commit df4fa92a88dbeadcc85ea28ac52af006e9e1466a Merge: a427a7c 71aacbe Author: Nick Mathewson nickm@torproject.org Date: Tue Jun 14 12:17:24 2016 -0400
Merge branch 'maint-0.2.8'
changes/bug19406 | 4 ++ src/common/crypto.c | 182 ++++++++++++++++++++++++++++++++++++++--------- src/common/tortls.c | 6 ++ src/test/test_tortls.c | 6 +- src/tools/tor-checkkey.c | 11 ++- src/tools/tor-gencert.c | 22 ++++++ 6 files changed, 195 insertions(+), 36 deletions(-)
diff --cc src/common/crypto.c index 76e262e,614f9b5..4df674b --- a/src/common/crypto.c +++ b/src/common/crypto.c @@@ -2311,17 -2387,27 +2396,32 @@@ crypto_dh_get_bytes(crypto_dh_t *dh int crypto_dh_generate_public(crypto_dh_t *dh) { + #ifndef OPENSSL_1_1_API again: + #endif if (!DH_generate_key(dh->dh)) { + /* LCOV_EXCL_START + * To test this we would need some way to tell openssl to break DH. */ crypto_log_errors(LOG_WARN, "generating DH key"); return -1; + /* LCOV_EXCL_STOP */ } + #ifdef OPENSSL_1_1_API + /* OpenSSL 1.1.x doesn't appear to let you regenerate a DH key, without + * recreating the DH object. I have no idea what sort of aliasing madness + * can occur here, so do the check, and just bail on failure. + */ + BIGNUM *pub_key, *priv_key; + DH_get0_key(dh->dh, &pub_key, &priv_key); + if (tor_check_dh_key(LOG_WARN, pub_key)<0) { + log_warn(LD_CRYPTO, "Weird! Our own DH key was invalid. I guess once-in-" + "the-universe chances really do happen. Treating as a failure."); + return -1; + } + #else if (tor_check_dh_key(LOG_WARN, dh->dh->pub_key)<0) { + /* LCOV_EXCL_START + * If this happens, then openssl's DH implementation is busted. */ log_warn(LD_CRYPTO, "Weird! Our own DH key was invalid. I guess once-in-" "the-universe chances really do happen. Trying again."); /* Free and clear the keys, so OpenSSL will actually try again. */ @@@ -2329,8 -2415,8 +2429,9 @@@ BN_clear_free(dh->dh->priv_key); dh->dh->pub_key = dh->dh->priv_key = NULL; goto again; + /* LCOV_EXCL_STOP */ } + #endif return 0; }
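Review bot: In the `OPENSSL_1_1_API` branch of crypto_dh_generate_public, the `return -1` after a failed `tor_check_dh_key` leaves the rejected key pair inside `dh->dh`, whereas the pre-1.1 branch clears both BIGNUMs before it retries. Nothing in the new code tells callers that the object must be thrown away after this failure; a caller (none are visible here) that retries on the same `crypto_dh_t` would presumably get the same invalid key back. I would add a comment above that return, for example `/* The rejected key stays in dh->dh; callers must free this crypto_dh_t rather than reuse it. */`. Separately, `priv_key` is fetched but never read, so if the targeted OpenSSL 1.1 API accepts NULL for that out-parameter, `DH_get0_key(dh->dh, &pub_key, NULL);` would avoid holding a pointer to the private value. The function body spans both hunks of this file.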