[tor-commits] [tor/master] Revert "Try using SSL_get_ciphers in place of session->ciphers"

nickm at torproject.org nickm at torproject.org
Fri May 22 14:22:47 UTC 2015


commit c8024b633eeff6161292666b209b538fda9df4ab
Author: Nick Mathewson <nickm at torproject.org>
Date:   Fri May 22 10:22:11 2015 -0400

    Revert "Try using SSL_get_ciphers in place of session->ciphers"
    
    This reverts commit 67964cfa787461bc56380fe46439fd5c9863bb4f.
    
    It was the cause of #16153, and was not in any released Tor.  We need
    a better solution for getting session->ciphers.
---
 src/common/tortls.c |   36 +++++-------------------------------
 1 file changed, 5 insertions(+), 31 deletions(-)

diff --git a/src/common/tortls.c b/src/common/tortls.c
index 57d5408..2b8daaa 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1597,39 +1597,13 @@ tor_tls_classify_client_ciphers(const SSL *ssl,
 static int
 tor_tls_client_is_using_v2_ciphers(const SSL *ssl)
 {
-  STACK_OF(SSL_CIPHER) *ciphers = SSL_get_ciphers(ssl);
-
-#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)
-  {
-    SSL_SESSION *session;
-    STACK_OF(SSL_CIPHER) *c1;
-    int i;
-    if (!(session = SSL_get_session((SSL *)ssl))) {
-      log_info(LD_NET, "No session on TLS?");
-      return CIPHERS_ERR;
-    }
-    c1 = session->ciphers;
-
-    if (sk_SSL_CIPHER_num(c1) != sk_SSL_CIPHER_num(ciphers)) {
-      log_warn(LD_BUG, "Whoops. session->ciphers doesn't "
-               "match SSL_get_ciphers()");
-      return 0;
-    }
-    for (i = 0; i < sk_SSL_CIPHER_num(c1); ++i) {
-      SSL_CIPHER *a = sk_SSL_CIPHER_value(ciphers, i);
-      SSL_CIPHER *b = sk_SSL_CIPHER_value(c1, i);
-      unsigned long a_id = SSL_CIPHER_get_id(a);
-      unsigned long b_id = SSL_CIPHER_get_id(b);
-      if (a_id != b_id) {
-        log_warn(LD_BUG, "Cipher mismatch between session->ciphers and "
-                 "SSL_get_ciphers() at %d: %lx vs %lx", i,
-                 a_id, b_id);
-      }
-    }
+  SSL_SESSION *session;
+  if (!(session = SSL_get_session((SSL *)ssl))) {
+    log_info(LD_NET, "No session on TLS?");
+    return CIPHERS_ERR;
   }
-#endif
 
-  return tor_tls_classify_client_ciphers(ssl, ciphers) >= CIPHERS_V2;
+  return tor_tls_classify_client_ciphers(ssl, session->ciphers) >= CIPHERS_V2;
 }
 
 /** Invoked when we're accepting a connection on <b>ssl</b>, and the connection
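Review bot: The restored return line reads `session->ciphers` straight from the SSL_SESSION struct, and the removed lines show that direct member access was only valid under an `OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0)` guard, so the new code presumably will not build against OpenSSL versions that make SSL_SESSION opaque; the commit message itself says a better solution is needed. A comment on that line should record the known gap so the next reader does not take it as settled, e.g. `/* XXX direct session->ciphers access; needs an accessor once SSL_SESSION is opaque (#16153) */`. The `(SSL *)ssl` cast in the `SSL_get_session` call also discards the parameter's const qualifier without explanation; a one-line comment noting why the cast is needed would help. The function is fully inside the hunk.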


