diff options
| author | Nick Mathewson <nickm@torproject.org> | 2016-02-03 11:13:12 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2016-02-03 11:13:12 -0500 |
| commit | 27582325dc691f02c41612a258483a73f2e0e000 (patch) | |
| tree | 61314753c73f7ee49a2f94cff54a86f2ad6d7733 | |
| parent | 957cdb54699937818b539c75e413e88760ee34cd (diff) | |
| download | tor-27582325dc691f02c41612a258483a73f2e0e000.tar.gz tor-27582325dc691f02c41612a258483a73f2e0e000.zip | |
Make Tor build happily with OpenSSL master and libressl.
Also tested with 1.0.0t and 1.0.2f.
Closes ticket 19784.
Closes most of 17921. (Still need to make some tests pass.)
| -rw-r--r-- | changes/bug17921_bug17984 | 4 | ||||
| -rw-r--r-- | src/common/aes.c | 31 | ||||
| -rw-r--r-- | src/common/aes.h | 1 | ||||
| -rw-r--r-- | src/common/compat_openssl.h | 2 | ||||
| -rw-r--r-- | src/common/crypto.c | 4 | ||||
| -rw-r--r-- | src/common/tortls.c | 16 | ||||
| -rw-r--r-- | src/common/tortls.h | 7 | ||||
| -rw-r--r-- | src/test/test_crypto.c | 14 | ||||
| -rw-r--r-- | src/test/test_tortls.c | 9 |
9 files changed, 54 insertions, 34 deletions
diff --git a/changes/bug17921_bug17984 b/changes/bug17921_bug17984 new file mode 100644 index 0000000000..f254e295e0 --- /dev/null +++ b/changes/bug17921_bug17984 @@ -0,0 +1,4 @@ + o Minor features (compilation): + - Tor builds successfully with the unreleased OpenSSL 1.1 alpha + releases, and with the latest LibreSSL. Closes tickets 17921 and + 17984. diff --git a/src/common/aes.c b/src/common/aes.c index 7b6cc39b20..89c99c150a 100644 --- a/src/common/aes.c +++ b/src/common/aes.c @@ -81,47 +81,46 @@ #ifdef USE_EVP_AES_CTR -struct aes_cnt_cipher { - EVP_CIPHER_CTX evp; -}; +/* We don't actually define the struct here. */ aes_cnt_cipher_t * aes_new_cipher(const char *key, const char *iv) { - aes_cnt_cipher_t *cipher; - cipher = tor_malloc_zero(sizeof(aes_cnt_cipher_t)); - EVP_EncryptInit(&cipher->evp, EVP_aes_128_ctr(), + EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new(); + EVP_EncryptInit(cipher, EVP_aes_128_ctr(), (const unsigned char*)key, (const unsigned char *)iv); - return cipher; + return (aes_cnt_cipher_t *) cipher; } void -aes_cipher_free(aes_cnt_cipher_t *cipher) +aes_cipher_free(aes_cnt_cipher_t *cipher_) { - if (!cipher) + if (!cipher_) return; - EVP_CIPHER_CTX_cleanup(&cipher->evp); - memwipe(cipher, 0, sizeof(aes_cnt_cipher_t)); - tor_free(cipher); + EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_; + EVP_CIPHER_CTX_cleanup(cipher); + EVP_CIPHER_CTX_free(cipher); } void -aes_crypt(aes_cnt_cipher_t *cipher, const char *input, size_t len, +aes_crypt(aes_cnt_cipher_t *cipher_, const char *input, size_t len, char *output) { int outl; + EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_; tor_assert(len < INT_MAX); - EVP_EncryptUpdate(&cipher->evp, (unsigned char*)output, + EVP_EncryptUpdate(cipher, (unsigned char*)output, &outl, (const unsigned char *)input, (int)len); } void -aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len) +aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len) { int outl; + EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_; tor_assert(len < INT_MAX); - EVP_EncryptUpdate(&cipher->evp, (unsigned char*)data, + EVP_EncryptUpdate(cipher, (unsigned char*)data, &outl, (unsigned char*)data, (int)len); } int diff --git a/src/common/aes.h b/src/common/aes.h index df2f3aa65d..5500db7d0c 100644 --- a/src/common/aes.h +++ b/src/common/aes.h @@ -13,7 +13,6 @@ * \brief Headers for aes.c */ -struct aes_cnt_cipher; typedef struct aes_cnt_cipher aes_cnt_cipher_t; aes_cnt_cipher_t* aes_new_cipher(const char *key, const char *iv); diff --git a/src/common/compat_openssl.h b/src/common/compat_openssl.h index 9c98181bdd..d5333a26d6 100644 --- a/src/common/compat_openssl.h +++ b/src/common/compat_openssl.h @@ -35,9 +35,11 @@ (((st) == SSL3_ST_SW_SRVR_HELLO_A) || \ ((st) == SSL3_ST_SW_SRVR_HELLO_B)) #define OSSL_HANDSHAKE_STATE int +#define CONST_IF_OPENSSL_1_1_API #else #define STATE_IS_SW_SERVER_HELLO(st) \ ((st) == TLS_ST_SW_SRVR_HELLO) +#define CONST_IF_OPENSSL_1_1_API const #endif #endif diff --git a/src/common/crypto.c b/src/common/crypto.c index a42c461b14..bc659b1935 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -373,8 +373,12 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir) used by Tor and the set of algorithms available in the engine */ log_engine("RSA", ENGINE_get_default_RSA()); log_engine("DH", ENGINE_get_default_DH()); +#ifdef OPENSSL_1_1_API + log_engine("EC", ENGINE_get_default_EC()); +#else log_engine("ECDH", ENGINE_get_default_ECDH()); log_engine("ECDSA", ENGINE_get_default_ECDSA()); +#endif log_engine("RAND", ENGINE_get_default_RAND()); log_engine("RAND (which we will not use)", ENGINE_get_default_RAND()); log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1)); diff --git a/src/common/tortls.c b/src/common/tortls.c index 6e4cd3d480..5f84e5cf4d 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -911,7 +911,7 @@ tor_tls_cert_is_valid(int severity, } else if (cert_key) { int min_bits = 1024; #ifdef EVP_PKEY_EC - if (EVP_PKEY_type(cert_key->type) == EVP_PKEY_EC) + if (EVP_PKEY_base_id(cert_key) == EVP_PKEY_EC) min_bits = 128; #endif if (EVP_PKEY_bits(cert_key) >= min_bits) @@ -1414,7 +1414,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl, /* Now we need to see if there are any ciphers whose presence means we're * dealing with an updated Tor. */ for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) { - SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i); + const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i); const char *ciphername = SSL_CIPHER_get_name(cipher); if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) && strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) && @@ -1431,7 +1431,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl, { const uint16_t *v2_cipher = v2_cipher_list; for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) { - SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i); + const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i); uint16_t id = SSL_CIPHER_get_id(cipher) & 0xffff; if (id == 0x00ff) /* extended renegotiation indicator. */ continue; @@ -1453,7 +1453,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl, smartlist_t *elts = smartlist_new(); char *s; for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) { - SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i); + const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i); const char *ciphername = SSL_CIPHER_get_name(cipher); smartlist_add(elts, (char*)ciphername); } @@ -1562,7 +1562,8 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val) STATIC int tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len, STACK_OF(SSL_CIPHER) *peer_ciphers, - SSL_CIPHER **cipher, void *arg) + CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher, + void *arg) { (void) secret; (void) secret_len; @@ -1733,8 +1734,13 @@ tor_tls_block_renegotiation(tor_tls_t *tls) void tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls) { +#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && \ + SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION != 0 long options = SSL_get_options(tls->ssl); tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)); +#else + (void) tls; +#endif } /** Return whether this tls initiated the connect (client) or diff --git a/src/common/tortls.h b/src/common/tortls.h index 6a4ef9aebe..7239eb9fd7 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -143,9 +143,10 @@ STATIC size_t SSL_SESSION_get_master_key(SSL_SESSION *s, uint8_t *out, STATIC void tor_tls_debug_state_callback(const SSL *ssl, int type, int val); STATIC void tor_tls_server_info_callback(const SSL *ssl, int type, int val); STATIC int tor_tls_session_secret_cb(SSL *ssl, void *secret, - int *secret_len, - STACK_OF(SSL_CIPHER) *peer_ciphers, - SSL_CIPHER **cipher, void *arg); + int *secret_len, + STACK_OF(SSL_CIPHER) *peer_ciphers, + CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher, + void *arg); STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m, uint16_t cipher); MOCK_DECL(STATIC X509*, tor_tls_create_certificate,(crypto_pk_t *rsa, diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c index fb21f3ad09..3244c210e6 100644 --- a/src/test/test_crypto.c +++ b/src/test/test_crypto.c @@ -1108,6 +1108,11 @@ test_crypto_digests(void *arg) crypto_pk_free(k); } +#ifndef OPENSSL_1_1_API +#define EVP_ENCODE_CTX_new() tor_malloc_zero(sizeof(EVP_ENCODE_CTX)) +#define EVP_ENCODE_CTX_free(ctx) tor_free(ctx) +#endif + /** Encode src into dest with OpenSSL's EVP Encode interface, returning the * length of the encoded data in bytes. */ @@ -1115,12 +1120,13 @@ static int base64_encode_evp(char *dest, char *src, size_t srclen) { const unsigned char *s = (unsigned char*)src; - EVP_ENCODE_CTX ctx; + EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new(); int len, ret; - EVP_EncodeInit(&ctx); - EVP_EncodeUpdate(&ctx, (unsigned char *)dest, &len, s, (int)srclen); - EVP_EncodeFinal(&ctx, (unsigned char *)(dest + len), &ret); + EVP_EncodeInit(ctx); + EVP_EncodeUpdate(ctx, (unsigned char *)dest, &len, s, (int)srclen); + EVP_EncodeFinal(ctx, (unsigned char *)(dest + len), &ret); + EVP_ENCODE_CTX_free(ctx); return ret+ len; } diff --git a/src/test/test_tortls.c b/src/test/test_tortls.c index 98f5facc11..ce7e6bcde4 100644 --- a/src/test/test_tortls.c +++ b/src/test/test_tortls.c @@ -1347,11 +1347,10 @@ test_tortls_get_buffer_sizes(void *ignored) tls->ssl->s3->wbuf.offset = 0; tls->ssl->s3->wbuf.left = 43; + ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b); #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) - ret = tor_tls_get_buffer_sizes(NULL, NULL, NULL, NULL, NULL); tt_int_op(ret, OP_EQ, -1); #else - ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b); tt_int_op(ret, OP_EQ, 0); tt_int_op(rbuf_c, OP_EQ, 0); tt_int_op(wbuf_c, OP_EQ, 0); @@ -2594,14 +2593,14 @@ test_tortls_create_certificate(void *ignored) tt_assert(!ret); fixed_crypto_pk_get_evp_pkey_result_index = 0; - fixed_crypto_pk_get_evp_pkey_result[0] = tor_malloc_zero(sizeof(EVP_PKEY)); + fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new(); fixed_crypto_pk_get_evp_pkey_result[1] = NULL; ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1); tt_assert(!ret); fixed_crypto_pk_get_evp_pkey_result_index = 0; - fixed_crypto_pk_get_evp_pkey_result[0] = tor_malloc_zero(sizeof(EVP_PKEY)); - fixed_crypto_pk_get_evp_pkey_result[1] = tor_malloc_zero(sizeof(EVP_PKEY)); + fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new(); + fixed_crypto_pk_get_evp_pkey_result[1] = EVP_PKEY_new(); ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1); tt_assert(!ret); |