Commit 1992c761 authored by Nick Mathewson's avatar Nick Mathewson 🐕
Browse files

Split tls modules and their tests into openssl and generic.

Also, add a stubbed-out nss version of the modules.  The tests won't
pass with NSS yet since the NSS modules don't do anything.

This is a good patch to read with --color-moved.
parent 91c1e88b
......@@ -10,6 +10,16 @@ src_lib_libtor_tls_a_SOURCES = \
src/lib/tls/tortls.c \
src/lib/tls/x509.c
if USE_NSS
src_lib_libtor_tls_a_SOURCES += \
src/lib/tls/tortls_nss.c \
src/lib/tls/x509_nss.c
else
src_lib_libtor_tls_a_SOURCES += \
src/lib/tls/tortls_openssl.c \
src/lib/tls/x509_openssl.c
endif
src_lib_libtor_tls_a_CFLAGS = $(AM_CFLAGS) $(TOR_CFLAGS_CRYPTLIB)
src_lib_libtor_tls_testing_a_SOURCES = \
......@@ -22,4 +32,6 @@ noinst_HEADERS += \
src/lib/tls/ciphers.inc \
src/lib/tls/buffers_tls.h \
src/lib/tls/tortls.h \
src/lib/tls/tortls_internal.h \
src/lib/tls/tortls_st.h \
src/lib/tls/x509.h
This diff is collapsed.
......@@ -50,74 +50,13 @@ struct tor_x509_cert_t;
#define TOR_TLS_IS_ERROR(rv) ((rv) < TOR_TLS_CLOSE)
#ifdef TORTLS_PRIVATE
#ifdef ENABLE_OPENSSL
struct ssl_st;
struct ssl_ctx_st;
struct ssl_session_st;
#endif
/** Holds a SSL_CTX object and related state used to configure TLS
* connections.
*/
typedef struct tor_tls_context_t tor_tls_context_t;
STATIC int tor_errno_to_tls_error(int e);
STATIC int tor_tls_get_error(tor_tls_t *tls, int r, int extra,
const char *doing, int severity, int domain);
STATIC tor_tls_t *tor_tls_get_by_ssl(const struct ssl_st *ssl);
STATIC void tor_tls_allocate_tor_tls_object_ex_data_index(void);
MOCK_DECL(STATIC void, try_to_extract_certs_from_tls,
(int severity, tor_tls_t *tls, struct x509_st **cert_out,
struct x509_st **id_cert_out));
#ifdef TORTLS_OPENSSL_PRIVATE
STATIC int always_accept_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx);
STATIC int tor_tls_classify_client_ciphers(const struct ssl_st *ssl,
STACK_OF(SSL_CIPHER) *peer_ciphers);
#endif
STATIC int tor_tls_client_is_using_v2_ciphers(const struct ssl_st *ssl);
#ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
STATIC size_t SSL_SESSION_get_master_key(struct ssl_session_st *s,
uint8_t *out,
size_t len);
#endif
STATIC void tor_tls_debug_state_callback(const struct ssl_st *ssl,
int type, int val);
STATIC void tor_tls_server_info_callback(const struct ssl_st *ssl,
int type, int val);
#ifdef TORTLS_OPENSSL_PRIVATE
STATIC int tor_tls_session_secret_cb(struct ssl_st *ssl, void *secret,
int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers,
CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
void *arg);
STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m,
uint16_t cipher);
#endif /* defined(TORTLS_OPENSSL_PRIVATE) */
STATIC tor_tls_context_t *tor_tls_context_new(crypto_pk_t *identity,
unsigned int key_lifetime, unsigned flags, int is_client);
STATIC int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
crypto_pk_t *identity,
unsigned int key_lifetime,
unsigned int flags,
int is_client);
#ifdef TOR_UNIT_TESTS
extern int tor_tls_object_ex_data_index;
extern tor_tls_context_t *server_tls_context;
extern tor_tls_context_t *client_tls_context;
extern uint16_t v2_cipher_list[];
extern uint64_t total_bytes_written_over_tls;
extern uint64_t total_bytes_written_by_tls;
#endif /* defined(TOR_UNIT_TESTS) */
#endif /* defined(TORTLS_PRIVATE) */
const char *tor_tls_err_to_string(int err);
void tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz);
void tor_tls_free_all(void);
#define TOR_TLS_CTX_IS_PUBLIC_SERVER (1u<<0)
......@@ -131,6 +70,9 @@ int tor_tls_context_init(unsigned flags,
crypto_pk_t *client_identity,
crypto_pk_t *server_identity,
unsigned int key_lifetime);
void tor_tls_context_incref(tor_tls_context_t *ctx);
void tor_tls_context_decref(tor_tls_context_t *ctx);
tor_tls_context_t *tor_tls_context_get(int is_server);
tor_tls_t *tor_tls_new(int sock, int is_server);
void tor_tls_set_logged_address(tor_tls_t *tls, const char *address);
void tor_tls_set_renegotiate_callback(tor_tls_t *tls,
......
/* Copyright (c) 2003, Roger Dingledine
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2018, The Tor Project, Inc. */
/* See LICENSE for licensing information */
#ifndef TORTLS_INTERNAL_H
#define TORTLS_INTERNAL_H
#ifdef ENABLE_OPENSSL
struct ssl_st;
struct ssl_ctx_st;
struct ssl_session_st;
#endif
int tor_errno_to_tls_error(int e);
int tor_tls_get_error(tor_tls_t *tls, int r, int extra,
const char *doing, int severity, int domain);
tor_tls_t *tor_tls_get_by_ssl(const struct ssl_st *ssl);
void tor_tls_allocate_tor_tls_object_ex_data_index(void);
MOCK_DECL(void, try_to_extract_certs_from_tls,
(int severity, tor_tls_t *tls,
tor_x509_cert_impl_t **cert_out,
tor_x509_cert_impl_t **id_cert_out));
#ifdef TORTLS_OPENSSL_PRIVATE
int always_accept_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx);
int tor_tls_classify_client_ciphers(const struct ssl_st *ssl,
STACK_OF(SSL_CIPHER) *peer_ciphers);
#endif
int tor_tls_client_is_using_v2_ciphers(const struct ssl_st *ssl);
#ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
size_t SSL_SESSION_get_master_key(struct ssl_session_st *s,
uint8_t *out,
size_t len);
#endif
void tor_tls_debug_state_callback(const struct ssl_st *ssl,
int type, int val);
void tor_tls_server_info_callback(const struct ssl_st *ssl,
int type, int val);
#ifdef TORTLS_OPENSSL_PRIVATE
STATIC int tor_tls_session_secret_cb(struct ssl_st *ssl, void *secret,
int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers,
CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
void *arg);
STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m,
uint16_t cipher);
#endif /* defined(TORTLS_OPENSSL_PRIVATE) */
tor_tls_context_t *tor_tls_context_new(crypto_pk_t *identity,
unsigned int key_lifetime, unsigned flags, int is_client);
int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
crypto_pk_t *identity,
unsigned int key_lifetime,
unsigned int flags,
int is_client);
#ifdef TOR_UNIT_TESTS
extern int tor_tls_object_ex_data_index;
extern tor_tls_context_t *server_tls_context;
extern tor_tls_context_t *client_tls_context;
extern uint16_t v2_cipher_list[];
extern uint64_t total_bytes_written_over_tls;
extern uint64_t total_bytes_written_by_tls;
#endif /* defined(TOR_UNIT_TESTS) */
#endif /* defined(TORTLS_INTERNAL_H) */
/* Copyright (c) 2003, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2018, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file tortls_nss.c
* \brief Wrapper functions to present a consistent interface to
* TLS and SSL X.509 functions from NSS.
**/
#include "orconfig.h"
#define TORTLS_PRIVATE
#ifdef _WIN32 /*wrkard for dtls1.h >= 0.9.8m of "#include <winsock.h>"*/
#include <winsock2.h>
#include <ws2tcpip.h>
#endif
#include "lib/crypt_ops/crypto_cipher.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_dh.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/tls/x509.h"
#include "lib/tls/tortls.h"
#include "lib/tls/tortls_internal.h"
#include "lib/log/util_bug.h"
int
tor_errno_to_tls_error(int e)
{
(void)e;
// XXXX
return -1;
}
int
tor_tls_get_error(tor_tls_t *tls, int r, int extra,
const char *doing, int severity, int domain)
{
(void)tls;
(void)r;
(void)extra;
(void)doing;
(void)severity;
(void)domain;
// XXXX
return -1;
}
tor_tls_t *
tor_tls_get_by_ssl(const struct ssl_st *ssl)
{
(void) ssl;
// XXXX
// XXXX refers to ssl_st.
return NULL;
}
void
tor_tls_allocate_tor_tls_object_ex_data_index(void)
{
// XXXX openssl only.
}
MOCK_IMPL(void,
try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls,
tor_x509_cert_impl_t **cert_out,
tor_x509_cert_impl_t **id_cert_out))
{
tor_assert(tls);
tor_assert(cert_out);
tor_assert(id_cert_out);
(void)severity;
// XXXX
}
int
tor_tls_client_is_using_v2_ciphers(const struct ssl_st *ssl)
{
(void) ssl;
// XXXX
// XXXX refers to ssl_st.
return 0;
}
void
tor_tls_debug_state_callback(const struct ssl_st *ssl,
int type, int val)
{
(void) ssl;
(void)type;
(void)val;
// XXXX
// XXXX refers to ssl_st.
}
void
tor_tls_server_info_callback(const struct ssl_st *ssl,
int type, int val)
{
(void)ssl;
(void)type;
(void)val;
// XXXX
// XXXX refers to ssl_st.
}
tor_tls_context_t *
tor_tls_context_new(crypto_pk_t *identity,
unsigned int key_lifetime, unsigned flags, int is_client)
{
tor_assert(identity);
tor_assert(key_lifetime);
(void)flags;
(void)is_client;
// XXXX
return NULL;
}
int
tor_tls_context_init_one(tor_tls_context_t **ppcontext,
crypto_pk_t *identity,
unsigned int key_lifetime,
unsigned int flags,
int is_client)
{
tor_assert(ppcontext);
tor_assert(identity);
tor_assert(key_lifetime);
(void)flags;
(void)is_client;
// XXXX
return -1;
}
void
tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz)
{
(void)tls;
(void)buf;
(void)sz;
// XXXX
}
void
tor_tls_init(void)
{
// XXXX
}
void
tls_log_errors(tor_tls_t *tls, int severity, int domain,
const char *doing)
{
(void)tls;
(void)severity;
(void)domain;
(void)doing;
// XXXX
}
tor_tls_t *
tor_tls_new(int sock, int is_server)
{
(void)sock;
(void)is_server;
// XXXX
return NULL;
}
void
tor_tls_set_renegotiate_callback(tor_tls_t *tls,
void (*cb)(tor_tls_t *, void *arg),
void *arg)
{
tor_assert(tls);
(void)cb;
(void)arg;
// XXXX;
}
void
tor_tls_free_(tor_tls_t *tls)
{
(void)tls;
// XXXX
}
int
tor_tls_peer_has_cert(tor_tls_t *tls)
{
(void)tls;
// XXXX
return -1;
}
MOCK_IMPL(tor_x509_cert_t *,
tor_tls_get_peer_cert,(tor_tls_t *tls))
{
tor_assert(tls);
// XXXX
return NULL;
}
MOCK_IMPL(tor_x509_cert_t *,
tor_tls_get_own_cert,(tor_tls_t *tls))
{
tor_assert(tls);
// XXXX
return NULL;
}
int
tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_t **identity)
{
tor_assert(tls);
tor_assert(identity);
(void)severity;
// XXXX
return -1;
}
int
tor_tls_check_lifetime(int severity,
tor_tls_t *tls, time_t now,
int past_tolerance,
int future_tolerance)
{
tor_assert(tls);
(void)severity;
(void)now;
(void)past_tolerance;
(void)future_tolerance;
// XXXX
return -1;
}
MOCK_IMPL(int,
tor_tls_read, (tor_tls_t *tls, char *cp, size_t len))
{
tor_assert(tls);
tor_assert(cp);
(void)len;
// XXXX
return -1;
}
int
tor_tls_write(tor_tls_t *tls, const char *cp, size_t n)
{
tor_assert(tls);
tor_assert(cp);
(void)n;
// XXXX
return -1;
}
int
tor_tls_handshake(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
return -1;
}
int
tor_tls_finish_handshake(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
return -1;
}
void
tor_tls_unblock_renegotiation(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
}
void
tor_tls_block_renegotiation(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
}
void
tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
}
int
tor_tls_shutdown(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
return -1;
}
int
tor_tls_get_pending_bytes(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
return -1;
}
size_t
tor_tls_get_forced_write_size(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
return 0;
}
void
tor_tls_get_n_raw_bytes(tor_tls_t *tls,
size_t *n_read, size_t *n_written)
{
tor_assert(tls);
tor_assert(n_read);
tor_assert(n_written);
// XXXX
}
int
tor_tls_get_buffer_sizes(tor_tls_t *tls,
size_t *rbuf_capacity, size_t *rbuf_bytes,
size_t *wbuf_capacity, size_t *wbuf_bytes)
{
tor_assert(tls);
tor_assert(rbuf_capacity);
tor_assert(rbuf_bytes);
tor_assert(wbuf_capacity);
tor_assert(wbuf_bytes);
// XXXX
return -1;
}
MOCK_IMPL(double,
tls_get_write_overhead_ratio, (void))
{
// XXXX
return 0.0;
}
int
tor_tls_used_v1_handshake(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
return -1;
}
int
tor_tls_get_num_server_handshakes(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
return -1;
}
int
tor_tls_server_got_renegotiate(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
return -1;
}
MOCK_IMPL(int,
tor_tls_cert_matches_key,(const tor_tls_t *tls,
const struct tor_x509_cert_t *cert))
{
tor_assert(tls);
tor_assert(cert);
// XXXX
return 0;
}
MOCK_IMPL(int,
tor_tls_get_tlssecrets,(tor_tls_t *tls, uint8_t *secrets_out))
{
tor_assert(tls);
tor_assert(secrets_out);
// XXXX
return -1;
}
MOCK_IMPL(int,
tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out,
const uint8_t *context,
size_t context_len,
const char *label))
{
tor_assert(tls);
tor_assert(secrets_out);
tor_assert(context);
tor_assert(label);
(void)context_len;
// XXXX
return -1;
}
void
check_no_tls_errors_(const char *fname, int line)
{
(void)fname;
(void)line;
// XXXX
}
void
tor_tls_log_one_error(tor_tls_t *tls, unsigned long err,
int severity, int domain, const char *doing)
{
tor_assert(tls);
(void)err;
(void)severity;
(void)domain;
(void)doing;
// XXXX
}
int
tor_tls_get_my_certs(int server,
const struct tor_x509_cert_t **link_cert_out,
const struct tor_x509_cert_t **id_cert_out)
{
tor_assert(link_cert_out);
tor_assert(id_cert_out);
(void)server;
// XXXX
return -1;
}
crypto_pk_t *
tor_tls_get_my_client_auth_key(void)
{
// XXXX
return NULL;
}
const char *
tor_tls_get_ciphersuite_name(tor_tls_t *tls)
{
tor_assert(tls);
// XXXX
return NULL;
}
int
evaluate_ecgroup_for_tls(const char *ecgroup)
{
(void)ecgroup;
// XXXX
return -1;
}
This diff is collapsed.
This diff is collapsed.
......@@ -17,7 +17,9 @@
/* Opaque structure to hold an X509 certificate. */
typedef struct tor_x509_cert_t tor_x509_cert_t;
#ifdef ENABLE_OPENSSL
#ifdef ENABLE_NSS
typedef struct CERTCertificateStr tor_x509_cert_impl_t;
#elif defined(ENABLE_OPENSSL)
typedef struct x509_st tor_x509_cert_impl_t;
#endif
......
/* Copyright (c) 2003, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2018, The Tor Project, Inc. */
/* See LICENSE for licensing information */