Lines 154-159
static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa,
|
154 |
const char *cname, |
154 |
const char *cname, |
155 |
const char *cname_sign, |
155 |
const char *cname_sign, |
156 |
unsigned int lifetime); |
156 |
unsigned int lifetime); |
|
|
157 |
static void tor_tls_unblock_renegotiation(tor_tls_t *tls); |
157 |
|
158 |
|
158 |
/** Global tls context. We keep it here because nobody else needs to |
159 |
/** Global tls context. We keep it here because nobody else needs to |
159 |
* touch it. */ |
160 |
* touch it. */ |
Lines 904-909
tor_tls_set_renegotiate_callback(tor_tls_t *tls,
|
904 |
#endif |
905 |
#endif |
905 |
} |
906 |
} |
906 |
|
907 |
|
|
|
908 |
/** If this version of openssl requires it, turn on renegotiation on |
909 |
* <b>tls</b>. (Our protocol never requires this for security, but it's nice |
910 |
* to use belt-and-suspenders here.) |
911 |
*/ |
912 |
static void |
913 |
tor_tls_unblock_renegotiation(tor_tls_t *tls) |
914 |
{ |
915 |
#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
916 |
/* Yes, we know what we are doing here. No, we do not treat a renegotiation |
917 |
* as authenticating any earlier-received data. */ |
918 |
tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; |
919 |
#else |
920 |
(void)tls; |
921 |
#endif |
922 |
} |
923 |
|
924 |
/** If this version of openssl supports it, turn off renegotiation on |
925 |
* <b>tls</b>. (Our protocol never requires this for security, but it's nice |
926 |
* to use belt-and-suspenders here.) |
927 |
*/ |
928 |
void |
929 |
tor_tls_block_renegotiation(tor_tls_t *tls) |
930 |
{ |
931 |
#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION |
932 |
tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; |
933 |
#else |
934 |
(void)tls; |
935 |
#endif |
936 |
} |
937 |
|
907 |
/** Return whether this tls initiated the connect (client) or |
938 |
/** Return whether this tls initiated the connect (client) or |
908 |
* received it (server). */ |
939 |
* received it (server). */ |
909 |
int |
940 |
int |
Lines 1026-1031
tor_tls_handshake(tor_tls_t *tls)
|
1026 |
} else { |
1057 |
} else { |
1027 |
r = SSL_connect(tls->ssl); |
1058 |
r = SSL_connect(tls->ssl); |
1028 |
} |
1059 |
} |
|
|
1060 |
/* We need to call this here and not earlier, since OpenSSL has a penchant |
1061 |
* for clearing its flags when you say accept or connect. */ |
1062 |
tor_tls_unblock_renegotiation(tls); |
1029 |
r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO); |
1063 |
r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO); |
1030 |
if (ERR_peek_error() != 0) { |
1064 |
if (ERR_peek_error() != 0) { |
1031 |
tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN, |
1065 |
tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN, |
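Review bot: The Doxygen comment on the new tor_tls_unblock_renegotiation (second hunk, "If this version of openssl requires it, turn on renegotiation ... it's nice to use belt-and-suspenders here") is copied from tor_tls_block_renegotiation and states the opposite of what the function does: setting SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION switches OpenSSL's renegotiation mitigation off rather than adding a second layer of defence. I would replace the header with something like `/** If this version of openssl has the mitigation, re-allow legacy renegotiation on <b>tls</b>. This weakens OpenSSL's protection, so it is acceptable only because our protocol never treats data received before a renegotiation as authenticated by it. */`, moving the justification that currently sits inside the function body into the contract where callers will read it. Since tor_tls_handshake (third hunk) calls this unconditionally on both the SSL_accept and SSL_connect paths, that comment should also make explicit that the relaxation applies to every Tor TLS connection, not only to ones that will later renegotiate. The remainder of tor_tls_handshake lies outside the hunk.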