tor

The Tor anonymity network

commit abab3c2458a025102e2b32a0c7932c24c0cc1586
parent 4f42d10a23df1263446f0eb7072f6f7054330466
Author: David Goulet <dgoulet@torproject.org>
Date:   Wed, 23 Apr 2025 11:00:53 -0400

Merge branch 'maint-0.4.8'

Diffstat:
Achanges/bug40911 | 5+++++
Achanges/ticket41041 | 10++++++++++
Msrc/lib/tls/tortls.c | 5++---
Msrc/lib/tls/tortls.h | 2--
Msrc/lib/tls/tortls_openssl.c | 55++++++++++++++++++++++++++++++++++++++-----------------
5 files changed, 55 insertions(+), 22 deletions(-)

diff --git a/changes/bug40911 b/changes/bug40911
@@ -0,0 +1,5 @@
+ o Minor bugfixes (compiler warnings):
+ - Make sure the two bitfields in the half-closed edge struct are
+ unsigned, as we're using them for boolean values and assign 1 to
+ them. Fixes bug 40911; bugfix on 0.4.7.2-alpha.
+
diff --git a/changes/ticket41041 b/changes/ticket41041
@@ -0,0 +1,10 @@
+ o Minor features (security, TLS):
+ - When we are running with OpenSSL 3.5.0 or later,
+ support using the ML-KEM768 for post-quantum key agreement.
+ Closes ticket 41041.
+
+ o Minor features (performance TLS):
+ - When running with with OpenSSL 3.0.0 or later,
+ support using X25519 for TLS key agreement.
+ (This should slightly improve performance
+ for TLS session establishment.)
diff --git a/src/lib/tls/tortls.c b/src/lib/tls/tortls.c
@@ -162,9 +162,8 @@ tor_tls_err_to_string(int err)
 * If <b>server_identity</b> is NULL, this will not generate a server
 * TLS context. If TOR_TLS_CTX_IS_PUBLIC_SERVER is set in <b>flags</b>, use
 * the same TLS context for incoming and outgoing connections, and
- * ignore <b>client_identity</b>. If one of TOR_TLS_CTX_USE_ECDHE_P{224,256}
- * is set in <b>flags</b>, use that ECDHE group if possible; otherwise use
- * the default ECDHE group. */
+ * ignore <b>client_identity</b>.
+ */
 int
 tor_tls_context_init(unsigned flags,
 crypto_pk_t *client_identity,
diff --git a/src/lib/tls/tortls.h b/src/lib/tls/tortls.h
@@ -75,8 +75,6 @@ void tor_tls_get_state_description(tor_tls_t *tls, char *buf, size_t sz);
 void tor_tls_free_all(void);
 #define TOR_TLS_CTX_IS_PUBLIC_SERVER (1u<<0)
-#define TOR_TLS_CTX_USE_ECDHE_P256 (1u<<1)
-#define TOR_TLS_CTX_USE_ECDHE_P224 (1u<<2)
 void tor_tls_init(void);
 void tls_log_errors(tor_tls_t *tls, int severity, int domain,
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
@@ -670,28 +670,49 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
 * or a macro. */
 #if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
 {
- const char *list;
- if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
- list = "P-224:P-256";
- else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
- list = "P-256:P-224";
- else
- list = "P-256:P-224";
- int r = (int) SSL_CTX_set1_groups_list(result->ctx, list);
- if (r < 0)
- goto error;
+ // We'd like to say something like:
+ // "?X25519MLKEM768:P-256:P-224"
+ // to mean that we prefer X25519MLKEM768 if it is present;
+ // but we do insist on the presence of P-256 and P-224.
+ //
+ // Unfortunately, we support back to OpenSSL 3.0, which did not provide
+ // any syntax for saying "don't worry if this group isn't supported."
+ // Instead, we have to make this preference list of preference lists.
+ static const char *group_lists[] = {
+ // We do use the ? syntax here, since every version of OpenSSL
+ // that supports ML-KEM also supports the ? syntax.
+ // We also use the * and / syntaxes:
+ // '*' indicates that the client should send these keyshares.
+ // "/" means that we should consider a set of of groups
+ // as equivalently secure.
+ //
+ // Note that we tell the client to send a P-256 keyshare, since until
+ // this commit, our servers didn't accept X25519.
+ "?*X25519MLKEM768 / ?SecP256r1MLKEM768:?X25519 / *P-256:P-224",
+ "P-256:X25519:P-224",
+ "P-256:P-224",
+ };
+ bool success = false;
+ for (unsigned j = 0; j < ARRAY_LENGTH(group_lists); ++j) {
+ const char *list = group_lists[j];
+ int r = (int) SSL_CTX_set1_groups_list(result->ctx, list);
+ if (r == 1) {
+ log_info(LD_NET, "Set supported groups to %s", list);
+ success = true;
+ break;
+ }
+ log_info(LD_NET, "Group list %s wasn't accepted", list);
+ }
+ if (! success) {
+ log_warn(LD_NET, "No lists of TLS groups were supported. "
+ "Using library defaults");
+ }
 }
 #else /* !(defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SE...)) */
 if (! is_client) {
 int nid;
 EC_KEY *ec_key;
- if (flags & TOR_TLS_CTX_USE_ECDHE_P224)
- nid = NID_secp224r1;
- else if (flags & TOR_TLS_CTX_USE_ECDHE_P256)
- nid = NID_X9_62_prime256v1;
- else
- nid = NID_tor_default_ecdhe_group;
- /* Use P-256 for ECDHE. */
+ nid = NID_tor_default_ecdhe_group;
 ec_key = EC_KEY_new_by_curve_name(nid);
 if (ec_key != NULL) /*XXXX Handle errors? */
 SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
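Review bot: Nothing in the new `group_lists` loop clears OpenSSL's error queue after a rejected `SSL_CTX_set1_groups_list()` call, and rejection of the first one or two lists is the expected path on older OpenSSL builds; any entries those failed calls leave queued could later be reported against an unrelated TLS operation. Draining them next to the rejection log, e.g. `tls_log_errors(NULL, LOG_INFO, LD_NET, "setting TLS groups");`, would keep the queue clean. The `! success` branch also continues with whatever groups the library enables by default, so a short comment there saying why that fallback is acceptable (rather than `goto error`) would help the next reader, given that these lists are the only place Tor pins its key-agreement policy in this hunk. The body of `tor_tls_context_new` starts and ends outside the hunk, so an existing cleanup elsewhere cannot be ruled out.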