14 #define TORTLS_PRIVATE
15 #define TOR_X509_PRIVATE
30 #include "lib/tls/x509_internal.h"
37 DISABLE_GCC_WARNING(
"-Wstrict-prototypes")
40 #include <private/pprio.h>
45 ENABLE_GCC_WARNING(
"-Wstrict-prototypes")
47 static SECStatus always_accept_cert_cb(
void *, PRFileDesc *, PRBool, PRBool);
50 try_to_extract_certs_from_tls,(
int severity,
tor_tls_t *tls,
51 tor_x509_cert_impl_t **cert_out,
52 tor_x509_cert_impl_t **id_cert_out))
59 *cert_out = *id_cert_out = NULL;
61 CERTCertificate *peer = SSL_PeerCertificate(tls->ssl);
66 CERTCertList *chain = SSL_PeerCertificateChain(tls->ssl);
67 CERTCertListNode *c = CERT_LIST_HEAD(chain);
68 for (; !CERT_LIST_END(c, chain); c = CERT_LIST_NEXT(c)) {
69 if (CERT_CompareCerts(c->cert, peer) == PR_FALSE) {
70 *id_cert_out = CERT_DupCertificate(c->cert);
74 CERT_DestroyCertList(chain);
78 we_like_ssl_cipher(SSLCipherAlgorithm ca)
81 case ssl_calg_null:
return false;
82 case ssl_calg_rc4:
return false;
83 case ssl_calg_rc2:
return false;
84 case ssl_calg_des:
return false;
85 case ssl_calg_3des:
return false;
86 case ssl_calg_idea:
return false;
87 case ssl_calg_fortezza:
return false;
88 case ssl_calg_camellia:
return false;
89 case ssl_calg_seed:
return false;
91 case ssl_calg_aes:
return true;
92 case ssl_calg_aes_gcm:
return true;
93 case ssl_calg_chacha20:
return true;
98 we_like_ssl_kea(SSLKEAType kt)
101 case ssl_kea_null:
return false;
102 case ssl_kea_rsa:
return false;
103 case ssl_kea_fortezza:
return false;
104 case ssl_kea_ecdh_psk:
return false;
105 case ssl_kea_dh_psk:
return false;
107 case ssl_kea_dh:
return true;
108 case ssl_kea_ecdh:
return true;
109 case ssl_kea_tls13_any:
return true;
111 case ssl_kea_size:
return true;
112 default:
return true;
117 we_like_mac_algorithm(SSLMACAlgorithm ma)
120 case ssl_mac_null:
return false;
121 case ssl_mac_md5:
return false;
122 case ssl_hmac_md5:
return false;
124 case ssl_mac_sha:
return true;
125 case ssl_hmac_sha:
return true;
126 case ssl_hmac_sha256:
return true;
127 case ssl_mac_aead:
return true;
128 case ssl_hmac_sha384:
return true;
129 default:
return true;
134 we_like_auth_type(SSLAuthType at)
137 case ssl_auth_null:
return false;
138 case ssl_auth_rsa_decrypt:
return false;
139 case ssl_auth_dsa:
return false;
140 case ssl_auth_kea:
return false;
142 case ssl_auth_ecdsa:
return true;
143 case ssl_auth_ecdh_rsa:
return true;
144 case ssl_auth_ecdh_ecdsa:
return true;
145 case ssl_auth_rsa_sign:
return true;
146 case ssl_auth_rsa_pss:
return true;
147 case ssl_auth_psk:
return true;
148 case ssl_auth_tls13_any:
return true;
150 case ssl_auth_size:
return true;
151 default:
return true;
167 if (info->authType == ssl_auth_tls13_any)
173 if (strstr(info->cipherSuiteName,
"_SHA384") ||
174 strstr(info->cipherSuiteName,
"_SHA512")) {
183 unsigned int key_lifetime,
unsigned flags,
int is_client)
195 key_lifetime, flags) < 0) {
202 PRFileDesc *tcp = PR_NewTCPSocket();
206 ctx->ctx = SSL_ImportFD(NULL, tcp);
215 s = SSL_ConfigServerCert(ctx->ctx,
216 ctx->my_link_cert->cert,
218 crypto_pk_get_nss_privkey(ctx->link_key),
228 s = SSL_OptionSet(ctx->ctx, SSL_REQUIRE_CERTIFICATE, PR_TRUE);
235 s = SSL_AuthCertificateHook(ctx->ctx, always_accept_cert_cb, NULL);
238 s = SSL_OptionSet(ctx->ctx, SSL_ENABLE_FDX, PR_TRUE);
245 s = SSL_OptionSet(ctx->ctx,
246 is_client ? SSL_HANDSHAKE_AS_CLIENT : SSL_HANDSHAKE_AS_SERVER,
253 SSLVersionRange vrange;
254 memset(&vrange, 0,
sizeof(vrange));
255 s = SSL_VersionRangeGetSupported(ssl_variant_stream, &vrange);
258 if (vrange.min < SSL_LIBRARY_VERSION_TLS_1_0)
259 vrange.min = SSL_LIBRARY_VERSION_TLS_1_0;
260 s = SSL_VersionRangeSet(ctx->ctx, &vrange);
267 const PRUint16 *ciphers = SSL_GetImplementedCiphers();
268 const PRUint16 n_ciphers = SSL_GetNumImplementedCiphers();
270 for (i = 0; i < n_ciphers; ++i) {
271 SSLCipherSuiteInfo info;
272 memset(&info, 0,
sizeof(info));
273 s = SSL_GetCipherSuiteInfo(ciphers[i], &info,
sizeof(info));
276 if (BUG(info.cipherSuite != ciphers[i]))
278 int disable = info.effectiveKeyBits < 128 ||
279 info.macBits < 128 ||
280 !we_like_ssl_cipher(info.symCipher) ||
281 !we_like_ssl_kea(info.keaType) ||
282 !we_like_mac_algorithm(info.macAlgorithm) ||
283 !we_like_auth_type(info.authType);
291 s = SSL_CipherPrefSet(ctx->ctx, ciphers[i],
292 disable ? PR_FALSE : PR_TRUE);
299 s = SSL_OptionSet(ctx->ctx, SSL_REUSE_SERVER_ECDHE_KEY, PR_FALSE);
304 s = SSL_OptionSet(ctx->ctx, SSL_NO_CACHE, PR_TRUE);
309 s = SSL_OptionSet(ctx->ctx, SSL_ENABLE_SERVER_DHE, PR_TRUE);
314 SSLNamedGroup groups[] = {
315 ssl_grp_ec_curve25519,
316 ssl_grp_ec_secp256r1,
317 ssl_grp_ec_secp224r1,
320 s = SSL_NamedGroupConfig(ctx->ctx, groups,
ARRAY_LENGTH(groups));
338 tor_tls_context_impl_free_(tor_tls_context_impl_t *ctx)
371 PRErrorCode code = PORT_GetError();
373 tls->last_error = code;
375 const char *addr = tls ? tls->
address : NULL;
376 const char *
string = PORT_ErrorToString(code);
377 const char *
name = PORT_ErrorToName(code);
380 string =
"<unrecognized>";
386 const char *with = addr ?
" with " :
"";
387 addr = addr ? addr :
"";
389 log_fn(severity, domain,
"TLS error %s while %s%s%s: %s",
390 name, doing, with, addr,
string);
392 log_fn(severity, domain,
"TLS error %s%s%s: %s",
name,
string,
402 if (tls->last_error == 0) {
405 return PORT_ErrorToString((PRErrorCode)tls->last_error);
414 PRFileDesc *tcp = NULL;
416 tcp = PR_ImportTCPSocket(sock);
418 tcp = PR_NewTCPSocket();
428 PRFileDesc *ssl = SSL_ImportFD(ctx->ctx, count);
436 PRSocketOptionData data;
437 data.option = PR_SockOpt_Nonblocking;
438 data.value.non_blocking = 1;
439 if (PR_SetSocketOption(ssl, &data) != PR_SUCCESS) {
445 tls->magic = TOR_TLS_MAGIC;
450 tls->
state = TOR_TLS_ST_HANDSHAKE;
456 SSL_SetURL(tls->
ssl, fake_hostname);
459 SECStatus s = SSL_ResetHandshake(ssl, is_server ? PR_TRUE : PR_FALSE);
460 if (s != SECSuccess) {
503 log_warn(
LD_NET,
"Out of sockets when trying to shut down an NSS "
508 PRFileDesc *tcp = PR_GetIdentitiesLayer(tls->
ssl, PR_NSPR_IO_LAYER);
514 PR_ChangeFileDescNativeHandle(tcp, sock);
521 tor_tls_impl_free_(tor_tls_impl_t *tls)
534 CERTCertificate *cert = SSL_PeerCertificate(tls->
ssl);
535 int result = (cert != NULL);
536 CERT_DestroyCertificate(cert);
543 CERTCertificate *cert = SSL_PeerCertificate(tls->
ssl);
545 return tor_x509_cert_new(cert);
554 CERTCertificate *cert = SSL_LocalCertificate(tls->
ssl);
556 return tor_x509_cert_new(cert);
568 PRInt32 rv = PR_Read(tls->
ssl, cp, (
int)len);
574 return TOR_TLS_CLOSE;
575 PRErrorCode err = PORT_GetError();
576 if (err == PR_WOULD_BLOCK_ERROR) {
577 return TOR_TLS_WANTREAD;
580 return TOR_TLS_ERROR_MISC;
591 PRInt32 rv = PR_Write(tls->
ssl, cp, (
int)n);
597 return TOR_TLS_ERROR_MISC;
598 PRErrorCode err = PORT_GetError();
600 if (err == PR_WOULD_BLOCK_ERROR) {
601 return TOR_TLS_WANTWRITE;
604 return TOR_TLS_ERROR_MISC;
614 SECStatus s = SSL_ForceHandshake(tls->
ssl);
615 if (s == SECSuccess) {
616 tls->
state = TOR_TLS_ST_OPEN;
617 log_debug(
LD_NET,
"SSL handshake is supposedly complete.");
620 if (PORT_GetError() == PR_WOULD_BLOCK_ERROR)
621 return TOR_TLS_WANTREAD;
623 return TOR_TLS_ERROR_MISC;
660 int n = SSL_DataPending(tls->
ssl);
678 size_t *n_read,
size_t *n_written)
685 *n_read = *n_written = 0;
689 *n_read = (size_t)(r - tls->last_read_count);
690 *n_written = (size_t)(w - tls->last_write_count);
692 tls->last_read_count = r;
693 tls->last_write_count = w;
698 size_t *rbuf_capacity,
size_t *rbuf_bytes,
699 size_t *wbuf_capacity,
size_t *wbuf_bytes)
736 tor_tls_cert_matches_key,(
const tor_tls_t *tls,
737 const struct tor_x509_cert_t *cert))
746 if (!peercert || !peercert->cert)
749 CERTSubjectPublicKeyInfo *peer_info = &peercert->cert->subjectPublicKeyInfo;
750 CERTSubjectPublicKeyInfo *cert_info = &cert->cert->subjectPublicKeyInfo;
765 const unsigned int peer_info_orig_len = peer_info->subjectPublicKey.len;
766 const unsigned int cert_info_orig_len = cert_info->subjectPublicKey.len;
776 peer_info->subjectPublicKey.len = ((peer_info_orig_len + 7) >> 3);
777 cert_info->subjectPublicKey.len = ((cert_info_orig_len + 7) >> 3);
779 rv = SECOID_CompareAlgorithmID(&peer_info->algorithm,
780 &cert_info->algorithm) == 0 &&
781 SECITEM_ItemsAreEqual(&peer_info->subjectPublicKey,
782 &cert_info->subjectPublicKey);
785 peer_info->subjectPublicKey.len = peer_info_orig_len;
786 cert_info->subjectPublicKey.len = cert_info_orig_len;
789 tor_x509_cert_free(peercert);
807 const uint8_t *context,
822 PR_SetError(PR_UNKNOWN_ERROR, 0);
823 s = SSL_ExportKeyingMaterial(tls->
ssl,
824 label, (
unsigned)strlen(label),
825 PR_TRUE, context, (
unsigned)context_len,
827 if (s != SECSuccess) {
829 "exporting key material for a TLS handshake");
832 return (s == SECSuccess) ? 0 : -1;
836 tor_tls_get_ciphersuite_name(
tor_tls_t *tls)
840 SSLChannelInfo channel_info;
841 SSLCipherSuiteInfo cipher_info;
843 memset(&channel_info, 0,
sizeof(channel_info));
844 memset(&cipher_info, 0,
sizeof(cipher_info));
846 SECStatus s = SSL_GetChannelInfo(tls->
ssl,
847 &channel_info,
sizeof(channel_info));
851 s = SSL_GetCipherSuiteInfo(channel_info.cipherSuite,
852 &cipher_info,
sizeof(cipher_info));
856 return cipher_info.cipherSuiteName;
860 #define SEC_OID_TOR_DEFAULT_ECDHE_GROUP SEC_OID_ANSIX962_EC_PRIME256V1
869 else if (!strcasecmp(ecgroup,
"P256"))
870 tag = SEC_OID_ANSIX962_EC_PRIME256V1;
871 else if (!strcasecmp(ecgroup,
"P224"))
872 tag = SEC_OID_SECG_EC_SECP224R1;
883 always_accept_cert_cb(
void *arg, PRFileDesc *ssl, PRBool checkSig,
Headers for crypto_cipher.c.
Headers for crypto_nss_mgt.c.
char * crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix, const char *suffix)
Common functions for using (pseudo-)random number generators.
Common functions for cryptographic routines.
#define log_fn(severity, domain, args,...)
int tor_get_prfiledesc_byte_counts(PRFileDesc *fd, uint64_t *n_read_out, uint64_t *n_written_out)
void tor_nss_countbytes_init(void)
PRFileDesc * tor_wrap_prfiledesc_with_byte_counter(PRFileDesc *stack)
Header for nss_countbytes.c, which lets us count the number of bytes actually written on a PRFileDesc...
int tor_snprintf(char *str, size_t size, const char *format,...)
int tor_close_socket(tor_socket_t s)
void tor_release_socket_ownership(tor_socket_t s)
tor_socket_t tor_open_socket_nonblocking(int domain, int type, int protocol)
tor_tls_state_bitfield_t state
#define MOCK_IMPL(rv, funcname, arglist)
void tor_tls_context_incref(tor_tls_context_t *ctx)
void tor_tls_context_decref(tor_tls_context_t *ctx)
tor_tls_context_t * tor_tls_context_get(int is_server)
int tor_tls_context_init_certificates(tor_tls_context_t *result, crypto_pk_t *identity, unsigned key_lifetime, unsigned flags)
int tor_tls_server_got_renegotiate(tor_tls_t *tls)
struct tor_x509_cert_t * tor_tls_get_peer_cert(tor_tls_t *tls)
void tor_tls_block_renegotiation(tor_tls_t *tls)
int tor_tls_peer_has_cert(tor_tls_t *tls)
int tor_tls_used_v1_handshake(tor_tls_t *tls)
void tor_tls_get_n_raw_bytes(tor_tls_t *tls, size_t *n_read, size_t *n_written)
int tor_tls_read(tor_tls_t *tls, char *cp, size_t len)
void tor_tls_unblock_renegotiation(tor_tls_t *tls)
double tls_get_write_overhead_ratio(void)
int evaluate_ecgroup_for_tls(const char *ecgroup)
void tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
void tor_tls_set_renegotiate_callback(tor_tls_t *tls, void(*cb)(tor_tls_t *, void *arg), void *arg)
int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n)
int tor_tls_get_buffer_sizes(tor_tls_t *tls, size_t *rbuf_capacity, size_t *rbuf_bytes, size_t *wbuf_capacity, size_t *wbuf_bytes)
int tor_tls_get_pending_bytes(tor_tls_t *tls)
int tor_tls_handshake(tor_tls_t *tls)
struct tor_x509_cert_t * tor_tls_get_own_cert(tor_tls_t *tls)
const char * tor_tls_get_last_error_msg(const tor_tls_t *tls)
int tor_tls_finish_handshake(tor_tls_t *tls)
void tls_log_errors(tor_tls_t *tls, int severity, int domain, const char *doing)
int tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out)
void tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz)
tor_tls_t * tor_tls_new(tor_socket_t sock, int is_server)
int tor_tls_export_key_material(tor_tls_t *tls, uint8_t *secrets_out, const uint8_t *context, size_t context_len, const char *label)
size_t tor_tls_get_forced_write_size(tor_tls_t *tls)
Declare internal functions for lib/tls.
tor_tls_context_t * tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, unsigned flags, int is_client)
static bool ciphersuite_has_nss_export_bug(const SSLCipherSuiteInfo *info)
#define SEC_OID_TOR_DEFAULT_ECDHE_GROUP
void tor_tls_release_socket(tor_tls_t *tls)
Structure declarations for internal TLS types.
Macros to manage assertions, fatal and non-fatal.
#define IF_BUG_ONCE(cond)