aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/common/ciphers.inc169
-rwxr-xr-xsrc/common/gen_server_ciphers.py115
-rw-r--r--src/common/get_mozilla_ciphers.py30
-rw-r--r--src/common/tortls.c40
-rw-r--r--src/or/config.c10
-rw-r--r--src/or/entrynodes.c6
-rw-r--r--src/or/microdesc.c2
-rw-r--r--src/or/routerlist.c6
-rw-r--r--src/or/routerparse.c2
9 files changed, 238 insertions, 142 deletions
diff --git a/src/common/ciphers.inc b/src/common/ciphers.inc
index 137d78b11..ab4ac4072 100644
--- a/src/common/ciphers.inc
+++ b/src/common/ciphers.inc
@@ -4,86 +4,51 @@
*
* This file was automatically generated by get_mozilla_ciphers.py.
*/
-#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- CIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
-#else
- XCIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
- CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
-#else
- XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
- CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
-#else
- XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
- CIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
#else
- XCIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA)
+ XCIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
#endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
- CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ CIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
#else
- XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
+ XCIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
#endif
-#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA
- CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
+#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+ CIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
#else
- XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
+ XCIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
#endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA
- CIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+ CIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
#else
- XCIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA)
+ XCIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
#endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- CIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
+ CIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
#else
- XCIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA)
+ XCIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
#endif
-#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA
- CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
#else
- XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
+ XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA)
#endif
-#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA
- CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
+ CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
#else
- XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
+ XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
#endif
#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA
CIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
#else
XCIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA)
#endif
-#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- CIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
-#else
- XCIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
-#endif
#ifdef TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
CIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
#else
XCIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA)
#endif
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
- CIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-#else
- XCIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
- CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
-#else
- XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
- CIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
-#else
- XCIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA)
-#endif
#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA
CIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA)
#else
@@ -94,89 +59,63 @@
#else
XCIPHER(0x0032, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA)
#endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA
- CIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA)
-#else
- XCIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA)
-#endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA
- CIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA)
-#else
- XCIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA)
-#endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA
- CIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA)
-#else
- XCIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA)
-#endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- CIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
+#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+ CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
#else
- XCIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA)
+ XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA)
#endif
-#ifdef TLS1_TXT_RSA_WITH_SEED_SHA
- CIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA)
+#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA
+ CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
#else
- XCIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA)
+ XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA)
#endif
-#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA
- CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
+#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA
+ CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
#else
- XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
+ XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA)
#endif
-#ifdef SSL3_TXT_RSA_RC4_128_MD5
- CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
+#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+ CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
#else
- XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
+ XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA)
#endif
-#ifdef SSL3_TXT_RSA_RC4_128_SHA
- CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
+#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
+ CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
#else
- XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
+ XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
#endif
#ifdef TLS1_TXT_RSA_WITH_AES_128_SHA
CIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
#else
XCIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA)
#endif
-#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA
- CIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA)
-#else
- XCIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA)
-#endif
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
- CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
-#else
- XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA)
-#endif
-#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
- CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
+#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA
+ CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
#else
- XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
+ XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA)
#endif
-#ifdef SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA
- CIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
+#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA
+ CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
#else
- XCIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA)
+ XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA)
#endif
-#ifdef TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA
- CIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
+#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA
+ CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
#else
- XCIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA)
+ XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA)
#endif
-#ifdef TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA
- CIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA)
+#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA
+ CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
#else
- XCIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA)
+ XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
#endif
-/* No openssl macro found for 0xfeff */
-#ifdef SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
- CIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
+#ifdef SSL3_TXT_RSA_RC4_128_SHA
+ CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
#else
- XCIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
+ XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA)
#endif
-#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA
- CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
+#ifdef SSL3_TXT_RSA_RC4_128_MD5
+ CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
#else
- XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA)
+ XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5)
#endif
diff --git a/src/common/gen_server_ciphers.py b/src/common/gen_server_ciphers.py
new file mode 100755
index 000000000..97ed9d046
--- /dev/null
+++ b/src/common/gen_server_ciphers.py
@@ -0,0 +1,115 @@
+#!/usr/bin/python
+# Copyright 2014, The Tor Project, Inc
+# See LICENSE for licensing information
+
+# This script parses openssl headers to find ciphersuite names, determines
+# which ones we should be willing to use as a server, and sorts them according
+# to preference rules.
+#
+# Run it on all the files in your openssl include directory.
+
+import re
+import sys
+
+EPHEMERAL_INDICATORS = [ "_EDH_", "_DHE_", "_ECDHE_" ]
+BAD_STUFF = [ "_DES_40_", "MD5", "_RC4_", "_DES_64_",
+ "_SEED_", "_CAMELLIA_", "_NULL" ]
+
+# these never get #ifdeffed.
+MANDATORY = [
+ "TLS1_TXT_DHE_RSA_WITH_AES_256_SHA",
+ "TLS1_TXT_DHE_RSA_WITH_AES_128_SHA",
+ "SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA",
+]
+
+def find_ciphers(filename):
+ with open(filename) as f:
+ for line in f:
+ m = re.search(r'(?:SSL3|TLS1)_TXT_\w+', line)
+ if m:
+ yield m.group(0)
+
+def usable_cipher(ciph):
+ ephemeral = False
+ for e in EPHEMERAL_INDICATORS:
+ if e in ciph:
+ ephemeral = True
+ if not ephemeral:
+ return False
+
+ if "_RSA_" not in ciph:
+ return False
+
+ for b in BAD_STUFF:
+ if b in ciph:
+ return False
+ return True
+
+# All fields we sort on, in order of priority.
+FIELDS = [ 'cipher', 'fwsec', 'mode', 'digest', 'bitlength' ]
+# Map from sorted fields to recognized value in descending order of goodness
+FIELD_VALS = { 'cipher' : [ 'AES', 'DES'],
+ 'fwsec' : [ 'ECDHE', 'DHE' ],
+ 'mode' : [ 'GCM', 'CBC' ],
+ 'digest' : [ 'SHA384', 'SHA256', 'SHA' ],
+ 'bitlength' : [ '256', '128', '192' ],
+}
+
+class Ciphersuite(object):
+ def __init__(self, name, fwsec, cipher, bitlength, mode, digest):
+ self.name = name
+ self.fwsec = fwsec
+ self.cipher = cipher
+ self.bitlength = bitlength
+ self.mode = mode
+ self.digest = digest
+
+ for f in FIELDS:
+ assert(getattr(self, f) in FIELD_VALS[f])
+
+ def sort_key(self):
+ return tuple(FIELD_VALS[f].index(getattr(self,f)) for f in FIELDS)
+
+
+def parse_cipher(ciph):
+ m = re.match('(?:TLS1|SSL3)_TXT_(EDH|DHE|ECDHE)_RSA(?:_WITH)?_(AES|DES)_(256|128|192)(|_CBC|_CBC3|_GCM)_(SHA|SHA256|SHA384)$', ciph)
+
+ if not m:
+ print "/* Couldn't parse %s ! */"%ciph
+ return None
+
+ fwsec, cipher, bits, mode, digest = m.groups()
+ if fwsec == 'EDH':
+ fwsec = 'DHE'
+
+ if mode in [ '_CBC3', '_CBC', '' ]:
+ mode = 'CBC'
+ elif mode == '_GCM':
+ mode = 'GCM'
+
+ return Ciphersuite(ciph, fwsec, cipher, bits, mode, digest)
+
+ALL_CIPHERS = []
+
+for fname in sys.argv[1:]:
+ ALL_CIPHERS += (parse_cipher(c)
+ for c in find_ciphers(fname)
+ if usable_cipher(c) )
+
+ALL_CIPHERS.sort(key=Ciphersuite.sort_key)
+
+for c in ALL_CIPHERS:
+ if c is ALL_CIPHERS[-1]:
+ colon = ';'
+ else:
+ colon = ' ":"'
+
+ if c.name in MANDATORY:
+ print " /* Required */"
+ print ' %s%s'%(c.name,colon)
+ else:
+ print "#ifdef %s"%c.name
+ print ' %s%s'%(c.name,colon)
+ print "#endif"
+
+
diff --git a/src/common/get_mozilla_ciphers.py b/src/common/get_mozilla_ciphers.py
index c7e9a84a0..0636eb365 100644
--- a/src/common/get_mozilla_ciphers.py
+++ b/src/common/get_mozilla_ciphers.py
@@ -41,12 +41,12 @@ fileA = open(ff('security/manager/ssl/src/nsNSSComponent.cpp'),'r')
inCipherSection = False
cipherLines = []
for line in fileA:
- if line.startswith('static CipherPref CipherPrefs'):
+ if line.startswith('static const CipherPref sCipherPrefs[]'):
# Get the starting boundary of the Cipher Preferences
inCipherSection = True
elif inCipherSection:
line = line.strip()
- if line.startswith('{NULL, 0}'):
+ if line.startswith('{ nullptr, 0}'):
# At the ending boundary of the Cipher Prefs
break
else:
@@ -56,12 +56,30 @@ fileA.close()
# Parse the lines and put them into a dict
ciphers = {}
cipher_pref = {}
+key_pending = None
for line in cipherLines:
- m = re.search(r'^{\s*\"([^\"]+)\",\s*(\S*)\s*}', line)
+ m = re.search(r'^{\s*\"([^\"]+)\",\s*(\S+)\s*(?:,\s*(true|false))?\s*}', line)
if m:
- key,value = m.groups()
- ciphers[key] = value
- cipher_pref[value] = key
+ assert not key_pending
+ key,value,enabled = m.groups()
+ if enabled == 'true':
+ ciphers[key] = value
+ cipher_pref[value] = key
+ continue
+ m = re.search(r'^{\s*\"([^\"]+)\",', line)
+ if m:
+ assert not key_pending
+ key_pending = m.group(1)
+ continue
+ m = re.search(r'^\s*(\S+)(?:,\s*(true|false))?\s*}', line)
+ if m:
+ assert key_pending
+ key = key_pending
+ value,enabled = m.groups()
+ key_pending = None
+ if enabled == 'true':
+ ciphers[key] = value
+ cipher_pref[value] = key
####
# Now find the correct order for the ciphers
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 8eb524ebf..8f3f6a713 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -714,31 +714,47 @@ tor_tls_create_certificate(crypto_pk_t *rsa,
/** List of ciphers that servers should select from when we actually have
* our choice of what cipher to use. */
const char UNRESTRICTED_SERVER_CIPHER_LIST[] =
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CHC_SHA
- TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
-#endif
+ /* This list is autogenerated with the gen_server_ciphers.py script;
+ * don't hand-edit it. */
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":"
#endif
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":"
+#endif
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384
+ TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 ":"
+#endif
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256
TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":"
#endif
+#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":"
+#endif
#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":"
#endif
-#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384
+ TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 ":"
+#endif
+#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256
+ TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 ":"
+#endif
+#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256
+ TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 ":"
+#endif
+#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256
+ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 ":"
#endif
-//#if TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA
-// TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA ":"
-//#endif
- /* These next two are mandatory. */
- TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
- TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
+ /* Required */
+ TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"
+ /* Required */
+ TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"
#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA
TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":"
#endif
- SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
+ /* Required */
+ SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA;
/* Note: to set up your own private testing network with link crypto
* disabled, set your Tors' cipher list to
diff --git a/src/or/config.c b/src/or/config.c
index ef0294626..09fdc0c49 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -2616,10 +2616,10 @@ options_validate(or_options_t *old_options, or_options_t *options,
REJECT("If EntryNodes is set, UseEntryGuards must be enabled.");
}
- if (options->MaxMemInCellQueues < (500 << 20)) {
- log_warn(LD_CONFIG, "MaxMemInCellQueues must be at least 500 MB for now. "
+ if (options->MaxMemInCellQueues < (256 << 20)) {
+ log_warn(LD_CONFIG, "MaxMemInCellQueues must be at least 256 MB for now. "
"Ideally, have it as large as you can afford.");
- options->MaxMemInCellQueues = (500 << 20);
+ options->MaxMemInCellQueues = (256 << 20);
}
options->AllowInvalid_ = 0;
@@ -3062,6 +3062,10 @@ options_validate(or_options_t *old_options, or_options_t *options,
REJECT("If you set UseBridges, you must specify at least one bridge.");
if (options->UseBridges && !options->TunnelDirConns)
REJECT("If you set UseBridges, you must set TunnelDirConns.");
+ if (options->RendConfigLines &&
+ (!options->TunnelDirConns || !options->PreferTunneledDirConns))
+ REJECT("If you are running a hidden service, you must set TunnelDirConns "
+ "and PreferTunneledDirConns");
for (cl = options->Bridges; cl; cl = cl->next) {
if (parse_bridge_line(cl->value, 1)<0)
diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c
index 2aa063cda..59770fa65 100644
--- a/src/or/entrynodes.c
+++ b/src/or/entrynodes.c
@@ -2115,8 +2115,12 @@ learned_bridge_descriptor(routerinfo_t *ri, int from_cache)
* our entry node list */
entry_guard_register_connect_status(ri->cache_info.identity_digest,
1, 0, now);
- if (first)
+ if (first) {
+ /* XXXX apparently, this is never called. See bug #9229. */
routerlist_retry_directory_downloads(now);
+ }
+
+ update_networkstatus_downloads(now);
}
}
}
diff --git a/src/or/microdesc.c b/src/or/microdesc.c
index 90ac0ac64..0e72c0b89 100644
--- a/src/or/microdesc.c
+++ b/src/or/microdesc.c
@@ -614,7 +614,7 @@ microdesc_free_(microdesc_t *md, const char *fname, int lineno)
}
});
if (found) {
- log_warn(LD_BUG, "microdesc_free() called from %s:%d, but md was still "
+ log_info(LD_BUG, "microdesc_free() called from %s:%d, but md was still "
"referenced %d node(s); held_by_nodes == %u",
fname, lineno, found, md->held_by_nodes);
} else {
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index b49dc1ac0..8fe496b51 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -635,10 +635,8 @@ authority_cert_dl_failed(const char *id_digest,
static const char *BAD_SIGNING_KEYS[] = {
"09CD84F751FD6E955E0F8ADB497D5401470D697E", // Expires 2015-01-11 16:26:31
-// dizum still needs to rotate as of 2014-04-14
-//"0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26
-// dannenberg still needs to rotate as of 2014-04-14
-//"57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09
+ "0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26
+ "57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09
"87326329007AF781F587AF5B594E540B2B6C7630", // Expires 2014-07-17 11:10:09
"98CC82342DE8D298CF99D3F1A396475901E0D38E", // Expires 2014-11-10 13:18:56
"9904B52336713A5ADCB13E4FB14DC919E0D45571", // Expires 2014-04-20 20:01:01
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index a9c711be0..01f65f262 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4374,11 +4374,13 @@ microdescs_parse_from_string(const char *s, const char *eos,
microdesc_free(md);
md = NULL;
+ SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
memarea_clear(area);
smartlist_clear(tokens);
s = start_of_next_microdesc;
}
+ SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
memarea_drop_all(area);
smartlist_free(tokens);
generated by cgit v1.2.3 (git 2.25.4) at 2024-05-23 03:45:43 +0000