Commit Graph

504 Commits

Author SHA1 Message Date
Nick Mathewson
e48f8e5e87 Merge remote-tracking branch 'public/bug15760_hard_026_v2' 2015-06-02 15:08:14 -04:00
Yawning Angel
8024f6a75f A few more minor OpenSSL 1.1 fixes.
* Use `TLS_method()` instead of the deprecated `SSLv23_method()`
 * Fix one missed conversion to `SSL_CIPHER_get_id()`
2015-06-02 15:04:20 -04:00
Nick Mathewson
34edf17d88 Merge remote-tracking branch 'teor/bug16115-minor-fixes' 2015-06-02 14:51:13 -04:00
teor
b3f79da0d5 Silence unused variable warnings in find_cipher_by_id
Unused variable warnings were still generated under some versions of OpenSSL.
Instead, make sure all variables are used under all versions.

Fix on 496df21c89, not in any released version of tor.
2015-06-03 04:19:05 +10:00
Nick Mathewson
0030765e04 Merge remote-tracking branch 'public/bug15760_hard_026_v2'
Conflicts:
	src/common/tortls.c
2015-06-02 13:45:27 -04:00
Nick Mathewson
ff835e2328 Use autoconf, not OPENSSL_VERSION_NUMBER, to detect SSL_CIPHER_find
Repairs build with libressl
2015-06-02 13:38:27 -04:00
Nick Mathewson
f90a704f12 Use accessor functions for client_random/server_random/master_key
If OpenSSL accepts my patch to introduce these functions, they'll
be a way to help Tor work with OpenSSL 1.1.
2015-06-02 13:38:27 -04:00
Andrea Shepard
0e0b65db4f Appease make check-spaces 2015-06-01 12:59:14 +00:00
Nick Mathewson
1b52e95028 Merge branch '12498_ed25519_keys_v6'
Fixed numerous conflicts, and ported code to use new base64 api.
2015-05-28 11:04:33 -04:00
Nick Mathewson
55bb7bbafd Tests for AUTHENTICATE cell functionality. 2015-05-28 10:41:50 -04:00
Nick Mathewson
b75361c5ed Start testing cell encoders/processers for the v3 handshake.
An earlier version of these tests was broken; now they're a nicer,
more robust, more black-box set of tests.  The key is to have each
test check a handshake message that is wrong in _one_ way.
2015-05-28 10:41:50 -04:00
Nick Mathewson
9537596398 Stop looking at session->ciphers when possible
If the OpenSSL team accepts my patch to add an
SSL_get_client_ciphers function, this patch will make Tor use it
when available, thereby working better with openssl 1.1.
2015-05-26 11:05:36 -04:00
Nick Mathewson
80082b7185 Remove rectify_client_ciphers as needless.
We previously used this function instead of SSL_set_cipher_list() to
set up a stack of client SSL_CIPHERs for these reasons:

  A) In order to force a particular order of the results.

  B) In order to be able to include dummy entries for ciphers that
     this build of openssl did not support, so we could impersonate
     Firefox harder.

But we no longer do B, since we merged proposal 198 and stopped
lying about what ciphers we know.

And A was actually pointless, since I had misread the implementation
of SSL_set_cipher_list().  It _does_ do some internal sorting, but
that is pre-sorting on the master list of ciphers, not sorting on
the user's preferred order.
2015-05-26 10:56:54 -04:00
Nick Mathewson
44259b8942 Revert "Try using SSL_get_ciphers in place of session->ciphers"
This reverts commit 67964cfa78.

It was the cause of #16153, and was not in any released Tor.  We need
a better solution for getting session->ciphers.
2015-05-26 10:49:04 -04:00
Nick Mathewson
c8024b633e Revert "Try using SSL_get_ciphers in place of session->ciphers"
This reverts commit 67964cfa78.

It was the cause of #16153, and was not in any released Tor.  We need
a better solution for getting session->ciphers.
2015-05-22 10:22:11 -04:00
Yawning Angel
452cebc4a4 Remove support for OpenSSL without ECC.
As OpenSSL >= 1.0.0 is now required, ECDHE is now mandatory.  The group
has to be validated at runtime, because of RedHat lawyers (P224 support
is entirely missing in the OpenSSL RPM, but P256 is present and is the
default).

Resolves ticket #16140.
2015-05-21 17:07:30 +00:00
Nick Mathewson
0b7bf3585a Generate error ASAP if building with too-old openssl 2015-05-21 11:54:13 -04:00
Nick Mathewson
a35d22479b move "version" declaration to avoid "set but not used" warnings 2015-05-21 11:17:18 -04:00
Nick Mathewson
0534d46bda 19:38 < Yawning> nickm: you left the "+#ifndef SSL_clear_mode" block in ;_; 2015-05-20 15:40:42 -04:00
Nick Mathewson
ed02a409cf Merge branch 'bug16034_no_more_openssl_098_squashed'
Conflicts:
	src/test/testing_common.c
2015-05-20 15:33:22 -04:00
Nick Mathewson
f0a0568e7f Stop poking SSL_CTX->comp_methods 2015-05-20 15:27:36 -04:00
Nick Mathewson
b7f3d52865 Use SSL_CIPHER accessor functions 2015-05-20 15:27:36 -04:00
Nick Mathewson
496df21c89 Use SSL_CIPHER_find where possible. 2015-05-20 15:27:36 -04:00
Nick Mathewson
971f0f8e18 Remove code to support OpenSSL 0.9.8 2015-05-20 15:27:36 -04:00
Nick Mathewson
67964cfa78 Try using SSL_get_ciphers in place of session->ciphers
This should help openssl 1.1.  On pre-1.1, we double-check that these
two methods give us the same list, since the underlying code is awfully
hairy.
2015-05-20 15:27:36 -04:00
Nick Mathewson
2f7c9b6ecb Tweak rectify_client_ciphers to work with openssl 1.1
The key here is to never touch ssl->cipher_list directly, but only
via SSL_get_ciphers().  But it's not so simple.

See, if there is no specialized cipher_list on the SSL object,
SSL_get_ciphers returns the cipher_list on the SSL_CTX.  But we sure
don't want to modify that one!  So we need to use
SSL_set_cipher_list first to make sure that we really have a cipher
list on the SSL object.
2015-05-20 15:27:36 -04:00
Nick Mathewson
d55db221e8 tor_tls_get_buffer_sizes() will not work on openssl 1.1. Patch from yawning 2015-05-13 12:12:53 -04:00
Nick Mathewson
34451c7a45 Use SSL_state() to inspect the state of SSL objects. 2015-05-13 11:34:10 -04:00
Nick Mathewson
22da5001b5 Use SSL_clear_mode where available. 2015-05-13 11:24:47 -04:00
Nick Mathewson
92b297bb58 SSL_clear_mode exists; we can use it. 2015-05-13 11:21:38 -04:00
Nick Mathewson
fa63f991c0 Stop accessing 'ssl->s3->flags' when we are using openssl 1.1
This field was only needed to work with the now-long-gone (I hope,
except for some horrible apples) openssl 0.9.8l; if your headers say
you have openssl 1.1, you won't even need it.
2015-05-13 11:19:19 -04:00
Nick Mathewson
e086db7952 Merge branch 'writing_tests' 2015-05-07 15:29:56 -04:00
Nick Mathewson
79e85313aa Write the outlines of a WritingTests.txt document
Also, add some sample tests to be examples.
2015-05-07 15:29:16 -04:00
Nick Mathewson
241e6b0937 Fix some conversion problems 2015-04-23 09:16:42 -04:00
David Goulet
3f41318472 Add crypto_rand_int_range() and use it
Incidently, this fixes a bug where the maximum value was never used when
only using crypto_rand_int(). For instance this example below in
rendservice.c never gets to INTRO_POINT_LIFETIME_MAX_SECONDS.

  int intro_point_lifetime_seconds =
    INTRO_POINT_LIFETIME_MIN_SECONDS +
    crypto_rand_int(INTRO_POINT_LIFETIME_MAX_SECONDS -
                    INTRO_POINT_LIFETIME_MIN_SECONDS);

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-04-21 11:06:12 -04:00
cypherpunks
5176f6f103 Remove relative paths to header files.
The paths are already in the directory search path of the compiler therefore no
need to include them in the source code.
2015-03-14 13:00:05 -04:00
Nick Mathewson
a9720b90f8 Fix whitespace from tor_x509_cert rename 2015-02-24 12:03:11 -05:00
Nick Mathewson
f253aef14f Mechanical rename: tor_cert_t -> tor_x509_cert_t 2015-02-24 12:03:10 -05:00
Nick Mathewson
69deab8b2a Merge remote-tracking branch 'public/bug13319' 2015-02-02 10:25:25 -05:00
Nick Mathewson
e9caa8645e Try to work around changes in openssl 1.1.0
Prefer not to use a couple of deprecated functions; include more
headers in tortls.c

This is part of  ticket 14188.
2015-01-28 10:00:58 -05:00
Nick Mathewson
b2663298e9 Fix tortls.c build with GCC<4.6
apparantly, "pragma GCC diagnostic push/pop" don't exist with older versions.

Fixes bug in 740e592790f570c446cbb5e6d4a77f842f75; bug not in any
released Tor.
2015-01-10 17:31:48 -05:00
Nick Mathewson
740e592790 Ignore warning for redundant decl in openssl/srtp.h 2015-01-10 16:06:25 -05:00
Nick Mathewson
f54e54b0b4 Bump copyright dates to 2015, in case someday this matters. 2015-01-02 14:27:39 -05:00
Nick Mathewson
5bcf952261 Check more thoroughly for unlogged OpenSSL errors 2014-11-02 13:04:44 -05:00
Nick Mathewson
fcdcb377a4 Add another year to our copyright dates.
Because in 95 years, we or our successors will surely care about
enforcing the BSD license terms on this code.  Right?
2014-10-28 15:30:16 -04:00
Nick Mathewson
affa251c83 Use a macro to indicate "The ecdhe group we use by default".
This might make Coverity happier about the if statement where we
have a default case that's the same as one of the other cases. CID 1248515
2014-10-20 09:08:42 -04:00
Nick Mathewson
33b399a7b2 Merge remote-tracking branch 'origin/maint-0.2.5' 2014-10-16 09:09:20 -04:00
Nick Mathewson
22b9caf0ae Merge remote-tracking branch 'origin/maint-0.2.4' into maint-0.2.5 2014-10-16 09:08:52 -04:00
Nick Mathewson
943fd4a252 Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4 2014-10-16 09:08:32 -04:00
Nick Mathewson
af73d3e4d8 Disable SSLv3 unconditionally. Closes ticket 13426.
The POODLE attack doesn't affect Tor, but there's no reason to tempt
fate: SSLv3 isn't going to get any better.
2014-10-15 11:50:05 -04:00