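/* Copyright (c) 2012, Jacob Appelbaum
 * Copyright (c) 2012, The Tor Project, Inc. */
/* See LICENSE for licensing information */

/**
 * \file tlsdate-helper.h
 * \brief The secondary header for our clock helper.
 *
 * Collects the build-time limits (accepted time window, minimum key sizes,
 * handshake timeouts, buffer bounds), the per-run connection settings and the
 * prototypes of the certificate checks used by the helper.
 **/

#ifndef TLSDATEHELPER_H
#define TLSDATEHELPER_H

#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef TARGET_OS_HAIKU
#include <posix/string.h>
#include <bsd/string.h>
#endif
#include <unistd.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <time.h>
#include <pwd.h>
#include <grp.h>
#include <arpa/inet.h>
#include <ctype.h>
#ifdef HAVE_PRCTL
#include <sys/prctl.h>
#endif

#ifndef USE_POLARSSL
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#endif

// NOTE(review): these are tentative definitions, not declarations. If more
// than one translation unit includes this header, toolchains that default to
// -fno-common (GCC 10 and later) report duplicate symbols at link time. The
// usual fix is `extern int verbose;` here plus one definition in a .c file;
// it is not applied in this header because the defining .c file is not
// visible from here.
int verbose;
int verbose_debug;

#include "src/util.h"

/** Name of user that we feel safe to run SSL handshake with.
 *
 * Both names can be overridden at build time. "nobody" is commonly shared by
 * unrelated services, so a dedicated account isolates the handshake better.
 * Not every system has a group called "nogroup"; set UNPRIV_GROUP to match
 * the target platform.
 */
#ifndef UNPRIV_USER
#define UNPRIV_USER "nobody"
#endif
#ifndef UNPRIV_GROUP
#define UNPRIV_GROUP "nogroup"
#endif

// We should never accept a time before we were compiled
// We measure in seconds since the epoch - eg: echo `date '+%s'`
// We set this manually to ensure others can reproduce a build;
// automation of this will make every build different!
//
// The default below is a fixed value from mid-July 2012. The older this bound
// is, the further back a faulty or hostile server could move the clock and
// still pass the check, so release builds should refresh it.
#ifndef RECENT_COMPILE_DATE
#define RECENT_COMPILE_DATE 1342323666L
#endif

// Upper bound, in seconds since the epoch, for a time we are willing to
// accept. The default corresponds to mid-May 2033.
// NOTE(review): presumably times beyond this are rejected; confirm in the .c
// file, and raise the default before real clocks reach it.
#ifndef MAX_REASONABLE_TIME
#define MAX_REASONABLE_TIME 1999991337L
#endif

// Minimum accepted public key size, in bits. The cast is wrapped in
// parentheses so the macro expands as a single operand in any expression
// (the unparenthesized form breaks, for example, under sizeof).
// NOTE(review): 1023 bits is well below the 2048-bit minimum recommended for
// RSA today; consider raising the default once peers are known to cope.
#ifndef MIN_PUB_KEY_LEN
#define MIN_PUB_KEY_LEN ((uint32_t) 1023)
#endif

// Accepted range for elliptic-curve key sizes, in bits.
// NOTE(review): a 160-bit curve gives roughly 80 bits of security; consider
// raising the lower bound.
#ifndef MIN_ECC_PUB_KEY_LEN
#define MIN_ECC_PUB_KEY_LEN ((uint32_t) 160)
#endif

#ifndef MAX_ECC_PUB_KEY_LEN
#define MAX_ECC_PUB_KEY_LEN ((uint32_t) 521)
#endif

// After the duration of the TLS handshake exceeds this threshold
// (in msec), a warning is printed.
#define TLS_RTT_THRESHOLD 2000

// After the duration of the TLS handshake exceeds this threshold
// (in msec), we consider the operation to have failed.
#define TLS_RTT_UNREASONABLE 30000

// RFC 5280 says...
// ub-common-name-length INTEGER ::= 64
#define MAX_CN_NAME_LENGTH 64

// RFC 1034 and posix say...
#define TLSDATE_HOST_NAME_MAX 255

// To support our RFC 2595 wildcard verification
#define RFC2595_MIN_LABEL_COUNT 3

// Define a max length for the HTTP Date: header
#define MAX_DATE_LINE_LEN 32

// Define a max length for HTTP headers
#define MAX_HTTP_HEADERS_SIZE 8192

// Define our basic HTTP request
// The two %s fields are the User-Agent and Host values, in that order.
// NOTE(review): whatever is formatted into them must not contain CR or LF,
// otherwise extra header lines can be injected into the request; confirm
// that the caller validates the host string.
#define HTTP_REQUEST    \
  "HEAD / HTTP/1.1\r\n" \
  "User-Agent: %s\r\n"  \
  "Host: %s\r\n"        \
  "\r\n"

// Per-run connection settings.
// NOTE(review): these are `static` objects in a header, so every translation
// unit that includes it gets its own private copy (and unused-variable
// warnings for the ones it never touches). That is harmless only while a
// single .c file includes this header.

// NOTE(review): presumably selects whether the certificate chain is checked
// against a CA store; confirm in the .c file.
static int ca_racket;

static const char *host;

static const char *hostname_to_verify;

static const char *port;

static const char *protocol;

static char *proxy;

static const char *ca_cert_container;

#ifndef USE_POLARSSL
// Signature matches OpenSSL's info-callback type (ssl, where, ret).
void openssl_time_callback (const SSL* ssl, int where, int ret);
// NOTE(review): presumably returns the key size in bits, for comparison with
// the MIN_*/MAX_* key length limits above; confirm.
uint32_t get_certificate_keybits (EVP_PKEY *public_key);
// Hostname checks against the peer certificate.
// NOTE(review): the return convention (which value means "matched") is not
// visible in this header; confirm it before using a result in a condition.
uint32_t check_cn (SSL *ssl, const char *hostname);
uint32_t check_san (SSL *ssl, const char *hostname);
long openssl_check_against_host_and_verify (SSL *ssl);
uint32_t check_name (SSL *ssl, const char *hostname);
uint32_t verify_signature (SSL *ssl, const char *hostname);
// These return void, so a failed check cannot be reported to the caller.
// NOTE(review): presumably they terminate the process on failure; confirm.
// (Each was declared twice in the original header; one prototype is kept.)
void check_key_length (SSL *ssl);
void inspect_key (SSL *ssl, const char *hostname);
#endif
uint32_t dns_label_count (char *label, char *delim);
uint32_t check_wildcard_match_rfc2595 (const char *orig_hostname,
                                       const char *orig_cert_wild_card);
// NOTE(review): a `static` prototype in a header obliges every including
// translation unit to define run_ssl itself, or the compiler warns that it
// is declared but never defined.
static void run_ssl (uint32_t *time_map, int time_is_an_illusion, int http);

#endif /* TLSDATEHELPER_H */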