diff options
author | Nick Mathewson <nickm@torproject.org> | 2011-11-27 08:29:51 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2011-11-29 19:10:19 -0500 |
commit | e27a26d568a257cf350814a9abfa47d3b41ad9f3 (patch) | |
tree | 1e4880f1256ca4e30d499f9727310304e5ae3424 | |
parent | 617617e21a2d30a86cea9c8f7043333078f2e8f8 (diff) | |
download | tor-e27a26d568a257cf350814a9abfa47d3b41ad9f3.tar tor-e27a26d568a257cf350814a9abfa47d3b41ad9f3.tar.gz |
Set renegotiation callbacks immediately on tls inititation
This way, we can't miss a renegotiation attempt in a v2 handshake,
or miss excess renegotiation attempts. Partial fix for bug 4587.
-rw-r--r-- | src/common/tortls.c | 2 | ||||
-rw-r--r-- | src/or/connection_or.c | 17 |
2 files changed, 7 insertions, 12 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c index e052c85eb..aeb090bbf 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -1563,7 +1563,6 @@ tor_tls_set_renegotiate_callbacks(tor_tls_t *tls, tls->excess_renegotiations_callback = cb2; tls->callback_arg = arg; tls->got_renegotiate = 0; - SSL_set_info_callback(tls->ssl, tor_tls_state_changed_callback); } /** If this version of openssl requires it, turn on renegotiation on @@ -1767,7 +1766,6 @@ tor_tls_finish_handshake(tor_tls_t *tls) { int r = TOR_TLS_DONE; if (tls->isServer) { - SSL_set_info_callback(tls->ssl, NULL); SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb); /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */ tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN; diff --git a/src/or/connection_or.c b/src/or/connection_or.c index e868b7b78..0f68feb60 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -42,6 +42,7 @@ static int connection_or_check_valid_tls_handshake(or_connection_t *conn, char *digest_rcvd_out); static void connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn); +static void connection_or_close_connection_cb(void *_conn); #ifdef USE_BUFFEREVENTS static void connection_or_handle_event_cb(struct bufferevent *bufev, @@ -1096,12 +1097,16 @@ connection_tls_start_handshake(or_connection_t *conn, int receiving) conn->_base.state = OR_CONN_STATE_TLS_HANDSHAKING; tor_assert(!conn->tls); conn->tls = tor_tls_new(conn->_base.s, receiving); - tor_tls_set_logged_address(conn->tls, // XXX client and relay? - escaped_safe_str(conn->_base.address)); if (!conn->tls) { log_warn(LD_BUG,"tor_tls_new failed. Closing."); return -1; } + tor_tls_set_logged_address(conn->tls, // XXX client and relay? + escaped_safe_str(conn->_base.address)); + tor_tls_set_renegotiate_callbacks(conn->tls, + connection_or_tls_renegotiated_cb, + connection_or_close_connection_cb, + conn); #ifdef USE_BUFFEREVENTS if (connection_type_uses_bufferevent(TO_CONN(conn))) { const int filtering = get_options()->_UseFilteringSSLBufferevents; @@ -1213,10 +1218,6 @@ connection_tls_continue_handshake(or_connection_t *conn) /* v2/v3 handshake, but not a client. */ log_debug(LD_OR, "Done with initial SSL handshake (server-side). " "Expecting renegotiation or VERSIONS cell"); - tor_tls_set_renegotiate_callbacks(conn->tls, - connection_or_tls_renegotiated_cb, - connection_or_close_connection_cb, - conn); conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING; connection_stop_writing(TO_CONN(conn)); connection_start_reading(TO_CONN(conn)); @@ -1277,10 +1278,6 @@ connection_or_handle_event_cb(struct bufferevent *bufev, short event, } else if (tor_tls_get_num_server_handshakes(conn->tls) == 1) { /* v2 or v3 handshake, as a server. Only got one handshake, so * wait for the next one. */ - tor_tls_set_renegotiate_callbacks(conn->tls, - connection_or_tls_renegotiated_cb, - connection_or_close_connection_cb, - conn); conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING; /* return 0; */ return; /* ???? */ |