Discard extraneous renegotiation attempts in the v3 link protocol

Failure to do so left us open to a remotely triggerable assertion
failure. Fixes CVE-2012-2249; bugfix on 0.2.3.6-alpha. Reported by
"some guy from France".

1 files changed, 12 insertions, 2 deletions

diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index d016387935..6293fe881d 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -1186,6 +1186,17 @@ connection_tls_start_handshake(or_connection_t *conn, int receiving)
   return 0;
 }
 
+/** Block all future attempts to renegotiate on 'conn' */
+void
+connection_or_block_renegotiation(or_connection_t *conn)
+{
+  tor_tls_t *tls = conn->tls;
+  if (!tls)
+    return;
+  tor_tls_set_renegotiate_callback(tls, NULL, NULL);
+  tor_tls_block_renegotiation(tls);
+}
+
 /** Invoked on the server side from inside tor_tls_read() when the server
  * gets a successful TLS renegotiation from the client. */
 static void
@@ -1195,8 +1206,7 @@ connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn)
   (void)tls;
 
   /* Don't invoke this again. */
-  tor_tls_set_renegotiate_callback(tls, NULL, NULL);
-  tor_tls_block_renegotiation(tls);
+  connection_or_block_renegotiation(conn);
 
   if (connection_tls_finish_handshake(conn) < 0) {
     /* XXXX_TLS double-check that it's ok to do this from inside read. */