r17953@catbus: nickm | 2008-02-06 15:00:44 -0500

Implement a better means for testing for renegotiation.


svn:r13408
Nick Mathewson 2008-02-06 20:00:47 +00:00
parent 4d70094b6e
commit 46532d8111


@ -75,7 +75,6 @@ struct tor_tls_t {
} state : 3; /**< The current SSL state, depending on which operations have } state : 3; /**< The current SSL state, depending on which operations have
* completed successfully. */ * completed successfully. */
unsigned int isServer:1; /**< True iff this is a server-side connection */ unsigned int isServer:1; /**< True iff this is a server-side connection */
unsigned int hadCert:1; /**< Docdoc */
unsigned int wasV2Handshake:1; /**< DOCDOC */ unsigned int wasV2Handshake:1; /**< DOCDOC */
size_t wantwrite_n; /**< 0 normally, >0 if we returned wantwrite last size_t wantwrite_n; /**< 0 normally, >0 if we returned wantwrite last
* time. */ * time. */
@ -115,11 +114,11 @@ HT_GENERATE(tlsmap, tor_tls_t, node, tor_tls_entry_hash,
/** Helper: given a SSL* pointer, return the tor_tls_t object using that /** Helper: given a SSL* pointer, return the tor_tls_t object using that
* pointer. */ * pointer. */
static INLINE tor_tls_t * static INLINE tor_tls_t *
tor_tls_get_by_ssl(SSL *ssl) tor_tls_get_by_ssl(const SSL *ssl)
{ {
tor_tls_t search, *result; tor_tls_t search, *result;
memset(&search, 0, sizeof(search)); memset(&search, 0, sizeof(search));
search.ssl = ssl; search.ssl = (SSL*)ssl;
result = HT_FIND(tlsmap, &tlsmap_root, &search); result = HT_FIND(tlsmap, &tlsmap_root, &search);
return result; return result;
} }
@ -786,12 +785,12 @@ tor_tls_read(tor_tls_t *tls, char *cp, size_t len)
r = SSL_read(tls->ssl, cp, len); r = SSL_read(tls->ssl, cp, len);
if (r > 0) { if (r > 0) {
#ifdef V2_HANDSHAKE_SERVER #ifdef V2_HANDSHAKE_SERVER
if (!tls->hadCert && tls->ssl->session && tls->ssl->session->peer) { if (SSL_num_renegotiations(tls->ssl)) {
tls->hadCert = 1;
/* New certificate! */ /* New certificate! */
log_info(LD_NET, "Got a TLS renegotiation."); log_notice(LD_NET, "Got a TLS renegotiation from %p", tls);
if (tls->negotiated_callback) if (tls->negotiated_callback)
tls->negotiated_callback(tls, tls->callback_arg); tls->negotiated_callback(tls, tls->callback_arg);
SSL_clear_num_renegotiations(tls->ssl);
} }
#endif #endif
return r; return r;
@ -866,7 +865,6 @@ tor_tls_handshake(tor_tls_t *tls)
} }
if (r == TOR_TLS_DONE) { if (r == TOR_TLS_DONE) {
tls->state = TOR_TLS_ST_OPEN; tls->state = TOR_TLS_ST_OPEN;
tls->hadCert = tor_tls_peer_has_cert(tls) ? 1 : 0;
if (tls->isServer) { if (tls->isServer) {
SSL_set_info_callback(tls->ssl, NULL); SSL_set_info_callback(tls->ssl, NULL);
SSL_set_verify(tls->ssl, SSL_VERIFY_NONE, always_accept_verify_cb); SSL_set_verify(tls->ssl, SSL_VERIFY_NONE, always_accept_verify_cb);
@ -895,7 +893,7 @@ tor_tls_handshake(tor_tls_t *tls)
if (n_certs > 1 || (n_certs == 1 && cert != sk_X509_value(chain, 0))) if (n_certs > 1 || (n_certs == 1 && cert != sk_X509_value(chain, 0)))
tls->wasV2Handshake = 0; tls->wasV2Handshake = 0;
else { else {
log_notice(LD_NET, "I think I got a v2 handshake!"); log_notice(LD_NET, "I think I got a v2 handshake on %p!", tls);
tls->wasV2Handshake = 1; tls->wasV2Handshake = 1;
} }
if (cert) if (cert)
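Review bot: The new condition in tor_tls_read, `if (SSL_num_renegotiations(tls->ssl))`, invokes negotiated_callback on every renegotiation the peer initiates, whereas the old `!tls->hadCert` guard fired it at most once per connection; nothing visible bounds how often a peer can trigger it, and the accompanying `log_notice` line is now peer-triggerable at notice level on each occurrence. The old condition also required `tls->ssl->session->peer`, i.e. that a certificate was actually presented, while `SSL_num_renegotiations()` only counts completed handshakes, so the callback may now run after a renegotiation that supplied no certificate — if the callback depends on one, a `tor_tls_peer_has_cert(tls)` check before the call (as the handshake hunk already uses) would restore that guarantee. Consider `log_info(LD_NET, "Got a TLS renegotiation from %p", tls);` or a rate limit for the log line, and a comment stating whether repeated renegotiations are intended to re-run the callback. tor_tls_read's body begins and ends outside the hunk.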