From 8e562874a42a1a3eb982ba2df3ff1f3860db0d31 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 5 Mar 2018 15:34:04 -0500 Subject: [PATCH 1/6] Edit our openssl detection in autoconf to tolerate no-deprecated. When openssl is built with no-deprecated, the TLSv1_1_method() function isn't visible in the headers. That's sad, because that method is what we were looking at. Instead, we now look at SSL_CIPHER_get_id(), which is present in OpenSSL 1.0.1 and later, which is _not_ deprecated, and which is also present in LibreSSL. Fixes ticket 25353. Not a bugfix exactly -- we never really worked with this configuration. --- configure.ac | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 878f5a88bb..aa2617b70a 100644 --- a/configure.ac +++ b/configure.ac @@ -788,9 +788,18 @@ AC_ARG_WITH(ssl-dir, AC_MSG_NOTICE([Now, we'll look for OpenSSL >= 1.0.1]) TOR_SEARCH_LIBRARY(openssl, $tryssldir, [-lssl -lcrypto $TOR_LIB_GDI $TOR_LIB_WS32], - [#include ], - [struct ssl_method_st; const struct ssl_method_st *TLSv1_1_method(void);], - [TLSv1_1_method();], [], + [#include + char *getenv(const char *);], + [struct ssl_cipher_st; + unsigned SSL_CIPHER_get_id(const struct ssl_cipher_st *); + char *getenv(const char *);], + dnl This funny-looking test program calls getenv, so that the compiler + dnl will neither make code that call SSL_CIPHER_get_id(NULL) [producing + dnl a crash], nor optimize out the call to SSL_CIPHER_get_id(). + dnl We look for SSL_cipher_get_id() because it is present in + dnl OpenSSL >=1.0.1, because it is not deprecated, and because Tor + dnl depends on it. + [if (getenv("THIS_SHOULDNT_BE_SET_X201803")) SSL_CIPHER_get_id((void *)0);], [], [/usr/local/opt/openssl /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /opt/openssl]) dnl XXXX check for OPENSSL_VERSION_NUMBER == SSLeay() From a15b2c57e1f901c531a5f063513a541adb418ae1 Mon Sep 17 00:00:00 2001 
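Review bot: The dnl comment added above the new test program names `SSL_cipher_get_id()` while the code on the line below calls `SSL_CIPHER_get_id()`, and "make code that call" reads as a typo, so a maintainer grepping for the symbol will not find the explanation. Suggest `dnl will neither make code that calls SSL_CIPHER_get_id(NULL) [producing` and `dnl We look for SSL_CIPHER_get_id() because it is present in`. The prototype `char *getenv(const char *);` is also passed twice to TOR_SEARCH_LIBRARY, once in the include argument and once in the declaration argument; a repeated identical prototype is legal C, but presumably one copy suffices once it is known which argument the macro emits first.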
From: Nick Mathewson Date: Wed, 18 Apr 2018 12:31:24 -0400 Subject: [PATCH 2/6] Add support for openssl built with "no-deprecated". Patch from Andrew John Hughes; partial fix for 19981. --- src/common/aes.c | 4 ++++ src/common/crypto.c | 16 ++++++++++++++++ src/common/tortls.c | 15 +++++++++++++++ 3 files changed, 35 insertions(+) diff --git a/src/common/aes.c b/src/common/aes.c index 5d0841dfa3..95737cffcc 100644 --- a/src/common/aes.c +++ b/src/common/aes.c @@ -116,7 +116,11 @@ aes_cipher_free_(aes_cnt_cipher_t *cipher_) if (!cipher_) return; EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_; +#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) + EVP_CIPHER_CTX_reset(cipher); +#else EVP_CIPHER_CTX_cleanup(cipher); +#endif EVP_CIPHER_CTX_free(cipher); } void diff --git a/src/common/crypto.c b/src/common/crypto.c index 9fcd17742c..c98a968757 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -43,6 +43,7 @@ DISABLE_GCC_WARNING(redundant-decls) #include #include #include +#include ENABLE_GCC_WARNING(redundant-decls) @@ -204,8 +205,15 @@ crypto_early_init(void) crypto_early_initialized_ = 1; +#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | + OPENSSL_INIT_LOAD_CRYPTO_STRINGS | + OPENSSL_INIT_ADD_ALL_CIPHERS | + OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); +#else ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); +#endif setup_openssl_threading(); @@ -1660,11 +1668,15 @@ memwipe(void *mem, uint8_t byte, size_t sz) int crypto_global_cleanup(void) { +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0) EVP_cleanup(); +#endif #ifndef NEW_THREAD_API ERR_remove_thread_state(NULL); #endif +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0) ERR_free_strings(); +#endif if (dh_param_p) BN_clear_free(dh_param_p); 
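Review bot: The new `EVP_CIPHER_CTX_reset(cipher)` branch in aes_cipher_free_ runs immediately before `EVP_CIPHER_CTX_free(cipher)`, which in OpenSSL 1.1.0 already resets the context (wiping the key schedule) before releasing it, so the call is redundant on that branch just as `EVP_CIPHER_CTX_cleanup()` is on the older one. Keeping an explicit wipe of key material is reasonable defense in depth, but nothing in the code says that is the intent. Suggest a comment above the `#if`: `/* Free() also wipes the context, but be explicit: it holds key material. */`, so the next cleanup pass does not remove the reset as dead code.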
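Review bot: The `OPENSSL_init_ssl(...)` call added to crypto_early_init discards its return value, unlike the void calls it replaces: the function returns 0 when initialization fails, after which error strings and algorithm tables may be missing while the rest of crypto_early_init continues as if setup had succeeded. Suggest capturing it, `int ok = OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);`, and treating `!ok` as a fatal initialization error through the file's usual logging, provided crypto_early_init's contract allows reporting failure (its return type is outside the hunk). The same unchecked call is added in tor_tls_init() in src/common/tortls.c and in library_init() in src/test/test_tortls.c.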
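Review bot: The `#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)` guards around `EVP_cleanup()` and `ERR_free_strings()` in crypto_global_cleanup carry no explanation, and neither do the matching guards around `ENGINE_cleanup()` and `CRYPTO_cleanup_all_ex_data()` in the following hunk. The reason, that OpenSSL 1.1.0 performs this cleanup itself at exit and marks the explicit calls deprecated so a no-deprecated build has no declarations for them, lives only in the commit message. Suggest one comment at the first guard: `/* 1.1.0+ cleans these up itself at exit; the explicit calls are deprecated and absent in no-deprecated builds. */`. crypto_global_cleanup continues past the end of both hunks.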
@@ -1676,11 +1688,15 @@ crypto_global_cleanup(void) dh_param_p = dh_param_p_tls = dh_param_g = NULL; #ifndef DISABLE_ENGINES +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0) ENGINE_cleanup(); +#endif #endif CONF_modules_unload(1); +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0) CRYPTO_cleanup_all_ex_data(); +#endif crypto_openssl_free_all(); diff --git a/src/common/tortls.c b/src/common/tortls.c index 05e29e22ff..23bcd85281 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -56,10 +56,21 @@ ENABLE_GCC_WARNING(redundant-decls) #include "container.h" #include +#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) +#define X509_get_notBefore_const(cert) \ + X509_get0_notBefore(cert) +#define X509_get_notAfter_const(cert) \ + X509_get0_notAfter(cert) +#define X509_get_notBefore(cert) \ + X509_getm_notBefore(cert) +#define X509_get_notAfter(cert) \ + X509_getm_notAfter(cert) +#else #define X509_get_notBefore_const(cert) \ ((const ASN1_TIME*) X509_get_notBefore((X509 *)cert)) #define X509_get_notAfter_const(cert) \ ((const ASN1_TIME*) X509_get_notAfter((X509 *)cert)) +#endif /* Copied from or.h */ #define LEGAL_NICKNAME_CHARACTERS \ @@ -355,8 +366,12 @@ tor_tls_init(void) check_no_tls_errors(); if (!tls_library_is_initialized) { +#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); +#else SSL_library_init(); SSL_load_error_strings(); +#endif #if (SIZEOF_VOID_P >= 8 && \ OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1)) From 9d27e3f01468c2a31d3d3ab538a668d8351e5324 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 18 Apr 2018 12:32:39 -0400 Subject: [PATCH 3/6] Make test_tortls.c build with openssl no_deprecated. Also for 19981. --- src/test/test_tortls.c | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/src/test/test_tortls.c b/src/test/test_tortls.c index 29f7cc9c37..ef1be139a6 100644 --- a/src/test/test_tortls.c 
+++ b/src/test/test_tortls.c @@ -202,6 +202,17 @@ test_tortls_tor_tls_get_error(void *data) tor_tls_free(tls); } +static void +library_init(void) +{ +#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); +#else + SSL_library_init(); + SSL_load_error_strings(); +#endif +} + static void test_tortls_get_state_description(void *ignored) { @@ -210,9 +221,7 @@ test_tortls_get_state_description(void *ignored) char *buf; SSL_CTX *ctx; - SSL_library_init(); - SSL_load_error_strings(); - + library_init(); ctx = SSL_CTX_new(SSLv23_method()); buf = tor_malloc_zero(1000); @@ -274,8 +283,7 @@ test_tortls_get_by_ssl(void *ignored) SSL_CTX *ctx; SSL *ssl; - SSL_library_init(); - SSL_load_error_strings(); + library_init(); tor_tls_allocate_tor_tls_object_ex_data_index(); ctx = SSL_CTX_new(SSLv23_method()); @@ -322,8 +330,7 @@ test_tortls_log_one_error(void *ignored) SSL_CTX *ctx; SSL *ssl = NULL; - SSL_library_init(); - SSL_load_error_strings(); + library_init(); ctx = SSL_CTX_new(SSLv23_method()); tls = tor_malloc_zero(sizeof(tor_tls_t)); @@ -415,8 +422,7 @@ test_tortls_get_error(void *ignored) int ret; SSL_CTX *ctx; - SSL_library_init(); - SSL_load_error_strings(); + library_init(); ctx = SSL_CTX_new(SSLv23_method()); setup_capture_of_logs(LOG_INFO); @@ -792,8 +798,8 @@ test_tortls_classify_client_ciphers(void *ignored) STACK_OF(SSL_CIPHER) *ciphers; SSL_CIPHER *tmp_cipher; - SSL_library_init(); - SSL_load_error_strings(); + library_init(); + tor_tls_allocate_tor_tls_object_ex_data_index(); tls = tor_malloc_zero(sizeof(tor_tls_t)); @@ -897,8 +903,7 @@ test_tortls_client_is_using_v2_ciphers(void *ignored) SSL_SESSION *sess; STACK_OF(SSL_CIPHER) *ciphers; - SSL_library_init(); - SSL_load_error_strings(); + library_init(); ctx = SSL_CTX_new(TLSv1_method()); ssl = SSL_new(ctx); 
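Review bot: The new `library_init()` helper duplicates the OpenSSL version ladder that tor_tls_init() in src/common/tortls.c now contains, with no comment on why the tests initialize the library themselves rather than through the production path. The callers in the later hunks build contexts with `SSLv23_method()` and `TLSv1_method()` and allocate `sizeof(SSL_CIPHER)`, which in OpenSSL 1.1.0 are deprecated or opaque, so presumably these tests are compiled only against older OpenSSL (any such guard is outside the hunks) and the new 1.1.0 branch would rarely run. A short header comment would settle both: `/* Mirror the library setup in tor_tls_init() without creating Tor state, so tests can drive raw SSL_CTX objects; see that function when changing the version ladder. */`.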
@@ -1541,8 +1546,8 @@ test_tortls_session_secret_cb(void *ignored) STACK_OF(SSL_CIPHER) *ciphers = NULL; SSL_CIPHER *one; - SSL_library_init(); - SSL_load_error_strings(); + library_init(); + tor_tls_allocate_tor_tls_object_ex_data_index(); tls = tor_malloc_zero(sizeof(tor_tls_t)); @@ -1733,8 +1738,7 @@ test_tortls_find_cipher_by_id(void *ignored) fixed_cipher2 = tor_malloc_zero(sizeof(SSL_CIPHER)); fixed_cipher2->id = 0xC00A; - SSL_library_init(); - SSL_load_error_strings(); + library_init(); ctx = SSL_CTX_new(m); ssl = SSL_new(ctx); @@ -1825,8 +1829,7 @@ test_tortls_server_info_callback(void *ignored) SSL_CTX *ctx; SSL *ssl; - SSL_library_init(); - SSL_load_error_strings(); + library_init(); ctx = SSL_CTX_new(TLSv1_method()); ssl = SSL_new(ctx); From c296f002541aee6dee5884187640fb273466b8f6 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 18 Apr 2018 12:35:36 -0400 Subject: [PATCH 4/6] Changes file for openssl no-deprecated work. --- changes/feature19429 | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 changes/feature19429 diff --git a/changes/feature19429 b/changes/feature19429 new file mode 100644 index 0000000000..29db6a5bc2 --- /dev/null +++ b/changes/feature19429 @@ -0,0 +1,5 @@ + o Minor features (compatibility): + - Tor now detects versions of OpenSSL 1.1.0 and later compiled with the + no-deprecated option, and builds correctly with them. Closes + tickets 19981 and 25353. + From 32181cbaa2c4f0cdd8d3d39ddafb8aff643a4280 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 18 Apr 2018 13:03:31 -0400 Subject: [PATCH 5/6] mention 19429 in changes file --- changes/feature19429 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changes/feature19429 b/changes/feature19429 index 29db6a5bc2..0faa6e84e1 100644 --- a/changes/feature19429 +++ b/changes/feature19429 
@@ -1,5 +1,5 @@ o Minor features (compatibility): - Tor now detects versions of OpenSSL 1.1.0 and later compiled with the no-deprecated option, and builds correctly with them. Closes - tickets 19981 and 25353. + tickets 19429, 19981, and 25353. From d6a773f57d7d91e9a98444b048ed779120f14dfd Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 27 Apr 2018 12:55:52 -0400 Subject: [PATCH 6/6] Only define X509_get_not{BeforeAfter} if they are not defined (The originally submitted version of a15b2c57e1f901c531 broke with OpenSSL 1.1.0.) --- src/common/tortls.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index 23bcd85281..cd236363f8 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -61,11 +61,15 @@ ENABLE_GCC_WARNING(redundant-decls) X509_get0_notBefore(cert) #define X509_get_notAfter_const(cert) \ X509_get0_notAfter(cert) +#ifndef X509_get_notBefore #define X509_get_notBefore(cert) \ X509_getm_notBefore(cert) +#endif +#ifndef X509_get_notAfter #define X509_get_notAfter(cert) \ X509_getm_notAfter(cert) -#else +#endif +#else /* ! OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) */ #define X509_get_notBefore_const(cert) \ ((const ASN1_TIME*) X509_get_notBefore((X509 *)cert)) #define X509_get_notAfter_const(cert) \
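Review bot: The `#ifndef X509_get_notBefore` / `#ifndef X509_get_notAfter` guards added around the two `#define`s are bare, so the code does not say which OpenSSL configuration already defines the names; the commit message gives the reason (a 1.1.0 build that keeps deprecated APIs ships them as compatibility macros) but the source does not. Suggest a comment on the first guard: `/* OpenSSL 1.1.0 built with deprecated APIs already defines these; only a no-deprecated build lacks them. */`. The annotated `#else` added in the same hunk is a good model for the other preprocessor branches in this block.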