author | Nick Mathewson <nickm@torproject.org> | 2018-11-09 10:10:25 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2018-11-09 10:10:25 -0500 |
commit | 1ba1a1ceca4501b673bfc56b15f1063ce35afe4e (patch) | |
tree | 355ff85aa5efa422d4264ee49a7d1a90300a9bd2 /src | |
parent | 0a824bd88998be66bfd8d55c7200fe3903e19739 (diff) | |
download | tor-1ba1a1ceca4501b673bfc56b15f1063ce35afe4e.tar.gz tor-1ba1a1ceca4501b673bfc56b15f1063ce35afe4e.zip |
Always declare groups when building with openssl 1.1.1 APIs
Failing to do so on clients was causing TLS 1.3 negotiation to fail.
Fixes bug 28245; bugfix on 0.2.9.15, when we added TLS 1.3 support.
Diffstat (limited to 'src')
-rw-r--r-- | src/common/tortls.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 1f2fe1ce18..7c50f87112 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1217,6 +1217,22 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
     SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh));
     crypto_dh_free(dh);
   }
+/* We check for this function in two ways, since it might be either a symbol
+ * or a macro. */
+#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
+  {
+    const char *list;
+    if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
+      list = "P-224:P-256";
+    else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
+      list = "P-256:P-224";
+    else
+      list = "P-256:P-224";
+    int r = SSL_CTX_set1_groups_list(result->ctx, list);
+    if (r < 0)
+      goto error;
+  }
+#else
   if (! is_client) {
     int nid;
     EC_KEY *ec_key;
@@ -1232,6 +1248,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
     SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
     EC_KEY_free(ec_key);
   }
+#endif
   SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER, always_accept_verify_cb);
   /* let us realloc bufs that we're writing from */
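Review bot: The added `if (r < 0) goto error;` after `SSL_CTX_set1_groups_list` can never fire, because OpenSSL documents that function as returning 1 on success and 0 on failure, so a rejected group list (e.g. a library build that does not recognise one of the named curves) would be silently ignored and the context created without the intended groups; the check should read `if (r != 1) goto error;`. The `else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)` branch assigns the same `"P-256:P-224"` string as the final `else`, so either the branch is redundant or a short comment should state why both flags are meant to produce the same preference order. tor_tls_context_new begins and ends outside this hunk, and the `error:` label the new code jumps to is not visible here.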