20#define TORTLS_OPENSSL_PRIVATE
21#define TOR_X509_PRIVATE
34#include "lib/crypt_ops/compat_openssl.h"
36#include "lib/tls/x509_internal.h"
40DISABLE_GCC_WARNING(
"-Wredundant-decls")
42#include <openssl/opensslv.h>
45#error "We require OpenSSL with ECC support"
48#include <openssl/ssl.h>
49#include <openssl/ssl3.h>
50#include <openssl/err.h>
51#include <openssl/tls1.h>
52#include <openssl/asn1.h>
53#include <openssl/bio.h>
54#include <openssl/bn.h>
55#include <openssl/rsa.h>
57ENABLE_GCC_WARNING(
"-Wredundant-decls")
59#include "lib/tls/tortls.h"
78#define LEGAL_NICKNAME_CHARACTERS \
79 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
81#define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")
83#if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,0,'f')
88#define DISABLE_SSL3_HANDSHAKE
95#ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
96#define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
98#ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
99#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
103static int openssl_bug_7712_is_present = 0;
110#define CIPHERS_ERR -1
120#define CIPHERS_UNRESTRICTED 3
125STATIC int tor_tls_object_ex_data_index = -1;
129tor_tls_allocate_tor_tls_object_ex_data_index(
void)
131 if (tor_tls_object_ex_data_index == -1) {
132 tor_tls_object_ex_data_index =
133 SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
134 tor_assert(tor_tls_object_ex_data_index != -1);
141tor_tls_get_by_ssl(
const SSL *ssl)
143 tor_tls_t *result = SSL_get_ex_data(ssl, tor_tls_object_ex_data_index);
150static int tls_library_is_initialized = 0;
153#define TOR_TLS_SYSCALL_ (MIN_TOR_TLS_ERROR_VAL_ - 2)
154#define TOR_TLS_ZERORETURN_ (MIN_TOR_TLS_ERROR_VAL_ - 1)
161 const char *ssl_state;
162 const char *tortls_state;
164 if (PREDICT_UNLIKELY(!tls || !tls->
ssl)) {
165 strlcpy(buf,
"(No SSL object)", sz);
169 ssl_state = SSL_state_string_long(tls->
ssl);
170 switch (tls->
state) {
171#define CASE(st) case TOR_TLS_ST_##st: tortls_state = " in "#st ; break
179 case TOR_TLS_ST_BUFFEREVENT:
183 tortls_state =
" in unknown TLS state";
194tor_tls_log_one_error(
tor_tls_t *tls,
unsigned long err,
195 int severity,
int domain,
const char *doing)
197 const char *state = NULL, *addr;
198 const char *msg, *lib, *func;
200 state = (tls && tls->
ssl)?SSL_state_string_long(tls->
ssl):
"---";
202 addr = tls ? tls->
address : NULL;
207 switch (ERR_GET_REASON(err)) {
208 case SSL_R_HTTP_REQUEST:
209 case SSL_R_HTTPS_PROXY_REQUEST:
210 case SSL_R_RECORD_LENGTH_MISMATCH:
211#ifndef OPENSSL_1_1_API
212 case SSL_R_RECORD_TOO_LARGE:
214 case SSL_R_UNKNOWN_PROTOCOL:
215 case SSL_R_UNSUPPORTED_PROTOCOL:
222 msg = (
const char*)ERR_reason_error_string(err);
223 lib = (
const char*)ERR_lib_error_string(err);
224 func = (
const char*)ERR_func_error_string(err);
225 if (!msg) msg =
"(null)";
226 if (!lib) lib =
"(null)";
227 if (!func) func =
"(null)";
229 tor_log(severity, domain,
"TLS error while %s%s%s: %s (in %s:%s:%s)",
230 doing, addr?
" with ":
"", addr?addr:
"",
231 msg, lib, func, state);
233 tor_log(severity, domain,
"TLS error%s%s: %s (in %s:%s:%s)",
234 addr?
" with ":
"", addr?addr:
"",
235 msg, lib, func, state);
247 while ((err = ERR_get_error()) != 0) {
249 tls->last_error = err;
250 tor_tls_log_one_error(tls, err, severity, domain, doing);
266 if (tls->last_error == 0) {
269 return (
const char*)ERR_reason_error_string(tls->last_error);
272#define CATCH_SYSCALL 1
286tor_tls_get_error(
tor_tls_t *tls,
int r,
int extra,
287 const char *doing,
int severity,
int domain)
289 int err = SSL_get_error(tls->
ssl, r);
290 int tor_error = TOR_TLS_ERROR_MISC;
294 case SSL_ERROR_WANT_READ:
295 return TOR_TLS_WANTREAD;
296 case SSL_ERROR_WANT_WRITE:
297 return TOR_TLS_WANTWRITE;
298 case SSL_ERROR_SYSCALL:
299 if (extra&CATCH_SYSCALL)
300 return TOR_TLS_SYSCALL_;
302 tor_log(severity,
LD_NET,
"TLS error: unexpected close while %s (%s)",
303 doing, SSL_state_string_long(tls->
ssl));
304 tor_error = TOR_TLS_ERROR_IO;
306 int e = tor_socket_errno(tls->
socket);
308 "TLS error: <syscall error while %s> (errno=%d: %s; state=%s)",
309 doing, e, tor_socket_strerror(e),
310 SSL_state_string_long(tls->
ssl));
315 case SSL_ERROR_ZERO_RETURN:
316 if (extra&CATCH_ZERO)
317 return TOR_TLS_ZERORETURN_;
318 tor_log(severity,
LD_NET,
"TLS connection closed while %s in state %s",
319 doing, SSL_state_string_long(tls->
ssl));
321 return TOR_TLS_CLOSE;
324 return TOR_TLS_ERROR_MISC;
333 check_no_tls_errors();
335 if (!tls_library_is_initialized) {
336#ifdef OPENSSL_1_1_API
337 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
340 SSL_load_error_strings();
343#if (SIZEOF_VOID_P >= 8 && \
344 OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1) && \
345 (!defined(LIBRESSL_VERSION_NUMBER) || \
346 LIBRESSL_VERSION_NUMBER < 0x3080000fL))
347 long version = tor_OpenSSL_version_num();
350 if (version >= OPENSSL_V_SERIES(1,0,1)) {
360 EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
361 const EC_GROUP *g = key ? EC_KEY_get0_group(key) : NULL;
362 const EC_METHOD *m = g ? EC_GROUP_method_of(g) : NULL;
363 const int warn = (m == EC_GFp_simple_method() ||
364 m == EC_GFp_mont_method() ||
365 m == EC_GFp_nist_method());
369 log_notice(
LD_GENERAL,
"We were built to run on a 64-bit CPU, with "
370 "OpenSSL 1.0.1 or later, but with a version of OpenSSL "
371 "that apparently lacks accelerated support for the NIST "
372 "P-224 and P-256 groups. Building openssl with such "
373 "support (using the enable-ec_nistp_64_gcc_128 option "
374 "when configuring it) would make ECDH much faster.");
379 tor_tls_allocate_tor_tls_object_ex_data_index();
381 tls_library_is_initialized = 1;
390always_accept_verify_cb(
int preverify_ok,
391 X509_STORE_CTX *x509_ctx)
400static const char SERVER_CIPHER_LIST[] =
401#ifdef TLS1_3_TXT_AES_128_GCM_SHA256
407 TLS1_3_TXT_AES_128_GCM_SHA256
":"
409 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
":"
410 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA;
414static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
416#ifdef TLS1_3_TXT_AES_256_GCM_SHA384
417 TLS1_3_TXT_AES_256_GCM_SHA384
":"
419#ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256
420 TLS1_3_TXT_CHACHA20_POLY1305_SHA256
":"
422#ifdef TLS1_3_TXT_AES_128_GCM_SHA256
423 TLS1_3_TXT_AES_128_GCM_SHA256
":"
425#ifdef TLS1_3_TXT_AES_128_CCM_SHA256
426 TLS1_3_TXT_AES_128_CCM_SHA256
":"
431#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
432 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
":"
434#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
435 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
437#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
438 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
":"
440#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
441 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
":"
443#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
444 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
":"
446#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
447 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
":"
449#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
450 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
":"
452#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
453 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
":"
455#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_CCM
456 TLS1_TXT_DHE_RSA_WITH_AES_256_CCM
":"
458#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_CCM
459 TLS1_TXT_DHE_RSA_WITH_AES_128_CCM
":"
461#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
462 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
":"
464#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
465 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
":"
468 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
":"
470 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
":"
471#ifdef TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305
472 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305
":"
474#ifdef TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
475 TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
484#define CIPHER(id, name) name ":"
485#define XCIPHER(id, name)
488static const char CLIENT_CIPHER_LIST[] =
490#include "lib/tls/ciphers.inc"
503tor_tls_cert_matches_key,(
const tor_tls_t *tls,
const tor_x509_cert_t *cert))
509 X509 *peercert = peer->cert;
510 EVP_PKEY *link_key = NULL, *cert_key = NULL;
513 link_key = X509_get_pubkey(peercert);
514 cert_key = X509_get_pubkey(cert->cert);
516 result = link_key && cert_key && EVP_PKEY_cmp(cert_key, link_key) == 1;
518 tor_x509_cert_free(peer);
520 EVP_PKEY_free(link_key);
522 EVP_PKEY_free(cert_key);
528tor_tls_context_impl_free_(
struct ssl_ctx_st *ctx)
536#define NID_tor_default_ecdhe_group NID_X9_62_prime256v1
544 unsigned flags,
int is_client)
546 EVP_PKEY *pkey = NULL;
566 if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
571#ifdef HAVE_TLS_METHOD
572 if (!(result->ctx = SSL_CTX_new(TLS_method())))
575 if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
579#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
581 SSL_CTX_set_security_level(result->ctx, 1);
584 SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
585 SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
589 SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
601#ifdef SSL_OP_NO_TICKET
603 SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
607 SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
608 SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_ECDH_USE);
610#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
611 SSL_CTX_set_options(result->ctx,
612 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
618 SSL_CTX_set_options(result->ctx,
619 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
625#ifdef SSL_OP_NO_COMPRESSION
626 SSL_CTX_set_options(result->ctx, SSL_OP_NO_COMPRESSION);
628#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
629#ifndef OPENSSL_NO_COMP
630 if (result->ctx->comp_methods)
631 result->ctx->comp_methods = NULL;
635#ifdef SSL_MODE_RELEASE_BUFFERS
636 SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
639 if (result->my_link_cert &&
640 !SSL_CTX_use_certificate(result->ctx,
641 result->my_link_cert->cert)) {
644 if (result->my_id_cert) {
645 X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
647 X509_STORE_add_cert(s, result->my_id_cert->cert);
650 SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
653 if (!(pkey = crypto_pk_get_openssl_evp_pkey_(result->link_key,1)))
655 if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
659 if (!SSL_CTX_check_private_key(result->ctx))
666 SSL_CTX_set_tmp_dh(result->ctx, dh);
671#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
674 if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
675 list =
"P-224:P-256";
676 else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
677 list =
"P-256:P-224";
679 list =
"P-256:P-224";
680 int r = (int) SSL_CTX_set1_groups_list(result->ctx, list);
688 if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
690 else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
691 nid = NID_X9_62_prime256v1;
693 nid = NID_tor_default_ecdhe_group;
695 ec_key = EC_KEY_new_by_curve_name(nid);
697 SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
701 SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
702 always_accept_verify_cb);
704 SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
706#ifdef SSL_OP_TLSEXT_PADDING
709 SSL_CTX_set_options(result->ctx, SSL_OP_TLSEXT_PADDING);
724tor_tls_debug_state_callback(
const SSL *ssl,
int type,
int val)
727 log_debug(
LD_HANDSHAKE,
"SSL %p is now in state %s [type=%d,val=%d].",
728 ssl, SSL_state_string_long(ssl), type, val);
734tor_tls_get_ciphersuite_name(
tor_tls_t *tls)
736 return SSL_get_cipher(tls->
ssl);
743STATIC uint16_t v2_cipher_list[] = {
775static int v2_cipher_list_pruned = 0;
780find_cipher_by_id(
const SSL *ssl,
const SSL_METHOD *m, uint16_t cipher)
783#ifdef HAVE_SSL_CIPHER_FIND
786 unsigned char cipherid[3];
792 c = SSL_CIPHER_find((SSL*)ssl, cipherid);
794 tor_assert((SSL_CIPHER_get_id(c) & 0xffff) == cipher);
799# if defined(HAVE_STRUCT_SSL_METHOD_ST_GET_CIPHER_BY_CHAR)
800 if (m && m->get_cipher_by_char) {
801 unsigned char cipherid[3];
806 c = m->get_cipher_by_char(cipherid);
812# ifndef OPENSSL_1_1_API
813 if (m && m->get_cipher && m->num_ciphers) {
819 for (i = 0; i < m->num_ciphers(); ++i) {
820 c = m->get_cipher(i);
821 if (c && (c->id & 0xffff) == cipher) {
839prune_v2_cipher_list(
const SSL *ssl)
841 uint16_t *inp, *outp;
842#ifdef HAVE_TLS_METHOD
843 const SSL_METHOD *m = TLS_method();
845 const SSL_METHOD *m = SSLv23_method();
848 inp = outp = v2_cipher_list;
850 if (find_cipher_by_id(ssl, m, *inp)) {
858 v2_cipher_list_pruned = 1;
866tor_tls_classify_client_ciphers(
const SSL *ssl,
867 STACK_OF(SSL_CIPHER) *peer_ciphers)
871 if (PREDICT_UNLIKELY(!v2_cipher_list_pruned))
872 prune_v2_cipher_list(ssl);
874 tor_tls = tor_tls_get_by_ssl(ssl);
875 if (tor_tls && tor_tls->client_cipher_list_type)
876 return tor_tls->client_cipher_list_type;
881 log_info(
LD_NET,
"No ciphers on session");
887 for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
888 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
889 const char *ciphername = SSL_CIPHER_get_name(cipher);
890 if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
891 strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
892 strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) &&
893 strcmp(ciphername,
"(NONE)")) {
894 log_debug(
LD_NET,
"Got a non-version-1 cipher called '%s'", ciphername);
903 const uint16_t *v2_cipher = v2_cipher_list;
904 for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
905 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
906 uint16_t
id = SSL_CIPHER_get_id(cipher) & 0xffff;
909 if (!
id ||
id != *v2_cipher) {
910 res = CIPHERS_UNRESTRICTED;
915 if (*v2_cipher != 0) {
916 res = CIPHERS_UNRESTRICTED;
926 for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
927 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
928 const char *ciphername = SSL_CIPHER_get_name(cipher);
932 log_debug(
LD_NET,
"Got a %s V2/V3 cipher list from %s. It is: '%s'",
933 (res == CIPHERS_V2) ?
"fictitious" :
"real", ADDR(tor_tls), s);
935 smartlist_free(elts);
938 if (tor_tls && peer_ciphers)
939 return tor_tls->client_cipher_list_type = res;
948tor_tls_client_is_using_v2_ciphers(
const SSL *ssl)
950 STACK_OF(SSL_CIPHER) *ciphers;
951#ifdef HAVE_SSL_GET_CLIENT_CIPHERS
952 ciphers = SSL_get_client_ciphers(ssl);
954 SSL_SESSION *session;
955 if (!(session = SSL_get_session((SSL *)ssl))) {
956 log_info(
LD_NET,
"No session on TLS?");
959 ciphers = session->ciphers;
962 return tor_tls_classify_client_ciphers(ssl, ciphers) >= CIPHERS_V2;
972tor_tls_server_info_callback(
const SSL *ssl,
int type,
int val)
981 tor_tls_debug_state_callback(ssl, type, val);
983 if (type != SSL_CB_ACCEPT_LOOP)
986 OSSL_HANDSHAKE_STATE ssl_state = SSL_get_state(ssl);
987 if (! STATE_IS_SW_SERVER_HELLO(ssl_state))
989 tls = tor_tls_get_by_ssl(ssl);
992 if (tls->negotiated_callback)
995 log_warn(
LD_BUG,
"Couldn't look up the tls for an SSL*. How odd!");
1000 if (tor_tls_client_is_using_v2_ciphers(ssl)) {
1009 SSL_set_mode((SSL*) ssl, SSL_MODE_NO_AUTO_CHAIN);
1011 SSL_set_verify((SSL*) ssl, SSL_VERIFY_NONE, NULL);
1017 log_warn(
LD_BUG,
"Couldn't look up the tls for an SSL*. How odd!");
1036tor_tls_session_secret_cb(SSL *ssl,
void *secret,
int *secret_len,
1037 STACK_OF(SSL_CIPHER) *peer_ciphers,
1038 CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
1043 (void) peer_ciphers;
1047 if (tor_tls_classify_client_ciphers(ssl, peer_ciphers) ==
1048 CIPHERS_UNRESTRICTED) {
1049 SSL_set_cipher_list(ssl, UNRESTRICTED_SERVER_CIPHER_LIST);
1052 SSL_set_session_secret_cb(ssl, NULL, NULL);
1057tor_tls_setup_session_secret_cb(
tor_tls_t *tls)
1059 SSL_set_session_secret_cb(tls->
ssl, tor_tls_session_secret_cb, NULL);
1071 result->magic = TOR_TLS_MAGIC;
1073 check_no_tls_errors();
1075 if (!(result->
ssl = SSL_new(context->ctx))) {
1081#ifdef SSL_set_tlsext_host_name
1085 SSL_set_tlsext_host_name(result->
ssl, fake_hostname);
1090#ifdef SSL_CTRL_SET_MAX_PROTO_VERSION
1091 if (openssl_bug_7712_is_present) {
1093 SSL_set_max_proto_version(result->
ssl, TLS1_2_VERSION);
1097 if (!SSL_set_cipher_list(result->
ssl,
1098 isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST)) {
1100#ifdef SSL_set_tlsext_host_name
1101 SSL_set_tlsext_host_name(result->
ssl, NULL);
1103 SSL_free(result->
ssl);
1108 bio = BIO_new_socket(sock, BIO_CLOSE);
1111#ifdef SSL_set_tlsext_host_name
1112 SSL_set_tlsext_host_name(result->
ssl, NULL);
1114 SSL_free(result->
ssl);
1120 SSL_set_ex_data(result->
ssl, tor_tls_object_ex_data_index, result);
1123 "Couldn't set the tls for an SSL*; connection will fail");
1126 SSL_set_bio(result->
ssl, bio, bio);
1128 result->context = context;
1129 result->
state = TOR_TLS_ST_HANDSHAKE;
1131 result->wantwrite_n = 0;
1132 result->last_write_count = (
unsigned long) BIO_number_written(bio);
1133 result->last_read_count = (
unsigned long) BIO_number_read(bio);
1134 if (result->last_write_count || result->last_read_count) {
1135 log_warn(
LD_NET,
"Newly created BIO has read count %lu, write count %lu",
1136 result->last_read_count, result->last_write_count);
1139 SSL_set_info_callback(result->
ssl, tor_tls_server_info_callback);
1141 SSL_set_info_callback(result->
ssl, tor_tls_debug_state_callback);
1145 tor_tls_setup_session_secret_cb(result);
1165 tls->negotiated_callback = cb;
1166 tls->callback_arg = arg;
1169 SSL_set_info_callback(tls->
ssl, tor_tls_server_info_callback);
1171 SSL_set_info_callback(tls->
ssl, tor_tls_debug_state_callback);
1183 SSL_set_options(tls->
ssl,
1184 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1194#ifdef SUPPORT_UNSAFE_RENEGOTIATION_FLAG
1195 tls->
ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
1212 rbio = SSL_get_rbio(tls->
ssl);
1213 wbio = SSL_get_wbio(tls->
ssl);
1216 (void) BIO_set_close(rbio, BIO_NOCLOSE);
1218 if (wbio && wbio != rbio) {
1219 (void) BIO_set_close(wbio, BIO_NOCLOSE);
1224tor_tls_impl_free_(tor_tls_impl_t *ssl)
1229#ifdef SSL_set_tlsext_host_name
1230 SSL_set_tlsext_host_name(ssl, NULL);
1248 r = SSL_read(tls->
ssl, cp, (
int)len);
1252 log_info(
LD_NET,
"Got a TLS renegotiation from %s", ADDR(tls));
1253 if (tls->negotiated_callback)
1254 tls->negotiated_callback(tls, tls->callback_arg);
1259 err = tor_tls_get_error(tls, r, CATCH_ZERO,
"reading",
LOG_DEBUG,
LD_NET);
1260 if (err == TOR_TLS_ZERORETURN_ || err == TOR_TLS_CLOSE) {
1261 log_debug(
LD_NET,
"read returned r=%d; TLS is closed",r);
1262 tls->
state = TOR_TLS_ST_CLOSED;
1263 return TOR_TLS_CLOSE;
1266 log_debug(
LD_NET,
"read returned r=%d, err=%d",r,err);
1273STATIC uint64_t total_bytes_written_over_tls = 0;
1276STATIC uint64_t total_bytes_written_by_tls = 0;
1293 if (tls->wantwrite_n) {
1296 log_debug(
LD_NET,
"resuming pending-write, (%d to flush, reusing %d)",
1297 (
int)n, (
int)tls->wantwrite_n);
1298 n = tls->wantwrite_n;
1299 tls->wantwrite_n = 0;
1301 r = SSL_write(tls->
ssl, cp, (
int)n);
1303 if (err == TOR_TLS_DONE) {
1304 total_bytes_written_over_tls += r;
1307 if (err == TOR_TLS_WANTWRITE || err == TOR_TLS_WANTREAD) {
1308 tls->wantwrite_n = n;
1325 check_no_tls_errors();
1327 OSSL_HANDSHAKE_STATE oldstate = SSL_get_state(tls->
ssl);
1330 log_debug(
LD_HANDSHAKE,
"About to call SSL_accept on %p (%s)", tls,
1331 SSL_state_string_long(tls->
ssl));
1332 r = SSL_accept(tls->
ssl);
1334 log_debug(
LD_HANDSHAKE,
"About to call SSL_connect on %p (%s)", tls,
1335 SSL_state_string_long(tls->
ssl));
1336 r = SSL_connect(tls->
ssl);
1339 OSSL_HANDSHAKE_STATE newstate = SSL_get_state(tls->
ssl);
1341 if (oldstate != newstate)
1342 log_debug(
LD_HANDSHAKE,
"After call, %p was in state %s",
1343 tls, SSL_state_string_long(tls->
ssl));
1348 if (ERR_peek_error() != 0) {
1351 return TOR_TLS_ERROR_MISC;
1353 if (r == TOR_TLS_DONE) {
1354 tls->
state = TOR_TLS_ST_OPEN;
1371 int r = TOR_TLS_DONE;
1372 check_no_tls_errors();
1374 SSL_set_info_callback(tls->
ssl, NULL);
1375 SSL_set_verify(tls->
ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
1376 SSL_clear_mode(tls->
ssl, SSL_MODE_NO_AUTO_CHAIN);
1377 if (tor_tls_client_is_using_v2_ciphers(tls->
ssl)) {
1382 log_warn(
LD_BUG,
"For some reason, wasV2Handshake didn't"
1383 " get set. Fixing that.");
1386 log_debug(
LD_HANDSHAKE,
"Completed V2 TLS handshake with client; waiting"
1387 " for renegotiation.");
1395 if (SSL_set_cipher_list(tls->
ssl, SERVER_CIPHER_LIST) == 0) {
1397 r = TOR_TLS_ERROR_MISC;
1410 cert = SSL_get_peer_certificate(tls->
ssl);
1424 cert = SSL_get_peer_certificate(tls->
ssl);
1428 return tor_x509_cert_new(cert);
1436 X509 *cert = SSL_get_certificate(tls->
ssl);
1438 "getting own-connection certificate");
1443 X509 *duplicate = X509_dup(cert);
1444 if (BUG(duplicate == NULL))
1446 return tor_x509_cert_new(duplicate);
1456try_to_extract_certs_from_tls,(
int severity,
tor_tls_t *tls,
1457 X509 **cert_out, X509 **id_cert_out))
1459 X509 *cert = NULL, *id_cert = NULL;
1460 STACK_OF(X509) *chain = NULL;
1461 int num_in_chain, i;
1462 *cert_out = *id_cert_out = NULL;
1463 if (!(cert = SSL_get_peer_certificate(tls->
ssl)))
1466 if (!(chain = SSL_get_peer_cert_chain(tls->
ssl)))
1468 num_in_chain = sk_X509_num(chain);
1473 if (num_in_chain < 1) {
1475 "Unexpected number of certificates in chain (%d)",
1479 for (i=0; i<num_in_chain; ++i) {
1480 id_cert = sk_X509_value(chain, i);
1481 if (X509_cmp(id_cert, cert) != 0)
1484 *id_cert_out = id_cert ? X509_dup(id_cert) : NULL;
1493 return SSL_pending(tls->
ssl);
1501 return tls->wantwrite_n;
1512 r = (
unsigned long) BIO_number_read(SSL_get_rbio(tls->
ssl));
1520 wbio = SSL_get_wbio(tls->
ssl);
1521#if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
1526 if (BIO_method_type(wbio) == BIO_TYPE_BUFFER &&
1527 (tmpbio = BIO_next(wbio)) != NULL)
1530 if (wbio->method == BIO_f_buffer() && (tmpbio = BIO_next(wbio)) != NULL)
1533 w = (
unsigned long) BIO_number_written(wbio);
1540 *n_read = (size_t)(r - tls->last_read_count);
1541 *n_written = (size_t)(w - tls->last_write_count);
1542 if (*n_read > INT_MAX || *n_written > INT_MAX) {
1543 log_warn(
LD_BUG,
"Preposterously large value in tor_tls_get_n_raw_bytes. "
1544 "r=%lu, last_read=%lu, w=%lu, last_written=%lu",
1545 r, tls->last_read_count, w, tls->last_write_count);
1547 total_bytes_written_by_tls += *n_written;
1548 tls->last_read_count = r;
1549 tls->last_write_count = w;
1557 if (total_bytes_written_over_tls == 0)
1560 return ((
double)total_bytes_written_by_tls) /
1561 ((double)total_bytes_written_over_tls);
1567check_no_tls_errors_(
const char *fname,
int line)
1569 if (ERR_peek_error() == 0)
1571 log_warn(
LD_CRYPTO,
"Unhandled OpenSSL errors found at %s:%d: ",
1572 tor_fix_source_file(fname), line);
1592#ifndef HAVE_SSL_GET_CLIENT_RANDOM
1594SSL_get_client_random(SSL *s, uint8_t *out,
size_t len)
1597 return SSL3_RANDOM_SIZE;
1600 memcpy(out, s->s3->client_random, len);
1605#ifndef HAVE_SSL_GET_SERVER_RANDOM
1607SSL_get_server_random(SSL *s, uint8_t *out,
size_t len)
1610 return SSL3_RANDOM_SIZE;
1613 memcpy(out, s->s3->server_random, len);
1618#ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
1620SSL_SESSION_get_master_key(SSL_SESSION *s, uint8_t *out,
size_t len)
1624 return s->master_key_length;
1625 tor_assert(len == (
size_t)s->master_key_length);
1627 memcpy(out, s->master_key, len);
1639#define TLSSECRET_MAGIC "Tor V3 handshake TLS cross-certification"
1644 SSL *
const ssl = tls->
ssl;
1645 SSL_SESSION *
const session = SSL_get_session(ssl);
1650 const size_t server_random_len = SSL_get_server_random(ssl, NULL, 0);
1651 const size_t client_random_len = SSL_get_client_random(ssl, NULL, 0);
1652 const size_t master_key_len = SSL_SESSION_get_master_key(session, NULL, 0);
1654 if (BUG(! server_random_len)) {
1655 log_warn(
LD_NET,
"Missing server randomness after handshake "
1656 "using %s (cipher: %s, server: %s) from %s",
1657 SSL_get_version(ssl),
1658 SSL_get_cipher_name(ssl),
1664 if (BUG(! client_random_len)) {
1665 log_warn(
LD_NET,
"Missing client randomness after handshake "
1666 "using %s (cipher: %s, server: %s) from %s",
1667 SSL_get_version(ssl),
1668 SSL_get_cipher_name(ssl),
1674 if (BUG(! master_key_len)) {
1675 log_warn(
LD_NET,
"Missing master key after handshake "
1676 "using %s (cipher: %s, server: %s) from %s",
1677 SSL_get_version(ssl),
1678 SSL_get_cipher_name(ssl),
1684 len = client_random_len + server_random_len + strlen(TLSSECRET_MAGIC) + 1;
1688 size_t r = SSL_get_client_random(ssl, buf, client_random_len);
1693 size_t r = SSL_get_server_random(ssl,
1694 buf+client_random_len,
1699 uint8_t *master_key = tor_malloc_zero(master_key_len);
1701 size_t r = SSL_SESSION_get_master_key(session, master_key, master_key_len);
1705 uint8_t *nextbuf = buf + client_random_len + server_random_len;
1706 memcpy(nextbuf, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1);
1717 memwipe(master_key, 0, master_key_len);
1732 const uint8_t *context,
1739 int r = SSL_export_keying_material(tls->
ssl,
1741 label, strlen(label),
1742 context, context_len, 1);
1749#ifdef TLS1_3_VERSION
1751 strlen(label) > 12 &&
1752 SSL_version(tls->
ssl) >= TLS1_3_VERSION) {
1754 if (! openssl_bug_7712_is_present) {
1759 "short", 5, context, context_len, 1);
1763 openssl_bug_7712_is_present = 1;
1764 log_warn(
LD_GENERAL,
"Detected OpenSSL bug 7712: disabling TLS 1.3 on "
1765 "future connections.");
1768 if (openssl_bug_7712_is_present)
1775 return (r == 1) ? 0 : -1;
1787 size_t *rbuf_capacity,
size_t *rbuf_bytes,
1788 size_t *wbuf_capacity,
size_t *wbuf_bytes)
1790#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
1792 (void)rbuf_capacity;
1794 (void)wbuf_capacity;
1799 if (tls->
ssl->s3->rbuf.buf)
1800 *rbuf_capacity = tls->
ssl->s3->rbuf.len;
1803 if (tls->
ssl->s3->wbuf.buf)
1804 *wbuf_capacity = tls->
ssl->s3->wbuf.len;
1807 *rbuf_bytes = tls->
ssl->s3->rbuf.left;
1808 *wbuf_bytes = tls->
ssl->s3->wbuf.left;
1824 nid = NID_tor_default_ecdhe_group;
1825 else if (!strcasecmp(ecgroup,
"P256"))
1826 nid = NID_X9_62_prime256v1;
1827 else if (!strcasecmp(ecgroup,
"P224"))
1828 nid = NID_secp224r1;
1832 ec_key = EC_KEY_new_by_curve_name(nid);
1833 ret = (ec_key != NULL);
1834 EC_KEY_free(ec_key);
Inline functions for reading and writing multibyte values from the middle of strings,...
static uint16_t tor_htons(uint16_t a)
static void set_uint16(void *cp, uint16_t v)
Macro definitions for MIN, MAX, and CLAMP.
Header for compat_string.c.
Headers for crypto_cipher.c.
struct dh_st * crypto_dh_new_openssl_tls(void)
void crypto_hmac_sha256(char *hmac_out, const char *key, size_t key_len, const char *msg, size_t msg_len)
char * crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix, const char *suffix)
Common functions for using (pseudo-)random number generators.
void memwipe(void *mem, uint8_t byte, size_t sz)
Common functions for cryptographic routines.
void tor_log(int severity, log_domain_mask_t domain, const char *format,...)
#define log_fn(severity, domain, args,...)
int tor_snprintf(char *str, size_t size, const char *format,...)
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
tor_tls_state_bitfield_t state
unsigned int wasV2Handshake
unsigned int got_renegotiate
#define MOCK_IMPL(rv, funcname, arglist)
void tor_tls_context_incref(tor_tls_context_t *ctx)
tor_tls_context_t * tor_tls_context_get(int is_server)
void tor_tls_context_decref(tor_tls_context_t *ctx)
int tor_errno_to_tls_error(int e)
int tor_tls_context_init_certificates(tor_tls_context_t *result, crypto_pk_t *identity, unsigned key_lifetime, unsigned flags)
int tor_tls_server_got_renegotiate(tor_tls_t *tls)
void tor_tls_block_renegotiation(tor_tls_t *tls)
int tor_tls_peer_has_cert(tor_tls_t *tls)
int tor_tls_used_v1_handshake(tor_tls_t *tls)
void tor_tls_get_n_raw_bytes(tor_tls_t *tls, size_t *n_read, size_t *n_written)
int tor_tls_read(tor_tls_t *tls, char *cp, size_t len)
void tor_tls_unblock_renegotiation(tor_tls_t *tls)
double tls_get_write_overhead_ratio(void)
int evaluate_ecgroup_for_tls(const char *ecgroup)
void tor_tls_set_renegotiate_callback(tor_tls_t *tls, void(*cb)(tor_tls_t *, void *arg), void *arg)
int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n)
int tor_tls_get_buffer_sizes(tor_tls_t *tls, size_t *rbuf_capacity, size_t *rbuf_bytes, size_t *wbuf_capacity, size_t *wbuf_bytes)
struct tor_x509_cert_t * tor_tls_get_peer_cert(tor_tls_t *tls)
int tor_tls_get_pending_bytes(tor_tls_t *tls)
int tor_tls_handshake(tor_tls_t *tls)
int tor_tls_finish_handshake(tor_tls_t *tls)
tor_tls_t * tor_tls_new(tor_socket_t sock, int is_server)
const char * tor_tls_get_last_error_msg(const tor_tls_t *tls)
void tls_log_errors(tor_tls_t *tls, int severity, int domain, const char *doing)
struct tor_x509_cert_t * tor_tls_get_own_cert(tor_tls_t *tls)
int tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out)
void tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz)
void tor_tls_release_socket(tor_tls_t *tls)
int tor_tls_export_key_material(tor_tls_t *tls, uint8_t *secrets_out, const uint8_t *context, size_t context_len, const char *label)
size_t tor_tls_get_forced_write_size(tor_tls_t *tls)
Declare internal functions for lib/tls.
tor_tls_context_t * tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, unsigned flags, int is_client)
Structure declarations for internal TLS types.
Macros to manage assertions, fatal and non-fatal.
#define IF_BUG_ONCE(cond)