Set renegotiation callbacks immediately on tls inititation
This way, we can't miss a renegotiation attempt in a v2 handshake, or miss excess renegotiation attempts. Partial fix for bug 4587.
This commit is contained in:
parent
617617e21a
commit
e27a26d568
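--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -1563,7 +1563,6 @@ tor_tls_set_renegotiate_callbacks(tor_tls_t *tls,
 tls->excess_renegotiations_callback = cb2;
 tls->callback_arg = arg;
 tls->got_renegotiate = 0;
-SSL_set_info_callback(tls->ssl, tor_tls_state_changed_callback);
 }
 
 /** If this version of openssl requires it, turn on renegotiation on
@@ -1767,7 +1766,6 @@ tor_tls_finish_handshake(tor_tls_t *tls)
 {
 int r = TOR_TLS_DONE;
 if (tls->isServer) {
-SSL_set_info_callback(tls->ssl, NULL);
 SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
 /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
 tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN;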
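Review bot: After this change neither tor_tls_set_renegotiate_callbacks (hunk at -1563) nor tor_tls_finish_handshake (hunk at -1767) touches the SSL info callback, so tor_tls_state_changed_callback is never installed or cleared here and, per the commit title, is presumably installed once at TLS initiation and kept for the life of the object; that site is not in this diff. A one-line comment at the top of tor_tls_set_renegotiate_callbacks would save the next reader from searching for it: `/* The SSL info callback is installed when the tor_tls_t is created and stays set; this only records which callbacks it should invoke. */`. Because the callbacks are now present before the first handshake completes, the info callback has to tell the initial handshake apart from a later renegotiation before it fires excess_renegotiations_callback, otherwise a normal first handshake would be treated as excess; that logic is outside these hunks and is worth confirming. Both functions start and end outside the hunks shown.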
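--- a/PATH_NOT_ON_PAGE_2
+++ b/PATH_NOT_ON_PAGE_2
@@ -42,6 +42,7 @@ static int connection_or_check_valid_tls_handshake(or_connection_t *conn,
 char *digest_rcvd_out);
 
 static void connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn);
+static void connection_or_close_connection_cb(void *_conn);
 
 #ifdef USE_BUFFEREVENTS
 static void connection_or_handle_event_cb(struct bufferevent *bufev,
@@ -1096,12 +1097,16 @@ connection_tls_start_handshake(or_connection_t *conn, int receiving)
 conn->_base.state = OR_CONN_STATE_TLS_HANDSHAKING;
 tor_assert(!conn->tls);
 conn->tls = tor_tls_new(conn->_base.s, receiving);
-tor_tls_set_logged_address(conn->tls, // XXX client and relay?
-escaped_safe_str(conn->_base.address));
 if (!conn->tls) {
 log_warn(LD_BUG,"tor_tls_new failed. Closing.");
 return -1;
 }
+tor_tls_set_logged_address(conn->tls, // XXX client and relay?
+escaped_safe_str(conn->_base.address));
+tor_tls_set_renegotiate_callbacks(conn->tls,
+connection_or_tls_renegotiated_cb,
+connection_or_close_connection_cb,
+conn);
 #ifdef USE_BUFFEREVENTS
 if (connection_type_uses_bufferevent(TO_CONN(conn))) {
 const int filtering = get_options()->_UseFilteringSSLBufferevents;
@@ -1213,10 +1218,6 @@ connection_tls_continue_handshake(or_connection_t *conn)
 /* v2/v3 handshake, but not a client. */
 log_debug(LD_OR, "Done with initial SSL handshake (server-side). "
 "Expecting renegotiation or VERSIONS cell");
-tor_tls_set_renegotiate_callbacks(conn->tls,
-connection_or_tls_renegotiated_cb,
-connection_or_close_connection_cb,
-conn);
 conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING;
 connection_stop_writing(TO_CONN(conn));
 connection_start_reading(TO_CONN(conn));
@@ -1277,10 +1278,6 @@ connection_or_handle_event_cb(struct bufferevent *bufev, short event,
 } else if (tor_tls_get_num_server_handshakes(conn->tls) == 1) {
 /* v2 or v3 handshake, as a server. Only got one handshake, so
 * wait for the next one. */
-tor_tls_set_renegotiate_callbacks(conn->tls,
-connection_or_tls_renegotiated_cb,
-connection_or_close_connection_cb,
-conn);
 conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING;
 /* return 0; */
 return; /* ???? */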
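Review bot: With tor_tls_set_renegotiate_callbacks now called unconditionally right after tor_tls_new in connection_tls_start_handshake (hunk at -1096), connection_or_tls_renegotiated_cb and connection_or_close_connection_cb can fire on client-side connections and while the connection is still in OR_CONN_STATE_TLS_HANDSHAKING, whereas the call sites removed in the -1213 and -1277 hunks only armed them once the server had entered OR_CONN_STATE_TLS_SERVER_RENEGOTIATING. If connection_or_tls_renegotiated_cb does not already validate the connection state, it should refuse a renegotiation that arrives in any other state, e.g. `if (conn->_base.state != OR_CONN_STATE_TLS_SERVER_RENEGOTIATING) { log_warn(LD_PROTOCOL, "Unexpected renegotiation; closing."); connection_mark_for_close(TO_CONN(conn)); return; }`; its body is not in this diff, so that is an inference to check. A short comment above the new call would record why it moved: `/* Arm the renegotiation callbacks before the first handshake so that no v2 renegotiation, and no excess renegotiation, can be missed (bug 4587). */`. connection_tls_start_handshake begins and ends outside the hunk.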