author | Nick Mathewson <nickm@torproject.org> | 2015-11-10 10:40:31 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2015-11-10 10:40:31 -0500 |
commit | 0a3eed5f204dc9759e5001c7cf2bb448015d6891 (patch) | |
tree | ed07216a1fae8ac2774e10b12f681715d2d4ff75 /src | |
parent | 0d5a439292a7837033afb733221b1f3b1f641b5f (diff) | |
parent | 05c34b3330349bbb1311e2366e7593993f1de6d7 (diff) | |
Merge branch 'bug17549'
Diffstat (limited to 'src')
-rw-r--r-- | src/common/compat_openssl.h | 37 | ||||
-rw-r--r-- | src/common/crypto.c | 33 | ||||
-rw-r--r-- | src/common/include.am | 1 | ||||
-rw-r--r-- | src/common/tortls.c | 21 | ||||
-rw-r--r-- | src/common/tortls.h | 1 | ||||
-rw-r--r-- | src/test/test_tortls.c | 24 |
6 files changed, 74 insertions, 43 deletions
diff --git a/src/common/compat_openssl.h b/src/common/compat_openssl.h
new file mode 100644
index 0000000000..3fcd684c0c
--- /dev/null
+++ b/src/common/compat_openssl.h
@@ -0,0 +1,37 @@
+/* Copyright (c) 2001, Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2015, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+#ifndef TOR_COMPAT_OPENSSL_H
+#define TOR_COMPAT_OPENSSL_H
+
+#include <openssl/opensslv.h>
+
+/**
+ * \file compat_openssl.h
+ *
+ * \brief compatability definitions for working with different openssl forks
+ **/
+
+#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
+#error "We require OpenSSL >= 1.0.0"
+#endif
+
+#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
+#define OPENSSL_VERSION SSLEAY_VERSION
+#define OpenSSL_version(v) SSLeay_version(v)
+#define OpenSSL_version_num() SSLeay()
+#define RAND_OpenSSL() RAND_SSLeay()
+#define STATE_IS_SW_SERVER_HELLO(st) \
+  (((st) == SSL3_ST_SW_SRVR_HELLO_A) || \
+   ((st) == SSL3_ST_SW_SRVR_HELLO_B))
+#define OSSL_HANDSHAKE_STATE int
+#else
+#define STATE_IS_SW_SERVER_HELLO(st) \
+  ((st) == TLS_ST_SW_SRVR_HELLO)
+#endif
+
+#endif
+
diff --git a/src/common/crypto.c b/src/common/crypto.c
index 7b38568360..4c41d4494d 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -21,18 +21,13 @@
 #undef OCSP_RESPONSE
 #endif
 
-#include <openssl/opensslv.h>
-
 #define CRYPTO_PRIVATE
 #include "crypto.h"
+#include "compat_openssl.h"
 #include "crypto_curve25519.h"
 #include "crypto_ed25519.h"
 #include "crypto_format.h"
 
-#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
-#error "We require OpenSSL >= 1.0.0"
-#endif
-
 #include <openssl/err.h>
 #include <openssl/rsa.h>
 #include <openssl/pem.h>
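Review bot: The fallback branch in compat_openssl.h is selected by OPENSSL_VERSION_NUMBER alone, while test_tortls.c in this same commit pairs that version test with `!defined(LIBRESSL_VERSION_NUMBER)`; a fork that reports a 1.1-or-later version number but does not provide OpenSSL_version(), OpenSSL_version_num() or TLS_ST_SW_SRVR_HELLO would take the `#else` branch and fail to build, so the header should carry the same guard, `#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0) || defined(LIBRESSL_VERSION_NUMBER)`. The header also uses OPENSSL_V_SERIES without defining it and includes only <openssl/opensslv.h>, so it is presumably only usable after crypto.h, which is why both the crypto.c hunk here and the tortls.h hunk later in this commit include it immediately after "crypto.h"; defining the macro in this header, or including whatever defines it, would make it self-contained. The `\brief` also misspells "compatibility".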
@@ -227,7 +222,7 @@ const char *
 crypto_openssl_get_version_str(void)
 {
   if (crypto_openssl_version_str == NULL) {
-    const char *raw_version = SSLeay_version(SSLEAY_VERSION);
+    const char *raw_version = OpenSSL_version(OPENSSL_VERSION);
     crypto_openssl_version_str = parse_openssl_version_str(raw_version);
   }
   return crypto_openssl_version_str;
@@ -251,11 +246,13 @@ crypto_openssl_get_header_version_str(void)
 static int
 crypto_force_rand_ssleay(void)
 {
-  if (RAND_get_rand_method() != RAND_SSLeay()) {
+  RAND_METHOD *default_method;
+  default_method = RAND_OpenSSL();
+  if (RAND_get_rand_method() != default_method) {
     log_notice(LD_CRYPTO, "It appears that one of our engines has provided "
                "a replacement the OpenSSL RNG. Resetting it to the default "
                "implementation.");
-    RAND_set_rand_method(RAND_SSLeay());
+    RAND_set_rand_method(default_method);
     return 1;
   }
   return 0;
@@ -291,16 +288,18 @@ crypto_early_init(void)
 
     setup_openssl_threading();
 
-    if (SSLeay() == OPENSSL_VERSION_NUMBER &&
-        !strcmp(SSLeay_version(SSLEAY_VERSION), OPENSSL_VERSION_TEXT)) {
+    unsigned long version_num = OpenSSL_version_num();
+    const char *version_str = OpenSSL_version(OPENSSL_VERSION);
+    if (version_num == OPENSSL_VERSION_NUMBER &&
+        !strcmp(version_str, OPENSSL_VERSION_TEXT)) {
       log_info(LD_CRYPTO, "OpenSSL version matches version from headers "
-               "(%lx: %s).", SSLeay(), SSLeay_version(SSLEAY_VERSION));
+               "(%lx: %s).", version_num, version_str);
     } else {
       log_warn(LD_CRYPTO, "OpenSSL version from headers does not match the "
                "version we're running with. If you get weird crashes, that "
                "might be why. (Compiled with %lx: %s; running with %lx: %s).",
                (unsigned long)OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT,
-               SSLeay(), SSLeay_version(SSLEAY_VERSION));
+               version_num, version_str);
     }
 
     crypto_force_rand_ssleay();
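Review bot: In crypto_force_rand_ssleay, `default_method` is declared without `const` and assigned on a separate line, leaving a window where it is declared but uninitialised. RAND_get_rand_method() returns a `const RAND_METHOD *` and RAND_set_rand_method() takes one, so `const RAND_METHOD *default_method = RAND_OpenSSL();` matches both call sites and the initialise-at-declaration style this same commit uses for `version_num` and `version_str` in the crypto_early_init hunk.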
@@ -404,11 +403,7 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
 void
 crypto_thread_cleanup(void)
 {
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
   ERR_remove_thread_state(NULL);
-#else
-  ERR_remove_state(0);
-#endif
 }
 
 /** used by tortls.c: wrap an RSA* in a crypto_pk_t. */
@@ -2695,11 +2690,7 @@ int
 crypto_global_cleanup(void)
 {
   EVP_cleanup();
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
   ERR_remove_thread_state(NULL);
-#else
-  ERR_remove_state(0);
-#endif
   ERR_free_strings();
 
   if (dh_param_p)
diff --git a/src/common/include.am b/src/common/include.am
index 7de93ba2ac..2fc92e2ceb 100644
--- a/src/common/include.am
+++ b/src/common/include.am
@@ -118,6 +118,7 @@ COMMONHEADERS = \
   src/common/ciphers.inc \
   src/common/compat.h \
   src/common/compat_libevent.h \
+  src/common/compat_openssl.h \
   src/common/compat_threads.h \
   src/common/container.h \
   src/common/crypto.h \
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 1057cf40f0..9f9ce0ddf5 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -40,9 +40,6 @@
 #include <openssl/opensslv.h>
 #include "crypto.h"
 
-#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
-#error "We require OpenSSL >= 1.0.0"
-#endif
 #ifdef OPENSSL_NO_EC
 #error "We require OpenSSL with ECC support"
 #endif
@@ -384,7 +381,7 @@ tor_tls_init(void)
 
 #if (SIZEOF_VOID_P >= 8 && \
      OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
-    long version = SSLeay();
+    long version = OpenSSL_version_num();
 
     /* LCOV_EXCL_START : we can't test these lines on the same machine */
     if (version >= OPENSSL_V_SERIES(1,0,1)) {
@@ -1525,7 +1522,6 @@ STATIC void
 tor_tls_server_info_callback(const SSL *ssl, int type, int val)
 {
   tor_tls_t *tls;
-  int ssl_state;
   (void) val;
 
   tor_tls_debug_state_callback(ssl, type, val);
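Review bot: crypto_thread_cleanup and crypto_global_cleanup now call ERR_remove_thread_state(NULL) unconditionally, which is valid for the 1.0.0 floor the new header enforces since that function exists throughout 1.0.x. If I recall correctly, though, OpenSSL 1.1.0 marks ERR_remove_thread_state as deprecated because per-thread error state is released automatically there, so builds that promote deprecation warnings to errors will trip on both call sites. Wrapping each call as `#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)` / `ERR_remove_thread_state(NULL);` / `#endif` keeps the 1.0.x behaviour and avoids the warning on 1.1; the same applies to the crypto_global_cleanup hunk that follows.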
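Review bot: In tor_tls_init, `long version = OpenSSL_version_num();` keeps the pre-existing signed `long`, while this same commit declares `unsigned long version_num` for the identical call in crypto_early_init. OpenSSL_version_num() (and SSLeay() before it) return `unsigned long`, so `unsigned long version = OpenSSL_version_num();` avoids the implicit signedness change and keeps the two files consistent. The rest of tor_tls_init, including the comparisons on `version`, lies outside the hunk.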
@@ -1533,9 +1529,8 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val) if (type != SSL_CB_ACCEPT_LOOP) return; - ssl_state = SSL_state(ssl); - if ((ssl_state != SSL3_ST_SW_SRVR_HELLO_A) && - (ssl_state != SSL3_ST_SW_SRVR_HELLO_B)) + OSSL_HANDSHAKE_STATE ssl_state = SSL_get_state(ssl); + if (! STATE_IS_SW_SERVER_HELLO(ssl_state)) return; tls = tor_tls_get_by_ssl(ssl); if (tls) { @@ -1892,13 +1887,14 @@ int tor_tls_handshake(tor_tls_t *tls) { int r; - int oldstate; tor_assert(tls); tor_assert(tls->ssl); tor_assert(tls->state == TOR_TLS_ST_HANDSHAKE); check_no_tls_errors(); - oldstate = SSL_state(tls->ssl); + + OSSL_HANDSHAKE_STATE oldstate = SSL_get_state(tls->ssl); + if (tls->isServer) { log_debug(LD_HANDSHAKE, "About to call SSL_accept on %p (%s)", tls, SSL_state_string_long(tls->ssl)); @@ -1908,7 +1904,10 @@ tor_tls_handshake(tor_tls_t *tls) SSL_state_string_long(tls->ssl)); r = SSL_connect(tls->ssl); } - if (oldstate != SSL_state(tls->ssl)) + + OSSL_HANDSHAKE_STATE newstate = SSL_get_state(tls->ssl); + + if (oldstate != newstate) log_debug(LD_HANDSHAKE, "After call, %p was in state %s", tls, SSL_state_string_long(tls->ssl)); /* We need to call this here and not earlier, since OpenSSL has a penchant diff --git a/src/common/tortls.h b/src/common/tortls.h index 1cfe029adb..a719cb57c3 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -12,6 +12,7 @@ **/ #include "crypto.h" +#include "compat_openssl.h" #include "compat.h" #include "testsupport.h" diff --git a/src/test/test_tortls.c b/src/test/test_tortls.c index fd3d50cf7e..dceecf49ab 100644 --- a/src/test/test_tortls.c +++ b/src/test/test_tortls.c @@ -56,6 +56,9 @@ extern tor_tls_context_t *client_tls_context; #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0) \ && !defined(LIBRESSL_VERSION_NUMBER) #define OPENSSL_OPAQUE +#define SSL_STATE_STR "before SSL initialization" +#else +#define SSL_STATE_STR "before/accept initialization" #endif #ifndef OPENSSL_OPAQUE 
@@ -131,7 +134,6 @@ test_tortls_tor_tls_new(void *data)
   MOCK(tor_tls_cert_matches_key, mock_tls_cert_matches_key);
   crypto_pk_t *key1 = NULL, *key2 = NULL;
   SSL_METHOD *method = NULL;
-  SSL_CTX *ctx = NULL;
 
   key1 = pk_generate(2);
   key2 = pk_generate(3);
@@ -149,7 +151,7 @@ test_tortls_tor_tls_new(void *data)
 
 #ifndef OPENSSL_OPAQUE
   method = give_me_a_test_method();
-  ctx = SSL_CTX_new(method);
+  SSL_CTX *ctx = SSL_CTX_new(method);
   method->num_ciphers = fake_num_ciphers;
   client_tls_context->ctx = ctx;
   tls = tor_tls_new(-1, 0);
@@ -237,35 +239,35 @@ test_tortls_get_state_description(void *ignored)
   tls->ssl = SSL_new(ctx);
 
   tor_tls_get_state_description(tls, buf, 200);
-  tt_str_op(buf, OP_EQ, "before/accept initialization in HANDSHAKE");
+  tt_str_op(buf, OP_EQ, SSL_STATE_STR " in HANDSHAKE");
 
   tls->state = TOR_TLS_ST_OPEN;
   tor_tls_get_state_description(tls, buf, 200);
-  tt_str_op(buf, OP_EQ, "before/accept initialization in OPEN");
+  tt_str_op(buf, OP_EQ, SSL_STATE_STR " in OPEN");
 
   tls->state = TOR_TLS_ST_GOTCLOSE;
   tor_tls_get_state_description(tls, buf, 200);
-  tt_str_op(buf, OP_EQ, "before/accept initialization in GOTCLOSE");
+  tt_str_op(buf, OP_EQ, SSL_STATE_STR " in GOTCLOSE");
 
   tls->state = TOR_TLS_ST_SENTCLOSE;
   tor_tls_get_state_description(tls, buf, 200);
-  tt_str_op(buf, OP_EQ, "before/accept initialization in SENTCLOSE");
+  tt_str_op(buf, OP_EQ, SSL_STATE_STR " in SENTCLOSE");
 
   tls->state = TOR_TLS_ST_CLOSED;
   tor_tls_get_state_description(tls, buf, 200);
-  tt_str_op(buf, OP_EQ, "before/accept initialization in CLOSED");
+  tt_str_op(buf, OP_EQ, SSL_STATE_STR " in CLOSED");
 
   tls->state = TOR_TLS_ST_RENEGOTIATE;
   tor_tls_get_state_description(tls, buf, 200);
-  tt_str_op(buf, OP_EQ, "before/accept initialization in RENEGOTIATE");
+  tt_str_op(buf, OP_EQ, SSL_STATE_STR " in RENEGOTIATE");
 
   tls->state = TOR_TLS_ST_BUFFEREVENT;
   tor_tls_get_state_description(tls, buf, 200);
-  tt_str_op(buf, OP_EQ, "before/accept initialization");
+  tt_str_op(buf, OP_EQ, SSL_STATE_STR);
 
   tls->state = 7;
   tor_tls_get_state_description(tls, buf, 200);
-  tt_str_op(buf, OP_EQ, "before/accept initialization in unknown TLS state");
+  tt_str_op(buf, OP_EQ, SSL_STATE_STR " in unknown TLS state");
 
  done:
   SSL_CTX_free(ctx);
@@ -414,7 +416,7 @@ test_tortls_log_one_error(void *ignored)
   tor_tls_log_one_error(tls, 0, LOG_WARN, 0, NULL);
   tt_int_op(mock_saved_log_number(), OP_EQ, 1);
   tt_str_op(mock_saved_log_at(0), OP_EQ, "TLS error with 127.hello: (null)"
-            " (in (null):(null):before/accept initialization)\n");
+            " (in (null):(null):" SSL_STATE_STR ")\n");
 
  done:
   teardown_capture_of_logs(previous_log);