nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-24 04:13:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

Restore ability to build with V2_HANDSHAKE_SERVER

Browse Source 
Fixes bug 4677; bugfix on 0.2.3.2-alpha. Fix by "piet".
This commit is contained in:
Nick Mathewson 2013-11-25 10:45:20 -05:00
parent acd8c4f868
commit 2d9adcd204
2 changed files with 61 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
changes/bug4677 Normal file
View File

@ -0,0 +1,4 @@
o Minor bugfixes (build):
- Restore the ability to compile Tor with V2_HANDSHAKE_SERVER
turned off. Fixes bug 4677; bugfix on 0.2.3.2-alpha. Patch
from "piet".

114
src/common/tortls.c
View File

@ -1390,6 +1390,21 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
return NULL; return NULL;
} }
/** Invoked when a TLS state changes: log the change at severity 'debug' */
static void
tor_tls_debug_state_callback(const SSL *ssl, int type, int val)
{
log_debug(LD_HANDSHAKE, "SSL %p is now in state %s [type=%d,val=%d].",
ssl, SSL_state_string_long(ssl), type, val);
}
/* Return the name of the negotiated ciphersuite in use on <b>tls</b> */
const char *
tor_tls_get_ciphersuite_name(tor_tls_t *tls)
{
return SSL_get_cipher(tls->ssl);
}
#ifdef V2_HANDSHAKE_SERVER #ifdef V2_HANDSHAKE_SERVER
/* Here's the old V2 cipher list we sent from 0.2.1.1-alpha up to /* Here's the old V2 cipher list we sent from 0.2.1.1-alpha up to
@ -1458,13 +1473,6 @@ prune_v2_cipher_list(void)
v2_cipher_list_pruned = 1; v2_cipher_list_pruned = 1;
} }
/* Return the name of the negotiated ciphersuite in use on <b>tls</b> */
const char *
tor_tls_get_ciphersuite_name(tor_tls_t *tls)
{
return SSL_get_cipher(tls->ssl);
}
/** Examine the client cipher list in <b>ssl</b>, and determine what kind of /** Examine the client cipher list in <b>ssl</b>, and determine what kind of
* client it is. Return one of CIPHERS_ERR, CIPHERS_V1, CIPHERS_V2, * client it is. Return one of CIPHERS_ERR, CIPHERS_V1, CIPHERS_V2,
* CIPHERS_UNRESTRICTED. * CIPHERS_UNRESTRICTED.
@ -1563,56 +1571,6 @@ tor_tls_client_is_using_v2_ciphers(const SSL *ssl)
return tor_tls_classify_client_ciphers(ssl, session->ciphers) >= CIPHERS_V2; return tor_tls_classify_client_ciphers(ssl, session->ciphers) >= CIPHERS_V2;
} }
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,0)
/** Callback to get invoked on a server after we've read the list of ciphers
* the client supports, but before we pick our own ciphersuite.
*
* We can't abuse an info_cb for this, since by the time one of the
* client_hello info_cbs is called, we've already picked which ciphersuite to
* use.
*
* Technically, this function is an abuse of this callback, since the point of
* a session_secret_cb is to try to set up and/or verify a shared-secret for
* authentication on the fly. But as long as we return 0, we won't actually be
* setting up a shared secret, and all will be fine.
*/
static int
tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers,
SSL_CIPHER **cipher, void *arg)
{
(void) secret;
(void) secret_len;
(void) peer_ciphers;
(void) cipher;
(void) arg;
if (tor_tls_classify_client_ciphers(ssl, peer_ciphers) ==
CIPHERS_UNRESTRICTED) {
SSL_set_cipher_list(ssl, UNRESTRICTED_SERVER_CIPHER_LIST);
}
SSL_set_session_secret_cb(ssl, NULL, NULL);
return 0;
}
static void
tor_tls_setup_session_secret_cb(tor_tls_t *tls)
{
SSL_set_session_secret_cb(tls->ssl, tor_tls_session_secret_cb, NULL);
}
#else
#define tor_tls_setup_session_secret_cb(tls) STMT_NIL
#endif
/** Invoked when a TLS state changes: log the change at severity 'debug' */
static void
tor_tls_debug_state_callback(const SSL *ssl, int type, int val)
{
log_debug(LD_HANDSHAKE, "SSL %p is now in state %s [type=%d,val=%d].",
ssl, SSL_state_string_long(ssl), type, val);
}
/** Invoked when we're accepting a connection on <b>ssl</b>, and the connection /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
* changes state. We use this: * changes state. We use this:
* <ul><li>To alter the state of the handshake partway through, so we * <ul><li>To alter the state of the handshake partway through, so we
@ -1672,6 +1630,48 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val)
} }
#endif #endif
#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,0) && defined(V2_HANDSHAKE_SERVER)
/** Callback to get invoked on a server after we've read the list of ciphers
* the client supports, but before we pick our own ciphersuite.
*
* We can't abuse an info_cb for this, since by the time one of the
* client_hello info_cbs is called, we've already picked which ciphersuite to
* use.
*
* Technically, this function is an abuse of this callback, since the point of
* a session_secret_cb is to try to set up and/or verify a shared-secret for
* authentication on the fly. But as long as we return 0, we won't actually be
* setting up a shared secret, and all will be fine.
*/
static int
tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers,
SSL_CIPHER **cipher, void *arg)
{
(void) secret;
(void) secret_len;
(void) peer_ciphers;
(void) cipher;
(void) arg;
if (tor_tls_classify_client_ciphers(ssl, peer_ciphers) ==
CIPHERS_UNRESTRICTED) {
SSL_set_cipher_list(ssl, UNRESTRICTED_SERVER_CIPHER_LIST);
}
SSL_set_session_secret_cb(ssl, NULL, NULL);
return 0;
}
static void
tor_tls_setup_session_secret_cb(tor_tls_t *tls)
{
SSL_set_session_secret_cb(tls->ssl, tor_tls_session_secret_cb, NULL);
}
#else
#define tor_tls_setup_session_secret_cb(tls) STMT_NIL
#endif
/** Explain which ciphers we're missing. */ /** Explain which ciphers we're missing. */
static void static void
log_unsupported_ciphers(smartlist_t *unsupported) log_unsupported_ciphers(smartlist_t *unsupported)