
commit da60d5c1e64a18dc12cdbd4de4480731c164d0e6
parent ae9a9422099652662c14949a52e9121b17dd9104
Author: Nick Mathewson <nickm@torproject.org>
Date:   Wed, 21 May 2025 13:19:58 -0400

Merge branch 'openssl-cleanup' into 'main'

Clean up some legacy OpenSSL code

See merge request tpo/core/tor!895
Diffstat:
Mconfigure.ac | 1-
Msrc/lib/tls/tortls.h | 2--
Msrc/lib/tls/tortls_nss.c | 24------------------------
Msrc/lib/tls/tortls_openssl.c | 22+---------------------
Msrc/lib/tls/tortls_st.h | 3---
Msrc/test/test_tortls_openssl.c | 155-------------------------------------------------------------------------------
6 files changed, 1 insertion(+), 206 deletions(-)

diff --git a/configure.ac b/configure.ac
@@ -1156,7 +1156,6 @@ dnl confusing with LibreSSL, OpenSSL, and various distributions' patches
 dnl to them.
 AC_CHECK_FUNCS([ \
 EVP_PBE_scrypt \
- SSL_CTX_set1_groups_list \
 SSL_CTX_set_security_level
 ])
diff --git a/src/lib/tls/tortls.h b/src/lib/tls/tortls.h
@@ -136,8 +136,6 @@ int tor_tls_get_my_certs(int server,
 const struct tor_x509_cert_t **link_cert_out,
 const struct tor_x509_cert_t **id_cert_out);
-const char *tor_tls_get_ciphersuite_name(tor_tls_t *tls);
-
 int evaluate_ecgroup_for_tls(const char *ecgroup);
 #endif /* !defined(TOR_TORTLS_H) */
diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c
@@ -744,30 +744,6 @@ tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out,
 return (s == SECSuccess) ? 0 : -1;
 }
-const char *
-tor_tls_get_ciphersuite_name(tor_tls_t *tls)
-{
- tor_assert(tls);
-
- SSLChannelInfo channel_info;
- SSLCipherSuiteInfo cipher_info;
-
- memset(&channel_info, 0, sizeof(channel_info));
- memset(&cipher_info, 0, sizeof(cipher_info));
-
- SECStatus s = SSL_GetChannelInfo(tls->ssl,
- &channel_info, sizeof(channel_info));
- if (s != SECSuccess)
- return NULL;
-
- s = SSL_GetCipherSuiteInfo(channel_info.cipherSuite,
- &cipher_info, sizeof(cipher_info));
- if (s != SECSuccess)
- return NULL;
-
- return cipher_info.cipherSuiteName;
-}
-
 /** The group we should use for ecdhe when none was selected. */
 #define SEC_OID_TOR_DEFAULT_ECDHE_GROUP SEC_OID_ANSIX962_EC_PRIME256V1
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
@@ -533,9 +533,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
 SSL_CTX_set_tmp_dh(result->ctx, dh);
 DH_free(dh);
 }
-/* We check for this function in two ways, since it might be either a symbol
- * or a macro. */
-#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)
+ {
 // We'd like to say something like:
 // "?X25519MLKEM768:P-256:P-224"
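Review bot: The bare `+ {` that replaces the `#if defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1_GROUPS_LIST)` guard leaves no record of why the block is now unconditional, and since the configure.ac probe for that function is dropped in the same commit, any `HAVE_SSL_CTX_SET1_GROUPS_LIST` reference surviving elsewhere in the tree would turn into silently-false dead code rather than a build error, so the merge is worth a grep for that macro. I would open the block with a short comment stating the library assumption, e.g. `/* Unconditional: we require an OpenSSL/LibreSSL that provides SSL_CTX_set1_groups_list; the SSL_CTX_set_tmp_ecdh fallback for older libraries has been removed. */`, so the minimum-version requirement is visible at the point of use and not only in git history. The removed `#else` path ran only when `! is_client`, whereas the group-list block presumably now applies to clients and servers alike; if that is intended (a client advertising the same group preferences), a word in that comment would settle it. tor_tls_context_new begins before and continues past this hunk.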
@@ -591,17 +589,6 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
 "Using library defaults");
 }
 }
-#else /* !(defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SE...)) */
- if (! is_client) {
- int nid;
- EC_KEY *ec_key;
- nid = NID_tor_default_ecdhe_group;
- ec_key = EC_KEY_new_by_curve_name(nid);
- if (ec_key != NULL) /*XXXX Handle errors? */
- SSL_CTX_set_tmp_ecdh(result->ctx, ec_key);
- EC_KEY_free(ec_key);
- }
-#endif /* defined(SSL_CTX_set1_groups_list) || defined(HAVE_SSL_CTX_SET1...) */
 if (is_client) {
 SSL_CTX_set_verify(result->ctx, SSL_VERIFY_PEER,
@@ -639,13 +626,6 @@ tor_tls_debug_state_callback(const SSL *ssl, int type, int val)
 /* LCOV_EXCL_STOP */
 }
-/* Return the name of the negotiated ciphersuite in use on <b>tls</b> */
-const char *
-tor_tls_get_ciphersuite_name(tor_tls_t *tls)
-{
- return SSL_get_cipher(tls->ssl);
-}
-
 /** Create a new TLS object from a file descriptor, and a flag to
 * determine whether it is functioning as a server. */
diff --git a/src/lib/tls/tortls_st.h b/src/lib/tls/tortls_st.h
@@ -50,9 +50,6 @@ struct tor_tls_t {
 * have completed successfully. */
 unsigned int isServer:1; /**< True iff this is a server-side connection */
 #ifdef ENABLE_OPENSSL
- /** Return value from tor_tls_classify_client_ciphers, or 0 if we haven't
- * called that function yet. */
- int8_t client_cipher_list_type;
 size_t wantwrite_n; /**< 0 normally, >0 if we returned wantwrite last
 * time. */
 /** Last values retrieved from BIO_number_read()/write(); see
diff --git a/src/test/test_tortls_openssl.c b/src/test/test_tortls_openssl.c
@@ -498,143 +498,6 @@ test_tortls_cert_get_key(void *ignored)
 #endif /* !defined(OPENSSL_OPAQUE) */
 #ifndef OPENSSL_OPAQUE
-static void
-test_tortls_get_ciphersuite_name(void *ignored)
-{
- (void)ignored;
- const char *ret;
- tor_tls_t *ctx;
- ctx = tor_malloc_zero(sizeof(tor_tls_t));
- ctx->ssl = tor_malloc_zero(sizeof(SSL));
-
- ret = tor_tls_get_ciphersuite_name(ctx);
- tt_str_op(ret, OP_EQ, "(NONE)");
-
- done:
- tor_free(ctx->ssl);
- tor_free(ctx);
-}
-
-static SSL_CIPHER *
-get_cipher_by_id(uint16_t id)
-{
- int i;
- const SSL_METHOD *method = SSLv23_method();
- int num = method->num_ciphers();
- for (i = 0; i < num; ++i) {
- const SSL_CIPHER *cipher = method->get_cipher(i);
- if (id == (SSL_CIPHER_get_id(cipher) & 0xffff)) {
- return (SSL_CIPHER *)cipher;
- }
- }
-
- return NULL;
-}
-
-static void
-test_tortls_classify_client_ciphers(void *ignored)
-{
- (void)ignored;
- int i;
- int ret;
- SSL_CTX *ctx;
- SSL *ssl;
- tor_tls_t *tls;
- STACK_OF(SSL_CIPHER) *ciphers;
- SSL_CIPHER *tmp_cipher;
-
- library_init();
-
- tor_tls_allocate_tor_tls_object_ex_data_index();
-
- tls = tor_malloc_zero(sizeof(tor_tls_t));
- tls->magic = TOR_TLS_MAGIC;
-
- ctx = SSL_CTX_new(TLSv1_method());
- ssl = SSL_new(ctx);
- tls->ssl = ssl;
-
- ciphers = sk_SSL_CIPHER_new_null();
-
- ret = tor_tls_classify_client_ciphers(ssl, NULL);
- tt_int_op(ret, OP_EQ, -1);
-
- SSL_set_ex_data(ssl, tor_tls_object_ex_data_index, tls);
- tls->client_cipher_list_type = 42;
-
- ret = tor_tls_classify_client_ciphers(ssl, NULL);
- tt_int_op(ret, OP_EQ, 42);
-
- tls->client_cipher_list_type = 0;
- ret = tor_tls_classify_client_ciphers(ssl, ciphers);
- tt_int_op(ret, OP_EQ, 1);
- tt_int_op(tls->client_cipher_list_type, OP_EQ, 1);
-
- tls->client_cipher_list_type = 0;
- ret = tor_tls_classify_client_ciphers(ssl, SSL_get_ciphers(ssl));
- tt_int_op(ret, OP_EQ, 3);
- tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
-
- SSL_CIPHER *one = get_cipher_by_name(TLS1_TXT_DHE_RSA_WITH_AES_128_SHA),
- *two =
get_cipher_by_name(TLS1_TXT_DHE_RSA_WITH_AES_256_SHA),
- *three = get_cipher_by_name(SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA),
- *four = NULL;
- sk_SSL_CIPHER_push(ciphers, one);
- sk_SSL_CIPHER_push(ciphers, two);
- sk_SSL_CIPHER_push(ciphers, three);
- sk_SSL_CIPHER_push(ciphers, four);
-
- tls->client_cipher_list_type = 0;
- ret = tor_tls_classify_client_ciphers(ssl, ciphers);
- tt_int_op(ret, OP_EQ, 1);
- tt_int_op(tls->client_cipher_list_type, OP_EQ, 1);
-
- sk_SSL_CIPHER_zero(ciphers);
-
- one = get_cipher_by_name("ECDHE-RSA-AES256-GCM-SHA384");
- tt_assert(one);
- one->id = 0x00ff;
- two = get_cipher_by_name("ECDHE-RSA-AES128-GCM-SHA256");
- tt_assert(two);
- two->id = 0x0000;
- sk_SSL_CIPHER_push(ciphers, one);
- tls->client_cipher_list_type = 0;
- ret = tor_tls_classify_client_ciphers(ssl, ciphers);
- tt_int_op(ret, OP_EQ, 3);
- tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
-
- sk_SSL_CIPHER_push(ciphers, two);
- tls->client_cipher_list_type = 0;
- ret = tor_tls_classify_client_ciphers(ssl, ciphers);
- tt_int_op(ret, OP_EQ, 3);
- tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
-
- one->id = 0xC00A;
- tls->client_cipher_list_type = 0;
- ret = tor_tls_classify_client_ciphers(ssl, ciphers);
- tt_int_op(ret, OP_EQ, 3);
- tt_int_op(tls->client_cipher_list_type, OP_EQ, 3);
-
- sk_SSL_CIPHER_zero(ciphers);
- for (i=0; v2_cipher_list[i]; i++) {
- tmp_cipher = get_cipher_by_id(v2_cipher_list[i]);
- tt_assert(tmp_cipher);
- sk_SSL_CIPHER_push(ciphers, tmp_cipher);
- }
- tls->client_cipher_list_type = 0;
- ret = tor_tls_classify_client_ciphers(ssl, ciphers);
- tt_int_op(ret, OP_EQ, 2);
- tt_int_op(tls->client_cipher_list_type, OP_EQ, 2);
-
- done:
- sk_SSL_CIPHER_free(ciphers);
- SSL_free(tls->ssl);
- tor_free(tls);
- SSL_CTX_free(ctx);
-}
-#endif /* !defined(OPENSSL_OPAQUE) */
-
-#ifndef OPENSSL_OPAQUE
 static int fixed_ssl_pending_result = 0;
 static int
@@ -952,24 +815,6 @@ test_tortls_set_renegotiate_callback(void *ignored)
 #endif /* !defined(OPENSSL_OPAQUE) */
 #ifndef OPENSSL_OPAQUE
-static SSL_CIPHER *fixed_cipher1 = NULL;
-static SSL_CIPHER *fixed_cipher2 = NULL;
-static const SSL_CIPHER *
-fake_get_cipher(unsigned ncipher)
-{
-
- switch (ncipher) {
- case 1:
- return fixed_cipher1;
- case 2:
- return fixed_cipher2;
- default:
- return NULL;
- }
-}
-#endif /* !defined(OPENSSL_OPAQUE) */
-
-#ifndef OPENSSL_OPAQUE
 static void
 test_tortls_debug_state_callback(void *ignored)
 {