[tor-commits] [tor/master] Stop looking at session->ciphers when possible

commit 95375963981bb2346429de86b0cbb558d6b399d5 Author: Nick Mathewson nickm@torproject.org Date: Tue May 26 11:05:36 2015 -0400

Stop looking at session->ciphers when possible

If the OpenSSL team accepts my patch to add an SSL_get_client_ciphers function, this patch will make Tor use it when available, thereby working better with openssl 1.1. --- configure.ac | 17 +++++++++++++++++ src/common/tortls.c | 8 +++++++- 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac index cc271c8..ede8f84 100644 --- a/configure.ac +++ b/configure.ac @@ -623,10 +623,27 @@ else fi AC_SUBST(TOR_OPENSSL_LIBS)

+dnl Now check for particular openssl functions. +save_LIBS="$LIBS" +save_LDFLAGS="$LDFLAGS" +save_CPPFLAGS="$CPPFLAGS" +LIBS="$TOR_OPENSSL_LIBS $LIBS" +LDFLAGS="$TOR_LDFLAGS_openssl $LDFLAGS" +CPPFLAGS="$TOR_CPPFLAGS_openssl $CPPFLAGS" AC_CHECK_MEMBERS([struct ssl_method_st.get_cipher_by_char], , , [#include <openssl/ssl.h> ])

+AC_CHECK_FUNCS([ \ + SSL_SESSION_get_master_key \ + SSL_get_server_random \ + SSL_get_client_ciphers \ + SSL_get_client_random \ + ]) +LIBS="$save_LIBS" +LDFLAGS="$save_LDFLAGS" +CPPFLAGS="$save_CPPFLAGS" + dnl ------------------------------------------------------ dnl Where do you live, zlib? And how do we call you?

diff --git a/src/common/tortls.c b/src/common/tortls.c index 01bccd7..d4a565c 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1644,13 +1644,19 @@ tor_tls_classify_client_ciphers(const SSL *ssl, static int tor_tls_client_is_using_v2_ciphers(const SSL *ssl) { + STACK_OF(SSL_CIPHER) *ciphers; +#ifdef HAVE_SSL_GET_CLIENT_CIPHERS + ciphers = SSL_get_client_ciphers(ssl); +#else SSL_SESSION *session; if (!(session = SSL_get_session((SSL *)ssl))) { log_info(LD_NET, "No session on TLS?"); return CIPHERS_ERR; } + ciphers = session->ciphers; +#endif

- return tor_tls_classify_client_ciphers(ssl, session->ciphers) >= CIPHERS_V2; + return tor_tls_classify_client_ciphers(ssl, ciphers) >= CIPHERS_V2; }

/** Invoked when we're accepting a connection on <b>ssl</b>, and the connection