1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6
7 /**
8 * @file relay_handshake.c
9 * @brief Functions to implement the relay-only parts of our
10 * connection handshake.
11 *
12 * Some parts of our TLS link handshake are only done by relays (including
13 * bridges). Specifically, only relays need to send CERTS cells; only
14 * relays need to send or receive AUTHCHALLENGE cells, and only relays need to
15 * send or receive AUTHENTICATE cells.
16 **/
17
18 #include "orconfig.h"
19 #include "core/or/or.h"
20 #include "feature/relay/relay_handshake.h"
21
22 #include "app/config/config.h"
23 #include "core/or/connection_or.h"
24 #include "lib/crypt_ops/crypto_rand.h"
25 #include "trunnel/link_handshake.h"
26 #include "feature/relay/routerkeys.h"
27 #include "feature/nodelist/torcert.h"
28
29 #include "core/or/or_connection_st.h"
30 #include "core/or/or_handshake_certs_st.h"
31 #include "core/or/or_handshake_state_st.h"
32 #include "core/or/var_cell_st.h"
33
34 #include "lib/tls/tortls.h"
35 #include "lib/tls/x509.h"
36
37 /** Helper used to add an encoded certs to a cert cell */
38 static void
add_certs_cell_cert_helper(certs_cell_t * certs_cell,uint8_t cert_type,const uint8_t * cert_encoded,size_t cert_len)39 add_certs_cell_cert_helper(certs_cell_t *certs_cell,
40 uint8_t cert_type,
41 const uint8_t *cert_encoded,
42 size_t cert_len)
43 {
44 tor_assert(cert_len <= UINT16_MAX);
45 certs_cell_cert_t *ccc = certs_cell_cert_new();
46 ccc->cert_type = cert_type;
47 ccc->cert_len = cert_len;
48 certs_cell_cert_setlen_body(ccc, cert_len);
49 memcpy(certs_cell_cert_getarray_body(ccc), cert_encoded, cert_len);
50
51 certs_cell_add_certs(certs_cell, ccc);
52 }
53
54 /** Add an encoded X509 cert (stored as <b>cert_len</b> bytes at
55 * <b>cert_encoded</b>) to the trunnel certs_cell_t object that we are
56 * building in <b>certs_cell</b>. Set its type field to <b>cert_type</b>.
57 * (If <b>cert</b> is NULL, take no action.) */
58 static void
add_x509_cert(certs_cell_t * certs_cell,uint8_t cert_type,const tor_x509_cert_t * cert)59 add_x509_cert(certs_cell_t *certs_cell,
60 uint8_t cert_type,
61 const tor_x509_cert_t *cert)
62 {
63 if (NULL == cert)
64 return;
65
66 const uint8_t *cert_encoded = NULL;
67 size_t cert_len;
68 tor_x509_cert_get_der(cert, &cert_encoded, &cert_len);
69
70 add_certs_cell_cert_helper(certs_cell, cert_type, cert_encoded, cert_len);
71 }
72
73 /** Add an Ed25519 cert from <b>cert</b> to the trunnel certs_cell_t object
74 * that we are building in <b>certs_cell</b>. Set its type field to
75 * <b>cert_type</b>. (If <b>cert</b> is NULL, take no action.) */
76 static void
add_ed25519_cert(certs_cell_t * certs_cell,uint8_t cert_type,const tor_cert_t * cert)77 add_ed25519_cert(certs_cell_t *certs_cell,
78 uint8_t cert_type,
79 const tor_cert_t *cert)
80 {
81 if (NULL == cert)
82 return;
83
84 add_certs_cell_cert_helper(certs_cell, cert_type,
85 cert->encoded, cert->encoded_len);
86 }
87
88 #ifdef TOR_UNIT_TESTS
89 int certs_cell_ed25519_disabled_for_testing = 0;
90 #else
91 #define certs_cell_ed25519_disabled_for_testing 0
92 #endif
93
94 /** Send a CERTS cell on the connection <b>conn</b>. Return 0 on success, -1
95 * on failure. */
96 int
connection_or_send_certs_cell(or_connection_t * conn)97 connection_or_send_certs_cell(or_connection_t *conn)
98 {
99 const tor_x509_cert_t *global_link_cert = NULL, *id_cert = NULL;
100 tor_x509_cert_t *own_link_cert = NULL;
101 var_cell_t *cell;
102
103 certs_cell_t *certs_cell = NULL;
104
105 tor_assert(conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V3);
106
107 if (! conn->handshake_state)
108 return -1;
109
110 const int conn_in_server_mode = ! conn->handshake_state->started_here;
111
112 /* Get the encoded values of the X509 certificates */
113 if (tor_tls_get_my_certs(conn_in_server_mode,
114 &global_link_cert, &id_cert) < 0)
115 return -1;
116
117 if (conn_in_server_mode) {
118 own_link_cert = tor_tls_get_own_cert(conn->tls);
119 }
120 tor_assert(id_cert);
121
122 certs_cell = certs_cell_new();
123
124 /* Start adding certs. First the link cert or auth1024 cert. */
125 if (conn_in_server_mode) {
126 tor_assert_nonfatal(own_link_cert);
127 add_x509_cert(certs_cell,
128 OR_CERT_TYPE_TLS_LINK, own_link_cert);
129 } else {
130 tor_assert(global_link_cert);
131 add_x509_cert(certs_cell,
132 OR_CERT_TYPE_AUTH_1024, global_link_cert);
133 }
134
135 /* Next the RSA->RSA ID cert */
136 add_x509_cert(certs_cell,
137 OR_CERT_TYPE_ID_1024, id_cert);
138
139 /* Next the Ed25519 certs */
140 add_ed25519_cert(certs_cell,
141 CERTTYPE_ED_ID_SIGN,
142 get_master_signing_key_cert());
143 if (conn_in_server_mode) {
144 tor_assert_nonfatal(conn->handshake_state->own_link_cert ||
145 certs_cell_ed25519_disabled_for_testing);
146 add_ed25519_cert(certs_cell,
147 CERTTYPE_ED_SIGN_LINK,
148 conn->handshake_state->own_link_cert);
149 } else {
150 add_ed25519_cert(certs_cell,
151 CERTTYPE_ED_SIGN_AUTH,
152 get_current_auth_key_cert());
153 }
154
155 /* And finally the crosscert. */
156 {
157 const uint8_t *crosscert=NULL;
158 size_t crosscert_len;
159 get_master_rsa_crosscert(&crosscert, &crosscert_len);
160 if (crosscert) {
161 add_certs_cell_cert_helper(certs_cell,
162 CERTTYPE_RSA1024_ID_EDID,
163 crosscert, crosscert_len);
164 }
165 }
166
167 /* We've added all the certs; make the cell. */
168 certs_cell->n_certs = certs_cell_getlen_certs(certs_cell);
169
170 ssize_t alloc_len = certs_cell_encoded_len(certs_cell);
171 tor_assert(alloc_len >= 0 && alloc_len <= UINT16_MAX);
172 cell = var_cell_new(alloc_len);
173 cell->command = CELL_CERTS;
174 ssize_t enc_len = certs_cell_encode(cell->payload, alloc_len, certs_cell);
175 tor_assert(enc_len > 0 && enc_len <= alloc_len);
176 cell->payload_len = enc_len;
177
178 connection_or_write_var_cell_to_buf(cell, conn);
179 var_cell_free(cell);
180 certs_cell_free(certs_cell);
181 tor_x509_cert_free(own_link_cert);
182
183 return 0;
184 }
185
186 #ifdef TOR_UNIT_TESTS
187 int testing__connection_or_pretend_TLSSECRET_is_supported = 0;
188 #else
189 #define testing__connection_or_pretend_TLSSECRET_is_supported 0
190 #endif
191
192 /** Return true iff <b>challenge_type</b> is an AUTHCHALLENGE type that
193 * we can send and receive. */
194 int
authchallenge_type_is_supported(uint16_t challenge_type)195 authchallenge_type_is_supported(uint16_t challenge_type)
196 {
197 switch (challenge_type) {
198 case AUTHTYPE_RSA_SHA256_TLSSECRET:
199 #ifdef HAVE_WORKING_TOR_TLS_GET_TLSSECRETS
200 return 1;
201 #else
202 return testing__connection_or_pretend_TLSSECRET_is_supported;
203 #endif
204 case AUTHTYPE_ED25519_SHA256_RFC5705:
205 return 1;
206 case AUTHTYPE_RSA_SHA256_RFC5705:
207 default:
208 return 0;
209 }
210 }
211
212 /** Return true iff <b>challenge_type_a</b> is one that we would rather
213 * use than <b>challenge_type_b</b>. */
214 int
authchallenge_type_is_better(uint16_t challenge_type_a,uint16_t challenge_type_b)215 authchallenge_type_is_better(uint16_t challenge_type_a,
216 uint16_t challenge_type_b)
217 {
218 /* Any supported type is better than an unsupported one;
219 * all unsupported types are equally bad. */
220 if (!authchallenge_type_is_supported(challenge_type_a))
221 return 0;
222 if (!authchallenge_type_is_supported(challenge_type_b))
223 return 1;
224 /* It happens that types are superior in numerically ascending order.
225 * If that ever changes, this must change too. */
226 return (challenge_type_a > challenge_type_b);
227 }
228
229 /** Send an AUTH_CHALLENGE cell on the connection <b>conn</b>. Return 0
230 * on success, -1 on failure. */
231 int
connection_or_send_auth_challenge_cell(or_connection_t * conn)232 connection_or_send_auth_challenge_cell(or_connection_t *conn)
233 {
234 var_cell_t *cell = NULL;
235 int r = -1;
236 tor_assert(conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V3);
237
238 if (! conn->handshake_state)
239 return -1;
240
241 auth_challenge_cell_t *ac = auth_challenge_cell_new();
242
243 tor_assert(sizeof(ac->challenge) == 32);
244 crypto_rand((char*)ac->challenge, sizeof(ac->challenge));
245
246 if (authchallenge_type_is_supported(AUTHTYPE_RSA_SHA256_TLSSECRET))
247 auth_challenge_cell_add_methods(ac, AUTHTYPE_RSA_SHA256_TLSSECRET);
248 /* Disabled, because everything that supports this method also supports
249 * the much-superior ED25519_SHA256_RFC5705 */
250 /* auth_challenge_cell_add_methods(ac, AUTHTYPE_RSA_SHA256_RFC5705); */
251 if (authchallenge_type_is_supported(AUTHTYPE_ED25519_SHA256_RFC5705))
252 auth_challenge_cell_add_methods(ac, AUTHTYPE_ED25519_SHA256_RFC5705);
253 auth_challenge_cell_set_n_methods(ac,
254 auth_challenge_cell_getlen_methods(ac));
255
256 cell = var_cell_new(auth_challenge_cell_encoded_len(ac));
257 ssize_t len = auth_challenge_cell_encode(cell->payload, cell->payload_len,
258 ac);
259 if (len != cell->payload_len) {
260 /* LCOV_EXCL_START */
261 log_warn(LD_BUG, "Encoded auth challenge cell length not as expected");
262 goto done;
263 /* LCOV_EXCL_STOP */
264 }
265 cell->command = CELL_AUTH_CHALLENGE;
266
267 connection_or_write_var_cell_to_buf(cell, conn);
268 r = 0;
269
270 done:
271 var_cell_free(cell);
272 auth_challenge_cell_free(ac);
273
274 return r;
275 }
276
277 /** Compute the main body of an AUTHENTICATE cell that a client can use
278 * to authenticate itself on a v3 handshake for <b>conn</b>. Return it
279 * in a var_cell_t.
280 *
281 * If <b>server</b> is true, only calculate the first
282 * V3_AUTH_FIXED_PART_LEN bytes -- the part of the authenticator that's
283 * determined by the rest of the handshake, and which match the provided value
284 * exactly.
285 *
286 * If <b>server</b> is false and <b>signing_key</b> is NULL, calculate the
287 * first V3_AUTH_BODY_LEN bytes of the authenticator (that is, everything
288 * that should be signed), but don't actually sign it.
289 *
290 * If <b>server</b> is false and <b>signing_key</b> is provided, calculate the
291 * entire authenticator, signed with <b>signing_key</b>.
292 *
293 * Return the length of the cell body on success, and -1 on failure.
294 */
295 var_cell_t *
connection_or_compute_authenticate_cell_body(or_connection_t * conn,const int authtype,crypto_pk_t * signing_key,const ed25519_keypair_t * ed_signing_key,int server)296 connection_or_compute_authenticate_cell_body(or_connection_t *conn,
297 const int authtype,
298 crypto_pk_t *signing_key,
299 const ed25519_keypair_t *ed_signing_key,
300 int server)
301 {
302 auth1_t *auth = NULL;
303 auth_ctx_t *ctx = auth_ctx_new();
304 var_cell_t *result = NULL;
305 int old_tlssecrets_algorithm = 0;
306 const char *authtype_str = NULL;
307
308 int is_ed = 0;
309
310 /* assert state is reasonable XXXX */
311 switch (authtype) {
312 case AUTHTYPE_RSA_SHA256_TLSSECRET:
313 authtype_str = "AUTH0001";
314 old_tlssecrets_algorithm = 1;
315 break;
316 case AUTHTYPE_RSA_SHA256_RFC5705:
317 authtype_str = "AUTH0002";
318 break;
319 case AUTHTYPE_ED25519_SHA256_RFC5705:
320 authtype_str = "AUTH0003";
321 is_ed = 1;
322 break;
323 default:
324 tor_assert(0);
325 break;
326 }
327
328 auth = auth1_new();
329 ctx->is_ed = is_ed;
330
331 /* Type: 8 bytes. */
332 memcpy(auth1_getarray_type(auth), authtype_str, 8);
333
334 {
335 const tor_x509_cert_t *id_cert=NULL;
336 const common_digests_t *my_digests, *their_digests;
337 const uint8_t *my_id, *their_id, *client_id, *server_id;
338 if (tor_tls_get_my_certs(server, NULL, &id_cert))
339 goto err;
340 my_digests = tor_x509_cert_get_id_digests(id_cert);
341 their_digests =
342 tor_x509_cert_get_id_digests(conn->handshake_state->certs->id_cert);
343 tor_assert(my_digests);
344 tor_assert(their_digests);
345 my_id = (uint8_t*)my_digests->d[DIGEST_SHA256];
346 their_id = (uint8_t*)their_digests->d[DIGEST_SHA256];
347
348 client_id = server ? their_id : my_id;
349 server_id = server ? my_id : their_id;
350
351 /* Client ID digest: 32 octets. */
352 memcpy(auth->cid, client_id, 32);
353
354 /* Server ID digest: 32 octets. */
355 memcpy(auth->sid, server_id, 32);
356 }
357
358 if (is_ed) {
359 const ed25519_public_key_t *my_ed_id, *their_ed_id;
360 if (!conn->handshake_state->certs->ed_id_sign) {
361 log_warn(LD_OR, "Ed authenticate without Ed ID cert from peer.");
362 goto err;
363 }
364 my_ed_id = get_master_identity_key();
365 their_ed_id = &conn->handshake_state->certs->ed_id_sign->signing_key;
366
367 const uint8_t *cid_ed = (server ? their_ed_id : my_ed_id)->pubkey;
368 const uint8_t *sid_ed = (server ? my_ed_id : their_ed_id)->pubkey;
369
370 memcpy(auth->u1_cid_ed, cid_ed, ED25519_PUBKEY_LEN);
371 memcpy(auth->u1_sid_ed, sid_ed, ED25519_PUBKEY_LEN);
372 }
373
374 {
375 crypto_digest_t *server_d, *client_d;
376 if (server) {
377 server_d = conn->handshake_state->digest_sent;
378 client_d = conn->handshake_state->digest_received;
379 } else {
380 client_d = conn->handshake_state->digest_sent;
381 server_d = conn->handshake_state->digest_received;
382 }
383
384 /* Server log digest : 32 octets */
385 crypto_digest_get_digest(server_d, (char*)auth->slog, 32);
386
387 /* Client log digest : 32 octets */
388 crypto_digest_get_digest(client_d, (char*)auth->clog, 32);
389 }
390
391 {
392 /* Digest of cert used on TLS link : 32 octets. */
393 tor_x509_cert_t *cert = NULL;
394 if (server) {
395 cert = tor_tls_get_own_cert(conn->tls);
396 } else {
397 cert = tor_tls_get_peer_cert(conn->tls);
398 }
399 if (!cert) {
400 log_warn(LD_OR, "Unable to find cert when making %s data.",
401 authtype_str);
402 goto err;
403 }
404
405 memcpy(auth->scert,
406 tor_x509_cert_get_cert_digests(cert)->d[DIGEST_SHA256], 32);
407
408 tor_x509_cert_free(cert);
409 }
410
411 /* HMAC of clientrandom and serverrandom using master key : 32 octets */
412 if (old_tlssecrets_algorithm) {
413 if (tor_tls_get_tlssecrets(conn->tls, auth->tlssecrets) < 0) {
414 log_fn(LOG_PROTOCOL_WARN, LD_OR, "Somebody asked us for an older TLS "
415 "authentication method (AUTHTYPE_RSA_SHA256_TLSSECRET) "
416 "which we don't support.");
417 }
418 } else {
419 char label[128];
420 tor_snprintf(label, sizeof(label),
421 "EXPORTER FOR TOR TLS CLIENT BINDING %s", authtype_str);
422 int r = tor_tls_export_key_material(conn->tls, auth->tlssecrets,
423 auth->cid, sizeof(auth->cid),
424 label);
425 if (r < 0) {
426 if (r != -2)
427 log_warn(LD_BUG, "TLS key export failed for unknown reason.");
428 // If r == -2, this was openssl bug 7712.
429 goto err;
430 }
431 }
432
433 /* 8 octets were reserved for the current time, but we're trying to get out
434 * of the habit of sending time around willynilly. Fortunately, nothing
435 * checks it. That's followed by 16 bytes of nonce. */
436 crypto_rand((char*)auth->rand, 24);
437
438 ssize_t maxlen = auth1_encoded_len(auth, ctx);
439 if (ed_signing_key && is_ed) {
440 maxlen += ED25519_SIG_LEN;
441 } else if (signing_key && !is_ed) {
442 maxlen += crypto_pk_keysize(signing_key);
443 }
444
445 const int AUTH_CELL_HEADER_LEN = 4; /* 2 bytes of type, 2 bytes of length */
446 result = var_cell_new(AUTH_CELL_HEADER_LEN + maxlen);
447 uint8_t *const out = result->payload + AUTH_CELL_HEADER_LEN;
448 const size_t outlen = maxlen;
449 ssize_t len;
450
451 result->command = CELL_AUTHENTICATE;
452 set_uint16(result->payload, htons(authtype));
453
454 if ((len = auth1_encode(out, outlen, auth, ctx)) < 0) {
455 /* LCOV_EXCL_START */
456 log_warn(LD_BUG, "Unable to encode signed part of AUTH1 data.");
457 goto err;
458 /* LCOV_EXCL_STOP */
459 }
460
461 if (server) {
462 auth1_t *tmp = NULL;
463 ssize_t len2 = auth1_parse(&tmp, out, len, ctx);
464 if (!tmp) {
465 /* LCOV_EXCL_START */
466 log_warn(LD_BUG, "Unable to parse signed part of AUTH1 data that "
467 "we just encoded");
468 goto err;
469 /* LCOV_EXCL_STOP */
470 }
471 result->payload_len = (tmp->end_of_signed - result->payload);
472
473 auth1_free(tmp);
474 if (len2 != len) {
475 /* LCOV_EXCL_START */
476 log_warn(LD_BUG, "Mismatched length when re-parsing AUTH1 data.");
477 goto err;
478 /* LCOV_EXCL_STOP */
479 }
480 goto done;
481 }
482
483 if (ed_signing_key && is_ed) {
484 ed25519_signature_t sig;
485 if (ed25519_sign(&sig, out, len, ed_signing_key) < 0) {
486 /* LCOV_EXCL_START */
487 log_warn(LD_BUG, "Unable to sign ed25519 authentication data");
488 goto err;
489 /* LCOV_EXCL_STOP */
490 }
491 auth1_setlen_sig(auth, ED25519_SIG_LEN);
492 memcpy(auth1_getarray_sig(auth), sig.sig, ED25519_SIG_LEN);
493
494 } else if (signing_key && !is_ed) {
495 auth1_setlen_sig(auth, crypto_pk_keysize(signing_key));
496
497 char d[32];
498 crypto_digest256(d, (char*)out, len, DIGEST_SHA256);
499 int siglen = crypto_pk_private_sign(signing_key,
500 (char*)auth1_getarray_sig(auth),
501 auth1_getlen_sig(auth),
502 d, 32);
503 if (siglen < 0) {
504 log_warn(LD_OR, "Unable to sign AUTH1 data.");
505 goto err;
506 }
507
508 auth1_setlen_sig(auth, siglen);
509 }
510
511 len = auth1_encode(out, outlen, auth, ctx);
512 if (len < 0) {
513 /* LCOV_EXCL_START */
514 log_warn(LD_BUG, "Unable to encode signed AUTH1 data.");
515 goto err;
516 /* LCOV_EXCL_STOP */
517 }
518 tor_assert(len + AUTH_CELL_HEADER_LEN <= result->payload_len);
519 result->payload_len = len + AUTH_CELL_HEADER_LEN;
520 set_uint16(result->payload+2, htons(len));
521
522 goto done;
523
524 err:
525 var_cell_free(result);
526 result = NULL;
527 done:
528 auth1_free(auth);
529 auth_ctx_free(ctx);
530 return result;
531 }
532
533 /** Send an AUTHENTICATE cell on the connection <b>conn</b>. Return 0 on
534 * success, -1 on failure */
535 MOCK_IMPL(int,
536 connection_or_send_authenticate_cell,(or_connection_t *conn, int authtype))
537 {
538 var_cell_t *cell;
539 crypto_pk_t *pk = tor_tls_get_my_client_auth_key();
540 /* XXXX make sure we're actually supposed to send this! */
541
542 if (!pk) {
543 log_warn(LD_BUG, "Can't compute authenticate cell: no client auth key");
544 return -1;
545 }
546 if (! authchallenge_type_is_supported(authtype)) {
547 log_warn(LD_BUG, "Tried to send authenticate cell with unknown "
548 "authentication type %d", authtype);
549 return -1;
550 }
551
552 cell = connection_or_compute_authenticate_cell_body(conn,
553 authtype,
554 pk,
555 get_current_auth_keypair(),
556 0 /* not server */);
557 if (! cell) {
558 log_fn(LOG_PROTOCOL_WARN, LD_NET, "Unable to compute authenticate cell!");
559 return -1;
560 }
561 connection_or_write_var_cell_to_buf(cell, conn);
562 var_cell_free(cell);
563
564 return 0;
565 }
566