[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/master] Remove support for OpenSSL without ECC.
commit 452cebc4a41bdba41d4a8ce3c16e73d585bb53f4
Author: Yawning Angel <yawning@xxxxxxxxxxxxxxx>
Date: Thu May 21 17:07:30 2015 +0000
Remove support for OpenSSL without ECC.
As OpenSSL >= 1.0.0 is now required, ECDHE is now mandatory. The group
has to be validated at runtime, because of RedHat lawyers (P224 support
is entirely missing in the OpenSSL RPM, but P256 is present and is the
default).
Resolves ticket #16140.
---
changes/ticket16140 | 6 ++++++
src/common/tortls.c | 34 +++++++++++++++++++++++++++++-----
src/common/tortls.h | 2 ++
src/or/config.c | 3 +++
src/test/bench.c | 7 -------
5 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/changes/ticket16140 b/changes/ticket16140
new file mode 100644
index 0000000..00c19f1
--- /dev/null
+++ b/changes/ticket16140
@@ -0,0 +1,6 @@
+ o Removed features:
+
+ - Tor no longer supports copies of OpenSSL that are missing support for
+ Elliptic Curve Cryptography. In particular support for at least one of
+ P256 or P224 is now required, with manual configuration needed if only
+ P224 is available.
diff --git a/src/common/tortls.c b/src/common/tortls.c
index ca7b15f..57d5408 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -49,6 +49,9 @@
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
#error "We require OpenSSL >= 1.0.0"
#endif
+#ifdef OPENSSL_NO_EC
+#error "We require OpenSSL with ECC support"
+#endif
#include <openssl/ssl.h>
#include <openssl/ssl3.h>
@@ -475,7 +478,6 @@ tor_tls_init(void)
SSL_load_error_strings();
#if (SIZEOF_VOID_P >= 8 && \
- !defined(OPENSSL_NO_EC) && \
OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
long version = SSLeay();
@@ -1327,7 +1329,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh));
crypto_dh_free(dh);
}
-#if !defined(OPENSSL_NO_EC)
if (! is_client) {
int nid;
EC_KEY *ec_key;
@@ -1343,9 +1344,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
EC_KEY_free(ec_key);
}
-#else
- (void)flags;
-#endif
SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
always_accept_verify_cb);
/* let us realloc bufs that we're writing from */
@@ -2933,3 +2931,29 @@ tor_tls_init_bufferevent(tor_tls_t *tls, struct bufferevent *bufev_in,
}
#endif
+/** Check whether the ECC group requested is supported by the current OpenSSL
+ * library instance. Return 1 if the group is supported, and 0 if not.
+ */
+int
+evaluate_ecgroup_for_tls(const char *ecgroup)
+{
+ EC_KEY *ec_key;
+ int nid;
+ int ret;
+
+ if (!ecgroup)
+ nid = NID_tor_default_ecdhe_group;
+ else if (!strcasecmp(ecgroup, "P256"))
+ nid = NID_X9_62_prime256v1;
+ else if (!strcasecmp(ecgroup, "P224"))
+ nid = NID_secp224r1;
+ else
+ return 0;
+
+ ec_key = EC_KEY_new_by_curve_name(nid);
+ ret = (ec_key != NULL);
+ EC_KEY_free(ec_key);
+
+ return ret;
+}
+
diff --git a/src/common/tortls.h b/src/common/tortls.h
index 083052f..9216e83 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -139,5 +139,7 @@ int tor_tls_cert_is_valid(int severity,
int check_rsa_1024);
const char *tor_tls_get_ciphersuite_name(tor_tls_t *tls);
+int evaluate_ecgroup_for_tls(const char *ecgroup);
+
#endif
diff --git a/src/or/config.c b/src/or/config.c
index 1c04578..e4a2d1c 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -2806,6 +2806,9 @@ options_validate(or_options_t *old_options, or_options_t *options,
COMPLAIN("Unrecognized TLSECGroup: Falling back to the default.");
tor_free(options->TLSECGroup);
}
+ if (!evaluate_ecgroup_for_tls(options->TLSECGroup)) {
+ REJECT("Unsupported TLSECGroup.");
+ }
if (options->ExcludeNodes && options->StrictNodes) {
COMPLAIN("You have asked to exclude certain relays from all positions "
diff --git a/src/test/bench.c b/src/test/bench.c
index a74fc77..bc2b1f0 100644
--- a/src/test/bench.c
+++ b/src/test/bench.c
@@ -19,11 +19,9 @@ const char tor_git_revision[] = "";
#include "relay.h"
#include <openssl/opensslv.h>
#include <openssl/evp.h>
-#ifndef OPENSSL_NO_EC
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/obj_mac.h>
-#endif
#include "config.h"
#include "crypto_curve25519.h"
@@ -502,8 +500,6 @@ bench_dh(void)
" %f millisec each.\n", NANOCOUNT(start, end, iters)/1e6);
}
-#if !defined(OPENSSL_NO_EC)
-#define HAVE_EC_BENCHMARKS
static void
bench_ecdh_impl(int nid, const char *name)
{
@@ -553,7 +549,6 @@ bench_ecdh_p224(void)
{
bench_ecdh_impl(NID_secp224r1, "P-224");
}
-#endif
typedef void (*bench_fn)(void);
@@ -576,10 +571,8 @@ static struct benchmark_t benchmarks[] = {
ENT(cell_aes),
ENT(cell_ops),
ENT(dh),
-#ifdef HAVE_EC_BENCHMARKS
ENT(ecdh_p256),
ENT(ecdh_p224),
-#endif
{NULL,NULL,0}
};
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits