From e27a26d568a257cf350814a9abfa47d3b41ad9f3 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Sun, 27 Nov 2011 08:29:51 -0500
Subject: Set renegotiation callbacks immediately on tls inititation

This way, we can't miss a renegotiation attempt in a v2 handshake,
or miss excess renegotiation attempts.  Partial fix for bug 4587.
---
 src/common/tortls.c    |  2 --
 src/or/connection_or.c | 17 +++++++----------
 2 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/src/common/tortls.c b/src/common/tortls.c
index e052c85eb..aeb090bbf 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1563,7 +1563,6 @@ tor_tls_set_renegotiate_callbacks(tor_tls_t *tls,
   tls->excess_renegotiations_callback = cb2;
   tls->callback_arg = arg;
   tls->got_renegotiate = 0;
-  SSL_set_info_callback(tls->ssl, tor_tls_state_changed_callback);
 }
 
 /** If this version of openssl requires it, turn on renegotiation on
@@ -1767,7 +1766,6 @@ tor_tls_finish_handshake(tor_tls_t *tls)
 {
   int r = TOR_TLS_DONE;
   if (tls->isServer) {
-    SSL_set_info_callback(tls->ssl, NULL);
     SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
     /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
     tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN;
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index e868b7b78..0f68feb60 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -42,6 +42,7 @@ static int connection_or_check_valid_tls_handshake(or_connection_t *conn,
                                                    char *digest_rcvd_out);
 
 static void connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn);
+static void connection_or_close_connection_cb(void *_conn);
 
 #ifdef USE_BUFFEREVENTS
 static void connection_or_handle_event_cb(struct bufferevent *bufev,
@@ -1096,12 +1097,16 @@ connection_tls_start_handshake(or_connection_t *conn, int receiving)
   conn->_base.state = OR_CONN_STATE_TLS_HANDSHAKING;
   tor_assert(!conn->tls);
   conn->tls = tor_tls_new(conn->_base.s, receiving);
-  tor_tls_set_logged_address(conn->tls, // XXX client and relay?
-      escaped_safe_str(conn->_base.address));
   if (!conn->tls) {
     log_warn(LD_BUG,"tor_tls_new failed. Closing.");
     return -1;
   }
+  tor_tls_set_logged_address(conn->tls, // XXX client and relay?
+      escaped_safe_str(conn->_base.address));
+  tor_tls_set_renegotiate_callbacks(conn->tls,
+                                    connection_or_tls_renegotiated_cb,
+                                    connection_or_close_connection_cb,
+                                    conn);
 #ifdef USE_BUFFEREVENTS
   if (connection_type_uses_bufferevent(TO_CONN(conn))) {
     const int filtering = get_options()->_UseFilteringSSLBufferevents;
@@ -1213,10 +1218,6 @@ connection_tls_continue_handshake(or_connection_t *conn)
           /* v2/v3 handshake, but not a client. */
           log_debug(LD_OR, "Done with initial SSL handshake (server-side). "
                            "Expecting renegotiation or VERSIONS cell");
-          tor_tls_set_renegotiate_callbacks(conn->tls,
-                                           connection_or_tls_renegotiated_cb,
-                                           connection_or_close_connection_cb,
-                                           conn);
           conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING;
           connection_stop_writing(TO_CONN(conn));
           connection_start_reading(TO_CONN(conn));
@@ -1277,10 +1278,6 @@ connection_or_handle_event_cb(struct bufferevent *bufev, short event,
       } else if (tor_tls_get_num_server_handshakes(conn->tls) == 1) {
         /* v2 or v3 handshake, as a server. Only got one handshake, so
          * wait for the next one. */
-        tor_tls_set_renegotiate_callbacks(conn->tls,
-                                         connection_or_tls_renegotiated_cb,
-                                         connection_or_close_connection_cb,
-                                         conn);
         conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING;
         /* return 0; */
         return; /* ???? */
-- 
cgit v1.2.3