commit 2ac2d0a426d1cd0ba1b2004d349b28e7acda0666
parent 8db047b927d4675661e86b563509c0f28b51a1ed
Author: Nick Mathewson <nickm@torproject.org>
Date: Fri, 9 Nov 2018 10:49:47 -0500
Merge branch 'maint-0.3.4' into maint-0.3.5
Diffstat:
3 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/changes/bug28245 b/changes/bug28245
@@ -0,0 +1,6 @@
+ o Major bugfixes (OpenSSL, portability):
+ - Fix our usage of named groups when running as a TLS 1.3 client in
+ OpenSSL 1.1.1. Previously, we only initialized EC groups when running
+ as a server, which caused clients to fail to negotiate TLS 1.3 with
+ relays. Fixes bug 28245; bugfix on 0.2.9.15 when TLS 1.3 support was
+ added.
diff --git a/configure.ac b/configure.ac
@@ -953,6 +953,7 @@ AC_CHECK_FUNCS([ \
SSL_get_server_random \
SSL_get_client_ciphers \
SSL_get_client_random \
+ SSL_CTX_set1_groups_list \
SSL_CIPHER_find \
SSL_CTX_set_security_level \
TLS_method
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
@@ -639,6 +639,22 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_tmp_dh(result->ctx, dh);
DH_free(dh);
}
+/* We check for this function in two ways, since it might be either a symbol
+ * or a macro. */
+#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
+ {
+ const char *list;
+ if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
+ list = "P-224:P-256";
+ else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
+ list = "P-256:P-224";
+ else
+ list = "P-256:P-224";
+ int r = SSL_CTX_set1_groups_list(result->ctx, list);
+ if (r < 0)
+ goto error;
+ }
+#else
if (! is_client) {
int nid;
EC_KEY *ec_key;
@@ -654,6 +670,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
EC_KEY_free(ec_key);
}
+#endif
SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
always_accept_verify_cb);
/* let us realloc bufs that we're writing from */
