Merge remote-tracking branch 'origin/maint-0.2.4' into release-0.2.4
commit
183c861e9a
|
@ -0,0 +1,6 @@
|
|||
o Major bugfixes:
|
||||
- When running a hidden service, do not allow TunneledDirConns 0;
|
||||
this will keep the hidden service from running, and also
|
||||
make it publish its descriptors directly over HTTP. Fixes bug 10849;
|
||||
bugfix on 0.2.1.1-alpha.
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
o Major bugfixes:
|
||||
- Generate the server's preference list for ciphersuites
|
||||
automatically based on uniform criteria, and considering all
|
||||
OpenSSL ciphersuites with acceptable strength and forward
|
||||
secrecy. (The sort order is: prefer AES to 3DES; break ties by
|
||||
preferring ECDHE to DHE; break ties by preferring GCM to CBC;
|
||||
break ties by preferring SHA384 to SHA256 to SHA1; and finally,
|
||||
break ties by preferring AES256 to AES128.) This resolves bugs
|
||||
#11513, #11492, #11498, #11499. Bugs reported by 'cypherpunks'.
|
||||
Bugfix on 0.2.4.8-alpha.
|
||||
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
o Minor features:
|
||||
- When we run out of usable circuit IDs on a channel, log only one
|
||||
warning for the whole channel, and include a description of
|
||||
how many circuits there were on the channel. Fix for part of ticket
|
||||
#11553.
|
|
@ -0,0 +1,6 @@
|
|||
o Minor bugfixes:
|
||||
- Downgrade the warning severity for the the "md was still referenced 1
|
||||
node(s)" warning. Tor 0.2.5.4-alpha has better code for trying to
|
||||
diagnose this bug, and the current warning in earlier versions of
|
||||
tor achieves nothing useful. Addresses warning from bug 7164.
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
o Minor features (security):
|
||||
- Decrease the lower limit of MaxMemInCellQueues to 256 MBytes (but leave
|
||||
the default at 8GBytes), to better support Raspberry Pi users. Fixes
|
||||
bug 9686; bugfix on 0.2.4.14-alpha.
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
o Minor features (performance, compatibility):
|
||||
- Update the list of TLS cipehrsuites that a client advertises
|
||||
to match those advertised by Firefox 28. This enables selection of
|
||||
(fast) GCM ciphersuites, disables some strange old ciphers, and
|
||||
disables the ECDH (not to be confused with ECDHE) ciphersuites.
|
||||
Resolves ticket 11438.
|
|
@ -0,0 +1,5 @@
|
|||
o Major bugfixes (security, OOM)
|
||||
- Fix a memory leak that could occur if a microdescriptor parse
|
||||
fails during the tokenizing step. This could enable a memory
|
||||
exhaustion attack by directory servers. Fixes bug #11649; bugfix
|
||||
on 0.2.2.6-alpha.
|
|
@ -0,0 +1,6 @@
|
|||
o Minor features:
|
||||
- Servers now trust themselves to have a better view than clients of
|
||||
which TLS ciphersuites to choose. (Thanks to #11513, the server
|
||||
list is now well-considered, whereas the client list has been
|
||||
chosen mainly for anti-fingerprinting purposes.) Resolves ticket
|
||||
11528.
|
|
@ -4,85 +4,50 @@
|
|||
*
|
||||
* This file was automatically generated by get_mozilla_ciphers.py.
|
||||
*/
|
||||
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||
CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
|
||||
#else
|
||||
XCIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
CIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
|
||||
#else
|
||||
XCIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
||||
CIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||
CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||
CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
|
||||
CIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
|
||||
CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
|
||||
#else
|
||||
XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA
|
||||
CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
|
||||
#else
|
||||
XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA
|
||||
CIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA
|
||||
CIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||
CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA
|
||||
CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
|
||||
#else
|
||||
XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||
CIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
|
||||
#else
|
||||
XCIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
||||
CIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
|
||||
CIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
|
||||
#else
|
||||
XCIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
CIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||
CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
|
||||
CIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
|
||||
CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
|
||||
#else
|
||||
XCIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
|
||||
XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA
|
||||
CIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
|
||||
#else
|
||||
XCIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
|
||||
CIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
|
||||
#else
|
||||
XCIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
|
||||
CIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
|
||||
|
@ -94,89 +59,63 @@
|
|||
#else
|
||||
XCIPHER(0x0032, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA
|
||||
CIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA)
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA)
|
||||
XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA
|
||||
CIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA)
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
|
||||
CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
|
||||
#else
|
||||
XCIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA)
|
||||
XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA
|
||||
CIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA)
|
||||
#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA
|
||||
CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
|
||||
#else
|
||||
XCIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA)
|
||||
XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA
|
||||
CIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||
CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_RSA_WITH_SEED_SHA
|
||||
CIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA)
|
||||
#else
|
||||
XCIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#endif
|
||||
#ifdef SSL3_TXT_RSA_RC4_128_MD5
|
||||
CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
|
||||
#else
|
||||
XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
|
||||
#endif
|
||||
#ifdef SSL3_TXT_RSA_RC4_128_SHA
|
||||
CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
|
||||
#else
|
||||
XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_RSA_WITH_AES_128_SHA
|
||||
CIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
|
||||
#else
|
||||
XCIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA
|
||||
CIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA)
|
||||
#else
|
||||
XCIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
|
||||
CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
|
||||
#else
|
||||
XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
|
||||
XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
|
||||
CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
|
||||
#else
|
||||
XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
|
||||
#endif
|
||||
#ifdef SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA
|
||||
CIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
|
||||
#ifdef TLS1_TXT_RSA_WITH_AES_128_SHA
|
||||
CIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
|
||||
#else
|
||||
XCIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
|
||||
XCIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA
|
||||
CIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
|
||||
#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA
|
||||
CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
|
||||
XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA
|
||||
CIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA)
|
||||
#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA
|
||||
CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
|
||||
#else
|
||||
XCIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA)
|
||||
XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
|
||||
#endif
|
||||
/* No openssl macro found for 0xfeff */
|
||||
#ifdef SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
|
||||
CIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
|
||||
#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA
|
||||
CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#else
|
||||
XCIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
|
||||
XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
|
||||
#endif
|
||||
#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA
|
||||
CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
|
||||
#else
|
||||
XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
|
||||
#endif
|
||||
#ifdef SSL3_TXT_RSA_RC4_128_SHA
|
||||
CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
|
||||
#else
|
||||
XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
|
||||
#endif
|
||||
#ifdef SSL3_TXT_RSA_RC4_128_MD5
|
||||
CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
|
||||
#else
|
||||
XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
|
||||
#endif
|
||||
|
|
|
@ -0,0 +1,115 @@
|
|||
#!/usr/bin/python
|
||||
# Copyright 2014, The Tor Project, Inc
|
||||
# See LICENSE for licensing information
|
||||
|
||||
# This script parses openssl headers to find ciphersuite names, determines
|
||||
# which ones we should be willing to use as a server, and sorts them according
|
||||
# to preference rules.
|
||||
#
|
||||
# Run it on all the files in your openssl include directory.
|
||||
|
||||
import re
|
||||
import sys
|
||||
|
||||
EPHEMERAL_INDICATORS = [ "_EDH_", "_DHE_", "_ECDHE_" ]
|
||||
BAD_STUFF = [ "_DES_40_", "MD5", "_RC4_", "_DES_64_",
|
||||
"_SEED_", "_CAMELLIA_", "_NULL" ]
|
||||
|
||||
# these never get #ifdeffed.
|
||||
MANDATORY = [
|
||||
"TLS1_TXT_DHE_RSA_WITH_AES_256_SHA",
|
||||
"TLS1_TXT_DHE_RSA_WITH_AES_128_SHA",
|
||||
"SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA",
|
||||
]
|
||||
|
||||
def find_ciphers(filename):
|
||||
with open(filename) as f:
|
||||
for line in f:
|
||||
m = re.search(r'(?:SSL3|TLS1)_TXT_\w+', line)
|
||||
if m:
|
||||
yield m.group(0)
|
||||
|
||||
def usable_cipher(ciph):
|
||||
ephemeral = False
|
||||
for e in EPHEMERAL_INDICATORS:
|
||||
if e in ciph:
|
||||
ephemeral = True
|
||||
if not ephemeral:
|
||||
return False
|
||||
|
||||
if "_RSA_" not in ciph:
|
||||
return False
|
||||
|
||||
for b in BAD_STUFF:
|
||||
if b in ciph:
|
||||
return False
|
||||
return True
|
||||
|
||||
# All fields we sort on, in order of priority.
|
||||
FIELDS = [ 'cipher', 'fwsec', 'mode', 'digest', 'bitlength' ]
|
||||
# Map from sorted fields to recognized value in descending order of goodness
|
||||
FIELD_VALS = { 'cipher' : [ 'AES', 'DES'],
|
||||
'fwsec' : [ 'ECDHE', 'DHE' ],
|
||||
'mode' : [ 'GCM', 'CBC' ],
|
||||
'digest' : [ 'SHA384', 'SHA256', 'SHA' ],
|
||||
'bitlength' : [ '256', '128', '192' ],
|
||||
}
|
||||
|
||||
class Ciphersuite(object):
|
||||
def __init__(self, name, fwsec, cipher, bitlength, mode, digest):
|
||||
self.name = name
|
||||
self.fwsec = fwsec
|
||||
self.cipher = cipher
|
||||
self.bitlength = bitlength
|
||||
self.mode = mode
|
||||
self.digest = digest
|
||||
|
||||
for f in FIELDS:
|
||||
assert(getattr(self, f) in FIELD_VALS[f])
|
||||
|
||||
def sort_key(self):
|
||||
return tuple(FIELD_VALS[f].index(getattr(self,f)) for f in FIELDS)
|
||||
|
||||
|
||||
def parse_cipher(ciph):
|
||||
m = re.match('(?:TLS1|SSL3)_TXT_(EDH|DHE|ECDHE)_RSA(?:_WITH)?_(AES|DES)_(256|128|192)(|_CBC|_CBC3|_GCM)_(SHA|SHA256|SHA384)$', ciph)
|
||||
|
||||
if not m:
|
||||
print "/* Couldn't parse %s ! */"%ciph
|
||||
return None
|
||||
|
||||
fwsec, cipher, bits, mode, digest = m.groups()
|
||||
if fwsec == 'EDH':
|
||||
fwsec = 'DHE'
|
||||
|
||||
if mode in [ '_CBC3', '_CBC', '' ]:
|
||||
mode = 'CBC'
|
||||
elif mode == '_GCM':
|
||||
mode = 'GCM'
|
||||
|
||||
return Ciphersuite(ciph, fwsec, cipher, bits, mode, digest)
|
||||
|
||||
ALL_CIPHERS = []
|
||||
|
||||
for fname in sys.argv[1:]:
|
||||
ALL_CIPHERS += (parse_cipher(c)
|
||||
for c in find_ciphers(fname)
|
||||
if usable_cipher(c) )
|
||||
|
||||
ALL_CIPHERS.sort(key=Ciphersuite.sort_key)
|
||||
|
||||
for c in ALL_CIPHERS:
|
||||
if c is ALL_CIPHERS[-1]:
|
||||
colon = ';'
|
||||
else:
|
||||
colon = ' ":"'
|
||||
|
||||
if c.name in MANDATORY:
|
||||
print " /* Required */"
|
||||
print ' %s%s'%(c.name,colon)
|
||||
else:
|
||||
print "#ifdef %s"%c.name
|
||||
print ' %s%s'%(c.name,colon)
|
||||
print "#endif"
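Review bot: An unparseable name crashes the generator instead of being skipped: `parse_cipher` returns `None` after printing its "Couldn't parse" comment, the `ALL_CIPHERS +=` generator expression keeps that `None`, and `ALL_CIPHERS.sort(key=Ciphersuite.sort_key)` then fails on it. Filter before sorting, e.g. `ALL_CIPHERS = [c for c in ALL_CIPHERS if c is not None]`, or exit non-zero so that a partial list is never pasted into `UNRESTRICTED_SERVER_CIPHER_LIST`. The same name can also be yielded more than once when it appears on several header lines or in several input files, so de-duplicating by `c.name` before printing looks necessary; I have not confirmed that against real OpenSSL headers.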
|
||||
|
||||
|
|
@ -41,12 +41,12 @@ fileA = open(ff('security/manager/ssl/src/nsNSSComponent.cpp'),'r')
|
|||
inCipherSection = False
|
||||
cipherLines = []
|
||||
for line in fileA:
|
||||
if line.startswith('static CipherPref CipherPrefs'):
|
||||
if line.startswith('static const CipherPref sCipherPrefs[]'):
|
||||
# Get the starting boundary of the Cipher Preferences
|
||||
inCipherSection = True
|
||||
elif inCipherSection:
|
||||
line = line.strip()
|
||||
if line.startswith('{NULL, 0}'):
|
||||
if line.startswith('{ nullptr, 0}'):
|
||||
# At the ending boundary of the Cipher Prefs
|
||||
break
|
||||
else:
|
||||
|
@ -56,12 +56,30 @@ fileA.close()
|
|||
# Parse the lines and put them into a dict
|
||||
ciphers = {}
|
||||
cipher_pref = {}
|
||||
key_pending = None
|
||||
for line in cipherLines:
|
||||
m = re.search(r'^{\s*\"([^\"]+)\",\s*(\S*)\s*}', line)
|
||||
m = re.search(r'^{\s*\"([^\"]+)\",\s*(\S+)\s*(?:,\s*(true|false))?\s*}', line)
|
||||
if m:
|
||||
key,value = m.groups()
|
||||
ciphers[key] = value
|
||||
cipher_pref[value] = key
|
||||
assert not key_pending
|
||||
key,value,enabled = m.groups()
|
||||
if enabled == 'true':
|
||||
ciphers[key] = value
|
||||
cipher_pref[value] = key
|
||||
continue
|
||||
m = re.search(r'^{\s*\"([^\"]+)\",', line)
|
||||
if m:
|
||||
assert not key_pending
|
||||
key_pending = m.group(1)
|
||||
continue
|
||||
m = re.search(r'^\s*(\S+)(?:,\s*(true|false))?\s*}', line)
|
||||
if m:
|
||||
assert key_pending
|
||||
key = key_pending
|
||||
value,enabled = m.groups()
|
||||
key_pending = None
|
||||
if enabled == 'true':
|
||||
ciphers[key] = value
|
||||
cipher_pref[value] = key
|
||||
|
||||
####
|
||||
# Now find the correct order for the ciphers
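Review bot: The two-line entry handling in the second hunk is validated only with `assert`, and nothing checks `key_pending` once the `for line in cipherLines` loop ends, so a key whose value line never matches is dropped silently (and every one of these checks disappears under `python -O`). After the loop add `if key_pending: raise ValueError("unterminated CipherPref entry: %s" % key_pending)`. Entries with no `true`/`false` field also fall through `enabled == 'true'` and are discarded without a message. Since this script generates the list of ciphersuites the client advertises, printing the skipped names would make an upstream format change visible instead of quietly shrinking the list.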
|
||||
|
|
|
@ -714,31 +714,47 @@ tor_tls_create_certificate(crypto_pk_t *rsa,
|
|||
/** List of ciphers that servers should select from when we actually have
|
||||
* our choice of what cipher to use. */
|
||||
const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CHC_SHA
|
||||
TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
|
||||
#endif
|
||||
/* This list is autogenerated with the gen_server_ciphers.py script;
|
||||
* don't hand-edit it. */
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
|
||||
TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
|
||||
TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
||||
TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
||||
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 ":"
|
||||
#endif
|
||||
//#if TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
|
||||
// TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA ":"
|
||||
//#endif
|
||||
/* These next two are mandatory. */
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 ":"
|
||||
#endif
|
||||
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 ":"
|
||||
#endif
|
||||
/* Required */
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
|
||||
/* Required */
|
||||
TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
|
||||
#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
|
||||
TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":"
|
||||
#endif
|
||||
SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
|
||||
/* Required */
|
||||
SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
|
||||
|
||||
/* Note: to set up your own private testing network with link crypto
|
||||
* disabled, set your Tors' cipher list to
|
||||
|
@ -1261,6 +1277,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
|
|||
goto error;
|
||||
SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
|
||||
|
||||
/* Prefer the server's ordering of ciphers: the client's ordering has
|
||||
* historically been chosen for fingerprinting resistance. */
|
||||
SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||
|
||||
/* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to
|
||||
* workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
|
||||
* June 2012), wherein renegotiating while using one of these TLS
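Review bot: The comment on `UNRESTRICTED_SERVER_CIPHER_LIST` in the first hunk says the list is generated by gen_server_ciphers.py but not which OpenSSL headers it was generated from, and that input decides the contents. The script only emits names it finds in the headers it is given, so a suite introduced in a later OpenSSL would never get an `#ifdef` entry here. I would extend the comment along the lines of `/* Generated by gen_server_ciphers.py from the headers of OpenSSL <version used>; rerun it when a newer OpenSSL adds suites. */`. The second hunk (`SSL_OP_CIPHER_SERVER_PREFERENCE`) sits inside `tor_tls_context_new`, whose body is mostly outside the view.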
|
||||
|
|
|
@ -148,6 +148,8 @@ struct channel_s {
|
|||
ENUM_BF(circ_id_type_t) circ_id_type:2;
|
||||
/** DOCDOC*/
|
||||
unsigned wide_circ_ids:1;
|
||||
/** Have we logged a warning about circID exhaustion on this channel? */
|
||||
unsigned warned_circ_ids_exhausted:1;
|
||||
/*
|
||||
* Which circ_id do we try to use next on this connection? This is
|
||||
* always in the range 0..1<<15-1.
|
||||
|
|
|
@ -127,7 +127,14 @@ get_unique_circ_id_by_chan(channel_t *chan)
|
|||
/* Make sure we don't loop forever if all circ_id's are used. This
|
||||
* matters because it's an external DoS opportunity.
|
||||
*/
|
||||
log_warn(LD_CIRC,"No unused circ IDs. Failing.");
|
||||
if (! chan->warned_circ_ids_exhausted) {
|
||||
chan->warned_circ_ids_exhausted = 1;
|
||||
log_warn(LD_CIRC,"No unused circIDs found on channel %s wide "
|
||||
"circID support, with %u inbound and %u outbound circuits. "
|
||||
"Failing a circuit.",
|
||||
chan->wide_circ_ids ? "with" : "without",
|
||||
chan->num_p_circuits, chan->num_n_circuits);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
test_circ_id |= high_bit;
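Review bot: Once `warned_circ_ids_exhausted` is set, every later exhaustion on the channel returns 0 with no log line at any level, and nothing in the visible code clears the flag. The comment just above calls this path an external DoS opportunity, so keeping the repeats at a lower severity would preserve the signal without the log spam, e.g. `} else { log_info(LD_CIRC, "No unused circIDs on channel; failing a circuit."); }`. The `%u` conversions also assume `num_p_circuits` and `num_n_circuits` are `unsigned`; their declarations are not in this hunk, so that is worth checking. `get_unique_circ_id_by_chan` starts and ends outside the hunk.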
|
||||
|
|
|
@ -2616,10 +2616,10 @@ options_validate(or_options_t *old_options, or_options_t *options,
|
|||
REJECT("If EntryNodes is set, UseEntryGuards must be enabled.");
|
||||
}
|
||||
|
||||
if (options->MaxMemInCellQueues < (500 << 20)) {
|
||||
log_warn(LD_CONFIG, "MaxMemInCellQueues must be at least 500 MB for now. "
|
||||
if (options->MaxMemInCellQueues < (256 << 20)) {
|
||||
log_warn(LD_CONFIG, "MaxMemInCellQueues must be at least 256 MB for now. "
|
||||
"Ideally, have it as large as you can afford.");
|
||||
options->MaxMemInCellQueues = (500 << 20);
|
||||
options->MaxMemInCellQueues = (256 << 20);
|
||||
}
|
||||
|
||||
options->AllowInvalid_ = 0;
|
||||
|
@ -3062,6 +3062,10 @@ options_validate(or_options_t *old_options, or_options_t *options,
|
|||
REJECT("If you set UseBridges, you must specify at least one bridge.");
|
||||
if (options->UseBridges && !options->TunnelDirConns)
|
||||
REJECT("If you set UseBridges, you must set TunnelDirConns.");
|
||||
if (options->RendConfigLines &&
|
||||
(!options->TunnelDirConns || !options->PreferTunneledDirConns))
|
||||
REJECT("If you are running a hidden service, you must set TunnelDirConns "
|
||||
"and PreferTunneledDirConns");
|
||||
|
||||
for (cl = options->Bridges; cl; cl = cl->next) {
|
||||
if (parse_bridge_line(cl->value, 1)<0)
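Review bot: The hidden-service check in the second hunk (`options->RendConfigLines && (!options->TunnelDirConns || !options->PreferTunneledDirConns)`) has no comment saying why it exists, and its `REJECT` string ends without the period the neighbouring messages have. Going by the changelog entry in this commit, a comment such as `/* Without tunneled directory connections a hidden service would publish its descriptors directly over HTTP (bug 10849). */` would record the reason next to the code. The changelog names only one option, while the check also rejects `PreferTunneledDirConns 0`, so this message is the only place an operator learns of the second requirement. `options_validate` starts and ends outside the hunk.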
|
||||
|
|
|
@ -614,7 +614,7 @@ microdesc_free_(microdesc_t *md, const char *fname, int lineno)
|
|||
}
|
||||
});
|
||||
if (found) {
|
||||
log_warn(LD_BUG, "microdesc_free() called from %s:%d, but md was still "
|
||||
log_info(LD_BUG, "microdesc_free() called from %s:%d, but md was still "
|
||||
"referenced %d node(s); held_by_nodes == %u",
|
||||
fname, lineno, found, md->held_by_nodes);
|
||||
} else {
|
||||
|
|
|
@ -4374,11 +4374,13 @@ microdescs_parse_from_string(const char *s, const char *eos,
|
|||
microdesc_free(md);
|
||||
md = NULL;
|
||||
|
||||
SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
|
||||
memarea_clear(area);
|
||||
smartlist_clear(tokens);
|
||||
s = start_of_next_microdesc;
|
||||
}
|
||||
|
||||
SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
|
||||
memarea_drop_all(area);
|
||||
smartlist_free(tokens);
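Review bot: The `SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));` calls, which appear to be the lines this fix adds, carry no explanation of why they must run before `memarea_clear(area)` and `memarea_drop_all(area)`, and that ordering is the whole fix. Presumably the tokens live in the memarea but can own allocations outside it, so releasing the area first leaves those unreachable. If that is right, say so at both sites with a comment such as `/* Tokens may own heap data outside the area: clear them before the area is released. */`. A regression test that feeds a microdescriptor failing in the tokenizing step would keep the leak from returning. `microdescs_parse_from_string` begins and ends outside the hunk.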
|
||||
|
||||
|
|