mirrors/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2025-02-24 14:51:11 +01:00
Code Issues Projects Releases Wiki Activity

Refactor the SSL_set_info_callback() callbacks.

Browse source 
Introduce tor_tls_state_changed_callback(), which handles every SSL
state change.

The new function tor_tls_got_server_hello() is called every time we
send a ServerHello during a v2 handshake, and plays the role of the
previous tor_tls_server_info_callback() function.
This commit is contained in:
George Kadianakis 2011-10-26 02:05:45 +02:00
parent 3b704fd166
commit 69a821ea1c
1 changed files with 44 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

97
src/common/tortls.c
View file

@ -1280,55 +1280,29 @@ tor_tls_client_is_using_v2_ciphers(const SSL *ssl, const char *address)
return 1; return 1;
} }
/** We sent the ServerHello part of an SSL handshake. This might mean
* that we completed a renegotiation and appropriate actions must be
* taken. */
static void static void
tor_tls_debug_state_callback(const SSL *ssl, int type, int val) tor_tls_got_server_hello(tor_tls_t *tls)
{ {
log_debug(LD_HANDSHAKE, "SSL %p is now in state %s [type=%d,val=%d].", /* Check whether we're watching for renegotiates. If so, this is one! */
ssl, ssl_state_to_string(ssl->state), type, val); if (tls->negotiated_callback)
} tls->got_renegotiate = 1;
if (tls->server_handshake_count < 127) /*avoid any overflow possibility*/
/** Invoked when we're accepting a connection on <b>ssl</b>, and the connection ++tls->server_handshake_count;
* changes state. We use this:
* <ul><li>To alter the state of the handshake partway through, so we
* do not send or request extra certificates in v2 handshakes.</li>
* <li>To detect renegotiation</li></ul>
*/
static void
tor_tls_server_info_callback(const SSL *ssl, int type, int val)
{
tor_tls_t *tls;
(void) val;
tor_tls_debug_state_callback(ssl, type, val);
if (type != SSL_CB_ACCEPT_LOOP)
return;
if (ssl->state != SSL3_ST_SW_SRVR_HELLO_A)
return;
tls = tor_tls_get_by_ssl(ssl);
if (tls) {
/* Check whether we're watching for renegotiates. If so, this is one! */
if (tls->negotiated_callback)
tls->got_renegotiate = 1;
if (tls->server_handshake_count < 127) /*avoid any overflow possibility*/
++tls->server_handshake_count;
} else {
log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
return;
}
/* Now check the cipher list. */ /* Now check the cipher list. */
if (tor_tls_client_is_using_v2_ciphers(ssl, ADDR(tls))) { if (tor_tls_client_is_using_v2_ciphers(tls->ssl, ADDR(tls))) {
/*XXXX_TLS keep this from happening more than once! */ /*XXXX_TLS keep this from happening more than once! */
/* Yes, we're casting away the const from ssl. This is very naughty of us. /* Yes, we're casting away the const from ssl. This is very naughty of us.
* Let's hope openssl doesn't notice! */ * Let's hope openssl doesn't notice! */
/* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */ /* Set SSL_MODE_NO_AUTO_CHAIN to keep from sending back any extra certs. */
SSL_set_mode((SSL*) ssl, SSL_MODE_NO_AUTO_CHAIN); SSL_set_mode((SSL*) tls->ssl, SSL_MODE_NO_AUTO_CHAIN);
/* Don't send a hello request. */ /* Don't send a hello request. */
SSL_set_verify((SSL*) ssl, SSL_VERIFY_NONE, NULL); SSL_set_verify((SSL*) tls->ssl, SSL_VERIFY_NONE, NULL);
if (tls) { if (tls) {
tls->wasV2Handshake = 1; tls->wasV2Handshake = 1;
@ -1343,6 +1317,35 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val)
} }
#endif #endif
/** This is a callback function for SSL_set_info_callback() and it
* will be called in every SSL state change.
* It logs the SSL state change, and executes any actions that must be
* taken. */
static void
tor_tls_state_changed_callback(const SSL *ssl, int type, int val)
{
log_debug(LD_HANDSHAKE, "SSL %p is now in state %s [type=%d,val=%d].",
ssl, ssl_state_to_string(ssl->state), type, val);
#ifdef V2_HANDSHAKE_SERVER
if (type == SSL_CB_ACCEPT_LOOP &&
ssl->state == SSL3_ST_SW_SRVR_HELLO_A) {
/* Call tor_tls_got_server_hello() for every SSL ServerHello we
send. */
tor_tls_t *tls = tor_tls_get_by_ssl(ssl);
if (!tls) {
log_warn(LD_BUG, "Couldn't look up the tls for an SSL*. How odd!");
return;
}
tor_tls_got_server_hello(tls);
}
#endif
}
/** Replace *<b>ciphers</b> with a new list of SSL ciphersuites: specifically, /** Replace *<b>ciphers</b> with a new list of SSL ciphersuites: specifically,
* a list designed to mimic a common web browser. Some of the ciphers in the * a list designed to mimic a common web browser. Some of the ciphers in the
* list won't actually be implemented by OpenSSL: that's okay so long as the * list won't actually be implemented by OpenSSL: that's okay so long as the
@ -1484,14 +1487,8 @@ tor_tls_new(int sock, int isServer)
log_warn(LD_NET, "Newly created BIO has read count %lu, write count %lu", log_warn(LD_NET, "Newly created BIO has read count %lu, write count %lu",
result->last_read_count, result->last_write_count); result->last_read_count, result->last_write_count);
} }
#ifdef V2_HANDSHAKE_SERVER
if (isServer) { SSL_set_info_callback(result->ssl, tor_tls_state_changed_callback);
SSL_set_info_callback(result->ssl, tor_tls_server_info_callback);
} else
#endif
{
SSL_set_info_callback(result->ssl, tor_tls_debug_state_callback);
}
/* Not expected to get called. */ /* Not expected to get called. */
tls_log_errors(NULL, LOG_WARN, LD_NET, "creating tor_tls_t object"); tls_log_errors(NULL, LOG_WARN, LD_NET, "creating tor_tls_t object");
@ -1521,13 +1518,7 @@ tor_tls_set_renegotiate_callback(tor_tls_t *tls,
tls->negotiated_callback = cb; tls->negotiated_callback = cb;
tls->callback_arg = arg; tls->callback_arg = arg;
tls->got_renegotiate = 0; tls->got_renegotiate = 0;
#ifdef V2_HANDSHAKE_SERVER SSL_set_info_callback(tls->ssl, tor_tls_state_changed_callback);
if (cb) {
SSL_set_info_callback(tls->ssl, tor_tls_server_info_callback);
} else {
SSL_set_info_callback(tls->ssl, tor_tls_debug_state_callback);
}
#endif
} }
/** If this version of openssl requires it, turn on renegotiation on /** If this version of openssl requires it, turn on renegotiation on