static int tls_init_ecdh_curve(tls_t *tls) { int nid; EC_KEY *ecdh; if (!(nid = OBJ_sn2nid("prime256v1"))) { tls_log_errors(1, "Couldn't find specified curve", 0); errno = EIO; return -1; } if (!(ecdh = EC_KEY_new_by_curve_name(nid))) { tls_log_errors(1, "Couldn't create specified curve", 0); errno = EIO; return -1; } SSL_CTX_set_options(tls->ctx, SSL_OP_SINGLE_ECDH_USE); SSL_CTX_set_tmp_ecdh(tls->ctx, ecdh); EC_KEY_free(ecdh); return 0; }
/** Given a TLS object and the result of an SSL_* call, use * SSL_get_error to determine whether an error has occurred, and if so * which one. Return one of TOR_TLS_{DONE|WANTREAD|WANTWRITE|ERROR}. * If extra&CATCH_SYSCALL is true, return _TOR_TLS_SYSCALL instead of * reporting syscall errors. If extra&CATCH_ZERO is true, return * _TOR_TLS_ZERORETURN instead of reporting zero-return errors. * * If an error has occurred, log it at level <b>severity</b> and describe the * current action as <b>doing</b>. */ static int tor_tls_get_error(tor_tls_t *tls, int r, int extra, const char *doing, int severity) { int err = SSL_get_error(tls->ssl, r); int tor_error = TOR_TLS_ERROR_MISC; switch (err) { case SSL_ERROR_NONE: return TOR_TLS_DONE; case SSL_ERROR_WANT_READ: return TOR_TLS_WANTREAD; case SSL_ERROR_WANT_WRITE: return TOR_TLS_WANTWRITE; case SSL_ERROR_SYSCALL: if (extra&CATCH_SYSCALL) return _TOR_TLS_SYSCALL; if (r == 0) { log(severity, LD_NET, "TLS error: unexpected close while %s", doing); tor_error = TOR_TLS_ERROR_IO; } else { int e = tor_socket_errno(tls->socket); log(severity, LD_NET, "TLS error: <syscall error while %s> (errno=%d: %s)", doing, e, tor_socket_strerror(e)); tor_error = tor_errno_to_tls_error(e); } tls_log_errors(tls, severity, doing); return tor_error; case SSL_ERROR_ZERO_RETURN: if (extra&CATCH_ZERO) return _TOR_TLS_ZERORETURN; log(severity, LD_NET, "TLS connection closed while %s", doing); tls_log_errors(tls, severity, doing); return TOR_TLS_CLOSE; default: tls_log_errors(tls, severity, doing); return TOR_TLS_ERROR_MISC; } }
tls_t *tls_init_master(tls_issues_t *ti) { /* Default id in case RAND fails */ unsigned char sessionId[32] = "sofia/tls"; tls_t *tls; #if HAVE_SIGPIPE signal(SIGPIPE, SIG_IGN); /* Ignore spurios SIGPIPE from OpenSSL */ #endif tls_set_default(ti); if (!(tls = tls_create(tls_master))) return NULL; if (tls_init_context(tls, ti) < 0) { int err = errno; tls_free(tls); errno = err; return NULL; } RAND_pseudo_bytes(sessionId, sizeof(sessionId)); SSL_CTX_set_session_id_context(tls->ctx, (void*) sessionId, sizeof(sessionId)); if (ti->CAfile != NULL) SSL_CTX_set_client_CA_list(tls->ctx, SSL_load_client_CA_file(ti->CAfile)); #if 0 if (sock != -1) { tls->bio_con = BIO_new_socket(sock, BIO_NOCLOSE); if (tls->bio_con == NULL) { tls_log_errors(1, "tls_init_master", 0); tls_free(tls); errno = EIO; return NULL; } } #endif return tls; }
static int tls_error(tls_t *tls, int ret, char const *who, void *buf, int size) { int events = 0; int err = SSL_get_error(tls->con, ret); switch (err) { case SSL_ERROR_WANT_WRITE: events = SU_WAIT_OUT; break; case SSL_ERROR_WANT_READ: events = SU_WAIT_IN; break; case SSL_ERROR_ZERO_RETURN: return 0; case SSL_ERROR_SYSCALL: if (SSL_get_shutdown(tls->con) & SSL_RECEIVED_SHUTDOWN) return 0; /* EOS */ if (errno == 0) return 0; /* EOS */ return -1; default: tls_log_errors(1, who, err); errno = EIO; return -1; } if (buf) { tls->write_events = events; tls->write_buffer = buf, tls->write_buffer_len = size; } else { tls->read_events = events; } errno = EAGAIN; return -1; }
tls_t *tls_init_secondary(tls_t *master, int sock, int accept) { tls_t *tls = tls_create(tls_slave); if (tls) { tls->ctx = master->ctx; tls->type = master->type; tls->accept = accept ? 1 : 0; tls->verify_outgoing = master->verify_outgoing; tls->verify_incoming = master->verify_incoming; tls->verify_subj_out = master->verify_subj_out; tls->verify_subj_in = master->verify_subj_in; tls->verify_date = master->verify_date; tls->x509_verified = master->x509_verified; if (!(tls->read_buffer = su_alloc(tls->home, tls_buffer_size))) su_home_unref(tls->home), tls = NULL; } if (!tls) return tls; assert(sock != -1); tls->bio_con = BIO_new_socket(sock, BIO_NOCLOSE); tls->con = SSL_new(tls->ctx); if (tls->con == NULL) { tls_log_errors(1, "tls_init_secondary", 0); tls_free(tls); errno = EIO; return NULL; } SSL_set_bio(tls->con, tls->bio_con, tls->bio_con); SSL_set_mode(tls->con, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); SSL_set_ex_data(tls->con, tls_ex_data_idx, tls); su_setblocking(sock, 0); return tls; }
static int tls_init_context(tls_t *tls, tls_issues_t const *ti) { int verify; static int random_loaded; ONCE_INIT(tls_init_once); if (!random_loaded) { random_loaded = 1; if (ti->randFile && !RAND_load_file(ti->randFile, 1024 * 1024)) { if (ti->configured > 1) { SU_DEBUG_3(("%s: cannot open randFile %s\n", "tls_init_context", ti->randFile)); tls_log_errors(3, "tls_init_context", 0); } /* errno = EIO; */ /* return -1; */ } } #if HAVE_SIGPIPE /* Avoid possible SIGPIPE when sending close_notify */ signal(SIGPIPE, SIG_IGN); #endif if (tls->ctx == NULL) if (!(tls->ctx = SSL_CTX_new((SSL_METHOD*)SSLv23_method()))) { tls_log_errors(1, "SSL_CTX_new() failed", 0); errno = EIO; return -1; } if (!(ti->version & TPTLS_VERSION_SSLv2)) SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv2); if (!(ti->version & TPTLS_VERSION_SSLv3)) SSL_CTX_set_options(tls->ctx, SSL_OP_NO_SSLv3); if (!(ti->version & TPTLS_VERSION_TLSv1)) SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1); if (!(ti->version & TPTLS_VERSION_TLSv1_1)) SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_1); if (!(ti->version & TPTLS_VERSION_TLSv1_2)) SSL_CTX_set_options(tls->ctx, SSL_OP_NO_TLSv1_2); SSL_CTX_sess_set_remove_cb(tls->ctx, NULL); SSL_CTX_set_timeout(tls->ctx, ti->timeout); /* Set callback if we have a passphrase */ if (ti->passphrase != NULL) { SSL_CTX_set_default_passwd_cb(tls->ctx, passwd_cb); SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, (void *)ti); } if (!SSL_CTX_use_certificate_file(tls->ctx, ti->cert, SSL_FILETYPE_PEM)) { if (ti->configured > 0) { SU_DEBUG_1(("%s: invalid local certificate: %s\n", "tls_init_context", ti->cert)); tls_log_errors(3, "tls_init_context", 0); #if require_client_certificate errno = EIO; return -1; #endif } } if (!SSL_CTX_use_PrivateKey_file(tls->ctx, ti->key, SSL_FILETYPE_PEM)) { if (ti->configured > 0) { SU_DEBUG_1(("%s: invalid private key: %s\n", "tls_init_context", ti->key)); tls_log_errors(3, "tls_init_context(key)", 0); #if require_client_certificate errno = EIO; return -1; #endif } } if (!SSL_CTX_check_private_key(tls->ctx)) { if (ti->configured > 0) { SU_DEBUG_1(("%s: private key does not match the certificate public key\n", "tls_init_context")); } #if require_client_certificate errno = EIO; return -1; #endif } if (!SSL_CTX_load_verify_locations(tls->ctx, ti->CAfile, ti->CApath)) { SU_DEBUG_1(("%s: error loading CA list: %s\n", "tls_init_context", ti->CAfile)); if (ti->configured > 0) tls_log_errors(3, "tls_init_context(CA)", 0); errno = EIO; return -1; } /* corresponds to (enum tport_tls_verify_policy) */ tls->verify_incoming = (ti->policy & 0x1) ? 1 : 0; tls->verify_outgoing = (ti->policy & 0x2) ? 1 : 0; tls->verify_subj_in = (ti->policy & 0x4) ? tls->verify_incoming : 0; tls->verify_subj_out = (ti->policy & 0x8) ? tls->verify_outgoing : 0; tls->verify_date = (ti->verify_date) ? 1 : 0; if (tls->verify_incoming) verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; else verify = SSL_VERIFY_NONE; SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth); SSL_CTX_set_verify(tls->ctx, verify, tls_verify_cb); if (tls_init_ecdh_curve(tls) == 0) { SU_DEBUG_3(("%s\n", "tls: initialized ECDH")); } else { SU_DEBUG_3(("%s\n", "tls: failed to initialize ECDH")); } if (!SSL_CTX_set_cipher_list(tls->ctx, ti->ciphers)) { SU_DEBUG_1(("%s: error setting cipher list\n", "tls_init_context")); tls_log_errors(3, "tls_init_context", 0); errno = EIO; return -1; } return 0; }
/** Create a new TLS context for use with Tor TLS handshakes. * <b>identity</b> should be set to the identity key used to sign the * certificate, and <b>nickname</b> set to the nickname to use. * * You can call this function multiple times. Each time you call it, * it generates new certificates; all new connections will use * the new SSL context. */ int tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) { crypto_pk_env_t *rsa = NULL; EVP_PKEY *pkey = NULL; tor_tls_context_t *result = NULL; X509 *cert = NULL, *idcert = NULL; char *nickname = NULL, *nn2 = NULL; tor_tls_init(); nickname = crypto_random_hostname(8, 20, "www.", ".net"); nn2 = crypto_random_hostname(8, 20, "www.", ".net"); /* Generate short-term RSA key. */ if (!(rsa = crypto_new_pk_env())) goto error; if (crypto_pk_generate_key(rsa)<0) goto error; /* Create certificate signed by identity key. */ cert = tor_tls_create_certificate(rsa, identity, nickname, nn2, key_lifetime); /* Create self-signed certificate for identity key. */ idcert = tor_tls_create_certificate(identity, identity, nn2, nn2, IDENTITY_CERT_LIFETIME); if (!cert || !idcert) { log(LOG_WARN, LD_CRYPTO, "Error creating certificate"); goto error; } result = tor_malloc_zero(sizeof(tor_tls_context_t)); result->refcnt = 1; result->my_cert = X509_dup(cert); result->my_id_cert = X509_dup(idcert); result->key = crypto_pk_dup_key(rsa); #ifdef EVERYONE_HAS_AES /* Tell OpenSSL to only use TLS1 */ if (!(result->ctx = SSL_CTX_new(TLSv1_method()))) goto error; #else /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */ if (!(result->ctx = SSL_CTX_new(SSLv23_method()))) goto error; SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); #endif SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE); #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_CTX_set_options(result->ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); #endif /* Yes, we know what we are doing here. No, we do not treat a renegotiation * as authenticating any earlier-received data. */ if (use_unsafe_renegotiation_op) { SSL_CTX_set_options(result->ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); } /* Don't actually allow compression; it uses ram and time, but the data * we transmit is all encrypted anyway. */ if (result->ctx->comp_methods) result->ctx->comp_methods = NULL; #ifdef SSL_MODE_RELEASE_BUFFERS SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS); #endif if (cert && !SSL_CTX_use_certificate(result->ctx,cert)) goto error; X509_free(cert); /* We just added a reference to cert. */ cert=NULL; if (idcert) { X509_STORE *s = SSL_CTX_get_cert_store(result->ctx); tor_assert(s); X509_STORE_add_cert(s, idcert); X509_free(idcert); /* The context now owns the reference to idcert */ idcert = NULL; } SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF); tor_assert(rsa); if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1))) goto error; if (!SSL_CTX_use_PrivateKey(result->ctx, pkey)) goto error; EVP_PKEY_free(pkey); pkey = NULL; if (!SSL_CTX_check_private_key(result->ctx)) goto error; { crypto_dh_env_t *dh = crypto_dh_new(); SSL_CTX_set_tmp_dh(result->ctx, _crypto_dh_env_get_dh(dh)); crypto_dh_free(dh); } SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER, always_accept_verify_cb); /* let us realloc bufs that we're writing from */ SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); /* Free the old context if one exists. */ if (global_tls_context) { /* This is safe even if there are open connections: OpenSSL does * reference counting with SSL and SSL_CTX objects. */ tor_tls_context_decref(global_tls_context); } global_tls_context = result; if (rsa) crypto_free_pk_env(rsa); tor_free(nickname); tor_free(nn2); return 0; error: tls_log_errors(NULL, LOG_WARN, "creating TLS context"); tor_free(nickname); tor_free(nn2); if (pkey) EVP_PKEY_free(pkey); if (rsa) crypto_free_pk_env(rsa); if (result) tor_tls_context_decref(result); if (cert) X509_free(cert); if (idcert) X509_free(idcert); return -1; }
/** Generate and sign an X509 certificate with the public key <b>rsa</b>, * signed by the private key <b>rsa_sign</b>. The commonName of the * certificate will be <b>cname</b>; the commonName of the issuer will be * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b> seconds * starting from now. Return a certificate on success, NULL on * failure. */ static X509 * tor_tls_create_certificate(crypto_pk_env_t *rsa, crypto_pk_env_t *rsa_sign, const char *cname, const char *cname_sign, unsigned int cert_lifetime) { time_t start_time, end_time; EVP_PKEY *sign_pkey = NULL, *pkey=NULL; X509 *x509 = NULL; X509_NAME *name = NULL, *name_issuer=NULL; tor_tls_init(); start_time = time(NULL); tor_assert(rsa); tor_assert(cname); tor_assert(rsa_sign); tor_assert(cname_sign); if (!(sign_pkey = _crypto_pk_env_get_evp_pkey(rsa_sign,1))) goto error; if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,0))) goto error; if (!(x509 = X509_new())) goto error; if (!(X509_set_version(x509, 2))) goto error; if (!(ASN1_INTEGER_set(X509_get_serialNumber(x509), (long)start_time))) goto error; if (!(name = tor_x509_name_new(cname))) goto error; if (!(X509_set_subject_name(x509, name))) goto error; if (!(name_issuer = tor_x509_name_new(cname_sign))) goto error; if (!(X509_set_issuer_name(x509, name_issuer))) goto error; if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time)) goto error; end_time = start_time + cert_lifetime; if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time)) goto error; if (!X509_set_pubkey(x509, pkey)) goto error; if (!X509_sign(x509, sign_pkey, EVP_sha1())) goto error; goto done; error: if (x509) { X509_free(x509); x509 = NULL; } done: tls_log_errors(NULL, LOG_WARN, "generating certificate"); if (sign_pkey) EVP_PKEY_free(sign_pkey); if (pkey) EVP_PKEY_free(pkey); if (name) X509_NAME_free(name); if (name_issuer) X509_NAME_free(name_issuer); return x509; }
static int tls_init_context(tls_t *tls, tls_issues_t const *ti) { int verify; static int random_loaded; ONCE_INIT(tls_init_once); if (!random_loaded) { random_loaded = 1; if (ti->randFile && !RAND_load_file(ti->randFile, 1024 * 1024)) { if (ti->configured > 1) { SU_DEBUG_3(("%s: cannot open randFile %s\n", "tls_init_context", ti->randFile)); tls_log_errors(3, "tls_init_context", 0); } /* errno = EIO; */ /* return -1; */ } } #if HAVE_SIGPIPE /* Avoid possible SIGPIPE when sending close_notify */ signal(SIGPIPE, SIG_IGN); #endif if (tls->ctx == NULL) { const SSL_METHOD *meth; /* meth = SSLv3_method(); */ /* meth = SSLv23_method(); */ if (ti->version) meth = TLSv1_method(); else meth = SSLv23_method(); tls->ctx = SSL_CTX_new((SSL_METHOD*)meth); } if (tls->ctx == NULL) { tls_log_errors(1, "tls_init_context", 0); errno = EIO; return -1; } if (!SSL_CTX_use_certificate_file(tls->ctx, ti->cert, SSL_FILETYPE_PEM)) { if (ti->configured > 0) { SU_DEBUG_1(("%s: invalid local certificate: %s\n", "tls_init_context", ti->cert)); tls_log_errors(3, "tls_init_context", 0); #if require_client_certificate errno = EIO; return -1; #endif } } if (!SSL_CTX_use_PrivateKey_file(tls->ctx, ti->key, SSL_FILETYPE_PEM)) { if (ti->configured > 0) { SU_DEBUG_1(("%s: invalid private key: %s\n", "tls_init_context", ti->key)); tls_log_errors(3, "tls_init_context(key)", 0); #if require_client_certificate errno = EIO; return -1; #endif } } if (!SSL_CTX_check_private_key(tls->ctx)) { if (ti->configured > 0) { SU_DEBUG_1(("%s: private key does not match the certificate public key\n", "tls_init_context")); } #if require_client_certificate errno = EIO; return -1; #endif } if (!SSL_CTX_load_verify_locations(tls->ctx, ti->CAfile, ti->CApath)) { SU_DEBUG_1(("%s: error loading CA list: %s\n", "tls_init_context", ti->CAfile)); if (ti->configured > 0) tls_log_errors(3, "tls_init_context(CA)", 0); errno = EIO; return -1; } /* corresponds to (enum tport_tls_verify_policy) */ tls->verify_incoming = (ti->policy & 0x1) ? 1 : 0; tls->verify_outgoing = (ti->policy & 0x2) ? 1 : 0; tls->verify_subj_in = (ti->policy & 0x4) ? tls->verify_incoming : 0; tls->verify_subj_out = (ti->policy & 0x8) ? tls->verify_outgoing : 0; tls->verify_date = (ti->verify_date) ? 1 : 0; if (tls->verify_incoming) verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; else verify = SSL_VERIFY_NONE; SSL_CTX_set_verify_depth(tls->ctx, ti->verify_depth); SSL_CTX_set_verify(tls->ctx, verify, tls_verify_cb); if (!SSL_CTX_set_cipher_list(tls->ctx, ti->cipher)) { SU_DEBUG_1(("%s: error setting cipher list\n", "tls_init_context")); tls_log_errors(3, "tls_init_context", 0); errno = EIO; return -1; } return 0; }