Browse Source

Make Tor build happily with OpenSSL master and libressl.

Also tested with 1.0.0t and 1.0.2f.

Closes ticket 19784.

Closes most of 17921. (Still need to make some tests pass.)
Nick Mathewson 8 years ago
parent
commit
27582325dc

+ 4 - 0
changes/bug17921_bug17984

@@ -0,0 +1,4 @@
+  o Minor features (compilation):
+    - Tor builds successfully with the unreleased OpenSSL 1.1 alpha
+      releases, and with the latest LibreSSL. Closes tickets 17921 and
+      17984.

+ 15 - 16
src/common/aes.c

@@ -81,47 +81,46 @@
 
 #ifdef USE_EVP_AES_CTR
 
-struct aes_cnt_cipher {
-  EVP_CIPHER_CTX evp;
-};
+/* We don't actually define the struct here. */
 
 aes_cnt_cipher_t *
 aes_new_cipher(const char *key, const char *iv)
 {
-  aes_cnt_cipher_t *cipher;
-  cipher = tor_malloc_zero(sizeof(aes_cnt_cipher_t));
-  EVP_EncryptInit(&cipher->evp, EVP_aes_128_ctr(),
+  EVP_CIPHER_CTX *cipher = EVP_CIPHER_CTX_new();
+  EVP_EncryptInit(cipher, EVP_aes_128_ctr(),
                   (const unsigned char*)key, (const unsigned char *)iv);
-  return cipher;
+  return (aes_cnt_cipher_t *) cipher;
 }
 void
-aes_cipher_free(aes_cnt_cipher_t *cipher)
+aes_cipher_free(aes_cnt_cipher_t *cipher_)
 {
-  if (!cipher)
+  if (!cipher_)
     return;
-  EVP_CIPHER_CTX_cleanup(&cipher->evp);
-  memwipe(cipher, 0, sizeof(aes_cnt_cipher_t));
-  tor_free(cipher);
+  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
+  EVP_CIPHER_CTX_cleanup(cipher);
+  EVP_CIPHER_CTX_free(cipher);
 }
 void
-aes_crypt(aes_cnt_cipher_t *cipher, const char *input, size_t len,
+aes_crypt(aes_cnt_cipher_t *cipher_, const char *input, size_t len,
           char *output)
 {
   int outl;
+  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
 
   tor_assert(len < INT_MAX);
 
-  EVP_EncryptUpdate(&cipher->evp, (unsigned char*)output,
+  EVP_EncryptUpdate(cipher, (unsigned char*)output,
                     &outl, (const unsigned char *)input, (int)len);
 }
 void
-aes_crypt_inplace(aes_cnt_cipher_t *cipher, char *data, size_t len)
+aes_crypt_inplace(aes_cnt_cipher_t *cipher_, char *data, size_t len)
 {
   int outl;
+  EVP_CIPHER_CTX *cipher = (EVP_CIPHER_CTX *) cipher_;
 
   tor_assert(len < INT_MAX);
 
-  EVP_EncryptUpdate(&cipher->evp, (unsigned char*)data,
+  EVP_EncryptUpdate(cipher, (unsigned char*)data,
                     &outl, (unsigned char*)data, (int)len);
 }
 int

+ 0 - 1
src/common/aes.h

@@ -13,7 +13,6 @@
  * \brief Headers for aes.c
  */
 
-struct aes_cnt_cipher;
 typedef struct aes_cnt_cipher aes_cnt_cipher_t;
 
 aes_cnt_cipher_t* aes_new_cipher(const char *key, const char *iv);

+ 2 - 0
src/common/compat_openssl.h

@@ -35,9 +35,11 @@
   (((st) == SSL3_ST_SW_SRVR_HELLO_A) ||    \
    ((st) == SSL3_ST_SW_SRVR_HELLO_B))
 #define OSSL_HANDSHAKE_STATE int
+#define CONST_IF_OPENSSL_1_1_API
 #else
 #define STATE_IS_SW_SERVER_HELLO(st) \
   ((st) == TLS_ST_SW_SRVR_HELLO)
+#define CONST_IF_OPENSSL_1_1_API const
 #endif
 
 #endif

+ 4 - 0
src/common/crypto.c

@@ -373,8 +373,12 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
          used by Tor and the set of algorithms available in the engine */
       log_engine("RSA", ENGINE_get_default_RSA());
       log_engine("DH", ENGINE_get_default_DH());
+#ifdef OPENSSL_1_1_API
+      log_engine("EC", ENGINE_get_default_EC());
+#else
       log_engine("ECDH", ENGINE_get_default_ECDH());
       log_engine("ECDSA", ENGINE_get_default_ECDSA());
+#endif
       log_engine("RAND", ENGINE_get_default_RAND());
       log_engine("RAND (which we will not use)", ENGINE_get_default_RAND());
       log_engine("SHA1", ENGINE_get_digest_engine(NID_sha1));

+ 11 - 5
src/common/tortls.c

@@ -911,7 +911,7 @@ tor_tls_cert_is_valid(int severity,
   } else if (cert_key) {
     int min_bits = 1024;
 #ifdef EVP_PKEY_EC
-    if (EVP_PKEY_type(cert_key->type) == EVP_PKEY_EC)
+    if (EVP_PKEY_base_id(cert_key) == EVP_PKEY_EC)
       min_bits = 128;
 #endif
     if (EVP_PKEY_bits(cert_key) >= min_bits)
@@ -1414,7 +1414,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
   /* Now we need to see if there are any ciphers whose presence means we're
    * dealing with an updated Tor. */
   for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
-    SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
+    const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
     const char *ciphername = SSL_CIPHER_get_name(cipher);
     if (strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) &&
         strcmp(ciphername, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) &&
@@ -1431,7 +1431,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
   {
     const uint16_t *v2_cipher = v2_cipher_list;
     for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
-      SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
+      const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
       uint16_t id = SSL_CIPHER_get_id(cipher) & 0xffff;
       if (id == 0x00ff) /* extended renegotiation indicator. */
         continue;
@@ -1453,7 +1453,7 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
     smartlist_t *elts = smartlist_new();
     char *s;
     for (i = 0; i < sk_SSL_CIPHER_num(peer_ciphers); ++i) {
-      SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
+      const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(peer_ciphers, i);
       const char *ciphername = SSL_CIPHER_get_name(cipher);
       smartlist_add(elts, (char*)ciphername);
     }
@@ -1562,7 +1562,8 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val)
 STATIC int
 tor_tls_session_secret_cb(SSL *ssl, void *secret, int *secret_len,
                           STACK_OF(SSL_CIPHER) *peer_ciphers,
-                          SSL_CIPHER **cipher, void *arg)
+                          CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
+                          void *arg)
 {
   (void) secret;
   (void) secret_len;
@@ -1733,8 +1734,13 @@ tor_tls_block_renegotiation(tor_tls_t *tls)
 void
 tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
 {
+#if defined(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && \
+  SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION != 0
   long options = SSL_get_options(tls->ssl);
   tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION));
+#else
+  (void) tls;
+#endif
 }
 
 /** Return whether this tls initiated the connect (client) or

+ 4 - 3
src/common/tortls.h

@@ -143,9 +143,10 @@ STATIC size_t SSL_SESSION_get_master_key(SSL_SESSION *s, uint8_t *out,
 STATIC void tor_tls_debug_state_callback(const SSL *ssl, int type, int val);
 STATIC void tor_tls_server_info_callback(const SSL *ssl, int type, int val);
 STATIC int tor_tls_session_secret_cb(SSL *ssl, void *secret,
-                                     int *secret_len,
-                                     STACK_OF(SSL_CIPHER) *peer_ciphers,
-                                     SSL_CIPHER **cipher, void *arg);
+                            int *secret_len,
+                            STACK_OF(SSL_CIPHER) *peer_ciphers,
+                            CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher,
+                            void *arg);
 STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m,
                              uint16_t cipher);
 MOCK_DECL(STATIC X509*, tor_tls_create_certificate,(crypto_pk_t *rsa,

+ 10 - 4
src/test/test_crypto.c

@@ -1108,6 +1108,11 @@ test_crypto_digests(void *arg)
   crypto_pk_free(k);
 }
 
+#ifndef OPENSSL_1_1_API
+#define EVP_ENCODE_CTX_new() tor_malloc_zero(sizeof(EVP_ENCODE_CTX))
+#define EVP_ENCODE_CTX_free(ctx) tor_free(ctx)
+#endif
+
 /** Encode src into dest with OpenSSL's EVP Encode interface, returning the
  * length of the encoded data in bytes.
  */
@@ -1115,12 +1120,13 @@ static int
 base64_encode_evp(char *dest, char *src, size_t srclen)
 {
   const unsigned char *s = (unsigned char*)src;
-  EVP_ENCODE_CTX ctx;
+  EVP_ENCODE_CTX *ctx = EVP_ENCODE_CTX_new();
   int len, ret;
 
-  EVP_EncodeInit(&ctx);
-  EVP_EncodeUpdate(&ctx, (unsigned char *)dest, &len, s, (int)srclen);
-  EVP_EncodeFinal(&ctx, (unsigned char *)(dest + len), &ret);
+  EVP_EncodeInit(ctx);
+  EVP_EncodeUpdate(ctx, (unsigned char *)dest, &len, s, (int)srclen);
+  EVP_EncodeFinal(ctx, (unsigned char *)(dest + len), &ret);
+  EVP_ENCODE_CTX_free(ctx);
   return ret+ len;
 }
 

+ 4 - 5
src/test/test_tortls.c

@@ -1347,11 +1347,10 @@ test_tortls_get_buffer_sizes(void *ignored)
   tls->ssl->s3->wbuf.offset = 0;
   tls->ssl->s3->wbuf.left = 43;
 
+  ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
 #if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,1,0)
-  ret = tor_tls_get_buffer_sizes(NULL, NULL, NULL, NULL, NULL);
   tt_int_op(ret, OP_EQ, -1);
 #else
-  ret = tor_tls_get_buffer_sizes(tls, &rbuf_c, &rbuf_b, &wbuf_c, &wbuf_b);
   tt_int_op(ret, OP_EQ, 0);
   tt_int_op(rbuf_c, OP_EQ, 0);
   tt_int_op(wbuf_c, OP_EQ, 0);
@@ -2594,14 +2593,14 @@ test_tortls_create_certificate(void *ignored)
   tt_assert(!ret);
 
   fixed_crypto_pk_get_evp_pkey_result_index = 0;
-  fixed_crypto_pk_get_evp_pkey_result[0] = tor_malloc_zero(sizeof(EVP_PKEY));
+  fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
   fixed_crypto_pk_get_evp_pkey_result[1] = NULL;
   ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
   tt_assert(!ret);
 
   fixed_crypto_pk_get_evp_pkey_result_index = 0;
-  fixed_crypto_pk_get_evp_pkey_result[0] = tor_malloc_zero(sizeof(EVP_PKEY));
-  fixed_crypto_pk_get_evp_pkey_result[1] = tor_malloc_zero(sizeof(EVP_PKEY));
+  fixed_crypto_pk_get_evp_pkey_result[0] = EVP_PKEY_new();
+  fixed_crypto_pk_get_evp_pkey_result[1] = EVP_PKEY_new();
   ret = tor_tls_create_certificate(pk1, pk2, "hello", "hello2", 1);
   tt_assert(!ret);