November 2016 - tor-commits - lists.torproject.org

[tor-launcher/master] Bug 19646: Mac OS: wrong location for meek browser profile
by gk＠torproject.org 03 Nov '16

03 Nov '16

commit 5ac452d86f93ee15ba3722afc606be862e8f3686 Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Wed Nov 2 11:41:12 2016 -0400 Bug 19646: Mac OS: wrong location for meek browser profile Set an TOR_BROWSER_TOR_DATA_DIR environment variable before starting tor. meek-client-torbrowser uses this on OSX to determine the location of the meek browser profile. --- src/components/tl-process.js | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/components/tl-process.js b/src/components/tl-process.js index de71d45..3284049 100644 --- a/src/components/tl-process.js +++ b/src/components/tl-process.js @@ -445,13 +445,18 @@ TorProcessService.prototype = args.push("1"); } + // Set an environment variable that points to the Tor data directory. + // This is used by meek-client-torbrowser to find the location for + // the meek browser profile. + let env = Cc["@mozilla.org/process/environment;1"] + .getService(Ci.nsIEnvironment); + env.set("TOR_BROWSER_TOR_DATA_DIR", dataDir.path); + // On Windows, prepend the Tor program directory to PATH. This is // needed so that pluggable transports can find OpenSSL DLLs, etc. // See https://trac.torproject.org/projects/tor/ticket/10845 if (TorLauncherUtil.isWindows) { - var env = Cc["@mozilla.org/process/environment;1"] - .getService(Ci.nsIEnvironment); var path = exeFile.parent.path; if (env.exists("PATH")) path += ";" + env.get("PATH");

1 0

[tor/master] New authentication types to use RFC5705.
by nickm＠torproject.org 03 Nov '16

03 Nov '16

commit b004ff45d7f637675be976737eb7efea8da5b49c Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue May 10 16:47:52 2016 -0400 New authentication types to use RFC5705. See proposal 244. This feature lets us stop looking at the internals of SSL objects, *and* should let us port better to more SSL libraries, if they have RFC5705 support. Preparatory for #19156 --- src/common/tortls.c | 22 ++++++++++++++++++++++ src/common/tortls.h | 5 +++++ src/or/connection_or.c | 39 ++++++++++++++++++++++++++++++++++----- src/or/or.h | 23 ++++++++++++++++++++++- 4 files changed, 83 insertions(+), 6 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 23889be..eaa5748 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -2448,6 +2448,28 @@ tor_tls_get_tlssecrets,(tor_tls_t *tls, uint8_t *secrets_out)) return 0; } +/** Using the RFC5705 key material exporting construction, and the + * provided context (context_len bytes long) and + * label (a NUL-terminated string), compute a 32-byte secret in + * secrets_out that only the parties to this TLS session can + * compute. Return 0 on success and -1 on failure. + */ +MOCK_IMPL(int, +tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out, + const uint8_t *context, + size_t context_len, + const char *label)) +{ + tor_assert(tls); + tor_assert(tls->ssl); + + int r = SSL_export_keying_material(tls->ssl, + secrets_out, DIGEST256_LEN, + label, strlen(label), + context, context_len, 1); + return (r == 1) ? 0 : -1; +} + /** Examine the amount of memory used and available for buffers in tls. * Set *rbuf_capacity to the amount of storage allocated for the read * buffer and *rbuf_bytes to the amount actually used. diff --git a/src/common/tortls.h b/src/common/tortls.h index 7c035a2..fe5898e 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -226,6 +226,11 @@ int tor_tls_used_v1_handshake(tor_tls_t *tls); int tor_tls_get_num_server_handshakes(tor_tls_t *tls); int tor_tls_server_got_renegotiate(tor_tls_t *tls); MOCK_DECL(int,tor_tls_get_tlssecrets,(tor_tls_t *tls, uint8_t *secrets_out)); +MOCK_DECL(int,tor_tls_export_key_material,( + tor_tls_t *tls, uint8_t *secrets_out, + const uint8_t *context, + size_t context_len, + const char *label)); /* Log and abort if there are unhandled TLS errors in OpenSSL's error stack. */ diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 09579f8..d06a246 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -2318,15 +2318,34 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, auth1_t *auth = NULL; auth_ctx_t *ctx = auth_ctx_new(); int result; + int old_tlssecrets_algorithm = 0; + const char *authtype_str = NULL; - /* assert state is reasonable XXXX */ + int is_ed = 0; + const int authtype = 1; /* XXXX this should be an argument. */ - ctx->is_ed = 0; + /* assert state is reasonable XXXX */ + switch (authtype) { + case AUTHTYPE_RSA_SHA256_TLSSECRET: + authtype_str = "AUTH0001"; + old_tlssecrets_algorithm = 1; + break; + case AUTHTYPE_RSA_SHA256_RFC5705: + authtype_str = "AUTH0002"; + break; + case AUTHTYPE_ED25519_SHA256_RFC5705: + authtype_str = "AUTH0003"; + is_ed = 1; + break; + default: + tor_assert(0); + break; + } auth = auth1_new(); /* Type: 8 bytes. */ - memcpy(auth1_getarray_type(auth), "AUTH0001", 8); + memcpy(auth1_getarray_type(auth), authtype_str, 8); { const tor_x509_cert_t *id_cert=NULL, *link_cert=NULL; @@ -2380,7 +2399,8 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, cert = freecert; } if (!cert) { - log_warn(LD_OR, "Unable to find cert when making AUTH1 data."); + log_warn(LD_OR, "Unable to find cert when making %s data.", + authtype_str); goto err; } @@ -2392,7 +2412,16 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, } /* HMAC of clientrandom and serverrandom using master key : 32 octets */ - tor_tls_get_tlssecrets(conn->tls, auth->tlssecrets); + if (old_tlssecrets_algorithm) { + tor_tls_get_tlssecrets(conn->tls, auth->tlssecrets); + } else { + char label[128]; + tor_snprintf(label, sizeof(label), + "EXPORTER FOR TOR TLS CLIENT BINDING %s", authtype_str); + tor_tls_export_key_material(conn->tls, auth->tlssecrets, + auth->cid, sizeof(auth->cid), + label); + } /* 8 octets were reserved for the current time, but we're trying to get out * of the habit of sending time around willynilly. Fortunately, nothing diff --git a/src/or/or.h b/src/or/or.h index 5b9b007..402fbfd 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1348,13 +1348,34 @@ typedef struct listener_connection_t { #define OR_CERT_TYPE_RSA_ED_CROSSCERT 7 /**@}*/ -/** The one currently supported type of AUTHENTICATE cell. It contains +/** The first supported type of AUTHENTICATE cell. It contains * a bunch of structures signed with an RSA1024 key. The signed * structures include a HMAC using negotiated TLS secrets, and a digest * of all cells sent or received before the AUTHENTICATE cell (including * the random server-generated AUTH_CHALLENGE cell). */ #define AUTHTYPE_RSA_SHA256_TLSSECRET 1 +/** As AUTHTYPE_RSA_SHA256_TLSSECRET, but instead of using the + * negotiated TLS secrets, uses exported keying material from the TLS + * session as described in RFC 5705. + * + * Not used by today's tors, since everything that supports this + * also supports ED25519_SHA3_5705, which is better. + **/ +#define AUTHTYPE_RSA_SHA256_RFC5705 2 +/** As AUTHTYPE_RSA_SHA256_RFC5705, but uses an Ed25519 identity key to + * authenticate. */ +#define AUTHTYPE_ED25519_SHA256_RFC5705 3 +/* + * NOTE: authchallenge_type_is_better() relies on these AUTHTYPE codes + * being sorted in order of preference. If we someday add one with + * a higher numerical value that we don't like as much, we should revise + * authchallenge_type_is_better(). + */ + + + + /** The length of the part of the AUTHENTICATE cell body that the client and * server can generate independently (when using RSA_SHA256_TLSSECRET). It

1 0

[tor/master] Free rsa_ed_crosscert at exit.
by nickm＠torproject.org 03 Nov '16

03 Nov '16

commit e94f1b4e0d4b31ed80e2eefb8700f2671817f561 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Aug 30 11:10:03 2016 -0400 Free rsa_ed_crosscert at exit. Fixes bug 17779; bugfix on 0.2.7.2-alpha. --- changes/bug17779 | 6 ++++++ src/or/routerkeys.c | 3 +++ 2 files changed, 9 insertions(+) diff --git a/changes/bug17779 b/changes/bug17779 new file mode 100644 index 0000000..0ed2d12 --- /dev/null +++ b/changes/bug17779 @@ -0,0 +1,6 @@ + o Minor bugfixes (leak at exit): + - Fix a small harmless memory leak at exit of the previously unused + RSA->Ed identity cross-certificate. Fixes 17779; bugfix on + 0.2.7.2-alpha. + + diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index 060ffd8..6d3ad40 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -1139,9 +1139,12 @@ routerkeys_free_all(void) tor_cert_free(signing_key_cert); tor_cert_free(link_cert_cert); tor_cert_free(auth_key_cert); + tor_free(rsa_ed_crosscert); master_identity_key = master_signing_key = NULL; current_auth_key = NULL; signing_key_cert = link_cert_cert = auth_key_cert = NULL; + rsa_ed_crosscert = NULL; // redundant + rsa_ed_crosscert_len = 0; }

1 0

[tor/master] Make the current time an argument to x509 cert-checking functions
by nickm＠torproject.org 03 Nov '16

03 Nov '16

commit 0b4221f98dbb93c9322e7a778f04bcbcfcc79738 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Aug 10 20:02:03 2016 -0400 Make the current time an argument to x509 cert-checking functions This makes the code a bit cleaner by having more of the functions be pure functions that don't depend on the current time. --- src/common/tortls.c | 25 ++++++++++++++----------- src/common/tortls.h | 4 +++- src/or/channeltls.c | 3 ++- src/or/torcert.c | 15 +++++++++------ src/or/torcert.h | 4 ++-- src/test/test_tortls.c | 26 +++++++++++++------------- 6 files changed, 43 insertions(+), 34 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index eaa5748..fd86981 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -136,6 +136,7 @@ static void tor_tls_context_decref(tor_tls_context_t *ctx); static void tor_tls_context_incref(tor_tls_context_t *ctx); static int check_cert_lifetime_internal(int severity, const X509 *cert, + time_t now, int past_tolerance, int future_tolerance); /** Global TLS contexts. We keep them here because nobody else needs @@ -860,6 +861,7 @@ int tor_tls_cert_is_valid(int severity, const tor_x509_cert_t *cert, const tor_x509_cert_t *signing_cert, + time_t now, int check_rsa_1024) { check_no_tls_errors(); @@ -879,7 +881,7 @@ tor_tls_cert_is_valid(int severity, /* okay, the signature checked out right. Now let's check the check the * lifetime. */ - if (check_cert_lifetime_internal(severity, cert->cert, + if (check_cert_lifetime_internal(severity, cert->cert, now, 48*60*60, 30*24*60*60) < 0) goto bad; @@ -2028,13 +2030,13 @@ tor_tls_get_peer_cert,(tor_tls_t *tls)) /** Warn that a certificate lifetime extends through a certain range. */ static void -log_cert_lifetime(int severity, const X509 *cert, const char *problem) +log_cert_lifetime(int severity, const X509 *cert, const char *problem, + time_t now) { BIO *bio = NULL; BUF_MEM *buf; char *s1=NULL, *s2=NULL; char mytime[33]; - time_t now = time(NULL); struct tm tm; size_t n; @@ -2182,6 +2184,7 @@ tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_t **identity_key) */ int tor_tls_check_lifetime(int severity, tor_tls_t *tls, + time_t now, int past_tolerance, int future_tolerance) { X509 *cert; @@ -2190,7 +2193,7 @@ tor_tls_check_lifetime(int severity, tor_tls_t *tls, if (!(cert = SSL_get_peer_certificate(tls->ssl))) goto done; - if (check_cert_lifetime_internal(severity, cert, + if (check_cert_lifetime_internal(severity, cert, now, past_tolerance, future_tolerance) < 0) goto done; @@ -2206,24 +2209,24 @@ tor_tls_check_lifetime(int severity, tor_tls_t *tls, /** Helper: check whether cert is expired give or take * past_tolerance seconds, or not-yet-valid give or take - * future_tolerance seconds. If it is live, return 0. If it is not - * live, log a message and return -1. */ + * future_tolerance seconds. (Relative to the current time + * now.) If it is live, return 0. If it is not live, log a message + * and return -1. */ static int check_cert_lifetime_internal(int severity, const X509 *cert, + time_t now, int past_tolerance, int future_tolerance) { - time_t now, t; - - now = time(NULL); + time_t t; t = now + future_tolerance; if (X509_cmp_time(X509_get_notBefore_const(cert), &t) > 0) { - log_cert_lifetime(severity, cert, "not yet valid"); + log_cert_lifetime(severity, cert, "not yet valid", now); return -1; } t = now - past_tolerance; if (X509_cmp_time(X509_get_notAfter_const(cert), &t) < 0) { - log_cert_lifetime(severity, cert, "already expired"); + log_cert_lifetime(severity, cert, "already expired", now); return -1; } diff --git a/src/common/tortls.h b/src/common/tortls.h index fe5898e..3adb1b2 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -200,7 +200,8 @@ int tor_tls_peer_has_cert(tor_tls_t *tls); MOCK_DECL(tor_x509_cert_t *,tor_tls_get_peer_cert,(tor_tls_t *tls)); int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_t **identity); int tor_tls_check_lifetime(int severity, - tor_tls_t *tls, int past_tolerance, + tor_tls_t *tls, time_t now, + int past_tolerance, int future_tolerance); MOCK_DECL(int, tor_tls_read, (tor_tls_t *tls, char *cp, size_t len)); int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n); @@ -259,6 +260,7 @@ MOCK_DECL(int,tor_tls_cert_matches_key,(const tor_tls_t *tls, int tor_tls_cert_is_valid(int severity, const tor_x509_cert_t *cert, const tor_x509_cert_t *signing_cert, + time_t now, int check_rsa_1024); const char *tor_tls_get_ciphersuite_name(tor_tls_t *tls); diff --git a/src/or/channeltls.c b/src/or/channeltls.c index cf57c29..9315f80 100644 --- a/src/or/channeltls.c +++ b/src/or/channeltls.c @@ -1918,7 +1918,8 @@ channel_tls_process_certs_cell(var_cell_t *cell, channel_tls_t *chan) if (! or_handshake_certs_rsa_ok(severity, chan->conn->handshake_state->certs, - chan->conn->tls)) + chan->conn->tls, + time(NULL))) ERR("Invalid RSA certificates!"); if (chan->conn->handshake_state->started_here) { diff --git a/src/or/torcert.c b/src/or/torcert.c index 94382f6..b7ed7f8 100644 --- a/src/or/torcert.c +++ b/src/or/torcert.c @@ -431,7 +431,8 @@ or_handshake_certs_free(or_handshake_certs_t *certs) int or_handshake_certs_rsa_ok(int severity, or_handshake_certs_t *certs, - tor_tls_t *tls) + tor_tls_t *tls, + time_t now) { tor_x509_cert_t *link_cert = certs->link_cert; tor_x509_cert_t *auth_cert = certs->auth_cert; @@ -442,17 +443,19 @@ or_handshake_certs_rsa_ok(int severity, ERR("The certs we wanted were missing"); if (! tor_tls_cert_matches_key(tls, link_cert)) ERR("The link certificate didn't match the TLS public key"); - if (! tor_tls_cert_is_valid(severity, link_cert, id_cert, 0)) + if (! tor_tls_cert_is_valid(severity, link_cert, id_cert, now, 0)) ERR("The link certificate was not valid"); - if (! tor_tls_cert_is_valid(severity, id_cert, id_cert, 1)) + if (! tor_tls_cert_is_valid(severity, id_cert, id_cert, now, 1)) ERR("The ID certificate was not valid"); } else { if (! (id_cert && auth_cert)) ERR("The certs we wanted were missing"); - /* Remember these certificates so we can check an AUTHENTICATE cell */ - if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, auth_cert, id_cert, 1)) + /* Remember these certificates so we can check an AUTHENTICATE cell + * XXXX make sure we do that + */ + if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, auth_cert, id_cert, now, 1)) ERR("The authentication certificate was not valid"); - if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, id_cert, id_cert, 1)) + if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, id_cert, id_cert, now, 1)) ERR("The ID certificate was not valid"); } diff --git a/src/or/torcert.h b/src/or/torcert.h index 39439d9..f851b92 100644 --- a/src/or/torcert.h +++ b/src/or/torcert.h @@ -81,8 +81,8 @@ or_handshake_certs_t *or_handshake_certs_new(void); void or_handshake_certs_free(or_handshake_certs_t *certs); int or_handshake_certs_rsa_ok(int severity, or_handshake_certs_t *certs, - tor_tls_t *tls); -int or_handshake_certs_ed25519_ok(or_handshake_certs_t *certs); + tor_tls_t *tls, + time_t now); #endif diff --git a/src/test/test_tortls.c b/src/test/test_tortls.c index 8efcac2..44961c8 100644 --- a/src/test/test_tortls.c +++ b/src/test/test_tortls.c @@ -1086,13 +1086,13 @@ test_tortls_check_lifetime(void *ignored) time_t now = time(NULL); tls = tor_malloc_zero(sizeof(tor_tls_t)); - ret = tor_tls_check_lifetime(LOG_WARN, tls, 0, 0); + ret = tor_tls_check_lifetime(LOG_WARN, tls, time(NULL), 0, 0); tt_int_op(ret, OP_EQ, -1); tls->ssl = tor_malloc_zero(sizeof(SSL)); tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION)); tls->ssl->session->peer = validCert; - ret = tor_tls_check_lifetime(LOG_WARN, tls, 0, 0); + ret = tor_tls_check_lifetime(LOG_WARN, tls, time(NULL), 0, 0); tt_int_op(ret, OP_EQ, 0); ASN1_STRING_free(validCert->cert_info->validity->notBefore); @@ -1100,10 +1100,10 @@ test_tortls_check_lifetime(void *ignored) ASN1_STRING_free(validCert->cert_info->validity->notAfter); validCert->cert_info->validity->notAfter = ASN1_TIME_set(NULL, now+60); - ret = tor_tls_check_lifetime(LOG_WARN, tls, 0, -1000); + ret = tor_tls_check_lifetime(LOG_WARN, tls, time(NULL), 0, -1000); tt_int_op(ret, OP_EQ, -1); - ret = tor_tls_check_lifetime(LOG_WARN, tls, -1000, 0); + ret = tor_tls_check_lifetime(LOG_WARN, tls, time(NULL), -1000, 0); tt_int_op(ret, OP_EQ, -1); done: @@ -2653,18 +2653,18 @@ test_tortls_cert_is_valid(void *ignored) tor_x509_cert_t *cert = NULL, *scert = NULL; scert = tor_malloc_zero(sizeof(tor_x509_cert_t)); - ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, 0); + ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0); tt_int_op(ret, OP_EQ, 0); cert = tor_malloc_zero(sizeof(tor_x509_cert_t)); - ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, 0); + ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0); tt_int_op(ret, OP_EQ, 0); tor_free(scert); tor_free(cert); cert = tor_x509_cert_new(read_cert_from(validCertString)); scert = tor_x509_cert_new(read_cert_from(caCertString)); - ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, 0); + ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0); tt_int_op(ret, OP_EQ, 1); #ifndef OPENSSL_OPAQUE @@ -2675,7 +2675,7 @@ test_tortls_cert_is_valid(void *ignored) ASN1_TIME_free(cert->cert->cert_info->validity->notAfter); cert->cert->cert_info->validity->notAfter = ASN1_TIME_set(NULL, time(NULL)-1000000); - ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, 0); + ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0); tt_int_op(ret, OP_EQ, 0); tor_x509_cert_free(cert); @@ -2684,7 +2684,7 @@ test_tortls_cert_is_valid(void *ignored) scert = tor_x509_cert_new(read_cert_from(caCertString)); X509_PUBKEY_free(cert->cert->cert_info->key); cert->cert->cert_info->key = NULL; - ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, 1); + ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 1); tt_int_op(ret, OP_EQ, 0); #endif @@ -2695,7 +2695,7 @@ test_tortls_cert_is_valid(void *ignored) scert = tor_x509_cert_new(read_cert_from(caCertString)); /* This doesn't actually change the key in the cert. XXXXXX */ BN_one(EVP_PKEY_get1_RSA(X509_get_pubkey(cert->cert))->n); - ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, 1); + ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 1); tt_int_op(ret, OP_EQ, 0); tor_x509_cert_free(cert); @@ -2704,7 +2704,7 @@ test_tortls_cert_is_valid(void *ignored) scert = tor_x509_cert_new(read_cert_from(caCertString)); /* This doesn't actually change the key in the cert. XXXXXX */ X509_get_pubkey(cert->cert)->type = EVP_PKEY_EC; - ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, 1); + ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 1); tt_int_op(ret, OP_EQ, 0); tor_x509_cert_free(cert); @@ -2713,7 +2713,7 @@ test_tortls_cert_is_valid(void *ignored) scert = tor_x509_cert_new(read_cert_from(caCertString)); /* This doesn't actually change the key in the cert. XXXXXX */ X509_get_pubkey(cert->cert)->type = EVP_PKEY_EC; - ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, 0); + ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0); tt_int_op(ret, OP_EQ, 1); tor_x509_cert_free(cert); @@ -2723,7 +2723,7 @@ test_tortls_cert_is_valid(void *ignored) /* This doesn't actually change the key in the cert. XXXXXX */ X509_get_pubkey(cert->cert)->type = EVP_PKEY_EC; X509_get_pubkey(cert->cert)->ameth = NULL; - ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, 0); + ret = tor_tls_cert_is_valid(LOG_WARN, cert, scert, time(NULL), 0); tt_int_op(ret, OP_EQ, 0); #endif

1 0

[tor/master] Refactor ...compute_authenticate_cell_body() to return a var_cell_t.
by nickm＠torproject.org 03 Nov '16

03 Nov '16

commit 4ef42e7c529a95b69d3e830e115e5d0453d38dfb Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue May 19 13:10:01 2015 -0400 Refactor ...compute_authenticate_cell_body() to return a var_cell_t. This means we don't need to precompute the length. Helps simplify the implementation of 19156. --- src/or/channeltls.c | 33 +++++++++++++++++++++------- src/or/connection_or.c | 59 ++++++++++++++++++++++++-------------------------- src/or/connection_or.h | 3 +-- 3 files changed, 54 insertions(+), 41 deletions(-) diff --git a/src/or/channeltls.c b/src/or/channeltls.c index 8009c0b..9e92aad 100644 --- a/src/or/channeltls.c +++ b/src/or/channeltls.c @@ -2112,9 +2112,11 @@ channel_tls_process_auth_challenge_cell(var_cell_t *cell, channel_tls_t *chan) STATIC void channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan) { - uint8_t expected[V3_AUTH_FIXED_PART_LEN+256]; + var_cell_t *expected_cell = NULL; const uint8_t *auth; int authlen; + const int authtype = 1; /* XXXX extend this */ + int bodylen; tor_assert(cell); tor_assert(chan); @@ -2127,6 +2129,7 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan) safe_str(chan->conn->base_.address), \ chan->conn->base_.port, (s)); \ connection_or_close_for_error(chan->conn, 0); \ + var_cell_free(expected_cell); \ return; \ } while (0) @@ -2158,7 +2161,7 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan) if (4 + len > cell->payload_len) ERR("Authenticator was truncated"); - if (type != AUTHTYPE_RSA_SHA256_TLSSECRET) + if (type != authtype) ERR("Authenticator type was not recognized"); auth += 4; @@ -2168,14 +2171,26 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan) if (authlen < V3_AUTH_BODY_LEN + 1) ERR("Authenticator was too short"); - ssize_t bodylen = - connection_or_compute_authenticate_cell_body( - chan->conn, expected, sizeof(expected), - AUTHTYPE_RSA_SHA256_TLSSECRET, NULL, NULL, 1); - if (bodylen < 0 || bodylen != V3_AUTH_FIXED_PART_LEN) + expected_cell = connection_or_compute_authenticate_cell_body( + chan->conn, authtype, NULL, NULL, 1); + if (! expected_cell) ERR("Couldn't compute expected AUTHENTICATE cell body"); - if (tor_memneq(expected, auth, bodylen)) + if (authtype == AUTHTYPE_RSA_SHA256_TLSSECRET || + authtype == AUTHTYPE_RSA_SHA256_RFC5705) { + bodylen = V3_AUTH_BODY_LEN; + } else { + bodylen = authlen - ED25519_SIG_LEN; /* XXXX DOCDOC */ + } + if (expected_cell->payload_len != bodylen+4) { + ERR("Expected AUTHENTICATE cell body len not as expected."); + } + + /* Length of random part. */ + if (bodylen < 24) + ERR("Bodylen is somehow less than 24, which should really be impossible"); + + if (tor_memneq(expected_cell->payload+4, auth, bodylen-24)) ERR("Some field in the AUTHENTICATE cell body was not as expected"); { @@ -2246,6 +2261,8 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan) chan->conn->base_.port); } + var_cell_free(expected_cell); + #undef ERR } diff --git a/src/or/connection_or.c b/src/or/connection_or.c index fed933b..ed91595 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -2292,8 +2292,8 @@ connection_or_send_auth_challenge_cell(or_connection_t *conn) } /** Compute the main body of an AUTHENTICATE cell that a client can use - * to authenticate itself on a v3 handshake for conn. Write it to the - * outlen-byte buffer at out. + * to authenticate itself on a v3 handshake for conn. Return it + * in a var_cell_t. * * If server is true, only calculate the first * V3_AUTH_FIXED_PART_LEN bytes -- the part of the authenticator that's @@ -2309,9 +2309,8 @@ connection_or_send_auth_challenge_cell(or_connection_t *conn) * * Return the length of the cell body on success, and -1 on failure. */ -int +var_cell_t * connection_or_compute_authenticate_cell_body(or_connection_t *conn, - uint8_t *out, size_t outlen, const int authtype, crypto_pk_t *signing_key, ed25519_keypair_t *ed_signing_key, @@ -2319,7 +2318,7 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, { auth1_t *auth = NULL; auth_ctx_t *ctx = auth_ctx_new(); - int result; + var_cell_t *result = NULL; int old_tlssecrets_algorithm = 0; const char *authtype_str = NULL; @@ -2444,7 +2443,22 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, * checks it. That's followed by 16 bytes of nonce. */ crypto_rand((char*)auth->rand, 24); + ssize_t maxlen = auth1_encoded_len(auth, ctx); + if (ed_signing_key && is_ed) { + maxlen += ED25519_SIG_LEN; + } else if (signing_key && !is_ed) { + maxlen += crypto_pk_keysize(signing_key); + } + + const int AUTH_CELL_HEADER_LEN = 4; /* 2 bytes of type, 2 bytes of length */ + result = var_cell_new(AUTH_CELL_HEADER_LEN + maxlen); + uint8_t *const out = result->payload + AUTH_CELL_HEADER_LEN; + const size_t outlen = maxlen; ssize_t len; + + result->command = CELL_AUTHENTICATE; + set_uint16(result->payload, htons(authtype)); + if ((len = auth1_encode(out, outlen, auth, ctx)) < 0) { log_warn(LD_OR, "Unable to encode signed part of AUTH1 data."); goto err; @@ -2457,7 +2471,8 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, log_warn(LD_OR, "Unable to parse signed part of AUTH1 data."); goto err; } - result = (int) (tmp->end_of_fixed_part - out); + result->payload_len = (tmp->end_of_signed - result->payload); + auth1_free(tmp); if (len2 != len) { log_warn(LD_OR, "Mismatched length when re-parsing AUTH1 data."); @@ -2488,7 +2503,6 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, } auth1_setlen_sig(auth, siglen); - } len = auth1_encode(out, outlen, auth, ctx); @@ -2496,12 +2510,15 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, log_warn(LD_OR, "Unable to encode signed AUTH1 data."); goto err; } + tor_assert(len + AUTH_CELL_HEADER_LEN <= result->payload_len); + result->payload_len = len + AUTH_CELL_HEADER_LEN; + set_uint16(result->payload+2, htons(len)); - result = (int) len; goto done; err: - result = -1; + var_cell_free(result); + result = NULL; done: auth1_free(auth); auth_ctx_free(ctx); @@ -2515,8 +2532,6 @@ connection_or_send_authenticate_cell,(or_connection_t *conn, int authtype)) { var_cell_t *cell; crypto_pk_t *pk = tor_tls_get_my_client_auth_key(); - int authlen; - size_t cell_maxlen; /* XXXX make sure we're actually supposed to send this! */ if (!pk) { @@ -2529,33 +2544,15 @@ connection_or_send_authenticate_cell,(or_connection_t *conn, int authtype)) return -1; } - /* XXXX stop precomputing this. */ - cell_maxlen = 4 + /* overhead */ - V3_AUTH_BODY_LEN + /* Authentication body */ - crypto_pk_keysize(pk) + /* Max signature length */ - 16 /* add a few extra bytes just in case. */; - - cell = var_cell_new(cell_maxlen); - cell->command = CELL_AUTHENTICATE; - set_uint16(cell->payload, htons(AUTHTYPE_RSA_SHA256_TLSSECRET)); - /* skip over length ; we don't know that yet. */ - - authlen = connection_or_compute_authenticate_cell_body(conn, - cell->payload+4, - cell_maxlen-4, + cell = connection_or_compute_authenticate_cell_body(conn, AUTHTYPE_RSA_SHA256_TLSSECRET, pk, NULL, 0 /* not server */); - if (authlen < 0) { + if (! cell) { log_warn(LD_BUG, "Unable to compute authenticate cell!"); - var_cell_free(cell); return -1; } - tor_assert(authlen + 4 <= cell->payload_len); - set_uint16(cell->payload+2, htons(authlen)); - cell->payload_len = authlen + 4; - connection_or_write_var_cell_to_buf(cell, conn); var_cell_free(cell); diff --git a/src/or/connection_or.h b/src/or/connection_or.h index 8373ed9..65a8ac1 100644 --- a/src/or/connection_or.h +++ b/src/or/connection_or.h @@ -84,8 +84,7 @@ int connection_or_send_versions(or_connection_t *conn, int v3_plus); MOCK_DECL(int,connection_or_send_netinfo,(or_connection_t *conn)); int connection_or_send_certs_cell(or_connection_t *conn); int connection_or_send_auth_challenge_cell(or_connection_t *conn); -int connection_or_compute_authenticate_cell_body(or_connection_t *conn, - uint8_t *out, size_t outlen, +var_cell_t *connection_or_compute_authenticate_cell_body(or_connection_t *conn, const int authtype, crypto_pk_t *signing_key, ed25519_keypair_t *ed_signing_key,

1 0

[tor/master] Send ed25519 certificates in certs cell, when we have them.
by nickm＠torproject.org 03 Nov '16

03 Nov '16

commit fdd8f8df67be92b5e3058afcad68a1e267442b77 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Mar 5 12:01:19 2015 +0100 Send ed25519 certificates in certs cell, when we have them. Implements 19155 (send CERTS cells correctly for Ed25519) Also send RSA->Ed crosscert --- src/or/connection_or.c | 114 ++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 93 insertions(+), 21 deletions(-) diff --git a/src/or/connection_or.c b/src/or/connection_or.c index fc60e61..09579f8 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -38,9 +38,11 @@ #include "relay.h" #include "rephist.h" #include "router.h" +#include "routerkeys.h" #include "routerlist.h" #include "ext_orport.h" #include "scheduler.h" +#include "torcert.h" static int connection_tls_finish_handshake(or_connection_t *conn); static int connection_or_launch_v3_or_handshake(or_connection_t *conn); @@ -2121,14 +2123,56 @@ connection_or_send_netinfo,(or_connection_t *conn)) return 0; } +/** Add an encoded X509 cert (stored as cert_len bytes at + * cert_encoded) to the trunnel certs_cell_t object that we are + * building in certs_cell. Set its type field to cert_type. */ +static void +add_x509_cert(certs_cell_t *certs_cell, + uint8_t cert_type, + const tor_x509_cert_t *cert) +{ + const uint8_t *cert_encoded = NULL; + size_t cert_len; + tor_x509_cert_get_der(cert, &cert_encoded, &cert_len); + tor_assert(cert_len <= UINT16_MAX); + + certs_cell_cert_t *ccc = certs_cell_cert_new(); + ccc->cert_type = cert_type; + ccc->cert_len = cert_len; + certs_cell_cert_setlen_body(ccc, cert_len); + memcpy(certs_cell_cert_getarray_body(ccc), cert_encoded, cert_len); + + certs_cell_add_certs(certs_cell, ccc); +} + +/** Add an Ed25519 cert from cert to the trunnel certs_cell_t object + * that we are building in certs_cell. Set its type field to + * cert_type. */ +static void +add_ed25519_cert(certs_cell_t *certs_cell, + uint8_t cert_type, + const tor_cert_t *cert) +{ + if (NULL == cert) + return; + + certs_cell_cert_t *ccc = certs_cell_cert_new(); + ccc->cert_type = cert_type; + tor_assert(cert->encoded_len <= UINT16_MAX); + ccc->cert_len = cert->encoded_len; + certs_cell_cert_setlen_body(ccc, cert->encoded_len); + memcpy(certs_cell_cert_getarray_body(ccc), cert->encoded, + cert->encoded_len); + + certs_cell_add_certs(certs_cell, ccc); +} + /** Send a CERTS cell on the connection conn. Return 0 on success, -1 * on failure. */ int connection_or_send_certs_cell(or_connection_t *conn) { const tor_x509_cert_t *link_cert = NULL, *id_cert = NULL; - const uint8_t *link_encoded = NULL, *id_encoded = NULL; - size_t link_len, id_len; var_cell_t *cell; certs_cell_t *certs_cell = NULL; @@ -2137,34 +2181,62 @@ connection_or_send_certs_cell(or_connection_t *conn) if (! conn->handshake_state) return -1; + const int conn_in_server_mode = ! conn->handshake_state->started_here; + + /* Get the encoded values of the X509 certificates */ if (tor_tls_get_my_certs(conn_in_server_mode, &link_cert, &id_cert) < 0) return -1; - certs_cell = certs_cell_new(); - - tor_x509_cert_get_der(link_cert, &link_encoded, &link_len); - tor_x509_cert_get_der(id_cert, &id_encoded, &id_len); + tor_assert(link_cert); + tor_assert(id_cert); - certs_cell_cert_t *ccc = certs_cell_cert_new(); - if (conn_in_server_mode) - ccc->cert_type = OR_CERT_TYPE_TLS_LINK; /* Link cert */ - else - ccc->cert_type = OR_CERT_TYPE_AUTH_1024; /* client authentication */ - ccc->cert_len = link_len; - certs_cell_cert_setlen_body(ccc, link_len); - memcpy(certs_cell_cert_getarray_body(ccc), link_encoded, link_len); + certs_cell = certs_cell_new(); - certs_cell_add_certs(certs_cell, ccc); + /* Start adding certs. First the link cert or auth1024 cert. */ + if (conn_in_server_mode) { + add_x509_cert(certs_cell, + OR_CERT_TYPE_TLS_LINK, link_cert); + } else { + add_x509_cert(certs_cell, + OR_CERT_TYPE_AUTH_1024, link_cert); + } - ccc = certs_cell_cert_new(); - ccc->cert_type = OR_CERT_TYPE_ID_1024; /* ID cert */ - ccc->cert_len = id_len; - certs_cell_cert_setlen_body(ccc, id_len); - memcpy(certs_cell_cert_getarray_body(ccc), id_encoded, id_len); + /* Next the RSA->RSA ID cert */ + add_x509_cert(certs_cell, + OR_CERT_TYPE_ID_1024, id_cert); + + /* Next the Ed25519 certs */ + add_ed25519_cert(certs_cell, + CERTTYPE_ED_ID_SIGN, + get_master_signing_key_cert()); + if (conn_in_server_mode) { + add_ed25519_cert(certs_cell, + CERTTYPE_ED_SIGN_LINK, + get_current_link_cert_cert()); + } else { + add_ed25519_cert(certs_cell, + CERTTYPE_ED_SIGN_AUTH, + get_current_auth_key_cert()); + } - certs_cell_add_certs(certs_cell, ccc); + /* And finally the crosscert. */ + { + const uint8_t *crosscert=NULL; + size_t crosscert_len; + get_master_rsa_crosscert(&crosscert, &crosscert_len); + if (crosscert) { + certs_cell_cert_t *ccc = certs_cell_cert_new(); + ccc->cert_type = CERTTYPE_RSA1024_ID_EDID; + ccc->cert_len = crosscert_len; + certs_cell_cert_setlen_body(ccc, crosscert_len); + memcpy(certs_cell_cert_getarray_body(ccc), crosscert, + crosscert_len); + certs_cell_add_certs(certs_cell, ccc); + } + } + /* We've added all the certs; make the cell. */ certs_cell->n_certs = certs_cell_getlen_certs(certs_cell); ssize_t alloc_len = certs_cell_encoded_len(certs_cell);

1 0

[tor/master] Fix a misfeature with the Ed cert expiration API
by nickm＠torproject.org 03 Nov '16

03 Nov '16

commit fae7060aea5c562fc59e7089b6a3459a5718b2d0 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Aug 30 08:48:50 2016 -0400 Fix a misfeature with the Ed cert expiration API The batch-verification helper didn't expose the expiration time, which made it pretty error-prone. This closes ticket 15087. --- src/or/routerparse.c | 12 +++++------- src/or/torcert.c | 23 +++++++++++++++++------ src/or/torcert.h | 5 +++-- 3 files changed, 25 insertions(+), 15 deletions(-) diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 03f8f4e..686ac48 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -2028,12 +2028,13 @@ router_parse_entry_from_string(const char *s, const char *end, ed25519_checkable_t check[3]; int check_ok[3]; - if (tor_cert_get_checkable_sig(&check[0], cert, NULL) < 0) { + time_t expires = TIME_MAX; + if (tor_cert_get_checkable_sig(&check[0], cert, NULL, &expires) < 0) { log_err(LD_BUG, "Couldn't create 'checkable' for cert."); goto err; } if (tor_cert_get_checkable_sig(&check[1], - ntor_cc_cert, &ntor_cc_pk) < 0) { + ntor_cc_cert, &ntor_cc_pk, &expires) < 0) { log_err(LD_BUG, "Couldn't create 'checkable' for ntor_cc_cert."); goto err; } @@ -2063,10 +2064,7 @@ router_parse_entry_from_string(const char *s, const char *end, } /* We check this before adding it to the routerlist. */ - if (cert->valid_until < ntor_cc_cert->valid_until) - router->cert_expiration_time = cert->valid_until; - else - router->cert_expiration_time = ntor_cc_cert->valid_until; + router->cert_expiration_time = expires; } } @@ -2376,7 +2374,7 @@ extrainfo_parse_entry_from_string(const char *s, const char *end, ed25519_checkable_t check[2]; int check_ok[2]; - if (tor_cert_get_checkable_sig(&check[0], cert, NULL) < 0) { + if (tor_cert_get_checkable_sig(&check[0], cert, NULL, NULL) < 0) { log_err(LD_BUG, "Couldn't create 'checkable' for cert."); goto err; } diff --git a/src/or/torcert.c b/src/or/torcert.c index b7ed7f8..2629155 100644 --- a/src/or/torcert.c +++ b/src/or/torcert.c @@ -166,11 +166,17 @@ tor_cert_parse(const uint8_t *encoded, const size_t len) } /** Fill in checkable_out with the information needed to check - * the signature on cert with pubkey. */ + * the signature on cert with pubkey. + * + * On success, if expiration_out is provided, and it is some time + * _after_ the expiration time of this certificate, set it to the + * expiration time of this certificate. + */ int tor_cert_get_checkable_sig(ed25519_checkable_t *checkable_out, const tor_cert_t *cert, - const ed25519_public_key_t *pubkey) + const ed25519_public_key_t *pubkey, + time_t *expiration_out) { if (! pubkey) { if (cert->signing_key_included) @@ -187,6 +193,10 @@ tor_cert_get_checkable_sig(ed25519_checkable_t *checkable_out, memcpy(checkable_out->signature.sig, cert->encoded + signed_len, ED25519_SIG_LEN); + if (expiration_out) { + *expiration_out = MIN(*expiration_out, cert->valid_until); + } + return 0; } @@ -201,14 +211,15 @@ tor_cert_checksig(tor_cert_t *cert, { ed25519_checkable_t checkable; int okay; + time_t expires = TIME_MAX; - if (now && now > cert->valid_until) { - cert->cert_expired = 1; + if (tor_cert_get_checkable_sig(&checkable, cert, pubkey, &expires) < 0) return -1; - } - if (tor_cert_get_checkable_sig(&checkable, cert, pubkey) < 0) + if (now && now > expires) { + cert->cert_expired = 1; return -1; + } if (ed25519_checksig_batch(&okay, &checkable, 1) < 0) { cert->sig_bad = 1; diff --git a/src/or/torcert.h b/src/or/torcert.h index f851b92..143a2aa 100644 --- a/src/or/torcert.h +++ b/src/or/torcert.h @@ -57,8 +57,9 @@ tor_cert_t *tor_cert_parse(const uint8_t *cert, size_t certlen); void tor_cert_free(tor_cert_t *cert); int tor_cert_get_checkable_sig(ed25519_checkable_t *checkable_out, - const tor_cert_t *out, - const ed25519_public_key_t *pubkey); + const tor_cert_t *out, + const ed25519_public_key_t *pubkey, + time_t *expiration_out); int tor_cert_checksig(tor_cert_t *cert, const ed25519_public_key_t *pubkey, time_t now);

1 0

[tor/master] Code to send correct authentication data when we are using AUTHTYPE>2
by nickm＠torproject.org 03 Nov '16

03 Nov '16

commit 2bf655394942e5b76944df92c8cd002fc15d3382 Author: Nick Mathewson <nickm(a)torproject.org> Date: Sat May 16 12:09:25 2015 -0400 Code to send correct authentication data when we are using AUTHTYPE>2 Implements the major part of 19156, except doesn't actually send the new cell type yet. --- src/or/channeltls.c | 3 ++- src/or/connection_or.c | 42 +++++++++++++++++++++++++++++++++++------- src/or/connection_or.h | 8 +++++--- src/or/or.h | 2 ++ 4 files changed, 44 insertions(+), 11 deletions(-) diff --git a/src/or/channeltls.c b/src/or/channeltls.c index e30ecb0..8009c0b 100644 --- a/src/or/channeltls.c +++ b/src/or/channeltls.c @@ -2170,7 +2170,8 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan) ssize_t bodylen = connection_or_compute_authenticate_cell_body( - chan->conn, expected, sizeof(expected), NULL, 1); + chan->conn, expected, sizeof(expected), + AUTHTYPE_RSA_SHA256_TLSSECRET, NULL, NULL, 1); if (bodylen < 0 || bodylen != V3_AUTH_FIXED_PART_LEN) ERR("Couldn't compute expected AUTHENTICATE cell body"); diff --git a/src/or/connection_or.c b/src/or/connection_or.c index d06a246..fed933b 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -2312,7 +2312,9 @@ connection_or_send_auth_challenge_cell(or_connection_t *conn) int connection_or_compute_authenticate_cell_body(or_connection_t *conn, uint8_t *out, size_t outlen, + const int authtype, crypto_pk_t *signing_key, + ed25519_keypair_t *ed_signing_key, int server) { auth1_t *auth = NULL; @@ -2322,7 +2324,6 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, const char *authtype_str = NULL; int is_ed = 0; - const int authtype = 1; /* XXXX this should be an argument. */ /* assert state is reasonable XXXX */ switch (authtype) { @@ -2343,6 +2344,7 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, } auth = auth1_new(); + ctx->is_ed = is_ed; /* Type: 8 bytes. */ memcpy(auth1_getarray_type(auth), authtype_str, 8); @@ -2371,6 +2373,20 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, memcpy(auth->sid, server_id, 32); } + if (is_ed) { + const ed25519_public_key_t *my_ed_id, *their_ed_id; + if (!conn->handshake_state->ed_id_sign_cert) + goto err; + my_ed_id = get_master_identity_key(); + their_ed_id = &conn->handshake_state->ed_id_sign_cert->signing_key; + + const uint8_t *cid_ed = (server ? their_ed_id : my_ed_id)->pubkey; + const uint8_t *sid_ed = (server ? my_ed_id : their_ed_id)->pubkey; + + memcpy(auth->u1_cid_ed, cid_ed, ED25519_PUBKEY_LEN); + memcpy(auth->u1_sid_ed, sid_ed, ED25519_PUBKEY_LEN); + } + { crypto_digest_t *server_d, *client_d; if (server) { @@ -2450,7 +2466,14 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, goto done; } - if (signing_key) { + if (ed_signing_key && is_ed) { + ed25519_signature_t sig; + if (ed25519_sign(&sig, out, len, ed_signing_key) < 0) + goto err; + auth1_setlen_sig(auth, ED25519_SIG_LEN); + memcpy(auth1_getarray_sig(auth), sig.sig, ED25519_SIG_LEN); + + } else if (signing_key && !is_ed) { auth1_setlen_sig(auth, crypto_pk_keysize(signing_key)); char d[32]; @@ -2466,12 +2489,14 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, auth1_setlen_sig(auth, siglen); - len = auth1_encode(out, outlen, auth, ctx); - if (len < 0) { - log_warn(LD_OR, "Unable to encode signed AUTH1 data."); - goto err; - } } + + len = auth1_encode(out, outlen, auth, ctx); + if (len < 0) { + log_warn(LD_OR, "Unable to encode signed AUTH1 data."); + goto err; + } + result = (int) len; goto done; @@ -2504,6 +2529,7 @@ connection_or_send_authenticate_cell,(or_connection_t *conn, int authtype)) return -1; } + /* XXXX stop precomputing this. */ cell_maxlen = 4 + /* overhead */ V3_AUTH_BODY_LEN + /* Authentication body */ crypto_pk_keysize(pk) + /* Max signature length */ @@ -2517,7 +2543,9 @@ connection_or_send_authenticate_cell,(or_connection_t *conn, int authtype)) authlen = connection_or_compute_authenticate_cell_body(conn, cell->payload+4, cell_maxlen-4, + AUTHTYPE_RSA_SHA256_TLSSECRET, pk, + NULL, 0 /* not server */); if (authlen < 0) { log_warn(LD_BUG, "Unable to compute authenticate cell!"); diff --git a/src/or/connection_or.h b/src/or/connection_or.h index 2e8c606..8373ed9 100644 --- a/src/or/connection_or.h +++ b/src/or/connection_or.h @@ -85,9 +85,11 @@ MOCK_DECL(int,connection_or_send_netinfo,(or_connection_t *conn)); int connection_or_send_certs_cell(or_connection_t *conn); int connection_or_send_auth_challenge_cell(or_connection_t *conn); int connection_or_compute_authenticate_cell_body(or_connection_t *conn, - uint8_t *out, size_t outlen, - crypto_pk_t *signing_key, - int server); + uint8_t *out, size_t outlen, + const int authtype, + crypto_pk_t *signing_key, + ed25519_keypair_t *ed_signing_key, + int server); MOCK_DECL(int,connection_or_send_authenticate_cell, (or_connection_t *conn, int type)); diff --git a/src/or/or.h b/src/or/or.h index 402fbfd..9e9b1bf 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1445,6 +1445,8 @@ typedef struct or_handshake_state_t { tor_x509_cert_t *auth_cert; /** A self-signed identity certificate */ tor_x509_cert_t *id_cert; + /** DOCDOC */ + struct tor_cert_st *ed_id_sign_cert; /**@}*/ } or_handshake_state_t;

1 0

[tor/master] Add function to check RSA->Ed cross-certifications
by nickm＠torproject.org 03 Nov '16

03 Nov '16

commit e3c825372180be00aff9c8e5cde60ea36d141f8c Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Aug 10 14:19:09 2016 -0400 Add function to check RSA->Ed cross-certifications Also, adjust signing approach to more closely match the signing scheme in the proposal. (The format doesn't quite match the format in the proposal, since RSA signatures aren't fixed-length.) Closes 19020. --- src/or/torcert.c | 105 ++++++++++++++++++++++++++++++++++++++++++++- src/or/torcert.h | 5 +++ src/test/test_routerkeys.c | 62 ++++++++++++++++++++++++++ 3 files changed, 171 insertions(+), 1 deletion(-) diff --git a/src/or/torcert.c b/src/or/torcert.c index 2f0cc53..94382f6 100644 --- a/src/or/torcert.c +++ b/src/or/torcert.c @@ -257,6 +257,8 @@ tor_cert_opt_eq(const tor_cert_t *cert1, const tor_cert_t *cert2) return tor_cert_eq(cert1, cert2); } +#define RSA_ED_CROSSCERT_PREFIX "Tor TLS RSA/Ed25519 cross-certificate" + /** Create new cross-certification object to certify ed_key as the * master ed25519 identity key for the RSA identity key rsa_key. * Allocates and stores the encoded certificate in *cert, and returns @@ -281,11 +283,21 @@ tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key, ssize_t sz = rsa_ed_crosscert_encode(res, alloc_sz, cc); tor_assert(sz > 0 && sz <= alloc_sz); + crypto_digest_t *d = crypto_digest256_new(DIGEST_SHA256); + crypto_digest_add_bytes(d, RSA_ED_CROSSCERT_PREFIX, + strlen(RSA_ED_CROSSCERT_PREFIX)); + const int signed_part_len = 32 + 4; + crypto_digest_add_bytes(d, (char*)res, signed_part_len); + + uint8_t digest[DIGEST256_LEN]; + crypto_digest_get_digest(d, (char*)digest, sizeof(digest)); + crypto_digest_free(d); + int siglen = crypto_pk_private_sign(rsa_key, (char*)rsa_ed_crosscert_getarray_sig(cc), rsa_ed_crosscert_getlen_sig(cc), - (char*)res, signed_part_len); + (char*)digest, sizeof(digest)); tor_assert(siglen > 0 && siglen <= (int)crypto_pk_keysize(rsa_key)); tor_assert(siglen <= UINT8_MAX); cc->sig_len = siglen; @@ -297,6 +309,96 @@ tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key, return sz; } +/** + * Check whether the crosscert_len byte certificate in crosscert + * is in fact a correct cross-certification of master_key using + * the RSA key rsa_id_key. + * + * Also reject the certificate if it expired before + * reject_if_expired_before. + * + * Return 0 on success, negative on failure. + */ +int +rsa_ed25519_crosscert_check(const uint8_t *crosscert, + const size_t crosscert_len, + const crypto_pk_t *rsa_id_key, + const ed25519_public_key_t *master_key, + const time_t reject_if_expired_before) +{ + rsa_ed_crosscert_t *cc = NULL; + int rv; + +#define ERR(code, s) \ + do { \ + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, \ + "Received a bad RSA->Ed25519 crosscert: %s", \ + (s)); \ + rv = (code); \ + goto err; \ + } while (0) + + if (BUG(crypto_pk_keysize(rsa_id_key) > PK_BYTES)) + return -1; + + if (BUG(!crosscert)) + return -1; + + ssize_t parsed_len = rsa_ed_crosscert_parse(&cc, crosscert, crosscert_len); + if (parsed_len < 0 || crosscert_len != (size_t)parsed_len) { + ERR(-2, "Unparseable or overlong crosscert"); + } + + if (tor_memneq(rsa_ed_crosscert_getarray_ed_key(cc), + master_key->pubkey, + ED25519_PUBKEY_LEN)) { + ERR(-3, "Crosscert did not match Ed25519 key"); + } + + const uint32_t expiration_date = rsa_ed_crosscert_get_expiration(cc); + const uint64_t expiration_time = expiration_date * 3600; + + if (reject_if_expired_before < 0 || + expiration_time < (uint64_t)reject_if_expired_before) { + ERR(-4, "Crosscert is expired"); + } + + const uint8_t *eos = rsa_ed_crosscert_get_end_of_signed(cc); + const uint8_t *sig = rsa_ed_crosscert_getarray_sig(cc); + const uint8_t siglen = rsa_ed_crosscert_get_sig_len(cc); + tor_assert(eos >= crosscert); + tor_assert((size_t)(eos - crosscert) <= crosscert_len); + tor_assert(siglen == rsa_ed_crosscert_getlen_sig(cc)); + + /* Compute the digest */ + uint8_t digest[DIGEST256_LEN]; + crypto_digest_t *d = crypto_digest256_new(DIGEST_SHA256); + crypto_digest_add_bytes(d, RSA_ED_CROSSCERT_PREFIX, + strlen(RSA_ED_CROSSCERT_PREFIX)); + crypto_digest_add_bytes(d, (char*)crosscert, eos-crosscert); + crypto_digest_get_digest(d, (char*)digest, sizeof(digest)); + crypto_digest_free(d); + + /* Now check the signature */ + uint8_t signed_[PK_BYTES]; + int signed_len = crypto_pk_public_checksig(rsa_id_key, + (char*)signed_, sizeof(signed_), + (char*)sig, siglen); + if (signed_len < DIGEST256_LEN) { + ERR(-5, "Bad signature, or length of signed data not as expected"); + } + + if (tor_memneq(digest, signed_, DIGEST256_LEN)) { + ERR(-6, "The signature was good, but it didn't match the data"); + } + + rv = 0; + err: + rsa_ed_crosscert_free(cc); + return rv; +} + +/** Construct and return a new empty or_handshake_certs object */ or_handshake_certs_t * or_handshake_certs_new(void) { @@ -317,6 +419,7 @@ or_handshake_certs_free(or_handshake_certs_t *certs) tor_free(certs); } +#undef ERR #define ERR(s) \ do { \ log_fn(severity, LD_PROTOCOL, \ diff --git a/src/or/torcert.h b/src/or/torcert.h index 0420b41..39439d9 100644 --- a/src/or/torcert.h +++ b/src/or/torcert.h @@ -71,6 +71,11 @@ ssize_t tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key, const crypto_pk_t *rsa_key, time_t expires, uint8_t **cert); +int rsa_ed25519_crosscert_check(const uint8_t *crosscert, + const size_t crosscert_len, + const crypto_pk_t *rsa_id_key, + const ed25519_public_key_t *master_key, + const time_t reject_if_expired_before); or_handshake_certs_t *or_handshake_certs_new(void); void or_handshake_certs_free(or_handshake_certs_t *certs); diff --git a/src/test/test_routerkeys.c b/src/test/test_routerkeys.c index 24b0da1..56055a3 100644 --- a/src/test/test_routerkeys.c +++ b/src/test/test_routerkeys.c @@ -614,6 +614,67 @@ test_routerkeys_cross_certify_tap(void *args) crypto_pk_free(onion_key); } + +static void +test_routerkeys_rsa_ed_crosscert(void *arg) +{ + (void)arg; + ed25519_public_key_t ed; + crypto_pk_t *rsa = pk_generate(2); + + uint8_t *cc = NULL; + ssize_t cc_len; + time_t expires_in = 1470846177; + + tt_int_op(0, OP_EQ, ed25519_public_from_base64(&ed, + "ThisStringCanContainAnythingSoNoKeyHereNowX")); + cc_len = tor_make_rsa_ed25519_crosscert(&ed, rsa, expires_in, &cc); + + tt_int_op(cc_len, OP_GT, 0); + tt_int_op(cc_len, OP_GT, 37); /* key, expires, siglen */ + tt_mem_op(cc, OP_EQ, ed.pubkey, 32); + time_t expires_out = 3600 * ntohl(get_uint32(cc+32)); + tt_int_op(expires_out, OP_GE, expires_in); + tt_int_op(expires_out, OP_LE, expires_in + 3600); + + tt_int_op(cc_len, OP_EQ, 37 + get_uint8(cc+36)); + + tt_int_op(0, OP_EQ, rsa_ed25519_crosscert_check(cc, cc_len, rsa, &ed, + expires_in - 10)); + + /* Now try after it has expired */ + tt_int_op(-4, OP_EQ, rsa_ed25519_crosscert_check(cc, cc_len, rsa, &ed, + expires_out + 1)); + + /* Truncated object */ + tt_int_op(-2, OP_EQ, rsa_ed25519_crosscert_check(cc, cc_len - 2, rsa, &ed, + expires_in - 10)); + + /* Key not as expected */ + cc[0] ^= 3; + tt_int_op(-3, OP_EQ, rsa_ed25519_crosscert_check(cc, cc_len, rsa, &ed, + expires_in - 10)); + cc[0] ^= 3; + + /* Bad signature */ + cc[40] ^= 3; + tt_int_op(-5, OP_EQ, rsa_ed25519_crosscert_check(cc, cc_len, rsa, &ed, + expires_in - 10)); + cc[40] ^= 3; + + /* Signature of wrong data */ + cc[0] ^= 3; + ed.pubkey[0] ^= 3; + tt_int_op(-6, OP_EQ, rsa_ed25519_crosscert_check(cc, cc_len, rsa, &ed, + expires_in - 10)); + cc[0] ^= 3; + ed.pubkey[0] ^= 3; + + done: + crypto_pk_free(rsa); + tor_free(cc); +} + #define TEST(name, flags) \ { #name , test_routerkeys_ ## name, (flags), NULL, NULL } @@ -626,6 +687,7 @@ struct testcase_t routerkeys_tests[] = { TEST(ed_keys_init_all, TT_FORK), TEST(cross_certify_ntor, 0), TEST(cross_certify_tap, 0), + TEST(rsa_ed_crosscert, 0), END_OF_TESTCASES };

1 0

[tor/master] Handle u32 overflow in ed25519 cert expiration time.
by nickm＠torproject.org 03 Nov '16

03 Nov '16

commit 0704fa8a63c2e203162c359e184e63b10c45630c Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Aug 30 09:00:34 2016 -0400 Handle u32 overflow in ed25519 cert expiration time. The impact here isn't too bad. First, the only affected certs that expire after 32-bit signed time overflows in Y2038. Second, it could only make it seem that a non-expired cert is expired: it could never make it seem that an expired cert was still live. Fixes bug 20027; bugfix on 0.2.7.2-alpha. --- changes/bug20027 | 3 +++ src/or/torcert.c | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/changes/bug20027 b/changes/bug20027 new file mode 100644 index 0000000..79d1540 --- /dev/null +++ b/changes/bug20027 @@ -0,0 +1,3 @@ + o Minor bugfixes (ed25519 certificates): + - Correctly interpret ed25519 certificates that would expire some + time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha. diff --git a/src/or/torcert.c b/src/or/torcert.c index 2629155..ef7775e 100644 --- a/src/or/torcert.c +++ b/src/or/torcert.c @@ -139,7 +139,11 @@ tor_cert_parse(const uint8_t *encoded, const size_t len) cert->encoded_len = len; memcpy(cert->signed_key.pubkey, parsed->certified_key, 32); - cert->valid_until = parsed->exp_field * 3600; + const int64_t valid_until_64 = ((int64_t)parsed->exp_field) * 3600; + if (valid_until_64 > TIME_MAX) + cert->valid_until = TIME_MAX - 1; + else + cert->valid_until = (time_t) valid_until_64; cert->cert_type = parsed->cert_type; for (unsigned i = 0; i < ed25519_cert_getlen_ext(parsed); ++i) {

1 0