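/* Copyright (c) 2012, Jacob Appelbaum
 * Copyright (c) 2012, The Tor Project, Inc. */
/* See LICENSE for licensing information */

/**
 * \file tlsdate-helper.h
 * \brief The secondary header for our clock helper.
 *
 * Collects the build-time sanity bounds (compile date, key sizes, name
 * lengths) and the prototypes of the certificate / hostname checks the
 * helper runs before it trusts a remote clock.
 **/

#ifndef TLSDATEHELPER_H
#define TLSDATEHELPER_H

#include <stdarg.h>
#include <inttypes.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <pwd.h>
#include <grp.h>
#include <arpa/inet.h>
#include <ctype.h>

#ifndef USE_POLARSSL
// OpenSSL is the default TLS backend; with USE_POLARSSL these headers
// and the OpenSSL-specific prototypes further down are compiled out.
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#endif

// Verbosity flag, made visible before src/util.h is pulled in.
// This is a tentative definition, not an `extern` declaration: every
// translation unit that includes this header defines its own `verbose`,
// which only links cleanly when a single .c includes it (or the
// toolchain still merges common symbols).
// NOTE(review): confirm only the helper's .c includes this header.
int verbose;

#include "src/util.h"

/** Name of user that we feel safe to run SSL handshake with. */
#ifndef UNPRIV_USER
#define UNPRIV_USER "nobody"
#endif
/** Group the handshake is run as; see UNPRIV_USER. */
#ifndef UNPRIV_GROUP
#define UNPRIV_GROUP "nogroup"
#endif

// We should never accept a time before we were compiled
// We measure in seconds since the epoch - eg: echo `date '+%s'`
// We set this manually to ensure others can reproduce a build;
// automation of this will make every build different!
// The expansions below are fully parenthesized so the cast binds to the
// literal alone in whatever expression the macro ends up in.
#ifndef RECENT_COMPILE_DATE
#define RECENT_COMPILE_DATE ((uint32_t) 1342323666)
#endif

// Upper bound on an accepted time, in seconds since the epoch (mid-May
// 2033); a remote clock past this is not trusted. Being a fixed constant
// it needs bumping as that date approaches, and as a uint32_t it cannot
// express anything past early 2106 anyway.
#ifndef MAX_REASONABLE_TIME
#define MAX_REASONABLE_TIME ((uint32_t) 1999991337)
#endif

// Smallest acceptable public key size in bits (presumably compared with
// get_certificate_keybits(); 1023 rather than 1024 suggests the caller
// uses a strict `>` test — TODO confirm in the .c).
#ifndef MIN_PUB_KEY_LEN
#define MIN_PUB_KEY_LEN ((uint32_t) 1023)
#endif

// Acceptable ECC public key sizes in bits; 521 matches the largest NIST
// prime curve (P-521).
#ifndef MIN_ECC_PUB_KEY_LEN
#define MIN_ECC_PUB_KEY_LEN ((uint32_t) 160)
#endif

#ifndef MAX_ECC_PUB_KEY_LEN
#define MAX_ECC_PUB_KEY_LEN ((uint32_t) 521)
#endif
// After the duration of the TLS handshake exceeds this threshold
// (in msec), a warning is printed.
#define TLS_RTT_THRESHOLD 2000

// RFC 5280 says...
// ub-common-name-length INTEGER ::= 64
#define MAX_CN_NAME_LENGTH 64

// RFC 1034 and posix say...
#define TLSDATE_HOST_NAME_MAX 255

// To support our RFC 2595 wildcard verification
// Minimum number of DNS labels a wildcard name must carry — presumably
// so a wildcard sitting too close to the top-level domain is rejected.
#define RFC2595_MIN_LABEL_COUNT 3

// Helper state. `static` in a header means each including translation
// unit gets a private copy; these are intended for the single helper .c
// (see the NOTE on `verbose`). Their values are assigned in that .c.
static int ca_racket;

static const char *host;

static const char *hostname_to_verify;

static const char *port;

static const char *protocol;

static char *proxy;

static const char *ca_cert_container;
#ifndef USE_POLARSSL
/** Has the OpenSSL info-callback signature; installed on the handshake. */
void openssl_time_callback (const SSL* ssl, int where, int ret);
/** Size of a certificate public key in bits. */
uint32_t get_certificate_keybits (EVP_PKEY *public_key);
/** Check hostname against the peer certificate's Common Name. */
uint32_t check_cn (SSL *ssl, const char *hostname);
/** Check hostname against the peer certificate's subjectAltName entries. */
uint32_t check_san (SSL *ssl, const char *hostname);
/** Verify the peer chain and match it against the configured host. */
long openssl_check_against_host_and_verify (SSL *ssl);
uint32_t check_name (SSL *ssl, const char *hostname);
uint32_t verify_signature (SSL *ssl, const char *hostname);
/** Enforce MIN_PUB_KEY_LEN / MIN_ECC_PUB_KEY_LEN / MAX_ECC_PUB_KEY_LEN. */
void check_key_length (SSL *ssl);
void inspect_key (SSL *ssl, const char *hostname);
#endif
/** Count the labels of a DNS name split on delim. Takes non-const
 *  buffers, so it may modify its input — TODO confirm in the .c. */
uint32_t dns_label_count (char *label, char *delim);
/** RFC 2595 wildcard match of a hostname against a certificate name
 *  (see RFC2595_MIN_LABEL_COUNT). Return semantics live in the .c. */
uint32_t check_wildcard_match_rfc2595 (const char *orig_hostname,
                                       const char *orig_cert_wild_card);
// Declared `static` in a header: a translation unit that includes this
// without defining run_ssl gets a "declared static but never defined"
// warning. Left as-is because the definition lives in the helper's .c.
static void run_ssl (uint32_t *time_map, int time_is_an_illusion);

#endif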