authorNick Mathewson <nickm@torproject.org>2018-11-09 10:49:47 -0500
committerNick Mathewson <nickm@torproject.org>2018-11-09 10:49:47 -0500
commit93cf98cbb160f31804d129e6e3e33355883fc1b2 (patch)
tree5ccd80608e6e339b0c81887133a894fdc72f6bc1
parentdd0b8517940a62827498d1f930afa491f0edc612 (diff)
parentc06b7f090cfe49cef1b174d69277534eb0441696 (diff)
Merge branch 'maint-0.3.3' into release-0.3.3
-rw-r--r--changes/bug282456
-rw-r--r--configure.ac1
-rw-r--r--src/common/tortls.c17
3 files changed, 24 insertions, 0 deletions
diff --git a/changes/bug28245 b/changes/bug28245
new file mode 100644
index 0000000000..d7e6deb810
--- /dev/null
+++ b/changes/bug28245
@@ -0,0 +1,6 @@
+ o Major bugfixes (OpenSSL, portability):
+ - Fix our usage of named groups when running as a TLS 1.3 client in
+ OpenSSL 1.1.1. Previously, we only initialized EC groups when running
+ as a server, which caused clients to fail to negotiate TLS 1.3 with
+ relays. Fixes bug 28245; bugfix on 0.2.9.15 when TLS 1.3 support was
+ added.
diff --git a/configure.ac b/configure.ac
index bd084c9d31..a651a7b5f3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -855,6 +855,7 @@ AC_CHECK_FUNCS([ \
SSL_get_server_random \
SSL_get_client_ciphers \
SSL_get_client_random \
+ SSL_CTX_set1_groups_list \
SSL_CIPHER_find \
SSL_CTX_set_security_level \
TLS_method
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 7e2a134dc3..4ceb38ac86 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1263,6 +1263,22 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh));
crypto_dh_free(dh);
}
+/* We check for this function in two ways, since it might be either a symbol
+ * or a macro. */
+#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
+ {
+ const char *list;
+ if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
+ list = "P-224:P-256";
+ else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
+ list = "P-256:P-224";
+ else
+ list = "P-256:P-224";
+ int r = SSL_CTX_set1_groups_list(result->ctx, list);
+ if (r < 0)
+ goto error;
+ }
+#else
if (! is_client) {
int nid;
EC_KEY *ec_key;
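Review bot: The failure check after `SSL_CTX_set1_groups_list` in the new `#if` branch tests `r < 0`, but OpenSSL documents this call as returning 1 on success and 0 on failure, so a rejected group list would never reach `goto error`. In that case the context would presumably keep the library's default groups instead of the intended P-256/P-224 preference, and nothing would be logged. I would change the test to `if (r != 1) goto error;`, or log a warning and continue if builds lacking one of the curves must still start. Separately, the `else if` and `else` arms both assign `"P-256:P-224"` and could be merged into one. tor_tls_context_new begins and ends outside this hunk.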
@@ -1278,6 +1294,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
EC_KEY_free(ec_key);
}
+#endif
SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
always_accept_verify_cb);
/* let us realloc bufs that we're writing from */