Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/crypt_ops/crypto_curve25519.c2
-rw-r--r--src/lib/crypt_ops/crypto_dh_openssl.c6
-rw-r--r--src/lib/err/backtrace.c3
-rw-r--r--src/lib/fs/freespace.c1
-rw-r--r--src/lib/net/inaddr_st.h5
-rw-r--r--src/lib/net/socketpair.c2
-rw-r--r--src/lib/tls/tortls_openssl.c46
7 files changed, 61 insertions, 4 deletions
diff --git a/src/lib/crypt_ops/crypto_curve25519.c b/src/lib/crypt_ops/crypto_curve25519.c
index e6a39a8c08..f3a9de9fc5 100644
--- a/src/lib/crypt_ops/crypto_curve25519.c
+++ b/src/lib/crypt_ops/crypto_curve25519.c
@@ -289,7 +289,7 @@ curve25519_basepoint_spot_check(void)
0x0d,0xbf,0x3a,0x0d,0x26,0x38,0x1a,0xf4,
0xeb,0xa4,0xa9,0x8e,0xaa,0x9b,0x4e,0x6a
};
- const int loop_max=200;
+ const int loop_max=8;
int save_use_ed = curve25519_use_ed;
unsigned char e1[32], e2[32];
unsigned char x[32],y[32];
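Review bot: The new `const int loop_max=8;` carries no comment saying why eight rounds are enough, and the change cuts the coverage of this self-check by a factor of 25. The loop body is outside the hunk, so I can't tell what each round compares; from the function name and `save_use_ed` it looks like a cross-check between two basepoint implementations. Please record the reasoning next to the constant, e.g. `/* Rounds of the spot check; kept small because <reason>. */` with the actual reason filled in.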
diff --git a/src/lib/crypt_ops/crypto_dh_openssl.c b/src/lib/crypt_ops/crypto_dh_openssl.c
index 54946458d5..0d9bd513cf 100644
--- a/src/lib/crypt_ops/crypto_dh_openssl.c
+++ b/src/lib/crypt_ops/crypto_dh_openssl.c
@@ -45,6 +45,8 @@ static BIGNUM *dh_param_p_tls = NULL;
/** Shared G parameter for our DH key exchanges. */
static BIGNUM *dh_param_g = NULL;
+/* This function is disabled unless we change the DH parameters. */
+#if 0
/** Validate a given set of Diffie-Hellman parameters. This is moderately
* computationally expensive (milliseconds), so should only be called when
* the DH parameters change. Returns 0 on success, * -1 on failure.
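Review bot: The `#if 0` added here (closed by the `#endif` in the next hunk) and the second `#if 0` pair around the two `tor_assert` calls in crypto_dh_init_openssl() leave nothing that forces validation back on if the hardcoded primes are edited later; the only safeguard is the comment. I would keep crypto_validate_dh_params() compiled and call it from a unit test, so a bad parameter change fails the test suite rather than relying on someone remembering to flip the `#if`. If it must stay compiled out, gate both regions on one named macro so they cannot be re-enabled separately, e.g. `#ifdef VALIDATE_DH_PARAMS_AT_STARTUP` (name illustrative). The function body lies between this hunk and the next and is not visible here.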
@@ -98,6 +100,7 @@ crypto_validate_dh_params(const BIGNUM *p, const BIGNUM *g)
DH_free(dh);
return ret;
}
+#endif
/**
* Helper: convert <b>hex<b> to a bignum, and return it. Assert that the
@@ -151,8 +154,11 @@ crypto_dh_init_openssl(void)
dh_param_p = bignum_from_hex(OAKLEY_PRIME_2);
dh_param_p_tls = bignum_from_hex(TLS_DH_PRIME);
+ /* Checks below are disabled unless we change the hardcoded DH parameters. */
+#if 0
tor_assert(0 == crypto_validate_dh_params(dh_param_p, dh_param_g));
tor_assert(0 == crypto_validate_dh_params(dh_param_p_tls, dh_param_g));
+#endif
}
/** Number of bits to use when choosing the x or y value in a Diffie-Hellman
diff --git a/src/lib/err/backtrace.c b/src/lib/err/backtrace.c
index d18a595c34..b568c888c5 100644
--- a/src/lib/err/backtrace.c
+++ b/src/lib/err/backtrace.c
@@ -32,6 +32,9 @@
#ifdef HAVE_SIGNAL_H
#include <signal.h>
#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
#include <errno.h>
#include <stdlib.h>
#include <string.h>
diff --git a/src/lib/fs/freespace.c b/src/lib/fs/freespace.c
index 2dbba3c5f8..c18b1e0234 100644
--- a/src/lib/fs/freespace.c
+++ b/src/lib/fs/freespace.c
@@ -19,6 +19,7 @@
#include <windows.h>
#endif
+#include <errno.h>
#include <string.h>
/** Return the amount of free disk space we have permission to use, in
diff --git a/src/lib/net/inaddr_st.h b/src/lib/net/inaddr_st.h
index dc4c6e3a00..a6b7796268 100644
--- a/src/lib/net/inaddr_st.h
+++ b/src/lib/net/inaddr_st.h
@@ -28,6 +28,9 @@
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
#ifdef _WIN32
#include <winsock2.h>
@@ -60,7 +63,7 @@ struct in6_addr
/** @{ */
/** Many BSD variants seem not to define these. */
#if defined(__APPLE__) || defined(__darwin__) || \
- defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
+ defined(__FreeBSD__) || defined(__NetBSD__) || defined(OpenBSD)
#ifndef s6_addr16
#define s6_addr16 __u6_addr.__u6_addr16
#endif
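Review bot: Replacing `defined(__OpenBSD__)` with `defined(OpenBSD)` makes the s6_addr16 fallback depend on <sys/param.h> having been included, and that include (added in the previous hunk of this file) is itself conditional on HAVE_SYS_PARAM_H. If that macro is ever undefined on an OpenBSD build, the block is skipped silently. Keeping both spellings, `defined(__OpenBSD__) || defined(OpenBSD)`, avoids this, and a comment such as `/* OpenBSD is defined by <sys/param.h> */` next to the include would document the dependency. The `#if` block continues past the end of the hunk.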
diff --git a/src/lib/net/socketpair.c b/src/lib/net/socketpair.c
index 380338f15c..6a21581d87 100644
--- a/src/lib/net/socketpair.c
+++ b/src/lib/net/socketpair.c
@@ -62,7 +62,7 @@ get_local_listener(int family, int type)
len = sizeof(sin);
} else {
sa = (struct sockaddr *) &sin6;
- sin6.sin6_family = AF_INET;
+ sin6.sin6_family = AF_INET6;
sin6.sin6_addr.s6_addr[15] = 1;
len = sizeof(sin6);
}
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
index 63f6259a6c..99371cfc40 100644
--- a/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@@ -99,6 +99,9 @@ ENABLE_GCC_WARNING(redundant-decls)
#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
#endif
+/** Set to true iff openssl bug 7712 has been detected. */
+static int openssl_bug_7712_is_present = 0;
+
/** Return values for tor_tls_classify_client_ciphers.
*
* @{
@@ -1054,6 +1057,13 @@ tor_tls_new(tor_socket_t sock, int isServer)
}
#endif /* defined(SSL_set_tlsext_host_name) */
+#ifdef SSL_CTRL_SET_MAX_PROTO_VERSION
+ if (openssl_bug_7712_is_present) {
+ /* We can't actually use TLS 1.3 until this bug is fixed. */
+ SSL_set_max_proto_version(result->ssl, TLS1_2_VERSION);
+ }
+#endif
+
if (!SSL_set_cipher_list(result->ssl,
isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST)) {
tls_log_errors(NULL, LOG_WARN, LD_NET, "setting ciphers");
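Review bot: The return value of `SSL_set_max_proto_version()` is dropped in the new `if (openssl_bug_7712_is_present)` block, so if the call fails the connection still allows TLS 1.3 and will hit the same export failure later with no record of why. I would check it and log, e.g. `if (!SSL_set_max_proto_version(result->ssl, TLS1_2_VERSION)) tls_log_errors(NULL, LOG_WARN, LD_NET, "capping TLS version");`. tor_tls_new() starts and ends outside this hunk.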
@@ -1671,7 +1681,8 @@ tor_tls_get_tlssecrets,(tor_tls_t *tls, uint8_t *secrets_out))
* provided <b>context</b> (<b>context_len</b> bytes long) and
* <b>label</b> (a NUL-terminated string), compute a 32-byte secret in
* <b>secrets_out</b> that only the parties to this TLS session can
- * compute. Return 0 on success and -1 on failure.
+ * compute. Return 0 on success; -1 on failure; and -2 on failure
+ * caused by OpenSSL bug 7712.
*/
MOCK_IMPL(int,
tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out,
@@ -1686,6 +1697,39 @@ tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out,
secrets_out, DIGEST256_LEN,
label, strlen(label),
context, context_len, 1);
+
+ if (r != 1) {
+ int severity = openssl_bug_7712_is_present ? LOG_WARN : LOG_DEBUG;
+ tls_log_errors(tls, severity, LD_NET, "exporting keying material");
+ }
+
+#ifdef TLS1_3_VERSION
+ if (r != 1 &&
+ strlen(label) > 12 &&
+ SSL_version(tls->ssl) >= TLS1_3_VERSION) {
+
+ if (! openssl_bug_7712_is_present) {
+ /* We might have run into OpenSSL issue 7712, which caused OpenSSL
+ * 1.1.1a to not handle long labels. Let's test to see if we have.
+ */
+ r = SSL_export_keying_material(tls->ssl, secrets_out, DIGEST256_LEN,
+ "short", 5, context, context_len, 1);
+ if (r == 1) {
+ /* A short label succeeds, but a long label fails. This was openssl
+ * issue 7712. */
+ openssl_bug_7712_is_present = 1;
+ log_warn(LD_GENERAL, "Detected OpenSSL bug 7712: disabling TLS 1.3 on "
+ "future connections. A fix is expected to appear in OpenSSL "
+ "1.1.1b.");
+ }
+ }
+ if (openssl_bug_7712_is_present)
+ return -2;
+ else
+ return -1;
+ }
+#endif
+
return (r == 1) ? 0 : -1;
}
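Review bot: The probe call in the `if (! openssl_bug_7712_is_present)` branch writes its output into `secrets_out`, so when the short label succeeds the function returns -2 with the caller's buffer holding valid-looking key material derived from the wrong label. Writing the probe into a local `uint8_t probe[DIGEST256_LEN];` and wiping it afterwards, or adding `memwipe(secrets_out, 0, DIGEST256_LEN);` before the two failure returns (assuming memwipe() is in scope in this file), keeps a caller that mishandles the new -2 from using that material. The `strlen(label) > 12` threshold also needs a comment saying where 12 comes from, and the final `if`/`else` should be braced. The function's signature and the start of the first export call are outside this hunk.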