diff options
| author | Yawning Angel <yawning@schwanenlied.me> | 2015-05-21 17:07:30 +0000 |
|---|---|---|
| committer | Yawning Angel <yawning@schwanenlied.me> | 2015-05-21 17:07:30 +0000 |
| commit | 452cebc4a41bdba41d4a8ce3c16e73d585bb53f4 (patch) | |
| tree | 90145e18db15b67bdaf7e47a771c51014ec54ba7 /src/common/tortls.c | |
| parent | 0b7bf3585a378bca4fc5bb551af3c37d517fdf28 (diff) | |
| download | tor-452cebc4a41bdba41d4a8ce3c16e73d585bb53f4.tar.gz tor-452cebc4a41bdba41d4a8ce3c16e73d585bb53f4.zip | |
Remove support for OpenSSL without ECC.
As OpenSSL >= 1.0.0 is now required, ECDHE is now mandatory. The group
has to be validated at runtime, because of RedHat lawyers (P224 support
is entirely missing in the OpenSSL RPM, but P256 is present and is the
default).
Resolves ticket #16140.
Diffstat (limited to 'src/common/tortls.c')
| -rw-r--r-- | src/common/tortls.c | 34 |
1 files changed, 29 insertions, 5 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c index ca7b15fcd7..57d5408ca8 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -49,6 +49,9 @@ #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0) #error "We require OpenSSL >= 1.0.0" #endif +#ifdef OPENSSL_NO_EC +#error "We require OpenSSL with ECC support" +#endif #include <openssl/ssl.h> #include <openssl/ssl3.h> @@ -475,7 +478,6 @@ tor_tls_init(void) SSL_load_error_strings(); #if (SIZEOF_VOID_P >= 8 && \ - !defined(OPENSSL_NO_EC) && \ OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1)) long version = SSLeay(); @@ -1327,7 +1329,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh)); crypto_dh_free(dh); } -#if !defined(OPENSSL_NO_EC) if (! is_client) { int nid; EC_KEY *ec_key; @@ -1343,9 +1344,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, SSL_CTX_set_tmp_ecdh(result->ctx, ec_key); EC_KEY_free(ec_key); } -#else - (void)flags; -#endif SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER, always_accept_verify_cb); /* let us realloc bufs that we're writing from */ @@ -2933,3 +2931,29 @@ tor_tls_init_bufferevent(tor_tls_t *tls, struct bufferevent *bufev_in, } #endif +/** Check whether the ECC group requested is supported by the current OpenSSL + * library instance. Return 1 if the group is supported, and 0 if not. + */ +int +evaluate_ecgroup_for_tls(const char *ecgroup) +{ + EC_KEY *ec_key; + int nid; + int ret; + + if (!ecgroup) + nid = NID_tor_default_ecdhe_group; + else if (!strcasecmp(ecgroup, "P256")) + nid = NID_X9_62_prime256v1; + else if (!strcasecmp(ecgroup, "P224")) + nid = NID_secp224r1; + else + return 0; + + ec_key = EC_KEY_new_by_curve_name(nid); + ret = (ec_key != NULL); + EC_KEY_free(ec_key); + + return ret; +} + |