Commit Graph

9690 Commits

Author SHA1 Message Date
George Kadianakis
e2b3527106 Also handle needless renegotiations in SSL_write().
SSL_read(), SSL_write() and SSL_do_handshake() can always progress the
SSL protocol instead of their normal operation, this means that we
must be checking for needless renegotiations after they return.

Introduce tor_tls_got_excess_renegotiations() which makes the
          tls->server_handshake_count > 2
check for us, and use it in tor_tls_read() and tor_tls_write().

Cases that should not be handled:

* SSL_do_handshake() is only called by tor_tls_renegotiate() which is a
  client-only function.

* The SSL_read() in tor_tls_shutdown() does not need to be handled,
  since SSL_shutdown() will be called if SSL_read() returns an error.
2011-10-26 13:36:30 +02:00
George Kadianakis
340809dd22 Get rid of tor_tls_block_renegotiation().
Since we check for naughty renegotiations using
tor_tls_t.server_handshake_count we don't need that semi-broken
function (at least till there is a way to disable rfc5746
renegotiations too).
2011-10-26 13:16:14 +02:00
George Kadianakis
ecd239e3b5 Detect and deny excess renegotiations attempts.
Switch 'server_handshake_count' from a uint8_t to 2 unsigned int bits.
Since we won't ever be doing more than 3 handshakes, we don't need the
extra space.

Toggle tor_tls_t.got_renegotiate based on the server_handshake_count.
Also assert that when we've done two handshakes as a server (the initial
SSL handshake, and the renegotiation handshake) we've just
renegotiated.

Finally, in tor_tls_read() return an error if we see more than 2
handshakes.
2011-10-26 03:12:18 +02:00
George Kadianakis
4fd79f9def Detect renegotiation when it actually happens.
The renegotiation callback was called only when the first Application
Data arrived, instead of when the renegotiation took place.

This happened because SSL_read() returns -1 and sets the error to
SSL_ERROR_WANT_READ when a renegotiation happens instead of reading
data [0].

I also added a commented out aggressive assert that I won't enable yet
because I don't feel I understand SSL_ERROR_WANT_READ enough.

[0]: Look at documentation of SSL_read(), SSL_get_error() and
     SSL_CTX_set_mode() (SSL_MODE_AUTO_RETRY section).
2011-10-26 03:09:22 +02:00
George Kadianakis
69a821ea1c Refactor the SSL_set_info_callback() callbacks.
Introduce tor_tls_state_changed_callback(), which handles every SSL
state change.

The new function tor_tls_got_server_hello() is called every time we
send a ServerHello during a v2 handshake, and plays the role of the
previous tor_tls_server_info_callback() function.
2011-10-26 02:05:45 +02:00
Nick Mathewson
8af0cfc10d Add some points to make it easy to turn off v3 support 2011-10-10 23:14:32 -04:00
Sebastian Hahn
35fe4825fc Quiet two notices, and spelling mistake cleanup 2011-10-10 23:14:31 -04:00
Sebastian Hahn
66200320ff Fix a few 64bit compiler warnings 2011-10-10 23:14:31 -04:00
Nick Mathewson
1bd65680bd Add more log statements for protocol/internal failures 2011-10-10 23:14:31 -04:00
Nick Mathewson
059d3d0613 Remove auth_challenge field from or_handshake_state_t
We didn't need to record this value; it was already recorded
implicitly while computing cell digests for later examination in the
authenticate cells.
2011-10-10 23:14:31 -04:00
Nick Mathewson
d79ff2ce94 spec conformance: allow only one cert of each type 2011-10-10 23:14:31 -04:00
Nick Mathewson
e56d7a3809 Give tor_cert_get_id_digests() fail-fast behavior
Right now we can take the digests only of an RSA key, and only expect to
take the digests of an RSA key.  The old tor_cert_get_id_digests() would
return a good set of digests for an RSA key, and an all-zero one for a
non-RSA key.  This behavior is too error-prone: it carries the risk that
we will someday check two non-RSA keys for equality and conclude that
they must be equal because they both have the same (zero) "digest".

Instead, let's have tor_cert_get_id_digests() return NULL for keys we
can't handle, and make its callers explicitly test for NULL.
2011-10-10 23:14:31 -04:00
Nick Mathewson
40f0d111c2 Fix some more issues wrt tor_cert_new found by asn 2011-10-10 23:14:30 -04:00
Nick Mathewson
ce102f7a59 Make more safe_str usage happen for new logs in command.c 2011-10-10 23:14:30 -04:00
Nick Mathewson
23664fb3b8 Set up network parameters on non-authenticated incoming connections
Also add some info log messages for the steps of the v3 handshake.

Now my test network bootstraps!
2011-10-10 23:14:30 -04:00
Nick Mathewson
7aadae606b Make sure we stop putting cells into our hash at the right time. 2011-10-10 23:14:30 -04:00
Nick Mathewson
41b250d7ea Bugfixes for authenticate handling and generation 2011-10-10 23:14:30 -04:00
Nick Mathewson
610cb0ecc4 Fix log message about what cells we are sending 2011-10-10 23:14:30 -04:00
Nick Mathewson
f726c67dd4 more verbose log for recording an odd cell 2011-10-10 23:14:30 -04:00
Nick Mathewson
40f343e176 Actually accept cells in SERVER_RENEGOTIATING 2011-10-10 23:14:29 -04:00
Nick Mathewson
6bfb31ff56 Generate certificates that enable v3 handshake 2011-10-10 23:14:29 -04:00
Nick Mathewson
7935c4bdfa Allow "finished flushing" during v3 handshake 2011-10-10 23:14:29 -04:00
Nick Mathewson
83bb9742b5 Hook up all of the prop176 code; allow v3 negotiations to actually work 2011-10-10 23:14:18 -04:00
Nick Mathewson
445f947890 Remove a no-longer-relevant comment 2011-10-10 23:14:17 -04:00
Nick Mathewson
9a77ebc794 Make tor_tls_cert_is_valid check key lengths 2011-10-10 23:14:17 -04:00
Nick Mathewson
3f22ec179c New functions to record digests of cells during v3 handshake
Also, free all of the new fields in or_handshake_state_t
2011-10-10 23:14:17 -04:00
Nick Mathewson
6c7f28454e Implement cert/auth cell reading 2011-10-10 23:14:17 -04:00
Nick Mathewson
81024f43ec Basic function to write authenticate cells
Also, tweak the cert cell code to send auth certs
2011-10-10 23:14:16 -04:00
Nick Mathewson
e48e47fa03 Function to return peer cert as tor_tls_cert 2011-10-10 23:14:16 -04:00
Nick Mathewson
a6fc5059cd Add AUTH keys as specified in proposal 176
Our keys and x.509 certs are proliferating here.  Previously we had:
   An ID cert (using the main ID key), self-signed
   A link cert (using a shorter-term link key), signed by the ID key

Once proposal 176 and 179 are done, we will also have:
   Optionally, a presentation cert (using the link key),
       signed by whomever.
   An authentication cert (using a shorter-term ID key), signed by
       the ID key.

These new keys are managed as part of the tls context infrastructure,
since you want to rotate them under exactly the same circumstances,
and since they need X509 certificates.
2011-10-10 23:14:16 -04:00
Nick Mathewson
0a4f562772 Functions to get a public RSA key from a cert 2011-10-10 23:14:16 -04:00
Nick Mathewson
92602345e0 Function to detect certificate types that signal v3 certificates 2011-10-10 23:14:10 -04:00
Nick Mathewson
8c9fdecfe9 Function to get digests of the certs and their keys 2011-10-10 23:14:10 -04:00
Nick Mathewson
f4c1fa2a04 More functions to manipulate certs received in cells 2011-10-10 23:14:10 -04:00
Nick Mathewson
c39688de6c Function to extract the TLSSECRETS field for v3 handshakes 2011-10-10 23:14:10 -04:00
Nick Mathewson
df78daa5da Functions to send cert and auth_challenge cells. 2011-10-10 23:14:10 -04:00
Nick Mathewson
1b0645acba Cell types and states for new OR handshake
Also, define all commands > 128 as variable-length when using
v3 or later link protocol.  Running into a var cell with an
unrecognized type is no longer a bug.
2011-10-10 23:14:09 -04:00
Nick Mathewson
fdbb9cdf74 Add a sha256 hmac function, with tests 2011-10-10 23:14:09 -04:00
Nick Mathewson
c0bbcf138f Turn X509 certificates into a first-class type and add some functions 2011-10-10 23:14:02 -04:00
Nick Mathewson
dcf69a9e12 New function to get all digests of a public key 2011-10-10 23:14:02 -04:00
Nick Mathewson
bc2d9357f5 Merge remote-tracking branch 'origin/maint-0.2.2' 2011-10-10 22:50:52 -04:00
Nick Mathewson
b5edc838f2 Merge remote-tracking branch 'sebastian/osxcompile' 2011-10-10 22:03:20 -04:00
Sebastian Hahn
b4bd836f46 Consider hibernation before dropping privs
Without this patch, Tor wasn't sure whether it would be hibernating or
not, so it postponed opening listeners until after the privs had been
dropped. This doesn't work so well for low ports. Bug was introduced in
the fix for bug 2003. Fixes bug 4217, reported by Zax and katmagic.
Thanks!
2011-10-11 02:42:12 +02:00
Sebastian Hahn
cce85c819b Fix a compile warning on OS X 10.6 and up 2011-10-11 02:25:00 +02:00
Nick Mathewson
6a673ad313 Add a missing comma in tor_check_port_forwarding
My fault; fix for bug 4213.
2011-10-10 11:42:05 -04:00
Robert Ransom
9648f034c0 Update documentation comment for rend_client_reextend_intro_circuit
One of its callers assumes a non-zero result indicates a permanent failure
(i.e. the current attempt to connect to this HS either has failed or is
 doomed).  The other caller only requires that this function's result
never equal -2.

Bug reported by Sebastian Hahn.
2011-10-10 05:33:53 -07:00
Robert Ransom
274b25de12 Don't launch a useless circuit in rend_client_reextend_intro_circuit
Fixes bug 4212.  Bug reported by katmagic and found by Sebastian.
2011-10-10 03:05:19 -07:00
Nick Mathewson
ca597efb22 Merge remote-tracking branch 'karsten/feature3951' into maint-0.2.2 2011-10-07 16:46:50 -04:00
Nick Mathewson
1ec22eac4b Merge remote-tracking branch 'public/bug2003_nm' 2011-10-07 16:43:45 -04:00
Nick Mathewson
8b0ee60fe7 reinstate a notice for the non-loopback socksport case
Thanks to prop171, it's no longer a crazy thing to do, but you should
make sure that you really meant it!
2011-10-07 16:34:21 -04:00