tlsdate-helper.h revision c88a9f7f976f8495fcf27717a292bd1070828192
1/* Copyright (c) 2012, Jacob Appelbaum
2 * Copyright (c) 2012, The Tor Project, Inc. */
3/* See LICENSE for licensing information */
4
5/**
6  * \file tlsdate-helper.h
7  * \brief The secondary header for our clock helper.
8  **/
9
10#ifndef TLSDATEHELPER_H
11#define TLSDATEHELPER_H
12
13#include <stdarg.h>
14#include <stdint.h>
15#include <stdio.h>
16#include <string.h>
17#include <unistd.h>
18#include <sys/time.h>
19#include <sys/types.h>
20#include <sys/wait.h>
21#include <sys/mman.h>
22#include <time.h>
23#include <pwd.h>
24#include <grp.h>
25#include <arpa/inet.h>
26#include <ctype.h>
27
28#include <openssl/bio.h>
29#include <openssl/ssl.h>
30#include <openssl/err.h>
31#include <openssl/evp.h>
32#include <openssl/x509.h>
33#include <openssl/conf.h>
34#include <openssl/x509v3.h>
35
36#include "src/util.h"
37
/**
 * Account and group the helper considers safe to run the SSL handshake as.
 * Both names can be overridden at build time (for example with -D).
 * NOTE(review): presumably consumed by become_nobody(); confirm in the .c
 * file that a failed drop aborts instead of continuing with the original
 * identity, and that the group name exists on the target system.
 */
#if !defined(UNPRIV_USER)
#  define UNPRIV_USER "nobody"
#endif

#if !defined(UNPRIV_GROUP)
#  define UNPRIV_GROUP "nogroup"
#endif
45
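// Lower bound for any time we accept: a time from before this build was made
// cannot be right. Measured in seconds since the epoch, e.g. `date '+%s'`.
// The value is set by hand so that others can reproduce a build; generating
// it automatically would make every build different.
// NOTE(review): the default is a mid-2012 timestamp. A stale floor leaves a
// wide range of past times acceptable, so bump it (or pass
// -DRECENT_COMPILE_DATE=...) whenever a release is cut.
// The expansion is parenthesized so the cast stays attached to the constant
// in every expression context (e.g. `sizeof RECENT_COMPILE_DATE`).
#ifndef RECENT_COMPILE_DATE
#define RECENT_COMPILE_DATE ((uint32_t) 1342323666)
#endif

// Upper bound for a plausible time, in seconds since the epoch.
// NOTE(review): presumably times above this are rejected; the default falls
// in 2033, after which an unmodified build would refuse every time it is
// offered. Confirm how the .c file enforces it and plan to raise it.
#ifndef MAX_REASONABLE_TIME
#define MAX_REASONABLE_TIME ((uint32_t) 1999991337)
#endif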
57
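// Smallest acceptable public key size for non-ECC keys.
// NOTE(review): presumably in bits and compared against
// get_certificate_keybits() by check_key_length() - confirm in the .c file.
// A floor of 1023 admits keys of roughly 1024 bits, which is below current
// guidance for RSA (2048 bits or more); raise it with -DMIN_PUB_KEY_LEN=...
// wherever the servers you talk to allow.
// Expansions are parenthesized so the cast stays attached to the constant in
// every expression context.
#ifndef MIN_PUB_KEY_LEN
#define MIN_PUB_KEY_LEN ((uint32_t) 1023)
#endif

// Accepted size range for elliptic-curve keys (presumably in bits).
// NOTE(review): a 160-bit curve offers only about 80 bits of security;
// consider a higher floor. 521 matches the largest commonly used NIST curve.
#ifndef MIN_ECC_PUB_KEY_LEN
#define MIN_ECC_PUB_KEY_LEN ((uint32_t) 160)
#endif

#ifndef MAX_ECC_PUB_KEY_LEN
#define MAX_ECC_PUB_KEY_LEN ((uint32_t) 521)
#endif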
/* A warning is printed once the TLS handshake has taken longer than this
 * many milliseconds. */
#define TLS_RTT_THRESHOLD 2000

/* RFC 5280: ub-common-name-length INTEGER ::= 64
 * NOTE(review): if this sizes a character buffer, confirm the buffer leaves
 * room for the terminating NUL. */
#define MAX_CN_NAME_LENGTH 64

/* Longest host name we handle, per RFC 1034 and POSIX. */
#define TLSDATE_HOST_NAME_MAX 255

/* Used by the RFC 2595 wildcard verification.
 * NOTE(review): presumably the minimum number of DNS labels a name must have
 * before a wildcard may match it, so that a pattern such as "*.com" is never
 * honoured - confirm in check_wildcard_match_rfc2595(). */
#define RFC2595_MIN_LABEL_COUNT 3
82
/*
 * Helper-wide settings.
 *
 * These objects are `static` and live in a header, so every .c file that
 * includes it gets its own zero-initialised copy; a value assigned in one
 * file is not visible in another.
 * NOTE(review): that matters most for ca_racket if it gates certificate
 * verification - confirm that exactly one .c file includes this header, or
 * move the definitions into that file.
 */
static int verbose;                    /* presumably a verbosity switch */
static int ca_racket;                  /* NOTE(review): looks like the CA-verification switch - confirm */

static const char *host;               /* presumably the server to connect to */
static const char *hostname_to_verify; /* presumably the name checked against the certificate */
static const char *port;
static const char *protocol;
static char *proxy;                    /* the only non-const string here */
static const char *certdir;            /* presumably the directory of trusted CA certificates */
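/*
 * Prototypes for the clock helper. Each function is declared exactly once.
 *
 * NOTE(review): several checks below return uint32_t, and this header does
 * not say which value means "accepted". Callers base trust decisions on the
 * result, so the convention should be documented next to the definitions.
 */

/* Signature matches OpenSSL's info-callback type (ssl, where, ret). */
void openssl_time_callback (const SSL *ssl, int where, int ret);

/* Key size of a public key; presumably in bits - confirm in the .c file. */
uint32_t get_certificate_keybits (EVP_PKEY *public_key);

/* Certificate name checks against `hostname`. Presumably check_cn looks at
 * the subject common name, check_san at subjectAltName entries, and
 * check_name combines them - confirm. */
uint32_t check_cn (SSL *ssl, const char *hostname);
uint32_t check_san (SSL *ssl, const char *hostname);
uint32_t check_name (SSL *ssl, const char *hostname);

/* NOTE(review): the long return type suggests an OpenSSL verify result is
 * passed through - confirm. */
long openssl_check_against_host_and_verify (SSL *ssl);

uint32_t verify_signature (SSL *ssl, const char *hostname);

/* Key-strength checks; these return nothing, so a failure must be handled
 * inside the function. NOTE(review): confirm a weak key stops the run. */
void check_key_length (SSL *ssl);
void inspect_key (SSL *ssl, const char *hostname);

/* Both pointers are non-const. NOTE(review): the function may modify
 * `label` in place; confirm callers pass a private copy. */
uint32_t dns_label_count (char *label, char *delim);

/* RFC 2595 wildcard comparison of a host name with a certificate name. */
uint32_t check_wildcard_match_rfc2595 (const char *orig_hostname,
                                       const char *orig_cert_wild_card);

/* File-local functions: being `static`, they must be defined in the .c file
 * that includes this header. */
static void run_ssl (uint32_t *time_map, int time_is_an_illusion);
static void become_nobody (void);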
115
116#endif
117