October 2011 - tor-commits - lists.torproject.org

[tor/master] Add more log statements for protocol/internal failures
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit 1bd65680bdfcd46e1c96e71e3912cbdef4fc158a Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Oct 6 14:58:59 2011 -0400 Add more log statements for protocol/internal failures --- src/or/command.c | 36 ++++++++++++++++++++++++++++++------ src/or/connection_or.c | 17 +++++++++++------ 2 files changed, 41 insertions(+), 12 deletions(-) diff --git a/src/or/command.c b/src/or/command.c index 7efd18f..8cf6c46 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -149,10 +149,15 @@ command_process_cell(cell_t *cell, or_connection_t *conn) #endif /* Reject all but VERSIONS and NETINFO when handshaking. */ + /* (VERSIONS should actually be impossible; it's variable-length.) */ if (handshaking && cell->command != CELL_VERSIONS && - cell->command != CELL_NETINFO) + cell->command != CELL_NETINFO) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Received unexpected cell command %d in state %s; ignoring it.", + (int)cell->command, + conn_state_to_string(CONN_TYPE_OR,conn->_base.state)); return; - /* XXXX VERSIONS should be impossible; it's variable-length. */ + } if (conn->_base.state == OR_CONN_STATE_OR_HANDSHAKING_V3) or_handshake_state_record_cell(conn->handshake_state, cell, 1); @@ -239,18 +244,37 @@ command_process_var_cell(var_cell_t *cell, or_connection_t *conn) /* fall through */ case OR_CONN_STATE_TLS_SERVER_RENEGOTIATING: - if (cell->command != CELL_VERSIONS) - return; /*XXXX023 log*/ + if (cell->command != CELL_VERSIONS) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Received a non-VERSIONS cell with command %d in state %s; " + "ignoring it.", + (int)cell->command, + conn_state_to_string(CONN_TYPE_OR,conn->_base.state)); + return; + } break; case OR_CONN_STATE_OR_HANDSHAKING_V3: if (cell->command != CELL_AUTHENTICATE) or_handshake_state_record_var_cell(conn->handshake_state, cell, 1); break; /* Everything is allowed */ case OR_CONN_STATE_OPEN: - if (conn->link_proto < 3) + if (conn->link_proto < 3) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Received a variable-length cell with command %d in state %s " + "with link protocol %d; ignoring it.", + (int)cell->command, + conn_state_to_string(CONN_TYPE_OR,conn->_base.state), + (int)conn->link_proto); return; + } + break; default: - /*XXXX023 log */ + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Received var-length cell with command %d in unexpected state " + "%s [%d]; ignoring it.", + (int)cell->command, + conn_state_to_string(CONN_TYPE_OR,conn->_base.state), + (int)conn->_base.state); return; } diff --git a/src/or/connection_or.c b/src/or/connection_or.c index a5b965b..b4c1fd0 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -2176,15 +2176,20 @@ connection_or_send_authenticate_cell(or_connection_t *conn, int authtype) int cell_maxlen; /* XXXX make sure we're actually supposed to send this! */ - if (!pk) - return -1;/*XXXX log*/ - if (authtype != AUTHTYPE_RSA_SHA256_TLSSECRET) - return -1;/*XXXX log*/ + if (!pk) { + log_warn(LD_BUG, "Unable to compute authenticate cell: no client auth key"); + return -1; + } + if (authtype != AUTHTYPE_RSA_SHA256_TLSSECRET) { + log_warn(LD_BUG, "Tried to send authenticate cell with unknown " + "authentication type %d", authtype); + return -1; + } cell_maxlen = 4 + /* overhead */ V3_AUTH_BODY_LEN + /* Authentication body */ crypto_pk_keysize(pk) + /* Max signature length */ - 16 /* just in case XXXX */ ; + 16 /* add a few extra bytes just in case. */; cell = var_cell_new(cell_maxlen); cell->command = CELL_AUTHENTICATE; @@ -2197,7 +2202,7 @@ connection_or_send_authenticate_cell(or_connection_t *conn, int authtype) pk, 0 /* not server */); if (authlen < 0) { - /* XXXX log */ + log_warn(LD_BUG, "Unable to compute authenticate cell!"); var_cell_free(cell); return -1; }

1 0

[tor/master] Fix a few 64bit compiler warnings
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit 66200320ffe584893acaf4ea5a55851039e2e92c Author: Sebastian Hahn <sebastian(a)torproject.org> Date: Tue Oct 11 03:06:41 2011 +0200 Fix a few 64bit compiler warnings --- src/or/connection_or.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/or/connection_or.c b/src/or/connection_or.c index b4c1fd0..42fcea2 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -1951,7 +1951,7 @@ connection_or_send_cert_cell(or_connection_t *conn) size_t link_len, id_len; var_cell_t *cell; size_t cell_len; - int pos; + ssize_t pos; int server_mode; tor_assert(conn->_base.state == OR_CONN_STATE_OR_HANDSHAKING_V3); @@ -2037,6 +2037,7 @@ connection_or_send_auth_challenge_cell(or_connection_t *conn) * * If server is false and signing_key is provided, calculate the * entire authenticator, signed with signing_key. + * DOCDOC return value */ int connection_or_compute_authenticate_cell_body(or_connection_t *conn, @@ -2128,7 +2129,7 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, tor_assert(ptr - out == V3_AUTH_FIXED_PART_LEN); if (server) - return ptr-out; + return V3_AUTH_FIXED_PART_LEN; // ptr-out /* Time: 8 octets. */ { @@ -2147,7 +2148,7 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, tor_assert(ptr - out == V3_AUTH_BODY_LEN); if (!signing_key) - return ptr - out; + return V3_AUTH_BODY_LEN; // ptr - out { int siglen; @@ -2161,7 +2162,7 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, ptr += siglen; tor_assert(ptr <= out+outlen); - return ptr - out; + return (int)(ptr - out); } } @@ -2173,7 +2174,7 @@ connection_or_send_authenticate_cell(or_connection_t *conn, int authtype) var_cell_t *cell; crypto_pk_env_t *pk = tor_tls_get_my_client_auth_key(); int authlen; - int cell_maxlen; + size_t cell_maxlen; /* XXXX make sure we're actually supposed to send this! */ if (!pk) {

1 0

[tor/master] New function to get all digests of a public key
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit dcf69a9e12d013563575e50b7d6f547832f92f66 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Sep 13 14:32:51 2011 -0400 New function to get all digests of a public key --- src/common/crypto.c | 26 ++++++++++++++++++++++++++ src/common/crypto.h | 1 + 2 files changed, 27 insertions(+), 0 deletions(-) diff --git a/src/common/crypto.c b/src/common/crypto.c index 9ad7575..edb0d42 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -1249,6 +1249,32 @@ crypto_pk_get_digest(crypto_pk_env_t *pk, char *digest_out) return 0; } +/** Compute all digests of the DER encoding of pk, and store them + * in digests_out. Return 0 on success, -1 on failure. */ +int +crypto_pk_get_all_digests(crypto_pk_env_t *pk, digests_t *digests_out) +{ + unsigned char *buf, *bufp; + int len; + + len = i2d_RSAPublicKey(pk->key, NULL); + if (len < 0) + return -1; + buf = bufp = tor_malloc(len+1); + len = i2d_RSAPublicKey(pk->key, &bufp); + if (len < 0) { + crypto_log_errors(LOG_WARN,"encoding public key"); + tor_free(buf); + return -1; + } + if (crypto_digest_all(digests_out, (char*)buf, len) < 0) { + tor_free(buf); + return -1; + } + tor_free(buf); + return 0; +} + /** Copy in to the outlen-byte buffer out, adding spaces * every four spaces. */ /* static */ void diff --git a/src/common/crypto.h b/src/common/crypto.h index 9b4eee6..d50d9f9 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -150,6 +150,7 @@ int crypto_pk_private_hybrid_decrypt(crypto_pk_env_t *env, char *to, int crypto_pk_asn1_encode(crypto_pk_env_t *pk, char *dest, size_t dest_len); crypto_pk_env_t *crypto_pk_asn1_decode(const char *str, size_t len); int crypto_pk_get_digest(crypto_pk_env_t *pk, char *digest_out); +int crypto_pk_get_all_digests(crypto_pk_env_t *pk, digests_t *digests_out); int crypto_pk_get_fingerprint(crypto_pk_env_t *pk, char *fp_out,int add_space); int crypto_pk_check_fingerprint_syntax(const char *s);

1 0

[tor/master] Turn X509 certificates into a first-class type and add some functions
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit c0bbcf138fa4e7d8e1974ed91718025d0dd5cc7a Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Sep 13 11:37:15 2011 -0400 Turn X509 certificates into a first-class type and add some functions --- src/common/tortls.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++++-- src/common/tortls.h | 11 ++++ 2 files changed, 155 insertions(+), 6 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 1bb9c74..b711967 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -97,14 +97,23 @@ static int use_unsafe_renegotiation_op = 0; * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */ static int use_unsafe_renegotiation_flag = 0; +/** Structure that we use for a single certificate. */ +struct tor_cert_t { + X509 *cert; + uint8_t *encoded; + size_t encoded_len; + digests_t cert_digests; + digests_t pkey_digests; +}; + /** Holds a SSL_CTX object and related state used to configure TLS * connections. */ typedef struct tor_tls_context_t { int refcnt; SSL_CTX *ctx; - X509 *my_cert; - X509 *my_id_cert; + tor_cert_t *my_cert; + tor_cert_t *my_id_cert; crypto_pk_env_t *key; } tor_tls_context_t; @@ -670,6 +679,115 @@ static const int N_CLIENT_CIPHERS = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) #endif +/** Free all storage held in cert */ +void +tor_cert_free(tor_cert_t *cert) +{ + if (! cert) + return; + if (cert->cert) + X509_free(cert->cert); + tor_free(cert->encoded); + memset(cert, 0x03, sizeof(cert)); + tor_free(cert); +} + +/** + * Allocate a new tor_cert_t to hold the certificate "x509_cert". + * + * Steals a reference to x509_cert. + */ +static tor_cert_t * +tor_cert_new(X509 *x509_cert) +{ + tor_cert_t *cert; + EVP_PKEY *pkey; + RSA *rsa; + int length = i2d_X509(x509_cert, NULL), length2; + unsigned char *cp; + + cert = tor_malloc_zero(sizeof(tor_cert_t)); + if (length <= 0) { + tor_free(cert); + log_err(LD_CRYPTO, "Couldn't get length of encoded x509 certificate"); + X509_free(x509_cert); + return NULL; + } + cert->encoded_len = (size_t) length; + cp = cert->encoded = tor_malloc(length); + length2 = i2d_X509(x509_cert, &cp); + tor_assert(length2 == length); + + cert->cert = x509_cert; + + crypto_digest_all(&cert->cert_digests, + (char*)cert->encoded, cert->encoded_len); + + if ((pkey = X509_get_pubkey(x509_cert)) && + (rsa = EVP_PKEY_get1_RSA(pkey))) { + crypto_pk_env_t *pk = _crypto_new_pk_env_rsa(rsa); + crypto_pk_get_all_digests(pk, &cert->pkey_digests); + crypto_free_pk_env(pk); + EVP_PKEY_free(pkey); + } + + return cert; +} + +/** Read a DER-encoded X509 cert, of length exactly certificate_len, + * from a certificate. Return a newly allocated tor_cert_t on success + * and NULL on failure. */ +tor_cert_t * +tor_cert_decode(const uint8_t *certificate, size_t certificate_len) +{ + X509 *x509; + const unsigned char *cp = (const unsigned char *)certificate; + tor_cert_t *newcert; + tor_assert(certificate); + + if (certificate_len > INT_MAX) + return NULL; + +#if OPENSSL_VERSION_NUMBER < 0x00908000l + /* This ifdef suppresses a type warning. Take out this case once everybody + * is using OpenSSL 0.9.8 or later. */ + x509 = d2i_X509(NULL, (unsigned char**)&cp, (int)certificate_len); +#else + x509 = d2i_X509(NULL, &cp, (int)certificate_len); +#endif + if (!x509) + return NULL; /* Couldn't decode */ + if (cp - certificate != (int)certificate_len) { + X509_free(x509); + return NULL; /* Didn't use all the bytes */ + } + newcert = tor_cert_new(x509); + if (!newcert) { + X509_free(x509); + return NULL; + } + if (newcert->encoded_len != certificate_len || + fast_memneq(newcert->encoded, certificate, certificate_len)) { + /* Cert wasn't in DER */ + tor_cert_free(newcert); + return NULL; + } + return newcert; +} + +/** Set *encoded_out and *size_out/b> to cert's encoded DER + * representation and length, respectively. */ +void +tor_cert_get_der(const tor_cert_t *cert, + const uint8_t **encoded_out, size_t *size_out) +{ + tor_assert(cert); + tor_assert(encoded_out); + tor_assert(size_out); + *encoded_out = cert->encoded; + *size_out = cert->encoded_len; +} + /** Remove a reference to ctx, and free it if it has no more * references. */ static void @@ -678,13 +796,33 @@ tor_tls_context_decref(tor_tls_context_t *ctx) tor_assert(ctx); if (--ctx->refcnt == 0) { SSL_CTX_free(ctx->ctx); - X509_free(ctx->my_cert); - X509_free(ctx->my_id_cert); + tor_cert_free(ctx->my_cert); + tor_cert_free(ctx->my_id_cert); crypto_free_pk_env(ctx->key); tor_free(ctx); } } +/** Set *link_cert_out and *id_cert_out to the link certificate + * and ID certificate that we're currently using for our V3 in-protocol + * handshake's certificate chain. If server is true, provide the certs + * that we use in server mode; otherwise, provide the certs that we use in + * client mode. */ +int +tor_tls_get_my_certs(int server, + const tor_cert_t **link_cert_out, + const tor_cert_t **id_cert_out) +{ + tor_tls_context_t *ctx = server ? server_tls_context : client_tls_context; + if (! ctx) + return -1; + if (link_cert_out) + *link_cert_out = ctx->my_cert; + if (id_cert_out) + *id_cert_out = ctx->my_id_cert; + return 0; +} + /** Increase the reference count of ctx. */ static void tor_tls_context_incref(tor_tls_context_t *ctx) @@ -813,8 +951,8 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) result = tor_malloc_zero(sizeof(tor_tls_context_t)); result->refcnt = 1; - result->my_cert = X509_dup(cert); - result->my_id_cert = X509_dup(idcert); + result->my_cert = tor_cert_new(X509_dup(cert)); + result->my_id_cert = tor_cert_new(X509_dup(idcert)); result->key = crypto_pk_dup_key(rsa); #ifdef EVERYONE_HAS_AES diff --git a/src/common/tortls.h b/src/common/tortls.h index 9b8108b..c55da4a 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -17,6 +17,9 @@ /* Opaque structure to hold a TLS connection. */ typedef struct tor_tls_t tor_tls_t; +/* Opaque structure to hold an X509 certificate. */ +typedef struct tor_cert_t tor_cert_t; + /* Possible return values for most tor_tls_* functions. */ #define _MIN_TOR_TLS_ERROR_VAL -9 #define TOR_TLS_ERROR_MISC -9 @@ -104,5 +107,13 @@ struct bufferevent *tor_tls_init_bufferevent(tor_tls_t *tls, int filter); #endif +void tor_cert_free(tor_cert_t *cert); +tor_cert_t *tor_cert_decode(const uint8_t *certificate, size_t certificate_len); +void tor_cert_get_der(const tor_cert_t *cert, + const uint8_t **encoded_out, size_t *size_out); +int tor_tls_get_my_certs(int server, + const tor_cert_t **link_cert_out, + const tor_cert_t **id_cert_out); + #endif

1 0

[tor/master] Add a sha256 hmac function, with tests
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit fdbb9cdf746bbf0c39c34188baa8872471183ff7 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Sep 13 11:38:13 2011 -0400 Add a sha256 hmac function, with tests --- src/common/crypto.c | 68 +++++++++++++++++++++++++++++++++++++++++++++ src/common/crypto.h | 3 ++ src/test/test_crypto.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 141 insertions(+), 1 deletions(-) diff --git a/src/common/crypto.c b/src/common/crypto.c index edb0d42..c397199 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -1740,6 +1740,74 @@ crypto_hmac_sha1(char *hmac_out, (unsigned char*)hmac_out, NULL); } +/** Compute the HMAC-SHA-256 of the msg_len bytes in msg, using + * the key of length key_len. Store the DIGEST_LEN-byte result + * in hmac_out. + */ +void +crypto_hmac_sha256(char *hmac_out, + const char *key, size_t key_len, + const char *msg, size_t msg_len) +{ +#if (OPENSSL_VERSION_NUMBER >= 0x00908000l) + /* If we've got OpenSSL >=0.9.8 we can use its hmac implementation. */ + tor_assert(key_len < INT_MAX); + tor_assert(msg_len < INT_MAX); + HMAC(EVP_sha256(), key, (int)key_len, (unsigned char*)msg, (int)msg_len, + (unsigned char*)hmac_out, NULL); +#else + /* OpenSSL doesn't have an EVP implementation for SHA256. We'll need + to do HMAC on our own. + + HMAC isn't so hard: To compute HMAC(key, msg): + 1. If len(key) > blocksize, key = H(key). + 2. If len(key) < blocksize, right-pad key up to blocksize with 0 bytes. + 3. let ipad = key xor 0x363636363636....36 + let opad = key xor 0x5c5c5c5c5c5c....5c + The result is H(opad | H( ipad | msg ) ) + */ +#define BLOCKSIZE 64 +#define DIGESTSIZE 32 + uint8_t k[BLOCKSIZE]; + uint8_t pad[BLOCKSIZE]; + uint8_t d[DIGESTSIZE]; + int i; + SHA256_CTX st; + + tor_assert(key_len < INT_MAX); + tor_assert(msg_len < INT_MAX); + + if (key_len <= BLOCKSIZE) { + memset(k, 0, sizeof(k)); + memcpy(k, key, key_len); /* not time invariant in key_len */ + } else { + SHA256((const uint8_t *)key, key_len, k); + memset(k+DIGESTSIZE, 0, sizeof(k)-DIGESTSIZE); + } + for (i = 0; i < BLOCKSIZE; ++i) + pad[i] = k[i] ^ 0x36; + SHA256_Init(&st); + SHA256_Update(&st, pad, BLOCKSIZE); + SHA256_Update(&st, (uint8_t*)msg, msg_len); + SHA256_Final(d, &st); + + for (i = 0; i < BLOCKSIZE; ++i) + pad[i] = k[i] ^ 0x5c; + SHA256_Init(&st); + SHA256_Update(&st, pad, BLOCKSIZE); + SHA256_Update(&st, d, DIGESTSIZE); + SHA256_Final((uint8_t*)hmac_out, &st); + + /* Now clear everything. */ + memset(k, 0, sizeof(k)); + memset(pad, 0, sizeof(pad)); + memset(d, 0, sizeof(d)); + memset(&st, 0, sizeof(st)); +#undef BLOCKSIZE +#undef DIGESTSIZE +#endif +} + /* DH */ /** Shared P parameter for our circuit-crypto DH key exchanges. */ diff --git a/src/common/crypto.h b/src/common/crypto.h index d50d9f9..80c1029 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -196,6 +196,9 @@ void crypto_digest_assign(crypto_digest_env_t *into, void crypto_hmac_sha1(char *hmac_out, const char *key, size_t key_len, const char *msg, size_t msg_len); +void crypto_hmac_sha256(char *hmac_out, + const char *key, size_t key_len, + const char *msg, size_t msg_len); /* Key negotiation */ #define DH_TYPE_CIRCUIT 1 diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c index dca0d3a..1b338a2 100644 --- a/src/test/test_crypto.c +++ b/src/test/test_crypto.c @@ -231,7 +231,7 @@ test_crypto_sha(void) { crypto_digest_env_t *d1 = NULL, *d2 = NULL; int i; - char key[80]; + char key[160]; char digest[32]; char data[50]; char d_out1[DIGEST_LEN], d_out2[DIGEST256_LEN]; @@ -276,6 +276,75 @@ test_crypto_sha(void) test_streq(hex_str(digest, 20), "AA4AE5E15272D00E95705637CE8A3B55ED402112"); + /* Test HMAC-SHA256 with test cases from wikipedia and RFC 4231 */ + + /* Case empty (wikipedia) */ + crypto_hmac_sha256(digest, "", 0, "", 0); + test_streq(hex_str(digest, 32), + "B613679A0814D9EC772F95D778C35FC5FF1697C493715653C6C712144292C5AD"); + + /* Case quick-brown (wikipedia) */ + crypto_hmac_sha256(digest, "key", 3, + "The quick brown fox jumps over the lazy dog", 43); + test_streq(hex_str(digest, 32), + "F7BC83F430538424B13298E6AA6FB143EF4D59A14946175997479DBC2D1A3CD8"); + + /* "Test Case 1" from RFC 4231 */ + memset(key, 0x0b, 20); + crypto_hmac_sha256(digest, key, 20, "Hi There", 8); + test_memeq_hex(digest, + "b0344c61d8db38535ca8afceaf0bf12b" + "881dc200c9833da726e9376c2e32cff7"); + + /* "Test Case 2" from RFC 4231 */ + memset(key, 0x0b, 20); + crypto_hmac_sha256(digest, "Jefe", 4, "what do ya want for nothing?", 28); + test_memeq_hex(digest, + "5bdcc146bf60754e6a042426089575c7" + "5a003f089d2739839dec58b964ec3843"); + + /* "Test case 3" from RFC 4231 */ + memset(key, 0xaa, 20); + memset(data, 0xdd, 50); + crypto_hmac_sha256(digest, key, 20, data, 50); + test_memeq_hex(digest, + "773ea91e36800e46854db8ebd09181a7" + "2959098b3ef8c122d9635514ced565fe"); + + /* "Test case 4" from RFC 4231 */ + base16_decode(key, 25, + "0102030405060708090a0b0c0d0e0f10111213141516171819", 50); + memset(data, 0xcd, 50); + crypto_hmac_sha256(digest, key, 25, data, 50); + test_memeq_hex(digest, + "82558a389a443c0ea4cc819899f2083a" + "85f0faa3e578f8077a2e3ff46729665b"); + + /* "Test case 5" from RFC 4231 */ + memset(key, 0x0c, 20); + crypto_hmac_sha256(digest, key, 20, "Test With Truncation", 20); + test_memeq_hex(digest, + "a3b6167473100ee06e0c796c2955552b"); + + /* "Test case 6" from RFC 4231 */ + memset(key, 0xaa, 131); + crypto_hmac_sha256(digest, key, 131, + "Test Using Larger Than Block-Size Key - Hash Key First", + 54); + test_memeq_hex(digest, + "60e431591ee0b67f0d8a26aacbf5b77f" + "8e0bc6213728c5140546040f0ee37f54"); + + /* "Test case 7" from RFC 4231 */ + memset(key, 0xaa, 131); + crypto_hmac_sha256(digest, key, 131, + "This is a test using a larger than block-size key and a " + "larger than block-size data. The key needs to be hashed " + "before being used by the HMAC algorithm.", 152); + test_memeq_hex(digest, + "9b09ffa71b942fcb27635fbcd5b0e944" + "bfdc63644f0713938a7f51535c3a35e2"); + /* Incremental digest code. */ d1 = crypto_new_digest_env(); test_assert(d1);

1 0

[tor/master] Functions to send cert and auth_challenge cells.
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit df78daa5da0fd27fdd2fd8ad13aa12e74696a4ef Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Sep 13 11:38:38 2011 -0400 Functions to send cert and auth_challenge cells. --- src/or/connection_or.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++ src/or/connection_or.h | 3 ++ src/or/or.h | 15 ++++++++- 3 files changed, 98 insertions(+), 1 deletions(-) diff --git a/src/or/connection_or.c b/src/or/connection_or.c index b146efb..dcb838b 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -1761,3 +1761,84 @@ connection_or_send_netinfo(or_connection_t *conn) return 0; } +/** DOCDOC */ +#define OR_CERT_TYPE_TLS_LINK 1 +#define OR_CERT_TYPE_ID_1024 2 + +/** Send a CERT cell on the connection conn. Return 0 on success, -1 + * on failure. */ +int +connection_or_send_cert_cell(or_connection_t *conn) +{ + const tor_cert_t *link_cert = NULL, *id_cert = NULL; + const uint8_t *link_encoded = NULL, *id_encoded = NULL; + size_t link_len, id_len; + var_cell_t *cell; + size_t cell_len; + int pos; + + tor_assert(conn->_base.state == OR_CONN_STATE_OR_HANDSHAKING_V3); + + if (! conn->handshake_state) + return -1; + if (tor_tls_get_my_certs(! conn->handshake_state->started_here, + &link_cert, &id_cert) < 0) + return -1; + tor_cert_get_der(link_cert, &link_encoded, &link_len); + tor_cert_get_der(id_cert, &id_encoded, &id_len); + + cell_len = 1 /* 1 octet: num certs in cell */ + + 2 * ( 1 + 2 ) /* For each cert: 1 octet for type, 2 for length */ + + link_len + id_len; + cell = var_cell_new(cell_len); + cell->command = CELL_CERT; + cell->payload[0] = 2; + pos = 1; + + cell->payload[pos] = OR_CERT_TYPE_TLS_LINK; /* Link cert */ + set_uint16(&cell->payload[pos+1], htons(link_len)); + memcpy(&cell->payload[pos+3], link_encoded, link_len); + pos += 3 + link_len; + + cell->payload[pos] = OR_CERT_TYPE_ID_1024; /* ID cert */ + set_uint16(&cell->payload[pos+1], htons(id_len)); + memcpy(&cell->payload[pos+3], id_encoded, id_len); + pos += 3 + id_len; + + tor_assert(pos == (int)cell_len); /* Otherwise we just smashed the heap */ + + connection_or_write_var_cell_to_buf(cell, conn); + var_cell_free(cell); + + return 0; +} + +/** Send an AUTH_CHALLENGE cell on the connection conn. Return 0 + * on success, -1 on failure. */ +int +connection_or_send_auth_challenge_cell(or_connection_t *conn) +{ + var_cell_t *cell; + uint8_t *cp; + uint8_t challenge[OR_AUTH_CHALLENGE_LEN]; + tor_assert(conn->_base.state == OR_CONN_STATE_OR_HANDSHAKING_V3); + + if (! conn->handshake_state) + return -1; + + if (crypto_rand((char*)challenge, OR_AUTH_CHALLENGE_LEN) < 0) + return -1; + cell = var_cell_new(OR_AUTH_CHALLENGE_LEN + 4); + cell->command = CELL_AUTH_CHALLENGE; + memcpy(cell->payload, challenge, OR_AUTH_CHALLENGE_LEN); + cp = cell->payload + OR_AUTH_CHALLENGE_LEN; + set_uint16(cp, htons(1)); /* We recognize one authentication type. */ + set_uint16(cp+2, htons(AUTHTYPE_RSA_SHA256_TLSSECRET)); + + connection_or_write_var_cell_to_buf(cell, conn); + var_cell_free(cell); + memset(challenge, 0, sizeof(challenge)); + + return 0; +} + diff --git a/src/or/connection_or.h b/src/or/connection_or.h index 072edbd..6e50e29 100644 --- a/src/or/connection_or.h +++ b/src/or/connection_or.h @@ -50,6 +50,9 @@ void connection_or_write_var_cell_to_buf(const var_cell_t *cell, int connection_or_send_destroy(circid_t circ_id, or_connection_t *conn, int reason); int connection_or_send_netinfo(or_connection_t *conn); +int connection_or_send_cert_cell(or_connection_t *conn); +int connection_or_send_auth_challenge_cell(or_connection_t *conn); + int is_or_protocol_version_known(uint16_t version); void cell_pack(packed_cell_t *dest, const cell_t *src); diff --git a/src/or/or.h b/src/or/or.h index ef4ddbd..ebf9ab5 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1084,7 +1084,10 @@ typedef struct listener_connection_t { } listener_connection_t; -/** Stores flags and information related to the portion of a v2 Tor OR +/** Minimum length of the random part of an AUTH_CHALLENGE cell. */ +#define OR_AUTH_CHALLENGE_LEN 32 + +/** Stores flags and information related to the portion of a v2/v3 Tor OR * connection handshake that happens after the TLS handshake is finished. */ typedef struct or_handshake_state_t { @@ -1095,6 +1098,16 @@ typedef struct or_handshake_state_t { unsigned int started_here : 1; /** True iff we have received and processed a VERSIONS cell. */ unsigned int received_versions : 1; + + /** Digests of the cells that we have sent or received as part of a V3 + * handshake. Used for making and checking AUTHENTICATE cells. + * + * @{ + */ + crypto_digest_env_t *digest_sent; + crypto_digest_env_t *digest_received; + /** @} */ + } or_handshake_state_t; /** Subtype of connection_t for an "OR connection" -- that is, one that speaks

1 0

[tor/master] Cell types and states for new OR handshake
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit 1b0645acba905c37759194c222aacbbe40771223 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Sep 13 10:03:09 2011 -0400 Cell types and states for new OR handshake Also, define all commands > 128 as variable-length when using v3 or later link protocol. Running into a var cell with an unrecognized type is no longer a bug. --- src/or/buffers.c | 38 ++++++++++++++++++++++++++++---------- src/or/command.c | 11 +++++------ src/or/connection.c | 9 ++++++--- src/or/connection_or.c | 6 +++--- src/or/or.h | 32 +++++++++++++++++++------------- 5 files changed, 61 insertions(+), 35 deletions(-) diff --git a/src/or/buffers.c b/src/or/buffers.c index 1025ced..c589fba 100644 --- a/src/or/buffers.c +++ b/src/or/buffers.c @@ -1005,6 +1005,32 @@ fetch_from_buf(char *string, size_t string_len, buf_t *buf) return (int)buf->datalen; } +/** True iff the cell command command is one that implies a variable-length + * cell in Tor link protocol linkproto. */ +static inline int +cell_command_is_var_length(uint8_t command, int linkproto) +{ + /* If linkproto is v2 (2), CELL_VERSIONS is the only variable-length cells work as + * implemented here. If it's 1, there are no variable-length cells. Tor + * does not support other versions right now, and so can't negotiate them. + */ + switch (linkproto) { + case 1: + /* Link protocol version 1 has no variable-length cells. */ + return 0; + case 2: + /* In link protocol version 2, VERSIONS is the only variable-length cell */ + return command == CELL_VERSIONS; + case 0: + case 3: + default: + /* In link protocol version 3 and later, and in version "unknown", + * commands 128 and higher indicate variable-length. VERSIONS is + * grandfathered in. */ + return command == CELL_VERSIONS || command >= 128; + } +} + /** Check buf for a variable-length cell according to the rules of link * protocol version linkproto. If one is found, pull it off the buffer * and assign a newly allocated var_cell_t to *out, and return 1. @@ -1019,12 +1045,6 @@ fetch_var_cell_from_buf(buf_t *buf, var_cell_t **out, int linkproto) var_cell_t *result; uint8_t command; uint16_t length; - /* If linkproto is unknown (0) or v2 (2), variable-length cells work as - * implemented here. If it's 1, there are no variable-length cells. Tor - * does not support other versions right now, and so can't negotiate them. - */ - if (linkproto == 1) - return 0; check(); *out = NULL; if (buf->datalen < VAR_CELL_HEADER_SIZE) @@ -1032,7 +1052,7 @@ fetch_var_cell_from_buf(buf_t *buf, var_cell_t **out, int linkproto) peek_from_buf(hdr, sizeof(hdr), buf); command = get_uint8(hdr+2); - if (!(CELL_COMMAND_IS_VAR_LENGTH(command))) + if (!(cell_command_is_var_length(command, linkproto))) return 0; length = ntohs(get_uint16(hdr+3)); @@ -1101,8 +1121,6 @@ fetch_var_cell_from_evbuffer(struct evbuffer *buf, var_cell_t **out, uint16_t cell_length; var_cell_t *cell; int result = 0; - if (linkproto == 1) - return 0; *out = NULL; buf_len = evbuffer_get_length(buf); @@ -1113,7 +1131,7 @@ fetch_var_cell_from_evbuffer(struct evbuffer *buf, var_cell_t **out, tor_assert(n >= VAR_CELL_HEADER_SIZE); command = get_uint8(hdr+2); - if (!(CELL_COMMAND_IS_VAR_LENGTH(command))) { + if (!(cell_command_is_var_length(command, linkproto))) { goto done; } diff --git a/src/or/command.c b/src/or/command.c index d24373e..72d8cd7 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -93,7 +93,7 @@ command_time_process_cell(cell_t *cell, or_connection_t *conn, int *time, void command_process_cell(cell_t *cell, or_connection_t *conn) { - int handshaking = (conn->_base.state == OR_CONN_STATE_OR_HANDSHAKING); + int handshaking = (conn->_base.state == OR_CONN_STATE_OR_HANDSHAKING_V2); #ifdef KEEP_TIMING_STATS /* how many of each cell have we seen so far this second? needs better * name. */ @@ -207,7 +207,7 @@ command_process_var_cell(var_cell_t *cell, or_connection_t *conn) #endif /* reject all when not handshaking. */ - if (conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING) + if (conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING_V2) return; switch (cell->command) { @@ -216,10 +216,9 @@ command_process_var_cell(var_cell_t *cell, or_connection_t *conn) PROCESS_CELL(versions, cell, conn); break; default: - log_warn(LD_BUG, + log_fn(LOG_INFO, LD_PROTOCOL, "Variable-length cell of unknown type (%d) received.", cell->command); - tor_fragile_assert(); break; } } @@ -506,7 +505,7 @@ command_process_versions_cell(var_cell_t *cell, or_connection_t *conn) int highest_supported_version = 0; const uint8_t *cp, *end; if (conn->link_proto != 0 || - conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING || + conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING_V2 || (conn->handshake_state && conn->handshake_state->received_versions)) { log_fn(LOG_PROTOCOL_WARN, LD_OR, "Received a VERSIONS cell on a connection with its version " @@ -572,7 +571,7 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn) conn->link_proto == 0 ? "non-versioned" : "a v1"); return; } - if (conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING) { + if (conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING_V2) { log_fn(LOG_PROTOCOL_WARN, LD_OR, "Received a NETINFO cell on non-handshaking connection; dropping."); return; diff --git a/src/or/connection.c b/src/or/connection.c index 45a1271..2bd2d07 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -140,10 +140,13 @@ conn_state_to_string(int type, int state) case OR_CONN_STATE_PROXY_HANDSHAKING: return "handshaking (proxy)"; case OR_CONN_STATE_TLS_HANDSHAKING: return "handshaking (TLS)"; case OR_CONN_STATE_TLS_CLIENT_RENEGOTIATING: - return "renegotiating (TLS)"; + return "renegotiating (TLS, v2 handshake)"; case OR_CONN_STATE_TLS_SERVER_RENEGOTIATING: - return "waiting for renegotiation (TLS)"; - case OR_CONN_STATE_OR_HANDSHAKING: return "handshaking (Tor)"; + return "waiting for renegotiation or V3 handshake"; + case OR_CONN_STATE_OR_HANDSHAKING_V2: + return "handshaking (Tor, v2 handshake)"; + case OR_CONN_STATE_OR_HANDSHAKING_V3: + return "handshaking (Tor, v3 handshake)"; case OR_CONN_STATE_OPEN: return "open"; } break; diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 29f0f8d..b146efb 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -387,7 +387,7 @@ connection_or_process_inbuf(or_connection_t *conn) /* fall through. */ #endif case OR_CONN_STATE_OPEN: - case OR_CONN_STATE_OR_HANDSHAKING: + case OR_CONN_STATE_OR_HANDSHAKING_V2: return connection_or_process_cells_from_inbuf(conn); default: return 0; /* don't do anything */ @@ -439,7 +439,7 @@ connection_or_finished_flushing(or_connection_t *conn) switch (conn->_base.state) { case OR_CONN_STATE_PROXY_HANDSHAKING: case OR_CONN_STATE_OPEN: - case OR_CONN_STATE_OR_HANDSHAKING: + case OR_CONN_STATE_OR_HANDSHAKING_V2: break; default: log_err(LD_BUG,"Called in unexpected state %d.", conn->_base.state); @@ -1476,7 +1476,7 @@ connection_tls_finish_handshake(or_connection_t *conn) tor_tls_block_renegotiation(conn->tls); return connection_or_set_state_open(conn); } else { - conn->_base.state = OR_CONN_STATE_OR_HANDSHAKING; + conn->_base.state = OR_CONN_STATE_OR_HANDSHAKING_V2; if (connection_init_or_handshake_state(conn, started_here) < 0) return -1; if (!started_here) { diff --git a/src/or/or.h b/src/or/or.h index d6eaeb6..ef4ddbd 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -283,22 +283,27 @@ typedef enum { #define OR_CONN_STATE_CONNECTING 1 /** State for a connection to an OR: waiting for proxy handshake to complete */ #define OR_CONN_STATE_PROXY_HANDSHAKING 2 -/** State for a connection to an OR or client: SSL is handshaking, not done +/** State for an OR connection client: SSL is handshaking, not done * yet. */ #define OR_CONN_STATE_TLS_HANDSHAKING 3 /** State for a connection to an OR: We're doing a second SSL handshake for - * renegotiation purposes. */ + * renegotiation purposes. (V2 handshake only.) */ #define OR_CONN_STATE_TLS_CLIENT_RENEGOTIATING 4 /** State for a connection at an OR: We're waiting for the client to - * renegotiate. */ + * renegotiate (to indicate a v2 handshake) or send a versions cell (to + * indicate a v3 handshake) */ #define OR_CONN_STATE_TLS_SERVER_RENEGOTIATING 5 -/** State for a connection to an OR: We're done with our SSL handshake, but we - * haven't yet negotiated link protocol versions and sent a netinfo cell. - */ -#define OR_CONN_STATE_OR_HANDSHAKING 6 -/** State for a connection to an OR: Ready to send/receive cells. */ -#define OR_CONN_STATE_OPEN 7 -#define _OR_CONN_STATE_MAX 7 +/** State for an OR connection: We're done with our SSL handshake, we've done + * renegotiation, but we haven't yet negotiated link protocol versions and + * sent a netinfo cell. */ +#define OR_CONN_STATE_OR_HANDSHAKING_V2 6 +/** State for an OR connection: We're done with our SSL handshake, but we + * haven't yet negotiated link protocol versions, done a V3 handshake, and + * sent a netinfo cell. */ +#define OR_CONN_STATE_OR_HANDSHAKING_V3 7 +/** State for an OR connection:: Ready to send/receive cells. */ +#define OR_CONN_STATE_OPEN 8 +#define _OR_CONN_STATE_MAX 8 #define _EXIT_CONN_STATE_MIN 1 /** State for an exit connection: waiting for response from DNS farm. */ @@ -820,9 +825,10 @@ typedef enum { #define CELL_NETINFO 8 #define CELL_RELAY_EARLY 9 -/** True iff the cell command x is one that implies a variable-length - * cell. */ -#define CELL_COMMAND_IS_VAR_LENGTH(x) ((x) == CELL_VERSIONS) +#define CELL_VPADDING 128 +#define CELL_CERT 129 +#define CELL_AUTH_CHALLENGE 130 +#define CELL_AUTHENTICATE 131 /** How long to test reachability before complaining to the user. */ #define TIMEOUT_UNTIL_UNREACHABILITY_COMPLAINT (20*60)

1 0

[tor/master] Function to extract the TLSSECRETS field for v3 handshakes
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit c39688de6c5d4bf19739ecffb2e98aa560a4630a Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Sep 13 13:46:21 2011 -0400 Function to extract the TLSSECRETS field for v3 handshakes --- src/common/tortls.c | 30 ++++++++++++++++++++++++++++++ src/common/tortls.h | 1 + 2 files changed, 31 insertions(+), 0 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index b711967..2b12eea 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1985,6 +1985,36 @@ tor_tls_server_got_renegotiate(tor_tls_t *tls) return tls->got_renegotiate; } +/** Set the DIGEST256_LEN buffer at secrets_out to the value used in + * the v3 handshake to prove that the client knows the TLS secrets for the + * connection tls. Return 0 on success, -1 on failure. + */ +int +tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out) +{ +#define TLSSECRET_MAGIC "Tor V3 handshake TLS cross-certification" + char buf[128]; + size_t len; + tor_assert(tls); + tor_assert(tls->ssl); + tor_assert(tls->ssl->s3); + tor_assert(tls->ssl->session); + /* + The value is an HMAC, using the TLS master key as the HMAC key, of + client_random | server_random | TLSSECRET_MAGIC + */ + memcpy(buf + 0, tls->ssl->s3->client_random, 32); + memcpy(buf + 32, tls->ssl->s3->server_random, 32); + memcpy(buf + 64, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1); + len = 64 + strlen(TLSSECRET_MAGIC) + 1; + crypto_hmac_sha256((char*)secrets_out, + (char*)tls->ssl->session->master_key, + tls->ssl->session->master_key_length, + buf, len); + memset(buf, 0, sizeof(buf)); + return 0; +} + /** Examine the amount of memory used and available for buffers in tls. * Set *rbuf_capacity to the amount of storage allocated for the read * buffer and *rbuf_bytes to the amount actually used. diff --git a/src/common/tortls.h b/src/common/tortls.h index c55da4a..a6aed29 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -90,6 +90,7 @@ void tor_tls_get_buffer_sizes(tor_tls_t *tls, int tor_tls_used_v1_handshake(tor_tls_t *tls); int tor_tls_get_num_server_handshakes(tor_tls_t *tls); int tor_tls_server_got_renegotiate(tor_tls_t *tls); +int tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out); /* Log and abort if there are unhandled TLS errors in OpenSSL's error stack. */

1 0

[tor/master] More functions to manipulate certs received in cells
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit f4c1fa2a04c310c4e0274129bb2fff2aacb59248 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Sep 14 13:04:48 2011 -0400 More functions to manipulate certs received in cells --- src/common/tortls.c | 118 +++++++++++++++++++++++++++++++++++++++++++++------ src/common/tortls.h | 3 + 2 files changed, 108 insertions(+), 13 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 2b12eea..0ba47ba 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -207,6 +207,7 @@ static int tor_tls_context_init_one(tor_tls_context_t **ppcontext, unsigned int key_lifetime); static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime); +static int check_cert_lifetime_internal(const X509 *cert, int tolerance); /** Global TLS contexts. We keep them here because nobody else needs * to touch them. */ @@ -823,6 +824,84 @@ tor_tls_get_my_certs(int server, return 0; } +/** Return true iff a and b represent the same public key. */ +static int +pkey_eq(EVP_PKEY *a, EVP_PKEY *b) +{ + /* We'd like to do this, but openssl 0.9.7 doesn't have it: + return EVP_PKEY_cmp(a,b) == 1; + */ + unsigned char *a_enc=NULL, *b_enc=NULL, *a_ptr, *b_ptr; + int a_len1, b_len1, a_len2, b_len2, result; + a_len1 = i2d_PublicKey(a, NULL); + b_len1 = i2d_PublicKey(b, NULL); + if (a_len1 != b_len1) + return 0; + a_ptr = a_enc = tor_malloc(a_len1); + b_ptr = b_enc = tor_malloc(b_len1); + a_len2 = i2d_PublicKey(a, &a_ptr); + b_len2 = i2d_PublicKey(b, &b_ptr); + tor_assert(a_len2 == a_len1); + tor_assert(b_len2 == b_len1); + result = tor_memeq(a_enc, b_enc, a_len1); + tor_free(a_enc); + tor_free(b_enc); + return result; +} + +/** Return true iff the other side of tls has authenticated to us, and + * the key certified in cert is the same as the key they used to do it. + */ +int +tor_tls_cert_matches_key(const tor_tls_t *tls, const tor_cert_t *cert) +{ + X509 *peercert = SSL_get_peer_certificate(tls->ssl); + EVP_PKEY *link_key = NULL, *cert_key = NULL; + int result; + + if (!peercert) + return 0; + link_key = X509_get_pubkey(peercert); + cert_key = X509_get_pubkey(cert->cert); + + result = link_key && cert_key && pkey_eq(cert_key, link_key); + + X509_free(peercert); + if (link_key) + EVP_PKEY_free(link_key); + if (cert_key) + EVP_PKEY_free(cert_key); + + return result; +} + +/** Check wither cert is well-formed, currently live, and correctly + * signed by the public key in signing_cert. Return 0 if the cert is + * good, and -1 if it's bad or we couldn't check it. */ +int +tor_tls_cert_is_valid(const tor_cert_t *cert, + const tor_cert_t *signing_cert) +{ + EVP_PKEY *signing_key = X509_get_pubkey(signing_cert->cert); + int r; + if (!signing_key) + return 0; + r = X509_verify(cert->cert, signing_key); + EVP_PKEY_free(signing_key); + if (r <= 0) + return 0; + + /* okay, the signature checked out right. Now let's check the check the + * lifetime. */ + /*XXXX tolerance might be iffy here */ + if (check_cert_lifetime_internal(cert->cert, 60*60) < 0) + return 0; + + /* XXXX compare DNs or anything? */ + + return -1; +} + /** Increase the reference count of ctx. */ static void tor_tls_context_incref(tor_tls_context_t *ctx) @@ -1709,7 +1788,7 @@ tor_tls_peer_has_cert(tor_tls_t *tls) /** Warn that a certificate lifetime extends through a certain range. */ static void -log_cert_lifetime(X509 *cert, const char *problem) +log_cert_lifetime(const X509 *cert, const char *problem) { BIO *bio = NULL; BUF_MEM *buf; @@ -1856,25 +1935,14 @@ tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity_key) int tor_tls_check_lifetime(tor_tls_t *tls, int tolerance) { - time_t now, t; X509 *cert; int r = -1; - now = time(NULL); - if (!(cert = SSL_get_peer_certificate(tls->ssl))) goto done; - t = now + tolerance; - if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) { - log_cert_lifetime(cert, "not yet valid"); + if (check_cert_lifetime_internal(cert, tolerance) < 0) goto done; - } - t = now - tolerance; - if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) { - log_cert_lifetime(cert, "already expired"); - goto done; - } r = 0; done: @@ -1886,6 +1954,30 @@ tor_tls_check_lifetime(tor_tls_t *tls, int tolerance) return r; } +/** Helper: check whether cert is currently live, give or take + * tolerance seconds. If it is live, return 0. If it is not live, + * log a message and return -1. */ +static int +check_cert_lifetime_internal(const X509 *cert, int tolerance) +{ + time_t now, t; + + now = time(NULL); + + t = now + tolerance; + if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) { + log_cert_lifetime(cert, "not yet valid"); + return -1; + } + t = now - tolerance; + if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) { + log_cert_lifetime(cert, "already expired"); + return -1; + } + + return 0; +} + /** Return the number of bytes available for reading from tls. */ int diff --git a/src/common/tortls.h b/src/common/tortls.h index a6aed29..36309af 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -115,6 +115,9 @@ void tor_cert_get_der(const tor_cert_t *cert, int tor_tls_get_my_certs(int server, const tor_cert_t **link_cert_out, const tor_cert_t **id_cert_out); +int tor_tls_cert_matches_key(const tor_tls_t *tls, const tor_cert_t *cert); +int tor_tls_cert_is_valid(const tor_cert_t *cert, + const tor_cert_t *signing_cert); #endif

1 0

[tor/master] Function to detect certificate types that signal v3 certificates
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit 92602345e001d8e66038d5d98cbb21eea5ef40c9 Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Sep 16 17:48:20 2011 -0400 Function to detect certificate types that signal v3 certificates --- src/common/tortls.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++ src/common/tortls.h | 1 + 2 files changed, 72 insertions(+), 0 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 1435223..332d784 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -2075,6 +2075,77 @@ tor_tls_used_v1_handshake(tor_tls_t *tls) return 1; } +/** Return true iff name is a DN of a kind that could only + * occur in a v3-handshake-indicating certificate */ +static int +dn_indicates_v3_cert(X509_NAME *name) +{ + X509_NAME_ENTRY *entry; + int n_entries; + ASN1_OBJECT *obj; + ASN1_STRING *str; + unsigned char *s; + int len, r; + + n_entries = X509_NAME_entry_count(name); + if (n_entries != 1) + return 1; /* More than one entry in the DN. */ + entry = X509_NAME_get_entry(name, 0); + + obj = X509_NAME_ENTRY_get_object(entry); + if (OBJ_obj2nid(obj) != OBJ_txt2nid("commonName")) + return 1; /* The entry isn't a commonName. */ + + str = X509_NAME_ENTRY_get_data(entry); + len = ASN1_STRING_to_UTF8(&s, str); + if (len < 0) + return 0; + r = fast_memneq(s + len - 4, ".net", 4); + OPENSSL_free(s); + return r; +} + +/** Return true iff the peer certificate we're received on tls + * indicates that this connection should use the v3 (in-protocol) + * authentication handshake. + * + * Only the connection initiator should use this, and only once the initial + * handshake is done; the responder detects a v1 handshake by cipher types, + * and a v3/v2 handshake by Versions cell vs renegotiation. + */ +int +tor_tls_received_v3_certificate(tor_tls_t *tls) +{ + X509 *cert = SSL_get_peer_certificate(tls->ssl); + EVP_PKEY *key; + X509_NAME *issuer_name, *subject_name; + + if (!cert) { + log_warn(LD_BUG, "Called on a connection with no peer certificate"); + return 0; + } + + subject_name = X509_get_subject_name(cert); + issuer_name = X509_get_issuer_name(cert); + + if (X509_name_cmp(subject_name, issuer_name) == 0) + return 1; /* purportedly self signed */ + + if (dn_indicates_v3_cert(subject_name) || + dn_indicates_v3_cert(issuer_name)) + return 1; /* DN is fancy */ + + key = X509_get_pubkey(cert); + if (EVP_PKEY_bits(key) != 1024 || + EVP_PKEY_type(key->type) != EVP_PKEY_RSA) { + EVP_PKEY_free(key); + return 1; /* Key is fancy */ + } + + EVP_PKEY_free(key); + return 0; +} + /** Return the number of server handshakes that we've noticed doing on * tls. */ int diff --git a/src/common/tortls.h b/src/common/tortls.h index 40eb830..70d24a5 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -88,6 +88,7 @@ void tor_tls_get_buffer_sizes(tor_tls_t *tls, size_t *wbuf_capacity, size_t *wbuf_bytes); int tor_tls_used_v1_handshake(tor_tls_t *tls); +int tor_tls_received_v3_certificate(tor_tls_t *tls); int tor_tls_get_num_server_handshakes(tor_tls_t *tls); int tor_tls_server_got_renegotiate(tor_tls_t *tls); int tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out);

1 0