October 2011 - tor-commits - lists.torproject.org

[tor/master] Basic function to write authenticate cells
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit 81024f43ec3a3ab32683764cb925606bfcb603d7 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Sep 14 14:44:42 2011 -0400 Basic function to write authenticate cells Also, tweak the cert cell code to send auth certs --- src/or/connection_or.c | 195 +++++++++++++++++++++++++++++++++++++++++++++++- src/or/connection_or.h | 5 + 2 files changed, 197 insertions(+), 3 deletions(-) diff --git a/src/or/connection_or.c b/src/or/connection_or.c index dcb838b..c72d89d 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -1776,13 +1776,14 @@ connection_or_send_cert_cell(or_connection_t *conn) var_cell_t *cell; size_t cell_len; int pos; + int server_mode; tor_assert(conn->_base.state == OR_CONN_STATE_OR_HANDSHAKING_V3); if (! conn->handshake_state) return -1; - if (tor_tls_get_my_certs(! conn->handshake_state->started_here, - &link_cert, &id_cert) < 0) + server_mode = ! conn->handshake_state->started_here; + if (tor_tls_get_my_certs(server_mode, &link_cert, &id_cert) < 0) return -1; tor_cert_get_der(link_cert, &link_encoded, &link_len); tor_cert_get_der(id_cert, &id_encoded, &id_len); @@ -1795,7 +1796,10 @@ connection_or_send_cert_cell(or_connection_t *conn) cell->payload[0] = 2; pos = 1; - cell->payload[pos] = OR_CERT_TYPE_TLS_LINK; /* Link cert */ + if (server_mode) + cell->payload[pos] = OR_CERT_TYPE_TLS_LINK; /* Link cert */ + else + cell->payload[pos] = OR_CERT_TYPE_AUTH_1024; /* client authentication */ set_uint16(&cell->payload[pos+1], htons(link_len)); memcpy(&cell->payload[pos+3], link_encoded, link_len); pos += 3 + link_len; @@ -1842,3 +1846,188 @@ connection_or_send_auth_challenge_cell(or_connection_t *conn) return 0; } +/** DOCDOC */ +#define V3_HS_AUTH_FIXED_PART_LEN (8+(32*6)) +#define V3_HS_AUTH_BODY_LEN (V3_HS_AUTH_FIXED_PART_LEN + 8 + 16) + +#define AUTHTYPE_RSA_SHA256_TLSSECRET 1 + +/** Compute the main body of an AUTHENTICATE cell that a client can use + * to authenticate itself on a v3 handshake for conn. Write it to the + * outlen-byte buffer at out. + * + * If server is true, only calculate the first + * V3_HS_AUTH_FIXED_PART_LEN bytes -- the part of the authenticator that's + * determined by the rest of the handshake, and which match the provided value + * exactly. + * + * If server is false and signing_key is NULL, calculate the + * first V3_HS_AUTH_BODY_LEN bytes of the authenticator (that is, everything + * that should be signed), but don't actually sign it. + * + * If server is false and signing_key is provided, calculate the + * entire authenticator, signed with signing_key. + */ +int +connection_or_compute_authenticate_cell_body(or_connection_t *conn, + uint8_t *out, size_t outlen, + crypto_pk_env_t *signing_key, + int server) +{ + uint8_t *ptr; + + /* assert state is reasonable XXXX */ + + if (outlen < V3_HS_AUTH_FIXED_PART_LEN || + (!server && outlen < V3_HS_AUTH_BODY_LEN)) + return -1; + + ptr = out; + + /* Type: 8 bytes. */ + memcpy(ptr, "AUTH0001", 8); + ptr += 8; + + { + const tor_cert_t *id_cert=NULL, *link_cert=NULL; + const uint8_t *my_id, *their_id, *client_id, *server_id; + if (tor_tls_get_my_certs(0, &link_cert, &id_cert)) + return -1; + my_id = (uint8_t*)tor_cert_get_id_digests(id_cert)->d[DIGEST_SHA256]; + their_id = (uint8_t*) + tor_cert_get_id_digests(conn->handshake_state->id_cert)->d[DIGEST_SHA256]; + client_id = server ? their_id : my_id; + server_id = server ? my_id : their_id; + + /* Client ID digest: 32 octets. */ + memcpy(ptr, client_id, 32); + ptr += 32; + + /* Server ID digest: 32 octets. */ + memcpy(ptr, server_id, 32); + ptr += 32; + } + + { + crypto_digest_env_t *server_d, *client_d; + if (server) { + server_d = conn->handshake_state->digest_sent; + client_d = conn->handshake_state->digest_received; + } else { + client_d = conn->handshake_state->digest_sent; + server_d = conn->handshake_state->digest_received; + } + + /* Server log digest : 32 octets */ + crypto_digest_get_digest(server_d, (char*)ptr, 32); + ptr += 32; + + /* Client log digest : 32 octets */ + crypto_digest_get_digest(client_d, (char*)ptr, 32); + ptr += 32; + } + + { + /* Digest of cert used on TLS link : 32 octets. */ + const tor_cert_t *cert = NULL; + tor_cert_t *freecert = NULL; + if (server) { + tor_tls_get_my_certs(1, &cert, NULL); + } else { + freecert = tor_tls_get_peer_cert(conn->tls); + cert = freecert; + } + if (!cert) + return -1; + memcpy(ptr, tor_cert_get_cert_digests(cert)->d[DIGEST_SHA256], 32); + + if (freecert) + tor_cert_free(freecert); + ptr += 32; + } + + /* HMAC of clientrandom and serverrandom using master key : 32 octets */ + tor_tls_get_tlssecrets(conn->tls, ptr); + ptr += 32; + + tor_assert(ptr - out == V3_HS_AUTH_FIXED_PART_LEN); + + if (server) + return ptr-out; + + /* Time: 8 octets. */ + { + uint64_t now = time(NULL); + if ((time_t)now < 0) + return -1; + set_uint32(ptr, htonl((uint32_t)(now>>32))); + set_uint32(ptr+4, htonl((uint32_t)now)); + ptr += 8; + } + + /* Nonce: 16 octets. */ + crypto_rand((char*)ptr, 16); + ptr += 16; + + tor_assert(ptr - out == V3_HS_AUTH_BODY_LEN); + + if (!signing_key) + return ptr - out; + + { + int siglen; + char d[32]; + crypto_digest256(d, (char*)out, ptr-out, DIGEST_SHA256); + siglen = crypto_pk_private_sign(signing_key, + (char*)ptr, outlen - (ptr-out), + d, 32); + if (siglen < 0) + return -1; + + ptr += siglen; + tor_assert(ptr <= out+outlen); + return ptr - out; + } +} + +/** Send an AUTHENTICATE cell on the connection conn. Return 0 on + * success, -1 on failure */ +int +connection_or_send_authenticate_cell(or_connection_t *conn) +{ + var_cell_t *cell; + crypto_pk_env_t *pk = tor_tls_get_my_client_auth_key(); + int authlen; + int cell_maxlen; + /* XXXX make sure we're actually supposed to send this! */ + + if (!pk) + return -1;/*XXXX log*/ + cell_maxlen = 4 + /* overhead */ + V3_HS_AUTH_BODY_LEN + /* Authentication body */ + crypto_pk_keysize(pk) + /* Max signature length */ + 16 /* just in case XXXX */ ; + + cell = var_cell_new(cell_maxlen); + set_uint16(cell->payload, htons(AUTHTYPE_RSA_SHA256_TLSSECRET)); + /* skip over length ; we don't know that yet. */ + + authlen = connection_or_compute_authenticate_cell_body(conn, + cell->payload+4, + cell_maxlen-4, + pk, + 0 /* not server */); + if (authlen < 0) { + /* XXXX log */ + var_cell_free(cell); + return -1; + } + tor_assert(authlen + 4 <= cell->payload_len); + set_uint16(cell->payload+2, htons(authlen)); + cell->payload_len = authlen + 4; + + connection_or_write_var_cell_to_buf(cell, conn); + var_cell_free(cell); + + return 0; +} diff --git a/src/or/connection_or.h b/src/or/connection_or.h index 6e50e29..ba441c4 100644 --- a/src/or/connection_or.h +++ b/src/or/connection_or.h @@ -52,6 +52,11 @@ int connection_or_send_destroy(circid_t circ_id, or_connection_t *conn, int connection_or_send_netinfo(or_connection_t *conn); int connection_or_send_cert_cell(or_connection_t *conn); int connection_or_send_auth_challenge_cell(or_connection_t *conn); +int connection_or_compute_authenticate_cell_body(or_connection_t *conn, + uint8_t *out, size_t outlen, + crypto_pk_env_t *signing_key, + int server); +int connection_or_send_authenticate_cell(or_connection_t *conn); int is_or_protocol_version_known(uint16_t version);

1 0

[tor/master] Function to return peer cert as tor_tls_cert
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit e48e47fa03fa09d89527c1bbfaee4c9d7d3eee6e Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Sep 22 11:01:14 2011 -0400 Function to return peer cert as tor_tls_cert --- src/common/tortls.c | 12 ++++++++++++ src/common/tortls.h | 1 + 2 files changed, 13 insertions(+), 0 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index e275307..aa90f18 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1856,6 +1856,18 @@ tor_tls_peer_has_cert(tor_tls_t *tls) return 1; } +/** Return the peer certificate, or NULL if there isn't one. */ +tor_cert_t * +tor_tls_get_peer_cert(tor_tls_t *tls) +{ + X509 *cert; + cert = SSL_get_peer_certificate(tls->ssl); + tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, "getting peer certificate"); + if (!cert) + return NULL; + return tor_cert_new(cert); +} + /** Warn that a certificate lifetime extends through a certain range. */ static void log_cert_lifetime(const X509 *cert, const char *problem) diff --git a/src/common/tortls.h b/src/common/tortls.h index b522dd1..00bf406 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -66,6 +66,7 @@ void tor_tls_set_renegotiate_callback(tor_tls_t *tls, int tor_tls_is_server(tor_tls_t *tls); void tor_tls_free(tor_tls_t *tls); int tor_tls_peer_has_cert(tor_tls_t *tls); +tor_cert_t *tor_tls_get_peer_cert(tor_tls_t *tls); int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity); int tor_tls_check_lifetime(tor_tls_t *tls, int tolerance); int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);

1 0

[tor/master] Functions to get a public RSA key from a cert
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit 0a4f56277290d4736db3b15dc4c2071000f7883f Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Sep 22 10:18:17 2011 -0400 Functions to get a public RSA key from a cert --- src/common/tortls.c | 34 ++++++++++++++++++++++++++++++++++ src/common/tortls.h | 2 ++ 2 files changed, 36 insertions(+), 0 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 332d784..5d36fd0 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -838,6 +838,40 @@ tor_tls_get_my_certs(int server, return 0; } +/** + * Return the authentication key that we use to authenticate ourselves as a + * client in the V3 in-protocol handshake. + */ +crypto_pk_env_t * +tor_tls_get_my_client_auth_key(void) +{ + if (! client_tls_context) + return NULL; + return client_tls_context->auth_key; +} + +/** + * Return the public key that a cetificate certifies. Return NULL if the + * cert's key is not RSA. + */ +crypto_pk_env_t * +tor_tls_cert_get_key(tor_cert_t *cert) +{ + crypto_pk_env_t *result = NULL; + EVP_PKEY *pkey = X509_get_pubkey(cert->cert); + RSA *rsa; + if (!pkey) + return NULL; + rsa = EVP_PKEY_get1_RSA(pkey); + if (!rsa) { + EVP_PKEY_free(pkey); + return NULL; + } + result = _crypto_new_pk_env_rsa(rsa); + EVP_PKEY_free(pkey); + return result; +} + /** Return true iff a and b represent the same public key. */ static int pkey_eq(EVP_PKEY *a, EVP_PKEY *b) diff --git a/src/common/tortls.h b/src/common/tortls.h index 70d24a5..b522dd1 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -118,6 +118,8 @@ const digests_t *tor_cert_get_cert_digests(const tor_cert_t *cert); int tor_tls_get_my_certs(int server, const tor_cert_t **link_cert_out, const tor_cert_t **id_cert_out); +crypto_pk_env_t *tor_tls_get_my_client_auth_key(void); +crypto_pk_env_t *tor_tls_cert_get_key(tor_cert_t *cert); int tor_tls_cert_matches_key(const tor_tls_t *tls, const tor_cert_t *cert); int tor_tls_cert_is_valid(const tor_cert_t *cert, const tor_cert_t *signing_cert);

1 0

[tor/master] Add AUTH keys as specified in proposal 176
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit a6fc5059cdb3263c0053ac76c39bef43a61269cc Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Sep 16 11:21:30 2011 -0400 Add AUTH keys as specified in proposal 176 Our keys and x.509 certs are proliferating here. Previously we had: An ID cert (using the main ID key), self-signed A link cert (using a shorter-term link key), signed by the ID key Once proposal 176 and 179 are done, we will also have: Optionally, a presentation cert (using the link key), signed by whomever. An authentication cert (using a shorter-term ID key), signed by the ID key. These new keys are managed as part of the tls context infrastructure, since you want to rotate them under exactly the same circumstances, and since they need X509 certificates. --- src/common/tortls.c | 46 ++++++++++++++++++++++++++++++++++------------ 1 files changed, 34 insertions(+), 12 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 5d36fd0..e275307 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -112,9 +112,11 @@ struct tor_cert_t { typedef struct tor_tls_context_t { int refcnt; SSL_CTX *ctx; - tor_cert_t *my_cert; + tor_cert_t *my_link_cert; tor_cert_t *my_id_cert; - crypto_pk_env_t *key; + tor_cert_t *my_auth_cert; + crypto_pk_env_t *link_key; + crypto_pk_env_t *auth_key; } tor_tls_context_t; #define TOR_TLS_MAGIC 0x71571571 @@ -811,9 +813,11 @@ tor_tls_context_decref(tor_tls_context_t *ctx) tor_assert(ctx); if (--ctx->refcnt == 0) { SSL_CTX_free(ctx->ctx); - tor_cert_free(ctx->my_cert); + tor_cert_free(ctx->my_link_cert); tor_cert_free(ctx->my_id_cert); - crypto_free_pk_env(ctx->key); + tor_cert_free(ctx->my_auth_cert); + crypto_free_pk_env(ctx->link_key); + crypto_free_pk_env(ctx->auth_key); tor_free(ctx); } } @@ -832,7 +836,7 @@ tor_tls_get_my_certs(int server, if (! ctx) return -1; if (link_cert_out) - *link_cert_out = ctx->my_cert; + *link_cert_out = server ? ctx->my_link_cert : ctx->my_auth_cert; if (id_cert_out) *id_cert_out = ctx->my_id_cert; return 0; @@ -1050,37 +1054,48 @@ tor_tls_context_init_one(tor_tls_context_t **ppcontext, static tor_tls_context_t * tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) { - crypto_pk_env_t *rsa = NULL; + crypto_pk_env_t *rsa = NULL, *rsa_auth = NULL; EVP_PKEY *pkey = NULL; tor_tls_context_t *result = NULL; - X509 *cert = NULL, *idcert = NULL; + X509 *cert = NULL, *idcert = NULL, *authcert = NULL; char *nickname = NULL, *nn2 = NULL; tor_tls_init(); nickname = crypto_random_hostname(8, 20, "www.", ".net"); nn2 = crypto_random_hostname(8, 20, "www.", ".net"); - /* Generate short-term RSA key. */ + /* Generate short-term RSA key for use with TLS. */ if (!(rsa = crypto_new_pk_env())) goto error; if (crypto_pk_generate_key(rsa)<0) goto error; - /* Create certificate signed by identity key. */ + /* Generate short-term RSA key for use in the in-protocol ("v3") + * authentication handshake. */ + if (!(rsa_auth = crypto_new_pk_env())) + goto error; + if (crypto_pk_generate_key(rsa_auth)<0) + goto error; + /* Create a link certificate signed by identity key. */ cert = tor_tls_create_certificate(rsa, identity, nickname, nn2, key_lifetime); /* Create self-signed certificate for identity key. */ idcert = tor_tls_create_certificate(identity, identity, nn2, nn2, IDENTITY_CERT_LIFETIME); - if (!cert || !idcert) { + /* Create an authentication certificate signed by identity key. */ + authcert = tor_tls_create_certificate(rsa_auth, identity, nickname, nn2, + key_lifetime); + if (!cert || !idcert || !authcert) { log(LOG_WARN, LD_CRYPTO, "Error creating certificate"); goto error; } result = tor_malloc_zero(sizeof(tor_tls_context_t)); result->refcnt = 1; - result->my_cert = tor_cert_new(X509_dup(cert)); + result->my_link_cert = tor_cert_new(X509_dup(cert)); result->my_id_cert = tor_cert_new(X509_dup(idcert)); - result->key = crypto_pk_dup_key(rsa); + result->my_auth_cert = tor_cert_new(X509_dup(authcert)); + result->link_key = crypto_pk_dup_key(rsa); + result->auth_key = crypto_pk_dup_key(rsa_auth); #ifdef EVERYONE_HAS_AES /* Tell OpenSSL to only use TLS1 */ @@ -1146,6 +1161,9 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) if (rsa) crypto_free_pk_env(rsa); + if (rsa_auth) + crypto_free_pk_env(rsa_auth); + X509_free(authcert); tor_free(nickname); tor_free(nn2); return result; @@ -1158,12 +1176,16 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) EVP_PKEY_free(pkey); if (rsa) crypto_free_pk_env(rsa); + if (rsa_auth) + crypto_free_pk_env(rsa_auth); if (result) tor_tls_context_decref(result); if (cert) X509_free(cert); if (idcert) X509_free(idcert); + if (authcert) + X509_free(authcert); return NULL; }

1 0

[tor/master] Function to detect certificate types that signal v3 certificates
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit 92602345e001d8e66038d5d98cbb21eea5ef40c9 Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Sep 16 17:48:20 2011 -0400 Function to detect certificate types that signal v3 certificates --- src/common/tortls.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++ src/common/tortls.h | 1 + 2 files changed, 72 insertions(+), 0 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 1435223..332d784 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -2075,6 +2075,77 @@ tor_tls_used_v1_handshake(tor_tls_t *tls) return 1; } +/** Return true iff name is a DN of a kind that could only + * occur in a v3-handshake-indicating certificate */ +static int +dn_indicates_v3_cert(X509_NAME *name) +{ + X509_NAME_ENTRY *entry; + int n_entries; + ASN1_OBJECT *obj; + ASN1_STRING *str; + unsigned char *s; + int len, r; + + n_entries = X509_NAME_entry_count(name); + if (n_entries != 1) + return 1; /* More than one entry in the DN. */ + entry = X509_NAME_get_entry(name, 0); + + obj = X509_NAME_ENTRY_get_object(entry); + if (OBJ_obj2nid(obj) != OBJ_txt2nid("commonName")) + return 1; /* The entry isn't a commonName. */ + + str = X509_NAME_ENTRY_get_data(entry); + len = ASN1_STRING_to_UTF8(&s, str); + if (len < 0) + return 0; + r = fast_memneq(s + len - 4, ".net", 4); + OPENSSL_free(s); + return r; +} + +/** Return true iff the peer certificate we're received on tls + * indicates that this connection should use the v3 (in-protocol) + * authentication handshake. + * + * Only the connection initiator should use this, and only once the initial + * handshake is done; the responder detects a v1 handshake by cipher types, + * and a v3/v2 handshake by Versions cell vs renegotiation. + */ +int +tor_tls_received_v3_certificate(tor_tls_t *tls) +{ + X509 *cert = SSL_get_peer_certificate(tls->ssl); + EVP_PKEY *key; + X509_NAME *issuer_name, *subject_name; + + if (!cert) { + log_warn(LD_BUG, "Called on a connection with no peer certificate"); + return 0; + } + + subject_name = X509_get_subject_name(cert); + issuer_name = X509_get_issuer_name(cert); + + if (X509_name_cmp(subject_name, issuer_name) == 0) + return 1; /* purportedly self signed */ + + if (dn_indicates_v3_cert(subject_name) || + dn_indicates_v3_cert(issuer_name)) + return 1; /* DN is fancy */ + + key = X509_get_pubkey(cert); + if (EVP_PKEY_bits(key) != 1024 || + EVP_PKEY_type(key->type) != EVP_PKEY_RSA) { + EVP_PKEY_free(key); + return 1; /* Key is fancy */ + } + + EVP_PKEY_free(key); + return 0; +} + /** Return the number of server handshakes that we've noticed doing on * tls. */ int diff --git a/src/common/tortls.h b/src/common/tortls.h index 40eb830..70d24a5 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -88,6 +88,7 @@ void tor_tls_get_buffer_sizes(tor_tls_t *tls, size_t *wbuf_capacity, size_t *wbuf_bytes); int tor_tls_used_v1_handshake(tor_tls_t *tls); +int tor_tls_received_v3_certificate(tor_tls_t *tls); int tor_tls_get_num_server_handshakes(tor_tls_t *tls); int tor_tls_server_got_renegotiate(tor_tls_t *tls); int tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out);

1 0

[tor/master] Function to extract the TLSSECRETS field for v3 handshakes
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit c39688de6c5d4bf19739ecffb2e98aa560a4630a Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Sep 13 13:46:21 2011 -0400 Function to extract the TLSSECRETS field for v3 handshakes --- src/common/tortls.c | 30 ++++++++++++++++++++++++++++++ src/common/tortls.h | 1 + 2 files changed, 31 insertions(+), 0 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index b711967..2b12eea 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1985,6 +1985,36 @@ tor_tls_server_got_renegotiate(tor_tls_t *tls) return tls->got_renegotiate; } +/** Set the DIGEST256_LEN buffer at secrets_out to the value used in + * the v3 handshake to prove that the client knows the TLS secrets for the + * connection tls. Return 0 on success, -1 on failure. + */ +int +tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out) +{ +#define TLSSECRET_MAGIC "Tor V3 handshake TLS cross-certification" + char buf[128]; + size_t len; + tor_assert(tls); + tor_assert(tls->ssl); + tor_assert(tls->ssl->s3); + tor_assert(tls->ssl->session); + /* + The value is an HMAC, using the TLS master key as the HMAC key, of + client_random | server_random | TLSSECRET_MAGIC + */ + memcpy(buf + 0, tls->ssl->s3->client_random, 32); + memcpy(buf + 32, tls->ssl->s3->server_random, 32); + memcpy(buf + 64, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1); + len = 64 + strlen(TLSSECRET_MAGIC) + 1; + crypto_hmac_sha256((char*)secrets_out, + (char*)tls->ssl->session->master_key, + tls->ssl->session->master_key_length, + buf, len); + memset(buf, 0, sizeof(buf)); + return 0; +} + /** Examine the amount of memory used and available for buffers in tls. * Set *rbuf_capacity to the amount of storage allocated for the read * buffer and *rbuf_bytes to the amount actually used. diff --git a/src/common/tortls.h b/src/common/tortls.h index c55da4a..a6aed29 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -90,6 +90,7 @@ void tor_tls_get_buffer_sizes(tor_tls_t *tls, int tor_tls_used_v1_handshake(tor_tls_t *tls); int tor_tls_get_num_server_handshakes(tor_tls_t *tls); int tor_tls_server_got_renegotiate(tor_tls_t *tls); +int tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out); /* Log and abort if there are unhandled TLS errors in OpenSSL's error stack. */

1 0

[tor/master] Functions to send cert and auth_challenge cells.
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit df78daa5da0fd27fdd2fd8ad13aa12e74696a4ef Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Sep 13 11:38:38 2011 -0400 Functions to send cert and auth_challenge cells. --- src/or/connection_or.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++ src/or/connection_or.h | 3 ++ src/or/or.h | 15 ++++++++- 3 files changed, 98 insertions(+), 1 deletions(-) diff --git a/src/or/connection_or.c b/src/or/connection_or.c index b146efb..dcb838b 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -1761,3 +1761,84 @@ connection_or_send_netinfo(or_connection_t *conn) return 0; } +/** DOCDOC */ +#define OR_CERT_TYPE_TLS_LINK 1 +#define OR_CERT_TYPE_ID_1024 2 + +/** Send a CERT cell on the connection conn. Return 0 on success, -1 + * on failure. */ +int +connection_or_send_cert_cell(or_connection_t *conn) +{ + const tor_cert_t *link_cert = NULL, *id_cert = NULL; + const uint8_t *link_encoded = NULL, *id_encoded = NULL; + size_t link_len, id_len; + var_cell_t *cell; + size_t cell_len; + int pos; + + tor_assert(conn->_base.state == OR_CONN_STATE_OR_HANDSHAKING_V3); + + if (! conn->handshake_state) + return -1; + if (tor_tls_get_my_certs(! conn->handshake_state->started_here, + &link_cert, &id_cert) < 0) + return -1; + tor_cert_get_der(link_cert, &link_encoded, &link_len); + tor_cert_get_der(id_cert, &id_encoded, &id_len); + + cell_len = 1 /* 1 octet: num certs in cell */ + + 2 * ( 1 + 2 ) /* For each cert: 1 octet for type, 2 for length */ + + link_len + id_len; + cell = var_cell_new(cell_len); + cell->command = CELL_CERT; + cell->payload[0] = 2; + pos = 1; + + cell->payload[pos] = OR_CERT_TYPE_TLS_LINK; /* Link cert */ + set_uint16(&cell->payload[pos+1], htons(link_len)); + memcpy(&cell->payload[pos+3], link_encoded, link_len); + pos += 3 + link_len; + + cell->payload[pos] = OR_CERT_TYPE_ID_1024; /* ID cert */ + set_uint16(&cell->payload[pos+1], htons(id_len)); + memcpy(&cell->payload[pos+3], id_encoded, id_len); + pos += 3 + id_len; + + tor_assert(pos == (int)cell_len); /* Otherwise we just smashed the heap */ + + connection_or_write_var_cell_to_buf(cell, conn); + var_cell_free(cell); + + return 0; +} + +/** Send an AUTH_CHALLENGE cell on the connection conn. Return 0 + * on success, -1 on failure. */ +int +connection_or_send_auth_challenge_cell(or_connection_t *conn) +{ + var_cell_t *cell; + uint8_t *cp; + uint8_t challenge[OR_AUTH_CHALLENGE_LEN]; + tor_assert(conn->_base.state == OR_CONN_STATE_OR_HANDSHAKING_V3); + + if (! conn->handshake_state) + return -1; + + if (crypto_rand((char*)challenge, OR_AUTH_CHALLENGE_LEN) < 0) + return -1; + cell = var_cell_new(OR_AUTH_CHALLENGE_LEN + 4); + cell->command = CELL_AUTH_CHALLENGE; + memcpy(cell->payload, challenge, OR_AUTH_CHALLENGE_LEN); + cp = cell->payload + OR_AUTH_CHALLENGE_LEN; + set_uint16(cp, htons(1)); /* We recognize one authentication type. */ + set_uint16(cp+2, htons(AUTHTYPE_RSA_SHA256_TLSSECRET)); + + connection_or_write_var_cell_to_buf(cell, conn); + var_cell_free(cell); + memset(challenge, 0, sizeof(challenge)); + + return 0; +} + diff --git a/src/or/connection_or.h b/src/or/connection_or.h index 072edbd..6e50e29 100644 --- a/src/or/connection_or.h +++ b/src/or/connection_or.h @@ -50,6 +50,9 @@ void connection_or_write_var_cell_to_buf(const var_cell_t *cell, int connection_or_send_destroy(circid_t circ_id, or_connection_t *conn, int reason); int connection_or_send_netinfo(or_connection_t *conn); +int connection_or_send_cert_cell(or_connection_t *conn); +int connection_or_send_auth_challenge_cell(or_connection_t *conn); + int is_or_protocol_version_known(uint16_t version); void cell_pack(packed_cell_t *dest, const cell_t *src); diff --git a/src/or/or.h b/src/or/or.h index ef4ddbd..ebf9ab5 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1084,7 +1084,10 @@ typedef struct listener_connection_t { } listener_connection_t; -/** Stores flags and information related to the portion of a v2 Tor OR +/** Minimum length of the random part of an AUTH_CHALLENGE cell. */ +#define OR_AUTH_CHALLENGE_LEN 32 + +/** Stores flags and information related to the portion of a v2/v3 Tor OR * connection handshake that happens after the TLS handshake is finished. */ typedef struct or_handshake_state_t { @@ -1095,6 +1098,16 @@ typedef struct or_handshake_state_t { unsigned int started_here : 1; /** True iff we have received and processed a VERSIONS cell. */ unsigned int received_versions : 1; + + /** Digests of the cells that we have sent or received as part of a V3 + * handshake. Used for making and checking AUTHENTICATE cells. + * + * @{ + */ + crypto_digest_env_t *digest_sent; + crypto_digest_env_t *digest_received; + /** @} */ + } or_handshake_state_t; /** Subtype of connection_t for an "OR connection" -- that is, one that speaks

1 0

[tor/master] Turn X509 certificates into a first-class type and add some functions
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit c0bbcf138fa4e7d8e1974ed91718025d0dd5cc7a Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Sep 13 11:37:15 2011 -0400 Turn X509 certificates into a first-class type and add some functions --- src/common/tortls.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++++-- src/common/tortls.h | 11 ++++ 2 files changed, 155 insertions(+), 6 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 1bb9c74..b711967 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -97,14 +97,23 @@ static int use_unsafe_renegotiation_op = 0; * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */ static int use_unsafe_renegotiation_flag = 0; +/** Structure that we use for a single certificate. */ +struct tor_cert_t { + X509 *cert; + uint8_t *encoded; + size_t encoded_len; + digests_t cert_digests; + digests_t pkey_digests; +}; + /** Holds a SSL_CTX object and related state used to configure TLS * connections. */ typedef struct tor_tls_context_t { int refcnt; SSL_CTX *ctx; - X509 *my_cert; - X509 *my_id_cert; + tor_cert_t *my_cert; + tor_cert_t *my_id_cert; crypto_pk_env_t *key; } tor_tls_context_t; @@ -670,6 +679,115 @@ static const int N_CLIENT_CIPHERS = SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) #endif +/** Free all storage held in cert */ +void +tor_cert_free(tor_cert_t *cert) +{ + if (! cert) + return; + if (cert->cert) + X509_free(cert->cert); + tor_free(cert->encoded); + memset(cert, 0x03, sizeof(cert)); + tor_free(cert); +} + +/** + * Allocate a new tor_cert_t to hold the certificate "x509_cert". + * + * Steals a reference to x509_cert. + */ +static tor_cert_t * +tor_cert_new(X509 *x509_cert) +{ + tor_cert_t *cert; + EVP_PKEY *pkey; + RSA *rsa; + int length = i2d_X509(x509_cert, NULL), length2; + unsigned char *cp; + + cert = tor_malloc_zero(sizeof(tor_cert_t)); + if (length <= 0) { + tor_free(cert); + log_err(LD_CRYPTO, "Couldn't get length of encoded x509 certificate"); + X509_free(x509_cert); + return NULL; + } + cert->encoded_len = (size_t) length; + cp = cert->encoded = tor_malloc(length); + length2 = i2d_X509(x509_cert, &cp); + tor_assert(length2 == length); + + cert->cert = x509_cert; + + crypto_digest_all(&cert->cert_digests, + (char*)cert->encoded, cert->encoded_len); + + if ((pkey = X509_get_pubkey(x509_cert)) && + (rsa = EVP_PKEY_get1_RSA(pkey))) { + crypto_pk_env_t *pk = _crypto_new_pk_env_rsa(rsa); + crypto_pk_get_all_digests(pk, &cert->pkey_digests); + crypto_free_pk_env(pk); + EVP_PKEY_free(pkey); + } + + return cert; +} + +/** Read a DER-encoded X509 cert, of length exactly certificate_len, + * from a certificate. Return a newly allocated tor_cert_t on success + * and NULL on failure. */ +tor_cert_t * +tor_cert_decode(const uint8_t *certificate, size_t certificate_len) +{ + X509 *x509; + const unsigned char *cp = (const unsigned char *)certificate; + tor_cert_t *newcert; + tor_assert(certificate); + + if (certificate_len > INT_MAX) + return NULL; + +#if OPENSSL_VERSION_NUMBER < 0x00908000l + /* This ifdef suppresses a type warning. Take out this case once everybody + * is using OpenSSL 0.9.8 or later. */ + x509 = d2i_X509(NULL, (unsigned char**)&cp, (int)certificate_len); +#else + x509 = d2i_X509(NULL, &cp, (int)certificate_len); +#endif + if (!x509) + return NULL; /* Couldn't decode */ + if (cp - certificate != (int)certificate_len) { + X509_free(x509); + return NULL; /* Didn't use all the bytes */ + } + newcert = tor_cert_new(x509); + if (!newcert) { + X509_free(x509); + return NULL; + } + if (newcert->encoded_len != certificate_len || + fast_memneq(newcert->encoded, certificate, certificate_len)) { + /* Cert wasn't in DER */ + tor_cert_free(newcert); + return NULL; + } + return newcert; +} + +/** Set *encoded_out and *size_out/b> to cert's encoded DER + * representation and length, respectively. */ +void +tor_cert_get_der(const tor_cert_t *cert, + const uint8_t **encoded_out, size_t *size_out) +{ + tor_assert(cert); + tor_assert(encoded_out); + tor_assert(size_out); + *encoded_out = cert->encoded; + *size_out = cert->encoded_len; +} + /** Remove a reference to ctx, and free it if it has no more * references. */ static void @@ -678,13 +796,33 @@ tor_tls_context_decref(tor_tls_context_t *ctx) tor_assert(ctx); if (--ctx->refcnt == 0) { SSL_CTX_free(ctx->ctx); - X509_free(ctx->my_cert); - X509_free(ctx->my_id_cert); + tor_cert_free(ctx->my_cert); + tor_cert_free(ctx->my_id_cert); crypto_free_pk_env(ctx->key); tor_free(ctx); } } +/** Set *link_cert_out and *id_cert_out to the link certificate + * and ID certificate that we're currently using for our V3 in-protocol + * handshake's certificate chain. If server is true, provide the certs + * that we use in server mode; otherwise, provide the certs that we use in + * client mode. */ +int +tor_tls_get_my_certs(int server, + const tor_cert_t **link_cert_out, + const tor_cert_t **id_cert_out) +{ + tor_tls_context_t *ctx = server ? server_tls_context : client_tls_context; + if (! ctx) + return -1; + if (link_cert_out) + *link_cert_out = ctx->my_cert; + if (id_cert_out) + *id_cert_out = ctx->my_id_cert; + return 0; +} + /** Increase the reference count of ctx. */ static void tor_tls_context_incref(tor_tls_context_t *ctx) @@ -813,8 +951,8 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) result = tor_malloc_zero(sizeof(tor_tls_context_t)); result->refcnt = 1; - result->my_cert = X509_dup(cert); - result->my_id_cert = X509_dup(idcert); + result->my_cert = tor_cert_new(X509_dup(cert)); + result->my_id_cert = tor_cert_new(X509_dup(idcert)); result->key = crypto_pk_dup_key(rsa); #ifdef EVERYONE_HAS_AES diff --git a/src/common/tortls.h b/src/common/tortls.h index 9b8108b..c55da4a 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -17,6 +17,9 @@ /* Opaque structure to hold a TLS connection. */ typedef struct tor_tls_t tor_tls_t; +/* Opaque structure to hold an X509 certificate. */ +typedef struct tor_cert_t tor_cert_t; + /* Possible return values for most tor_tls_* functions. */ #define _MIN_TOR_TLS_ERROR_VAL -9 #define TOR_TLS_ERROR_MISC -9 @@ -104,5 +107,13 @@ struct bufferevent *tor_tls_init_bufferevent(tor_tls_t *tls, int filter); #endif +void tor_cert_free(tor_cert_t *cert); +tor_cert_t *tor_cert_decode(const uint8_t *certificate, size_t certificate_len); +void tor_cert_get_der(const tor_cert_t *cert, + const uint8_t **encoded_out, size_t *size_out); +int tor_tls_get_my_certs(int server, + const tor_cert_t **link_cert_out, + const tor_cert_t **id_cert_out); + #endif

1 0

[tor/master] New function to get all digests of a public key
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit dcf69a9e12d013563575e50b7d6f547832f92f66 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Sep 13 14:32:51 2011 -0400 New function to get all digests of a public key --- src/common/crypto.c | 26 ++++++++++++++++++++++++++ src/common/crypto.h | 1 + 2 files changed, 27 insertions(+), 0 deletions(-) diff --git a/src/common/crypto.c b/src/common/crypto.c index 9ad7575..edb0d42 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -1249,6 +1249,32 @@ crypto_pk_get_digest(crypto_pk_env_t *pk, char *digest_out) return 0; } +/** Compute all digests of the DER encoding of pk, and store them + * in digests_out. Return 0 on success, -1 on failure. */ +int +crypto_pk_get_all_digests(crypto_pk_env_t *pk, digests_t *digests_out) +{ + unsigned char *buf, *bufp; + int len; + + len = i2d_RSAPublicKey(pk->key, NULL); + if (len < 0) + return -1; + buf = bufp = tor_malloc(len+1); + len = i2d_RSAPublicKey(pk->key, &bufp); + if (len < 0) { + crypto_log_errors(LOG_WARN,"encoding public key"); + tor_free(buf); + return -1; + } + if (crypto_digest_all(digests_out, (char*)buf, len) < 0) { + tor_free(buf); + return -1; + } + tor_free(buf); + return 0; +} + /** Copy in to the outlen-byte buffer out, adding spaces * every four spaces. */ /* static */ void diff --git a/src/common/crypto.h b/src/common/crypto.h index 9b4eee6..d50d9f9 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -150,6 +150,7 @@ int crypto_pk_private_hybrid_decrypt(crypto_pk_env_t *env, char *to, int crypto_pk_asn1_encode(crypto_pk_env_t *pk, char *dest, size_t dest_len); crypto_pk_env_t *crypto_pk_asn1_decode(const char *str, size_t len); int crypto_pk_get_digest(crypto_pk_env_t *pk, char *digest_out); +int crypto_pk_get_all_digests(crypto_pk_env_t *pk, digests_t *digests_out); int crypto_pk_get_fingerprint(crypto_pk_env_t *pk, char *fp_out,int add_space); int crypto_pk_check_fingerprint_syntax(const char *s);

1 0

[tor/master] Function to get digests of the certs and their keys
by nickm＠torproject.org 11 Oct '11

11 Oct '11

commit 8c9fdecfe9e6c93e678a5917e302aa18ada8a3b6 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Sep 14 14:43:44 2011 -0400 Function to get digests of the certs and their keys --- src/common/tortls.c | 14 ++++++++++++++ src/common/tortls.h | 2 ++ 2 files changed, 16 insertions(+), 0 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 0ba47ba..1435223 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -789,6 +789,20 @@ tor_cert_get_der(const tor_cert_t *cert, *size_out = cert->encoded_len; } +/** Return a set of digests for the public key in cert. */ +const digests_t * +tor_cert_get_id_digests(const tor_cert_t *cert) +{ + return &cert->pkey_digests; +} + +/** Return a set of digests for the public key in cert. */ +const digests_t * +tor_cert_get_cert_digests(const tor_cert_t *cert) +{ + return &cert->cert_digests; +} + /** Remove a reference to ctx, and free it if it has no more * references. */ static void diff --git a/src/common/tortls.h b/src/common/tortls.h index 36309af..40eb830 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -112,6 +112,8 @@ void tor_cert_free(tor_cert_t *cert); tor_cert_t *tor_cert_decode(const uint8_t *certificate, size_t certificate_len); void tor_cert_get_der(const tor_cert_t *cert, const uint8_t **encoded_out, size_t *size_out); +const digests_t *tor_cert_get_id_digests(const tor_cert_t *cert); +const digests_t *tor_cert_get_cert_digests(const tor_cert_t *cert); int tor_tls_get_my_certs(int server, const tor_cert_t **link_cert_out, const tor_cert_t **id_cert_out);

1 0