authorNick Mathewson <nickm@torproject.org>2015-05-14 08:42:08 -0400
committerNick Mathewson <nickm@torproject.org>2015-05-20 15:27:36 -0400
commit67964cfa787461bc56380fe46439fd5c9863bb4f (patch)
tree3db93cadba09ec1d72250cd6becd454d83b1459f
parent2f7c9b6ecb1a7855167b2c65781b2c4b1b014807 (diff)
Try using SSL_get_ciphers in place of session->ciphers
This should help openssl 1.1. On pre-1.1, we double-check that these two methods give us the same list, since the underlying code is awfully hairy.
-rw-r--r--src/common/tortls.c34
1 files changed, 29 insertions, 5 deletions
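--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1663,13 +1663,37 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
 static int
 tor_tls_client_is_using_v2_ciphers(const SSL *ssl)
 {
- SSL_SESSION *session;
- if (!(session = SSL_get_session((SSL *)ssl))) {
- log_info(LD_NET, "No session on TLS?");
- return CIPHERS_ERR;
+ STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
+
+#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
+ {
+ SSL_SESSION *session;
+ STACK_OF(SSL_CIPHER) *c1;
+ int i;
+ if (!(session = SSL_get_session((SSL *)ssl))) {
+ log_info(LD_NET, "No session on TLS?");
+ return CIPHERS_ERR;
+ }
+ c1 = session->ciphers;
+
+ if (sk_SSL_CIPHER_num(c1) != sk_SSL_CIPHER_num(ciphers)) {
+ log_warn(LD_BUG, "Whoops. session->ciphers doesn't "
+ "match SSL_get_ciphers()");
+ return 0;
+ }
+ for (i = 0; i < sk_SSL_CIPHER_num(c1); ++i) {
+ SSL_CIPHER *a = sk_SSL_CIPHER_value(ciphers, i);
+ SSL_CIPHER *b = sk_SSL_CIPHER_value(c1, i);
+ if (a->id != b->id) {
+ log_warn(LD_BUG, "Cipher mismatch between session->ciphers and "
+ "SSL_get_ciphers() at %d: %u vs %u", i,
+ (unsigned)a, (unsigned)b);
+ }
+ }
 }
+#endif
- return tor_tls_classify_client_ciphers(ssl, session->ciphers) >= CIPHERS_V2;
+ return tor_tls_classify_client_ciphers(ssl, ciphers) >= CIPHERS_V2;
 }
 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection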
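Review bot: The mismatch log_warn in the pre-1.1 block casts the SSL_CIPHER pointers `a` and `b` to unsigned instead of printing the ids that were just compared, so the message shows truncated heap addresses (and narrowing a pointer to unsigned is a format/type mismatch on 64-bit), which is both useless for diagnosing the mismatch and puts object addresses into the log. The compared field is `a->id`/`b->id`, so the call should read `"SSL_get_ciphers() at %d: %lu vs %lu", i,` followed by `(unsigned long)a->id, (unsigned long)b->id);`, the cast keeping the specifier correct whatever integer width OpenSSL declares for `id`. Separately, the count-mismatch branch returns 0 ("not v2") while the element-mismatch branch only warns and falls through to classify `ciphers`; if the intent is a consistency check rather than a policy decision, both paths should probably fall through the same way, or a comment should state why a count mismatch is treated as a negative answer.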