Merge branch 'maint-0.4.8'

author David Goulet <dgoulet@torproject.org>

Thu, 26 Jun 2025 16:16:45 +0000 (12:16 -0400)

committer David Goulet <dgoulet@torproject.org>

Thu, 26 Jun 2025 16:16:45 +0000 (12:16 -0400)
author David Goulet <dgoulet@torproject.org>
Thu, 26 Jun 2025 16:16:45 +0000 (12:16 -0400)
committer David Goulet <dgoulet@torproject.org>
Thu, 26 Jun 2025 16:16:45 +0000 (12:16 -0400)
diff --cc configure.ac

index bf388b447b82e49093d14c0f583f2c14c65276cd,64448ba945012714ce2ab2a306326b85437f82d6..ed1b92c4168056bb28f725f1970f1d34619f68df
--- 1/configure.ac
--- 2/configure.ac
+++ b/configure.ac
@@@ -1155,9 -1132,27 +1155,10 @@@ dnl check the openssl version number, b
   dnl confusing with LibreSSL, OpenSSL, and various distributions' patches
   dnl to them.
   AC_CHECK_FUNCS([ \
- -              ERR_load_KDF_strings \
                 EVP_PBE_scrypt \
-               SSL_CTX_set_security_level
-              ])
- -              SSL_CIPHER_find \
- -              SSL_CTX_set1_groups_list \
+               SSL_CTX_set_security_level \
- -              SSL_SESSION_get_master_key \
- -              SSL_get_client_ciphers \
- -              SSL_get_client_random \
- -              SSL_get_server_random \
- -                SSL_set_ciphersuites \
- -              TLS_method
- -             ])
- -
- -dnl Check if OpenSSL structures are opaque
- -AC_CHECK_MEMBERS([SSL.state], , ,
- -[#include <openssl/ssl.h>
- -])
- -
- -AC_CHECK_SIZEOF(SHA_CTX, , [AC_INCLUDES_DEFAULT()
- -#include <openssl/sha.h>
++        SSL_set_ciphersuites
+ ])
   
   fi # enable_nss
   
diff --cc src/lib/tls/tortls_openssl.c

index 120565aa6244b9e661ad16c33b1524a45ab90745,5654f7f654b57a003dd6735276767413b0c4c2b9..7c7ceecd0cb44133f0c8bc53cc1f7817f55b1e42
--- 1/src/lib/tls/tortls_openssl.c
--- 2/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@@@ -666,9 -1142,24 +672,26 @@@ tor_tls_new(tor_socket_t sock, int isSe
     }
   #endif /* defined(SSL_CTRL_SET_MAX_PROTO_VERSION) */
   
-   if (!SSL_set_cipher_list(result->ssl,
-                            isServer ? UNRESTRICTED_TLS1_2_SERVER_CIPHER_LIST
-                                     : CLIENT_CIPHER_LIST)) {
+   /* Contrary to SSL_set_cipher_list(), TLSv1.3 SSL_set_ciphersuites() does NOT
+    * accept the final ':' so we have to strip it out. */
+   size_t TLSv13len = strlen(CLIENT_CIPHER_LIST_TLSv13);
+   if (TLSv13len && CLIENT_CIPHER_LIST_TLSv13[TLSv13len - 1] == ':') {
+     CLIENT_CIPHER_LIST_TLSv13[TLSv13len - 1] = '\0';
+   }
+ 
+   const bool tls12_ciphers_ok = SSL_set_cipher_list(
- -      result->ssl, isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST);
++      result->ssl,
++      isServer ? UNRESTRICTED_TLS1_2_SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST);
++
+   bool tls13_ciphers_ok = true;
+ #ifdef HAVE_SSL_SET_CIPHERSUITES
+   if (!isServer) {
+     tls13_ciphers_ok =
+       SSL_set_ciphersuites(result->ssl, CLIENT_CIPHER_LIST_TLSv13);
+   }
+ #endif
+ 
+   if (!tls12_ciphers_ok || !tls13_ciphers_ok) {
       tls_log_errors(NULL, LOG_WARN, LD_NET, "setting ciphers");
   #ifdef SSL_set_tlsext_host_name
       SSL_set_tlsext_host_name(result->ssl, NULL);
author	David Goulet <dgoulet@torproject.org>
	Thu, 26 Jun 2025 16:16:45 +0000 (12:16 -0400)
committer	David Goulet <dgoulet@torproject.org>
	Thu, 26 Jun 2025 16:16:45 +0000 (12:16 -0400)
		1	2
configure.ac	patch \|	diff1 \|	diff2 \|	blob \| history
src/lib/tls/tortls_openssl.c	patch \|	diff1 \|	diff2 \|	blob \| history