mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
When Tor is compiled with NSS, don't claim support for LinkAuth=1
Closes ticket 27288
This commit is contained in:
parent
035166e7bf
commit
991bec67ee
@ -2641,6 +2641,12 @@ connection_or_send_certs_cell(or_connection_t *conn)
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef TOR_UNIT_TESTS
|
||||
int testing__connection_or_pretend_TLSSECRET_is_supported = 0;
|
||||
#else
|
||||
#define testing__connection_or_pretend_TLSSECRET_is_supported 0
|
||||
#endif
|
||||
|
||||
/** Return true iff <b>challenge_type</b> is an AUTHCHALLENGE type that
|
||||
* we can send and receive. */
|
||||
int
|
||||
@ -2648,6 +2654,11 @@ authchallenge_type_is_supported(uint16_t challenge_type)
|
||||
{
|
||||
switch (challenge_type) {
|
||||
case AUTHTYPE_RSA_SHA256_TLSSECRET:
|
||||
#ifdef HAVE_WORKING_TOR_TLS_GET_TLSSECRETS
|
||||
return 1;
|
||||
#else
|
||||
return testing__connection_or_pretend_TLSSECRET_is_supported;
|
||||
#endif
|
||||
case AUTHTYPE_ED25519_SHA256_RFC5705:
|
||||
return 1;
|
||||
case AUTHTYPE_RSA_SHA256_RFC5705:
|
||||
@ -2690,10 +2701,12 @@ connection_or_send_auth_challenge_cell(or_connection_t *conn)
|
||||
tor_assert(sizeof(ac->challenge) == 32);
|
||||
crypto_rand((char*)ac->challenge, sizeof(ac->challenge));
|
||||
|
||||
if (authchallenge_type_is_supported(AUTHTYPE_RSA_SHA256_TLSSECRET))
|
||||
auth_challenge_cell_add_methods(ac, AUTHTYPE_RSA_SHA256_TLSSECRET);
|
||||
/* Disabled, because everything that supports this method also supports
|
||||
* the much-superior ED25519_SHA256_RFC5705 */
|
||||
/* auth_challenge_cell_add_methods(ac, AUTHTYPE_RSA_SHA256_RFC5705); */
|
||||
if (authchallenge_type_is_supported(AUTHTYPE_ED25519_SHA256_RFC5705))
|
||||
auth_challenge_cell_add_methods(ac, AUTHTYPE_ED25519_SHA256_RFC5705);
|
||||
auth_challenge_cell_set_n_methods(ac,
|
||||
auth_challenge_cell_getlen_methods(ac));
|
||||
@ -2855,7 +2868,11 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn,
|
||||
|
||||
/* HMAC of clientrandom and serverrandom using master key : 32 octets */
|
||||
if (old_tlssecrets_algorithm) {
|
||||
tor_tls_get_tlssecrets(conn->tls, auth->tlssecrets);
|
||||
if (tor_tls_get_tlssecrets(conn->tls, auth->tlssecrets) < 0) {
|
||||
log_fn(LOG_PROTOCOL_WARN, LD_OR, "Somebody asked us for an older TLS "
|
||||
"authentication method (AUTHTYPE_RSA_SHA256_TLSSECRET) "
|
||||
"which we don't support.");
|
||||
}
|
||||
} else {
|
||||
char label[128];
|
||||
tor_snprintf(label, sizeof(label),
|
||||
|
@ -160,6 +160,7 @@ STATIC void note_or_connect_failed(const or_connection_t *or_conn);
|
||||
|
||||
#ifdef TOR_UNIT_TESTS
|
||||
extern int certs_cell_ed25519_disabled_for_testing;
|
||||
extern int testing__connection_or_pretend_TLSSECRET_is_supported;
|
||||
#endif
|
||||
|
||||
#endif /* !defined(TOR_CONNECTION_OR_H) */
|
||||
|
@ -374,7 +374,11 @@ protover_get_supported_protocols(void)
|
||||
"HSIntro=3-4 "
|
||||
"HSRend=1-2 "
|
||||
"Link=1-5 "
|
||||
#ifdef HAVE_WORKING_TOR_TLS_GET_TLSSECRETS
|
||||
"LinkAuth=1,3 "
|
||||
#else
|
||||
"LinkAuth=3 "
|
||||
#endif
|
||||
"Microdesc=1-2 "
|
||||
"Relay=1-2";
|
||||
}
|
||||
@ -920,4 +924,3 @@ protover_free_all(void)
|
||||
}
|
||||
|
||||
#endif /* !defined(HAVE_RUST) */
|
||||
|
||||
|
@ -191,3 +191,14 @@ crypto_get_header_version_string(void)
|
||||
return crypto_nss_get_header_version_str();
|
||||
#endif
|
||||
}
|
||||
|
||||
/** Return true iff Tor is using the NSS library. */
|
||||
int
|
||||
tor_is_using_nss(void)
|
||||
{
|
||||
#ifdef ENABLE_NSS
|
||||
return 1;
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
@ -31,4 +31,6 @@ const char *crypto_get_library_name(void);
|
||||
const char *crypto_get_library_version_string(void);
|
||||
const char *crypto_get_header_version_string(void);
|
||||
|
||||
int tor_is_using_nss(void);
|
||||
|
||||
#endif /* !defined(TOR_CRYPTO_H) */
|
||||
|
@ -126,6 +126,10 @@ int tor_tls_server_got_renegotiate(tor_tls_t *tls);
|
||||
MOCK_DECL(int,tor_tls_cert_matches_key,(const tor_tls_t *tls,
|
||||
const struct tor_x509_cert_t *cert));
|
||||
MOCK_DECL(int,tor_tls_get_tlssecrets,(tor_tls_t *tls, uint8_t *secrets_out));
|
||||
#ifdef ENABLE_OPENSSL
|
||||
/* OpenSSL lets us see these master secrets; NSS sensibly does not. */
|
||||
#define HAVE_WORKING_TOR_TLS_GET_TLSSECRETS
|
||||
#endif
|
||||
MOCK_DECL(int,tor_tls_export_key_material,(
|
||||
tor_tls_t *tls, uint8_t *secrets_out,
|
||||
const uint8_t *context,
|
||||
|
10
src/rust/external/external.rs
vendored
10
src/rust/external/external.rs
vendored
@ -26,3 +26,13 @@ pub fn c_tor_version_as_new_as(platform: &str, cutoff: &str) -> bool {
|
||||
|
||||
result == 1
|
||||
}
|
||||
|
||||
extern "C" {
|
||||
fn tor_is_using_nss() -> c_int;
|
||||
}
|
||||
|
||||
/// Return true if Tor was built to use NSS.
|
||||
pub fn c_tor_is_using_nss() -> bool
|
||||
{
|
||||
0 != unsafe { tor_is_using_nss() }
|
||||
}
|
||||
|
@ -10,6 +10,7 @@ use std::str::FromStr;
|
||||
use std::string::String;
|
||||
|
||||
use external::c_tor_version_as_new_as;
|
||||
use external::c_tor_is_using_nss;
|
||||
|
||||
use errors::ProtoverError;
|
||||
use protoset::ProtoSet;
|
||||
@ -141,8 +142,20 @@ impl From<Protocol> for UnknownProtocol {
|
||||
///
|
||||
// C_RUST_COUPLED: protover.c `protover_get_supported_protocols`
|
||||
pub(crate) fn get_supported_protocols_cstr() -> &'static CStr {
|
||||
cstr!(
|
||||
"Cons=1-2 \
|
||||
if c_tor_is_using_nss() {
|
||||
cstr!("Cons=1-2 \
|
||||
Desc=1-2 \
|
||||
DirCache=1-2 \
|
||||
HSDir=1-2 \
|
||||
HSIntro=3-4 \
|
||||
HSRend=1-2 \
|
||||
Link=1-5 \
|
||||
LinkAuth=3 \
|
||||
Microdesc=1-2 \
|
||||
Relay=1-2"
|
||||
)
|
||||
} else {
|
||||
cstr!("Cons=1-2 \
|
||||
Desc=1-2 \
|
||||
DirCache=1-2 \
|
||||
HSDir=1-2 \
|
||||
@ -153,6 +166,7 @@ pub(crate) fn get_supported_protocols_cstr() -> &'static CStr {
|
||||
Microdesc=1-2 \
|
||||
Relay=1-2"
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/// A map of protocol names to the versions of them which are supported.
|
||||
|
@ -942,15 +942,25 @@ test_link_handshake_send_authchallenge(void *arg)
|
||||
cell1 = mock_got_var_cell;
|
||||
tt_int_op(0, OP_EQ, connection_or_send_auth_challenge_cell(c1));
|
||||
cell2 = mock_got_var_cell;
|
||||
#ifdef HAVE_WORKING_TOR_TLS_GET_TLSSECRETS
|
||||
tt_int_op(38, OP_EQ, cell1->payload_len);
|
||||
tt_int_op(38, OP_EQ, cell2->payload_len);
|
||||
#else
|
||||
tt_int_op(36, OP_EQ, cell1->payload_len);
|
||||
tt_int_op(36, OP_EQ, cell2->payload_len);
|
||||
#endif
|
||||
tt_int_op(0, OP_EQ, cell1->circ_id);
|
||||
tt_int_op(0, OP_EQ, cell2->circ_id);
|
||||
tt_int_op(CELL_AUTH_CHALLENGE, OP_EQ, cell1->command);
|
||||
tt_int_op(CELL_AUTH_CHALLENGE, OP_EQ, cell2->command);
|
||||
|
||||
#ifdef HAVE_WORKING_TOR_TLS_GET_TLSSECRETS
|
||||
tt_mem_op("\x00\x02\x00\x01\x00\x03", OP_EQ, cell1->payload + 32, 6);
|
||||
tt_mem_op("\x00\x02\x00\x01\x00\x03", OP_EQ, cell2->payload + 32, 6);
|
||||
#else
|
||||
tt_mem_op("\x00\x01\x00\x03", OP_EQ, cell1->payload + 32, 4);
|
||||
tt_mem_op("\x00\x01\x00\x03", OP_EQ, cell2->payload + 32, 4);
|
||||
#endif
|
||||
tt_mem_op(cell1->payload, OP_NE, cell2->payload, 32);
|
||||
|
||||
done:
|
||||
@ -992,6 +1002,8 @@ static void *
|
||||
recv_authchallenge_setup(const struct testcase_t *test)
|
||||
{
|
||||
(void)test;
|
||||
|
||||
testing__connection_or_pretend_TLSSECRET_is_supported = 1;
|
||||
authchallenge_data_t *d = tor_malloc_zero(sizeof(*d));
|
||||
d->c = or_connection_new(CONN_TYPE_OR, AF_INET);
|
||||
d->chan = tor_malloc_zero(sizeof(*d->chan));
|
||||
@ -1205,6 +1217,8 @@ authenticate_data_setup(const struct testcase_t *test)
|
||||
authenticate_data_t *d = tor_malloc_zero(sizeof(*d));
|
||||
int is_ed = d->is_ed = (test->setup_data == (void*)3);
|
||||
|
||||
testing__connection_or_pretend_TLSSECRET_is_supported = 1;
|
||||
|
||||
scheduler_init();
|
||||
|
||||
MOCK(connection_or_write_var_cell_to_buf, mock_write_var_cell);
|
||||
|
@ -452,10 +452,12 @@ test_protover_supported_protocols(void *arg)
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef HAVE_WORKING_TOR_TLS_GET_TLSSECRETS
|
||||
/* Legacy LinkAuth does not appear anywhere in the code. */
|
||||
tt_assert(protocol_list_supports_protocol(supported_protocols,
|
||||
PRT_LINKAUTH,
|
||||
PROTOVER_LINKAUTH_V1));
|
||||
#endif
|
||||
/* Latest LinkAuth is not exposed in the headers. */
|
||||
tt_assert(protocol_list_supports_protocol(supported_protocols,
|
||||
PRT_LINKAUTH,
|
||||
@ -641,4 +643,3 @@ struct testcase_t protover_tests[] = {
|
||||
PV_TEST(vote_roundtrip, 0),
|
||||
END_OF_TESTCASES
|
||||
};
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user