tortls.c 48.3 KB
Newer Older
1
2
/* Copyright (c) 2003, Roger Dingledine.
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
Karsten Loesing's avatar
Karsten Loesing committed
3
 * Copyright (c) 2007-2009, The Tor Project, Inc. */
4
5
/* See LICENSE for licensing information */

Nick Mathewson's avatar
Nick Mathewson committed
6
7
/**
 * \file tortls.c
8
9
 * \brief Wrapper functions to present a consistent interface to
 * TLS, SSL, and X.509 functions from OpenSSL.
Nick Mathewson's avatar
Nick Mathewson committed
10
 **/
11

Nick Mathewson's avatar
Nick Mathewson committed
12
/* (Unlike other tor functions, these
13
14
 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
 * functions and variables.)
Nick Mathewson's avatar
Nick Mathewson committed
15
 */
16

17
#include "orconfig.h"
18
19
20

#include <assert.h>
#include <openssl/ssl.h>
21
#include <openssl/ssl3.h>
22
23
24
25
#include <openssl/err.h>
#include <openssl/tls1.h>
#include <openssl/asn1.h>
#include <openssl/bio.h>
26
27
28
#include <openssl/opensslv.h>

#if OPENSSL_VERSION_NUMBER < 0x00907000l
29
#error "We require OpenSSL >= 0.9.7"
30
#endif
31

32
#define CRYPTO_PRIVATE /* to import prototypes from crypto.h */
33

34
35
36
37
38
#include "crypto.h"
#include "tortls.h"
#include "util.h"
#include "log.h"
#include "container.h"
39
#include "ht.h"
40
#include <string.h>
41

42
43
44
45
/* Enable the "v2" TLS handshake.
 */
#define V2_HANDSHAKE_SERVER
#define V2_HANDSHAKE_CLIENT
46

47
/* Copied from or.h */
48
49
#define LEGAL_NICKNAME_CHARACTERS \
  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
50

Nick Mathewson's avatar
Nick Mathewson committed
51
/** How long do identity certificates live? (sec) */
52
#define IDENTITY_CERT_LIFETIME  (365*24*60*60)
Nick Mathewson's avatar
Nick Mathewson committed
53

54
55
#define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")

56
/** Structure holding the TLS state for a single connection. */
57
typedef struct tor_tls_context_t {
58
  int refcnt;
59
  SSL_CTX *ctx;
60
61
  X509 *my_cert;
  X509 *my_id_cert;
62
  crypto_pk_env_t *key;
63
} tor_tls_context_t;
64

Nick Mathewson's avatar
Nick Mathewson committed
65
/** Holds a SSL object and its associated data.  Members are only
66
 * accessed from within tortls.c.
67
 */
68
struct tor_tls_t {
69
  HT_ENTRY(tor_tls_t) node;
Roger Dingledine's avatar
Roger Dingledine committed
70
  tor_tls_context_t *context; /** A link to the context object for this tls. */
71
72
  SSL *ssl; /**< An OpenSSL SSL object. */
  int socket; /**< The underlying file descriptor for this TLS connection. */
73
  char *address; /**< An address to log when describing this connection. */
74
75
  enum {
    TOR_TLS_ST_HANDSHAKE, TOR_TLS_ST_OPEN, TOR_TLS_ST_GOTCLOSE,
76
    TOR_TLS_ST_SENTCLOSE, TOR_TLS_ST_CLOSED, TOR_TLS_ST_RENEGOTIATE,
77
  } state : 3; /**< The current SSL state, depending on which operations have
78
79
                * completed successfully. */
  unsigned int isServer:1; /**< True iff this is a server-side connection */
80
81
82
83
84
  unsigned int wasV2Handshake:1; /**< True iff the original handshake for
                                  * this connection used the updated version
                                  * of the connection protocol (client sends
                                  * different cipher list, server sends only
                                  * one certificate). */
85
86
 /** True iff we should call negotiated_callback when we're done reading. */
  unsigned int got_renegotiate:1;
87
88
  size_t wantwrite_n; /**< 0 normally, >0 if we returned wantwrite last
                       * time. */
89
90
91
  /** Last values retrieved from BIO_number_read()/write(); see
   * tor_tls_get_n_raw_bytes() for usage.
   */
92
93
  unsigned long last_write_count;
  unsigned long last_read_count;
94
95
  /** If set, a callback to invoke whenever the client tries to renegotiate
   * the handshake. */
96
  void (*negotiated_callback)(tor_tls_t *tls, void *arg);
97
  /** Argument to pass to negotiated_callback. */
98
  void *callback_arg;
99
100
};

101
102
103
#ifdef V2_HANDSHAKE_CLIENT
/** An array of fake SSL_CIPHER objects that we use in order to trick OpenSSL
 * in client mode into advertising the ciphers we want.  See
104
 * rectify_client_ciphers() for details. */
105
106
static SSL_CIPHER *CLIENT_CIPHER_DUMMIES = NULL;
/** A stack of SSL_CIPHER objects, some real, some fake.
107
 * See rectify_client_ciphers() for details. */
108
109
110
static STACK_OF(SSL_CIPHER) *CLIENT_CIPHER_STACK = NULL;
#endif

111
112
113
114
115
116
117
118
119
120
121
122
/** Helper: compare tor_tls_t objects by its SSL. */
static INLINE int
tor_tls_entries_eq(const tor_tls_t *a, const tor_tls_t *b)
{
  return a->ssl == b->ssl;
}

/** Helper: return a hash value for a tor_tls_t by its SSL. */
static INLINE unsigned int
tor_tls_entry_hash(const tor_tls_t *a)
{
#if SIZEOF_INT == SIZEOF_VOID_P
123
  return ((unsigned int)(uintptr_t)a->ssl);
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
#else
  return (unsigned int) ((((uint64_t)a->ssl)>>2) & UINT_MAX);
#endif
}

/** Map from SSL* pointers to tor_tls_t objects using those pointers.
 */
static HT_HEAD(tlsmap, tor_tls_t) tlsmap_root = HT_INITIALIZER();

HT_PROTOTYPE(tlsmap, tor_tls_t, node, tor_tls_entry_hash,
             tor_tls_entries_eq)
HT_GENERATE(tlsmap, tor_tls_t, node, tor_tls_entry_hash,
            tor_tls_entries_eq, 0.6, malloc, realloc, free)

/** Helper: given a SSL* pointer, return the tor_tls_t object using that
 * pointer. */
static INLINE tor_tls_t *
141
tor_tls_get_by_ssl(const SSL *ssl)
142
143
144
{
  tor_tls_t search, *result;
  memset(&search, 0, sizeof(search));
145
  search.ssl = (SSL*)ssl;
146
147
148
149
  result = HT_FIND(tlsmap, &tlsmap_root, &search);
  return result;
}

150
151
static void tor_tls_context_decref(tor_tls_context_t *ctx);
static void tor_tls_context_incref(tor_tls_context_t *ctx);
152
static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa,
153
154
155
156
                                        crypto_pk_env_t *rsa_sign,
                                        const char *cname,
                                        const char *cname_sign,
                                        unsigned int lifetime);
157
static void tor_tls_unblock_renegotiation(tor_tls_t *tls);
158

Nick Mathewson's avatar
Nick Mathewson committed
159
/** Global tls context. We keep it here because nobody else needs to
160
 * touch it. */
161
static tor_tls_context_t *global_tls_context = NULL;
Nick Mathewson's avatar
Nick Mathewson committed
162
/** True iff tor_tls_init() has been called. */
163
static int tls_library_is_initialized = 0;
164

165
/* Module-internal error codes. */
166
167
#define _TOR_TLS_SYSCALL    (_MIN_TOR_TLS_ERROR_VAL - 2)
#define _TOR_TLS_ZERORETURN (_MIN_TOR_TLS_ERROR_VAL - 1)
168

169
#include "tortls_states.h"
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184

/** Return the symbolic name of an OpenSSL state. */
static const char *
ssl_state_to_string(int ssl_state)
{
  static char buf[40];
  int i;
  for (i = 0; state_map[i].name; ++i) {
    if (state_map[i].state == ssl_state)
      return state_map[i].name;
  }
  tor_snprintf(buf, sizeof(buf), "Unknown state %d", ssl_state);
  return buf;
}

Nick Mathewson's avatar
Nick Mathewson committed
185
186
/** Log all pending tls errors at level <b>severity</b>.  Use
 * <b>doing</b> to describe our current activities.
187
 */
Nick Mathewson's avatar
Nick Mathewson committed
188
static void
189
tls_log_errors(tor_tls_t *tls, int severity, int domain, const char *doing)
Nick Mathewson's avatar
Nick Mathewson committed
190
{
191
192
  const char *state = NULL;
  int st;
193
  unsigned long err;
194
195
  const char *msg, *lib, *func, *addr;
  addr = tls ? tls->address : NULL;
196
  st = (tls && tls->ssl) ? tls->ssl->state : -1;
Nick Mathewson's avatar
Nick Mathewson committed
197
198
199
200
  while ((err = ERR_get_error()) != 0) {
    msg = (const char*)ERR_reason_error_string(err);
    lib = (const char*)ERR_lib_error_string(err);
    func = (const char*)ERR_func_error_string(err);
201
202
    if (!state)
      state = (st>=0)?ssl_state_to_string(st):"---";
Nick Mathewson's avatar
Nick Mathewson committed
203
204
    if (!msg) msg = "(null)";
    if (doing) {
205
      log(severity, domain, "TLS error while %s%s%s: %s (in %s:%s:%s)",
206
          doing, addr?" with ":"", addr?addr:"",
207
          msg, lib, func, state);
Nick Mathewson's avatar
Nick Mathewson committed
208
    } else {
209
      log(severity, domain, "TLS error%s%s: %s (in %s:%s:%s)",
210
          addr?" with ":"", addr?addr:"",
211
          msg, lib, func, state);
Nick Mathewson's avatar
Nick Mathewson committed
212
    }
Nick Mathewson's avatar
Nick Mathewson committed
213
214
  }
}
215

216
217
/** Convert an errno (or a WSAerrno on windows) into a TOR_TLS_* error
 * code. */
218
static int
219
220
tor_errno_to_tls_error(int e)
{
221
#if defined(MS_WINDOWS)
222
  switch (e) {
223
224
225
226
227
228
229
230
231
232
233
234
    case WSAECONNRESET: // most common
      return TOR_TLS_ERROR_CONNRESET;
    case WSAETIMEDOUT:
      return TOR_TLS_ERROR_TIMEOUT;
    case WSAENETUNREACH:
    case WSAEHOSTUNREACH:
      return TOR_TLS_ERROR_NO_ROUTE;
    case WSAECONNREFUSED:
      return TOR_TLS_ERROR_CONNREFUSED; // least common
    default:
      return TOR_TLS_ERROR_MISC;
  }
235
236
#else
  switch (e) {
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
    case ECONNRESET: // most common
      return TOR_TLS_ERROR_CONNRESET;
    case ETIMEDOUT:
      return TOR_TLS_ERROR_TIMEOUT;
    case EHOSTUNREACH:
    case ENETUNREACH:
      return TOR_TLS_ERROR_NO_ROUTE;
    case ECONNREFUSED:
      return TOR_TLS_ERROR_CONNREFUSED; // least common
    default:
      return TOR_TLS_ERROR_MISC;
  }
#endif
}

252
/** Given a TOR_TLS_* error code, return a string equivalent. */
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
const char *
tor_tls_err_to_string(int err)
{
  if (err >= 0)
    return "[Not an error.]";
  switch (err) {
    case TOR_TLS_ERROR_MISC: return "misc error";
    case TOR_TLS_ERROR_IO: return "unexpected close";
    case TOR_TLS_ERROR_CONNREFUSED: return "connection refused";
    case TOR_TLS_ERROR_CONNRESET: return "connection reset";
    case TOR_TLS_ERROR_NO_ROUTE: return "host unreachable";
    case TOR_TLS_ERROR_TIMEOUT: return "connection timed out";
    case TOR_TLS_CLOSE: return "closed";
    case TOR_TLS_WANTREAD: return "want to read";
    case TOR_TLS_WANTWRITE: return "want to write";
    default: return "(unknown error code)";
  }
}

272
273
274
#define CATCH_SYSCALL 1
#define CATCH_ZERO    2

Nick Mathewson's avatar
Nick Mathewson committed
275
/** Given a TLS object and the result of an SSL_* call, use
276
277
278
279
280
281
 * SSL_get_error to determine whether an error has occurred, and if so
 * which one.  Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
 * If extra&CATCH_SYSCALL is true, return _TOR_TLS_SYSCALL instead of
 * reporting syscall errors.  If extra&CATCH_ZERO is true, return
 * _TOR_TLS_ZERORETURN instead of reporting zero-return errors.
 *
Nick Mathewson's avatar
Nick Mathewson committed
282
283
 * If an error has occurred, log it at level <b>severity</b> and describe the
 * current action as <b>doing</b>.
284
 */
285
static int
286
tor_tls_get_error(tor_tls_t *tls, int r, int extra,
287
                  const char *doing, int severity, int domain)
288
289
{
  int err = SSL_get_error(tls->ssl, r);
290
  int tor_error = TOR_TLS_ERROR_MISC;
291
292
293
294
295
296
297
298
  switch (err) {
    case SSL_ERROR_NONE:
      return TOR_TLS_DONE;
    case SSL_ERROR_WANT_READ:
      return TOR_TLS_WANTREAD;
    case SSL_ERROR_WANT_WRITE:
      return TOR_TLS_WANTWRITE;
    case SSL_ERROR_SYSCALL:
299
      if (extra&CATCH_SYSCALL)
300
        return _TOR_TLS_SYSCALL;
301
      if (r == 0) {
302
303
        log(severity, LD_NET, "TLS error: unexpected close while %s (%s)",
            doing, ssl_state_to_string(tls->ssl->state));
304
305
        tor_error = TOR_TLS_ERROR_IO;
      } else {
306
        int e = tor_socket_errno(tls->socket);
307
        log(severity, LD_NET,
308
309
310
            "TLS error: <syscall error while %s> (errno=%d: %s; state=%s)",
            doing, e, tor_socket_strerror(e),
            ssl_state_to_string(tls->ssl->state));
311
        tor_error = tor_errno_to_tls_error(e);
312
      }
313
      tls_log_errors(tls, severity, domain, doing);
314
      return tor_error;
315
    case SSL_ERROR_ZERO_RETURN:
316
      if (extra&CATCH_ZERO)
317
        return _TOR_TLS_ZERORETURN;
318
319
320
      log(severity, LD_NET, "TLS connection closed while %s in state %s",
          doing, ssl_state_to_string(tls->ssl->state));
      tls_log_errors(tls, severity, domain, doing);
321
      return TOR_TLS_CLOSE;
322
    default:
323
      tls_log_errors(tls, severity, domain, doing);
324
      return TOR_TLS_ERROR_MISC;
325
326
327
  }
}

Nick Mathewson's avatar
Nick Mathewson committed
328
/** Initialize OpenSSL, unless it has already been initialized.
329
 */
330
static void
331
332
tor_tls_init(void)
{
333
334
  if (!tls_library_is_initialized) {
    SSL_library_init();
335
    SSL_load_error_strings();
336
337
338
339
    tls_library_is_initialized = 1;
  }
}

340
/** Free all global TLS structures. */
341
342
343
344
void
tor_tls_free_all(void)
{
  if (global_tls_context) {
345
    tor_tls_context_decref(global_tls_context);
346
347
    global_tls_context = NULL;
  }
348
349
350
351
  if (!HT_EMPTY(&tlsmap_root)) {
    log_warn(LD_MM, "Still have entries in the tlsmap at shutdown.");
  }
  HT_CLEAR(tlsmap, &tlsmap_root);
352
353
354
355
356
357
#ifdef V2_HANDSHAKE_CLIENT
  if (CLIENT_CIPHER_DUMMIES)
    tor_free(CLIENT_CIPHER_DUMMIES);
  if (CLIENT_CIPHER_STACK)
    sk_SSL_CIPHER_free(CLIENT_CIPHER_STACK);
#endif
358
359
}

Nick Mathewson's avatar
Nick Mathewson committed
360
/** We need to give OpenSSL a callback to verify certificates. This is
361
362
363
 * it: We always accept peer certs and complete the handshake.  We
 * don't validate them until later.
 */
364
365
366
static int
always_accept_verify_cb(int preverify_ok,
                        X509_STORE_CTX *x509_ctx)
367
{
368
369
  (void) preverify_ok;
  (void) x509_ctx;
370
371
372
  return 1;
}

Roger Dingledine's avatar
Roger Dingledine committed
373
/** Return a newly allocated X509 name with commonName <b>cname</b>. */
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
static X509_NAME *
tor_x509_name_new(const char *cname)
{
  int nid;
  X509_NAME *name;
  if (!(name = X509_NAME_new()))
    return NULL;
  if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
  if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
                                   (unsigned char*)cname, -1, -1, 0)))
    goto error;
  return name;
 error:
  X509_NAME_free(name);
  return NULL;
}

Nick Mathewson's avatar
Nick Mathewson committed
391
392
393
394
/** Generate and sign an X509 certificate with the public key <b>rsa</b>,
 * signed by the private key <b>rsa_sign</b>.  The commonName of the
 * certificate will be <b>cname</b>; the commonName of the issuer will be
 * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds
395
396
 * starting from now.  Return a certificate on success, NULL on
 * failure.
397
 */
398
static X509 *
399
tor_tls_create_certificate(crypto_pk_env_t *rsa,
400
401
402
403
                           crypto_pk_env_t *rsa_sign,
                           const char *cname,
                           const char *cname_sign,
                           unsigned int cert_lifetime)
404
405
{
  time_t start_time, end_time;
406
  EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
407
  X509 *x509 = NULL;
408
  X509_NAME *name = NULL, *name_issuer=NULL;
409

410
411
  tor_tls_init();

412
413
  start_time = time(NULL);

414
415
416
417
  tor_assert(rsa);
  tor_assert(cname);
  tor_assert(rsa_sign);
  tor_assert(cname_sign);
418
419
420
421
  if (!(sign_pkey = _crypto_pk_env_get_evp_pkey(rsa_sign,1)))
    goto error;
  if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,0)))
    goto error;
422
  if (!(x509 = X509_new()))
423
    goto error;
424
  if (!(X509_set_version(x509, 2)))
425
    goto error;
426
  if (!(ASN1_INTEGER_set(X509_get_serialNumber(x509), (long)start_time)))
427
    goto error;
428

429
  if (!(name = tor_x509_name_new(cname)))
430
    goto error;
431
432
  if (!(X509_set_subject_name(x509, name)))
    goto error;
433
  if (!(name_issuer = tor_x509_name_new(cname_sign)))
434
    goto error;
435
  if (!(X509_set_issuer_name(x509, name_issuer)))
436
    goto error;
437

438
  if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
439
    goto error;
440
  end_time = start_time + cert_lifetime;
441
  if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
442
    goto error;
443
  if (!X509_set_pubkey(x509, pkey))
444
    goto error;
445
  if (!X509_sign(x509, sign_pkey, EVP_sha1()))
446
    goto error;
447

448
449
  goto done;
 error:
450
  if (x509) {
451
    X509_free(x509);
452
453
    x509 = NULL;
  }
454
 done:
455
  tls_log_errors(NULL, LOG_WARN, LD_NET, "generating certificate");
456
457
  if (sign_pkey)
    EVP_PKEY_free(sign_pkey);
458
459
460
461
  if (pkey)
    EVP_PKEY_free(pkey);
  if (name)
    X509_NAME_free(name);
462
463
  if (name_issuer)
    X509_NAME_free(name_issuer);
464
  return x509;
465
466
}

467
468
469
470
/** List of ciphers that servers should select from.*/
#define SERVER_CIPHER_LIST                         \
  (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"           \
   TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"           \
471
472
473
474
475
476
   SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
/* Note: for setting up your own private testing network with link crypto
 * disabled, set the cipher lists to your cipher list to
 * SSL3_TXT_RSA_NULL_SHA.  If you do this, you won't be able to communicate
 * with any of the "real" Tors, though. */

477
478
479
480
#ifdef V2_HANDSHAKE_CLIENT
#define CIPHER(id, name) name ":"
#define XCIPHER(id, name)
/** List of ciphers that clients should advertise, omitting items that
481
 * our OpenSSL doesn't know about. */
482
483
484
485
486
487
488
489
490
static const char CLIENT_CIPHER_LIST[] =
#include "./ciphers.inc"
  ;
#undef CIPHER
#undef XCIPHER

/** Holds a cipher that we want to advertise, and its 2-byte ID. */
typedef struct cipher_info_t { unsigned id; const char *name; } cipher_info_t;
/** A list of all the ciphers that clients should advertise, including items
491
 * that OpenSSL might not know about. */
492
493
494
495
496
497
498
499
500
501
502
static const cipher_info_t CLIENT_CIPHER_INFO_LIST[] = {
#define CIPHER(id, name) { id, name },
#define XCIPHER(id, name) { id, #name },
#include "./ciphers.inc"
#undef CIPHER
#undef XCIPHER
};

/** The length of CLIENT_CIPHER_INFO_LIST and CLIENT_CIPHER_DUMMIES. */
static const int N_CLIENT_CIPHERS =
  sizeof(CLIENT_CIPHER_INFO_LIST)/sizeof(CLIENT_CIPHER_INFO_LIST[0]);
503
504
505
506
507
508
#endif

#ifndef V2_HANDSHAKE_CLIENT
#undef CLIENT_CIPHER_LIST
#define CLIENT_CIPHER_LIST  (TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"      \
                             SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
509
510
#endif

511
512
/** Remove a reference to <b>ctx</b>, and free it if it has no more
 * references. */
513
static void
514
tor_tls_context_decref(tor_tls_context_t *ctx)
515
{
516
517
518
519
520
  tor_assert(ctx);
  if (--ctx->refcnt == 0) {
    SSL_CTX_free(ctx->ctx);
    X509_free(ctx->my_cert);
    X509_free(ctx->my_id_cert);
521
    crypto_free_pk_env(ctx->key);
522
523
524
525
    tor_free(ctx);
  }
}

526
/** Increase the reference count of <b>ctx</b>. */
527
528
529
530
static void
tor_tls_context_incref(tor_tls_context_t *ctx)
{
  ++ctx->refcnt;
531
532
}

533
534
535
536
/** Create a new TLS context for use with Tor TLS handshakes.
 * <b>identity</b> should be set to the identity key used to sign the
 * certificate, and <b>nickname</b> set to the nickname to use.
 *
537
 * You can call this function multiple times.  Each time you call it,
538
539
 * it generates new certificates; all new connections will use
 * the new SSL context.
540
 */
541
int
542
tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
543
{
544
  crypto_pk_env_t *rsa = NULL;
545
  EVP_PKEY *pkey = NULL;
546
  tor_tls_context_t *result = NULL;
547
  X509 *cert = NULL, *idcert = NULL;
548
  char *nickname = NULL, *nn2 = NULL;
549

550
  tor_tls_init();
551
552
  nickname = crypto_random_hostname(8, 20, "www.", ".net");
  nn2 = crypto_random_hostname(8, 20, "www.", ".net");
553

554
555
556
557
558
559
560
561
562
563
564
565
566
567
  /* Generate short-term RSA key. */
  if (!(rsa = crypto_new_pk_env()))
    goto error;
  if (crypto_pk_generate_key(rsa)<0)
    goto error;
  /* Create certificate signed by identity key. */
  cert = tor_tls_create_certificate(rsa, identity, nickname, nn2,
                                    key_lifetime);
  /* Create self-signed certificate for identity key. */
  idcert = tor_tls_create_certificate(identity, identity, nn2, nn2,
                                      IDENTITY_CERT_LIFETIME);
  if (!cert || !idcert) {
    log(LOG_WARN, LD_CRYPTO, "Error creating certificate");
    goto error;
568
569
  }

570
  result = tor_malloc_zero(sizeof(tor_tls_context_t));
571
  result->refcnt = 1;
572
573
  result->my_cert = X509_dup(cert);
  result->my_id_cert = X509_dup(idcert);
574
  result->key = crypto_pk_dup_key(rsa);
575

576
#ifdef EVERYONE_HAS_AES
577
578
579
  /* Tell OpenSSL to only use TLS1 */
  if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
    goto error;
580
#else
581
582
583
584
  /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
  if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
    goto error;
  SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
585
#endif
586
  SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
587

588
589
590
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
  SSL_CTX_set_options(result->ctx,
                      SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
591
592
593
594
595
596
597
598
599
600
601
602
#endif
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  /* Yes, we know what we are doing here.  No, we do not treat a renegotiation
   * as authenticating any earlier-received data.
   *
   * (OpenSSL 0.9.8l introdeced SSL3_FLAGS_ALLOW_UNSAGE_LEGACY_RENEGOTIATION
   * here.  OpenSSL 0.9.8m thoughtfully turned it into an option and (it
   * seems) broke anything that used SSL3_FLAGS_* for the purpose.  So we need
   * to do both.)
   */
  SSL_CTX_set_options(result->ctx,
                      SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
603
#endif
604
605
606
607
  /* Don't actually allow compression; it uses ram and time, but the data
   * we transmit is all encrypted anyway. */
  if (result->ctx->comp_methods)
    result->ctx->comp_methods = NULL;
608
609
610
#ifdef SSL_MODE_RELEASE_BUFFERS
  SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
611
612
613
614
  if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
    goto error;
  X509_free(cert); /* We just added a reference to cert. */
  cert=NULL;
615
616
617
  if (idcert) {
    X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
    tor_assert(s);
Roger Dingledine's avatar
Roger Dingledine committed
618
    X509_STORE_add_cert(s, idcert);
619
620
    X509_free(idcert); /* The context now owns the reference to idcert */
    idcert = NULL;
621
  }
622
623
624
625
626
627
628
629
630
631
  SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
  tor_assert(rsa);
  if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1)))
    goto error;
  if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
    goto error;
  EVP_PKEY_free(pkey);
  pkey = NULL;
  if (!SSL_CTX_check_private_key(result->ctx))
    goto error;
632
633
634
635
636
  {
    crypto_dh_env_t *dh = crypto_dh_new();
    SSL_CTX_set_tmp_dh(result->ctx, _crypto_dh_env_get_dh(dh));
    crypto_dh_free(dh);
  }
637
638
639
640
  SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
                     always_accept_verify_cb);
  /* let us realloc bufs that we're writing from */
  SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
641
642
643
644
  /* Free the old context if one exists. */
  if (global_tls_context) {
    /* This is safe even if there are open connections: OpenSSL does
     * reference counting with SSL and SSL_CTX objects. */
645
    tor_tls_context_decref(global_tls_context);
646
  }
647
  global_tls_context = result;
Nick Mathewson's avatar
Nick Mathewson committed
648
649
  if (rsa)
    crypto_free_pk_env(rsa);
650
651
  tor_free(nickname);
  tor_free(nn2);
652
  return 0;
653
654

 error:
655
  tls_log_errors(NULL, LOG_WARN, LD_NET, "creating TLS context");
656
657
  tor_free(nickname);
  tor_free(nn2);
658
659
  if (pkey)
    EVP_PKEY_free(pkey);
660
661
  if (rsa)
    crypto_free_pk_env(rsa);
662
  if (result)
663
    tor_tls_context_decref(result);
Nick Mathewson's avatar
Nick Mathewson committed
664
665
666
  if (cert)
    X509_free(cert);
  if (idcert)
667
    X509_free(idcert);
668
  return -1;
669
670
}

671
#ifdef V2_HANDSHAKE_SERVER
672
/** Return true iff the cipher list suggested by the client for <b>ssl</b> is
673
 * a list that indicates that the client knows how to do the v2 TLS connection
674
 * handshake. */
675
static int
676
tor_tls_client_is_using_v2_ciphers(const SSL *ssl, const char *address)
677
678
679
680
681
{
  int i;
  SSL_SESSION *session;
  /* If we reached this point, we just got a client hello.  See if there is
   * a cipher list. */
682
  if (!(session = SSL_get_session((SSL *)ssl))) {
683
    log_warn(LD_NET, "No session on TLS?");
684
    return 0;
685
686
687
  }
  if (!session->ciphers) {
    log_warn(LD_NET, "No ciphers on session");
688
    return 0;
689
690
691
692
693
694
695
  }
  /* Now we need to see if there are any ciphers whose presence means we're
   * dealing with an updated Tor. */
  for (i = 0; i < sk_SSL_CIPHER_num(session->ciphers); ++i) {
    SSL_CIPHER *cipher = sk_SSL_CIPHER_value(session->ciphers, i);
    const char *ciphername = SSL_CIPHER_get_name(cipher);
    if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
696
        strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
697
698
699
        strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) &&
        strcmp(ciphername, "(NONE)")) {
      /* XXXX should be ld_debug */
700
      log_info(LD_NET, "Got a non-version-1 cipher called '%s'", ciphername);
701
702
      // return 1;
      goto dump_list;
703
704
    }
  }
705
706
707
708
709
710
711
712
713
714
715
  return 0;
 dump_list:
  {
    smartlist_t *elts = smartlist_create();
    char *s;
    for (i = 0; i < sk_SSL_CIPHER_num(session->ciphers); ++i) {
      SSL_CIPHER *cipher = sk_SSL_CIPHER_value(session->ciphers, i);
      const char *ciphername = SSL_CIPHER_get_name(cipher);
      smartlist_add(elts, (char*)ciphername);
    }
    s = smartlist_join_strings(elts, ":", 0, NULL);
716
    log_info(LD_NET, "Got a non-version-1 cipher list from %s.  It is: '%s'",
717
             address, s);
718
719
720
721
722
    tor_free(s);
    smartlist_free(elts);
  }
  return 1;
}
723

724
725
726
727
728
729
/** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
 * changes state. We use this:
 * <ul><li>To alter the state of the handshake partway through, so we
 *         do not send or request extra certificates in v2 handshakes.</li>
 * <li>To detect renegotiation</li></ul>
 */
730
731
732
static void
tor_tls_server_info_callback(const SSL *ssl, int type, int val)
{
733
  tor_tls_t *tls;
734
735
736
737
738
739
  (void) val;
  if (type != SSL_CB_ACCEPT_LOOP)
    return;
  if (ssl->state != SSL3_ST_SW_SRVR_HELLO_A)
    return;

740
741
742
743
744
745
746
747
748
749
  tls = tor_tls_get_by_ssl(ssl);
  if (tls) {
    /* Check whether we're watching for renegotiates.  If so, this is one! */
    if (tls->negotiated_callback)
      tls->got_renegotiate = 1;
  } else {
    log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
  }

  /* Now check the cipher list. */
750
  if (tor_tls_client_is_using_v2_ciphers(ssl, ADDR(tls))) {
751
752
    /*XXXX_TLS keep this from happening more than once! */

753
754
755
756
757
758
759
    /* Yes, we're casting away the const from ssl.  This is very naughty of us.
     * Let's hope openssl doesn't notice! */

    /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
    SSL_set_mode((SSL*) ssl, SSL_MODE_NO_AUTO_CHAIN);
    /* Don't send a hello request. */
    SSL_set_verify((SSL*) ssl, SSL_VERIFY_NONE, NULL);
760
761
762
763
764
765

    if (tls) {
      tls->wasV2Handshake = 1;
    } else {
      log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
    }
766
767
768
769
  }
}
#endif

770
/** Replace *<b>ciphers</b> with a new list of SSL ciphersuites: specifically,
771
 * a list designed to mimic a common web browser.  Some of the ciphers in the
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
 * list won't actually be implemented by OpenSSL: that's okay so long as the
 * server doesn't select them, and the server won't select anything besides
 * what's in SERVER_CIPHER_LIST.
 *
 * [If the server <b>does</b> select a bogus cipher, we won't crash or
 * anything; we'll just fail later when we try to look up the cipher in
 * ssl->cipher_list_by_id.]
 */
static void
rectify_client_ciphers(STACK_OF(SSL_CIPHER) **ciphers)
{
#ifdef V2_HANDSHAKE_CLIENT
  if (PREDICT_UNLIKELY(!CLIENT_CIPHER_STACK)) {
    /* We need to set CLIENT_CIPHER_STACK to an array of the ciphers
     * we want.*/
    int i = 0, j = 0;

    /* First, create a dummy SSL_CIPHER for every cipher. */
    CLIENT_CIPHER_DUMMIES =
      tor_malloc_zero(sizeof(SSL_CIPHER)*N_CLIENT_CIPHERS);
    for (i=0; i < N_CLIENT_CIPHERS; ++i) {
      CLIENT_CIPHER_DUMMIES[i].valid = 1;
      CLIENT_CIPHER_DUMMIES[i].id = CLIENT_CIPHER_INFO_LIST[i].id | (3<<24);
      CLIENT_CIPHER_DUMMIES[i].name = CLIENT_CIPHER_INFO_LIST[i].name;
    }

    CLIENT_CIPHER_STACK = sk_SSL_CIPHER_new_null();
    tor_assert(CLIENT_CIPHER_STACK);

    log_debug(LD_NET, "List was: %s", CLIENT_CIPHER_LIST);
    for (j = 0; j < sk_SSL_CIPHER_num(*ciphers); ++j) {
      SSL_CIPHER *cipher = sk_SSL_CIPHER_value(*ciphers, j);
      log_debug(LD_NET, "Cipher %d: %lx %s", j, cipher->id, cipher->name);
    }

    /* Then copy as many ciphers as we can from the good list, inserting
     * dummies as needed. */
    j=0;
    for (i = 0; i < N_CLIENT_CIPHERS; ) {
      SSL_CIPHER *cipher = NULL;
      if (j < sk_SSL_CIPHER_num(*ciphers))
        cipher = sk_SSL_CIPHER_value(*ciphers, j);
      if (cipher && ((cipher->id >> 24) & 0xff) != 3) {
        log_debug(LD_NET, "Skipping v2 cipher %s", cipher->name);
        ++j;
      } else if (cipher &&
                 (cipher->id & 0xffff) == CLIENT_CIPHER_INFO_LIST[i].id) {
        log_debug(LD_NET, "Found cipher %s", cipher->name);
        sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, cipher);
        ++j;
        ++i;
      } else {
        log_debug(LD_NET, "Inserting fake %s", CLIENT_CIPHER_DUMMIES[i].name);
        sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, &CLIENT_CIPHER_DUMMIES[i]);
        ++i;
      }
    }
  }

  sk_SSL_CIPHER_free(*ciphers);
  *ciphers = sk_SSL_CIPHER_dup(CLIENT_CIPHER_STACK);
  tor_assert(*ciphers);

#else
    (void)ciphers;
#endif
}

Nick Mathewson's avatar
Nick Mathewson committed
840
841
/** Create a new TLS object from a file descriptor, and a flag to
 * determine whether it is functioning as a server.
842
 */
843
tor_tls_t *
844
tor_tls_new(int sock, int isServer)
845
{
846
  BIO *bio = NULL;
847
  tor_tls_t *result = tor_malloc_zero(sizeof(tor_tls_t));
848

849
  tor_assert(global_tls_context); /* make sure somebody made it first */
850
  if (!(result->ssl = SSL_new(global_tls_context->ctx))) {
851
    tls_log_errors(NULL, LOG_WARN, LD_NET, "generating TLS context");
852
    tor_free(result);
853
    return NULL;
854
  }
855
856
857
858
859
860

#ifdef SSL_set_tlsext_host_name
  /* Browsers use the TLS hostname extension, so we should too. */
  {
    char *fake_hostname = crypto_random_hostname(4,25, "www.",".com");
    SSL_set_tlsext_host_name(result->ssl, fake_hostname);
861
    tor_free(fake_hostname);
862
863
864
  }
#endif

865
866
  if (!SSL_set_cipher_list(result->ssl,
                     isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST)) {
867
    tls_log_errors(NULL, LOG_WARN, LD_NET, "setting ciphers");
868
869
870
#ifdef SSL_set_tlsext_host_name
    SSL_set_tlsext_host_name(result->ssl, NULL);
#endif
871
872
873
874
    SSL_free(result->ssl);
    tor_free(result);
    return NULL;
  }
875
876
  if (!isServer)
    rectify_client_ciphers(&result->ssl->cipher_list);
877
  result->socket = sock;
878
879
  bio = BIO_new_socket(sock, BIO_NOCLOSE);
  if (! bio) {
880
    tls_log_errors(NULL, LOG_WARN, LD_NET, "opening BIO");
881
882
883
#ifdef SSL_set_tlsext_host_name
    SSL_set_tlsext_host_name(result->ssl, NULL);
#endif
884
    SSL_free(result->ssl);
885
886
887
    tor_free(result);
    return NULL;
  }
888
  HT_INSERT(tlsmap, &tlsmap_root, result);
889
  SSL_set_bio(result->ssl, bio, bio);
890
891
  tor_tls_context_incref(global_tls_context);
  result->context = global_tls_context;
892
893
  result->state = TOR_TLS_ST_HANDSHAKE;
  result->isServer = isServer;
894
  result->wantwrite_n = 0;
895
896
897
898
899
900
  result->last_write_count = BIO_number_written(bio);
  result->last_read_count = BIO_number_read(bio);
  if (result->last_write_count || result->last_read_count) {
    log_warn(LD_NET, "Newly created BIO has read count %lu, write count %lu",
             result->last_read_count, result->last_write_count);
  }
901
902
903
904
905
#ifdef V2_HANDSHAKE_SERVER
  if (isServer) {
    SSL_set_info_callback(result->ssl, tor_tls_server_info_callback);
  }
#endif
906
  /* Not expected to get called. */
907
  tls_log_errors(NULL, LOG_WARN, LD_NET, "generating TLS context");
908
909
910
  return result;
}

911
912
913
914
915
916
917
918
919
920
921
/** Make future log messages about <b>tls</b> display the address
 * <b>address</b>.
 */
void
tor_tls_set_logged_address(tor_tls_t *tls, const char *address)
{
  tor_assert(tls);
  tor_free(tls->address);
  tls->address = tor_strdup(address);
}

922
923
/** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
 * next gets a client-side renegotiate in the middle of a read.  Do not
924
 * invoke this function until <em>after</em> initial handshaking is done!
925
 */
926
927
928
929
930
931
932
void
tor_tls_set_renegotiate_callback(tor_tls_t *tls,
                                 void (*cb)(tor_tls_t *, void *arg),
                                 void *arg)
{
  tls->negotiated_callback = cb;
  tls->callback_arg = arg;
933
934
935
936
937
938
939
940
  tls->got_renegotiate = 0;
#ifdef V2_HANDSHAKE_SERVER
  if (cb) {
    SSL_set_info_callback(tls->ssl, tor_tls_server_info_callback);
  } else {
    SSL_set_info_callback(tls->ssl, NULL);
  }
#endif
941
942
}

943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
/** If this version of openssl requires it, turn on renegotiation on
 * <b>tls</b>.  (Our protocol never requires this for security, but it's nice
 * to use belt-and-suspenders here.)
 */
static void
tor_tls_unblock_renegotiation(tor_tls_t *tls)
{
#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  /* Yes, we know what we are doing here.  No, we do not treat a renegotiation
   * as authenticating any earlier-received data. */
  tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
#else
  (void)tls;
#endif
}

/** If this version of openssl supports it, turn off renegotiation on
 * <b>tls</b>.  (Our protocol never requires this for security, but it's nice
 * to use belt-and-suspenders here.)
 */
void
tor_tls_block_renegotiation(tor_tls_t *tls)
{
#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
  tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
#else
  (void)tls;
#endif
}

973
974
975
/** Return whether this tls initiated the connect (client) or
 * received it (server). */
int
976
tor_tls_is_server(tor_tls_t *tls)
977
978
979
980
981
{
  tor_assert(tls);
  return tls->isServer;
}

Nick Mathewson's avatar
Nick Mathewson committed
982
/** Release resources associated with a TLS object.  Does not close the
983
984
985
 * underlying file descriptor.
 */
void
986
tor_tls_free(tor_tls_t *tls)
987
{
988
  tor_tls_t *removed;
989
990
991
  if (!tls)
    return;
  tor_assert(tls->ssl);
992
993
994
995
  removed = HT_REMOVE(tlsmap, &tlsmap_root, tls);
  if (!removed) {
    log_warn(LD_BUG, "Freeing a TLS that was not in the ssl->tls map.");
  }
996
997
998
#ifdef SSL_set_tlsext_host_name
  SSL_set_tlsext_host_name(tls->ssl, NULL);
#endif
999
  SSL_free(tls->ssl);
1000
  tls->ssl = NULL;