Try using SSL_get_ciphers in place of session->ciphers

This should help openssl 1.1.  On pre-1.1, we double-check that these
two methods give us the same list, since the underlying code is awfully
hairy.
This commit is contained in:
Nick Mathewson 2015-05-14 08:42:08 -04:00
parent 2f7c9b6ecb
commit 67964cfa78

View File

@ -1663,13 +1663,37 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
static int static int
tor_tls_client_is_using_v2_ciphers(const SSL *ssl) tor_tls_client_is_using_v2_ciphers(const SSL *ssl)
{ {
STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
{
SSL_SESSION *session; SSL_SESSION *session;
STACK_OF(SSL_CIPHER) *c1;
int i;
if (!(session = SSL_get_session((SSL *)ssl))) { if (!(session = SSL_get_session((SSL *)ssl))) {
log_info(LD_NET, "No session on TLS?"); log_info(LD_NET, "No session on TLS?");
return CIPHERS_ERR; return CIPHERS_ERR;
} }
c1 = session->ciphers;
return tor_tls_classify_client_ciphers(ssl, session->ciphers) >= CIPHERS_V2; if (sk_SSL_CIPHER_num(c1) != sk_SSL_CIPHER_num(ciphers)) {
log_warn(LD_BUG, "Whoops. session->ciphers doesn't "
"match SSL_get_ciphers()");
return 0;
}
for (i = 0; i < sk_SSL_CIPHER_num(c1); ++i) {
SSL_CIPHER *a = sk_SSL_CIPHER_value(ciphers, i);
SSL_CIPHER *b = sk_SSL_CIPHER_value(c1, i);
if (a->id != b->id) {
log_warn(LD_BUG, "Cipher mismatch between session->ciphers and "
"SSL_get_ciphers() at %d: %u vs %u", i,
(unsigned)a, (unsigned)b);
}
}
}
#endif
return tor_tls_classify_client_ciphers(ssl, ciphers) >= CIPHERS_V2;
} }
/** Invoked when we're accepting a connection on <b>ssl</b>, and the connection /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection