mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 12:23:32 +01:00
Merge branch 'bug17549'
This commit is contained in:
commit
0a3eed5f20
3
changes/bug17549
Normal file
3
changes/bug17549
Normal file
@ -0,0 +1,3 @@
|
||||
o Minor bugfixes (compilation):
|
||||
- Repair compilation with the most recent (unreleased, alpha)
|
||||
vesions of OpenSSL 1.1. Fixes bug 17549.
|
37
src/common/compat_openssl.h
Normal file
37
src/common/compat_openssl.h
Normal file
@ -0,0 +1,37 @@
|
||||
/* Copyright (c) 2001, Matej Pfajfar.
|
||||
* Copyright (c) 2001-2004, Roger Dingledine.
|
||||
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
|
||||
* Copyright (c) 2007-2015, The Tor Project, Inc. */
|
||||
/* See LICENSE for licensing information */
|
||||
|
||||
#ifndef TOR_COMPAT_OPENSSL_H
|
||||
#define TOR_COMPAT_OPENSSL_H
|
||||
|
||||
#include <openssl/opensslv.h>
|
||||
|
||||
/**
|
||||
* \file compat_openssl.h
|
||||
*
|
||||
* \brief compatability definitions for working with different openssl forks
|
||||
**/
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
|
||||
#error "We require OpenSSL >= 1.0.0"
|
||||
#endif
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
|
||||
#define OPENSSL_VERSION SSLEAY_VERSION
|
||||
#define OpenSSL_version(v) SSLeay_version(v)
|
||||
#define OpenSSL_version_num() SSLeay()
|
||||
#define RAND_OpenSSL() RAND_SSLeay()
|
||||
#define STATE_IS_SW_SERVER_HELLO(st) \
|
||||
(((st) == SSL3_ST_SW_SRVR_HELLO_A) || \
|
||||
((st) == SSL3_ST_SW_SRVR_HELLO_B))
|
||||
#define OSSL_HANDSHAKE_STATE int
|
||||
#else
|
||||
#define STATE_IS_SW_SERVER_HELLO(st) \
|
||||
((st) == TLS_ST_SW_SRVR_HELLO)
|
||||
#endif
|
||||
|
||||
#endif
|
||||
|
@ -21,18 +21,13 @@
|
||||
#undef OCSP_RESPONSE
|
||||
#endif
|
||||
|
||||
#include <openssl/opensslv.h>
|
||||
|
||||
#define CRYPTO_PRIVATE
|
||||
#include "crypto.h"
|
||||
#include "compat_openssl.h"
|
||||
#include "crypto_curve25519.h"
|
||||
#include "crypto_ed25519.h"
|
||||
#include "crypto_format.h"
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
|
||||
#error "We require OpenSSL >= 1.0.0"
|
||||
#endif
|
||||
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rsa.h>
|
||||
#include <openssl/pem.h>
|
||||
@ -227,7 +222,7 @@ const char *
|
||||
crypto_openssl_get_version_str(void)
|
||||
{
|
||||
if (crypto_openssl_version_str == NULL) {
|
||||
const char *raw_version = SSLeay_version(SSLEAY_VERSION);
|
||||
const char *raw_version = OpenSSL_version(OPENSSL_VERSION);
|
||||
crypto_openssl_version_str = parse_openssl_version_str(raw_version);
|
||||
}
|
||||
return crypto_openssl_version_str;
|
||||
@ -251,11 +246,13 @@ crypto_openssl_get_header_version_str(void)
|
||||
static int
|
||||
crypto_force_rand_ssleay(void)
|
||||
{
|
||||
if (RAND_get_rand_method() != RAND_SSLeay()) {
|
||||
RAND_METHOD *default_method;
|
||||
default_method = RAND_OpenSSL();
|
||||
if (RAND_get_rand_method() != default_method) {
|
||||
log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
|
||||
"a replacement the OpenSSL RNG. Resetting it to the default "
|
||||
"implementation.");
|
||||
RAND_set_rand_method(RAND_SSLeay());
|
||||
RAND_set_rand_method(default_method);
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
@ -291,16 +288,18 @@ crypto_early_init(void)
|
||||
|
||||
setup_openssl_threading();
|
||||
|
||||
if (SSLeay() == OPENSSL_VERSION_NUMBER &&
|
||||
!strcmp(SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_TEXT)) {
|
||||
unsigned long version_num = OpenSSL_version_num();
|
||||
const char *version_str = OpenSSL_version(OPENSSL_VERSION);
|
||||
if (version_num == OPENSSL_VERSION_NUMBER &&
|
||||
!strcmp(version_str, OPENSSL_VERSION_TEXT)) {
|
||||
log_info(LD_CRYPTO, "OpenSSL version matches version from headers "
|
||||
"(%lx: %s).", SSLeay(), SSLeay_version(SSLEAY_VERSION));
|
||||
"(%lx: %s).", version_num, version_str);
|
||||
} else {
|
||||
log_warn(LD_CRYPTO, "OpenSSL version from headers does not match the "
|
||||
"version we're running with. If you get weird crashes, that "
|
||||
"might be why. (Compiled with %lx: %s; running with %lx: %s).",
|
||||
(unsigned long)OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT,
|
||||
SSLeay(), SSLeay_version(SSLEAY_VERSION));
|
||||
version_num, version_str);
|
||||
}
|
||||
|
||||
crypto_force_rand_ssleay();
|
||||
@ -404,11 +403,7 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
|
||||
void
|
||||
crypto_thread_cleanup(void)
|
||||
{
|
||||
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
|
||||
ERR_remove_thread_state(NULL);
|
||||
#else
|
||||
ERR_remove_state(0);
|
||||
#endif
|
||||
}
|
||||
|
||||
/** used by tortls.c: wrap an RSA* in a crypto_pk_t. */
|
||||
@ -2695,11 +2690,7 @@ int
|
||||
crypto_global_cleanup(void)
|
||||
{
|
||||
EVP_cleanup();
|
||||
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
|
||||
ERR_remove_thread_state(NULL);
|
||||
#else
|
||||
ERR_remove_state(0);
|
||||
#endif
|
||||
ERR_free_strings();
|
||||
|
||||
if (dh_param_p)
|
||||
|
@ -118,6 +118,7 @@ COMMONHEADERS = \
|
||||
src/common/ciphers.inc \
|
||||
src/common/compat.h \
|
||||
src/common/compat_libevent.h \
|
||||
src/common/compat_openssl.h \
|
||||
src/common/compat_threads.h \
|
||||
src/common/container.h \
|
||||
src/common/crypto.h \
|
||||
|
@ -40,9 +40,6 @@
|
||||
#include <openssl/opensslv.h>
|
||||
#include "crypto.h"
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
|
||||
#error "We require OpenSSL >= 1.0.0"
|
||||
#endif
|
||||
#ifdef OPENSSL_NO_EC
|
||||
#error "We require OpenSSL with ECC support"
|
||||
#endif
|
||||
@ -384,7 +381,7 @@ tor_tls_init(void)
|
||||
|
||||
#if (SIZEOF_VOID_P >= 8 && \
|
||||
OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
|
||||
long version = SSLeay();
|
||||
long version = OpenSSL_version_num();
|
||||
|
||||
/* LCOV_EXCL_START : we can't test these lines on the same machine */
|
||||
if (version >= OPENSSL_V_SERIES(1,0,1)) {
|
||||
@ -1525,7 +1522,6 @@ STATIC void
|
||||
tor_tls_server_info_callback(const SSL *ssl, int type, int val)
|
||||
{
|
||||
tor_tls_t *tls;
|
||||
int ssl_state;
|
||||
(void) val;
|
||||
|
||||
tor_tls_debug_state_callback(ssl, type, val);
|
||||
@ -1533,9 +1529,8 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val)
|
||||
if (type != SSL_CB_ACCEPT_LOOP)
|
||||
return;
|
||||
|
||||
ssl_state = SSL_state(ssl);
|
||||
if ((ssl_state != SSL3_ST_SW_SRVR_HELLO_A) &&
|
||||
(ssl_state != SSL3_ST_SW_SRVR_HELLO_B))
|
||||
OSSL_HANDSHAKE_STATE ssl_state = SSL_get_state(ssl);
|
||||
if (! STATE_IS_SW_SERVER_HELLO(ssl_state))
|
||||
return;
|
||||
tls = tor_tls_get_by_ssl(ssl);
|
||||
if (tls) {
|
||||
@ -1892,13 +1887,14 @@ int
|
||||
tor_tls_handshake(tor_tls_t *tls)
|
||||
{
|
||||
int r;
|
||||
int oldstate;
|
||||
tor_assert(tls);
|
||||
tor_assert(tls->ssl);
|
||||
tor_assert(tls->state == TOR_TLS_ST_HANDSHAKE);
|
||||
|
||||
check_no_tls_errors();
|
||||
oldstate = SSL_state(tls->ssl);
|
||||
|
||||
OSSL_HANDSHAKE_STATE oldstate = SSL_get_state(tls->ssl);
|
||||
|
||||
if (tls->isServer) {
|
||||
log_debug(LD_HANDSHAKE, "About to call SSL_accept on %p (%s)", tls,
|
||||
SSL_state_string_long(tls->ssl));
|
||||
@ -1908,7 +1904,10 @@ tor_tls_handshake(tor_tls_t *tls)
|
||||
SSL_state_string_long(tls->ssl));
|
||||
r = SSL_connect(tls->ssl);
|
||||
}
|
||||
if (oldstate != SSL_state(tls->ssl))
|
||||
|
||||
OSSL_HANDSHAKE_STATE newstate = SSL_get_state(tls->ssl);
|
||||
|
||||
if (oldstate != newstate)
|
||||
log_debug(LD_HANDSHAKE, "After call, %p was in state %s",
|
||||
tls, SSL_state_string_long(tls->ssl));
|
||||
/* We need to call this here and not earlier, since OpenSSL has a penchant
|
||||
|
@ -12,6 +12,7 @@
|
||||
**/
|
||||
|
||||
#include "crypto.h"
|
||||
#include "compat_openssl.h"
|
||||
#include "compat.h"
|
||||
#include "testsupport.h"
|
||||
|
||||
|
@ -56,6 +56,9 @@ extern tor_tls_context_t *client_tls_context;
|
||||
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) \
|
||||
&& !defined(LIBRESSL_VERSION_NUMBER)
|
||||
#define OPENSSL_OPAQUE
|
||||
#define SSL_STATE_STR "before SSL initialization"
|
||||
#else
|
||||
#define SSL_STATE_STR "before/accept initialization"
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_OPAQUE
|
||||
@ -131,7 +134,6 @@ test_tortls_tor_tls_new(void *data)
|
||||
MOCK(tor_tls_cert_matches_key, mock_tls_cert_matches_key);
|
||||
crypto_pk_t *key1 = NULL, *key2 = NULL;
|
||||
SSL_METHOD *method = NULL;
|
||||
SSL_CTX *ctx = NULL;
|
||||
|
||||
key1 = pk_generate(2);
|
||||
key2 = pk_generate(3);
|
||||
@ -149,7 +151,7 @@ test_tortls_tor_tls_new(void *data)
|
||||
|
||||
#ifndef OPENSSL_OPAQUE
|
||||
method = give_me_a_test_method();
|
||||
ctx = SSL_CTX_new(method);
|
||||
SSL_CTX *ctx = SSL_CTX_new(method);
|
||||
method->num_ciphers = fake_num_ciphers;
|
||||
client_tls_context->ctx = ctx;
|
||||
tls = tor_tls_new(-1, 0);
|
||||
@ -237,35 +239,35 @@ test_tortls_get_state_description(void *ignored)
|
||||
|
||||
tls->ssl = SSL_new(ctx);
|
||||
tor_tls_get_state_description(tls, buf, 200);
|
||||
tt_str_op(buf, OP_EQ, "before/accept initialization in HANDSHAKE");
|
||||
tt_str_op(buf, OP_EQ, SSL_STATE_STR " in HANDSHAKE");
|
||||
|
||||
tls->state = TOR_TLS_ST_OPEN;
|
||||
tor_tls_get_state_description(tls, buf, 200);
|
||||
tt_str_op(buf, OP_EQ, "before/accept initialization in OPEN");
|
||||
tt_str_op(buf, OP_EQ, SSL_STATE_STR " in OPEN");
|
||||
|
||||
tls->state = TOR_TLS_ST_GOTCLOSE;
|
||||
tor_tls_get_state_description(tls, buf, 200);
|
||||
tt_str_op(buf, OP_EQ, "before/accept initialization in GOTCLOSE");
|
||||
tt_str_op(buf, OP_EQ, SSL_STATE_STR " in GOTCLOSE");
|
||||
|
||||
tls->state = TOR_TLS_ST_SENTCLOSE;
|
||||
tor_tls_get_state_description(tls, buf, 200);
|
||||
tt_str_op(buf, OP_EQ, "before/accept initialization in SENTCLOSE");
|
||||
tt_str_op(buf, OP_EQ, SSL_STATE_STR " in SENTCLOSE");
|
||||
|
||||
tls->state = TOR_TLS_ST_CLOSED;
|
||||
tor_tls_get_state_description(tls, buf, 200);
|
||||
tt_str_op(buf, OP_EQ, "before/accept initialization in CLOSED");
|
||||
tt_str_op(buf, OP_EQ, SSL_STATE_STR " in CLOSED");
|
||||
|
||||
tls->state = TOR_TLS_ST_RENEGOTIATE;
|
||||
tor_tls_get_state_description(tls, buf, 200);
|
||||
tt_str_op(buf, OP_EQ, "before/accept initialization in RENEGOTIATE");
|
||||
tt_str_op(buf, OP_EQ, SSL_STATE_STR " in RENEGOTIATE");
|
||||
|
||||
tls->state = TOR_TLS_ST_BUFFEREVENT;
|
||||
tor_tls_get_state_description(tls, buf, 200);
|
||||
tt_str_op(buf, OP_EQ, "before/accept initialization");
|
||||
tt_str_op(buf, OP_EQ, SSL_STATE_STR);
|
||||
|
||||
tls->state = 7;
|
||||
tor_tls_get_state_description(tls, buf, 200);
|
||||
tt_str_op(buf, OP_EQ, "before/accept initialization in unknown TLS state");
|
||||
tt_str_op(buf, OP_EQ, SSL_STATE_STR " in unknown TLS state");
|
||||
|
||||
done:
|
||||
SSL_CTX_free(ctx);
|
||||
@ -414,7 +416,7 @@ test_tortls_log_one_error(void *ignored)
|
||||
tor_tls_log_one_error(tls, 0, LOG_WARN, 0, NULL);
|
||||
tt_int_op(mock_saved_log_number(), OP_EQ, 1);
|
||||
tt_str_op(mock_saved_log_at(0), OP_EQ, "TLS error with 127.hello: (null)"
|
||||
" (in (null):(null):before/accept initialization)\n");
|
||||
" (in (null):(null):" SSL_STATE_STR ")\n");
|
||||
|
||||
done:
|
||||
teardown_capture_of_logs(previous_log);
|
||||
|
Loading…
Reference in New Issue
Block a user