mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
Make Tor build happily with OpenSSL master and libressl.
Also tested with 1.0.0t and 1.0.2f. Closes ticket 19784. Closes most of 17921. (Still need to make some tests pass.)
This commit is contained in:
parent
957cdb5469
commit
27582325dc
4
changes/bug17921_bug17984
Normal file
4
changes/bug17921_bug17984
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
o Minor features (compilation):
|
||||||
|
- Tor builds successfully with the unreleased OpenSSL 1.1 alpha
|
||||||
|
releases, and with the latest LibreSSL. Closes tickets 17921 and
|
||||||
|
17984.
|
@ -81,47 +81,46 @@
|
|||||||
|
|
||||||
#ifdef USE_EVP_AES_CTR
|
#ifdef USE_EVP_AES_CTR
|
||||||
|
|
||||||
struct aes_cnt_cipher {
|
/* We don't actually define the struct here. */
|
||||||
EVP_CIPHER_CTX evp;
|
|
||||||
};
|
|
||||||
|
|
||||||
aes_cnt_cipher_t *
|
aes_cnt_cipher_t *
|
||||||
aes_new_cipher(const char *key, const char *iv)
|
aes_new_cipher(const char *key, const char *iv)
|
||||||
{
|
{
|
||||||
aes_cnt_cipher_t *cipher;
|
EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
|
||||||
cipher = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
|
EVP_EncryptInit(cipher, EVP_aes_128_ctr(),
|
||||||
EVP_EncryptInit(&cipher->evp, EVP_aes_128_ctr(),
|
|
||||||
(const unsigned char*)key, (const unsigned char *)iv);
|
(const unsigned char*)key, (const unsigned char *)iv);
|
||||||
return cipher;
|
return (aes_cnt_cipher_t *) cipher;
|
||||||
}
|
}
|
||||||
void
|
void
|
||||||
aes_cipher_free(aes_cnt_cipher_t *cipher)
|
aes_cipher_free(aes_cnt_cipher_t *cipher_)
|
||||||
{
|
{
|
||||||
if (!cipher)
|
if (!cipher_)
|
||||||
return;
|
return;
|
||||||
EVP_CIPHER_CTX_cleanup(&cipher->evp);
|
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
|
||||||
memwipe(cipher, 0, sizeof(aes_cnt_cipher_t));
|
EVP_CIPHER_CTX_cleanup(cipher);
|
||||||
tor_free(cipher);
|
EVP_CIPHER_CTX_free(cipher);
|
||||||
}
|
}
|
||||||
void
|
void
|
||||||
aes_crypt(aes_cnt_cipher_t *cipher, const char *input, size_t len,
|
aes_crypt(aes_cnt_cipher_t *cipher_, const char *input, size_t len,
|
||||||
char *output)
|
char *output)
|
||||||
{
|
{
|
||||||
int outl;
|
int outl;
|
||||||
|
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
|
||||||
|
|
||||||
tor_assert(len < INT_MAX);
|
tor_assert(len < INT_MAX);
|
||||||
|
|
||||||
EVP_EncryptUpdate(&cipher->evp, (unsigned char*)output,
|
EVP_EncryptUpdate(cipher, (unsigned char*)output,
|
||||||
&outl, (const unsigned char *)input, (int)len);
|
&outl, (const unsigned char *)input, (int)len);
|
||||||
}
|
}
|
||||||
void
|
void
|
||||||
aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len)
|
aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
|
||||||
{
|
{
|
||||||
int outl;
|
int outl;
|
||||||
|
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
|
||||||
|
|
||||||
tor_assert(len < INT_MAX);
|
tor_assert(len < INT_MAX);
|
||||||
|
|
||||||
EVP_EncryptUpdate(&cipher->evp, (unsigned char*)data,
|
EVP_EncryptUpdate(cipher, (unsigned char*)data,
|
||||||
&outl, (unsigned char*)data, (int)len);
|
&outl, (unsigned char*)data, (int)len);
|
||||||
}
|
}
|
||||||
int
|
int
|
||||||
|
@ -13,7 +13,6 @@
|
|||||||
* \brief Headers for aes.c
|
* \brief Headers for aes.c
|
||||||
*/
|
*/
|
||||||
|
|
||||||
struct aes_cnt_cipher;
|
|
||||||
typedef struct aes_cnt_cipher aes_cnt_cipher_t;
|
typedef struct aes_cnt_cipher aes_cnt_cipher_t;
|
||||||
|
|
||||||
aes_cnt_cipher_t* aes_new_cipher(const char *key, const char *iv);
|
aes_cnt_cipher_t* aes_new_cipher(const char *key, const char *iv);
|
||||||
|
@ -35,9 +35,11 @@
|
|||||||
(((st) == SSL3_ST_SW_SRVR_HELLO_A) || \
|
(((st) == SSL3_ST_SW_SRVR_HELLO_A) || \
|
||||||
((st) == SSL3_ST_SW_SRVR_HELLO_B))
|
((st) == SSL3_ST_SW_SRVR_HELLO_B))
|
||||||
#define OSSL_HANDSHAKE_STATE int
|
#define OSSL_HANDSHAKE_STATE int
|
||||||
|
#define CONST_IF_OPENSSL_1_1_API
|
||||||
#else
|
#else
|
||||||
#define STATE_IS_SW_SERVER_HELLO(st) \
|
#define STATE_IS_SW_SERVER_HELLO(st) \
|
||||||
((st) == TLS_ST_SW_SRVR_HELLO)
|
((st) == TLS_ST_SW_SRVR_HELLO)
|
||||||
|
#define CONST_IF_OPENSSL_1_1_API const
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
@ -373,8 +373,12 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
|
|||||||
used by Tor and the set of algorithms available in the engine */
|
used by Tor and the set of algorithms available in the engine */
|
||||||
log_engine("RSA", ENGINE_get_default_RSA());
|
log_engine("RSA", ENGINE_get_default_RSA());
|
||||||
log_engine("DH", ENGINE_get_default_DH());
|
log_engine("DH", ENGINE_get_default_DH());
|
||||||
|
#ifdef OPENSSL_1_1_API
|
||||||
|
log_engine("EC", ENGINE_get_default_EC());
|
||||||
|
#else
|
||||||
log_engine("ECDH", ENGINE_get_default_ECDH());
|
log_engine("ECDH", ENGINE_get_default_ECDH());
|
||||||
log_engine("ECDSA", ENGINE_get_default_ECDSA());
|
log_engine("ECDSA", ENGINE_get_default_ECDSA());
|
||||||
|
#endif
|
||||||
log_engine("RAND", ENGINE_get_default_RAND());
|
log_engine("RAND", ENGINE_get_default_RAND());
|
||||||
log_engine("RAND (which we will not use)", ENGINE_get_default_RAND());
|
log_engine("RAND (which we will not use)", ENGINE_get_default_RAND());
|
||||||
log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));
|
log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));
|
||||||
|
@ -911,7 +911,7 @@ tor_tls_cert_is_valid(int severity,
|
|||||||
} else if (cert_key) {
|
} else if (cert_key) {
|
||||||
int min_bits = 1024;
|
int min_bits = 1024;
|
||||||
#ifdef EVP_PKEY_EC
|
#ifdef EVP_PKEY_EC
|
||||||
if (EVP_PKEY_type(cert_key->type) == EVP_PKEY_EC)
|
if (EVP_PKEY_base_id(cert_key) == EVP_PKEY_EC)
|
||||||
min_bits = 128;
|
min_bits = 128;
|
||||||
#endif
|
#endif
|
||||||
if (EVP_PKEY_bits(cert_key) >= min_bits)
|
if (EVP_PKEY_bits(cert_key) >= min_bits)
|
||||||
@ -1414,7 +1414,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
|
|||||||
/* Now we need to see if there are any ciphers whose presence means we're
|
/* Now we need to see if there are any ciphers whose presence means we're
|
||||||
* dealing with an updated Tor. */
|
* dealing with an updated Tor. */
|
||||||
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
|
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
|
||||||
SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
|
const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
|
||||||
const char *ciphername = SSL_CIPHER_get_name(cipher);
|
const char *ciphername = SSL_CIPHER_get_name(cipher);
|
||||||
if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
|
if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
|
||||||
strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
|
strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
|
||||||
@ -1431,7 +1431,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
|
|||||||
{
|
{
|
||||||
const uint16_t *v2_cipher = v2_cipher_list;
|
const uint16_t *v2_cipher = v2_cipher_list;
|
||||||
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
|
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
|
||||||
SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
|
const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
|
||||||
uint16_t id = SSL_CIPHER_get_id(cipher) & 0xffff;
|
uint16_t id = SSL_CIPHER_get_id(cipher) & 0xffff;
|
||||||
if (id == 0x00ff) /* extended renegotiation indicator. */
|
if (id == 0x00ff) /* extended renegotiation indicator. */
|
||||||
continue;
|
continue;
|
||||||
@ -1453,7 +1453,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
|
|||||||
smartlist_t *elts = smartlist_new();
|
smartlist_t *elts = smartlist_new();
|
||||||
char *s;
|
char *s;
|
||||||
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
|
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
|
||||||
SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
|
const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
|
||||||
const char *ciphername = SSL_CIPHER_get_name(cipher);
|
const char *ciphername = SSL_CIPHER_get_name(cipher);
|
||||||
smartlist_add(elts, (char*)ciphername);
|
smartlist_add(elts, (char*)ciphername);
|
||||||
}
|
}
|
||||||
@ -1562,7 +1562,8 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val)
|
|||||||
STATIC int
|
STATIC int
|
||||||
tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len,
|
tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len,
|
||||||
STACK_OF(SSL_CIPHER) *peer_ciphers,
|
STACK_OF(SSL_CIPHER) *peer_ciphers,
|
||||||
SSL_CIPHER **cipher, void *arg)
|
CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
|
||||||
|
void *arg)
|
||||||
{
|
{
|
||||||
(void) secret;
|
(void) secret;
|
||||||
(void) secret_len;
|
(void) secret_len;
|
||||||
@ -1733,8 +1734,13 @@ tor_tls_block_renegotiation(tor_tls_t *tls)
|
|||||||
void
|
void
|
||||||
tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
|
tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
|
||||||
{
|
{
|
||||||
|
#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && \
|
||||||
|
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION != 0
|
||||||
long options = SSL_get_options(tls->ssl);
|
long options = SSL_get_options(tls->ssl);
|
||||||
tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
|
tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
|
||||||
|
#else
|
||||||
|
(void) tls;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Return whether this tls initiated the connect (client) or
|
/** Return whether this tls initiated the connect (client) or
|
||||||
|
@ -145,7 +145,8 @@ STATIC void tor_tls_server_info_callback(const SSL *ssl, int type, int val);
|
|||||||
STATIC int tor_tls_session_secret_cb(SSL *ssl, void *secret,
|
STATIC int tor_tls_session_secret_cb(SSL *ssl, void *secret,
|
||||||
int *secret_len,
|
int *secret_len,
|
||||||
STACK_OF(SSL_CIPHER) *peer_ciphers,
|
STACK_OF(SSL_CIPHER) *peer_ciphers,
|
||||||
SSL_CIPHER **cipher, void *arg);
|
CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
|
||||||
|
void *arg);
|
||||||
STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m,
|
STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m,
|
||||||
uint16_t cipher);
|
uint16_t cipher);
|
||||||
MOCK_DECL(STATIC X509*, tor_tls_create_certificate,(crypto_pk_t *rsa,
|
MOCK_DECL(STATIC X509*, tor_tls_create_certificate,(crypto_pk_t *rsa,
|
||||||
|
@ -1108,6 +1108,11 @@ test_crypto_digests(void *arg)
|
|||||||
crypto_pk_free(k);
|
crypto_pk_free(k);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifndef OPENSSL_1_1_API
|
||||||
|
#define EVP_ENCODE_CTX_new() tor_malloc_zero(sizeof(EVP_ENCODE_CTX))
|
||||||
|
#define EVP_ENCODE_CTX_free(ctx) tor_free(ctx)
|
||||||
|
#endif
|
||||||
|
|
||||||
/** Encode src into dest with OpenSSL's EVP Encode interface, returning the
|
/** Encode src into dest with OpenSSL's EVP Encode interface, returning the
|
||||||
* length of the encoded data in bytes.
|
* length of the encoded data in bytes.
|
||||||
*/
|
*/
|
||||||
@ -1115,12 +1120,13 @@ static int
|
|||||||
base64_encode_evp(char *dest, char *src, size_t srclen)
|
base64_encode_evp(char *dest, char *src, size_t srclen)
|
||||||
{
|
{
|
||||||
const unsigned char *s = (unsigned char*)src;
|
const unsigned char *s = (unsigned char*)src;
|
||||||
EVP_ENCODE_CTX ctx;
|
EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
|
||||||
int len, ret;
|
int len, ret;
|
||||||
|
|
||||||
EVP_EncodeInit(&ctx);
|
EVP_EncodeInit(ctx);
|
||||||
EVP_EncodeUpdate(&ctx, (unsigned char *)dest, &len, s, (int)srclen);
|
EVP_EncodeUpdate(ctx, (unsigned char *)dest, &len, s, (int)srclen);
|
||||||
EVP_EncodeFinal(&ctx, (unsigned char *)(dest + len), &ret);
|
EVP_EncodeFinal(ctx, (unsigned char *)(dest + len), &ret);
|
||||||
|
EVP_ENCODE_CTX_free(ctx);
|
||||||
return ret+ len;
|
return ret+ len;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1347,11 +1347,10 @@ test_tortls_get_buffer_sizes(void *ignored)
|
|||||||
tls->ssl->s3->wbuf.offset = 0;
|
tls->ssl->s3->wbuf.offset = 0;
|
||||||
tls->ssl->s3->wbuf.left = 43;
|
tls->ssl->s3->wbuf.left = 43;
|
||||||
|
|
||||||
|
ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
|
||||||
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
|
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
|
||||||
ret = tor_tls_get_buffer_sizes(NULL, NULL, NULL, NULL, NULL);
|
|
||||||
tt_int_op(ret, OP_EQ, -1);
|
tt_int_op(ret, OP_EQ, -1);
|
||||||
#else
|
#else
|
||||||
ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
|
|
||||||
tt_int_op(ret, OP_EQ, 0);
|
tt_int_op(ret, OP_EQ, 0);
|
||||||
tt_int_op(rbuf_c, OP_EQ, 0);
|
tt_int_op(rbuf_c, OP_EQ, 0);
|
||||||
tt_int_op(wbuf_c, OP_EQ, 0);
|
tt_int_op(wbuf_c, OP_EQ, 0);
|
||||||
@ -2594,14 +2593,14 @@ test_tortls_create_certificate(void *ignored)
|
|||||||
tt_assert(!ret);
|
tt_assert(!ret);
|
||||||
|
|
||||||
fixed_crypto_pk_get_evp_pkey_result_index = 0;
|
fixed_crypto_pk_get_evp_pkey_result_index = 0;
|
||||||
fixed_crypto_pk_get_evp_pkey_result[0] = tor_malloc_zero(sizeof(EVP_PKEY));
|
fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
|
||||||
fixed_crypto_pk_get_evp_pkey_result[1] = NULL;
|
fixed_crypto_pk_get_evp_pkey_result[1] = NULL;
|
||||||
ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
|
ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
|
||||||
tt_assert(!ret);
|
tt_assert(!ret);
|
||||||
|
|
||||||
fixed_crypto_pk_get_evp_pkey_result_index = 0;
|
fixed_crypto_pk_get_evp_pkey_result_index = 0;
|
||||||
fixed_crypto_pk_get_evp_pkey_result[0] = tor_malloc_zero(sizeof(EVP_PKEY));
|
fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
|
||||||
fixed_crypto_pk_get_evp_pkey_result[1] = tor_malloc_zero(sizeof(EVP_PKEY));
|
fixed_crypto_pk_get_evp_pkey_result[1] = EVP_PKEY_new();
|
||||||
ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
|
ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
|
||||||
tt_assert(!ret);
|
tt_assert(!ret);
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user