Merge branch 'bug4822_021_v2_squashed' into maint-0.2.1

2 files changed, 47 insertions, 3 deletions

diff --git a/changes/bug4822 b/changes/bug4822
new file mode 100644
index 0000000000..73f43f0452
--- /dev/null
+++ b/changes/bug4822
@@ -0,0 +1,13 @@
+  o Major security workaround:
+    - When building or running with any version of OpenSSL earlier
+      than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had
+      a bug (CVE-2011-4576) in which their block cipher padding
+      included uninitialized data, potentially leaking sensitive
+      information to any peer with whom they made a SSLv3
+      connection. Tor does not use SSL v3 by default, but a hostile
+      client or server could force an SSLv3 connection in order to
+      gain information that they shouldn't have been able to get. The
+      best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or
+      later). But when building or running with a non-upgraded
+      OpenSSL, we should instead make sure that the bug can't happen
+      by disabling SSLv3 entirely.
diff --git a/src/common/tortls.c b/src/common/tortls.c
index cc805f80ce..d88a59b9c7 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -64,6 +64,16 @@
 
 #define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")
 
+#if (OPENSSL_VERSION_NUMBER  <  0x0090813fL ||    \
+     (OPENSSL_VERSION_NUMBER >= 0x00909000L &&    \
+      OPENSSL_VERSION_NUMBER <  0x1000006fL))
+/* This is a version of OpenSSL before 0.9.8s/1.0.0f. It does not have
+ * the CVE-2011-4657 fix, and as such it can't use RELEASE_BUFFERS and
+ * SSL3 safely at the same time.
+ */
+#define DISABLE_SSL3_HANDSHAKE
+#endif
+
 /* We redefine these so that we can run correctly even if the vendor gives us
  * a version of OpenSSL that does not match its header files.  (Apple: I am
  * looking at you.)
@@ -739,16 +749,37 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime,
     result->key = crypto_pk_dup_key(rsa);
   }
 
-#ifdef EVERYONE_HAS_AES
-  /* Tell OpenSSL to only use TLS1 */
+#if 0
+  /* Tell OpenSSL to only use TLS1. This would actually break compatibility
+   * with clients that are configured to use SSLv23_method(), so we should
+   * probably never use it.
+   */
   if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
     goto error;
-#else
+#endif
+
   /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
   if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
     goto error;
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
+
+  if (
+#ifdef DISABLE_SSL3_HANDSHAKE
+      1 ||
 #endif
+      SSLeay()  <  0x0090813fL ||
+      (SSLeay() >= 0x00909000L &&
+       SSLeay() <  0x1000006fL)) {
+    /* And not SSL3 if it's subject to CVE-2011-4657. */
+    log_info(LD_NET, "Disabling SSLv3 because this OpenSSL version "
+             "might otherwise be vulnerable to CVE-2011-4657 "
+             "(compile-time version %08lx (%s); "
+             "runtime version %08lx (%s))",
+             OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT,
+             SSLeay(), SSLeay_version(SSLEAY_VERSION));
+    SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
+  }
+
   SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
 
 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION