1 /* Copyright (c) 2012, Jacob Appelbaum
2  * Copyright (c) 2012, The Tor Project, Inc. */
3 /* See LICENSE for licensing information */
4 
5 /**
6   * \file tlsdate-helper.h
7   * \brief The secondary header for our clock helper.
8   **/
9 
10 #ifndef TLSDATEHELPER_H
11 #define TLSDATEHELPER_H
12 
13 #include <stdarg.h>
14 #include <inttypes.h>
15 #include <stdio.h>
16 #include <string.h>
17 #include <unistd.h>
18 #include <sys/stat.h>
19 #include <sys/time.h>
20 #include <sys/types.h>
21 #include <sys/wait.h>
22 #include <time.h>
23 #include <pwd.h>
24 #include <grp.h>
25 #include <arpa/inet.h>
26 #include <ctype.h>
27 
28 #ifndef USE_POLARSSL
29 #include <openssl/bio.h>
30 #include <openssl/ssl.h>
31 #include <openssl/err.h>
32 #include <openssl/evp.h>
33 #include <openssl/x509.h>
34 #include <openssl/conf.h>
35 #include <openssl/x509v3.h>
36 #endif
37 
/* Presumably the helper's verbosity level (inferred from the name only).
 * NOTE(review): this is a tentative definition in a header, not an `extern`
 * declaration, so every translation unit that includes this file defines
 * `verbose`. Toolchains that default to -fno-common (GCC 10 and later) reject
 * that at link time as a duplicate symbol. Declaring it `extern` here and
 * defining it once in a .c file avoids the problem. */
38 int verbose;
39 
40 #include "src/util.h"
41 
42 /** Name of the unprivileged user (and, below, group) that we feel safe to
 * run the SSL handshake as. Both are #ifndef-guarded, so a build can override
 * them with -DUNPRIV_USER=... and -DUNPRIV_GROUP=...
 *
 * NOTE(review): "nobody" is commonly shared with other services, so anything
 * else running as "nobody" sits in the same trust domain as the handshake
 * code. A dedicated account for this helper isolates it better. "nogroup" does
 * not exist on every system (some only have a "nobody" group); confirm how
 * the implementation reacts when the lookup fails. */
43 #ifndef UNPRIV_USER
44 #define UNPRIV_USER "nobody"
45 #endif
46 #ifndef UNPRIV_GROUP
47 #define UNPRIV_GROUP "nogroup"
48 #endif
49 
50 // We should never accept a time before we were compiled
51 // We measure in seconds since the epoch - eg: echo `date '+%s'`
52 // We set this manually to ensure others can reproduce a build;
53 // automation of this will make every build different!
// The default below, 1342323666, corresponds to 2012-07-15 (UTC).
// NOTE(review): this is the lower bound for a remote time we will accept.
// The older the floor, the further back a misbehaving or hostile TLS peer can
// move the clock, and a rolled-back clock can make expired certificates look
// valid again. Release builds should raise it (-DRECENT_COMPILE_DATE=...);
// confirm at the use site exactly how the comparison is done.
54 #ifndef RECENT_COMPILE_DATE
55 #define RECENT_COMPILE_DATE (uint32_t) 1342323666
56 #endif
57 
// Judging by the name, the upper bound paired with RECENT_COMPILE_DATE, in
// seconds since the epoch. The default 1999991337 falls in May 2033 (UTC).
// NOTE(review): presumably a remote time above this value is rejected; confirm
// at the use site. If so, a build that keeps this default stops accepting the
// correct time after that date, although uint32_t could hold epoch seconds
// until 2106. Override with -DMAX_REASONABLE_TIME=... when needed.
58 #ifndef MAX_REASONABLE_TIME
59 #define MAX_REASONABLE_TIME (uint32_t) 1999991337
60 #endif
61 
// Bounds on the size of the server certificate's public key. Presumably these
// are in bits and compared with the result of get_certificate_keybits();
// confirm in the implementation.
// NOTE(review): a minimum of 1023 admits 1024-bit keys. Current guidance
// (e.g. NIST SP 800-131A) no longer allows RSA below 2048 bits or elliptic
// curves below 224 bits, so both minimums are weak by today's standards.
// All three values are #ifndef-guarded and can be raised at build time
// with -D.
62 #ifndef MIN_PUB_KEY_LEN
63 #define MIN_PUB_KEY_LEN (uint32_t) 1023
64 #endif
65 
// Smallest elliptic-curve key size accepted (see the note above).
66 #ifndef MIN_ECC_PUB_KEY_LEN
67 #define MIN_ECC_PUB_KEY_LEN (uint32_t) 160
68 #endif
69 
// Largest elliptic-curve key size accepted; 521 matches the NIST P-521 curve.
70 #ifndef MAX_ECC_PUB_KEY_LEN
71 #define MAX_ECC_PUB_KEY_LEN (uint32_t) 521
72 #endif
73 // After the duration of the TLS handshake exceeds this threshold
74 // (in msec), a warning is printed.
// Unlike the limits above, this one is not #ifndef-guarded, so it cannot be
// overridden from the compiler command line.
75 #define TLS_RTT_THRESHOLD      2000
76 
77 // RFC 5280 says...
78 // ub-common-name-length INTEGER ::= 64
// i.e. a certificate's commonName is at most 64 characters long.
79 #define MAX_CN_NAME_LENGTH 64
80 
81 // RFC 1034 and posix say...
// ...that a host name is at most 255 octets long.
// NOTE(review): if this value or MAX_CN_NAME_LENGTH sizes a char buffer, the
// buffer needs one more byte for the terminating NUL; confirm at the use sites.
82 #define TLSDATE_HOST_NAME_MAX 255
83 
84 // To support our RFC 2595 wildcard verification
// Presumably the minimum number of DNS labels a name must have before a
// wildcard is honoured, so that a pattern such as "*.com" is not accepted;
// confirm in check_wildcard_match_rfc2595().
85 #define RFC2595_MIN_LABEL_COUNT 3
86 
// Connection settings used by the helper.
// NOTE(review): these are `static` objects defined in a header, so every
// translation unit that includes this file gets its own private copy. A value
// assigned in one .c file is not visible in another, and units that never use
// them may draw unused-variable warnings.
// ca_racket: purpose not evident from this header. Presumably it toggles
// certificate verification; TODO document it, since it looks security-relevant.
87 static int ca_racket;
88 
// Presumably the server to connect to; confirm in the implementation.
89 static const char *host;
90 
// Presumably the name matched against the certificate, kept separately from
// `host`; confirm when the two are allowed to differ.
91 static const char *hostname_to_verify;
92 
93 static const char *port;
94 
95 static const char *protocol;
96 
// The only non-const string here, so the implementation may modify it in place.
97 static char *proxy;
98 
// Presumably a file or directory holding the trusted CA certificates; confirm.
99 static const char *ca_cert_container;
// Certificate, key and time checks that use OpenSSL types. They are compiled
// out when USE_POLARSSL is defined.
// NOTE(review): the return-value conventions of the uint32_t and long checks
// are not visible in this header. Document next to each prototype which value
// means "verified", so that a caller cannot invert a verification result.
100 #ifndef USE_POLARSSL
101 void openssl_time_callback (const SSL* ssl, int where, int ret);
102 uint32_t get_certificate_keybits (EVP_PKEY *public_key);
103 uint32_t check_cn (SSL *ssl, const char *hostname);
104 uint32_t check_san (SSL *ssl, const char *hostname);
105 long openssl_check_against_host_and_verify (SSL *ssl);
106 uint32_t check_name (SSL *ssl, const char *hostname);
107 uint32_t verify_signature (SSL *ssl, const char *hostname);
108 void check_key_length (SSL *ssl);
109 void inspect_key (SSL *ssl, const char *hostname);
// NOTE(review): the next two prototypes repeat the two directly above. They
// are harmless to the compiler, but one pair can be dropped.
110 void check_key_length (SSL *ssl);
111 void inspect_key (SSL *ssl, const char *hostname);
112 #endif
// Host name helpers that do not depend on the TLS library.
// NOTE(review): dns_label_count takes non-const char pointers, so it may
// modify its arguments; presumably callers should hand it a private copy of
// the name. Confirm in the implementation.
113 uint32_t dns_label_count (char *label, char *delim);
114 uint32_t check_wildcard_match_rfc2595 (const char *orig_hostname,
115                                        const char *orig_cert_wild_card);
// NOTE(review): a `static` prototype in a header obliges every translation
// unit that includes it to define run_ssl itself. A unit that does not will
// draw a "declared static but never defined" warning.
116 static void run_ssl (uint32_t *time_map, int time_is_an_illusion);
117 
118 #endif
119