Get rid of tor_tls_block_renegotiation().

Since we check for naughty renegotiations using
tor_tls_t.server_handshake_count we don't need that semi-broken
function (at least till there is a way to disable rfc5746
renegotiations too).

diff --git a/src/common/tortls.c b/src/common/tortls.c
index 72697850bdcc811e25db3de7bad96e556c7d32cc..1150c42327e0fd2037997ec87da6f6fa0e3192e5 100644 (file)
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1540,16 +1540,6 @@ tor_tls_unblock_renegotiation(tor_tls_t *tls)
   }
 }
 
-/** If this version of openssl supports it, turn off renegotiation on
- * <b>tls</b>.  (Our protocol never requires this for security, but it's nice
- * to use belt-and-suspenders here.)
- */
-void
-tor_tls_block_renegotiation(tor_tls_t *tls)
-{
-  tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
-}
-
 void
 tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls)
 {

diff --git a/src/common/tortls.h b/src/common/tortls.h
index 90e76e4a95130c320b9bac83eb68a1e6fafd0d96..1219b808166a3b05bb466a972dc60964150235b4 100644 (file)
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -75,7 +75,6 @@ int tor_tls_handshake(tor_tls_t *tls);
 int tor_tls_finish_handshake(tor_tls_t *tls);
 int tor_tls_renegotiate(tor_tls_t *tls);
 void tor_tls_unblock_renegotiation(tor_tls_t *tls);
-void tor_tls_block_renegotiation(tor_tls_t *tls);
 void tor_tls_assert_renegotiation_unblocked(tor_tls_t *tls);
 int tor_tls_shutdown(tor_tls_t *tls);
 int tor_tls_get_pending_bytes(tor_tls_t *tls);

diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index bcae075c5610be5e9b5edda9bbf76b2bff784c07..6c56a61e546c41d1d3bbba1c3fbb15935e37dcda 100644 (file)
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -1139,10 +1139,6 @@ connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn)
   or_connection_t *conn = _conn;
   (void)tls;
 
-  /* Don't invoke this again. */
-  tor_tls_set_renegotiate_callback(tls, NULL, NULL);
-  tor_tls_block_renegotiation(tls);
-
   if (connection_tls_finish_handshake(conn) < 0) {
     /* XXXX_TLS double-check that it's ok to do this from inside read. */
     /* XXXX_TLS double-check that this verifies certificates. */
@@ -1529,7 +1525,6 @@ connection_tls_finish_handshake(or_connection_t *conn)
       connection_or_init_conn_from_address(conn, &conn->_base.addr,
                                            conn->_base.port, digest_rcvd, 0);
     }
-    tor_tls_block_renegotiation(conn->tls);
     return connection_or_set_state_open(conn);
   } else {
     conn->_base.state = OR_CONN_STATE_OR_HANDSHAKING_V2;