Remove support for OpenSSL without ECC.

author Yawning Angel <yawning@schwanenlied.me>

Thu, 21 May 2015 17:07:30 +0000 (17:07 +0000)

committer Yawning Angel <yawning@schwanenlied.me>

Thu, 21 May 2015 17:07:30 +0000 (17:07 +0000)
author Yawning Angel <yawning@schwanenlied.me>
Thu, 21 May 2015 17:07:30 +0000 (17:07 +0000)
committer Yawning Angel <yawning@schwanenlied.me>
Thu, 21 May 2015 17:07:30 +0000 (17:07 +0000)
diff --git a/changes/ticket16140 b/changes/ticket16140

new file mode 100644 (file)

index 0000000..00c19f1
--- /dev/null
+++ b/changes/ticket16140
@@ -0,0 +1,6 @@
+  o Removed features:
+
+    - Tor no longer supports copies of OpenSSL that are missing support for
+      Elliptic Curve Cryptography.  In particular support for at least one of
+      P256 or P224 is now required, with manual configuration needed if only
+      P224 is available.
diff --git a/src/common/tortls.c b/src/common/tortls.c

index ca7b15fcd7803857b98b329b0423d44893aef967..57d5408ca87e592d66de5f4da152a8cca111e0a5 100644 (file)
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -49,6 +49,9 @@
  #if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0)
  #error "We require OpenSSL >= 1.0.0"
  #endif
+#ifdef OPENSSL_NO_EC
+#error "We require OpenSSL with ECC support"
+#endif
  
  #include <openssl/ssl.h>
  #include <openssl/ssl3.h>
@@ -475,7 +478,6 @@ tor_tls_init(void)
      SSL_load_error_strings();
  
  #if (SIZEOF_VOID_P >= 8 &&                              \
-     !defined(OPENSSL_NO_EC) &&                         \
       OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,1))
      long version = SSLeay();
  
@@ -1327,7 +1329,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
      SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh));
      crypto_dh_free(dh);
    }
-#if !defined(OPENSSL_NO_EC)
    if (! is_client) {
      int nid;
      EC_KEY *ec_key;
@@ -1343,9 +1344,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
        SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
      EC_KEY_free(ec_key);
    }
-#else
-  (void)flags;
-#endif
    SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
                       always_accept_verify_cb);
    /* let us realloc bufs that we're writing from */
@@ -2933,3 +2931,29 @@ tor_tls_init_bufferevent(tor_tls_t *tls, struct bufferevent *bufev_in,
  }
  #endif
  
+/** Check whether the ECC group requested is supported by the current OpenSSL
+ * library instance.  Return 1 if the group is supported, and 0 if not.
+ */
+int
+evaluate_ecgroup_for_tls(const char *ecgroup)
+{
+  EC_KEY *ec_key;
+  int nid;
+  int ret;
+
+  if (!ecgroup)
+    nid = NID_tor_default_ecdhe_group;
+  else if (!strcasecmp(ecgroup, "P256"))
+    nid = NID_X9_62_prime256v1;
+  else if (!strcasecmp(ecgroup, "P224"))
+    nid = NID_secp224r1;
+  else
+    return 0;
+
+  ec_key = EC_KEY_new_by_curve_name(nid);
+  ret = (ec_key != NULL);
+  EC_KEY_free(ec_key);
+
+  return ret;
+}
+
diff --git a/src/common/tortls.h b/src/common/tortls.h

index 083052f4b2bf5636641086fee4fff38c54197c98..9216e8315012badeb5e8f8fdee26e56683714456 100644 (file)
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -139,5 +139,7 @@ int tor_tls_cert_is_valid(int severity,
                            int check_rsa_1024);
  const char *tor_tls_get_ciphersuite_name(tor_tls_t *tls);
  
+int evaluate_ecgroup_for_tls(const char *ecgroup);
+
  #endif
  
diff --git a/src/or/config.c b/src/or/config.c

index 1c04578893c53672ae9b07cfde75b01f4f847bc5..e4a2d1c5ae31ef328c4a84ca6ad2e45036a26e14 100644 (file)
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -2806,6 +2806,9 @@ options_validate(or_options_t *old_options, or_options_t *options,
      COMPLAIN("Unrecognized TLSECGroup: Falling back to the default.");
      tor_free(options->TLSECGroup);
    }
+  if (!evaluate_ecgroup_for_tls(options->TLSECGroup)) {
+    REJECT("Unsupported TLSECGroup.");
+  }
  
    if (options->ExcludeNodes && options->StrictNodes) {
      COMPLAIN("You have asked to exclude certain relays from all positions "
diff --git a/src/test/bench.c b/src/test/bench.c

index a74fc776fa77c50d14c00779f74afc32c12800c3..bc2b1f04d831790743fb86f56de9a621a2c706cf 100644 (file)
--- a/src/test/bench.c
+++ b/src/test/bench.c
@@ -19,11 +19,9 @@ const char tor_git_revision[] = "";
  #include "relay.h"
  #include <openssl/opensslv.h>
  #include <openssl/evp.h>
-#ifndef OPENSSL_NO_EC
  #include <openssl/ec.h>
  #include <openssl/ecdh.h>
  #include <openssl/obj_mac.h>
-#endif
  
  #include "config.h"
  #include "crypto_curve25519.h"
@@ -502,8 +500,6 @@ bench_dh(void)
           "      %f millisec each.\n", NANOCOUNT(start, end, iters)/1e6);
  }
  
-#if !defined(OPENSSL_NO_EC)
-#define HAVE_EC_BENCHMARKS
  static void
  bench_ecdh_impl(int nid, const char *name)
  {
@@ -553,7 +549,6 @@ bench_ecdh_p224(void)
  {
    bench_ecdh_impl(NID_secp224r1, "P-224");
  }
-#endif
  
  typedef void (*bench_fn)(void);
  
@@ -576,10 +571,8 @@ static struct benchmark_t benchmarks[] = {
    ENT(cell_aes),
    ENT(cell_ops),
    ENT(dh),
-#ifdef HAVE_EC_BENCHMARKS
    ENT(ecdh_p256),
    ENT(ecdh_p224),
-#endif
    {NULL,NULL,0}
  };
author	Yawning Angel <yawning@schwanenlied.me>
	Thu, 21 May 2015 17:07:30 +0000 (17:07 +0000)
committer	Yawning Angel <yawning@schwanenlied.me>
	Thu, 21 May 2015 17:07:30 +0000 (17:07 +0000)
changes/ticket16140	[new file with mode: 0644]	patch \| blob
src/common/tortls.c		patch \| blob \| blame \| history
src/common/tortls.h		patch \| blob \| blame \| history
src/or/config.c		patch \| blob \| blame \| history
src/test/bench.c		patch \| blob \| blame \| history