commit 0030765e04d8dfe3dfaf8124b01a4d578b7d8ceb Merge: 3d653df ff835e2 Author: Nick Mathewson <nickm@torproject.org> Date: Tue Jun 2 13:45:27 2015 -0400 Merge remote-tracking branch 'public/bug15760_hard_026_v2' Conflicts: src/common/tortls.c configure.ac | 18 ++++ src/common/tortls.c | 289 ++++++++++++++++----------------------------------- 2 files changed, 109 insertions(+), 198 deletions(-) diff --cc src/common/tortls.c index a4b6c48,deeee5f..a1bc9ab --- a/src/common/tortls.c +++ b/src/common/tortls.c @@@ -741,31 -787,9 +724,9 @@@ static const char CLIENT_CIPHER_LIST[] #undef CIPHER #undef XCIPHER - /** Holds a cipher that we want to advertise, and its 2-byte ID. */ - typedef struct cipher_info_t { unsigned id; const char *name; } cipher_info_t; - /** A list of all the ciphers that clients should advertise, including items - * that OpenSSL might not know about. */ - static const cipher_info_t CLIENT_CIPHER_INFO_LIST[] = { - #define CIPHER(id, name) { id, name }, - #define XCIPHER(id, name) { id, #name }, - #include "ciphers.inc" - #undef CIPHER - #undef XCIPHER - }; - - /** The length of CLIENT_CIPHER_INFO_LIST and CLIENT_CIPHER_DUMMIES. */ - static const int N_CLIENT_CIPHERS = ARRAY_LENGTH(CLIENT_CIPHER_INFO_LIST); - #endif - - #ifndef V2_HANDSHAKE_CLIENT - #undef CLIENT_CIPHER_LIST - #define CLIENT_CIPHER_LIST (TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" \ - SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) - #endif - /** Free all storage held in <b>cert</b> */ void -tor_cert_free(tor_cert_t *cert) +tor_x509_cert_free(tor_x509_cert_t *cert) { if (! cert) return; @@@ -1597,6 -1644,10 +1558,10 @@@ tor_tls_classify_client_ciphers(const S static int tor_tls_client_is_using_v2_ciphers(const SSL *ssl) { + STACK_OF(SSL_CIPHER) *ciphers; + #ifdef HAVE_SSL_GET_CLIENT_CIPHERS - ciphers = SSL_get_client_ciphers(ssl); ++ ciphers = SSL_get_ciphers(ssl); + #else SSL_SESSION *session; if (!(session = SSL_get_session((SSL *)ssl))) { log_info(LD_NET, "No session on TLS?"); @@@ -1701,151 -1759,10 +1668,7 @@@ tor_tls_setup_session_secret_cb(tor_tls { SSL_set_session_secret_cb(tls->ssl, tor_tls_session_secret_cb, NULL); } -#else -#define tor_tls_setup_session_secret_cb(tls) STMT_NIL -#endif - /** Explain which ciphers we're missing. */ - static void - log_unsupported_ciphers(smartlist_t *unsupported) - { - char *joined; - - log_notice(LD_NET, "We weren't able to find support for all of the " - "TLS ciphersuites that we wanted to advertise. This won't " - "hurt security, but it might make your Tor (if run as a client) " - "more easy for censors to block."); - - if (SSLeay() < 0x10000000L) { - log_notice(LD_NET, "To correct this, use a more recent OpenSSL, " - "built without disabling any secure ciphers or features."); - } else { - log_notice(LD_NET, "To correct this, use a version of OpenSSL " - "built with none of its ciphers disabled."); - } - - joined = smartlist_join_strings(unsupported, ":", 0, NULL); - log_info(LD_NET, "The unsupported ciphers were: %s", joined); - tor_free(joined); - } - - static void - set_ssl_ciphers_to_list(SSL *ssl, STACK_OF(SSL_CIPHER) *stack) - { - STACK_OF(SSL_CIPHER) *ciphers; - - int r, i; - /* #1: ensure that the ssl object has its own list of ciphers. Otherwise we - * might be about to stomp the SSL_CTX ciphers list. */ - r = SSL_set_cipher_list(ssl, "HIGH"); - tor_assert(r); - - /* #2: Grab ssl_ciphers and clear it. */ - ciphers = SSL_get_ciphers(ssl); - tor_assert(ciphers); - sk_SSL_CIPHER_zero(ciphers); - - /* #3: Copy the elements from stack. */ - for (i = 0; i < sk_SSL_CIPHER_num(stack); ++i) { - SSL_CIPHER *c = sk_SSL_CIPHER_value(stack, i); - sk_SSL_CIPHER_push(ciphers, c); - } - } - - /** Replace the ciphers on <b>ssl</b> with a new list of SSL ciphersuites: - * specifically, a list designed to mimic a common web browser. We might not - * be able to do that if OpenSSL doesn't support all the ciphers we want. - * Some of the ciphers in the list won't actually be implemented by OpenSSL: - * that's okay so long as the server doesn't select them. - * - * [If the server <b>does</b> select a bogus cipher, we won't crash or - * anything; we'll just fail later when we try to look up the cipher in - * ssl->cipher_list_by_id.] - */ - static void - rectify_client_ciphers(SSL *ssl) - { - #ifdef V2_HANDSHAKE_CLIENT - if (PREDICT_UNLIKELY(!CLIENT_CIPHER_STACK)) { - STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl); - - /* We need to set CLIENT_CIPHER_STACK to an array of the ciphers - * we want to use/advertise. */ - int i = 0, j = 0; - smartlist_t *unsupported = smartlist_new(); - - /* First, create a dummy SSL_CIPHER for every cipher. */ - CLIENT_CIPHER_DUMMIES = - tor_malloc_zero(sizeof(SSL_CIPHER)*N_CLIENT_CIPHERS); - for (i=0; i < N_CLIENT_CIPHERS; ++i) { - CLIENT_CIPHER_DUMMIES[i].valid = 1; - /* The "3<<24" here signifies that the cipher is supposed to work with - * SSL3 and TLS1. */ - CLIENT_CIPHER_DUMMIES[i].id = CLIENT_CIPHER_INFO_LIST[i].id | (3<<24); - CLIENT_CIPHER_DUMMIES[i].name = CLIENT_CIPHER_INFO_LIST[i].name; - } - - CLIENT_CIPHER_STACK = sk_SSL_CIPHER_new_null(); - tor_assert(CLIENT_CIPHER_STACK); - - log_debug(LD_NET, "List was: %s", CLIENT_CIPHER_LIST); - for (j = 0; j < sk_SSL_CIPHER_num(ciphers); ++j) { - SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, j); - log_debug(LD_NET, "Cipher %d: %lx %s", j, - SSL_CIPHER_get_id(cipher), SSL_CIPHER_get_name(cipher)); - } - - /* Then copy as many ciphers as we can from the good list, inserting - * dummies as needed. Let j be an index into list of ciphers we have - * (ciphers) and let i be an index into the ciphers we want - * (CLIENT_INFO_CIPHER_LIST). We are building a list of ciphers in - * CLIENT_CIPHER_STACK. - */ - for (i = j = 0; i < N_CLIENT_CIPHERS; ) { - SSL_CIPHER *cipher = NULL; - if (j < sk_SSL_CIPHER_num(ciphers)) - cipher = sk_SSL_CIPHER_value(ciphers, j); - if (cipher && ((SSL_CIPHER_get_id(cipher) >> 24) & 0xff) != 3) { - /* Skip over non-v3 ciphers entirely. (This should no longer be - * needed, thanks to saying !SSLv2 above.) */ - log_debug(LD_NET, "Skipping v%d cipher %s", - (int)((SSL_CIPHER_get_id(cipher)>>24) & 0xff), - SSL_CIPHER_get_name(cipher)); - ++j; - } else if (cipher && - (SSL_CIPHER_get_id(cipher) & 0xffff) == - CLIENT_CIPHER_INFO_LIST[i].id) { - /* "cipher" is the cipher we expect. Put it on the list. */ - log_debug(LD_NET, "Found cipher %s", SSL_CIPHER_get_name(cipher)); - sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, cipher); - ++j; - ++i; - } else if (!strcmp(CLIENT_CIPHER_DUMMIES[i].name, - "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA")) { - /* We found bogus cipher 0xfeff, which OpenSSL doesn't support and - * never has. For this one, we need a dummy. */ - log_debug(LD_NET, "Inserting fake %s", CLIENT_CIPHER_DUMMIES[i].name); - sk_SSL_CIPHER_push(CLIENT_CIPHER_STACK, &CLIENT_CIPHER_DUMMIES[i]); - ++i; - } else { - /* OpenSSL doesn't have this one. */ - log_debug(LD_NET, "Completely omitting unsupported cipher %s", - CLIENT_CIPHER_INFO_LIST[i].name); - smartlist_add(unsupported, (char*) CLIENT_CIPHER_INFO_LIST[i].name); - ++i; - } - } - - if (smartlist_len(unsupported)) - log_unsupported_ciphers(unsupported); - - smartlist_free(unsupported); - } - - set_ssl_ciphers_to_list(ssl, CLIENT_CIPHER_STACK); - - #else - (void)ciphers; - #endif - } - /** Create a new TLS object from a file descriptor, and a flag to * determine whether it is functioning as a server. */ @@@ -2773,16 -2751,49 +2634,49 @@@ SSL_SESSION_get_master_key(SSL_SESSION * the v3 handshake to prove that the client knows the TLS secrets for the * connection <b>tls</b>. Return 0 on success, -1 on failure. */ -int -tor_tls_get_tlssecrets(tor_tls_t *tls, uint8_t *secrets_out) +MOCK_IMPL(int, +tor_tls_get_tlssecrets,(tor_tls_t *tls, uint8_t *secrets_out)) { #define TLSSECRET_MAGIC "Tor V3 handshake TLS cross-certification" - char buf[128]; + uint8_t buf[128]; size_t len; + tor_assert(tls); - tor_assert(tls->ssl); - tor_assert(tls->ssl->s3); - tor_assert(tls->ssl->session); + + SSL *const ssl = tls->ssl; + SSL_SESSION *const session = SSL_get_session(ssl); + + tor_assert(ssl); + tor_assert(session); + + const size_t server_random_len = SSL_get_server_random(ssl, NULL, 0); + const size_t client_random_len = SSL_get_client_random(ssl, NULL, 0); + const size_t master_key_len = SSL_SESSION_get_master_key(session, NULL, 0); + + tor_assert(server_random_len); + tor_assert(client_random_len); + tor_assert(master_key_len); + + len = client_random_len + server_random_len + strlen(TLSSECRET_MAGIC) + 1; + tor_assert(len <= sizeof(buf)); + + { + size_t r = SSL_get_client_random(ssl, buf, client_random_len); + tor_assert(r == client_random_len); + } + { + size_t r = SSL_get_server_random(ssl, buf+client_random_len, server_random_len); + tor_assert(r == server_random_len); + } + uint8_t *master_key = tor_malloc_zero(master_key_len); + { + size_t r = SSL_SESSION_get_master_key(session, master_key, master_key_len); + tor_assert(r == master_key_len); + } + + uint8_t *nextbuf = buf + client_random_len + server_random_len; + memcpy(nextbuf, TLSSECRET_MAGIC, strlen(TLSSECRET_MAGIC) + 1); + /* The value is an HMAC, using the TLS master key as the HMAC key, of client_random | server_random | TLSSECRET_MAGIC