| blob | ee91715e2d7e9c60200352ba8991ee5b25827041 |
1 /* Copyright (c) 2003, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2021, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file tortls.c
8 * \brief Wrapper functions to present a consistent interface to
9 * TLS, SSL, and X.509 functions from OpenSSL.
10 **/
12 /* (Unlike other tor functions, these
13 * are prefixed with tor_ in order to avoid conflicting with OpenSSL
14 * functions and variables.)
15 */
19 #define TORTLS_PRIVATE
20 #define TORTLS_OPENSSL_PRIVATE
21 #define TOR_X509_PRIVATE
23 #ifdef _WIN32
24 /* We need to include these here, or else the dtls1.h header will include
25 * <winsock.h> and mess things up, in at least some openssl versions. */
26 #include <winsock2.h>
27 #include <ws2tcpip.h>
38 /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
39 * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
42 #include <openssl/opensslv.h>
44 #ifdef OPENSSL_NO_EC
46 #endif
48 #include <openssl/ssl.h>
49 #include <openssl/ssl3.h>
50 #include <openssl/err.h>
51 #include <openssl/tls1.h>
52 #include <openssl/asn1.h>
53 #include <openssl/bio.h>
54 #include <openssl/bn.h>
55 #include <openssl/rsa.h>
72 #include <stdlib.h>
73 #include <string.h>
77 /* Copied from or.h */
78 #define LEGAL_NICKNAME_CHARACTERS \
79 "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
84 /* This is a version of OpenSSL before 1.0.0f. It does not have
85 * the CVE-2011-4576 fix, and as such it can't use RELEASE_BUFFERS and
86 * SSL3 safely at the same time.
87 */
88 #define DISABLE_SSL3_HANDSHAKE
91 /* We redefine these so that we can run correctly even if the vendor gives us
92 * a version of OpenSSL that does not match its header files. (Apple: I am
93 * looking at you.)
94 */
95 #ifndef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
96 #define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L
97 #endif
98 #ifndef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
99 #define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
100 #endif
102 /** Set to true iff openssl bug 7712 has been detected. */
105 /** Return values for tor_tls_classify_client_ciphers.
106 *
107 * @{
108 */
109 /** An error occurred when examining the client ciphers */
110 #define CIPHERS_ERR -1
111 /** The client cipher list indicates that a v1 handshake was in use. */
112 #define CIPHERS_V1 1
113 /** The client cipher list indicates that the client is using the v2 or the
114 * v3 handshake, but that it is (probably!) lying about what ciphers it
115 * supports */
116 #define CIPHERS_V2 2
117 /** The client cipher list indicates that the client is using the v2 or the
118 * v3 handshake, and that it is telling the truth about what ciphers it
119 * supports */
120 #define CIPHERS_UNRESTRICTED 3
121 /** @} */
123 /** The ex_data index in which we store a pointer to an SSL object's
124 * corresponding tor_tls_t object. */
127 /** Helper: Allocate tor_tls_object_ex_data_index. */
128 void
130 {
132 tor_tls_object_ex_data_index =
135 }
136 }
138 /** Helper: given a SSL* pointer, return the tor_tls_t object using that
139 * pointer. */
140 tor_tls_t *
142 {
147 }
149 /** True iff tor_tls_init() has been called. */
152 /* Module-internal error codes. */
153 #define TOR_TLS_SYSCALL_ (MIN_TOR_TLS_ERROR_VAL_ - 2)
154 #define TOR_TLS_ZERORETURN_ (MIN_TOR_TLS_ERROR_VAL_ - 1)
156 /** Write a description of the current state of <b>tls</b> into the
157 * <b>sz</b>-byte buffer at <b>buf</b>. */
158 void
160 {
167 }
178 #undef CASE
185 }
188 }
190 /** Log a single error <b>err</b> as returned by ERR_get_error(), which was
191 * received while performing an operation <b>doing</b> on <b>tls</b>. Log
192 * the message at <b>severity</b>, in log domain <b>domain</b>. */
193 void
196 {
204 /* Some errors are known-benign, meaning they are the fault of the other
205 * side of the connection. The caller doesn't know this, so override the
206 * priority for those cases. */
211 #ifndef OPENSSL_1_1_API
213 #endif
220 }
236 }
237 }
239 /** Log all pending tls errors at level <b>severity</b> in log domain
240 * <b>domain</b>. Use <b>doing</b> to describe our current activities.
241 */
242 void
244 {
251 }
252 }
254 /**
255 * Return a string representing more detail about the last error received
256 * on TLS.
257 *
258 * May return null if no error was found.
259 **/
262 {
265 }
268 }
270 }
272 #define CATCH_SYSCALL 1
273 #define CATCH_ZERO 2
275 /** Given a TLS object and the result of an SSL_* call, use
276 * SSL_get_error to determine whether an error has occurred, and if so
277 * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}.
278 * If extra&CATCH_SYSCALL is true, return TOR_TLS_SYSCALL_ instead of
279 * reporting syscall errors. If extra&CATCH_ZERO is true, return
280 * TOR_TLS_ZERORETURN_ instead of reporting zero-return errors.
281 *
282 * If an error has occurred, log it at level <b>severity</b> and describe the
283 * current action as <b>doing</b>.
284 */
285 int
288 {
312 }
325 }
326 }
328 /** Initialize OpenSSL, unless it has already been initialized.
329 */
330 void
332 {
336 #ifdef OPENSSL_1_1_API
338 #else
343 #if (SIZEOF_VOID_P >= 8 && \
344 OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1) && \
345 (!defined(LIBRESSL_VERSION_NUMBER) || \
346 LIBRESSL_VERSION_NUMBER < 0x3080000fL))
349 /* LCOV_EXCL_START : we can't test these lines on the same machine */
351 /* Warn if we could *almost* be running with much faster ECDH.
352 If we're built for a 64-bit target, using OpenSSL 1.0.1, but we
353 don't have one of the built-in __uint128-based speedups, we are
354 just one build operation away from an accelerated handshake.
356 (We could be looking at OPENSSL_NO_EC_NISTP_64_GCC_128 instead of
357 doing this test, but that gives compile-time options, not runtime
358 behavior.)
359 */
370 "OpenSSL 1.0.1 or later, but with a version of OpenSSL "
371 "that apparently lacks accelerated support for the NIST "
372 "P-224 and P-256 groups. Building openssl with such "
373 "support (using the enable-ec_nistp_64_gcc_128 option "
375 }
376 /* LCOV_EXCL_STOP */
382 }
383 }
385 /** We need to give OpenSSL a callback to verify certificates. This is
386 * it: We always accept peer certs and complete the handshake. We
387 * don't validate them until later.
388 */
389 int
392 {
396 }
398 /** List of ciphers that servers should select from when the client might be
399 * claiming extra unsupported ciphers in order to avoid fingerprinting. */
401 #ifdef TLS1_3_TXT_AES_128_GCM_SHA256
402 /* This one can never actually get selected, since if the client lists it,
403 * we will assume that the client is honest, and not use this list.
404 * Nonetheless we list it if it's available, so that the server doesn't
405 * conclude that it has no valid ciphers if it's running with TLS1.3.
406 */
407 TLS1_3_TXT_AES_128_GCM_SHA256 ":"
409 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
410 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA;
412 /** List of ciphers that servers should select from when we actually have
413 * our choice of what cipher to use. */
415 /* Here are the TLS 1.3 ciphers we like, in the order we prefer. */
416 #ifdef TLS1_3_TXT_AES_256_GCM_SHA384
417 TLS1_3_TXT_AES_256_GCM_SHA384 ":"
418 #endif
419 #ifdef TLS1_3_TXT_CHACHA20_POLY1305_SHA256
420 TLS1_3_TXT_CHACHA20_POLY1305_SHA256 ":"
421 #endif
422 #ifdef TLS1_3_TXT_AES_128_GCM_SHA256
423 TLS1_3_TXT_AES_128_GCM_SHA256 ":"
424 #endif
425 #ifdef TLS1_3_TXT_AES_128_CCM_SHA256
426 TLS1_3_TXT_AES_128_CCM_SHA256 ":"
427 #endif
429 /* This list is autogenerated with the gen_server_ciphers.py script;
430 * don't hand-edit it. */
431 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
432 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":"
433 #endif
434 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
435 TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
436 #endif
437 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
438 TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 ":"
439 #endif
440 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
441 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":"
442 #endif
443 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
444 TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
445 #endif
446 #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
447 TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":"
448 #endif
449 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
450 TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 ":"
451 #endif
452 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
453 TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 ":"
454 #endif
455 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_CCM
456 TLS1_TXT_DHE_RSA_WITH_AES_256_CCM ":"
457 #endif
458 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_CCM
459 TLS1_TXT_DHE_RSA_WITH_AES_128_CCM ":"
460 #endif
461 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
462 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 ":"
463 #endif
464 #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
465 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 ":"
466 #endif
467 /* Required */
468 TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
469 /* Required */
470 TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
471 #ifdef TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305
472 TLS1_TXT_ECDHE_RSA_WITH_CHACHA20_POLY1305 ":"
473 #endif
474 #ifdef TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
475 TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305
476 #endif
477 ;
479 /* Note: to set up your own private testing network with link crypto
480 * disabled, set your Tors' cipher list to
481 * (SSL3_TXT_RSA_NULL_SHA). If you do this, you won't be able to communicate
482 * with any of the "real" Tors, though. */
485 #define XCIPHER(id, name)
486 /** List of ciphers that clients should advertise, omitting items that
487 * our OpenSSL doesn't know about. */
489 #ifndef COCCI
491 #endif
492 /* Tell it not to use SSLv2 ciphers, so that it can select an SSLv3 version
493 * of any cipher we say. */
494 "!SSLv2"
495 ;
496 #undef CIPHER
497 #undef XCIPHER
499 /** Return true iff the other side of <b>tls</b> has authenticated to us, and
500 * the key certified in <b>cert</b> is the same as the key they used to do it.
501 */
504 {
525 }
527 void
529 {
533 }
535 /** The group we should use for ecdhe when none was selected. */
536 #define NID_tor_default_ecdhe_group NID_X9_62_prime256v1
538 /** Create a new TLS context for use with Tor TLS handshakes.
539 * <b>identity</b> should be set to the identity key used to sign the
540 * certificate.
541 */
542 tor_tls_context_t *
545 {
558 }
559 }
561 #if 0
562 /* Tell OpenSSL to only use TLS1. This may have subtly different results
563 * from SSLv23_method() with SSLv2 and SSLv3 disabled, so we need to do some
564 * investigation before we consider adjusting it. It should be compatible
565 * with existing Tors. */
570 /* Tell OpenSSL to use TLS 1.0 or later but not SSL2 or SSL3. */
571 #ifdef HAVE_TLS_METHOD
574 #else
579 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
580 /* Level 1 re-enables RSA1024 and DH1024 for compatibility with old tors */
582 #endif
587 /* Prefer the server's ordering of ciphers: the client's ordering has
588 * historically been chosen for fingerprinting resistance. */
591 /* Disable TLS tickets if they're supported. We never want to use them;
592 * using them can make our perfect forward secrecy a little worse, *and*
593 * create an opportunity to fingerprint us (since it's unusual to use them
594 * with TLS sessions turned off).
595 *
596 * In 0.2.4, clients advertise support for them though, to avoid a TLS
597 * distinguishability vector. This can give us worse PFS, though, if we
598 * get a server that doesn't set SSL_OP_NO_TICKET. With luck, there will
599 * be few such servers by the time 0.2.4 is more stable.
600 */
601 #ifdef SSL_OP_NO_TICKET
604 }
605 #endif
610 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
612 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
613 #endif
614 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
615 * as authenticating any earlier-received data.
616 */
617 {
619 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
620 }
622 /* Don't actually allow compression; it uses RAM and time, it makes TLS
623 * vulnerable to CRIME-style attacks, and most of the data we transmit over
624 * TLS is encrypted (and therefore uncompressible) anyway. */
625 #ifdef SSL_OP_NO_COMPRESSION
627 #endif
628 #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
629 #ifndef OPENSSL_NO_COMP
632 #endif
635 #ifdef SSL_MODE_RELEASE_BUFFERS
637 #endif
643 }
648 }
649 }
661 }
663 {
668 }
669 /* We check for this function in two ways, since it might be either a symbol
670 * or a macro. */
671 #if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
672 {
678 else
683 }
692 else
694 /* Use P-256 for ECDHE. */
699 }
702 always_accept_verify_cb);
703 /* let us realloc bufs that we're writing from */
706 #ifdef SSL_OP_TLSEXT_PADDING
707 /* Adds a padding extension to ensure the ClientHello size is never between
708 * 256 and 511 bytes in length. */
710 #endif
714 error:
720 }
722 /** Invoked when a TLS state changes: log the change at severity 'debug' */
723 void
725 {
726 /* LCOV_EXCL_START since this depends on whether debug is captured or not */
729 /* LCOV_EXCL_STOP */
730 }
732 /* Return the name of the negotiated ciphersuite in use on <b>tls</b> */
735 {
737 }
739 /* Here's the old V2 cipher list we sent from 0.2.1.1-alpha up to
740 * 0.2.3.17-beta. If a client is using this list, we can't believe the ciphers
741 * that it claims to support. We'll prune this list to remove the ciphers
742 * *we* don't recognize. */
772 0
773 };
774 /** Have we removed the unrecognized ciphers from v2_cipher_list yet? */
777 /** Return 0 if <b>m</b> does not support the cipher with ID <b>cipher</b>;
778 * return 1 if it does support it, or if we have no way to tell. */
779 int
781 {
783 #ifdef HAVE_SSL_CIPHER_FIND
785 {
790 * with a two-byte 'cipherid', it may look for a v2
791 * cipher with the appropriate 3 bytes. */
796 }
799 # if defined(HAVE_STRUCT_SSL_METHOD_ST_GET_CIPHER_BY_CHAR)
804 * with a two-byte 'cipherid', it may look for a v2
805 * cipher with the appropriate 3 bytes. */
810 }
812 # ifndef OPENSSL_1_1_API
814 /* It would seem that some of the "let's-clean-up-openssl" forks have
815 * removed the get_cipher_by_char function. Okay, so now you get a
816 * quadratic search.
817 */
823 }
824 }
826 }
833 }
835 /** Remove from v2_cipher_list every cipher that we don't support, so that
836 * comparing v2_cipher_list to a client's cipher list will give a sensible
837 * result. */
838 static void
840 {
842 #ifdef HAVE_TLS_METHOD
844 #else
846 #endif
853 inp++;
854 }
855 }
859 }
861 /** Examine the client cipher list in <b>ssl</b>, and determine what kind of
862 * client it is. Return one of CIPHERS_ERR, CIPHERS_V1, CIPHERS_V2,
863 * CIPHERS_UNRESTRICTED.
864 **/
865 int
868 {
878 /* If we reached this point, we just got a client hello. See if there is
879 * a cipher list. */
884 }
885 /* Now we need to see if there are any ciphers whose presence means we're
886 * dealing with an updated Tor. */
895 // return 1;
897 }
898 }
901 v2_or_higher:
902 {
912 }
914 }
918 }
920 }
922 dump_ciphers:
923 {
930 }
936 }
937 done:
942 }
944 /** Return true iff the cipher list suggested by the client for <b>ssl</b> is
945 * a list that indicates that the client knows how to do the v2 TLS connection
946 * handshake. */
947 int
949 {
951 #ifdef HAVE_SSL_GET_CLIENT_CIPHERS
953 #else
958 }
963 }
965 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
966 * changes state. We use this:
967 * <ul><li>To alter the state of the handshake partway through, so we
968 * do not send or request extra certificates in v2 handshakes.</li>
969 * <li>To detect renegotiation</li></ul>
970 */
971 void
973 {
979 }
991 /* Check whether we're watching for renegotiates. If so, this is one! */
997 }
999 /* Now check the cipher list. */
1003 * This is a renegotiation. */
1005 /* Yes, we're casting away the const from ssl. This is very naughty of us.
1006 * Let's hope openssl doesn't notice! */
1008 /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
1010 /* Don't send a hello request. */
1016 /* LCOV_EXCL_START this line is not reachable */
1018 /* LCOV_EXCL_STOP */
1019 }
1020 }
1021 }
1023 /** Callback to get invoked on a server after we've read the list of ciphers
1024 * the client supports, but before we pick our own ciphersuite.
1025 *
1026 * We can't abuse an info_cb for this, since by the time one of the
1027 * client_hello info_cbs is called, we've already picked which ciphersuite to
1028 * use.
1029 *
1030 * Technically, this function is an abuse of this callback, since the point of
1031 * a session_secret_cb is to try to set up and/or verify a shared-secret for
1032 * authentication on the fly. But as long as we return 0, we won't actually be
1033 * setting up a shared secret, and all will be fine.
1034 */
1035 int
1040 {
1048 CIPHERS_UNRESTRICTED) {
1050 }
1055 }
1056 static void
1058 {
1060 }
1062 /** Create a new TLS object from a file descriptor, and a flag to
1063 * determine whether it is functioning as a server.
1064 */
1065 tor_tls_t *
1067 {
1079 }
1081 #ifdef SSL_set_tlsext_host_name
1082 /* Browsers use the TLS hostname extension, so we should too. */
1087 }
1090 #ifdef SSL_CTRL_SET_MAX_PROTO_VERSION
1092 /* We can't actually use TLS 1.3 until this bug is fixed. */
1094 }
1100 #ifdef SSL_set_tlsext_host_name
1102 #endif
1106 }
1111 #ifdef SSL_set_tlsext_host_name
1113 #endif
1117 }
1118 {
1124 }
1125 }
1137 }
1142 }
1148 err:
1150 done:
1151 /* Not expected to get called. */
1154 }
1156 /** Set <b>cb</b> to be called with argument <b>arg</b> whenever <b>tls</b>
1157 * next gets a client-side renegotiate in the middle of a read. Do not
1158 * invoke this function until <em>after</em> initial handshaking is done!
1159 */
1160 void
1164 {
1172 }
1173 }
1175 /** If this version of openssl requires it, turn on renegotiation on
1176 * <b>tls</b>.
1177 */
1178 void
1180 {
1181 /* Yes, we know what we are doing here. No, we do not treat a renegotiation
1182 * as authenticating any earlier-received data. */
1184 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
1185 }
1187 /** If this version of openssl supports it, turn off renegotiation on
1188 * <b>tls</b>. (Our protocol never requires this for security, but it's nice
1189 * to use belt-and-suspenders here.)
1190 */
1191 void
1193 {
1194 #ifdef SUPPORT_UNSAFE_RENEGOTIATION_FLAG
1196 #else
1198 #endif
1199 }
1201 /**
1202 * Tell the TLS library that the underlying socket for <b>tls</b> has been
1203 * closed, and the library should not attempt to free that socket itself.
1204 */
1205 void
1207 {
1217 }
1220 }
1221 }
1223 void
1225 {
1229 #ifdef SSL_set_tlsext_host_name
1231 #endif
1233 }
1235 /** Underlying function for TLS reading. Reads up to <b>len</b>
1236 * characters from <b>tls</b> into <b>cp</b>. On success, returns the
1237 * number of characters read. On failure, returns TOR_TLS_ERROR,
1238 * TOR_TLS_CLOSE, TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
1239 */
1242 {
1251 /* Renegotiation happened! */
1256 }
1258 }
1268 }
1269 }
1271 /** Total number of bytes that we've used TLS to send. Used to track TLS
1272 * overhead. */
1274 /** Total number of bytes that TLS has put on the network for us. Used to
1275 * track TLS overhead. */
1278 /** Underlying function for TLS writing. Write up to <b>n</b>
1279 * characters from <b>cp</b> onto <b>tls</b>. On success, returns the
1280 * number of characters written. On failure, returns TOR_TLS_ERROR,
1281 * TOR_TLS_WANTREAD, or TOR_TLS_WANTWRITE.
1282 */
1283 int
1285 {
1294 /* if WANTWRITE last time, we must use the _same_ n as before */
1300 }
1306 }
1309 }
1311 }
1313 /** Perform initial handshake on <b>tls</b>. When finished, returns
1314 * TOR_TLS_DONE. On failure, returns TOR_TLS_ERROR, TOR_TLS_WANTREAD,
1315 * or TOR_TLS_WANTWRITE.
1316 */
1317 int
1319 {
1337 }
1344 /* We need to call this here and not earlier, since OpenSSL has a penchant
1345 * for clearing its flags when you say accept or connect. */
1352 }
1356 }
1358 }
1360 /** Perform the final part of the initial TLS handshake on <b>tls</b>. This
1361 * should be called for the first handshake only: it determines whether the v1
1362 * or the v2 handshake was used, and adjusts things for the renegotiation
1363 * handshake as appropriate.
1364 *
1365 * tor_tls_handshake() calls this on its own; you only need to call this if
1366 * bufferevent is doing the handshake for you.
1367 */
1368 int
1370 {
1378 /* This check is redundant, but back when we did it in the callback,
1379 * we might have not been able to look up the tor_tls_t if the code
1380 * was buggy. Fixing that. */
1384 }
1390 }
1392 /* Client-side */
1394 /* XXXX this can move, probably? -NM */
1398 }
1399 }
1402 }
1404 /** Return true iff this TLS connection is authenticated.
1405 */
1406 int
1408 {
1416 }
1418 /** Return a newly allocated copy of the peer certificate, or NULL if there
1419 * isn't one. */
1422 {
1429 }
1431 /** Return a newly allocated copy of the cerficate we used on the connection,
1432 * or NULL if somehow we didn't use one. */
1435 {
1441 /* Fun inconsistency: SSL_get_peer_certificate increments the reference
1442 * count, but SSL_get_certificate does not. */
1447 }
1449 /** Helper function: try to extract a link certificate and an identity
1450 * certificate from <b>tls</b>, and store them in *<b>cert_out</b> and
1451 * *<b>id_cert_out</b> respectively. Log all messages at level
1452 * <b>severity</b>.
1453 *
1454 * Note that a reference is added both of the returned certificates. */
1458 {
1469 /* 1 means we're receiving (server-side), and it's just the id_cert.
1470 * 2 means we're connecting (client-side), and it's both the link
1471 * cert and the id_cert.
1472 */
1476 num_in_chain);
1478 }
1483 }
1485 }
1487 /** Return the number of bytes available for reading from <b>tls</b>.
1488 */
1489 int
1491 {
1494 }
1496 /** If <b>tls</b> requires that the next write be of a particular size,
1497 * return that size. Otherwise, return 0. */
1498 size_t
1500 {
1502 }
1504 /** Sets n_read and n_written to the number of bytes read and written,
1505 * respectively, on the raw socket used by <b>tls</b> since the last time this
1506 * function was called on <b>tls</b>. */
1507 void
1509 {
1513 /* We want the number of bytes actually for real written. Unfortunately,
1514 * sometimes OpenSSL replaces the wbio on tls->ssl with a buffering bio,
1515 * which makes the answer turn out wrong. Let's cope with that. Note
1516 * that this approach will fail if we ever replace tls->ssl's BIOs with
1517 * buffering bios for reasons of our own. As an alternative, we could
1518 * save the original BIO for tls->ssl in the tor_tls_t structure, but
1519 * that would be tempting fate. */
1521 #if OPENSSL_VERSION_NUMBER >= OPENSSL_VER(1,1,0,0,5)
1522 /* BIO structure is opaque as of OpenSSL 1.1.0-pre5-dev. Again, not
1523 * supposed to use this form of the version macro, but the OpenSSL developers
1524 * introduced major API changes in the pre-release stage.
1525 */
1535 /* We are ok with letting these unsigned ints go "negative" here:
1536 * If we wrapped around, this should still give us the right answer, unless
1537 * we wrapped around by more than ULONG_MAX since the last time we called
1538 * this function.
1539 */
1546 }
1550 }
1552 /** Return a ratio of the bytes that TLS has sent to the bytes that we've told
1553 * it to send. Used to track whether our TLS records are getting too tiny. */
1556 {
1562 }
1564 /** Implement check_no_tls_errors: If there are any pending OpenSSL
1565 * errors, log an error message. */
1566 void
1568 {
1574 }
1576 /** Return true iff the initial TLS connection at <b>tls</b> did not use a v2
1577 * TLS handshake. Output is undefined if the handshake isn't finished. */
1578 int
1580 {
1582 }
1584 /** Return true iff the server TLS connection <b>tls</b> got the renegotiation
1585 * request it was waiting for. */
1586 int
1588 {
1590 }
1592 #ifndef HAVE_SSL_GET_CLIENT_RANDOM
1593 static size_t
1595 {
1602 }
1605 #ifndef HAVE_SSL_GET_SERVER_RANDOM
1606 static size_t
1608 {
1615 }
1618 #ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
1619 size_t
1621 {
1629 }
1632 /** Set the DIGEST256_LEN buffer at <b>secrets_out</b> to the value used in
1633 * the v3 handshake to prove that the client knows the TLS secrets for the
1634 * connection <b>tls</b>. Return 0 on success, -1 on failure.
1635 */
1638 {
1662 }
1672 }
1682 }
1687 {
1690 }
1692 {
1695 server_random_len);
1697 }
1700 {
1703 }
1708 /*
1709 The value is an HMAC, using the TLS master key as the HMAC key, of
1710 client_random | server_random | TLSSECRET_MAGIC
1711 */
1714 master_key_len,
1721 }
1723 /** Using the RFC5705 key material exporting construction, and the
1724 * provided <b>context</b> (<b>context_len</b> bytes long) and
1725 * <b>label</b> (a NUL-terminated string), compute a 32-byte secret in
1726 * <b>secrets_out</b> that only the parties to this TLS session can
1727 * compute. Return 0 on success; -1 on failure; and -2 on failure
1728 * caused by OpenSSL bug 7712.
1729 */
1735 {
1747 }
1749 #ifdef TLS1_3_VERSION
1755 /* We might have run into OpenSSL issue 7712, which caused OpenSSL
1756 * 1.1.1a to not handle long labels. Let's test to see if we have.
1757 */
1761 /* A short label succeeds, but a long label fails. This was openssl
1762 * issue 7712. */
1766 }
1767 }
1770 else
1772 }
1776 }
1778 /** Examine the amount of memory used and available for buffers in <b>tls</b>.
1779 * Set *<b>rbuf_capacity</b> to the amount of storage allocated for the read
1780 * buffer and *<b>rbuf_bytes</b> to the amount actually used.
1781 * Set *<b>wbuf_capacity</b> to the amount of storage allocated for the write
1782 * buffer and *<b>wbuf_bytes</b> to the amount actually used.
1783 *
1784 * Return 0 on success, -1 on failure.*/
1785 int
1789 {
1790 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
1801 else
1805 else
1811 }
1813 /** Check whether the ECC group requested is supported by the current OpenSSL
1814 * library instance. Return 1 if the group is supported, and 0 if not.
1815 */
1816 int
1818 {
1829 else
1837 }