June 2015 - tor-commits - lists.torproject.org

[tor/maint-0.2.6] Fix sandboxing to work when running as a relay
by nickm＠torproject.org 02 Jun '15

02 Jun '15

commit a68e5323f809056cae9fcefc06357f9646595d89 Author: Peter Palfrader <peter(a)palfrader.org> Date: Tue Jun 2 20:06:49 2015 +0200 Fix sandboxing to work when running as a relay This includes correctly allowing renaming secret_id_key and allowing the eventfd2 and futex syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. --- changes/bug16244 | 7 +++++++ src/common/sandbox.c | 2 ++ src/or/main.c | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/changes/bug16244 b/changes/bug16244 new file mode 100644 index 0000000..00bc557 --- /dev/null +++ b/changes/bug16244 @@ -0,0 +1,7 @@ + o Minor bugfixes (sandbox, relay): + - Fix sandboxing to work when running as a relay again. This + includes correctly allowing renaming secret_id_key and + allowing the eventfd2 and futex syscalls. + Fixes bug 16244; bugfix on 0.2.6.1-alpha. + Patch by Peter Palfrader. + diff --git a/src/common/sandbox.c b/src/common/sandbox.c index a32bd0d..cdb4521 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -129,11 +129,13 @@ static int filter_nopar_gen[] = { SCMP_SYS(clone), SCMP_SYS(epoll_create), SCMP_SYS(epoll_wait), + SCMP_SYS(eventfd2), SCMP_SYS(fcntl), SCMP_SYS(fstat), #ifdef __NR_fstat64 SCMP_SYS(fstat64), #endif + SCMP_SYS(futex), SCMP_SYS(getdents64), SCMP_SYS(getegid), #ifdef __NR_getegid32 diff --git a/src/or/main.c b/src/or/main.c index d0fe8cb..8aa9a15 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2984,7 +2984,7 @@ sandbox_init_filter(void) // orport if (server_mode(get_options())) { - OPEN_DATADIR2_SUFFIX("keys", "secret_id_key", "tmp"); + OPEN_DATADIR2_SUFFIX("keys", "secret_id_key", ".tmp"); OPEN_DATADIR2_SUFFIX("keys", "secret_onion_key", ".tmp"); OPEN_DATADIR2_SUFFIX("keys", "secret_onion_key_ntor", ".tmp"); OPEN_DATADIR2("keys", "secret_id_key.old");

1 0

[tor/master] Merge remote-tracking branch 'public/bug15760_hard_026_v2'
by nickm＠torproject.org 02 Jun '15

02 Jun '15

commit 0030765e04d8dfe3dfaf8124b01a4d578b7d8ceb Merge: 3d653df ff835e2 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jun 2 13:45:27 2015 -0400 Merge remote-tracking branch 'public/bug15760_hard_026_v2' Conflicts: src/common/tortls.c configure.ac | 18 ++++ src/common/tortls.c | 289 ++++++++++++++++----------------------------------- 2 files changed, 109 insertions(+), 198 deletions(-) diff --cc src/common/tortls.c index a4b6c48,deeee5f..a1bc9ab --- a/src/common/tortls.c +++ b/src/common/tortls.c @@@ -741,31 -787,9 +724,9 @@@ static const char CLIENT_CIPHER_LIST[] #undef CIPHER #undef XCIPHER - /** Holds a cipher that we want to advertise, and its 2-byte ID. */ - typedef struct cipher_info_t { unsigned id; const char *name; } cipher_info_t; - /** A list of all the ciphers that clients should advertise, including items - * that OpenSSL might not know about. */ - static const cipher_info_t CLIENT_CIPHER_INFO_LIST[] = { - #define CIPHER(id, name) { id, name }, - #define XCIPHER(id, name) { id, #name }, - #include "ciphers.inc" - #undef CIPHER - #undef XCIPHER - }; - - /** The length of CLIENT_CIPHER_INFO_LIST and CLIENT_CIPHER_DUMMIES. */ - static const int N_CLIENT_CIPHERS = ARRAY_LENGTH(CLIENT_CIPHER_INFO_LIST); - #endif - - #ifndef V2_HANDSHAKE_CLIENT - #undef CLIENT_CIPHER_LIST - #define CLIENT_CIPHER_LIST (TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \ - SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) - #endif - /** Free all storage held in cert */ void -tor_cert_free(tor_cert_t *cert) +tor_x509_cert_free(tor_x509_cert_t *cert) { if (! cert) return; @@@ -1597,6 -1644,10 +1558,10 @@@ tor_tls_classify_client_ciphers(const S static int tor_tls_client_is_using_v2_ciphers(const SSL *ssl) { + STACK_OF(SSL_CIPHER) *ciphers; + #ifdef HAVE_SSL_GET_CLIENT_CIPHERS - ciphers = SSL_get_client_ciphers(ssl); ++ ciphers = SSL_get_ciphers(ssl); + #else SSL_SESSION *session; if (!(session = SSL_get_session((SSL *)ssl))) { log_info(LD_NET, "No session on TLS?"); @@@ -1701,151 -1759,10 +1668,7 @@@ tor_tls_setup_session_secret_cb(tor_tls { SSL_set_session_secret_cb(tls->ssl, tor_tls_session_secret_cb, NULL); } -#else -#define tor_tls_setup_session_secret_cb(tls) STMT_NIL -#endif - /** Explain which ciphers we're missing. */ - static void - log_unsupported_ciphers(smartlist_t *unsupported) - { - char *joined; - - log_notice(LD_NET, "We weren't able to find support for all of the " - "TLS ciphersuites that we wanted to advertise. This won't " - "hurt security, but it might make your Tor (if run as a client) " - "more easy for censors to block."); - - if (SSLeay() < 0x10000000L) { - log_notice(LD_NET, "To correct this, use a more recent OpenSSL, " - "built without disabling any secure ciphers or features."); - } else { - log_notice(LD_NET, "To correct this, use a version of OpenSSL " - "built with none of its ciphers disabled."); - } - - joined = smartlist_join_strings(unsupported, ":", 0, NULL); - log_info(LD_NET, "The unsupported ciphers were: %s", joined); - tor_free(joined); - } - - static void - set_ssl_ciphers_to_list(SSL *ssl, STACK_OF(SSL_CIPHER) *stack) - { - STACK_OF(SSL_CIPHER) *ciphers; - - int r, i; - /* #1: ensure that the ssl object has its own list of ciphers. Otherwise we - * might be about to stomp the SSL_CTX ciphers list. */ - r = SSL_set_cipher_list(ssl, "HIGH"); - tor_assert(r); - - /* #2: Grab ssl_ciphers and clear it. */ - ciphers = SSL_get_ciphers(ssl); - tor_assert(ciphers); - sk_SSL_CIPHER_zero(ciphers); - - /* #3: Copy the elements from stack. */ - for (i = 0; i < sk_SSL_CIPHER_num(stack); ++i) { - SSL_CIPHER *c = sk_SSL_CIPHER_value(stack, i); - sk_SSL_CIPHER_push(ciphers, c); - } - } - - /** Replace the ciphers on ssl with a new list of SSL ciphersuites: - * specifically, a list designed to mimic a common web browser. We might not - * be able to do that if OpenSSL doesn't support all the ciphers we want. - * Some of the ciphers in the list won't actually be implemented by OpenSSL: - * that's okay so long as the server doesn't select them. - * - * [If the server does select a bogus cipher, we won't crash or - * anything; we'll just fail later when we try to look up the cipher in - * ssl->cipher_list_by_id.] - */ - static void - rectify_client_ciphers(SSL *ssl) - { - #ifdef V2_HANDSHAKE_CLIENT - if (PREDICT_UNLIKELY(!CLIENT_CIPHER_STACK)) { - STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl); - - /* We need to set CLIENT_CIPHER_STACK to an array of the ciphers - * we want to use/advertise. */ - int i = 0, j = 0; - smartlist_t *unsupported = smartlist_new(); - - /* First, create a dummy SSL_CIPHER for every cipher. */ - CLIENT_CIPHER_DUMMIES = - tor_malloc_zero(sizeof(SSL_CIPHER)*N_CLIENT_CIPHERS); - for (i=0; i < N_CLIENT_CIPHERS; ++i) { - CLIENT_CIPHER_DUMMIES[i].valid = 1; - /* The "3<<24" here signifies that the cipher is supposed to work with - * SSL3 and TLS1. */ - CLIENT_CIPHER_DUMMIES[i].id = CLIENT_CIPHER_INFO_LIST[i].id | (3<<24); - CLIENT_CIPHER_DUMMIES[i].name = CLIENT_CIPHER_INFO_LIST[i].name; - } - - CLIENT_CIPHER_STACK = sk_SSL_CIPHER_new_null(); - tor_assert(CLIENT_CIPHER_STACK); - - log_debug(LD_NET, "List was: %s", CLIENT_CIPHER_LIST); - for (j = 0; j < sk_SSL_CIPHER_num(ciphers); ++j) { - SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, j); - log_debug(LD_NET, "Cipher %d: %lx %s", j, - SSL_CIPHER_get_id(cipher), SSL_CIPHER_get_name(cipher)); - } - - /* Then copy as many ciphers as we can from the good list, inserting - * dummies as needed. Let j be an index into list of ciphers we have - * (ciphers) and let i be an index into the ciphers we want - * (CLIENT_INFO_CIPHER_LIST). We are building a list of ciphers in - * CLIENT_CIPHER_STACK. - */ - for (i = j = 0; i < N_CLIENT_CIPHERS; ) { - SSL_CIPHER *cipher = NULL; - if (j < sk_SSL_CIPHER_num(ciphers)) - cipher = sk_SSL_CIPHER_value(ciphers, j); - if (cipher && ((SSL_CIPHER_get_id(cipher) >> 24) & 0xff) != 3) { - /* Skip over non-v3 ciphers entirely. (This should no longer be - * needed, thanks to saying !SSLv2 above.) */ - log_debug(LD_NET, "Skipping v%d cipher %s", - (int)((SSL_CIPHER_get_id(cipher)>>24) & 0xff), - SSL_CIPHER_get_name(cipher)); - ++j; - } else if (cipher && - (SSL_CIPHER_get_id(cipher) & 0xffff) == - CLIENT_CIPHER_INFO_LIST[i].id) { - /* "cipher" is the cipher we expect. Put it on the list. */ - log_debug(LD_NET, "Found cipher %s", SSL_CIPHER_get_name(cipher)); - sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, cipher); - ++j; - ++i; - } else if (!strcmp(CLIENT_CIPHER_DUMMIES[i].name, - "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA")) { - /* We found bogus cipher 0xfeff, which OpenSSL doesn't support and - * never has. For this one, we need a dummy. */ - log_debug(LD_NET, "Inserting fake %s", CLIENT_CIPHER_DUMMIES[i].name); - sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, &CLIENT_CIPHER_DUMMIES[i]); - ++i; - } else { - /* OpenSSL doesn't have this one. */ - log_debug(LD_NET, "Completely omitting unsupported cipher %s", - CLIENT_CIPHER_INFO_LIST[i].name); - smartlist_add(unsupported, (char*) CLIENT_CIPHER_INFO_LIST[i].name); - ++i; - } - } - - if (smartlist_len(unsupported)) - log_unsupported_ciphers(unsupported); - - smartlist_free(unsupported); - } - - set_ssl_ciphers_to_list(ssl, CLIENT_CIPHER_STACK); - - #else - (void)ciphers; - #endif - } - /** Create a new TLS object from a file descriptor, and a flag to * determine whether it is functioning as a server. */ @@@ -2773,16 -2751,49 +2634,49 @@@ SSL_SESSION_get_master_key(SSL_SESSION * the v3 handshake to prove that the client knows the TLS secrets for the * connection tls. Return 0 on success, -1 on failure. */ -int -tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out) +MOCK_IMPL(int, +tor_tls_get_tlssecrets,(tor_tls_t *tls, uint8_t *secrets_out)) { #define TLSSECRET_MAGIC "Tor V3 handshake TLS cross-certification" - char buf[128]; + uint8_t buf[128]; size_t len; + tor_assert(tls); - tor_assert(tls->ssl); - tor_assert(tls->ssl->s3); - tor_assert(tls->ssl->session); + + SSL *const ssl = tls->ssl; + SSL_SESSION *const session = SSL_get_session(ssl); + + tor_assert(ssl); + tor_assert(session); + + const size_t server_random_len = SSL_get_server_random(ssl, NULL, 0); + const size_t client_random_len = SSL_get_client_random(ssl, NULL, 0); + const size_t master_key_len = SSL_SESSION_get_master_key(session, NULL, 0); + + tor_assert(server_random_len); + tor_assert(client_random_len); + tor_assert(master_key_len); + + len = client_random_len + server_random_len + strlen(TLSSECRET_MAGIC) + 1; + tor_assert(len <= sizeof(buf)); + + { + size_t r = SSL_get_client_random(ssl, buf, client_random_len); + tor_assert(r == client_random_len); + } + { + size_t r = SSL_get_server_random(ssl, buf+client_random_len, server_random_len); + tor_assert(r == server_random_len); + } + uint8_t *master_key = tor_malloc_zero(master_key_len); + { + size_t r = SSL_SESSION_get_master_key(session, master_key, master_key_len); + tor_assert(r == master_key_len); + } + + uint8_t *nextbuf = buf + client_random_len + server_random_len; + memcpy(nextbuf, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1); + /* The value is an HMAC, using the TLS master key as the HMAC key, of client_random | server_random | TLSSECRET_MAGIC

1 0

[tor/master] Use accessor functions for client_random/server_random/master_key
by nickm＠torproject.org 02 Jun '15

02 Jun '15

commit f90a704f12587ba7585a8a4d31cb6de756bb3868 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue May 26 12:09:53 2015 -0400 Use accessor functions for client_random/server_random/master_key If OpenSSL accepts my patch to introduce these functions, they'll be a way to help Tor work with OpenSSL 1.1. --- src/common/tortls.c | 94 +++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 83 insertions(+), 11 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index d4a565c..d80cf42 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -2707,6 +2707,46 @@ tor_tls_server_got_renegotiate(tor_tls_t *tls) return tls->got_renegotiate; } +#ifndef HAVE_SSL_GET_CLIENT_RANDOM +static size_t +SSL_get_client_random(SSL *s, uint8_t *out, size_t len) +{ + if (len == 0) + return SSL3_RANDOM_SIZE; + tor_assert(len == SSL3_RANDOM_SIZE); + tor_assert(s->s3); + memcpy(out, s->s3->client_random, len); + return len; +} +#endif + +#ifndef HAVE_SSL_GET_SERVER_RANDOM +static size_t +SSL_get_server_random(SSL *s, uint8_t *out, size_t len) +{ + if (len == 0) + return SSL3_RANDOM_SIZE; + tor_assert(len == SSL3_RANDOM_SIZE); + tor_assert(s->s3); + memcpy(out, s->s3->server_random, len); + return len; +} +#endif + +#ifndef HAVE_SSL_SESSION_GET_MASTER_KEY +static size_t +SSL_SESSION_get_master_key(SSL_SESSION *s, uint8_t *out, size_t len) +{ + if (len == 0) + return s->master_key_length; + tor_assert(len == (size_t)s->master_key_length); + tor_assert(s->master_key); + memcpy(out, s->master_key, len); + return len; +} +#endif + + /** Set the DIGEST256_LEN buffer at secrets_out to the value used in * the v3 handshake to prove that the client knows the TLS secrets for the * connection tls. Return 0 on success, -1 on failure. @@ -2715,25 +2755,57 @@ int tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out) { #define TLSSECRET_MAGIC "Tor V3 handshake TLS cross-certification" - char buf[128]; + uint8_t buf[128]; size_t len; + tor_assert(tls); - tor_assert(tls->ssl); - tor_assert(tls->ssl->s3); - tor_assert(tls->ssl->session); + + SSL *const ssl = tls->ssl; + SSL_SESSION *const session = SSL_get_session(ssl); + + tor_assert(ssl); + tor_assert(session); + + const size_t server_random_len = SSL_get_server_random(ssl, NULL, 0); + const size_t client_random_len = SSL_get_client_random(ssl, NULL, 0); + const size_t master_key_len = SSL_SESSION_get_master_key(session, NULL, 0); + + tor_assert(server_random_len); + tor_assert(client_random_len); + tor_assert(master_key_len); + + len = client_random_len + server_random_len + strlen(TLSSECRET_MAGIC) + 1; + tor_assert(len <= sizeof(buf)); + + { + size_t r = SSL_get_client_random(ssl, buf, client_random_len); + tor_assert(r == client_random_len); + } + { + size_t r = SSL_get_server_random(ssl, buf+client_random_len, server_random_len); + tor_assert(r == server_random_len); + } + uint8_t *master_key = tor_malloc_zero(master_key_len); + { + size_t r = SSL_SESSION_get_master_key(session, master_key, master_key_len); + tor_assert(r == master_key_len); + } + + uint8_t *nextbuf = buf + client_random_len + server_random_len; + memcpy(nextbuf, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1); + /* The value is an HMAC, using the TLS master key as the HMAC key, of client_random | server_random | TLSSECRET_MAGIC */ - memcpy(buf + 0, tls->ssl->s3->client_random, 32); - memcpy(buf + 32, tls->ssl->s3->server_random, 32); - memcpy(buf + 64, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1); - len = 64 + strlen(TLSSECRET_MAGIC) + 1; crypto_hmac_sha256((char*)secrets_out, - (char*)tls->ssl->session->master_key, - tls->ssl->session->master_key_length, - buf, len); + (char*)master_key, + master_key_len, + (char*)buf, len); memwipe(buf, 0, sizeof(buf)); + memwipe(master_key, 0, master_key_len); + tor_free(master_key); + return 0; }

1 0

[tor/master] Use autoconf, not OPENSSL_VERSION_NUMBER, to detect SSL_CIPHER_find
by nickm＠torproject.org 02 Jun '15

02 Jun '15

commit ff835e23280c0f29ca9ab25bfc3069276c0b8ab6 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jun 2 13:27:55 2015 -0400 Use autoconf, not OPENSSL_VERSION_NUMBER, to detect SSL_CIPHER_find Repairs build with libressl --- configure.ac | 1 + src/common/tortls.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index ede8f84..ab96c20 100644 --- a/configure.ac +++ b/configure.ac @@ -639,6 +639,7 @@ AC_CHECK_FUNCS([ \ SSL_get_server_random \ SSL_get_client_ciphers \ SSL_get_client_random \ + SSL_CIPHER_find \ ]) LIBS="$save_LIBS" LDFLAGS="$save_LDFLAGS" diff --git a/src/common/tortls.c b/src/common/tortls.c index d80cf42..deeee5f 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1487,7 +1487,7 @@ static int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m, uint16_t cipher) { const SSL_CIPHER *c; -#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,2) +#ifdef HAVE_SSL_CIPHER_FIND { unsigned char cipherid[3]; tor_assert(ssl);

1 0

[tor/master] Stop looking at session->ciphers when possible
by nickm＠torproject.org 02 Jun '15

02 Jun '15

commit 95375963981bb2346429de86b0cbb558d6b399d5 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue May 26 11:05:36 2015 -0400 Stop looking at session->ciphers when possible If the OpenSSL team accepts my patch to add an SSL_get_client_ciphers function, this patch will make Tor use it when available, thereby working better with openssl 1.1. --- configure.ac | 17 +++++++++++++++++ src/common/tortls.c | 8 +++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index cc271c8..ede8f84 100644 --- a/configure.ac +++ b/configure.ac @@ -623,10 +623,27 @@ else fi AC_SUBST(TOR_OPENSSL_LIBS) +dnl Now check for particular openssl functions. +save_LIBS="$LIBS" +save_LDFLAGS="$LDFLAGS" +save_CPPFLAGS="$CPPFLAGS" +LIBS="$TOR_OPENSSL_LIBS $LIBS" +LDFLAGS="$TOR_LDFLAGS_openssl $LDFLAGS" +CPPFLAGS="$TOR_CPPFLAGS_openssl $CPPFLAGS" AC_CHECK_MEMBERS([struct ssl_method_st.get_cipher_by_char], , , [#include <openssl/ssl.h> ]) +AC_CHECK_FUNCS([ \ + SSL_SESSION_get_master_key \ + SSL_get_server_random \ + SSL_get_client_ciphers \ + SSL_get_client_random \ + ]) +LIBS="$save_LIBS" +LDFLAGS="$save_LDFLAGS" +CPPFLAGS="$save_CPPFLAGS" + dnl ------------------------------------------------------ dnl Where do you live, zlib? And how do we call you? diff --git a/src/common/tortls.c b/src/common/tortls.c index 01bccd7..d4a565c 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1644,13 +1644,19 @@ tor_tls_classify_client_ciphers(const SSL *ssl, static int tor_tls_client_is_using_v2_ciphers(const SSL *ssl) { + STACK_OF(SSL_CIPHER) *ciphers; +#ifdef HAVE_SSL_GET_CLIENT_CIPHERS + ciphers = SSL_get_client_ciphers(ssl); +#else SSL_SESSION *session; if (!(session = SSL_get_session((SSL *)ssl))) { log_info(LD_NET, "No session on TLS?"); return CIPHERS_ERR; } + ciphers = session->ciphers; +#endif - return tor_tls_classify_client_ciphers(ssl, session->ciphers) >= CIPHERS_V2; + return tor_tls_classify_client_ciphers(ssl, ciphers) >= CIPHERS_V2; } /** Invoked when we're accepting a connection on ssl, and the connection

1 0

[tor/master] Remove rectify_client_ciphers as needless.
by nickm＠torproject.org 02 Jun '15

02 Jun '15

commit 80082b7185feb77f83ff484e1779438aa0396634 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue May 26 10:56:54 2015 -0400 Remove rectify_client_ciphers as needless. We previously used this function instead of SSL_set_cipher_list() to set up a stack of client SSL_CIPHERs for these reasons: A) In order to force a particular order of the results. B) In order to be able to include dummy entries for ciphers that this build of openssl did not support, so we could impersonate Firefox harder. But we no longer do B, since we merged proposal 198 and stopped lying about what ciphers we know. And A was actually pointless, since I had misread the implementation of SSL_set_cipher_list(). It _does_ do some internal sorting, but that is pre-sorting on the master list of ciphers, not sorting on the user's preferred order. --- src/common/tortls.c | 184 --------------------------------------------------- 1 file changed, 184 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 654efb5..01bccd7 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -217,16 +217,6 @@ struct tor_tls_t { void *callback_arg; }; -#ifdef V2_HANDSHAKE_CLIENT -/** An array of fake SSL_CIPHER objects that we use in order to trick OpenSSL - * in client mode into advertising the ciphers we want. See - * rectify_client_ciphers() for details. */ -static SSL_CIPHER *CLIENT_CIPHER_DUMMIES = NULL; -/** A stack of SSL_CIPHER objects, some real, some fake. - * See rectify_client_ciphers() for details. */ -static STACK_OF(SSL_CIPHER) *CLIENT_CIPHER_STACK = NULL; -#endif - /** The ex_data index in which we store a pointer to an SSL object's * corresponding tor_tls_t object. */ static int tor_tls_object_ex_data_index = -1; @@ -595,12 +585,6 @@ tor_tls_free_all(void) client_tls_context = NULL; tor_tls_context_decref(ctx); } -#ifdef V2_HANDSHAKE_CLIENT - if (CLIENT_CIPHER_DUMMIES) - tor_free(CLIENT_CIPHER_DUMMIES); - if (CLIENT_CIPHER_STACK) - sk_SSL_CIPHER_free(CLIENT_CIPHER_STACK); -#endif } /** We need to give OpenSSL a callback to verify certificates. This is @@ -790,7 +774,6 @@ const char UNRESTRICTED_SERVER_CIPHER_LIST[] = * (SSL3_TXT_RSA_NULL_SHA). If you do this, you won't be able to communicate * with any of the "real" Tors, though. */ -#ifdef V2_HANDSHAKE_CLIENT #define CIPHER(id, name) name ":" #define XCIPHER(id, name) /** List of ciphers that clients should advertise, omitting items that @@ -804,28 +787,6 @@ static const char CLIENT_CIPHER_LIST[] = #undef CIPHER #undef XCIPHER -/** Holds a cipher that we want to advertise, and its 2-byte ID. */ -typedef struct cipher_info_t { unsigned id; const char *name; } cipher_info_t; -/** A list of all the ciphers that clients should advertise, including items - * that OpenSSL might not know about. */ -static const cipher_info_t CLIENT_CIPHER_INFO_LIST[] = { -#define CIPHER(id, name) { id, name }, -#define XCIPHER(id, name) { id, #name }, -#include "./ciphers.inc" -#undef CIPHER -#undef XCIPHER -}; - -/** The length of CLIENT_CIPHER_INFO_LIST and CLIENT_CIPHER_DUMMIES. */ -static const int N_CLIENT_CIPHERS = ARRAY_LENGTH(CLIENT_CIPHER_INFO_LIST); -#endif - -#ifndef V2_HANDSHAKE_CLIENT -#undef CLIENT_CIPHER_LIST -#define CLIENT_CIPHER_LIST (TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \ - SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) -#endif - /** Free all storage held in cert */ void tor_cert_free(tor_cert_t *cert) @@ -1796,149 +1757,6 @@ tor_tls_setup_session_secret_cb(tor_tls_t *tls) #define tor_tls_setup_session_secret_cb(tls) STMT_NIL #endif -/** Explain which ciphers we're missing. */ -static void -log_unsupported_ciphers(smartlist_t *unsupported) -{ - char *joined; - - log_notice(LD_NET, "We weren't able to find support for all of the " - "TLS ciphersuites that we wanted to advertise. This won't " - "hurt security, but it might make your Tor (if run as a client) " - "more easy for censors to block."); - - if (SSLeay() < 0x10000000L) { - log_notice(LD_NET, "To correct this, use a more recent OpenSSL, " - "built without disabling any secure ciphers or features."); - } else { - log_notice(LD_NET, "To correct this, use a version of OpenSSL " - "built with none of its ciphers disabled."); - } - - joined = smartlist_join_strings(unsupported, ":", 0, NULL); - log_info(LD_NET, "The unsupported ciphers were: %s", joined); - tor_free(joined); -} - -static void -set_ssl_ciphers_to_list(SSL *ssl, STACK_OF(SSL_CIPHER) *stack) -{ - STACK_OF(SSL_CIPHER) *ciphers; - - int r, i; - /* #1: ensure that the ssl object has its own list of ciphers. Otherwise we - * might be about to stomp the SSL_CTX ciphers list. */ - r = SSL_set_cipher_list(ssl, "HIGH"); - tor_assert(r); - - /* #2: Grab ssl_ciphers and clear it. */ - ciphers = SSL_get_ciphers(ssl); - tor_assert(ciphers); - sk_SSL_CIPHER_zero(ciphers); - - /* #3: Copy the elements from stack. */ - for (i = 0; i < sk_SSL_CIPHER_num(stack); ++i) { - SSL_CIPHER *c = sk_SSL_CIPHER_value(stack, i); - sk_SSL_CIPHER_push(ciphers, c); - } -} - -/** Replace the ciphers on ssl with a new list of SSL ciphersuites: - * specifically, a list designed to mimic a common web browser. We might not - * be able to do that if OpenSSL doesn't support all the ciphers we want. - * Some of the ciphers in the list won't actually be implemented by OpenSSL: - * that's okay so long as the server doesn't select them. - * - * [If the server does select a bogus cipher, we won't crash or - * anything; we'll just fail later when we try to look up the cipher in - * ssl->cipher_list_by_id.] - */ -static void -rectify_client_ciphers(SSL *ssl) -{ -#ifdef V2_HANDSHAKE_CLIENT - if (PREDICT_UNLIKELY(!CLIENT_CIPHER_STACK)) { - STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl); - - /* We need to set CLIENT_CIPHER_STACK to an array of the ciphers - * we want to use/advertise. */ - int i = 0, j = 0; - smartlist_t *unsupported = smartlist_new(); - - /* First, create a dummy SSL_CIPHER for every cipher. */ - CLIENT_CIPHER_DUMMIES = - tor_malloc_zero(sizeof(SSL_CIPHER)*N_CLIENT_CIPHERS); - for (i=0; i < N_CLIENT_CIPHERS; ++i) { - CLIENT_CIPHER_DUMMIES[i].valid = 1; - /* The "3<<24" here signifies that the cipher is supposed to work with - * SSL3 and TLS1. */ - CLIENT_CIPHER_DUMMIES[i].id = CLIENT_CIPHER_INFO_LIST[i].id | (3<<24); - CLIENT_CIPHER_DUMMIES[i].name = CLIENT_CIPHER_INFO_LIST[i].name; - } - - CLIENT_CIPHER_STACK = sk_SSL_CIPHER_new_null(); - tor_assert(CLIENT_CIPHER_STACK); - - log_debug(LD_NET, "List was: %s", CLIENT_CIPHER_LIST); - for (j = 0; j < sk_SSL_CIPHER_num(ciphers); ++j) { - SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, j); - log_debug(LD_NET, "Cipher %d: %lx %s", j, - SSL_CIPHER_get_id(cipher), SSL_CIPHER_get_name(cipher)); - } - - /* Then copy as many ciphers as we can from the good list, inserting - * dummies as needed. Let j be an index into list of ciphers we have - * (ciphers) and let i be an index into the ciphers we want - * (CLIENT_INFO_CIPHER_LIST). We are building a list of ciphers in - * CLIENT_CIPHER_STACK. - */ - for (i = j = 0; i < N_CLIENT_CIPHERS; ) { - SSL_CIPHER *cipher = NULL; - if (j < sk_SSL_CIPHER_num(ciphers)) - cipher = sk_SSL_CIPHER_value(ciphers, j); - if (cipher && ((SSL_CIPHER_get_id(cipher) >> 24) & 0xff) != 3) { - /* Skip over non-v3 ciphers entirely. (This should no longer be - * needed, thanks to saying !SSLv2 above.) */ - log_debug(LD_NET, "Skipping v%d cipher %s", - (int)((SSL_CIPHER_get_id(cipher)>>24) & 0xff), - SSL_CIPHER_get_name(cipher)); - ++j; - } else if (cipher && - (SSL_CIPHER_get_id(cipher) & 0xffff) == CLIENT_CIPHER_INFO_LIST[i].id) { - /* "cipher" is the cipher we expect. Put it on the list. */ - log_debug(LD_NET, "Found cipher %s", SSL_CIPHER_get_name(cipher)); - sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, cipher); - ++j; - ++i; - } else if (!strcmp(CLIENT_CIPHER_DUMMIES[i].name, - "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA")) { - /* We found bogus cipher 0xfeff, which OpenSSL doesn't support and - * never has. For this one, we need a dummy. */ - log_debug(LD_NET, "Inserting fake %s", CLIENT_CIPHER_DUMMIES[i].name); - sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, &CLIENT_CIPHER_DUMMIES[i]); - ++i; - } else { - /* OpenSSL doesn't have this one. */ - log_debug(LD_NET, "Completely omitting unsupported cipher %s", - CLIENT_CIPHER_INFO_LIST[i].name); - smartlist_add(unsupported, (char*) CLIENT_CIPHER_INFO_LIST[i].name); - ++i; - } - } - - if (smartlist_len(unsupported)) - log_unsupported_ciphers(unsupported); - - smartlist_free(unsupported); - } - - set_ssl_ciphers_to_list(ssl, CLIENT_CIPHER_STACK); - -#else - (void)ciphers; -#endif -} - /** Create a new TLS object from a file descriptor, and a flag to * determine whether it is functioning as a server. */ @@ -1978,8 +1796,6 @@ tor_tls_new(int sock, int isServer) tor_free(result); goto err; } - if (!isServer) - rectify_client_ciphers(result->ssl); result->socket = sock; bio = BIO_new_socket(sock, BIO_NOCLOSE); if (! bio) {

1 0

[tor/master] Revert "Try using SSL_get_ciphers in place of session->ciphers"
by nickm＠torproject.org 02 Jun '15

02 Jun '15

commit 44259b89423fd6b26b451eacfec85a2463a7f99d Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri May 22 10:22:11 2015 -0400 Revert "Try using SSL_get_ciphers in place of session->ciphers" This reverts commit 67964cfa787461bc56380fe46439fd5c9863bb4f. It was the cause of #16153, and was not in any released Tor. We need a better solution for getting session->ciphers. --- src/common/tortls.c | 36 +++++------------------------------- 1 file changed, 5 insertions(+), 31 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index e0265b4..654efb5 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1683,39 +1683,13 @@ tor_tls_classify_client_ciphers(const SSL *ssl, static int tor_tls_client_is_using_v2_ciphers(const SSL *ssl) { - STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl); - -#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0) - { - SSL_SESSION *session; - STACK_OF(SSL_CIPHER) *c1; - int i; - if (!(session = SSL_get_session((SSL *)ssl))) { - log_info(LD_NET, "No session on TLS?"); - return CIPHERS_ERR; - } - c1 = session->ciphers; - - if (sk_SSL_CIPHER_num(c1) != sk_SSL_CIPHER_num(ciphers)) { - log_warn(LD_BUG, "Whoops. session->ciphers doesn't " - "match SSL_get_ciphers()"); - return 0; - } - for (i = 0; i < sk_SSL_CIPHER_num(c1); ++i) { - SSL_CIPHER *a = sk_SSL_CIPHER_value(ciphers, i); - SSL_CIPHER *b = sk_SSL_CIPHER_value(c1, i); - unsigned long a_id = SSL_CIPHER_get_id(a); - unsigned long b_id = SSL_CIPHER_get_id(b); - if (a_id != b_id) { - log_warn(LD_BUG, "Cipher mismatch between session->ciphers and " - "SSL_get_ciphers() at %d: %lx vs %lx", i, - a_id, b_id); - } - } + SSL_SESSION *session; + if (!(session = SSL_get_session((SSL *)ssl))) { + log_info(LD_NET, "No session on TLS?"); + return CIPHERS_ERR; } -#endif - return tor_tls_classify_client_ciphers(ssl, ciphers) >= CIPHERS_V2; + return tor_tls_classify_client_ciphers(ssl, session->ciphers) >= CIPHERS_V2; } /** Invoked when we're accepting a connection on ssl, and the connection

1 0

[torspec/master] Add a proposal to kill off the TAP protocol
by nickm＠torproject.org 02 Jun '15

02 Jun '15

commit bbac37fd60c03a876e5c0d3637c3043a9e6734c1 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jun 2 12:00:04 2015 -0400 Add a proposal to kill off the TAP protocol --- proposals/000-index.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/proposals/000-index.txt b/proposals/000-index.txt index ffc2af1..f8e959d 100644 --- a/proposals/000-index.txt +++ b/proposals/000-index.txt @@ -164,6 +164,8 @@ Proposals by number: 241 Resisting guard-turnover attacks [DRAFT] 242 Better performance and usability for the MyFamily option [OPEN] 243 Give out HSDir flag only to relays with Stable flag [OPEN] +244 Use RFC5705 Key Exporting in our AUTHENTICATE calls [DRAFT] +245 Deprecating and removing the TAP circuit extension protocol [DRAFT] Proposals by status: @@ -189,6 +191,8 @@ Proposals by status: 239 Consensus Hash Chaining 240 Early signing key revocation for directory authorities 241 Resisting guard-turnover attacks + 244 Use RFC5705 Key Exporting in our AUTHENTICATE calls + 245 Deprecating and removing the TAP circuit extension protocol NEEDS-REVISION: 131 Help users to verify they are using Tor 190 Bridge Client Authorization Based on a Shared Secret

1 0

[torspec/master] Whoops; actually add proposal 244.
by nickm＠torproject.org 02 Jun '15

02 Jun '15

commit 7bca621cca1ab11f2e550f20e3fe60adec4034ef Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jun 2 11:59:06 2015 -0400 Whoops; actually add proposal 244. --- proposals/244-use-rfc5705-for-tls-binding.txt | 41 +++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/proposals/244-use-rfc5705-for-tls-binding.txt b/proposals/244-use-rfc5705-for-tls-binding.txt new file mode 100644 index 0000000..66b8e09 --- /dev/null +++ b/proposals/244-use-rfc5705-for-tls-binding.txt @@ -0,0 +1,41 @@ +Filename: 244-use-rfc5705-for-tls-binding.txt +Title: Use RFC5705 Key Exporting in our AUTHENTICATE calls +Author: Nick Mathewson +Created: 2015-05-14 +Status: Draft + +1. Proposal + + We use AUTHENTICATE cells to bind the connection-initiator's Tor + identity to a TLS session. Our current type of authentication + ("RSA-SHA256-TLSSecret", see tor-spec.txt section 4.4) does this by + signing a document that includes an HMAC of client_random and + server_random, using the TLS master secret as a secret key. + + There is a more standard way to get at this information, by using the + facility defined in RFC5705. Further, it is likely to continue to + work with more TLS libraries, including TLS libraries like OpenSSL 1.1 + that make master secrets and session data opaque. + + I propose that we introduce a new authentication type, with AuthType + and TYPE field to be determined, that works the same as our current + "RSA-SHA256-TLSSecret" authentication, except for these fields: + + TYPE is a different constant string. + + TLSSECRETS is replaced by the output of the Exporter function in + RFC5705, using as its inputs: + * The label string "EXPORTER FOR TOR TLS CLIENT BINDING " + TYPE + * The context value equal to the client's identity key digest. + * The length 32. + + I propose that proposal 224's section on authenticating with ed25519 + keys be amended accordingly: + + TYPE is a different constant string, different from the one above. + + TLSSECRETS is replaced by the output of the Exporter function in + RFC5705, using as its inputs: + * The label string "EXPORTER FOR TOR TLS CLIENT BINDING " + TYPE + * The context value equal to the client's Ed25519 identity key + * The length 32.

1 0

[onionoo/master] Properly close BufferedWriter in LockFile.
by karsten＠torproject.org 02 Jun '15

02 Jun '15

commit 715f98d356b742a466bb57ef3040bb437fb262a8 Author: Karsten Loesing <karsten.loesing(a)gmx.net> Date: Mon Jun 1 10:40:28 2015 +0200 Properly close BufferedWriter in LockFile. Patch by firebrand. Fixes #15654. --- .../java/org/torproject/onionoo/util/LockFile.java | 27 +++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/src/main/java/org/torproject/onionoo/util/LockFile.java b/src/main/java/org/torproject/onionoo/util/LockFile.java index 0a1f17d..fc8a792 100644 --- a/src/main/java/org/torproject/onionoo/util/LockFile.java +++ b/src/main/java/org/torproject/onionoo/util/LockFile.java @@ -17,6 +17,13 @@ public class LockFile { private final File lockFile = new File("lock"); + /** + * Acquire the lock by writing a lock file with the current time in + * milliseconds and return whether this operation was successful. + * + * @return <code>true</code> if the lock file did not exist and writing + * that file now succeeded, <code>false</code> otherwise. + */ public boolean acquireLock() { Time time = TimeFactory.getTime(); try { @@ -26,10 +33,15 @@ public class LockFile { if (this.lockFile.getParentFile() != null) { this.lockFile.getParentFile().mkdirs(); } - BufferedWriter bw = new BufferedWriter(new FileWriter( - this.lockFile)); - bw.append("" + time.currentTimeMillis() + "\n"); - bw.close(); + } catch (SecurityException e) { + log.error("Unable to access lock file location", e); + return false; + } + + try (BufferedWriter bw = new BufferedWriter(new FileWriter( + this.lockFile))) { + bw.append(String.valueOf(time.currentTimeMillis())); + bw.newLine(); return true; } catch (IOException e) { log.error("Caught exception while trying to acquire lock!", e); @@ -37,6 +49,13 @@ public class LockFile { } } + /** + * Release the lock by deleting the lock file if it exists and return + * whether the file was successfully deleted. + * + * @return <code>true</code> if the lock file does not exist anymore + * when returning, <code>false</code> otherwise. + */ public boolean releaseLock() { if (this.lockFile.exists()) { this.lockFile.delete();

1 0