diff options
author | Nick Mathewson <nickm@torproject.org> | 2015-05-13 11:19:19 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2015-05-13 11:19:19 -0400 |
commit | fa63f991c06e9753108a57e2a26a62da6e78e822 (patch) | |
tree | 5b2a326ab7b2c561a4dd6e1a39601b1ef7ae5dad /src/common/tortls.c | |
parent | 53a347592aa5311f8910125cef1d1814cd7088d5 (diff) | |
download | tor-fa63f991c06e9753108a57e2a26a62da6e78e822.tar.gz tor-fa63f991c06e9753108a57e2a26a62da6e78e822.zip |
Stop accessing 'ssl->s3->flags' when we are using openssl 1.1
This field was only needed to work with the now-long-gone (I hope,
except for some horrible apples) openssl 0.9.8l; if your headers say
you have openssl 1.1, you won't even need it.
Diffstat (limited to 'src/common/tortls.c')
-rw-r--r-- | src/common/tortls.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c index 97a82bf6e1..a90ae70af3 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -120,6 +120,13 @@ static int use_unsafe_renegotiation_op = 0; /** Does the run-time openssl version look like we need * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */ static int use_unsafe_renegotiation_flag = 0; +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,1,0) +/* If we have openssl 1.1, we just trust that the "mode" will work, and don't + * use the "flag" at all. Nobody would forward-port that weird little glitch + * from 0.9.8l to 1.1, would they? + */ +#define SUPPORT_UNSAFE_RENEGOTIATION_FLAG +#endif /** Structure that we use for a single certificate. */ struct tor_cert_t { @@ -1713,7 +1720,7 @@ tor_tls_server_info_callback(const SSL *ssl, int type, int val) if (tls) { tls->wasV2Handshake = 1; -#ifdef USE_BUFFEREVENTS +#if (defined(USE_BUFFEREVENTS) && defined(SUPPORT_UNSAFE_RENEGOTATION_FLAG)) if (use_unsafe_renegotiation_flag) tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; #endif @@ -2018,9 +2025,11 @@ tor_tls_unblock_renegotiation(tor_tls_t *tls) { /* Yes, we know what we are doing here. No, we do not treat a renegotiation * as authenticating any earlier-received data. */ +#ifdef SUPPORT_UNSAFE_RENEGOTIATION_FLAG if (use_unsafe_renegotiation_flag) { tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; } +#endif if (use_unsafe_renegotiation_op) { SSL_set_options(tls->ssl, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); @@ -2034,17 +2043,23 @@ tor_tls_unblock_renegotiation(tor_tls_t *tls) void tor_tls_block_renegotiation(tor_tls_t *tls) { +#ifdef SUPPORT_UNSAFE_RENEGOTIATION_FLAG tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; +#else + (void) tls; +#endif } /** Assert that the flags that allow legacy renegotiation are still set */ void tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls) { +#ifdef SUPPORT_UNSAFE_RENEGOTIATION_FLAG if (use_unsafe_renegotiation_flag) { tor_assert(0 != (tls->ssl->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)); } +#endif if (use_unsafe_renegotiation_op) { long options = SSL_get_options(tls->ssl); tor_assert(0 != (options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)); |