Commit 6a88d8f6 authored by Nick Mathewson's avatar Nick Mathewson 👁
Browse files

When enabling NSS, disable OpenSSL.

We used to link both libraries at once, but now that I'm working on
TLS, there's nothing left to keep OpenSSL around for when NSS is
enabled.

Note that this patch causes a couple of places that still assumed
OpenSSL to be disabled when NSS is enabled
   - tor-gencert
   - pbkdf2
parent 1992c761
......@@ -67,14 +67,15 @@ AM_CONDITIONAL(LIBFUZZER_ENABLED, test "x$enable_libfuzzer" = "xyes")
AM_CONDITIONAL(OSS_FUZZ_ENABLED, test "x$enable_oss_fuzz" = "xyes")
AM_CONDITIONAL(USE_RUST, test "x$enable_rust" = "xyes")
AM_CONDITIONAL(USE_NSS, test "x$enable_nss" = "xyes")
AM_CONDITIONAL(USE_OPENSSL, true)
AM_CONDITIONAL(USE_OPENSSL, test "x$enable_nss" != "xyes")
if test "x$enable_nss" = "xyes"; then
AC_DEFINE(ENABLE_NSS, 1,
[Defined if we're building with NSS in addition to OpenSSL.])
else
AC_DEFINE(ENABLE_OPENSSL, 1,
[Defined if we're building with OpenSSL or LibreSSL])
fi
AC_DEFINE(ENABLE_OPENSSL, 1,
[Defined if we're building with OpenSSL or LibreSSL])
if test "$enable_static_tor" = "yes"; then
enable_static_libevent="yes";
......@@ -872,6 +873,8 @@ fi
dnl ------------------------------------------------------
dnl Where do you live, openssl? And how do we call you?
if test "x$enable_nss" != "xyes"; then
tor_openssl_pkg_redhat="openssl"
tor_openssl_pkg_debian="libssl-dev"
tor_openssl_devpkg_redhat="openssl-devel"
......@@ -971,6 +974,11 @@ AC_CHECK_SIZEOF(SHA_CTX, , [AC_INCLUDES_DEFAULT()
#include <openssl/sha.h>
])
fi # enable_nss
dnl ======================================================================
dnl Can we use KIST?
dnl Define the set of checks for KIST scheduler support.
AC_DEFUN([CHECK_KIST_SUPPORT],[
dnl KIST needs struct tcp_info and for certain members to exist.
......
......@@ -82,6 +82,11 @@
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/crypt_ops/crypto_init.h"
#ifdef ENABLE_NSS
#include "lib/crypt_ops/crypto_nss_mgt.h"
#else
#include "lib/crypt_ops/crypto_openssl_mgt.h"
#endif
#include "feature/dircache/dirserv.h"
#include "feature/relay/dns.h"
#include "core/or/dos.h"
......@@ -5238,9 +5243,16 @@ options_init_from_torrc(int argc, char **argv)
printf("Libevent\t\t%-15s\t\t%s\n",
tor_libevent_get_header_version_str(),
tor_libevent_get_version_str());
#ifdef ENABLE_OPENSSL
printf("OpenSSL \t\t%-15s\t\t%s\n",
crypto_openssl_get_header_version_str(),
crypto_openssl_get_version_str());
#endif
#ifdef ENABLE_NSS
printf("NSS \t\t%-15s\t\t%s\n",
crypto_nss_get_header_version_str(),
crypto_nss_get_version_str());
#endif
if (tor_compress_supports_method(ZLIB_METHOD)) {
printf("Zlib \t\t%-15s\t\t%s\n",
tor_compress_version_str(ZLIB_METHOD),
......
......@@ -3504,10 +3504,11 @@ tor_init(int argc, char *argv[])
const char *version = get_version();
log_notice(LD_GENERAL, "Tor %s running on %s with Libevent %s, "
"OpenSSL %s, Zlib %s, Liblzma %s, and Libzstd %s.", version,
"%s %s, Zlib %s, Liblzma %s, and Libzstd %s.", version,
get_uname(),
tor_libevent_get_version_str(),
crypto_openssl_get_version_str(),
crypto_get_library_name(),
crypto_get_library_version_string(),
tor_compress_supports_method(ZLIB_METHOD) ?
tor_compress_version_str(ZLIB_METHOD) : "N/A",
tor_compress_supports_method(LZMA_METHOD) ?
......
......@@ -7,6 +7,10 @@
#ifndef TOR_COMPAT_OPENSSL_H
#define TOR_COMPAT_OPENSSL_H
#include "orconfig.h"
#ifdef ENABLE_OPENSSL
#include <openssl/opensslv.h>
#include "lib/crypt_ops/crypto_openssl_mgt.h"
......@@ -47,5 +51,7 @@
#define CONST_IF_OPENSSL_1_1_API const
#endif /* !defined(OPENSSL_1_1_API) */
#endif /* defined(ENABLE_OPENSSL) */
#endif /* !defined(TOR_COMPAT_OPENSSL_H) */
......@@ -56,7 +56,7 @@ struct dh_st *crypto_dh_new_openssl_tls(void);
void crypto_dh_init_openssl(void);
void crypto_dh_free_all_openssl(void);
#endif
#ifdef ENABLE_OPENSSL
#ifdef ENABLE_NSS
void crypto_dh_init_nss(void);
void crypto_dh_free_all_nss(void);
#endif
......
......@@ -37,6 +37,7 @@
#include "ed25519/donna/ed25519_donna_tor.h"
#include <string.h>
#include <errno.h>
static void pick_ed25519_impl(void);
......
......@@ -29,6 +29,7 @@
#include "lib/fs/files.h"
#include <string.h>
#include <errno.h>
/** Write the <b>datalen</b> bytes from <b>data</b> to the file named
* <b>fname</b> in the tagged-data format. This format contains a
......
......@@ -17,12 +17,14 @@
#include "lib/intmath/cmp.h"
#include "lib/log/util_bug.h"
#ifdef ENABLE_OPENSSL
#include <openssl/opensslv.h>
#if defined(HAVE_ERR_LOAD_KDF_STRINGS)
#include <openssl/kdf.h>
#define HAVE_OPENSSL_HKDF 1
#endif
#endif
#include <string.h>
......
......@@ -88,6 +88,10 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
#ifdef ENABLE_OPENSSL
if (crypto_openssl_late_init(useAccel, accelName, accelDir) < 0)
return -1;
#else
(void)useAccel;
(void)accelName;
(void)accelDir;
#endif
#ifdef ENABLE_NSS
if (crypto_nss_late_init() < 0)
......@@ -139,3 +143,41 @@ crypto_postfork(void)
crypto_nss_postfork();
#endif
}
/** Return the name of the crypto library we're using. */
const char *
crypto_get_library_name(void)
{
#ifdef ENABLE_OPENSSL
return "OpenSSL";
#endif
#ifdef ENABLE_NSS
return "NSS";
#endif
}
/** Return the version of the crypto library we are using, as given in the
* library. */
const char *
crypto_get_library_version_string(void)
{
#ifdef ENABLE_OPENSSL
return crypto_openssl_get_version_str();
#endif
#ifdef ENABLE_NSS
return crypto_nss_get_version_str();
#endif
}
/** Return the version of the crypto library we're using, as given in the
* headers. */
const char *
crypto_get_header_version_string(void)
{
#ifdef ENABLE_OPENSSL
return crypto_openssl_get_header_version_str();
#endif
#ifdef ENABLE_NSS
return crypto_nss_get_header_version_str();
#endif
}
......@@ -26,4 +26,8 @@ void crypto_thread_cleanup(void);
int crypto_global_cleanup(void);
void crypto_postfork(void);
const char *crypto_get_library_name(void);
const char *crypto_get_library_version_string(void);
const char *crypto_get_header_version_string(void);
#endif /* !defined(TOR_CRYPTO_H) */
......@@ -35,9 +35,11 @@
#include "lib/testsupport/testsupport.h"
#include "lib/fs/files.h"
#include "lib/defs/digest_sizes.h"
#include "lib/crypt_ops/crypto_digest.h"
#ifdef ENABLE_NSS
#include "lib/crypt_ops/crypto_nss_mgt.h"
#include "lib/crypt_ops/crypto_digest.h"
#endif
#ifdef ENABLE_OPENSSL
......@@ -80,6 +82,7 @@ ENABLE_GCC_WARNING(redundant-decls)
#endif
#include <string.h>
#include <errno.h>
/**
* How many bytes of entropy we add at once.
......@@ -335,7 +338,8 @@ crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
void
crypto_strongest_rand(uint8_t *out, size_t out_len)
{
#define DLEN SHA512_DIGEST_LENGTH
#define DLEN DIGEST512_LEN
/* We're going to hash DLEN bytes from the system RNG together with some
* bytes from the PRNGs from our crypto librar(y/ies), in order to yield
* DLEN bytes.
......@@ -360,11 +364,11 @@ crypto_strongest_rand(uint8_t *out, size_t out_len)
// LCOV_EXCL_STOP
}
if (out_len >= DLEN) {
SHA512(inp, sizeof(inp), out);
crypto_digest512((char*)out, (char*)inp, sizeof(inp), DIGEST_SHA512);
out += DLEN;
out_len -= DLEN;
} else {
SHA512(inp, sizeof(inp), tmp);
crypto_digest512((char*)tmp, (char*)inp, sizeof(inp), DIGEST_SHA512);
memcpy(out, tmp, out_len);
break;
}
......@@ -699,6 +703,7 @@ smartlist_shuffle(smartlist_t *sl)
int
crypto_force_rand_ssleay(void)
{
#ifdef ENABLE_OPENSSL
RAND_METHOD *default_method;
default_method = RAND_OpenSSL();
if (RAND_get_rand_method() != default_method) {
......@@ -708,6 +713,7 @@ crypto_force_rand_ssleay(void)
RAND_set_rand_method(default_method);
return 1;
}
#endif
return 0;
}
......
......@@ -37,11 +37,12 @@ crypto_get_rsa_padding_overhead(int padding)
{
switch (padding)
{
case RSA_PKCS1_OAEP_PADDING: return PKCS1_OAEP_PADDING_OVERHEAD;
case PK_PKCS1_OAEP_PADDING: return PKCS1_OAEP_PADDING_OVERHEAD;
default: tor_assert(0); return -1; // LCOV_EXCL_LINE
}
}
#ifdef ENABLE_OPENSSL
/** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
*/
int
......@@ -53,6 +54,7 @@ crypto_get_rsa_padding(int padding)
default: tor_assert(0); return -1; // LCOV_EXCL_LINE
}
}
#endif
/** Compare the public-key components of a and b. Return non-zero iff
* a==b. A NULL key is considered to be distinct from all non-NULL
......@@ -100,7 +102,7 @@ crypto_pk_obsolete_public_hybrid_encrypt(crypto_pk_t *env,
tor_assert(to);
tor_assert(fromlen < SIZE_T_CEILING);
overhead = crypto_get_rsa_padding_overhead(crypto_get_rsa_padding(padding));
overhead = crypto_get_rsa_padding_overhead(padding);
pkeylen = crypto_pk_keysize(env);
if (!force && fromlen+overhead <= pkeylen) {
......
......@@ -21,7 +21,9 @@
#include "lib/ctime/di_ops.h"
#include "lib/log/util_bug.h"
#ifdef ENABLE_OPENSSL
#include <openssl/evp.h>
#endif
#if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
#define HAVE_SCRYPT
......@@ -265,6 +267,7 @@ secret_to_key_compute_key(uint8_t *key_out, size_t key_out_len,
return (int)key_out_len;
case S2K_TYPE_PBKDF2: {
#ifdef ENABLE_OPENSSL
uint8_t log_iters;
if (spec_len < 1 || secret_len > INT_MAX || spec_len > INT_MAX)
return S2K_BAD_LEN;
......@@ -278,6 +281,10 @@ secret_to_key_compute_key(uint8_t *key_out, size_t key_out_len,
if (rv < 0)
return S2K_FAILED;
return (int)key_out_len;
#else
// XXXXXXXXXXXXXXXXXXXXXXXX implement me.
return S2K_NO_SCRYPT_SUPPORT;
#endif
}
case S2K_TYPE_SCRYPT: {
......
......@@ -23,12 +23,14 @@
#include <wincrypt.h>
#endif /* defined(_WIN32) */
DISABLE_GCC_WARNING(redundant-decls)
#include <stdlib.h>
#ifdef ENABLE_OPENSSL
DISABLE_GCC_WARNING(redundant-decls)
#include <openssl/err.h>
#include <openssl/crypto.h>
ENABLE_GCC_WARNING(redundant-decls)
#endif
#include "lib/log/log.h"
#include "lib/log/util_bug.h"
......
......@@ -9,7 +9,6 @@ src_lib_libtor_crypt_ops_a_SOURCES = \
src/lib/crypt_ops/crypto_cipher.c \
src/lib/crypt_ops/crypto_curve25519.c \
src/lib/crypt_ops/crypto_dh.c \
src/lib/crypt_ops/crypto_dh_openssl.c \
src/lib/crypt_ops/crypto_digest.c \
src/lib/crypt_ops/crypto_ed25519.c \
src/lib/crypt_ops/crypto_format.c \
......@@ -37,6 +36,7 @@ endif
if USE_OPENSSL
src_lib_libtor_crypt_ops_a_SOURCES += \
src/lib/crypt_ops/crypto_dh_openssl.c \
src/lib/crypt_ops/crypto_openssl_mgt.c
endif
......
......@@ -15,28 +15,38 @@ struct ssl_session_st;
int tor_errno_to_tls_error(int e);
int tor_tls_get_error(tor_tls_t *tls, int r, int extra,
const char *doing, int severity, int domain);
tor_tls_t *tor_tls_get_by_ssl(const struct ssl_st *ssl);
void tor_tls_allocate_tor_tls_object_ex_data_index(void);
MOCK_DECL(void, try_to_extract_certs_from_tls,
(int severity, tor_tls_t *tls,
tor_x509_cert_impl_t **cert_out,
tor_x509_cert_impl_t **id_cert_out));
#ifdef TORTLS_OPENSSL_PRIVATE
int always_accept_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx);
int tor_tls_classify_client_ciphers(const struct ssl_st *ssl,
STACK_OF(SSL_CIPHER) *peer_ciphers);
#endif
tor_tls_context_t *tor_tls_context_new(crypto_pk_t *identity,
unsigned int key_lifetime, unsigned flags, int is_client);
int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
crypto_pk_t *identity,
unsigned int key_lifetime,
unsigned int flags,
int is_client);
#ifdef ENABLE_OPENSSL
tor_tls_t *tor_tls_get_by_ssl(const struct ssl_st *ssl);
int tor_tls_client_is_using_v2_ciphers(const struct ssl_st *ssl);
#ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
size_t SSL_SESSION_get_master_key(struct ssl_session_st *s,
uint8_t *out,
size_t len);
#endif
void tor_tls_debug_state_callback(const struct ssl_st *ssl,
int type, int val);
void tor_tls_server_info_callback(const struct ssl_st *ssl,
int type, int val);
void tor_tls_allocate_tor_tls_object_ex_data_index(void);
#if !defined(HAVE_SSL_SESSION_GET_MASTER_KEY)
size_t SSL_SESSION_get_master_key(struct ssl_session_st *s,
uint8_t *out,
size_t len);
#endif
#ifdef TORTLS_OPENSSL_PRIVATE
int always_accept_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx);
int tor_tls_classify_client_ciphers(const struct ssl_st *ssl,
STACK_OF(SSL_CIPHER) *peer_ciphers);
STATIC int tor_tls_session_secret_cb(struct ssl_st *ssl, void *secret,
int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers,
......@@ -44,14 +54,8 @@ STATIC int tor_tls_session_secret_cb(struct ssl_st *ssl, void *secret,
void *arg);
STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m,
uint16_t cipher);
#endif /* defined(TORTLS_OPENSSL_PRIVATE) */
tor_tls_context_t *tor_tls_context_new(crypto_pk_t *identity,
unsigned int key_lifetime, unsigned flags, int is_client);
int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
crypto_pk_t *identity,
unsigned int key_lifetime,
unsigned int flags,
int is_client);
#endif
#endif
#ifdef TOR_UNIT_TESTS
extern int tor_tls_object_ex_data_index;
......
......@@ -47,19 +47,6 @@ tor_tls_get_error(tor_tls_t *tls, int r, int extra,
// XXXX
return -1;
}
tor_tls_t *
tor_tls_get_by_ssl(const struct ssl_st *ssl)
{
(void) ssl;
// XXXX
// XXXX refers to ssl_st.
return NULL;
}
void
tor_tls_allocate_tor_tls_object_ex_data_index(void)
{
// XXXX openssl only.
}
MOCK_IMPL(void,
try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls,
tor_x509_cert_impl_t **cert_out,
......@@ -71,36 +58,7 @@ try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls,
(void)severity;
// XXXX
}
int
tor_tls_client_is_using_v2_ciphers(const struct ssl_st *ssl)
{
(void) ssl;
// XXXX
// XXXX refers to ssl_st.
return 0;
}
void
tor_tls_debug_state_callback(const struct ssl_st *ssl,
int type, int val)
{
(void) ssl;
(void)type;
(void)val;
// XXXX
// XXXX refers to ssl_st.
}
void
tor_tls_server_info_callback(const struct ssl_st *ssl,
int type, int val)
{
(void)ssl;
(void)type;
(void)val;
// XXXX
// XXXX refers to ssl_st.
}
tor_tls_context_t *
tor_tls_context_new(crypto_pk_t *identity,
unsigned int key_lifetime, unsigned flags, int is_client)
......
......@@ -13,11 +13,14 @@
#include "core/or/or.h"
#include "core/crypto/onion_tap.h"
#include "core/crypto/relay_crypto.h"
#ifdef ENABLE_OPENSSL
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/obj_mac.h>
#endif
#include "core/or/circuitlist.h"
#include "app/config/config.h"
......@@ -580,6 +583,7 @@ bench_dh(void)
" %f millisec each.\n", NANOCOUNT(start, end, iters)/1e6);
}
#ifdef ENABLE_OPENSSL
static void
bench_ecdh_impl(int nid, const char *name)
{
......@@ -629,6 +633,7 @@ bench_ecdh_p224(void)
{
bench_ecdh_impl(NID_secp224r1, "P-224");
}
#endif
typedef void (*bench_fn)(void);
......@@ -652,8 +657,11 @@ static struct benchmark_t benchmarks[] = {
ENT(cell_aes),
ENT(cell_ops),
ENT(dh),
#ifdef ENABLE_OPENSSL
ENT(ecdh_p256),
ENT(ecdh_p224),
#endif
{NULL,NULL,0}
};
......
......@@ -118,7 +118,6 @@ src_test_test_SOURCES += \
src/test/test_controller_events.c \
src/test/test_crypto.c \
src/test/test_crypto_ope.c \
src/test/test_crypto_openssl.c \
src/test/test_data.c \
src/test/test_dir.c \
src/test/test_dir_common.c \
......@@ -189,6 +188,7 @@ if USE_NSS
# ...
else
src_test_test_SOURCES += \
src/test/test_crypto_openssl.c \
src/test/test_tortls_openssl.c
endif
......
......@@ -866,7 +866,9 @@ struct testgroup_t testgroups[] = {
{ "control/event/", controller_event_tests },
{ "crypto/", crypto_tests },
{ "crypto/ope/", crypto_ope_tests },
#ifdef ENABLE_OPENSSL
{ "crypto/openssl/", crypto_openssl_tests },
#endif
{ "crypto/pem/", pem_tests },
{ "dir/", dir_tests },
{ "dir_handle_get/", dir_handle_get_tests },
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment