Make Tor build happily with OpenSSL master and libressl.

Also tested with 1.0.0t and 1.0.2f.

Closes ticket 19784.

Closes most of 17921. (Still need to make some tests pass.)
This commit is contained in:
Nick Mathewson 2016-02-03 11:13:12 -05:00
parent 957cdb5469
commit 27582325dc
9 changed files with 54 additions and 34 deletions

View File

@ -0,0 +1,4 @@
o Minor features (compilation):
- Tor builds successfully with the unreleased OpenSSL 1.1 alpha
releases, and with the latest LibreSSL. Closes tickets 17921 and
17984.

View File

@ -81,47 +81,46 @@
#ifdef USE_EVP_AES_CTR #ifdef USE_EVP_AES_CTR
struct aes_cnt_cipher { /* We don't actually define the struct here. */
EVP_CIPHER_CTX evp;
};
aes_cnt_cipher_t * aes_cnt_cipher_t *
aes_new_cipher(const char *key, const char *iv) aes_new_cipher(const char *key, const char *iv)
{ {
aes_cnt_cipher_t *cipher; EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
cipher = tor_malloc_zero(sizeof(aes_cnt_cipher_t)); EVP_EncryptInit(cipher, EVP_aes_128_ctr(),
EVP_EncryptInit(&cipher->evp, EVP_aes_128_ctr(),
(const unsigned char*)key, (const unsigned char *)iv); (const unsigned char*)key, (const unsigned char *)iv);
return cipher; return (aes_cnt_cipher_t *) cipher;
} }
void void
aes_cipher_free(aes_cnt_cipher_t *cipher) aes_cipher_free(aes_cnt_cipher_t *cipher_)
{ {
if (!cipher) if (!cipher_)
return; return;
EVP_CIPHER_CTX_cleanup(&cipher->evp); EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
memwipe(cipher, 0, sizeof(aes_cnt_cipher_t)); EVP_CIPHER_CTX_cleanup(cipher);
tor_free(cipher); EVP_CIPHER_CTX_free(cipher);
} }
void void
aes_crypt(aes_cnt_cipher_t *cipher, const char *input, size_t len, aes_crypt(aes_cnt_cipher_t *cipher_, const char *input, size_t len,
char *output) char *output)
{ {
int outl; int outl;
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
tor_assert(len < INT_MAX); tor_assert(len < INT_MAX);
EVP_EncryptUpdate(&cipher->evp, (unsigned char*)output, EVP_EncryptUpdate(cipher, (unsigned char*)output,
&outl, (const unsigned char *)input, (int)len); &outl, (const unsigned char *)input, (int)len);
} }
void void
aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len) aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
{ {
int outl; int outl;
EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
tor_assert(len < INT_MAX); tor_assert(len < INT_MAX);
EVP_EncryptUpdate(&cipher->evp, (unsigned char*)data, EVP_EncryptUpdate(cipher, (unsigned char*)data,
&outl, (unsigned char*)data, (int)len); &outl, (unsigned char*)data, (int)len);
} }
int int

View File

@ -13,7 +13,6 @@
* \brief Headers for aes.c * \brief Headers for aes.c
*/ */
struct aes_cnt_cipher;
typedef struct aes_cnt_cipher aes_cnt_cipher_t; typedef struct aes_cnt_cipher aes_cnt_cipher_t;
aes_cnt_cipher_t* aes_new_cipher(const char *key, const char *iv); aes_cnt_cipher_t* aes_new_cipher(const char *key, const char *iv);

View File

@ -35,9 +35,11 @@
(((st) == SSL3_ST_SW_SRVR_HELLO_A) || \ (((st) == SSL3_ST_SW_SRVR_HELLO_A) || \
((st) == SSL3_ST_SW_SRVR_HELLO_B)) ((st) == SSL3_ST_SW_SRVR_HELLO_B))
#define OSSL_HANDSHAKE_STATE int #define OSSL_HANDSHAKE_STATE int
#define CONST_IF_OPENSSL_1_1_API
#else #else
#define STATE_IS_SW_SERVER_HELLO(st) \ #define STATE_IS_SW_SERVER_HELLO(st) \
((st) == TLS_ST_SW_SRVR_HELLO) ((st) == TLS_ST_SW_SRVR_HELLO)
#define CONST_IF_OPENSSL_1_1_API const
#endif #endif
#endif #endif

View File

@ -373,8 +373,12 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
used by Tor and the set of algorithms available in the engine */ used by Tor and the set of algorithms available in the engine */
log_engine("RSA", ENGINE_get_default_RSA()); log_engine("RSA", ENGINE_get_default_RSA());
log_engine("DH", ENGINE_get_default_DH()); log_engine("DH", ENGINE_get_default_DH());
#ifdef OPENSSL_1_1_API
log_engine("EC", ENGINE_get_default_EC());
#else
log_engine("ECDH", ENGINE_get_default_ECDH()); log_engine("ECDH", ENGINE_get_default_ECDH());
log_engine("ECDSA", ENGINE_get_default_ECDSA()); log_engine("ECDSA", ENGINE_get_default_ECDSA());
#endif
log_engine("RAND", ENGINE_get_default_RAND()); log_engine("RAND", ENGINE_get_default_RAND());
log_engine("RAND (which we will not use)", ENGINE_get_default_RAND()); log_engine("RAND (which we will not use)", ENGINE_get_default_RAND());
log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1)); log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));

View File

@ -911,7 +911,7 @@ tor_tls_cert_is_valid(int severity,
} else if (cert_key) { } else if (cert_key) {
int min_bits = 1024; int min_bits = 1024;
#ifdef EVP_PKEY_EC #ifdef EVP_PKEY_EC
if (EVP_PKEY_type(cert_key->type) == EVP_PKEY_EC) if (EVP_PKEY_base_id(cert_key) == EVP_PKEY_EC)
min_bits = 128; min_bits = 128;
#endif #endif
if (EVP_PKEY_bits(cert_key) >= min_bits) if (EVP_PKEY_bits(cert_key) >= min_bits)
@ -1414,7 +1414,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
/* Now we need to see if there are any ciphers whose presence means we're /* Now we need to see if there are any ciphers whose presence means we're
* dealing with an updated Tor. */ * dealing with an updated Tor. */
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) { for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i); const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
const char *ciphername = SSL_CIPHER_get_name(cipher); const char *ciphername = SSL_CIPHER_get_name(cipher);
if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) && if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) && strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
@ -1431,7 +1431,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
{ {
const uint16_t *v2_cipher = v2_cipher_list; const uint16_t *v2_cipher = v2_cipher_list;
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) { for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i); const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
uint16_t id = SSL_CIPHER_get_id(cipher) & 0xffff; uint16_t id = SSL_CIPHER_get_id(cipher) & 0xffff;
if (id == 0x00ff) /* extended renegotiation indicator. */ if (id == 0x00ff) /* extended renegotiation indicator. */
continue; continue;
@ -1453,7 +1453,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
smartlist_t *elts = smartlist_new(); smartlist_t *elts = smartlist_new();
char *s; char *s;
for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) { for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i); const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
const char *ciphername = SSL_CIPHER_get_name(cipher); const char *ciphername = SSL_CIPHER_get_name(cipher);
smartlist_add(elts, (char*)ciphername); smartlist_add(elts, (char*)ciphername);
} }
@ -1562,7 +1562,8 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val)
STATIC int STATIC int
tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len, tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers, STACK_OF(SSL_CIPHER) *peer_ciphers,
SSL_CIPHER **cipher, void *arg) CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
void *arg)
{ {
(void) secret; (void) secret;
(void) secret_len; (void) secret_len;
@ -1733,8 +1734,13 @@ tor_tls_block_renegotiation(tor_tls_t *tls)
void void
tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls) tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
{ {
#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && \
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION != 0
long options = SSL_get_options(tls->ssl); long options = SSL_get_options(tls->ssl);
tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)); tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
#else
(void) tls;
#endif
} }
/** Return whether this tls initiated the connect (client) or /** Return whether this tls initiated the connect (client) or

View File

@ -145,7 +145,8 @@ STATIC void tor_tls_server_info_callback(const SSL *ssl, int type, int val);
STATIC int tor_tls_session_secret_cb(SSL *ssl, void *secret, STATIC int tor_tls_session_secret_cb(SSL *ssl, void *secret,
int *secret_len, int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers, STACK_OF(SSL_CIPHER) *peer_ciphers,
SSL_CIPHER **cipher, void *arg); CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
void *arg);
STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m, STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m,
uint16_t cipher); uint16_t cipher);
MOCK_DECL(STATIC X509*, tor_tls_create_certificate,(crypto_pk_t *rsa, MOCK_DECL(STATIC X509*, tor_tls_create_certificate,(crypto_pk_t *rsa,

View File

@ -1108,6 +1108,11 @@ test_crypto_digests(void *arg)
crypto_pk_free(k); crypto_pk_free(k);
} }
#ifndef OPENSSL_1_1_API
#define EVP_ENCODE_CTX_new() tor_malloc_zero(sizeof(EVP_ENCODE_CTX))
#define EVP_ENCODE_CTX_free(ctx) tor_free(ctx)
#endif
/** Encode src into dest with OpenSSL's EVP Encode interface, returning the /** Encode src into dest with OpenSSL's EVP Encode interface, returning the
* length of the encoded data in bytes. * length of the encoded data in bytes.
*/ */
@ -1115,12 +1120,13 @@ static int
base64_encode_evp(char *dest, char *src, size_t srclen) base64_encode_evp(char *dest, char *src, size_t srclen)
{ {
const unsigned char *s = (unsigned char*)src; const unsigned char *s = (unsigned char*)src;
EVP_ENCODE_CTX ctx; EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
int len, ret; int len, ret;
EVP_EncodeInit(&ctx); EVP_EncodeInit(ctx);
EVP_EncodeUpdate(&ctx, (unsigned char *)dest, &len, s, (int)srclen); EVP_EncodeUpdate(ctx, (unsigned char *)dest, &len, s, (int)srclen);
EVP_EncodeFinal(&ctx, (unsigned char *)(dest + len), &ret); EVP_EncodeFinal(ctx, (unsigned char *)(dest + len), &ret);
EVP_ENCODE_CTX_free(ctx);
return ret+ len; return ret+ len;
} }

View File

@ -1347,11 +1347,10 @@ test_tortls_get_buffer_sizes(void *ignored)
tls->ssl->s3->wbuf.offset = 0; tls->ssl->s3->wbuf.offset = 0;
tls->ssl->s3->wbuf.left = 43; tls->ssl->s3->wbuf.left = 43;
ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
ret = tor_tls_get_buffer_sizes(NULL, NULL, NULL, NULL, NULL);
tt_int_op(ret, OP_EQ, -1); tt_int_op(ret, OP_EQ, -1);
#else #else
ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
tt_int_op(ret, OP_EQ, 0); tt_int_op(ret, OP_EQ, 0);
tt_int_op(rbuf_c, OP_EQ, 0); tt_int_op(rbuf_c, OP_EQ, 0);
tt_int_op(wbuf_c, OP_EQ, 0); tt_int_op(wbuf_c, OP_EQ, 0);
@ -2594,14 +2593,14 @@ test_tortls_create_certificate(void *ignored)
tt_assert(!ret); tt_assert(!ret);
fixed_crypto_pk_get_evp_pkey_result_index = 0; fixed_crypto_pk_get_evp_pkey_result_index = 0;
fixed_crypto_pk_get_evp_pkey_result[0] = tor_malloc_zero(sizeof(EVP_PKEY)); fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
fixed_crypto_pk_get_evp_pkey_result[1] = NULL; fixed_crypto_pk_get_evp_pkey_result[1] = NULL;
ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1); ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
tt_assert(!ret); tt_assert(!ret);
fixed_crypto_pk_get_evp_pkey_result_index = 0; fixed_crypto_pk_get_evp_pkey_result_index = 0;
fixed_crypto_pk_get_evp_pkey_result[0] = tor_malloc_zero(sizeof(EVP_PKEY)); fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
fixed_crypto_pk_get_evp_pkey_result[1] = tor_malloc_zero(sizeof(EVP_PKEY)); fixed_crypto_pk_get_evp_pkey_result[1] = EVP_PKEY_new();
ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1); ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
tt_assert(!ret); tt_assert(!ret);