Tor 0.4.9.2-alpha-dev
All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Modules Pages
relay_handshake.c
Go to the documentation of this file.
1/* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5/* See LICENSE for licensing information */
6
7/**
8 * @file relay_handshake.c
9 * @brief Functions to implement the relay-only parts of our
10 * connection handshake.
11 *
12 * Some parts of our TLS link handshake are only done by relays (including
13 * bridges). Specifically, only relays need to send CERTS cells; only
14 * relays need to send or receive AUTHCHALLENGE cells, and only relays need to
15 * send or receive AUTHENTICATE cells.
16 **/
17
18#include "orconfig.h"
19#include "core/or/or.h"
21
22#include "app/config/config.h"
25#include "trunnel/link_handshake.h"
28
32#include "core/or/var_cell_st.h"
33
34#include "lib/tls/tortls.h"
35#include "lib/tls/x509.h"
36
37/** Helper used to add an encoded certs to a cert cell */
38static void
39add_certs_cell_cert_helper(certs_cell_t *certs_cell,
40 uint8_t cert_type,
41 const uint8_t *cert_encoded,
42 size_t cert_len)
43{
44 tor_assert(cert_len <= UINT16_MAX);
45 certs_cell_cert_t *ccc = certs_cell_cert_new();
46 ccc->cert_type = cert_type;
47 ccc->cert_len = cert_len;
48 certs_cell_cert_setlen_body(ccc, cert_len);
49 memcpy(certs_cell_cert_getarray_body(ccc), cert_encoded, cert_len);
50
51 certs_cell_add_certs(certs_cell, ccc);
52}
53
54/** Add an encoded X509 cert (stored as <b>cert_len</b> bytes at
55 * <b>cert_encoded</b>) to the trunnel certs_cell_t object that we are
56 * building in <b>certs_cell</b>. Set its type field to <b>cert_type</b>.
57 * (If <b>cert</b> is NULL, take no action.) */
58static void
59add_x509_cert(certs_cell_t *certs_cell,
60 uint8_t cert_type,
61 const tor_x509_cert_t *cert)
62{
63 if (NULL == cert)
64 return;
65
66 const uint8_t *cert_encoded = NULL;
67 size_t cert_len;
68 tor_x509_cert_get_der(cert, &cert_encoded, &cert_len);
69
70 add_certs_cell_cert_helper(certs_cell, cert_type, cert_encoded, cert_len);
71}
72
73/** Add an Ed25519 cert from <b>cert</b> to the trunnel certs_cell_t object
74 * that we are building in <b>certs_cell</b>. Set its type field to
75 * <b>cert_type</b>. (If <b>cert</b> is NULL, take no action.) */
76static void
77add_ed25519_cert(certs_cell_t *certs_cell,
78 uint8_t cert_type,
79 const tor_cert_t *cert)
80{
81 if (NULL == cert)
82 return;
83
84 add_certs_cell_cert_helper(certs_cell, cert_type,
85 cert->encoded, cert->encoded_len);
86}
87
88#ifdef TOR_UNIT_TESTS
89int certs_cell_ed25519_disabled_for_testing = 0;
90#else
91#define certs_cell_ed25519_disabled_for_testing 0
92#endif
93
94/** Send a CERTS cell on the connection <b>conn</b>. Return 0 on success, -1
95 * on failure. */
96int
98{
99 const tor_x509_cert_t *global_link_cert = NULL, *id_cert = NULL;
100 tor_x509_cert_t *own_link_cert = NULL;
101 var_cell_t *cell;
102
103 certs_cell_t *certs_cell = NULL;
104
106
107 if (! conn->handshake_state)
108 return -1;
109
110 const int conn_in_server_mode = ! conn->handshake_state->started_here;
111
112 /* Get the encoded values of the X509 certificates */
113 if (tor_tls_get_my_certs(conn_in_server_mode,
114 &global_link_cert, &id_cert) < 0)
115 return -1;
116
117 if (conn_in_server_mode) {
118 own_link_cert = tor_tls_get_own_cert(conn->tls);
119 }
120 tor_assert(id_cert);
121
122 certs_cell = certs_cell_new();
123
124 /* Start adding certs. First the link cert or auth1024 cert. */
125 if (conn_in_server_mode) {
126 tor_assert_nonfatal(own_link_cert);
127 add_x509_cert(certs_cell,
128 OR_CERT_TYPE_TLS_LINK, own_link_cert);
129 } else {
130 tor_assert(global_link_cert);
131 add_x509_cert(certs_cell,
132 OR_CERT_TYPE_AUTH_1024, global_link_cert);
133 }
134
135 /* Next the RSA->RSA ID cert */
136 add_x509_cert(certs_cell,
137 OR_CERT_TYPE_ID_1024, id_cert);
138
139 /* Next the Ed25519 certs */
140 add_ed25519_cert(certs_cell,
141 CERTTYPE_ED_ID_SIGN,
142 get_master_signing_key_cert());
143 if (conn_in_server_mode) {
144 tor_assert_nonfatal(conn->handshake_state->own_link_cert ||
145 certs_cell_ed25519_disabled_for_testing);
146 add_ed25519_cert(certs_cell,
147 CERTTYPE_ED_SIGN_LINK,
149 } else {
150 add_ed25519_cert(certs_cell,
151 CERTTYPE_ED_SIGN_AUTH,
152 get_current_auth_key_cert());
153 }
154
155 /* And finally the crosscert. */
156 {
157 const uint8_t *crosscert=NULL;
158 size_t crosscert_len;
159 get_master_rsa_crosscert(&crosscert, &crosscert_len);
160 if (crosscert) {
162 CERTTYPE_RSA1024_ID_EDID,
163 crosscert, crosscert_len);
164 }
165 }
166
167 /* We've added all the certs; make the cell. */
168 certs_cell->n_certs = certs_cell_getlen_certs(certs_cell);
169
170 ssize_t alloc_len = certs_cell_encoded_len(certs_cell);
171 tor_assert(alloc_len >= 0 && alloc_len <= UINT16_MAX);
172 cell = var_cell_new(alloc_len);
173 cell->command = CELL_CERTS;
174 ssize_t enc_len = certs_cell_encode(cell->payload, alloc_len, certs_cell);
175 tor_assert(enc_len > 0 && enc_len <= alloc_len);
176 cell->payload_len = enc_len;
177
179 var_cell_free(cell);
180 certs_cell_free(certs_cell);
181 tor_x509_cert_free(own_link_cert);
182
183 return 0;
184}
185
186/** Return true iff <b>challenge_type</b> is an AUTHCHALLENGE type that
187 * we can send and receive. */
188int
189authchallenge_type_is_supported(uint16_t challenge_type)
190{
191 switch (challenge_type) {
193 return 1;
194
195 case AUTHTYPE_RSA_SHA256_TLSSECRET: // obsolete.
196 case AUTHTYPE_RSA_SHA256_RFC5705: // never implemented.
197 default:
198 return 0;
199 }
200}
201
202/** Return true iff <b>challenge_type_a</b> is one that we would rather
203 * use than <b>challenge_type_b</b>. */
204int
205authchallenge_type_is_better(uint16_t challenge_type_a,
206 uint16_t challenge_type_b)
207{
208 /* Any supported type is better than an unsupported one;
209 * all unsupported types are equally bad. */
210 if (!authchallenge_type_is_supported(challenge_type_a))
211 return 0;
212 if (!authchallenge_type_is_supported(challenge_type_b))
213 return 1;
214 /* It happens that types are superior in numerically ascending order.
215 * If that ever changes, this must change too. */
216 return (challenge_type_a > challenge_type_b);
217}
218
219/** Send an AUTH_CHALLENGE cell on the connection <b>conn</b>. Return 0
220 * on success, -1 on failure. */
221int
223{
224 var_cell_t *cell = NULL;
225 int r = -1;
227
228 if (! conn->handshake_state)
229 return -1;
230
231 auth_challenge_cell_t *ac = auth_challenge_cell_new();
232
233 tor_assert(sizeof(ac->challenge) == 32);
234 crypto_rand((char*)ac->challenge, sizeof(ac->challenge));
235
237 auth_challenge_cell_add_methods(ac, AUTHTYPE_ED25519_SHA256_RFC5705);
238 auth_challenge_cell_set_n_methods(ac,
239 auth_challenge_cell_getlen_methods(ac));
240
241 cell = var_cell_new(auth_challenge_cell_encoded_len(ac));
242 ssize_t len = auth_challenge_cell_encode(cell->payload, cell->payload_len,
243 ac);
244 if (len != cell->payload_len) {
245 /* LCOV_EXCL_START */
246 log_warn(LD_BUG, "Encoded auth challenge cell length not as expected");
247 goto done;
248 /* LCOV_EXCL_STOP */
249 }
250 cell->command = CELL_AUTH_CHALLENGE;
251
253 r = 0;
254
255 done:
256 var_cell_free(cell);
257 auth_challenge_cell_free(ac);
258
259 return r;
260}
261
262/** Compute the main body of an AUTHENTICATE cell that a client can use
263 * to authenticate itself on a v3 handshake for <b>conn</b>. Return it
264 * in a var_cell_t.
265 *
266 * If <b>server</b> is true, only calculate the first
267 * V3_AUTH_FIXED_PART_LEN bytes -- the part of the authenticator that's
268 * determined by the rest of the handshake, and which match the provided value
269 * exactly.
270 *
271 * If <b>server</b> is false and <b>ed_signing_key</b> is NULL, calculate the
272 * first V3_AUTH_BODY_LEN bytes of the authenticator (that is, everything
273 * that should be signed), but don't actually sign it.
274 *
275 * If <b>server</b> is false and <b>ed_signing_key</b> is provided,
276 * calculate the
277 * entire authenticator, signed with <b>ed_signing_key</b>.
278 *
279 * Return the length of the cell body on success, and -1 on failure.
280 */
283 const int authtype,
284 const ed25519_keypair_t *ed_signing_key,
285 int server)
286{
287 auth1_t *auth = NULL;
288 var_cell_t *result = NULL;
289 const char *authtype_str = NULL;
290
291 /* assert state is reasonable XXXX */
292 switch (authtype) {
295 /* These are unsupported; we should never reach this point. */
296 tor_assert_nonfatal_unreached_once();
297 return NULL;
298 break;
300 authtype_str = "AUTH0003";
301 break;
302 default:
303 tor_assert(0);
304 break;
305 }
306
307 auth = auth1_new();
308
309 /* Type: 8 bytes. */
310 memcpy(auth1_getarray_type(auth), authtype_str, 8);
311
312 {
313 const tor_x509_cert_t *id_cert=NULL;
314 const common_digests_t *my_digests, *their_digests;
315 const uint8_t *my_id, *their_id, *client_id, *server_id;
316 if (tor_tls_get_my_certs(server, NULL, &id_cert))
317 goto err;
318 my_digests = tor_x509_cert_get_id_digests(id_cert);
319 their_digests =
321 tor_assert(my_digests);
322 tor_assert(their_digests);
323 my_id = (uint8_t*)my_digests->d[DIGEST_SHA256];
324 their_id = (uint8_t*)their_digests->d[DIGEST_SHA256];
325
326 client_id = server ? their_id : my_id;
327 server_id = server ? my_id : their_id;
328
329 /* Client ID digest: 32 octets. */
330 memcpy(auth->cid, client_id, 32);
331
332 /* Server ID digest: 32 octets. */
333 memcpy(auth->sid, server_id, 32);
334 }
335
336 {
337 const ed25519_public_key_t *my_ed_id, *their_ed_id;
338 if (!conn->handshake_state->certs->ed_id_sign) {
339 log_warn(LD_OR, "Ed authenticate without Ed ID cert from peer.");
340 goto err;
341 }
342 my_ed_id = get_master_identity_key();
343 their_ed_id = &conn->handshake_state->certs->ed_id_sign->signing_key;
344
345 const uint8_t *cid_ed = (server ? their_ed_id : my_ed_id)->pubkey;
346 const uint8_t *sid_ed = (server ? my_ed_id : their_ed_id)->pubkey;
347
348 memcpy(auth->cid_ed, cid_ed, ED25519_PUBKEY_LEN);
349 memcpy(auth->sid_ed, sid_ed, ED25519_PUBKEY_LEN);
350 }
351
352 {
353 crypto_digest_t *server_d, *client_d;
354 if (server) {
355 server_d = conn->handshake_state->digest_sent;
356 client_d = conn->handshake_state->digest_received;
357 } else {
358 client_d = conn->handshake_state->digest_sent;
359 server_d = conn->handshake_state->digest_received;
360 }
361
362 /* Server log digest : 32 octets */
363 crypto_digest_get_digest(server_d, (char*)auth->slog, 32);
364
365 /* Client log digest : 32 octets */
366 crypto_digest_get_digest(client_d, (char*)auth->clog, 32);
367 }
368
369 {
370 /* Digest of cert used on TLS link : 32 octets. */
371 tor_x509_cert_t *cert = NULL;
372 if (server) {
373 cert = tor_tls_get_own_cert(conn->tls);
374 } else {
375 cert = tor_tls_get_peer_cert(conn->tls);
376 }
377 if (!cert) {
378 log_warn(LD_OR, "Unable to find cert when making %s data.",
379 authtype_str);
380 goto err;
381 }
382
383 memcpy(auth->scert,
384 tor_x509_cert_get_cert_digests(cert)->d[DIGEST_SHA256], 32);
385
386 tor_x509_cert_free(cert);
387 }
388
389 /* RFC5709 key exporter material : 32 octets */
390 {
391 char label[128];
392 tor_snprintf(label, sizeof(label),
393 "EXPORTER FOR TOR TLS CLIENT BINDING %s", authtype_str);
394 int r = tor_tls_export_key_material(conn->tls, auth->tlssecrets,
395 auth->cid, sizeof(auth->cid),
396 label);
397 if (r < 0) {
398 if (r != -2)
399 log_warn(LD_BUG, "TLS key export failed for unknown reason.");
400 // If r == -2, this was openssl bug 7712.
401 goto err;
402 }
403 }
404
405 /* 8 octets were reserved for the current time, but we're trying to get out
406 * of the habit of sending time around willynilly. Fortunately, nothing
407 * checks it. That's followed by 16 bytes of nonce. */
408 crypto_rand((char*)auth->rand, 24);
409
410 ssize_t maxlen = auth1_encoded_len(auth);
411 if (ed_signing_key) {
412 maxlen += ED25519_SIG_LEN;
413 }
414
415 const int AUTH_CELL_HEADER_LEN = 4; /* 2 bytes of type, 2 bytes of length */
416 result = var_cell_new(AUTH_CELL_HEADER_LEN + maxlen);
417 uint8_t *const out = result->payload + AUTH_CELL_HEADER_LEN;
418 const size_t outlen = maxlen;
419 ssize_t len;
420
421 result->command = CELL_AUTHENTICATE;
422 set_uint16(result->payload, htons(authtype));
423
424 if ((len = auth1_encode(out, outlen, auth)) < 0) {
425 /* LCOV_EXCL_START */
426 log_warn(LD_BUG, "Unable to encode signed part of AUTH1 data.");
427 goto err;
428 /* LCOV_EXCL_STOP */
429 }
430
431 if (server) {
432 auth1_t *tmp = NULL;
433 ssize_t len2 = auth1_parse(&tmp, out, len);
434 if (!tmp) {
435 /* LCOV_EXCL_START */
436 log_warn(LD_BUG, "Unable to parse signed part of AUTH1 data that "
437 "we just encoded");
438 goto err;
439 /* LCOV_EXCL_STOP */
440 }
441 result->payload_len = (tmp->end_of_signed - result->payload);
442
443 auth1_free(tmp);
444 if (len2 != len) {
445 /* LCOV_EXCL_START */
446 log_warn(LD_BUG, "Mismatched length when re-parsing AUTH1 data.");
447 goto err;
448 /* LCOV_EXCL_STOP */
449 }
450 goto done;
451 }
452
453 if (ed_signing_key) {
455 if (ed25519_sign(&sig, out, len, ed_signing_key) < 0) {
456 /* LCOV_EXCL_START */
457 log_warn(LD_BUG, "Unable to sign ed25519 authentication data");
458 goto err;
459 /* LCOV_EXCL_STOP */
460 }
461 auth1_setlen_sig(auth, ED25519_SIG_LEN);
462 memcpy(auth1_getarray_sig(auth), sig.sig, ED25519_SIG_LEN);
463 }
464
465 len = auth1_encode(out, outlen, auth);
466 if (len < 0) {
467 /* LCOV_EXCL_START */
468 log_warn(LD_BUG, "Unable to encode signed AUTH1 data.");
469 goto err;
470 /* LCOV_EXCL_STOP */
471 }
472 tor_assert(len + AUTH_CELL_HEADER_LEN <= result->payload_len);
473 result->payload_len = len + AUTH_CELL_HEADER_LEN;
474 set_uint16(result->payload+2, htons(len));
475
476 goto done;
477
478 err:
479 var_cell_free(result);
480 result = NULL;
481 done:
482 auth1_free(auth);
483 return result;
484}
485
486/** Send an AUTHENTICATE cell on the connection <b>conn</b>. Return 0 on
487 * success, -1 on failure */
488MOCK_IMPL(int,
490{
491 var_cell_t *cell;
492 /* XXXX make sure we're actually supposed to send this! */
493
494 if (! authchallenge_type_is_supported(authtype)) {
495 log_warn(LD_BUG, "Tried to send authenticate cell with unknown "
496 "authentication type %d", authtype);
497 return -1;
498 }
499
501 authtype,
502 get_current_auth_keypair(),
503 0 /* not server */);
504 if (! cell) {
505 log_fn(LOG_PROTOCOL_WARN, LD_NET, "Unable to compute authenticate cell!");
506 return -1;
507 }
509 var_cell_free(cell);
510
511 return 0;
512}
static void set_uint16(void *cp, uint16_t v)
Definition: bytes.h:78
Header file for config.c.
var_cell_t * var_cell_new(uint16_t payload_len)
void connection_or_write_var_cell_to_buf(const var_cell_t *cell, or_connection_t *conn)
Header file for connection_or.c.
void crypto_digest_get_digest(crypto_digest_t *digest, char *out, size_t out_len)
int ed25519_sign(ed25519_signature_t *signature_out, const uint8_t *msg, size_t len, const ed25519_keypair_t *keypair)
void crypto_rand(char *to, size_t n)
Definition: crypto_rand.c:479
Common functions for using (pseudo-)random number generators.
#define log_fn(severity, domain, args,...)
Definition: log.h:283
#define LD_OR
Definition: log.h:92
#define LD_BUG
Definition: log.h:86
#define LD_NET
Definition: log.h:66
Master header file for Tor-specific functionality.
#define OR_CERT_TYPE_ID_1024
Definition: or.h:642
#define AUTHTYPE_RSA_SHA256_TLSSECRET
Definition: or.h:657
#define OR_CERT_TYPE_AUTH_1024
Definition: or.h:646
#define OR_CERT_TYPE_TLS_LINK
Definition: or.h:639
#define AUTHTYPE_RSA_SHA256_RFC5705
Definition: or.h:665
#define AUTHTYPE_ED25519_SHA256_RFC5705
Definition: or.h:668
OR connection structure.
OR handshake certs structure.
OR handshake state structure.
#define OR_CONN_STATE_OR_HANDSHAKING_V3
Definition: orconn_event.h:43
int tor_snprintf(char *str, size_t size, const char *format,...)
Definition: printf.c:27
int authchallenge_type_is_better(uint16_t challenge_type_a, uint16_t challenge_type_b)
static void add_certs_cell_cert_helper(certs_cell_t *certs_cell, uint8_t cert_type, const uint8_t *cert_encoded, size_t cert_len)
int connection_or_send_certs_cell(or_connection_t *conn)
static void add_ed25519_cert(certs_cell_t *certs_cell, uint8_t cert_type, const tor_cert_t *cert)
var_cell_t * connection_or_compute_authenticate_cell_body(or_connection_t *conn, const int authtype, const ed25519_keypair_t *ed_signing_key, int server)
int authchallenge_type_is_supported(uint16_t challenge_type)
int connection_or_send_authenticate_cell(or_connection_t *conn, int authtype)
int connection_or_send_auth_challenge_cell(or_connection_t *conn)
static void add_x509_cert(certs_cell_t *certs_cell, uint8_t cert_type, const tor_x509_cert_t *cert)
Header for feature/relay/relay_handshake.c.
Header for routerkeys.c.
char d[N_COMMON_DIGEST_ALGORITHMS][DIGEST256_LEN]
Definition: crypto_digest.h:89
uint8_t state
Definition: connection_st.h:49
or_handshake_state_t * handshake_state
struct tor_tls_t * tls
struct tor_cert_st * ed_id_sign
struct tor_x509_cert_t * id_cert
struct tor_cert_st * own_link_cert
crypto_digest_t * digest_sent
or_handshake_certs_t * certs
size_t encoded_len
Definition: torcert.h:43
uint8_t * encoded
Definition: torcert.h:41
uint8_t command
Definition: var_cell_st.h:18
uint16_t payload_len
Definition: var_cell_st.h:22
uint8_t payload[FLEXIBLE_ARRAY_MEMBER]
Definition: var_cell_st.h:24
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
Header for torcert.c.
int tor_tls_get_my_certs(int server, const tor_x509_cert_t **link_cert_out, const tor_x509_cert_t **id_cert_out)
Definition: tortls.c:76
Headers for tortls.c.
struct tor_x509_cert_t * tor_tls_get_peer_cert(tor_tls_t *tls)
Definition: tortls_nss.c:506
struct tor_x509_cert_t * tor_tls_get_own_cert(tor_tls_t *tls)
Definition: tortls_nss.c:516
int tor_tls_export_key_material(tor_tls_t *tls, uint8_t *secrets_out, const uint8_t *context, size_t context_len, const char *label)
Definition: tortls_nss.c:721
#define tor_assert(expr)
Definition: util_bug.h:103
Variable-length cell structure.
#define ED25519_SIG_LEN
Definition: x25519_sizes.h:34
#define ED25519_PUBKEY_LEN
Definition: x25519_sizes.h:27
Headers for tortls.c.
const common_digests_t * tor_x509_cert_get_cert_digests(const tor_x509_cert_t *cert)
Definition: x509.c:69
const common_digests_t * tor_x509_cert_get_id_digests(const tor_x509_cert_t *cert)
Definition: x509.c:59
void tor_x509_cert_get_der(const tor_x509_cert_t *cert, const uint8_t **encoded_out, size_t *size_out)
Definition: x509_nss.c:218