Commit Graph

333 Commits

Author SHA1 Message Date
Nick Mathewson
7920ea55b8 Refactor tor_event_base_once to do what we actually want
This version avoids the timeout system entirely, gives a nicer
interface, and lets us manage allocation explicitly.
2011-11-25 17:18:54 -05:00
Nick Mathewson
e5f2f10844 Merge remote-tracking branch 'asn/bug4312' 2011-11-25 17:00:47 -05:00
Sebastian Hahn
8200a85323 Fix a check-spaces complaint 2011-11-16 16:40:56 +01:00
Nick Mathewson
69dd993a92 Make certificate skew into a protocol warning 2011-11-15 15:57:46 -05:00
Nick Mathewson
87622e4c7e Allow up to a 30 days future skew, 48 hours past skew in certs. 2011-11-15 15:57:41 -05:00
George Kadianakis
406ae1ba5a Use callback-driven approach to block renegotiations.
Also use this new approach in the bufferevents-enabled case.
2011-11-13 14:47:11 +01:00
George Kadianakis
e097bffaed Fix issues pointed out by nickm.
- Rename tor_tls_got_server_hello() to tor_tls_got_client_hello().
- Replaced some aggressive asserts with LD_BUG logging.

  They were the innocent "I believe I understand how these callbacks
  work, and this assert proves it" type of callbacks, and not the "If
  this statement is not true, computer is exploding." type of
  callbacks.
- Added a changes file.
2011-11-03 22:33:50 +01:00
Nick Mathewson
7a8960cf1b Fix a memory-poisoning memset in tortls.c 2011-10-28 16:37:42 -04:00
Sebastian Hahn
2dec6597af Merge branch 'maint-0.2.2_secfix' into master_secfix
Conflicts:
	src/common/tortls.c
	src/or/connection_or.c
	src/or/dirserv.c
	src/or/or.h
2011-10-27 00:38:45 +02:00
Sebastian Hahn
df05e5ef4d Merge branch 'maint-0.2.1_secfix' into maint-0.2.2_secfix
Conflicts:
	src/or/connection_or.c
2011-10-26 23:30:27 +02:00
Nick Mathewson
638fdedcf1 Don't send a certificate chain on outgoing TLS connections from non-relays 2011-10-26 23:20:56 +02:00
Robert Ransom
9976df9e56 Maintain separate server and client TLS contexts.
Fixes bug #988.

Conflicts:

	src/or/main.c
	src/or/router.c
2011-10-26 14:13:55 +02:00
Robert Ransom
8781640111 Refactor tor_tls_context_new:
* Make tor_tls_context_new internal to tortls.c, and return the new
  tor_tls_context_t from it.

* Add a public tor_tls_context_init wrapper function to replace it.

Conflicts:

	src/or/main.c
	src/or/router.c
2011-10-26 14:08:36 +02:00
George Kadianakis
e2b3527106 Also handle needless renegotiations in SSL_write().
SSL_read(), SSL_write() and SSL_do_handshake() can always progress the
SSL protocol instead of their normal operation, this means that we
must be checking for needless renegotiations after they return.

Introduce tor_tls_got_excess_renegotiations() which makes the
          tls->server_handshake_count > 2
check for us, and use it in tor_tls_read() and tor_tls_write().

Cases that should not be handled:

* SSL_do_handshake() is only called by tor_tls_renegotiate() which is a
  client-only function.

* The SSL_read() in tor_tls_shutdown() does not need to be handled,
  since SSL_shutdown() will be called if SSL_read() returns an error.
2011-10-26 13:36:30 +02:00
George Kadianakis
340809dd22 Get rid of tor_tls_block_renegotiation().
Since we check for naughty renegotiations using
tor_tls_t.server_handshake_count we don't need that semi-broken
function (at least till there is a way to disable rfc5746
renegotiations too).
2011-10-26 13:16:14 +02:00
George Kadianakis
ecd239e3b5 Detect and deny excess renegotiations attempts.
Switch 'server_handshake_count' from a uint8_t to 2 unsigned int bits.
Since we won't ever be doing more than 3 handshakes, we don't need the
extra space.

Toggle tor_tls_t.got_renegotiate based on the server_handshake_count.
Also assert that when we've done two handshakes as a server (the initial
SSL handshake, and the renegotiation handshake) we've just
renegotiated.

Finally, in tor_tls_read() return an error if we see more than 2
handshakes.
2011-10-26 03:12:18 +02:00
George Kadianakis
4fd79f9def Detect renegotiation when it actually happens.
The renegotiation callback was called only when the first Application
Data arrived, instead of when the renegotiation took place.

This happened because SSL_read() returns -1 and sets the error to
SSL_ERROR_WANT_READ when a renegotiation happens instead of reading
data [0].

I also added a commented out aggressive assert that I won't enable yet
because I don't feel I understand SSL_ERROR_WANT_READ enough.

[0]: Look at documentation of SSL_read(), SSL_get_error() and
     SSL_CTX_set_mode() (SSL_MODE_AUTO_RETRY section).
2011-10-26 03:09:22 +02:00
George Kadianakis
69a821ea1c Refactor the SSL_set_info_callback() callbacks.
Introduce tor_tls_state_changed_callback(), which handles every SSL
state change.

The new function tor_tls_got_server_hello() is called every time we
send a ServerHello during a v2 handshake, and plays the role of the
previous tor_tls_server_info_callback() function.
2011-10-26 02:05:45 +02:00
Nick Mathewson
87a93917c3 Fix a reference-leak in tor_tls_received_v3_certificate
We were calling SSL_get_peer_certificate but not X509_free.

This is a major part of bug4252; the bug has been in no released version.
2011-10-23 13:23:53 -04:00
Nick Mathewson
80cf342e47 Fix memory leak in prop176 code
This fixes part of bug4252.  Bug not in any released version.
2011-10-23 13:23:53 -04:00
Nick Mathewson
8af0cfc10d Add some points to make it easy to turn off v3 support 2011-10-10 23:14:32 -04:00
Sebastian Hahn
35fe4825fc Quiet two notices, and spelling mistake cleanup 2011-10-10 23:14:31 -04:00
Nick Mathewson
e56d7a3809 Give tor_cert_get_id_digests() fail-fast behavior
Right now we can take the digests only of an RSA key, and only expect to
take the digests of an RSA key.  The old tor_cert_get_id_digests() would
return a good set of digests for an RSA key, and an all-zero one for a
non-RSA key.  This behavior is too error-prone: it carries the risk that
we will someday check two non-RSA keys for equality and conclude that
they must be equal because they both have the same (zero) "digest".

Instead, let's have tor_cert_get_id_digests() return NULL for keys we
can't handle, and make its callers explicitly test for NULL.
2011-10-10 23:14:31 -04:00
Nick Mathewson
40f0d111c2 Fix some more issues wrt tor_cert_new found by asn 2011-10-10 23:14:30 -04:00
Nick Mathewson
6bfb31ff56 Generate certificates that enable v3 handshake 2011-10-10 23:14:29 -04:00
Nick Mathewson
9a77ebc794 Make tor_tls_cert_is_valid check key lengths 2011-10-10 23:14:17 -04:00
Nick Mathewson
e48e47fa03 Function to return peer cert as tor_tls_cert 2011-10-10 23:14:16 -04:00
Nick Mathewson
a6fc5059cd Add AUTH keys as specified in proposal 176
Our keys and x.509 certs are proliferating here.  Previously we had:
   An ID cert (using the main ID key), self-signed
   A link cert (using a shorter-term link key), signed by the ID key

Once proposal 176 and 179 are done, we will also have:
   Optionally, a presentation cert (using the link key),
       signed by whomever.
   An authentication cert (using a shorter-term ID key), signed by
       the ID key.

These new keys are managed as part of the tls context infrastructure,
since you want to rotate them under exactly the same circumstances,
and since they need X509 certificates.
2011-10-10 23:14:16 -04:00
Nick Mathewson
0a4f562772 Functions to get a public RSA key from a cert 2011-10-10 23:14:16 -04:00
Nick Mathewson
92602345e0 Function to detect certificate types that signal v3 certificates 2011-10-10 23:14:10 -04:00
Nick Mathewson
8c9fdecfe9 Function to get digests of the certs and their keys 2011-10-10 23:14:10 -04:00
Nick Mathewson
f4c1fa2a04 More functions to manipulate certs received in cells 2011-10-10 23:14:10 -04:00
Nick Mathewson
c39688de6c Function to extract the TLSSECRETS field for v3 handshakes 2011-10-10 23:14:10 -04:00
Nick Mathewson
c0bbcf138f Turn X509 certificates into a first-class type and add some functions 2011-10-10 23:14:02 -04:00
Nick Mathewson
f186e16241 Add write watermarks to filtered bufferevents. 2011-08-24 17:31:37 -04:00
Nick Mathewson
d3653063d3 Automatically use filtering bufferevents with IOCP. 2011-08-18 15:16:05 -04:00
Sebastian Hahn
f137ae896e Don't warn on http connection to my orport
Also remove a few other related warnings that could occur during the ssl
handshake. We do this because the relay operator can't do anything about
them, and they aren't their fault.
2011-08-11 20:37:51 +02:00
Nick Mathewson
44cfa53873 Make WIN32_WINNT defines conditional
Requested by Gisle Vanem on tor-dev.  I'm not quite sure this is the
right solution, but it's probably harmless.
2011-07-15 10:03:59 -04:00
Nick Mathewson
3f97c665aa Document feature3116 fns and improve output
- We were reporting the _bottom_ N failing states, not the top N.
- With bufferevents enabled, we logged all TLS states as being "in
  bufferevent", which isn't actually informative.
- When we had nothing to report, we reported nothing too loudly.
- Also, we needed documentation.
2011-07-11 16:13:17 -04:00
Nick Mathewson
734d9486f6 Record the states of failing OR connections
This code lets us record the state of any outgoing OR connection
that fails before it becomes open, so we can notice if they're all
dying in the same SSL state or the same OR handshake state.

More work is still needed:
  - We need documentation
  - We need to actually call the code that reports the failure when
    we realize that we're having a hard time connecting out or
    making circuits.
  - We need to periodically clear out all this data -- perhaps,
    whenever we build a circuit successfully?
  - We'll eventually want to expose it to controllers, perhaps.

Partial implementation of feature 3116.
2011-07-11 16:13:17 -04:00
Nick Mathewson
410e440a8d Log SSL state changes at LOG_DEBUG, LD_HANDSHAKE.
This can be slightly useful for debugging blocking events.

Addresses ticket 3116; based on loud_ssl_states branch.
2011-06-20 17:45:12 -04:00
Nick Mathewson
f608872b0c C style fix: a no-args function is void fn(void), not void fn(). 2011-03-03 23:42:14 -05:00
Nick Mathewson
8ae179deec Add a magic field to tor_tls_t to catch exdata corruption bugs, if any appear. 2011-03-03 23:41:34 -05:00
Robert Ransom
74fc993b98 Check the result of SSL_set_ex_data
Reported by piebeer.
2011-03-03 16:17:39 -08:00
Robert Ransom
fe1137be6f Use SSL_*_ex_data instead of SSL_*_app_data
SSL_*_app_data uses ex_data index 0, which will be the first one allocated
by SSL_get_ex_new_index. Thus, if we ever started using the ex_data feature
for some other purpose, or a library linked to Tor ever started using
OpenSSL's ex_data feature, Tor would break in spectacular and mysterious
ways. Using the SSL_*_ex_data functions directly now may save us from
that particular form of breakage in the future.

But I would not be surprised if using OpenSSL's ex_data functions at all
(directly or not) comes back to bite us on our backends quite hard. The
specified behaviour of dup_func in the man page is stupid, and
crypto/ex_data.c is a horrific mess.
2011-03-03 15:34:53 -08:00
Robert Ransom
13ee803469 Remove now-unused helper functions
These functions were needed only by code removed in the preceding commit.

Reported by mobmix.
2011-03-03 14:59:21 -08:00
Gladys Shufflebottom
49de5431d5 remove tls related hash table code 2011-03-01 18:11:25 -05:00
Nick Mathewson
50c259d763 Make the DH parameter we use for TLS match the one from Apache's mod_ssl
Our regular DH parameters that we use for circuit and rendezvous
crypto are unchanged.  This is yet another small step on the path of
protocol fingerprinting resistance.

(Backport from 0.2.2's 5ed73e3807)
2011-02-10 15:55:06 -05:00
Nick Mathewson
912b76a1bf Merge remote branch 'origin/maint-0.2.2' 2011-02-03 13:56:37 -05:00
Nick Mathewson
76582442a8 Handle failing cases of DH allocation 2011-01-25 18:09:38 -05:00