19 #define TORTLS_PRIVATE
20 #define TORTLS_OPENSSL_PRIVATE
21 #define TOR_X509_PRIVATE
34 #include "lib/crypt_ops/compat_openssl.h"
36 #include "lib/tls/x509_internal.h"
40 DISABLE_GCC_WARNING(
"-Wredundant-decls")
42 #include <openssl/opensslv.h>
45 #error "We require OpenSSL with ECC support"
48 #include <openssl/ssl.h>
49 #include <openssl/ssl3.h>
50 #include <openssl/err.h>
51 #include <openssl/tls1.h>
52 #include <openssl/asn1.h>
53 #include <openssl/bio.h>
54 #include <openssl/bn.h>
55 #include <openssl/rsa.h>
57 ENABLE_GCC_WARNING(
"-Wredundant-decls")
59 #include "lib/tls/tortls.h"
78 #define LEGAL_NICKNAME_CHARACTERS \
79 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
81 #define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")
83 #if OPENSSL_VERSION_NUMBER < OPENSSL_V(1,0,0,'f')
88 #define DISABLE_SSL3_HANDSHAKE
95 #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
96 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
98 #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
99 #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
103 static int openssl_bug_7712_is_present = 0;
110 #define CIPHERS_ERR -1
120 #define CIPHERS_UNRESTRICTED 3
125 STATIC int tor_tls_object_ex_data_index = -1;
129 tor_tls_allocate_tor_tls_object_ex_data_index(
void)
131 if (tor_tls_object_ex_data_index == -1) {
132 tor_tls_object_ex_data_index =
133 SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
134 tor_assert(tor_tls_object_ex_data_index != -1);
141 tor_tls_get_by_ssl(
const SSL *ssl)
143 tor_tls_t *result = SSL_get_ex_data(ssl, tor_tls_object_ex_data_index);
150 static int tls_library_is_initialized = 0;
153 #define TOR_TLS_SYSCALL_ (MIN_TOR_TLS_ERROR_VAL_ - 2)
154 #define TOR_TLS_ZERORETURN_ (MIN_TOR_TLS_ERROR_VAL_ - 1)
161 const char *ssl_state;
162 const char *tortls_state;
164 if (PREDICT_UNLIKELY(!tls || !tls->
ssl)) {
165 strlcpy(buf,
"(No SSL object)", sz);
169 ssl_state = SSL_state_string_long(tls->
ssl);
170 switch (tls->
state) {
171 #define CASE(st) case TOR_TLS_ST_##st: tortls_state = " in "#st ; break
179 case TOR_TLS_ST_BUFFEREVENT:
183 tortls_state =
" in unknown TLS state";
194 tor_tls_log_one_error(
tor_tls_t *tls,
unsigned long err,
195 int severity,
int domain,
const char *doing)
197 const char *state = NULL, *addr;
198 const char *msg, *lib, *func;
200 state = (tls && tls->
ssl)?SSL_state_string_long(tls->
ssl):
"---";
202 addr = tls ? tls->
address : NULL;
207 switch (ERR_GET_REASON(err)) {
208 case SSL_R_HTTP_REQUEST:
209 case SSL_R_HTTPS_PROXY_REQUEST:
210 case SSL_R_RECORD_LENGTH_MISMATCH:
211 #ifndef OPENSSL_1_1_API
212 case SSL_R_RECORD_TOO_LARGE:
214 case SSL_R_UNKNOWN_PROTOCOL:
215 case SSL_R_UNSUPPORTED_PROTOCOL:
222 msg = (
const char*)ERR_reason_error_string(err);
223 lib = (
const char*)ERR_lib_error_string(err);
224 func = (
const char*)ERR_func_error_string(err);
225 if (!msg) msg =
"(null)";
226 if (!lib) lib =
"(null)";
227 if (!func) func =
"(null)";
229 tor_log(severity, domain,
"TLS error while %s%s%s: %s (in %s:%s:%s)",
230 doing, addr?
" with ":
"", addr?addr:
"",
231 msg, lib, func, state);
233 tor_log(severity, domain,
"TLS error%s%s: %s (in %s:%s:%s)",
234 addr?
" with ":
"", addr?addr:
"",
235 msg, lib, func, state);
247 while ((err = ERR_get_error()) != 0) {
249 tls->last_error = err;
250 tor_tls_log_one_error(tls, err, severity, domain, doing);
266 if (tls->last_error == 0) {
269 return (
const char*)ERR_reason_error_string(tls->last_error);
272 #define CATCH_SYSCALL 1
286 tor_tls_get_error(
tor_tls_t *tls,
int r,
int extra,
287 const char *doing,
int severity,
int domain)
289 int err = SSL_get_error(tls->
ssl, r);
290 int tor_error = TOR_TLS_ERROR_MISC;
294 case SSL_ERROR_WANT_READ:
295 return TOR_TLS_WANTREAD;
296 case SSL_ERROR_WANT_WRITE:
297 return TOR_TLS_WANTWRITE;
298 case SSL_ERROR_SYSCALL:
299 if (extra&CATCH_SYSCALL)
300 return TOR_TLS_SYSCALL_;
302 tor_log(severity,
LD_NET,
"TLS error: unexpected close while %s (%s)",
303 doing, SSL_state_string_long(tls->
ssl));
304 tor_error = TOR_TLS_ERROR_IO;
306 int e = tor_socket_errno(tls->
socket);
308 "TLS error: <syscall error while %s> (errno=%d: %s; state=%s)",
309 doing, e, tor_socket_strerror(e),
310 SSL_state_string_long(tls->
ssl));
315 case SSL_ERROR_ZERO_RETURN:
316 if (extra&CATCH_ZERO)
317 return TOR_TLS_ZERORETURN_;
318 tor_log(severity,
LD_NET,
"TLS connection closed while %s in state %s",
319 doing, SSL_state_string_long(tls->
ssl));
321 return TOR_TLS_CLOSE;
324 return TOR_TLS_ERROR_MISC;
333 check_no_tls_errors();
335 if (!tls_library_is_initialized) {
336 #ifdef OPENSSL_1_1_API
337 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
340 SSL_load_error_strings();
343 #if (SIZEOF_VOID_P >= 8 && \
344 OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
345 long version = tor_OpenSSL_version_num();
348 if (version >= OPENSSL_V_SERIES(1,0,1)) {
358 EC_KEY *key = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
359 const EC_GROUP *g = key ? EC_KEY_get0_group(key) : NULL;
360 const EC_METHOD *m = g ? EC_GROUP_method_of(g) : NULL;
361 const int warn = (m == EC_GFp_simple_method() ||
362 m == EC_GFp_mont_method() ||
363 m == EC_GFp_nist_method());
367 log_notice(
LD_GENERAL,
"We were built to run on a 64-bit CPU, with "
368 "OpenSSL 1.0.1 or later, but with a version of OpenSSL "
369 "that apparently lacks accelerated support for the NIST "
370 "P-224 and P-256 groups. Building openssl with such "
371 "support (using the enable-ec_nistp_64_gcc_128 option "
372 "when configuring it) would make ECDH much faster.");
377 tor_tls_allocate_tor_tls_object_ex_data_index();
379 tls_library_is_initialized = 1;
388 always_accept_verify_cb(
int preverify_ok,
389 X509_STORE_CTX *x509_ctx)
398 static const char SERVER_CIPHER_LIST[] =
399 #ifdef TLS1_3_TXT_AES_128_GCM_SHA256
405 TLS1_3_TXT_AES_128_GCM_SHA256
":"
407 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
":"
408 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA;
412 static const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
414 #ifdef TLS1_3_TXT_AES_256_GCM_SHA384
415 TLS1_3_TXT_AES_256_GCM_SHA384
":"
417 #ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256
418 TLS1_3_TXT_CHACHA20_POLY1305_SHA256
":"
420 #ifdef TLS1_3_TXT_AES_128_GCM_SHA256
421 TLS1_3_TXT_AES_128_GCM_SHA256
":"
423 #ifdef TLS1_3_TXT_AES_128_CCM_SHA256
424 TLS1_3_TXT_AES_128_CCM_SHA256
":"
429 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
430 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
":"
432 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
433 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
":"
435 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
436 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
":"
438 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
439 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
":"
441 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
442 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
":"
444 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
445 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
":"
447 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
448 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
":"
450 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
451 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
":"
453 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_CCM
454 TLS1_TXT_DHE_RSA_WITH_AES_256_CCM
":"
456 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_CCM
457 TLS1_TXT_DHE_RSA_WITH_AES_128_CCM
":"
459 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
460 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
":"
462 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
463 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
":"
466 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
":"
468 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
":"
469 #ifdef TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305
470 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305
":"
472 #ifdef TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
473 TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
482 #define CIPHER(id, name) name ":"
483 #define XCIPHER(id, name)
486 static const char CLIENT_CIPHER_LIST[] =
488 #include "lib/tls/ciphers.inc"
501 tor_tls_cert_matches_key,(
const tor_tls_t *tls,
const tor_x509_cert_t *cert))
507 X509 *peercert = peer->cert;
508 EVP_PKEY *link_key = NULL, *cert_key = NULL;
511 link_key = X509_get_pubkey(peercert);
512 cert_key = X509_get_pubkey(cert->cert);
514 result = link_key && cert_key && EVP_PKEY_cmp(cert_key, link_key) == 1;
516 tor_x509_cert_free(peer);
518 EVP_PKEY_free(link_key);
520 EVP_PKEY_free(cert_key);
526 tor_tls_context_impl_free_(
struct ssl_ctx_st *ctx)
534 #define NID_tor_default_ecdhe_group NID_X9_62_prime256v1
542 unsigned flags,
int is_client)
544 EVP_PKEY *pkey = NULL;
564 if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
569 #ifdef HAVE_TLS_METHOD
570 if (!(result->ctx = SSL_CTX_new(TLS_method())))
573 if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
577 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
579 SSL_CTX_set_security_level(result->ctx, 1);
582 SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
583 SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
587 SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
599 #ifdef SSL_OP_NO_TICKET
601 SSL_CTX_set_options(result->ctx, SSL_OP_NO_TICKET);
605 SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
606 SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_ECDH_USE);
608 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
609 SSL_CTX_set_options(result->ctx,
610 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
616 SSL_CTX_set_options(result->ctx,
617 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
623 #ifdef SSL_OP_NO_COMPRESSION
624 SSL_CTX_set_options(result->ctx, SSL_OP_NO_COMPRESSION);
626 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
627 #ifndef OPENSSL_NO_COMP
628 if (result->ctx->comp_methods)
629 result->ctx->comp_methods = NULL;
633 #ifdef SSL_MODE_RELEASE_BUFFERS
634 SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
637 if (result->my_link_cert &&
638 !SSL_CTX_use_certificate(result->ctx,
639 result->my_link_cert->cert)) {
642 if (result->my_id_cert) {
643 X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
645 X509_STORE_add_cert(s, result->my_id_cert->cert);
648 SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
651 if (!(pkey = crypto_pk_get_openssl_evp_pkey_(result->link_key,1)))
653 if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
657 if (!SSL_CTX_check_private_key(result->ctx))
664 SSL_CTX_set_tmp_dh(result->ctx, dh);
669 #if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
672 if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
673 list =
"P-224:P-256";
674 else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
675 list =
"P-256:P-224";
677 list =
"P-256:P-224";
678 int r = (int) SSL_CTX_set1_groups_list(result->ctx, list);
686 if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
688 else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
689 nid = NID_X9_62_prime256v1;
691 nid = NID_tor_default_ecdhe_group;
693 ec_key = EC_KEY_new_by_curve_name(nid);
695 SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
699 SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
700 always_accept_verify_cb);
702 SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
716 tor_tls_debug_state_callback(
const SSL *ssl,
int type,
int val)
719 log_debug(
LD_HANDSHAKE,
"SSL %p is now in state %s [type=%d,val=%d].",
720 ssl, SSL_state_string_long(ssl), type, val);
726 tor_tls_get_ciphersuite_name(
tor_tls_t *tls)
728 return SSL_get_cipher(tls->
ssl);
735 STATIC uint16_t v2_cipher_list[] = {
767 static int v2_cipher_list_pruned = 0;
772 find_cipher_by_id(
const SSL *ssl,
const SSL_METHOD *m, uint16_t cipher)
775 #ifdef HAVE_SSL_CIPHER_FIND
778 unsigned char cipherid[3];
784 c = SSL_CIPHER_find((SSL*)ssl, cipherid);
786 tor_assert((SSL_CIPHER_get_id(c) & 0xffff) == cipher);
791 # if defined(HAVE_STRUCT_SSL_METHOD_ST_GET_CIPHER_BY_CHAR)
792 if (m && m->get_cipher_by_char) {
793 unsigned char cipherid[3];
798 c = m->get_cipher_by_char(cipherid);
804 # ifndef OPENSSL_1_1_API
805 if (m && m->get_cipher && m->num_ciphers) {
811 for (i = 0; i < m->num_ciphers(); ++i) {
812 c = m->get_cipher(i);
813 if (c && (c->id & 0xffff) == cipher) {
831 prune_v2_cipher_list(
const SSL *ssl)
833 uint16_t *inp, *outp;
834 #ifdef HAVE_TLS_METHOD
835 const SSL_METHOD *m = TLS_method();
837 const SSL_METHOD *m = SSLv23_method();
840 inp = outp = v2_cipher_list;
842 if (find_cipher_by_id(ssl, m, *inp)) {
850 v2_cipher_list_pruned = 1;
858 tor_tls_classify_client_ciphers(
const SSL *ssl,
859 STACK_OF(SSL_CIPHER) *peer_ciphers)
863 if (PREDICT_UNLIKELY(!v2_cipher_list_pruned))
864 prune_v2_cipher_list(ssl);
866 tor_tls = tor_tls_get_by_ssl(ssl);
867 if (tor_tls && tor_tls->client_cipher_list_type)
868 return tor_tls->client_cipher_list_type;
873 log_info(
LD_NET,
"No ciphers on session");
879 for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
880 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
881 const char *ciphername = SSL_CIPHER_get_name(cipher);
882 if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
883 strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
884 strcmp(ciphername, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) &&
885 strcmp(ciphername,
"(NONE)")) {
886 log_debug(
LD_NET,
"Got a non-version-1 cipher called '%s'", ciphername);
895 const uint16_t *v2_cipher = v2_cipher_list;
896 for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
897 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
898 uint16_t
id = SSL_CIPHER_get_id(cipher) & 0xffff;
901 if (!
id ||
id != *v2_cipher) {
902 res = CIPHERS_UNRESTRICTED;
907 if (*v2_cipher != 0) {
908 res = CIPHERS_UNRESTRICTED;
918 for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
919 const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
920 const char *ciphername = SSL_CIPHER_get_name(cipher);
924 log_debug(
LD_NET,
"Got a %s V2/V3 cipher list from %s. It is: '%s'",
925 (res == CIPHERS_V2) ?
"fictitious" :
"real", ADDR(tor_tls), s);
927 smartlist_free(elts);
930 if (tor_tls && peer_ciphers)
931 return tor_tls->client_cipher_list_type = res;
940 tor_tls_client_is_using_v2_ciphers(
const SSL *ssl)
942 STACK_OF(SSL_CIPHER) *ciphers;
943 #ifdef HAVE_SSL_GET_CLIENT_CIPHERS
944 ciphers = SSL_get_client_ciphers(ssl);
946 SSL_SESSION *session;
947 if (!(session = SSL_get_session((SSL *)ssl))) {
948 log_info(
LD_NET,
"No session on TLS?");
951 ciphers = session->ciphers;
954 return tor_tls_classify_client_ciphers(ssl, ciphers) >= CIPHERS_V2;
964 tor_tls_server_info_callback(
const SSL *ssl,
int type,
int val)
973 tor_tls_debug_state_callback(ssl, type, val);
975 if (type != SSL_CB_ACCEPT_LOOP)
978 OSSL_HANDSHAKE_STATE ssl_state = SSL_get_state(ssl);
979 if (! STATE_IS_SW_SERVER_HELLO(ssl_state))
981 tls = tor_tls_get_by_ssl(ssl);
984 if (tls->negotiated_callback)
987 log_warn(
LD_BUG,
"Couldn't look up the tls for an SSL*. How odd!");
992 if (tor_tls_client_is_using_v2_ciphers(ssl)) {
1001 SSL_set_mode((SSL*) ssl, SSL_MODE_NO_AUTO_CHAIN);
1003 SSL_set_verify((SSL*) ssl, SSL_VERIFY_NONE, NULL);
1009 log_warn(
LD_BUG,
"Couldn't look up the tls for an SSL*. How odd!");
1028 tor_tls_session_secret_cb(SSL *ssl,
void *secret,
int *secret_len,
1029 STACK_OF(SSL_CIPHER) *peer_ciphers,
1030 CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
1035 (void) peer_ciphers;
1039 if (tor_tls_classify_client_ciphers(ssl, peer_ciphers) ==
1040 CIPHERS_UNRESTRICTED) {
1041 SSL_set_cipher_list(ssl, UNRESTRICTED_SERVER_CIPHER_LIST);
1044 SSL_set_session_secret_cb(ssl, NULL, NULL);
1049 tor_tls_setup_session_secret_cb(
tor_tls_t *tls)
1051 SSL_set_session_secret_cb(tls->
ssl, tor_tls_session_secret_cb, NULL);
1063 result->magic = TOR_TLS_MAGIC;
1065 check_no_tls_errors();
1067 if (!(result->
ssl = SSL_new(context->ctx))) {
1073 #ifdef SSL_set_tlsext_host_name
1077 SSL_set_tlsext_host_name(result->
ssl, fake_hostname);
1082 #ifdef SSL_CTRL_SET_MAX_PROTO_VERSION
1083 if (openssl_bug_7712_is_present) {
1085 SSL_set_max_proto_version(result->
ssl, TLS1_2_VERSION);
1089 if (!SSL_set_cipher_list(result->
ssl,
1090 isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST)) {
1092 #ifdef SSL_set_tlsext_host_name
1093 SSL_set_tlsext_host_name(result->
ssl, NULL);
1095 SSL_free(result->
ssl);
1100 bio = BIO_new_socket(sock, BIO_CLOSE);
1103 #ifdef SSL_set_tlsext_host_name
1104 SSL_set_tlsext_host_name(result->
ssl, NULL);
1106 SSL_free(result->
ssl);
1112 SSL_set_ex_data(result->
ssl, tor_tls_object_ex_data_index, result);
1115 "Couldn't set the tls for an SSL*; connection will fail");
1118 SSL_set_bio(result->
ssl, bio, bio);
1120 result->context = context;
1121 result->
state = TOR_TLS_ST_HANDSHAKE;
1123 result->wantwrite_n = 0;
1124 result->last_write_count = (
unsigned long) BIO_number_written(bio);
1125 result->last_read_count = (
unsigned long) BIO_number_read(bio);
1126 if (result->last_write_count || result->last_read_count) {
1127 log_warn(
LD_NET,
"Newly created BIO has read count %lu, write count %lu",
1128 result->last_read_count, result->last_write_count);
1131 SSL_set_info_callback(result->
ssl, tor_tls_server_info_callback);
1133 SSL_set_info_callback(result->
ssl, tor_tls_debug_state_callback);
1137 tor_tls_setup_session_secret_cb(result);
1157 tls->negotiated_callback = cb;
1158 tls->callback_arg = arg;
1161 SSL_set_info_callback(tls->
ssl, tor_tls_server_info_callback);
1163 SSL_set_info_callback(tls->
ssl, tor_tls_debug_state_callback);
1175 SSL_set_options(tls->
ssl,
1176 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1186 #ifdef SUPPORT_UNSAFE_RENEGOTIATION_FLAG
1187 tls->
ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
1197 #if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && \
1198 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION != 0
1199 long options = SSL_get_options(tls->
ssl);
1200 tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
1217 rbio = SSL_get_rbio(tls->
ssl);
1218 wbio = SSL_get_wbio(tls->
ssl);
1221 (void) BIO_set_close(rbio, BIO_NOCLOSE);
1223 if (wbio && wbio != rbio) {
1224 (void) BIO_set_close(wbio, BIO_NOCLOSE);
1229 tor_tls_impl_free_(tor_tls_impl_t *ssl)
1234 #ifdef SSL_set_tlsext_host_name
1235 SSL_set_tlsext_host_name(ssl, NULL);
1253 r = SSL_read(tls->
ssl, cp, (
int)len);
1257 log_info(
LD_NET,
"Got a TLS renegotiation from %s", ADDR(tls));
1258 if (tls->negotiated_callback)
1259 tls->negotiated_callback(tls, tls->callback_arg);
1264 err = tor_tls_get_error(tls, r, CATCH_ZERO,
"reading",
LOG_DEBUG,
LD_NET);
1265 if (err == TOR_TLS_ZERORETURN_ || err == TOR_TLS_CLOSE) {
1266 log_debug(
LD_NET,
"read returned r=%d; TLS is closed",r);
1267 tls->
state = TOR_TLS_ST_CLOSED;
1268 return TOR_TLS_CLOSE;
1271 log_debug(
LD_NET,
"read returned r=%d, err=%d",r,err);
1278 STATIC uint64_t total_bytes_written_over_tls = 0;
1281 STATIC uint64_t total_bytes_written_by_tls = 0;
1298 if (tls->wantwrite_n) {
1301 log_debug(
LD_NET,
"resuming pending-write, (%d to flush, reusing %d)",
1302 (
int)n, (
int)tls->wantwrite_n);
1303 n = tls->wantwrite_n;
1304 tls->wantwrite_n = 0;
1306 r = SSL_write(tls->
ssl, cp, (
int)n);
1308 if (err == TOR_TLS_DONE) {
1309 total_bytes_written_over_tls += r;
1312 if (err == TOR_TLS_WANTWRITE || err == TOR_TLS_WANTREAD) {
1313 tls->wantwrite_n = n;
1330 check_no_tls_errors();
1332 OSSL_HANDSHAKE_STATE oldstate = SSL_get_state(tls->
ssl);
1335 log_debug(
LD_HANDSHAKE,
"About to call SSL_accept on %p (%s)", tls,
1336 SSL_state_string_long(tls->
ssl));
1337 r = SSL_accept(tls->
ssl);
1339 log_debug(
LD_HANDSHAKE,
"About to call SSL_connect on %p (%s)", tls,
1340 SSL_state_string_long(tls->
ssl));
1341 r = SSL_connect(tls->
ssl);
1344 OSSL_HANDSHAKE_STATE newstate = SSL_get_state(tls->
ssl);
1346 if (oldstate != newstate)
1347 log_debug(
LD_HANDSHAKE,
"After call, %p was in state %s",
1348 tls, SSL_state_string_long(tls->
ssl));
1353 if (ERR_peek_error() != 0) {
1356 return TOR_TLS_ERROR_MISC;
1358 if (r == TOR_TLS_DONE) {
1359 tls->
state = TOR_TLS_ST_OPEN;
1376 int r = TOR_TLS_DONE;
1377 check_no_tls_errors();
1379 SSL_set_info_callback(tls->
ssl, NULL);
1380 SSL_set_verify(tls->
ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
1381 SSL_clear_mode(tls->
ssl, SSL_MODE_NO_AUTO_CHAIN);
1382 if (tor_tls_client_is_using_v2_ciphers(tls->
ssl)) {
1387 log_warn(
LD_BUG,
"For some reason, wasV2Handshake didn't"
1388 " get set. Fixing that.");
1391 log_debug(
LD_HANDSHAKE,
"Completed V2 TLS handshake with client; waiting"
1392 " for renegotiation.");
1400 if (SSL_set_cipher_list(tls->
ssl, SERVER_CIPHER_LIST) == 0) {
1402 r = TOR_TLS_ERROR_MISC;
1415 cert = SSL_get_peer_certificate(tls->
ssl);
1429 cert = SSL_get_peer_certificate(tls->
ssl);
1433 return tor_x509_cert_new(cert);
1441 X509 *cert = SSL_get_certificate(tls->
ssl);
1443 "getting own-connection certificate");
1448 X509 *duplicate = X509_dup(cert);
1449 if (BUG(duplicate == NULL))
1451 return tor_x509_cert_new(duplicate);
1461 try_to_extract_certs_from_tls,(
int severity,
tor_tls_t *tls,
1462 X509 **cert_out, X509 **id_cert_out))
1464 X509 *cert = NULL, *id_cert = NULL;
1465 STACK_OF(X509) *chain = NULL;
1466 int num_in_chain, i;
1467 *cert_out = *id_cert_out = NULL;
1468 if (!(cert = SSL_get_peer_certificate(tls->
ssl)))
1471 if (!(chain = SSL_get_peer_cert_chain(tls->
ssl)))
1473 num_in_chain = sk_X509_num(chain);
1478 if (num_in_chain < 1) {
1480 "Unexpected number of certificates in chain (%d)",
1484 for (i=0; i<num_in_chain; ++i) {
1485 id_cert = sk_X509_value(chain, i);
1486 if (X509_cmp(id_cert, cert) != 0)
1489 *id_cert_out = id_cert ? X509_dup(id_cert) : NULL;
1498 return SSL_pending(tls->
ssl);
1506 return tls->wantwrite_n;
1517 r = (
unsigned long) BIO_number_read(SSL_get_rbio(tls->
ssl));
1525 wbio = SSL_get_wbio(tls->
ssl);
1526 #if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
1531 if (BIO_method_type(wbio) == BIO_TYPE_BUFFER &&
1532 (tmpbio = BIO_next(wbio)) != NULL)
1535 if (wbio->method == BIO_f_buffer() && (tmpbio = BIO_next(wbio)) != NULL)
1538 w = (
unsigned long) BIO_number_written(wbio);
1545 *n_read = (size_t)(r - tls->last_read_count);
1546 *n_written = (size_t)(w - tls->last_write_count);
1547 if (*n_read > INT_MAX || *n_written > INT_MAX) {
1548 log_warn(
LD_BUG,
"Preposterously large value in tor_tls_get_n_raw_bytes. "
1549 "r=%lu, last_read=%lu, w=%lu, last_written=%lu",
1550 r, tls->last_read_count, w, tls->last_write_count);
1552 total_bytes_written_by_tls += *n_written;
1553 tls->last_read_count = r;
1554 tls->last_write_count = w;
1562 if (total_bytes_written_over_tls == 0)
1565 return ((
double)total_bytes_written_by_tls) /
1566 ((double)total_bytes_written_over_tls);
1572 check_no_tls_errors_(
const char *fname,
int line)
1574 if (ERR_peek_error() == 0)
1576 log_warn(
LD_CRYPTO,
"Unhandled OpenSSL errors found at %s:%d: ",
1577 tor_fix_source_file(fname), line);
1597 #ifndef HAVE_SSL_GET_CLIENT_RANDOM
1599 SSL_get_client_random(SSL *s, uint8_t *out,
size_t len)
1602 return SSL3_RANDOM_SIZE;
1605 memcpy(out, s->s3->client_random, len);
1610 #ifndef HAVE_SSL_GET_SERVER_RANDOM
1612 SSL_get_server_random(SSL *s, uint8_t *out,
size_t len)
1615 return SSL3_RANDOM_SIZE;
1618 memcpy(out, s->s3->server_random, len);
1623 #ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
1625 SSL_SESSION_get_master_key(SSL_SESSION *s, uint8_t *out,
size_t len)
1629 return s->master_key_length;
1630 tor_assert(len == (
size_t)s->master_key_length);
1632 memcpy(out, s->master_key, len);
1644 #define TLSSECRET_MAGIC "Tor V3 handshake TLS cross-certification"
1649 SSL *
const ssl = tls->
ssl;
1650 SSL_SESSION *
const session = SSL_get_session(ssl);
1655 const size_t server_random_len = SSL_get_server_random(ssl, NULL, 0);
1656 const size_t client_random_len = SSL_get_client_random(ssl, NULL, 0);
1657 const size_t master_key_len = SSL_SESSION_get_master_key(session, NULL, 0);
1663 len = client_random_len + server_random_len + strlen(TLSSECRET_MAGIC) + 1;
1667 size_t r = SSL_get_client_random(ssl, buf, client_random_len);
1672 size_t r = SSL_get_server_random(ssl,
1673 buf+client_random_len,
1678 uint8_t *master_key = tor_malloc_zero(master_key_len);
1680 size_t r = SSL_SESSION_get_master_key(session, master_key, master_key_len);
1684 uint8_t *nextbuf = buf + client_random_len + server_random_len;
1685 memcpy(nextbuf, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1);
1696 memwipe(master_key, 0, master_key_len);
1711 const uint8_t *context,
1718 int r = SSL_export_keying_material(tls->
ssl,
1720 label, strlen(label),
1721 context, context_len, 1);
1728 #ifdef TLS1_3_VERSION
1730 strlen(label) > 12 &&
1731 SSL_version(tls->
ssl) >= TLS1_3_VERSION) {
1733 if (! openssl_bug_7712_is_present) {
1738 "short", 5, context, context_len, 1);
1742 openssl_bug_7712_is_present = 1;
1743 log_warn(
LD_GENERAL,
"Detected OpenSSL bug 7712: disabling TLS 1.3 on "
1744 "future connections. A fix is expected to appear in OpenSSL "
1748 if (openssl_bug_7712_is_present)
1755 return (r == 1) ? 0 : -1;
1767 size_t *rbuf_capacity,
size_t *rbuf_bytes,
1768 size_t *wbuf_capacity,
size_t *wbuf_bytes)
1770 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
1772 (void)rbuf_capacity;
1774 (void)wbuf_capacity;
1779 if (tls->
ssl->s3->rbuf.buf)
1780 *rbuf_capacity = tls->
ssl->s3->rbuf.len;
1783 if (tls->
ssl->s3->wbuf.buf)
1784 *wbuf_capacity = tls->
ssl->s3->wbuf.len;
1787 *rbuf_bytes = tls->
ssl->s3->rbuf.left;
1788 *wbuf_bytes = tls->
ssl->s3->wbuf.left;
1804 nid = NID_tor_default_ecdhe_group;
1805 else if (!strcasecmp(ecgroup,
"P256"))
1806 nid = NID_X9_62_prime256v1;
1807 else if (!strcasecmp(ecgroup,
"P224"))
1808 nid = NID_secp224r1;
1812 ec_key = EC_KEY_new_by_curve_name(nid);
1813 ret = (ec_key != NULL);
1814 EC_KEY_free(ec_key);
Inline functions for reading and writing multibyte values from the middle of strings,...
static uint16_t tor_htons(uint16_t a)
static void set_uint16(void *cp, uint16_t v)
Macro definitions for MIN, MAX, and CLAMP.
Header for compat_string.c.
Headers for crypto_cipher.c.
struct dh_st * crypto_dh_new_openssl_tls(void)
void crypto_hmac_sha256(char *hmac_out, const char *key, size_t key_len, const char *msg, size_t msg_len)
char * crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix, const char *suffix)
Common functions for using (pseudo-)random number generators.
void memwipe(void *mem, uint8_t byte, size_t sz)
Common functions for cryptographic routines.
void tor_log(int severity, log_domain_mask_t domain, const char *format,...)
#define log_fn(severity, domain, args,...)
int tor_snprintf(char *str, size_t size, const char *format,...)
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
tor_tls_state_bitfield_t state
unsigned int wasV2Handshake
unsigned int got_renegotiate
#define MOCK_IMPL(rv, funcname, arglist)
void tor_tls_context_incref(tor_tls_context_t *ctx)
void tor_tls_context_decref(tor_tls_context_t *ctx)
int tor_errno_to_tls_error(int e)
tor_tls_context_t * tor_tls_context_get(int is_server)
int tor_tls_context_init_certificates(tor_tls_context_t *result, crypto_pk_t *identity, unsigned key_lifetime, unsigned flags)
int tor_tls_server_got_renegotiate(tor_tls_t *tls)
struct tor_x509_cert_t * tor_tls_get_peer_cert(tor_tls_t *tls)
void tor_tls_block_renegotiation(tor_tls_t *tls)
int tor_tls_peer_has_cert(tor_tls_t *tls)
int tor_tls_used_v1_handshake(tor_tls_t *tls)
void tor_tls_get_n_raw_bytes(tor_tls_t *tls, size_t *n_read, size_t *n_written)
int tor_tls_read(tor_tls_t *tls, char *cp, size_t len)
void tor_tls_unblock_renegotiation(tor_tls_t *tls)
double tls_get_write_overhead_ratio(void)
int evaluate_ecgroup_for_tls(const char *ecgroup)
void tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
void tor_tls_set_renegotiate_callback(tor_tls_t *tls, void(*cb)(tor_tls_t *, void *arg), void *arg)
int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n)
int tor_tls_get_buffer_sizes(tor_tls_t *tls, size_t *rbuf_capacity, size_t *rbuf_bytes, size_t *wbuf_capacity, size_t *wbuf_bytes)
int tor_tls_get_pending_bytes(tor_tls_t *tls)
int tor_tls_handshake(tor_tls_t *tls)
struct tor_x509_cert_t * tor_tls_get_own_cert(tor_tls_t *tls)
const char * tor_tls_get_last_error_msg(const tor_tls_t *tls)
int tor_tls_finish_handshake(tor_tls_t *tls)
void tls_log_errors(tor_tls_t *tls, int severity, int domain, const char *doing)
int tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out)
void tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz)
void tor_tls_release_socket(tor_tls_t *tls)
tor_tls_t * tor_tls_new(tor_socket_t sock, int is_server)
int tor_tls_export_key_material(tor_tls_t *tls, uint8_t *secrets_out, const uint8_t *context, size_t context_len, const char *label)
size_t tor_tls_get_forced_write_size(tor_tls_t *tls)
Declare internal functions for lib/tls.
tor_tls_context_t * tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, unsigned flags, int is_client)
Structure declarations for internal TLS types.
Macros to manage assertions, fatal and non-fatal.
#define IF_BUG_ONCE(cond)