! is_client) {
  1141. SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
  1142. }
  1143. #endif
  1144. if (
  1145. #ifdef DISABLE_SSL3_HANDSHAKE
  1146. 1 ||
  1147. #endif
  1148. SSLeay() < OPENSSL_V(0,9,8,'s') ||
  1149. (SSLeay() >= OPENSSL_V_SERIES(0,9,9) &&
  1150. SSLeay() < OPENSSL_V(1,0,0,'f'))) {
  1151. /* And not SSL3 if it's subject to CVE-2011-4576. */
  1152. log_info(LD_NET, "Disabling SSLv3 because this OpenSSL version "
  1153. "might otherwise be vulnerable to CVE-2011-4576 "
  1154. "(compile-time version %08lx (%s); "
  1155. "runtime version %08lx (%s))",
  1156. (unsigned long)OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT,
  1157. (unsigned long)SSLeay(), SSLeay_version(SSLEAY_VERSION));
  1158. SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
  1159. }
  1160. SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
  1161. SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_ECDH_USE);
  1162. #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  1163. SSL_CTX_set_options(result->ctx,
  1164. SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
  1165. #endif
  1166. /* Yes, we know what we are doing here. No, we do not treat a renegotiation
  1167. * as authenticating any earlier-received data.
  1168. */
  1169. if (use_unsafe_renegotiation_op) {
  1170. SSL_CTX_set_options(result->ctx,
  1171. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
  1172. }
  1173. /* Don't actually allow compression; it uses ram and time, but the data
  1174. * we transmit is all encrypted anyway. */
  1175. if (result->ctx->comp_methods)
  1176. result->ctx->comp_methods = NULL;
  1177. #ifdef SSL_MODE_RELEASE_BUFFERS
  1178. SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
  1179. #endif
  1180. if (! is_client) {
  1181. if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
  1182. goto error;
  1183. X509_free(cert); /* We just added a reference to cert. */
  1184. cert=NULL;
  1185. if (idcert) {
  1186. X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
  1187. tor_assert(s);
  1188. X509_STORE_add_cert(s, idcert);
  1189. X509_free(idcert); /* The context now owns the reference to idcert */
  1190. idcert = NULL;
  1191. }
  1192. }
  1193. SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
  1194. if (!is_client) {
  1195. tor_assert(rsa);
  1196. if (!(pkey = crypto_pk_get_evp_pkey_(rsa,1)))
  1197. goto error;
  1198. if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
  1199. goto error;
  1200. EVP_PKEY_free(pkey);
  1201. pkey = NULL;
  1202. if (!SSL_CTX_check_private_key(result->ctx))
  1203. goto error;
  1204. }
  1205. {
  1206. crypto_dh_t *dh = crypto_dh_new(DH_TYPE_TLS);
  1207. tor_assert(dh);
  1208. SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh));
  1209. crypto_dh_free(dh);
  1210. }
  1211. #if (!defined(OPENSSL_NO_EC) && \
  1212. OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,0))
  1213. if (! is_client) {
  1214. int nid;
  1215. EC_KEY *ec_key;
  1216. if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
  1217. nid = NID_secp224r1;
  1218. else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
  1219. nid = NID_X9_62_prime256v1;
  1220. else
  1221. nid = NID_X9_62_prime256v1;
  1222. /* Use P-256 for ECDHE. */
  1223. ec_key = EC_KEY_new_by_curve_name(nid);
  1224. if (ec_key != NULL) /*XXXX Handle errors? */
  1225. SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
  1226. EC_KEY_free(ec_key);
  1227. }
  1228. #else
  1229. (void)flags;
  1230. #endif
  1231. SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
  1232. always_accept_verify_cb);
  1233. /* let us realloc bufs that we're writing from */
  1234. SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
  1235. if (rsa)
  1236. crypto_pk_free(rsa);
  1237. if (rsa_auth)
  1238. crypto_pk_free(rsa_auth);
  1239. X509_free(authcert);
  1240. tor_free(nickname);
  1241. tor_free(nn2);
  1242. return result;
  1243. error:
  1244. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating TLS context");
  1245. tor_free(nickname);
  1246. tor_free(nn2);
  1247. if (pkey)
  1248. EVP_PKEY_free(pkey);
  1249. if (rsa)
  1250. crypto_pk_free(rsa);
  1251. if (rsa_auth)
  1252. crypto_pk_free(rsa_auth);
  1253. if (result)
  1254. tor_tls_context_decref(result);
  1255. if (cert)
  1256. X509_free(cert);
  1257. if (idcert)
  1258. X509_free(idcert);
  1259. if (authcert)
  1260. X509_free(authcert);
  1261. return NULL;
  1262. }
  1263. /** Invoked when a TLS state changes: log the change at severity 'debug' */
  1264. static void
  1265. tor_tls_debug_state_callback(const SSL *ssl, int type, int val)
  1266. {
  1267. log_debug(LD_HANDSHAKE, "SSL %p is now in state %s [type=%d,val=%d].",
  1268. ssl, SSL_state_string_long(ssl), type, val);
  1269. }
  1270. /* Return the name of the negotiated ciphersuite in use on <b>tls</b> */
  1271. const char *
  1272. tor_tls_get_ciphersuite_name(tor_tls_t *tls)
  1273. {
  1274. return SSL_get_cipher(tls->ssl);
  1275. }
  1276. #ifdef V2_HANDSHAKE_SERVER
  1277. /* Here's the old V2 cipher list we sent from 0.2.1.1-alpha up to
  1278. * 0.2.3.17-beta. If a client is using this list, we can't believe the ciphers
  1279. * that it claims to support. We'll prune this list to remove the ciphers
  1280. * *we* don't recognize. */
  1281. static uint16_t v2_cipher_list[] = {
  1282. 0xc00a, /* TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */
  1283. 0xc014, /* TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA */
  1284. 0x0039, /* TLS1_TXT_DHE_RSA_WITH_AES_256_SHA */
  1285. 0x0038, /* TLS1_TXT_DHE_DSS_WITH_AES_256_SHA */
  1286. 0xc00f, /* TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA */
  1287. 0xc005, /* TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA */
  1288. 0x0035, /* TLS1_TXT_RSA_WITH_AES_256_SHA */
  1289. 0xc007, /* TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA */
  1290. 0xc009, /* TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
  1291. 0xc011, /* TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA */
  1292. 0xc013, /* TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA */
  1293. 0x0033, /* TLS1_TXT_DHE_RSA_WITH_AES_128_SHA */
  1294. 0x0032, /* TLS1_TXT_DHE_DSS_WITH_AES_128_SHA */
  1295. 0xc00c, /* TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA */
  1296. 0xc00e, /* TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA */
  1297. 0xc002, /* TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA */
  1298. 0xc004, /* TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA */
  1299. 0x0004, /* SSL3_TXT_RSA_RC4_128_MD5 */
  1300. 0x0005, /* SSL3_TXT_RSA_RC4_128_SHA */
  1301. 0x002f, /* TLS1_TXT_RSA_WITH_AES_128_SHA */
  1302. 0xc008, /* TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA */
  1303. 0xc012, /* TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA */
  1304. 0x0016, /* SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA */
  1305. 0x0013, /* SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA */
  1306. 0xc00d, /* TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA */
  1307. 0xc003, /* TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA */
  1308. 0xfeff, /* SSL3_TXT_RSA_FIPS_WITH_3DES_EDE_CBC_SHA */
  1309. 0x000a, /* SSL3_TXT_RSA_DES_192_CBC3_SHA */
  1310. 0
  1311. };
  1312. /** Have we removed the unrecognized ciphers from v2_cipher_list yet? */
  1313. static int v2_cipher_list_pruned = 0;
  1314. /** Remove from v2_cipher_list every cipher that we don't support, so that
  1315. * comparing v2_cipher_list to a client's cipher list will give a sensible
  1316. * result. */
  1317. static void
  1318. prune_v2_cipher_list(void)
  1319. {
  1320. uint16_t *inp, *outp;
  1321. const SSL_METHOD *m = SSLv23_method();
  1322. inp = outp = v2_cipher_list;
  1323. while (*inp) {
  1324. unsigned char cipherid[2];
  1325. const SSL_CIPHER *cipher;
  1326. /* Is there no better way to do this? */
  1327. set_uint16(cipherid, htons(*inp));
  1328. cipher = m->get_cipher_by_char(cipherid);
  1329. if (cipher) {
  1330. tor_assert((cipher->id & 0xffff) == *inp);
  1331. *outp++ = *inp++;
  1332. } else {
  1333. inp++;
  1334. }
  1335. }
  1336. *outp = 0;
  1337. v2_cipher_list_pruned = 1;
  1338. }
  1339. /** Examine the client cipher list in <b>ssl</b>, and determine what kind of
  1340. * client it is. Return one of CIPHERS_ERR, CIPHERS_V1, CIPHERS_V2,
  1341. * CIPHERS_UNRESTRICTED.
  1342. **/
  1343. static int
  1344. tor_tls_classify_client_ciphers(const SSL *ssl,
  1345. STACK_OF(SSL_CIPHER) *peer_ciphers)
  1346. {
  1347. int i, res;
  1348. tor_tls_t *tor_tls;
  1349. if (PREDICT_UNLIKELY(!v2_cipher_list_pruned))
  1350. prune_v2_cipher_list();
  1351. tor_tls = tor_tls_get_by_ssl(ssl);
  1352. if (tor_tls && tor_tls->client_cipher_list_type)
  1353. return tor_tls->client_cipher_list_type;
  1354. /* If we reached this point, we just got a client hello. See if there is
  1355. * a cipher list. */
  1356. if (!peer_ciphers) {
  1357. log_info(LD_NET, "No ciphers on session");
  1358. res = CIPHERS_ERR;
  1359. goto done;
  1360. }
  1361. /* Now we need to see if there are any ciphers whose presence means we're
  1362. * dealing with an updated Tor. */
  1363. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1364. SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1365. const char *ciphername = SSL_CIPHER_get_name(cipher);
  1366. if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
  1367. strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
  1368. strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) &&
  1369. strcmp(ciphername, "(NONE)")) {
  1370. log_debug(LD_NET, "Got a non-version-1 cipher called '%s'", ciphername);
  1371. // return 1;
  1372. goto v2_or_higher;
  1373. }
  1374. }
  1375. res = CIPHERS_V1;
  1376. goto done;
  1377. v2_or_higher:
  1378. {
  1379. const uint16_t *v2_cipher = v2_cipher_list;
  1380. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1381. SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1382. uint16_t id = cipher->id & 0xffff;
  1383. if (id == 0x00ff) /* extended renegotiation indicator. */
  1384. continue;
  1385. if (!id || id != *v2_cipher) {
  1386. res = CIPHERS_UNRESTRICTED;
  1387. goto dump_ciphers;
  1388. }
  1389. ++v2_cipher;
  1390. }
  1391. if (*v2_cipher != 0) {
  1392. res = CIPHERS_UNRESTRICTED;
  1393. goto dump_ciphers;
  1394. }
  1395. res = CIPHERS_V2;
  1396. }
  1397. dump_ciphers:
  1398. {
  1399. smartlist_t *elts = smartlist_new();
  1400. char *s;
  1401. for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
  1402. SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
  1403. const char *ciphername = SSL_CIPHER_get_name(cipher);
  1404. smartlist_add(elts, (char*)ciphername);
  1405. }
  1406. s = smartlist_join_strings(elts, ":", 0, NULL);
  1407. log_debug(LD_NET, "Got a %s V2/V3 cipher list from %s. It is: '%s'",
  1408. (res == CIPHERS_V2) ? "fictitious" : "real", ADDR(tor_tls), s);
  1409. tor_free(s);
  1410. smartlist_free(elts);
  1411. }
  1412. done:
  1413. if (tor_tls)
  1414. return tor_tls->client_cipher_list_type = res;
  1415. return res;
  1416. }
  1417. /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
  1418. * a list that indicates that the client knows how to do the v2 TLS connection
  1419. * handshake. */
  1420. static int
  1421. tor_tls_client_is_using_v2_ciphers(const SSL *ssl)
  1422. {
  1423. SSL_SESSION *session;
  1424. if (!(session = SSL_get_session((SSL *)ssl))) {
  1425. log_info(LD_NET, "No session on TLS?");
  1426. return CIPHERS_ERR;
  1427. }
  1428. return tor_tls_classify_client_ciphers(ssl, session->ciphers) >= CIPHERS_V2;
  1429. }
  1430. /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
  1431. * changes state. We use this:
  1432. * <ul><li>To alter the state of the handshake partway through, so we
  1433. * do not send or request extra certificates in v2 handshakes.</li>
  1434. * <li>To detect renegotiation</li></ul>
  1435. */
  1436. static void
  1437. tor_tls_server_info_callback(const SSL *ssl, int type, int val)
  1438. {
  1439. tor_tls_t *tls;
  1440. (void) val;
  1441. tor_tls_debug_state_callback(ssl, type, val);
  1442. if (type != SSL_CB_ACCEPT_LOOP)
  1443. return;
  1444. if ((ssl->state != SSL3_ST_SW_SRVR_HELLO_A) &&
  1445. (ssl->state != SSL3_ST_SW_SRVR_HELLO_B))
  1446. return;
  1447. tls = tor_tls_get_by_ssl(ssl);
  1448. if (tls) {
  1449. /* Check whether we're watching for renegotiates. If so, this is one! */
  1450. if (tls->negotiated_callback)
  1451. tls->got_renegotiate = 1;
  1452. if (tls->server_handshake_count < 127) /*avoid any overflow possibility*/
  1453. ++tls->server_handshake_count;
  1454. } else {
  1455. log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
  1456. return;
  1457. }
  1458. /* Now check the cipher list. */
  1459. if (tor_tls_client_is_using_v2_ciphers(ssl)) {
  1460. if (tls->wasV2Handshake)
  1461. return; /* We already turned this stuff off for the first handshake;
  1462. * This is a renegotiation. */
  1463. /* Yes, we're casting away the const from ssl. This is very naughty of us.
  1464. * Let's hope openssl doesn't notice! */
  1465. /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
  1466. SSL_set_mode((SSL*) ssl, SSL_MODE_NO_AUTO_CHAIN);
  1467. /* Don't send a hello request. */
  1468. SSL_set_verify((SSL*) ssl, SSL_VERIFY_NONE, NULL);
  1469. if (tls) {
  1470. tls->wasV2Handshake = 1;
  1471. #ifdef USE_BUFFEREVENTS
  1472. if (use_unsafe_renegotiation_flag)
  1473. tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
  1474. #endif
  1475. } else {
  1476. log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
  1477. }
  1478. }
  1479. }
  1480. #endif
  1481. #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,0)
  1482. /** Callback to get invoked on a server after we've read the list of ciphers
  1483. * the client supports, but before we pick our own ciphersuite.
  1484. *
  1485. * We can't abuse an info_cb for this, since by the time one of the
  1486. * client_hello info_cbs is called, we've already picked which ciphersuite to
  1487. * use.
  1488. *
  1489. * Technically, this function is an abuse of this callback, since the point of
  1490. * a session_secret_cb is to try to set up and/or verify a shared-secret for
  1491. * authentication on the fly. But as long as we return 0, we won't actually be
  1492. * setting up a shared secret, and all will be fine.
  1493. */
  1494. static int
  1495. tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len,
  1496. STACK_OF(SSL_CIPHER) *peer_ciphers,
  1497. SSL_CIPHER **cipher, void *arg)
  1498. {
  1499. (void) secret;
  1500. (void) secret_len;
  1501. (void) peer_ciphers;
  1502. (void) cipher;
  1503. (void) arg;
  1504. if (tor_tls_classify_client_ciphers(ssl, peer_ciphers) ==
  1505. CIPHERS_UNRESTRICTED) {
  1506. SSL_set_cipher_list(ssl, UNRESTRICTED_SERVER_CIPHER_LIST);
  1507. }
  1508. SSL_set_session_secret_cb(ssl, NULL, NULL);
  1509. return 0;
  1510. }
  1511. static void
  1512. tor_tls_setup_session_secret_cb(tor_tls_t *tls)
  1513. {
  1514. SSL_set_session_secret_cb(tls->ssl, tor_tls_session_secret_cb, NULL);
  1515. }
  1516. #else
  1517. #define tor_tls_setup_session_secret_cb(tls) STMT_NIL
  1518. #endif
  1519. /** Explain which ciphers we're missing. */
  1520. static void
  1521. log_unsupported_ciphers(smartlist_t *unsupported)
  1522. {
  1523. char *joined;
  1524. log_notice(LD_NET, "We weren't able to find support for all of the "
  1525. "TLS ciphersuites that we wanted to advertise. This won't "
  1526. "hurt security, but it might make your Tor (if run as a client) "
  1527. "more easy for censors to block.");
  1528. if (SSLeay() < 0x10000000L) {
  1529. log_notice(LD_NET, "To correct this, use a more recent OpenSSL, "
  1530. "built without disabling any secure ciphers or features.");
  1531. } else {
  1532. log_notice(LD_NET, "To correct this, use a version of OpenSSL "
  1533. "built with none of its ciphers disabled.");
  1534. }
  1535. joined = smartlist_join_strings(unsupported, ":", 0, NULL);
  1536. log_info(LD_NET, "The unsupported ciphers were: %s", joined);
  1537. tor_free(joined);
  1538. }
  1539. /** Replace *<b>ciphers</b> with a new list of SSL ciphersuites: specifically,
  1540. * a list designed to mimic a common web browser. We might not be able to do
  1541. * that if OpenSSL doesn't support all the ciphers we want. Some of the
  1542. * ciphers in the list won't actually be implemented by OpenSSL: that's okay
  1543. * so long as the server doesn't select them.
  1544. *
  1545. * [If the server <b>does</b> select a bogus cipher, we won't crash or
  1546. * anything; we'll just fail later when we try to look up the cipher in
  1547. * ssl->cipher_list_by_id.]
  1548. */
  1549. static void
  1550. rectify_client_ciphers(STACK_OF(SSL_CIPHER) **ciphers)
  1551. {
  1552. #ifdef V2_HANDSHAKE_CLIENT
  1553. if (PREDICT_UNLIKELY(!CLIENT_CIPHER_STACK)) {
  1554. /* We need to set CLIENT_CIPHER_STACK to an array of the ciphers
  1555. * we want to use/advertise. */
  1556. int i = 0, j = 0;
  1557. smartlist_t *unsupported = smartlist_new();
  1558. /* First, create a dummy SSL_CIPHER for every cipher. */
  1559. CLIENT_CIPHER_DUMMIES =
  1560. tor_malloc_zero(sizeof(SSL_CIPHER)*N_CLIENT_CIPHERS);
  1561. for (i=0; i < N_CLIENT_CIPHERS; ++i) {
  1562. CLIENT_CIPHER_DUMMIES[i].valid = 1;
  1563. /* The "3<<24" here signifies that the cipher is supposed to work with
  1564. * SSL3 and TLS1. */
  1565. CLIENT_CIPHER_DUMMIES[i].id = CLIENT_CIPHER_INFO_LIST[i].id | (3<<24);
  1566. CLIENT_CIPHER_DUMMIES[i].name = CLIENT_CIPHER_INFO_LIST[i].name;
  1567. }
  1568. CLIENT_CIPHER_STACK = sk_SSL_CIPHER_new_null();
  1569. tor_assert(CLIENT_CIPHER_STACK);
  1570. log_debug(LD_NET, "List was: %s", CLIENT_CIPHER_LIST);
  1571. for (j = 0; j < sk_SSL_CIPHER_num(*ciphers); ++j) {
  1572. SSL_CIPHER *cipher = sk_SSL_CIPHER_value(*ciphers, j);
  1573. log_debug(LD_NET, "Cipher %d: %lx %s", j, cipher->id, cipher->name);
  1574. }
  1575. /* Then copy as many ciphers as we can from the good list, inserting
  1576. * dummies as needed. Let j be an index into list of ciphers we have
  1577. * (*ciphers) and let i be an index into the ciphers we want
  1578. * (CLIENT_INFO_CIPHER_LIST). We are building a list of ciphers in
  1579. * CLIENT_CIPHER_STACK.
  1580. */
  1581. for (i = j = 0; i < N_CLIENT_CIPHERS; ) {
  1582. SSL_CIPHER *cipher = NULL;
  1583. if (j < sk_SSL_CIPHER_num(*ciphers))
  1584. cipher = sk_SSL_CIPHER_value(*ciphers, j);
  1585. if (cipher && ((cipher->id >> 24) & 0xff) != 3) {
  1586. /* Skip over non-v3 ciphers entirely. (This should no longer be
  1587. * needed, thanks to saying !SSLv2 above.) */
  1588. log_debug(LD_NET, "Skipping v%d cipher %s",
  1589. (int)((cipher->id>>24) & 0xff),
  1590. cipher->name);
  1591. ++j;
  1592. } else if (cipher &&
  1593. (cipher->id & 0xffff) == CLIENT_CIPHER_INFO_LIST[i].id) {
  1594. /* "cipher" is the cipher we expect. Put it on the list. */
  1595. log_debug(LD_NET, "Found cipher %s", cipher->name);
  1596. sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, cipher);
  1597. ++j;
  1598. ++i;
  1599. } else if (!strcmp(CLIENT_CIPHER_DUMMIES[i].name,
  1600. "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA")) {
  1601. /* We found bogus cipher 0xfeff, which OpenSSL doesn't support and
  1602. * never has. For this one, we need a dummy. */
  1603. log_debug(LD_NET, "Inserting fake %s", CLIENT_CIPHER_DUMMIES[i].name);
  1604. sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, &CLIENT_CIPHER_DUMMIES[i]);
  1605. ++i;
  1606. } else {
  1607. /* OpenSSL doesn't have this one. */
  1608. log_debug(LD_NET, "Completely omitting unsupported cipher %s",
  1609. CLIENT_CIPHER_INFO_LIST[i].name);
  1610. smartlist_add(unsupported, (char*) CLIENT_CIPHER_INFO_LIST[i].name);
  1611. ++i;
  1612. }
  1613. }
  1614. if (smartlist_len(unsupported))
  1615. log_unsupported_ciphers(unsupported);
  1616. smartlist_free(unsupported);
  1617. }
  1618. sk_SSL_CIPHER_free(*ciphers);
  1619. *ciphers = sk_SSL_CIPHER_dup(CLIENT_CIPHER_STACK);
  1620. tor_assert(*ciphers);
  1621. #else
  1622. (void)ciphers;
  1623. #endif
  1624. }
  1625. /** Create a new TLS object from a file descriptor, and a flag to
  1626. * determine whether it is functioning as a server.
  1627. */
  1628. tor_tls_t *
  1629. tor_tls_new(int sock, int isServer)
  1630. {
  1631. BIO *bio = NULL;
  1632. tor_tls_t *result = tor_malloc_zero(sizeof(tor_tls_t));
  1633. tor_tls_context_t *context = isServer ? server_tls_context :
  1634. client_tls_context;
  1635. result->magic = TOR_TLS_MAGIC;
  1636. tor_assert(context); /* make sure somebody made it first */
  1637. if (!(result->ssl = SSL_new(context->ctx))) {
  1638. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating SSL object");
  1639. tor_free(result);
  1640. return NULL;
  1641. }
  1642. #ifdef SSL_set_tlsext_host_name
  1643. /* Browsers use the TLS hostname extension, so we should too. */
  1644. if (!isServer) {
  1645. char *fake_hostname = crypto_random_hostname(4,25, "www.",".com");
  1646. SSL_set_tlsext_host_name(result->ssl, fake_hostname);
  1647. tor_free(fake_hostname);
  1648. }
  1649. #endif
  1650. if (!SSL_set_cipher_list(result->ssl,
  1651. isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST)) {
  1652. tls_log_errors(NULL, LOG_WARN, LD_NET, "setting ciphers");
  1653. #ifdef SSL_set_tlsext_host_name
  1654. SSL_set_tlsext_host_name(result->ssl, NULL);
  1655. #endif
  1656. SSL_free(result->ssl);
  1657. tor_free(result);
  1658. return NULL;
  1659. }
  1660. if (!isServer)
  1661. rectify_client_ciphers(&result->ssl->cipher_list);
  1662. result->socket = sock;
  1663. bio = BIO_new_socket(sock, BIO_NOCLOSE);
  1664. if (! bio) {
  1665. tls_log_errors(NULL, LOG_WARN, LD_NET, "opening BIO");
  1666. #ifdef SSL_set_tlsext_host_name
  1667. SSL_set_tlsext_host_name(result->ssl, NULL);
  1668. #endif
  1669. SSL_free(result->ssl);
  1670. tor_free(result);
  1671. return NULL;
  1672. }
  1673. {
  1674. int set_worked =
  1675. SSL_set_ex_data(result->ssl, tor_tls_object_ex_data_index, result);
  1676. if (!set_worked) {
  1677. log_warn(LD_BUG,
  1678. "Couldn't set the tls for an SSL*; connection will fail");
  1679. }
  1680. }
  1681. SSL_set_bio(result->ssl, bio, bio);
  1682. tor_tls_context_incref(context);
  1683. result->context = context;
  1684. result->state = TOR_TLS_ST_HANDSHAKE;
  1685. result->isServer = isServer;
  1686. result->wantwrite_n = 0;
  1687. result->last_write_count = BIO_number_written(bio);
  1688. result->last_read_count = BIO_number_read(bio);
  1689. if (result->last_write_count || result->last_read_count) {
  1690. log_warn(LD_NET, "Newly created BIO has read count %lu, write count %lu",
  1691. result->last_read_count, result->last_write_count);
  1692. }
  1693. #ifdef V2_HANDSHAKE_SERVER
  1694. if (isServer) {
  1695. SSL_set_info_callback(result->ssl, tor_tls_server_info_callback);
  1696. } else
  1697. #endif
  1698. {
  1699. SSL_set_info_callback(result->ssl, tor_tls_debug_state_callback);
  1700. }
  1701. if (isServer)
  1702. tor_tls_setup_session_secret_cb(result);
  1703. /* Not expected to get called. */
  1704. tls_log_errors(NULL, LOG_WARN, LD_NET, "creating tor_tls_t object");
  1705. return result;
  1706. }
  1707. /** Make future log messages about <b>tls</b> display the address
  1708. * <b>address</b>.
  1709. */
  1710. void
  1711. tor_tls_set_logged_address(tor_tls_t *tls, const char *address)
  1712. {
  1713. tor_assert(tls);
  1714. tor_free(tls->address);
  1715. tls->address = tor_strdup(address);
  1716. }
  1717. /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
  1718. * next gets a client-side renegotiate in the middle of a read. Do not
  1719. * invoke this function until <em>after</em> initial handshaking is done!
  1720. */
  1721. void
  1722. tor_tls_set_renegotiate_callback(tor_tls_t *tls,
  1723. void (*cb)(tor_tls_t *, void *arg),
  1724. void *arg)
  1725. {
  1726. tls->negotiated_callback = cb;
  1727. tls->callback_arg = arg;
  1728. tls->got_renegotiate = 0;
  1729. #ifdef V2_HANDSHAKE_SERVER
  1730. if (cb) {
  1731. SSL_set_info_callback(tls->ssl, tor_tls_server_info_callback);
  1732. } else {
  1733. SSL_set_info_callback(tls->ssl, tor_tls_debug_state_callback);
  1734. }
  1735. #endif
  1736. }
  1737. /** If this version of openssl requires it, turn on renegotiation on
  1738. * <b>tls</b>.
  1739. */
  1740. void
  1741. tor_tls_unblock_renegotiation(tor_tls_t *tls)
  1742. {
  1743. /* Yes, we know what we are doing here. No, we do not treat a renegotiation
  1744. * as authenticating any earlier-received data. */
  1745. if (use_unsafe_renegotiation_flag) {
  1746. tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
  1747. }
  1748. if (use_unsafe_renegotiation_op) {
  1749. SSL_set_options(tls->ssl,
  1750. SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
  1751. }
  1752. }
  1753. /** If this version of openssl supports it, turn off renegotiation on
  1754. * <b>tls</b>. (Our protocol never requires this for security, but it's nice
  1755. * to use belt-and-suspenders here.)
  1756. */
  1757. void
  1758. tor_tls_block_renegotiation(tor_tls_t *tls)
  1759. {
  1760. tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
  1761. }
  1762. /** Assert that the flags that allow legacy renegotiation are still set */
  1763. void
  1764. tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
  1765. {
  1766. if (use_unsafe_renegotiation_flag) {
  1767. tor_assert(0 != (tls->ssl->s3->flags &
  1768. SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
  1769. }
  1770. if (use_unsafe_renegotiation_op) {
  1771. long options = SSL_get_options(tls->ssl);
  1772. tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
  1773. }
  1774. }
  1775. /** Return whether this tls initiated the connect (client) or
  1776. * received it (server). */
  1777. int
  1778. tor_tls_is_server(tor_tls_t *tls)
  1779. {
  1780. tor_assert(tls);
  1781. return tls->isServer;
  1782. }
  1783. /** Release resources associated with a TLS object. Does not close the
  1784. * underlying file descriptor.
  1785. */
  1786. void
  1787. tor_tls_free(tor_tls_t *tls)
  1788. {
  1789. if (!tls)
  1790. return;
  1791. tor_assert(tls->ssl);
  1792. {
  1793. size_t r,w;
  1794. tor_tls_get_n_raw_bytes(tls,&r,&w); /* ensure written_by_tls is updated */
  1795. }
  1796. #ifdef SSL_set_tlsext_host_name
  1797. SSL_set_tlsext_host_name(tls->ssl, NULL);
  1798. #endif
  1799. SSL_free(tls->ssl);
  1800. tls->ssl = NULL;
  1801. tls->negotiated_callback = NULL;
  1802. if (tls->context)
  1803. tor_tls_context_decref(tls->context);
  1804. tor_free(tls->address);
  1805. tls->magic = 0x99999999;
  1806. tor_free(tls);
  1807. }
  1808. /** Underlying function for TLS reading. Reads up to <b>len</b>
  1809. * characters from <b>tls</b> into <b>cp</b>. On success, returns the
  1810. * number of characters read. On failure, returns TOR_TLS_ERROR,
  1811. * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
  1812. */
  1813. int
  1814. tor_tls_read(tor_tls_t *tls, char *cp, size_t len)
  1815. {
  1816. int r, err;
  1817. tor_assert(tls);
  1818. tor_assert(tls->ssl);
  1819. tor_assert(tls->state == TOR_TLS_ST_OPEN);
  1820. tor_assert(len<INT_MAX);
  1821. r = SSL_read(tls->ssl, cp, (int)len);
  1822. if (r > 0) {
  1823. #ifdef V2_HANDSHAKE_SERVER
  1824. if (tls->got_renegotiate) {
  1825. /* Renegotiation happened! */
  1826. log_info(LD_NET, "Got a TLS renegotiation from %s", ADDR(tls));
  1827. if (tls->negotiated_callback)
  1828. tls->negotiated_callback(tls, tls->callback_arg);
  1829. tls->got_renegotiate = 0;
  1830. }
  1831. #endif
  1832. return r;
  1833. }
  1834. err = tor_tls_get_error(tls, r, CATCH_ZERO, "reading", LOG_DEBUG, LD_NET);
  1835. if (err == TOR_TLS_ZERORETURN_ || err == TOR_TLS_CLOSE) {
  1836. log_debug(LD_NET,"read returned r=%d; TLS is closed",r);
  1837. tls->state = TOR_TLS_ST_CLOSED;
  1838. return TOR_TLS_CLOSE;
  1839. } else {
  1840. tor_assert(err != TOR_TLS_DONE);
  1841. log_debug(LD_NET,"read returned r=%d, err=%d",r,err);
  1842. return err;
  1843. }
  1844. }
  1845. /** Total number of bytes that we've used TLS to send. Used to track TLS
  1846. * overhead. */
  1847. static uint64_t total_bytes_written_over_tls = 0;
  1848. /** Total number of bytes that TLS has put on the network for us. Used to
  1849. * track TLS overhead. */
  1850. static uint64_t total_bytes_written_by_tls = 0;
  1851. /** Underlying function for TLS writing. Write up to <b>n</b>
  1852. * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
  1853. * number of characters written. On failure, returns TOR_TLS_ERROR,
  1854. * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
  1855. */
  1856. int
  1857. tor_tls_write(tor_tls_t *tls, const char *cp, size_t n)
  1858. {
  1859. int r, err;
  1860. tor_assert(tls);
  1861. tor_assert(tls->ssl);
  1862. tor_assert(tls->state == TOR_TLS_ST_OPEN);
  1863. tor_assert(n < INT_MAX);
  1864. if (n == 0)
  1865. return 0;
  1866. if (tls->wantwrite_n) {
  1867. /* if WANTWRITE last time, we must use the _same_ n as before */
  1868. tor_assert(n >= tls->wantwrite_n);
  1869. log_debug(LD_NET,"resuming pending-write, (%d to flush, reusing %d)",
  1870. (int)n, (int)tls->wantwrite_n);
  1871. n = tls->wantwrite_n;
  1872. tls->wantwrite_n = 0;
  1873. }
  1874. r = SSL_write(tls->ssl, cp, (int)n);
  1875. err = tor_tls_get_error(tls, r, 0, "writing", LOG_INFO, LD_NET);
  1876. if (err == TOR_TLS_DONE) {
  1877. total_bytes_written_over_tls += r;
  1878. return r;
  1879. }
  1880. if (err == TOR_TLS_WANTWRITE || err == TOR_TLS_WANTREAD) {
  1881. tls->wantwrite_n = n;
  1882. }
  1883. return err;
  1884. }
  1885. /** Perform initial handshake on <b>tls</b>. When finished, returns
  1886. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
  1887. * or TOR_TLS_WANTWRITE.
  1888. */
  1889. int
  1890. tor_tls_handshake(tor_tls_t *tls)
  1891. {
  1892. int r;
  1893. int oldstate;
  1894. tor_assert(tls);
  1895. tor_assert(tls->ssl);
  1896. tor_assert(tls->state == TOR_TLS_ST_HANDSHAKE);
  1897. check_no_tls_errors();
  1898. oldstate = tls->ssl->state;
  1899. if (tls->isServer) {
  1900. log_debug(LD_HANDSHAKE, "About to call SSL_accept on %p (%s)", tls,
  1901. SSL_state_string_long(tls->ssl));
  1902. r = SSL_accept(tls->ssl);
  1903. } else {
  1904. log_debug(LD_HANDSHAKE, "About to call SSL_connect on %p (%s)", tls,
  1905. SSL_state_string_long(tls->ssl));
  1906. r = SSL_connect(tls->ssl);
  1907. }
  1908. if (oldstate != tls->ssl->state)
  1909. log_debug(LD_HANDSHAKE, "After call, %p was in state %s",
  1910. tls, SSL_state_string_long(tls->ssl));
  1911. /* We need to call this here and not earlier, since OpenSSL has a penchant
  1912. * for clearing its flags when you say accept or connect. */
  1913. tor_tls_unblock_renegotiation(tls);
  1914. r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO, LD_HANDSHAKE);
  1915. if (ERR_peek_error() != 0) {
  1916. tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN, LD_HANDSHAKE,
  1917. "handshaking");
  1918. return TOR_TLS_ERROR_MISC;
  1919. }
  1920. if (r == TOR_TLS_DONE) {
  1921. tls->state = TOR_TLS_ST_OPEN;
  1922. return tor_tls_finish_handshake(tls);
  1923. }
  1924. return r;
  1925. }
  1926. /** Perform the final part of the intial TLS handshake on <b>tls</b>. This
  1927. * should be called for the first handshake only: it determines whether the v1
  1928. * or the v2 handshake was used, and adjusts things for the renegotiation
  1929. * handshake as appropriate.
  1930. *
  1931. * tor_tls_handshake() calls this on its own; you only need to call this if
  1932. * bufferevent is doing the handshake for you.
  1933. */
  1934. int
  1935. tor_tls_finish_handshake(tor_tls_t *tls)
  1936. {
  1937. int r = TOR_TLS_DONE;
  1938. if (tls->isServer) {
  1939. SSL_set_info_callback(tls->ssl, NULL);
  1940. SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
  1941. /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
  1942. tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN;
  1943. #ifdef V2_HANDSHAKE_SERVER
  1944. if (tor_tls_client_is_using_v2_ciphers(tls->ssl)) {
  1945. /* This check is redundant, but back when we did it in the callback,
  1946. * we might have not been able to look up the tor_tls_t if the code
  1947. * was buggy. Fixing that. */
  1948. if (!tls->wasV2Handshake) {
  1949. log_warn(LD_BUG, "For some reason, wasV2Handshake didn't"
  1950. " get set. Fixing that.");
  1951. }
  1952. tls->wasV2Handshake = 1;
  1953. log_debug(LD_HANDSHAKE, "Completed V2 TLS handshake with client; waiting"
  1954. " for renegotiation.");
  1955. } else {
  1956. tls->wasV2Handshake = 0;
  1957. }
  1958. #endif
  1959. } else {
  1960. #ifdef V2_HANDSHAKE_CLIENT
  1961. /* If we got no ID cert, we're a v2 handshake. */
  1962. X509 *cert = SSL_get_peer_certificate(tls->ssl);
  1963. STACK_OF(X509) *chain = SSL_get_peer_cert_chain(tls->ssl);
  1964. int n_certs = sk_X509_num(chain);
  1965. if (n_certs > 1 || (n_certs == 1 && cert != sk_X509_value(chain, 0))) {
  1966. log_debug(LD_HANDSHAKE, "Server sent back multiple certificates; it "
  1967. "looks like a v1 handshake on %p", tls);
  1968. tls->wasV2Handshake = 0;
  1969. } else {
  1970. log_debug(LD_HANDSHAKE,
  1971. "Server sent back a single certificate; looks like "
  1972. "a v2 handshake on %p.", tls);
  1973. tls->wasV2Handshake = 1;
  1974. }
  1975. if (cert)
  1976. X509_free(cert);
  1977. #endif
  1978. if (SSL_set_cipher_list(tls->ssl, SERVER_CIPHER_LIST) == 0) {
  1979. tls_log_errors(NULL, LOG_WARN, LD_HANDSHAKE, "re-setting ciphers");
  1980. r = TOR_TLS_ERROR_MISC;
  1981. }
  1982. }
  1983. return r;
  1984. }
  1985. #ifdef USE_BUFFEREVENTS
  1986. /** Put <b>tls</b>, which must be a client connection, into renegotiation
  1987. * mode. */
  1988. int
  1989. tor_tls_start_renegotiating(tor_tls_t *tls)
  1990. {
  1991. int r = SSL_renegotiate(tls->ssl);
  1992. if (r <= 0) {
  1993. return tor_tls_get_error(tls, r, 0, "renegotiating", LOG_WARN,
  1994. LD_HANDSHAKE);
  1995. }
  1996. return 0;
  1997. }
  1998. #endif
  1999. /** Client only: Renegotiate a TLS session. When finished, returns
  2000. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD, or
  2001. * TOR_TLS_WANTWRITE.
  2002. */
  2003. int
  2004. tor_tls_renegotiate(tor_tls_t *tls)
  2005. {
  2006. int r;
  2007. tor_assert(tls);
  2008. /* We could do server-initiated renegotiation too, but that would be tricky.
  2009. * Instead of "SSL_renegotiate, then SSL_do_handshake until done" */
  2010. tor_assert(!tls->isServer);
  2011. if (tls->state != TOR_TLS_ST_RENEGOTIATE) {
  2012. int r = SSL_renegotiate(tls->ssl);
  2013. if (r <= 0) {
  2014. return tor_tls_get_error(tls, r, 0, "renegotiating", LOG_WARN,
  2015. LD_HANDSHAKE);
  2016. }
  2017. tls->state = TOR_TLS_ST_RENEGOTIATE;
  2018. }
  2019. r = SSL_do_handshake(tls->ssl);
  2020. if (r == 1) {
  2021. tls->state = TOR_TLS_ST_OPEN;
  2022. return TOR_TLS_DONE;
  2023. } else
  2024. return tor_tls_get_error(tls, r, 0, "renegotiating handshake", LOG_INFO,
  2025. LD_HANDSHAKE);
  2026. }
  2027. /** Shut down an open tls connection <b>tls</b>. When finished, returns
  2028. * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
  2029. * or TOR_TLS_WANTWRITE.
  2030. */
  2031. int
  2032. tor_tls_shutdown(tor_tls_t *tls)
  2033. {
  2034. int r, err;
  2035. char buf[128];
  2036. tor_assert(tls);
  2037. tor_assert(tls->ssl);
  2038. while (1) {
  2039. if (tls->state == TOR_TLS_ST_SENTCLOSE) {
  2040. /* If we've already called shutdown once to send a close message,
  2041. * we read until the other side has closed too.
  2042. */
  2043. do {
  2044. r = SSL_read(tls->ssl, buf, 128);
  2045. } while (r>0);
  2046. err = tor_tls_get_error(tls, r, CATCH_ZERO, "reading to shut down",
  2047. LOG_INFO, LD_NET);
  2048. if (err == TOR_TLS_ZERORETURN_) {
  2049. tls->state = TOR_TLS_ST_GOTCLOSE;
  2050. /* fall through... */
  2051. } else {
  2052. return err;
  2053. }
  2054. }
  2055. r = SSL_shutdown(tls->ssl);
  2056. if (r == 1) {
  2057. /* If shutdown returns 1, the connection is entirely closed. */
  2058. tls->state = TOR_TLS_ST_CLOSED;
  2059. return TOR_TLS_DONE;
  2060. }
  2061. err = tor_tls_get_error(tls, r, CATCH_SYSCALL|CATCH_ZERO, "shutting down",
  2062. LOG_INFO, LD_NET);
  2063. if (err == TOR_TLS_SYSCALL_) {
  2064. /* The underlying TCP connection closed while we were shutting down. */
  2065. tls->state = TOR_TLS_ST_CLOSED;
  2066. return TOR_TLS_DONE;
  2067. } else if (err == TOR_TLS_ZERORETURN_) {
  2068. /* The TLS connection says that it sent a shutdown record, but
  2069. * isn't done shutting down yet. Make sure that this hasn't
  2070. * happened before, then go back to the start of the function
  2071. * and try to read.
  2072. */
  2073. if (tls->state == TOR_TLS_ST_GOTCLOSE ||
  2074. tls->state == TOR_TLS_ST_SENTCLOSE) {
  2075. log_warn(LD_NET,
  2076. "TLS returned \"half-closed\" value while already half-closed");
  2077. return TOR_TLS_ERROR_MISC;
  2078. }
  2079. tls->state = TOR_TLS_ST_SENTCLOSE;
  2080. /* fall through ... */
  2081. } else {
  2082. return err;
  2083. }
  2084. } /* end loop */
  2085. }
  2086. /** Return true iff this TLS connection is authenticated.
  2087. */
  2088. int
  2089. tor_tls_peer_has_cert(tor_tls_t *tls)
  2090. {
  2091. X509 *cert;
  2092. cert = SSL_get_peer_certificate(tls->ssl);
  2093. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "getting peer certificate");
  2094. if (!cert)
  2095. return 0;
  2096. X509_free(cert);
  2097. return 1;
  2098. }
  2099. /** Return the peer certificate, or NULL if there isn't one. */
  2100. tor_cert_t *
  2101. tor_tls_get_peer_cert(tor_tls_t *tls)
  2102. {
  2103. X509 *cert;
  2104. cert = SSL_get_peer_certificate(tls->ssl);
  2105. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "getting peer certificate");
  2106. if (!cert)
  2107. return NULL;
  2108. return tor_cert_new(cert);
  2109. }
  2110. /** Warn that a certificate lifetime extends through a certain range. */
  2111. static void
  2112. log_cert_lifetime(int severity, const X509 *cert, const char *problem)
  2113. {
  2114. BIO *bio = NULL;
  2115. BUF_MEM *buf;
  2116. char *s1=NULL, *s2=NULL;
  2117. char mytime[33];
  2118. time_t now = time(NULL);
  2119. struct tm tm;
  2120. if (problem)
  2121. tor_log(severity, LD_GENERAL,
  2122. "Certificate %s. Either their clock is set wrong, or your clock "
  2123. "is wrong.",
  2124. problem);
  2125. if (!(bio = BIO_new(BIO_s_mem()))) {
  2126. log_warn(LD_GENERAL, "Couldn't allocate BIO!"); goto end;
  2127. }
  2128. if (!(ASN1_TIME_print(bio, X509_get_notBefore(cert)))) {
  2129. tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
  2130. goto end;
  2131. }
  2132. BIO_get_mem_ptr(bio, &buf);
  2133. s1 = tor_strndup(buf->data, buf->length);
  2134. (void)BIO_reset(bio);
  2135. if (!(ASN1_TIME_print(bio, X509_get_notAfter(cert)))) {
  2136. tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
  2137. goto end;
  2138. }
  2139. BIO_get_mem_ptr(bio, &buf);
  2140. s2 = tor_strndup(buf->data, buf->length);
  2141. strftime(mytime, 32, "%b %d %H:%M:%S %Y UTC", tor_gmtime_r(&now, &tm));
  2142. tor_log(severity, LD_GENERAL,
  2143. "(certificate lifetime runs from %s through %s. Your time is %s.)",
  2144. s1,s2,mytime);
  2145. end:
  2146. /* Not expected to get invoked */
  2147. tls_log_errors(NULL, LOG_WARN, LD_NET, "getting certificate lifetime");
  2148. if (bio)
  2149. BIO_free(bio);
  2150. tor_free(s1);
  2151. tor_free(s2);
  2152. }
  2153. /** Helper function: try to extract a link certificate and an identity
  2154. * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
  2155. * *<b>id_cert_out</b> respectively. Log all messages at level
  2156. * <b>severity</b>.
  2157. *
  2158. * Note that a reference is added to cert_out, so it needs to be
  2159. * freed. id_cert_out doesn't. */
  2160. static void
  2161. try_to_extract_certs_from_tls(int severity, tor_tls_t *tls,
  2162. X509 **cert_out, X509 **id_cert_out)
  2163. {
  2164. X509 *cert = NULL, *id_cert = NULL;
  2165. STACK_OF(X509) *chain = NULL;
  2166. int num_in_chain, i;
  2167. *cert_out = *id_cert_out = NULL;
  2168. if (!(cert = SSL_get_peer_certificate(tls->ssl)))
  2169. return;
  2170. *cert_out = cert;
  2171. if (!(chain = SSL_get_peer_cert_chain(tls->ssl)))
  2172. return;
  2173. num_in_chain = sk_X509_num(chain);
  2174. /* 1 means we're receiving (server-side), and it's just the id_cert.
  2175. * 2 means we're connecting (client-side), and it's both the link
  2176. * cert and the id_cert.
  2177. */
  2178. if (num_in_chain < 1) {
  2179. log_fn(severity,LD_PROTOCOL,
  2180. "Unexpected number of certificates in chain (%d)",
  2181. num_in_chain);
  2182. return;
  2183. }
  2184. for (i=0; i<num_in_chain; ++i) {
  2185. id_cert = sk_X509_value(chain, i);
  2186. if (X509_cmp(id_cert, cert) != 0)
  2187. break;
  2188. }
  2189. *id_cert_out = id_cert;
  2190. }
  2191. /** If the provided tls connection is authenticated and has a
  2192. * certificate chain that is currently valid and signed, then set
  2193. * *<b>identity_key</b> to the identity certificate's key and return
  2194. * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
  2195. */
  2196. int
  2197. tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_t **identity_key)
  2198. {
  2199. X509 *cert = NULL, *id_cert = NULL;
  2200. EVP_PKEY *id_pkey = NULL;
  2201. RSA *rsa;
  2202. int r = -1;
  2203. *identity_key = NULL;
  2204. try_to_extract_certs_from_tls(severity, tls, &cert, &id_cert);
  2205. if (!cert)
  2206. goto done;
  2207. if (!id_cert) {
  2208. log_fn(severity,LD_PROTOCOL,"No distinct identity certificate found");
  2209. goto done;
  2210. }
  2211. tls_log_errors(tls, severity, LD_HANDSHAKE, "before verifying certificate");
  2212. if (!(id_pkey = X509_get_pubkey(id_cert)) ||
  2213. X509_verify(cert, id_pkey) <= 0) {
  2214. log_fn(severity,LD_PROTOCOL,"X509_verify on cert and pkey returned <= 0");
  2215. tls_log_errors(tls, severity, LD_HANDSHAKE, "verifying certificate");
  2216. goto done;
  2217. }
  2218. rsa = EVP_PKEY_get1_RSA(id_pkey);
  2219. if (!rsa)
  2220. goto done;
  2221. *identity_key = crypto_new_pk_from_rsa_(rsa);
  2222. r = 0;
  2223. done:
  2224. if (cert)
  2225. X509_free(cert);
  2226. if (id_pkey)
  2227. EVP_PKEY_free(id_pkey);
  2228. /* This should never get invoked, but let's make sure in case OpenSSL
  2229. * acts unexpectedly. */
  2230. tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "finishing tor_tls_verify");
  2231. return r;
  2232. }
  2233. /** Check whether the certificate set on the connection <b>tls</b> is expired
  2234. * give or take <b>past_tolerance</b> seconds, or not-yet-valid give or take
  2235. * <b>future_tolerance</b> seconds. Return 0 for valid, -1 for failure.
  2236. *
  2237. * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
  2238. */
  2239. int
  2240. tor_tls_check_lifetime(int severity, tor_tls_t *tls,
  2241. int past_tolerance, int future_tolerance)
  2242. {
  2243. X509 *cert;
  2244. int r = -1;
  2245. if (!(cert = SSL_get_peer_certificate(tls->ssl)))
  2246. goto done;
  2247. if (check_cert_lifetime_internal(severity, cert,
  2248. past_tolerance, future_tolerance) < 0)
  2249. goto done;
  2250. r = 0;
  2251. done:
  2252. if (cert)
  2253. X509_free(cert);
  2254. /* Not expected to get invoked */
  2255. tls_log_errors(tls, LOG_WARN, LD_NET, "checking certificate lifetime");
  2256. return r;
  2257. }
  2258. /** Helper: check whether <b>cert</b> is expired give or take
  2259. * <b>past_tolerance</b> seconds, or not-yet-valid give or take
  2260. * <b>future_tolerance</b> seconds. If it is live, return 0. If it is not
  2261. * live, log a message and return -1. */
  2262. static int
  2263. check_cert_lifetime_internal(int severity, const X509 *cert,
  2264. int past_tolerance, int future_tolerance)
  2265. {
  2266. time_t now, t;
  2267. now = time(NULL);
  2268. t = now + future_tolerance;
  2269. if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) {
  2270. log_cert_lifetime(severity, cert, "not yet valid");
  2271. return -1;
  2272. }
  2273. t = now - past_tolerance;
  2274. if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) {
  2275. log_cert_lifetime(severity, cert, "already expired");
  2276. return -1;
  2277. }
  2278. return 0;
  2279. }
  2280. /** Return the number of bytes available for reading from <b>tls</b>.
  2281. */
  2282. int
  2283. tor_tls_get_pending_bytes(tor_tls_t *tls)
  2284. {
  2285. tor_assert(tls);
  2286. return SSL_pending(tls->ssl);
  2287. }
  2288. /** If <b>tls</b> requires that the next write be of a particular size,
  2289. * return that size. Otherwise, return 0. */
  2290. size_t
  2291. tor_tls_get_forced_write_size(tor_tls_t *tls)
  2292. {
  2293. return tls->wantwrite_n;
  2294. }
  2295. /** Sets n_read and n_written to the number of bytes read and written,
  2296. * respectively, on the raw socket used by <b>tls</b> since the last time this
  2297. * function was called on <b>tls</b>. */
  2298. void
  2299. tor_tls_get_n_raw_bytes(tor_tls_t *tls, size_t *n_read, size_t *n_written)
  2300. {
  2301. BIO *wbio, *tmpbio;
  2302. unsigned long r, w;
  2303. r = BIO_number_read(SSL_get_rbio(tls->ssl));
  2304. /* We want the number of bytes actually for real written. Unfortunately,
  2305. * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
  2306. * which makes the answer turn out wrong. Let's cope with that. Note
  2307. * that this approach will fail if we ever replace tls->ssl's BIOs with
  2308. * buffering bios for reasons of our own. As an alternative, we could
  2309. * save the original BIO for tls->ssl in the tor_tls_t structure, but
  2310. * that would be tempting fate. */
  2311. wbio = SSL_get_wbio(tls->ssl);
  2312. if (wbio->method == BIO_f_buffer() && (tmpbio = BIO_next(wbio)) != NULL)
  2313. wbio = tmpbio;
  2314. w = BIO_number_written(wbio);
  2315. /* We are ok with letting these unsigned ints go "negative" here:
  2316. * If we wrapped around, this should still give us the right answer, unless
  2317. * we wrapped around by more than ULONG_MAX since the last time we called
  2318. * this function.
  2319. */
  2320. *n_read = (size_t)(r - tls->last_read_count);
  2321. *n_written = (size_t)(w - tls->last_write_count);
  2322. if (*n_read > INT_MAX || *n_written > INT_MAX) {
  2323. log_warn(LD_BUG, "Preposterously large value in tor_tls_get_n_raw_bytes. "
  2324. "r=%lu, last_read=%lu, w=%lu, last_written=%lu",
  2325. r, tls->last_read_count, w, tls->last_write_count);
  2326. }
  2327. total_bytes_written_by_tls += *n_written;
  2328. tls->last_read_count = r;
  2329. tls->last_write_count = w;
  2330. }
  2331. /** Return a ratio of the bytes that TLS has sent to the bytes that we've told
  2332. * it to send. Used to track whether our TLS records are getting too tiny. */
  2333. double
  2334. tls_get_write_overhead_ratio(void)
  2335. {
  2336. if (total_bytes_written_over_tls == 0)
  2337. return 1.0;
  2338. return U64_TO_DBL(total_bytes_written_by_tls) /
  2339. U64_TO_DBL(total_bytes_written_over_tls);
  2340. }
  2341. /** Implement check_no_tls_errors: If there are any pending OpenSSL
  2342. * errors, log an error message. */
  2343. void
  2344. check_no_tls_errors_(const char *fname, int line)
  2345. {
  2346. if (ERR_peek_error() == 0)
  2347. return;
  2348. log_warn(LD_CRYPTO, "Unhandled OpenSSL errors found at %s:%d: ",
  2349. tor_fix_source_file(fname), line);
  2350. tls_log_errors(NULL, LOG_WARN, LD_NET, NULL);
  2351. }
  2352. /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
  2353. * TLS handshake. Output is undefined if the handshake isn't finished. */
  2354. int
  2355. tor_tls_used_v1_handshake(tor_tls_t *tls)
  2356. {
  2357. if (tls->isServer) {
  2358. #ifdef V2_HANDSHAKE_SERVER
  2359. return ! tls->wasV2Handshake;
  2360. #endif
  2361. } else {
  2362. #ifdef V2_HANDSHAKE_CLIENT
  2363. return ! tls->wasV2Handshake;
  2364. #endif
  2365. }
  2366. return 1;
  2367. }
  2368. /** Return true iff <b>name</b> is a DN of a kind that could only
  2369. * occur in a v3-handshake-indicating certificate */
  2370. static int
  2371. dn_indicates_v3_cert(X509_NAME *name)
  2372. {
  2373. #ifdef DISABLE_V3_LINKPROTO_CLIENTSIDE
  2374. (void)name;
  2375. return 0;
  2376. #else
  2377. X509_NAME_ENTRY *entry;
  2378. int n_entries;
  2379. ASN1_OBJECT *obj;
  2380. ASN1_STRING *str;
  2381. unsigned char *s;
  2382. int len, r;
  2383. n_entries = X509_NAME_entry_count(name);
  2384. if (n_entries != 1)
  2385. return 1; /* More than one entry in the DN. */
  2386. entry = X509_NAME_get_entry(name, 0);
  2387. obj = X509_NAME_ENTRY_get_object(entry);
  2388. if (OBJ_obj2nid(obj) != OBJ_txt2nid("commonName"))
  2389. return 1; /* The entry isn't a commonName. */
  2390. str = X509_NAME_ENTRY_get_data(entry);
  2391. len = ASN1_STRING_to_UTF8(&s, str);
  2392. if (len < 0)
  2393. return 0;
  2394. r = fast_memneq(s + len - 4, ".net", 4);
  2395. OPENSSL_free(s);
  2396. return r;
  2397. #endif
  2398. }
  2399. /** Return true iff the peer certificate we're received on <b>tls</b>
  2400. * indicates that this connection should use the v3 (in-protocol)
  2401. * authentication handshake.
  2402. *
  2403. * Only the connection initiator should use this, and only once the initial
  2404. * handshake is done; the responder detects a v1 handshake by cipher types,
  2405. * and a v3/v2 handshake by Versions cell vs renegotiation.
  2406. */
  2407. int
  2408. tor_tls_received_v3_certificate(tor_tls_t *tls)
  2409. {
  2410. X509 *cert = SSL_get_peer_certificate(tls->ssl);
  2411. EVP_PKEY *key = NULL;
  2412. X509_NAME *issuer_name, *subject_name;
  2413. int is_v3 = 0;
  2414. if (!cert) {
  2415. log_warn(LD_BUG, "Called on a connection with no peer certificate");
  2416. goto done;
  2417. }
  2418. subject_name = X509_get_subject_name(cert);
  2419. issuer_name = X509_get_issuer_name(cert);
  2420. if (X509_name_cmp(subject_name, issuer_name) == 0) {
  2421. is_v3 = 1; /* purportedly self signed */
  2422. goto done;
  2423. }
  2424. if (dn_indicates_v3_cert(subject_name) ||
  2425. dn_indicates_v3_cert(issuer_name)) {
  2426. is_v3 = 1; /* DN is fancy */
  2427. goto done;
  2428. }
  2429. key = X509_get_pubkey(cert);
  2430. if (EVP_PKEY_bits(key) != 1024 ||
  2431. EVP_PKEY_type(key->type) != EVP_PKEY_RSA) {
  2432. is_v3 = 1; /* Key is fancy */
  2433. goto done;
  2434. }
  2435. done:
  2436. if (key)
  2437. EVP_PKEY_free(key);
  2438. if (cert)
  2439. X509_free(cert);
  2440. return is_v3;
  2441. }
  2442. /** Return the number of server handshakes that we've noticed doing on
  2443. * <b>tls</b>. */
  2444. int
  2445. tor_tls_get_num_server_handshakes(tor_tls_t *tls)
  2446. {
  2447. return tls->server_handshake_count;
  2448. }
  2449. /** Return true iff the server TLS connection <b>tls</b> got the renegotiation
  2450. * request it was waiting for. */
  2451. int
  2452. tor_tls_server_got_renegotiate(tor_tls_t *tls)
  2453. {
  2454. return tls->got_renegotiate;
  2455. }
  2456. /** Set the DIGEST256_LEN buffer at <b>secrets_out</b> to the value used in
  2457. * the v3 handshake to prove that the client knows the TLS secrets for the
  2458. * connection <b>tls</b>. Return 0 on success, -1 on failure.
  2459. */
  2460. int
  2461. tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out)
  2462. {
  2463. #define TLSSECRET_MAGIC "Tor V3 handshake TLS cross-certification"
  2464. char buf[128];
  2465. size_t len;
  2466. tor_assert(tls);
  2467. tor_assert(tls->ssl);
  2468. tor_assert(tls->ssl->s3);
  2469. tor_assert(tls->ssl->session);
  2470. /*
  2471. The value is an HMAC, using the TLS master key as the HMAC key, of
  2472. client_random | server_random | TLSSECRET_MAGIC
  2473. */
  2474. memcpy(buf + 0, tls->ssl->s3->client_random, 32);
  2475. memcpy(buf + 32, tls->ssl->s3->server_random, 32);
  2476. memcpy(buf + 64, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1);
  2477. len = 64 + strlen(TLSSECRET_MAGIC) + 1;
  2478. crypto_hmac_sha256((char*)secrets_out,
  2479. (char*)tls->ssl->session->master_key,
  2480. tls->ssl->session->master_key_length,
  2481. buf, len);
  2482. memwipe(buf, 0, sizeof(buf));
  2483. return 0;
  2484. }
  2485. /** Examine the amount of memory used and available for buffers in <b>tls</b>.
  2486. * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
  2487. * buffer and *<b>rbuf_bytes</b> to the amount actually used.
  2488. * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
  2489. * buffer and *<b>wbuf_bytes</b> to the amount actually used. */
  2490. void
  2491. tor_tls_get_buffer_sizes(tor_tls_t *tls,
  2492. size_t *rbuf_capacity, size_t *rbuf_bytes,
  2493. size_t *wbuf_capacity, size_t *wbuf_bytes)
  2494. {
  2495. if (tls->ssl->s3->rbuf.buf)
  2496. *rbuf_capacity = tls->ssl->s3->rbuf.len;
  2497. else
  2498. *rbuf_capacity = 0;
  2499. if (tls->ssl->s3->wbuf.buf)
  2500. *wbuf_capacity = tls->ssl->s3->wbuf.len;
  2501. else
  2502. *wbuf_capacity = 0;
  2503. *rbuf_bytes = tls->ssl->s3->rbuf.left;
  2504. *wbuf_bytes = tls->ssl->s3->wbuf.left;
  2505. }
  2506. #ifdef USE_BUFFEREVENTS
  2507. /** Construct and return an TLS-encrypting bufferevent to send data over
  2508. * <b>socket</b>, which must match the socket of the underlying bufferevent
  2509. * <b>bufev_in</b>. The TLS object <b>tls</b> is used for encryption.
  2510. *
  2511. * This function will either create a filtering bufferevent that wraps around
  2512. * <b>bufev_in</b>, or it will free bufev_in and return a new bufferevent that
  2513. * uses the <b>tls</b> to talk to the network directly. Do not use
  2514. * <b>bufev_in</b> after calling this function.
  2515. *
  2516. * The connection will start out doing a server handshake if <b>receiving</b>
  2517. * is strue, and a client handshake otherwise.
  2518. *
  2519. * Returns NULL on failure.
  2520. */
  2521. struct bufferevent *
  2522. tor_tls_init_bufferevent(tor_tls_t *tls, struct bufferevent *bufev_in,
  2523. evutil_socket_t socket, int receiving,
  2524. int filter)
  2525. {
  2526. struct bufferevent *out;
  2527. const enum bufferevent_ssl_state state = receiving ?
  2528. BUFFEREVENT_SSL_ACCEPTING : BUFFEREVENT_SSL_CONNECTING;
  2529. if (filter || tor_libevent_using_iocp_bufferevents()) {
  2530. /* Grab an extra reference to the SSL, since BEV_OPT_CLOSE_ON_FREE
  2531. means that the SSL will get freed too.
  2532. This increment makes our SSL usage not-threadsafe, BTW. We should
  2533. see if we're allowed to use CRYPTO_add from outside openssl. */
  2534. tls->ssl->references += 1;
  2535. out = bufferevent_openssl_filter_new(tor_libevent_get_base(),
  2536. bufev_in,
  2537. tls->ssl,
  2538. state,
  2539. BEV_OPT_DEFER_CALLBACKS|
  2540. BEV_OPT_CLOSE_ON_FREE);
  2541. /* Tell the underlying bufferevent when to accept more data from the SSL
  2542. filter (only when it's got less than 32K to write), and when to notify
  2543. the SSL filter that it could write more (when it drops under 24K). */
  2544. bufferevent_setwatermark(bufev_in, EV_WRITE, 24*1024, 32*1024);
  2545. } else {
  2546. if (bufev_in) {
  2547. evutil_socket_t s = bufferevent_getfd(bufev_in);
  2548. tor_assert(s == -1 || s == socket);
  2549. tor_assert(evbuffer_get_length(bufferevent_get_input(bufev_in)) == 0);
  2550. tor_assert(evbuffer_get_length(bufferevent_get_output(bufev_in)) == 0);
  2551. tor_assert(BIO_number_read(SSL_get_rbio(tls->ssl)) == 0);
  2552. tor_assert(BIO_number_written(SSL_get_rbio(tls->ssl)) == 0);
  2553. bufferevent_free(bufev_in);
  2554. }
  2555. /* Current versions (as of 2.0.x) of Libevent need to defer
  2556. * bufferevent_openssl callbacks, or else our callback functions will
  2557. * get called reentrantly, which is bad for us.
  2558. */
  2559. out = bufferevent_openssl_socket_new(tor_libevent_get_base(),
  2560. socket,
  2561. tls->ssl,
  2562. state,
  2563. BEV_OPT_DEFER_CALLBACKS);
  2564. }
  2565. tls->state = TOR_TLS_ST_BUFFEREVENT;
  2566. /* Unblock _after_ creating the bufferevent, since accept/connect tend to
  2567. * clear flags. */
  2568. tor_tls_unblock_renegotiation(tls);
  2569. return out;
  2570. }
  2571. #endif