Home Explore Help
Sign In
piros
/
tor
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Require openssl 1.0.0a for using openssl's ctr-mode implementation

Previously we required 1.0.0, but there was a bug in the 1.0.0 counter
mode. Found by Pascal. Fixes bug 4779.

A more elegant solution would be good here if somebody has time to code
one.
Nick Mathewson 12 years ago
parent
334a0513de
commit
78f43c5d03
2 changed files with 8 additions and 2 deletions
Split View Show Diff Stats
  1. 4 0
      changes/bug4779
  2. 4 2
      src/common/aes.c

+ 4 - 0
changes/bug4779
View File 

@@ -0,0 +1,4 @@
 
+  o Minor bugfixes:
 
+    - Do not use OpenSSL 1.0.0's counter mode: it has a critical bug
 
+      that was fixed in OpenSSL 1.0.0a. Fixes bug 4779; bugfix on
 
+      Tor 0.2.3.9-alpha. Found by Pascal.

+ 4 - 2
src/common/aes.c
View File 

@@ -17,7 +17,7 @@
 
 #include <openssl/aes.h>
 
 #include <openssl/evp.h>
 
 #include <openssl/engine.h>
 
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
 
+#if OPENSSL_VERSION_NUMBER >= 0x1000001fL
 
 /* See comments about which counter mode implementation to use below. */
 
 #include <openssl/modes.h>
 
 #define USE_OPENSSL_CTR
 
@@ -45,7 +45,9 @@
 
  * Here we have a counter mode that's faster than the one shipping with
 
  * OpenSSL pre-1.0 (by about 10%!).  But OpenSSL 1.0.0 added a counter mode
 
  * implementation faster than the one here (by about 7%).  So we pick which
 
- * one to used based on the Openssl version above.
 
+ * one to used based on the Openssl version above.  (OpenSSL 1.0.0a fixed a
 
+ * critical bug in that counter mode implementation, so we actually require
 
+ * that one.)
 
  */
 
 
 /*======================================================================*/