Set renegotiation callbacks immediately on tls inititation

This way, we can't miss a renegotiation attempt in a v2 handshake,
or miss excess renegotiation attempts.  Partial fix for bug 4587.
This commit is contained in:
Nick Mathewson 2011-11-27 08:29:51 -05:00
parent 617617e21a
commit e27a26d568
2 changed files with 7 additions and 12 deletions

View File

@ -1563,7 +1563,6 @@ tor_tls_set_renegotiate_callbacks(tor_tls_t *tls,
tls->excess_renegotiations_callback = cb2; tls->excess_renegotiations_callback = cb2;
tls->callback_arg = arg; tls->callback_arg = arg;
tls->got_renegotiate = 0; tls->got_renegotiate = 0;
SSL_set_info_callback(tls->ssl, tor_tls_state_changed_callback);
} }
/** If this version of openssl requires it, turn on renegotiation on /** If this version of openssl requires it, turn on renegotiation on
@ -1767,7 +1766,6 @@ tor_tls_finish_handshake(tor_tls_t *tls)
{ {
int r = TOR_TLS_DONE; int r = TOR_TLS_DONE;
if (tls->isServer) { if (tls->isServer) {
SSL_set_info_callback(tls->ssl, NULL);
SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb); SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, always_accept_verify_cb);
/* There doesn't seem to be a clear OpenSSL API to clear mode flags. */ /* There doesn't seem to be a clear OpenSSL API to clear mode flags. */
tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN; tls->ssl->mode &= ~SSL_MODE_NO_AUTO_CHAIN;

View File

@ -42,6 +42,7 @@ static int connection_or_check_valid_tls_handshake(or_connection_t *conn,
char *digest_rcvd_out); char *digest_rcvd_out);
static void connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn); static void connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn);
static void connection_or_close_connection_cb(void *_conn);
#ifdef USE_BUFFEREVENTS #ifdef USE_BUFFEREVENTS
static void connection_or_handle_event_cb(struct bufferevent *bufev, static void connection_or_handle_event_cb(struct bufferevent *bufev,
@ -1096,12 +1097,16 @@ connection_tls_start_handshake(or_connection_t *conn, int receiving)
conn->_base.state = OR_CONN_STATE_TLS_HANDSHAKING; conn->_base.state = OR_CONN_STATE_TLS_HANDSHAKING;
tor_assert(!conn->tls); tor_assert(!conn->tls);
conn->tls = tor_tls_new(conn->_base.s, receiving); conn->tls = tor_tls_new(conn->_base.s, receiving);
tor_tls_set_logged_address(conn->tls, // XXX client and relay?
escaped_safe_str(conn->_base.address));
if (!conn->tls) { if (!conn->tls) {
log_warn(LD_BUG,"tor_tls_new failed. Closing."); log_warn(LD_BUG,"tor_tls_new failed. Closing.");
return -1; return -1;
} }
tor_tls_set_logged_address(conn->tls, // XXX client and relay?
escaped_safe_str(conn->_base.address));
tor_tls_set_renegotiate_callbacks(conn->tls,
connection_or_tls_renegotiated_cb,
connection_or_close_connection_cb,
conn);
#ifdef USE_BUFFEREVENTS #ifdef USE_BUFFEREVENTS
if (connection_type_uses_bufferevent(TO_CONN(conn))) { if (connection_type_uses_bufferevent(TO_CONN(conn))) {
const int filtering = get_options()->_UseFilteringSSLBufferevents; const int filtering = get_options()->_UseFilteringSSLBufferevents;
@ -1213,10 +1218,6 @@ connection_tls_continue_handshake(or_connection_t *conn)
/* v2/v3 handshake, but not a client. */ /* v2/v3 handshake, but not a client. */
log_debug(LD_OR, "Done with initial SSL handshake (server-side). " log_debug(LD_OR, "Done with initial SSL handshake (server-side). "
"Expecting renegotiation or VERSIONS cell"); "Expecting renegotiation or VERSIONS cell");
tor_tls_set_renegotiate_callbacks(conn->tls,
connection_or_tls_renegotiated_cb,
connection_or_close_connection_cb,
conn);
conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING; conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING;
connection_stop_writing(TO_CONN(conn)); connection_stop_writing(TO_CONN(conn));
connection_start_reading(TO_CONN(conn)); connection_start_reading(TO_CONN(conn));
@ -1277,10 +1278,6 @@ connection_or_handle_event_cb(struct bufferevent *bufev, short event,
} else if (tor_tls_get_num_server_handshakes(conn->tls) == 1) { } else if (tor_tls_get_num_server_handshakes(conn->tls) == 1) {
/* v2 or v3 handshake, as a server. Only got one handshake, so /* v2 or v3 handshake, as a server. Only got one handshake, so
* wait for the next one. */ * wait for the next one. */
tor_tls_set_renegotiate_callbacks(conn->tls,
connection_or_tls_renegotiated_cb,
connection_or_close_connection_cb,
conn);
conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING; conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING;
/* return 0; */ /* return 0; */
return; /* ???? */ return; /* ???? */