Commit 1ba1a1ce authored by Nick Mathewson's avatar Nick Mathewson
Browse files

Always declare groups when building with openssl 1.1.1 APIs

Failing to do on clients was causing TLS 1.3 negotiation to fail.

Fixes bug 28245; bugfix on 0.2.9.15, when we added TLS 1.3 support.
parent 0a824bd8
o Major bugfixes (OpenSSL, portability):
- Fix our usage of named groups when running as a TLS 1.3 client in
OpenSSL 1.1.1. Previously, we only initialized EC groups when running
as a server, which caused clients to fail to negotiate TLS 1.3 with
relays. Fixes bug 28245; bugfix on 0.2.9.15 when TLS 1.3 support was
added.
...@@ -677,6 +677,7 @@ AC_CHECK_FUNCS([ \ ...@@ -677,6 +677,7 @@ AC_CHECK_FUNCS([ \
SSL_get_server_random \ SSL_get_server_random \
SSL_get_client_ciphers \ SSL_get_client_ciphers \
SSL_get_client_random \ SSL_get_client_random \
SSL_CTX_set1_groups_list \
SSL_CIPHER_find \ SSL_CIPHER_find \
SSL_CTX_set_security_level \ SSL_CTX_set_security_level \
TLS_method TLS_method
......
...@@ -1217,6 +1217,22 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, ...@@ -1217,6 +1217,22 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh)); SSL_CTX_set_tmp_dh(result->ctx, crypto_dh_get_dh_(dh));
crypto_dh_free(dh); crypto_dh_free(dh);
} }
/* We check for this function in two ways, since it might be either a symbol
* or a macro. */
#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
{
const char *list;
if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
list = "P-224:P-256";
else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
list = "P-256:P-224";
else
list = "P-256:P-224";
int r = SSL_CTX_set1_groups_list(result->ctx, list);
if (r < 0)
goto error;
}
#else
if (! is_client) { if (! is_client) {
int nid; int nid;
EC_KEY *ec_key; EC_KEY *ec_key;
...@@ -1232,6 +1248,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, ...@@ -1232,6 +1248,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_tmp_ecdh(result->ctx, ec_key); SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
EC_KEY_free(ec_key); EC_KEY_free(ec_key);
} }
#endif
SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER, SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
always_accept_verify_cb); always_accept_verify_cb);
/* let us realloc bufs that we're writing from */ /* let us realloc bufs that we're writing from */
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment