Commit 1ba1a1ce authored by Nick Mathewson's avatar Nick Mathewson 🐻
Browse files

Always declare groups when building with openssl 1.1.1 APIs

Failing to do on clients was causing TLS 1.3 negotiation to fail.

Fixes bug 28245; bugfix on 0.2.9.15, when we added TLS 1.3 support.
parent 0a824bd8
o Major bugfixes (OpenSSL, portability):
- Fix our usage of named groups when running as a TLS 1.3 client in
OpenSSL 1.1.1. Previously, we only initialized EC groups when running
as a server, which caused clients to fail to negotiate TLS 1.3 with
relays. Fixes bug 28245; bugfix on 0.2.9.15 when TLS 1.3 support was
added.
...@@ -677,6 +677,7 @@ AC_CHECK_FUNCS([ \ ...@@ -677,6 +677,7 @@ AC_CHECK_FUNCS([ \
SSL_get_server_random \ SSL_get_server_random \
SSL_get_client_ciphers \ SSL_get_client_ciphers \
SSL_get_client_random \ SSL_get_client_random \
SSL_CTX_set1_groups_list \
SSL_CIPHER_find \ SSL_CIPHER_find \
SSL_CTX_set_security_level \ SSL_CTX_set_security_level \
TLS_method TLS_method
......
...@@ -1217,6 +1217,22 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, ...@@ -1217,6 +1217,22 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh)); SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh));
crypto_dh_free(dh); crypto_dh_free(dh);
} }
/* We check for this function in two ways, since it might be either a symbol
* or a macro. */
#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
{
const char *list;
if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
list = "P-224:P-256";
else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
list = "P-256:P-224";
else
list = "P-256:P-224";
int r = SSL_CTX_set1_groups_list(result->ctx, list);
if (r < 0)
goto error;
}
#else
if (! is_client) { if (! is_client) {
int nid; int nid;
EC_KEY *ec_key; EC_KEY *ec_key;
...@@ -1232,6 +1248,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, ...@@ -1232,6 +1248,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_tmp_ecdh(result->ctx, ec_key); SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
EC_KEY_free(ec_key); EC_KEY_free(ec_key);
} }
#endif
SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER, SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
always_accept_verify_cb); always_accept_verify_cb);
/* let us realloc bufs that we're writing from */ /* let us realloc bufs that we're writing from */
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment