Home Explore Help
Sign In
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge branch 'bug4822_021_v2_squashed' into maint-0.2.1

Nick Mathewson 14 years ago
parent
df17b62d54 4752b34879
commit
b839ace7d0
2 changed files with 47 additions and 3 deletions
Split View Show Diff Stats
  1. 13 0
      changes/bug4822
  2. 34 3
      src/common/tortls.c

+ 13 - 0
changes/bug4822
View File 

@@ -0,0 +1,13 @@
 
+  o Major security workaround:
 
+    - When building or running with any version of OpenSSL earlier
 
+      than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had
 
+      a bug (CVE-2011-4576) in which their block cipher padding
 
+      included uninitialized data, potentially leaking sensitive
 
+      information to any peer with whom they made a SSLv3
 
+      connection. Tor does not use SSL v3 by default, but a hostile
 
+      client or server could force an SSLv3 connection in order to
 
+      gain information that they shouldn't have been able to get. The
 
+      best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or
 
+      later). But when building or running with a non-upgraded
 
+      OpenSSL, we should instead make sure that the bug can't happen
 
+      by disabling SSLv3 entirely.

+ 34 - 3
src/common/tortls.c
View File 

@@ -64,6 +64,16 @@
 
 
 #define ADDR(tls) (((tls) && (tls)->address) ? tls->address : "peer")
 
 
+#if (OPENSSL_VERSION_NUMBER  <  0x0090813fL ||    \
 
+     (OPENSSL_VERSION_NUMBER >= 0x00909000L &&    \
 
+      OPENSSL_VERSION_NUMBER <  0x1000006fL))
 
+/* This is a version of OpenSSL before 0.9.8s/1.0.0f. It does not have
 
+ * the CVE-2011-4657 fix, and as such it can't use RELEASE_BUFFERS and
 
+ * SSL3 safely at the same time.
 
+ */
 
+#define DISABLE_SSL3_HANDSHAKE
 
+#endif
 
+
 
 /* We redefine these so that we can run correctly even if the vendor gives us
 
  * a version of OpenSSL that does not match its header files.  (Apple: I am
 
  * looking at you.)
 
@@ -739,16 +749,37 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime,
 
     result->key = crypto_pk_dup_key(rsa);
 
   }
 
 
-#ifdef EVERYONE_HAS_AES
 
-  /* Tell OpenSSL to only use TLS1 */
 
+#if 0
 
+  /* Tell OpenSSL to only use TLS1. This would actually break compatibility
 
+   * with clients that are configured to use SSLv23_method(), so we should
 
+   * probably never use it.
 
+   */
 
   if (!(result->ctx = SSL_CTX_new(TLSv1_method())))
 
     goto error;
 
-#else
 
+#endif
 
+
 
   /* Tell OpenSSL to use SSL3 or TLS1 but not SSL2. */
 
   if (!(result->ctx = SSL_CTX_new(SSLv23_method())))
 
     goto error;
 
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 
+
 
+  if (
 
+#ifdef DISABLE_SSL3_HANDSHAKE
 
+      1 ||
 
 #endif
 
+      SSLeay()  <  0x0090813fL ||
 
+      (SSLeay() >= 0x00909000L &&
 
+       SSLeay() <  0x1000006fL)) {
 
+    /* And not SSL3 if it's subject to CVE-2011-4657. */
 
+    log_info(LD_NET, "Disabling SSLv3 because this OpenSSL version "
 
+             "might otherwise be vulnerable to CVE-2011-4657 "
 
+             "(compile-time version %08lx (%s); "
 
+             "runtime version %08lx (%s))",
 
+             OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT,
 
+             SSLeay(), SSLeay_version(SSLEAY_VERSION));
 
+    SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv3);
 
+  }
 
+
 
   SSL_CTX_set_options(result->ctx, SSL_OP_SINGLE_DH_USE);
 
 
 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION