Discard extraneous renegotiation attempts in the v3 link protocol

Failure to do so left us open to a remotely triggerable assertion
failure. Fixes CVE-2012-2249; bugfix on 0.2.3.6-alpha. Reported by
"some guy from France".

This patch is a forward-port to 0.2.4, to work with the new channel
logic.

1 files changed, 12 insertions, 2 deletions

diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 877ddf1315..92feb53af1 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -1251,6 +1251,17 @@ connection_tls_start_handshake(or_connection_t *conn, int receiving)
   return 0;
 }
 
+/** Block all future attempts to renegotiate on 'conn' */
+void
+connection_or_block_renegotiation(or_connection_t *conn)
+{
+  tor_tls_t *tls = conn->tls;
+  if (!tls)
+    return;
+  tor_tls_set_renegotiate_callback(tls, NULL, NULL);
+  tor_tls_block_renegotiation(tls);
+}
+
 /** Invoked on the server side from inside tor_tls_read() when the server
  * gets a successful TLS renegotiation from the client. */
 static void
@@ -1260,8 +1271,7 @@ connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn)
   (void)tls;
 
   /* Don't invoke this again. */
-  tor_tls_set_renegotiate_callback(tls, NULL, NULL);
-  tor_tls_block_renegotiation(tls);
+  connection_or_block_renegotiation(conn);
 
   if (connection_tls_finish_handshake(conn) < 0) {
     /* XXXX_TLS double-check that it's ok to do this from inside read. */