Make Tor build happily with OpenSSL master and libressl.

Also tested with 1.0.0t and 1.0.2f.

Closes ticket 19784.

Closes most of 17921. (Still need to make some tests pass.)
This commit is contained in:
Nick Mathewson 2016-02-03 11:13:12 -05:00
parent 957cdb5469
commit 27582325dc
9 changed files with 54 additions and 34 deletions

View File

@ -0,0 +1,4 @@
o Minor features (compilation):
- Tor builds successfully with the unreleased OpenSSL 1.1 alpha
releases, and with the latest LibreSSL. Closes tickets 17921 and
17984.

View File

@ -81,47 +81,46 @@
#ifdef USE_EVP_AES_CTR
struct aes_cnt_cipher {
EVP_CIPHER_CTX evp;
};
/* We don't actually define the struct here. */
aes_cnt_cipher_t *
aes_new_cipher(const char *key, const char *iv)
{
aes_cnt_cipher_t *cipher;
cipher = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
EVP_EncryptInit(&cipher->evp, EVP_aes_128_ctr(),
EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
EVP_EncryptInit(cipher, EVP_aes_128_ctr(),
(const unsigned char*)key, (const unsigned char *)iv);
return cipher;
return (aes_cnt_cipher_t *) cipher;
}
void
aes_cipher_free(aes_cnt_cipher_t *cipher)
aes_cipher_free(aes_cnt_cipher_t *cipher_)
{
if (!cipher)
if (!cipher_)
return;
EVP_CIPHER_CTX_cleanup(&cipher->evp);
memwipe(cipher, 0, sizeof(aes_cnt_cipher_t));
tor_free(cipher);
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
EVP_CIPHER_CTX_cleanup(cipher);
EVP_CIPHER_CTX_free(cipher);
}
void
aes_crypt(aes_cnt_cipher_t *cipher, const char *input, size_t len,
aes_crypt(aes_cnt_cipher_t *cipher_, const char *input, size_t len,
char *output)
{
int outl;
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
tor_assert(len < INT_MAX);
EVP_EncryptUpdate(&cipher->evp, (unsigned char*)output,
EVP_EncryptUpdate(cipher, (unsigned char*)output,
&outl, (const unsigned char *)input, (int)len);
}
void
aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len)
aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
{
int outl;
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
tor_assert(len < INT_MAX);
EVP_EncryptUpdate(&cipher->evp, (unsigned char*)data,
EVP_EncryptUpdate(cipher, (unsigned char*)data,
&outl, (unsigned char*)data, (int)len);
}
int

View File

@ -13,7 +13,6 @@
* \brief Headers for aes.c
*/
struct aes_cnt_cipher;
typedef struct aes_cnt_cipher aes_cnt_cipher_t;
aes_cnt_cipher_t* aes_new_cipher(const char *key, const char *iv);

View File

@ -35,9 +35,11 @@
(((st) == SSL3_ST_SW_SRVR_HELLO_A) || \
((st) == SSL3_ST_SW_SRVR_HELLO_B))
#define OSSL_HANDSHAKE_STATE int
#define CONST_IF_OPENSSL_1_1_API
#else
#define STATE_IS_SW_SERVER_HELLO(st) \
((st) == TLS_ST_SW_SRVR_HELLO)
#define CONST_IF_OPENSSL_1_1_API const
#endif
#endif

View File

@ -373,8 +373,12 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
used by Tor and the set of algorithms available in the engine */
log_engine("RSA", ENGINE_get_default_RSA());
log_engine("DH", ENGINE_get_default_DH());
#ifdef OPENSSL_1_1_API
log_engine("EC", ENGINE_get_default_EC());
#else
log_engine("ECDH", ENGINE_get_default_ECDH());
log_engine("ECDSA", ENGINE_get_default_ECDSA());
#endif
log_engine("RAND", ENGINE_get_default_RAND());
log_engine("RAND (which we will not use)", ENGINE_get_default_RAND());
log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));

View File

@ -911,7 +911,7 @@ tor_tls_cert_is_valid(int severity,
} else if (cert_key) {
int min_bits = 1024;
#ifdef EVP_PKEY_EC
if (EVP_PKEY_type(cert_key->type) == EVP_PKEY_EC)
if (EVP_PKEY_base_id(cert_key) == EVP_PKEY_EC)
min_bits = 128;
#endif
if (EVP_PKEY_bits(cert_key) >= min_bits)
@ -1414,7 +1414,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
/* Now we need to see if there are any ciphers whose presence means we're
* dealing with an updated Tor. */
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
const char *ciphername = SSL_CIPHER_get_name(cipher);
if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
@ -1431,7 +1431,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
{
const uint16_t *v2_cipher = v2_cipher_list;
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
uint16_t id = SSL_CIPHER_get_id(cipher) & 0xffff;
if (id == 0x00ff) /* extended renegotiation indicator. */
continue;
@ -1453,7 +1453,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
smartlist_t *elts = smartlist_new();
char *s;
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
const char *ciphername = SSL_CIPHER_get_name(cipher);
smartlist_add(elts, (char*)ciphername);
}
@ -1562,7 +1562,8 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val)
STATIC int
tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers,
SSL_CIPHER **cipher, void *arg)
CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
void *arg)
{
(void) secret;
(void) secret_len;
@ -1733,8 +1734,13 @@ tor_tls_block_renegotiation(tor_tls_t *tls)
void
tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
{
#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && \
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION != 0
long options = SSL_get_options(tls->ssl);
tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
#else
(void) tls;
#endif
}
/** Return whether this tls initiated the connect (client) or

View File

@ -143,9 +143,10 @@ STATIC size_t SSL_SESSION_get_master_key(SSL_SESSION *s, uint8_t *out,
STATIC void tor_tls_debug_state_callback(const SSL *ssl, int type, int val);
STATIC void tor_tls_server_info_callback(const SSL *ssl, int type, int val);
STATIC int tor_tls_session_secret_cb(SSL *ssl, void *secret,
int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers,
SSL_CIPHER **cipher, void *arg);
int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers,
CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
void *arg);
STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m,
uint16_t cipher);
MOCK_DECL(STATIC X509*, tor_tls_create_certificate,(crypto_pk_t *rsa,

View File

@ -1108,6 +1108,11 @@ test_crypto_digests(void *arg)
crypto_pk_free(k);
}
#ifndef OPENSSL_1_1_API
#define EVP_ENCODE_CTX_new() tor_malloc_zero(sizeof(EVP_ENCODE_CTX))
#define EVP_ENCODE_CTX_free(ctx) tor_free(ctx)
#endif
/** Encode src into dest with OpenSSL's EVP Encode interface, returning the
* length of the encoded data in bytes.
*/
@ -1115,12 +1120,13 @@ static int
base64_encode_evp(char *dest, char *src, size_t srclen)
{
const unsigned char *s = (unsigned char*)src;
EVP_ENCODE_CTX ctx;
EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
int len, ret;
EVP_EncodeInit(&ctx);
EVP_EncodeUpdate(&ctx, (unsigned char *)dest, &len, s, (int)srclen);
EVP_EncodeFinal(&ctx, (unsigned char *)(dest + len), &ret);
EVP_EncodeInit(ctx);
EVP_EncodeUpdate(ctx, (unsigned char *)dest, &len, s, (int)srclen);
EVP_EncodeFinal(ctx, (unsigned char *)(dest + len), &ret);
EVP_ENCODE_CTX_free(ctx);
return ret+ len;
}

View File

@ -1347,11 +1347,10 @@ test_tortls_get_buffer_sizes(void *ignored)
tls->ssl->s3->wbuf.offset = 0;
tls->ssl->s3->wbuf.left = 43;
ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
ret = tor_tls_get_buffer_sizes(NULL, NULL, NULL, NULL, NULL);
tt_int_op(ret, OP_EQ, -1);
#else
ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
tt_int_op(ret, OP_EQ, 0);
tt_int_op(rbuf_c, OP_EQ, 0);
tt_int_op(wbuf_c, OP_EQ, 0);
@ -2594,14 +2593,14 @@ test_tortls_create_certificate(void *ignored)
tt_assert(!ret);
fixed_crypto_pk_get_evp_pkey_result_index = 0;
fixed_crypto_pk_get_evp_pkey_result[0] = tor_malloc_zero(sizeof(EVP_PKEY));
fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
fixed_crypto_pk_get_evp_pkey_result[1] = NULL;
ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
tt_assert(!ret);
fixed_crypto_pk_get_evp_pkey_result_index = 0;
fixed_crypto_pk_get_evp_pkey_result[0] = tor_malloc_zero(sizeof(EVP_PKEY));
fixed_crypto_pk_get_evp_pkey_result[1] = tor_malloc_zero(sizeof(EVP_PKEY));
fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
fixed_crypto_pk_get_evp_pkey_result[1] = EVP_PKEY_new();
ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
tt_assert(!ret);