mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Pick 0a58567ce3
from master git tree
work with libssl that has renegotiation disabled by default. (debian/patches/0a58567c-work-with-reneg-ssl.dpatch)
This commit is contained in:
parent
6d01081fb3
commit
a28b5628c2
5
debian/changelog
vendored
5
debian/changelog
vendored
@ -1,8 +1,11 @@
|
||||
tor (0.2.2.5-alpha-1) experimental; urgency=low
|
||||
|
||||
* New upstream version.
|
||||
* Pick 0a58567ce3418f410cf1dd0143dd3e56b4a4bd1f from master git tree:
|
||||
- work with libssl that has renegotiation disabled by default.
|
||||
(debian/patches/0a58567c-work-with-reneg-ssl.dpatch)
|
||||
|
||||
-- Peter Palfrader <weasel@debian.org> Sun, 15 Nov 2009 10:37:05 +0100
|
||||
-- Peter Palfrader <weasel@debian.org> Sun, 15 Nov 2009 10:38:36 +0100
|
||||
|
||||
tor (0.2.2.4-alpha-1) experimental; urgency=low
|
||||
|
||||
|
1
debian/patches/00list
vendored
1
debian/patches/00list
vendored
@ -3,3 +3,4 @@
|
||||
06_add_compile_time_defaults.dpatch
|
||||
07_log_to_file_by_default.dpatch
|
||||
14_fix_geoip_warning
|
||||
0a58567c-work-with-reneg-ssl.dpatch
|
||||
|
129
debian/patches/0a58567c-work-with-reneg-ssl.dpatch
vendored
Normal file
129
debian/patches/0a58567c-work-with-reneg-ssl.dpatch
vendored
Normal file
@ -0,0 +1,129 @@
|
||||
#! /bin/sh -e
|
||||
|
||||
if [ $# -lt 1 ]; then
|
||||
echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
|
||||
patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}"
|
||||
|
||||
case "$1" in
|
||||
-patch) patch -p1 ${patch_opts} < $0;;
|
||||
-unpatch) patch -R -p1 ${patch_opts} < $0;;
|
||||
*)
|
||||
echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
|
||||
exit 1;;
|
||||
esac
|
||||
|
||||
exit 0
|
||||
|
||||
#diff --git a/ChangeLog b/ChangeLog
|
||||
#index 0109ff5..679d576 100644
|
||||
#--- a/ChangeLog
|
||||
#+++ b/ChangeLog
|
||||
#@@ -311,6 +311,12 @@ Changes in version 0.2.2.1-alpha - 2009-08-26
|
||||
#
|
||||
#
|
||||
# Changes in Version 0.2.1.21 - 20??-??-??
|
||||
#+ o Major bugfixes:
|
||||
#+ - Work around a security feature in OpenSSL 0.9.8l that prevents our
|
||||
#+ handshake from working unless we explicitly tell OpenSSL that we are
|
||||
#+ using SSL renegotiation safely. We are, of course, but OpenSSL
|
||||
#+ 0.9.8l won't work unless we say we are.
|
||||
#+
|
||||
# o Minor bugfixes:
|
||||
# - Do not refuse to learn about authority certs and v2 networkstatus
|
||||
# documents that are older than the latest consensus. This bug might
|
||||
@DPATCH@
|
||||
diff --git a/src/common/tortls.c b/src/common/tortls.c
|
||||
index 6e09325..ff49ecf 100644
|
||||
--- a/src/common/tortls.c
|
||||
+++ b/src/common/tortls.c
|
||||
@@ -154,6 +154,7 @@ static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa,
|
||||
const char *cname,
|
||||
const char *cname_sign,
|
||||
unsigned int lifetime);
|
||||
+static void tor_tls_unblock_renegotiation(tor_tls_t *tls);
|
||||
|
||||
/** Global tls context. We keep it here because nobody else needs to
|
||||
* touch it. */
|
||||
@@ -927,6 +928,36 @@ tor_tls_set_renegotiate_callback(tor_tls_t *tls,
|
||||
#endif
|
||||
}
|
||||
|
||||
+/** If this version of openssl requires it, turn on renegotiation on
|
||||
+ * <b>tls</b>. (Our protocol never requires this for security, but it's nice
|
||||
+ * to use belt-and-suspenders here.)
|
||||
+ */
|
||||
+static void
|
||||
+tor_tls_unblock_renegotiation(tor_tls_t *tls)
|
||||
+{
|
||||
+#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
|
||||
+ /* Yes, we know what we are doing here. No, we do not treat a renegotiation
|
||||
+ * as authenticating any earlier-received data. */
|
||||
+ tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
||||
+#else
|
||||
+ (void)tls;
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+/** If this version of openssl supports it, turn off renegotiation on
|
||||
+ * <b>tls</b>. (Our protocol never requires this for security, but it's nice
|
||||
+ * to use belt-and-suspenders here.)
|
||||
+ */
|
||||
+void
|
||||
+tor_tls_block_renegotiation(tor_tls_t *tls)
|
||||
+{
|
||||
+#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
|
||||
+ tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
|
||||
+#else
|
||||
+ (void)tls;
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
/** Return whether this tls initiated the connect (client) or
|
||||
* received it (server). */
|
||||
int
|
||||
@@ -1058,6 +1089,9 @@ tor_tls_handshake(tor_tls_t *tls)
|
||||
if (oldstate != tls->ssl->state)
|
||||
log_debug(LD_HANDSHAKE, "After call, %p was in state %s",
|
||||
tls, ssl_state_to_string(tls->ssl->state));
|
||||
+ /* We need to call this here and not earlier, since OpenSSL has a penchant
|
||||
+ * for clearing its flags when you say accept or connect. */
|
||||
+ tor_tls_unblock_renegotiation(tls);
|
||||
r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO, LD_HANDSHAKE);
|
||||
if (ERR_peek_error() != 0) {
|
||||
tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN, LD_HANDSHAKE,
|
||||
diff --git a/src/common/tortls.h b/src/common/tortls.h
|
||||
index d006909..871fec3 100644
|
||||
--- a/src/common/tortls.h
|
||||
+++ b/src/common/tortls.h
|
||||
@@ -65,6 +65,7 @@ int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
|
||||
int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n);
|
||||
int tor_tls_handshake(tor_tls_t *tls);
|
||||
int tor_tls_renegotiate(tor_tls_t *tls);
|
||||
+void tor_tls_block_renegotiation(tor_tls_t *tls);
|
||||
int tor_tls_shutdown(tor_tls_t *tls);
|
||||
int tor_tls_get_pending_bytes(tor_tls_t *tls);
|
||||
size_t tor_tls_get_forced_write_size(tor_tls_t *tls);
|
||||
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
|
||||
index c3d35e1..bbd6439 100644
|
||||
--- a/src/or/connection_or.c
|
||||
+++ b/src/or/connection_or.c
|
||||
@@ -799,6 +799,7 @@ connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn)
|
||||
|
||||
/* Don't invoke this again. */
|
||||
tor_tls_set_renegotiate_callback(tls, NULL, NULL);
|
||||
+ tor_tls_block_renegotiation(tls);
|
||||
|
||||
if (connection_tls_finish_handshake(conn) < 0) {
|
||||
/* XXXX_TLS double-check that it's ok to do this from inside read. */
|
||||
@@ -1045,6 +1046,7 @@ connection_tls_finish_handshake(or_connection_t *conn)
|
||||
connection_or_init_conn_from_address(conn, &conn->_base.addr,
|
||||
conn->_base.port, digest_rcvd, 0);
|
||||
}
|
||||
+ tor_tls_block_renegotiation(conn->tls);
|
||||
return connection_or_set_state_open(conn);
|
||||
} else {
|
||||
conn->_base.state = OR_CONN_STATE_OR_HANDSHAKING;
|
Loading…
Reference in New Issue
Block a user