From: Nick Mathewson
Date: Mon, 1 Feb 2010 03:53:19 +0000 (-0500)
Subject: Merge remote branch 'origin/maint-0.2.1'
X-Git-Tag: tor-0.2.2.9-alpha~47
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=53144387997e6069b6c7bb23464c70b7f38b3dab;p=thirdparty%2Ftor.git
Merge remote branch 'origin/maint-0.2.1'
---
53144387997e6069b6c7bb23464c70b7f38b3dab
diff --cc src/common/tortls.c
index 344515b102,f552f2162d..cdd9f7ccbd
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@@ -354,11 -330,35 +354,34 @@@ tor_tls_init(void
 long version;
 SSL_library_init();
 SSL_load_error_strings();
- crypto_global_init(-1);
 version = SSLeay();
- if (version >= 0x009070c0L && version < 0x00908000L) {
- log_notice(LD_GENERAL, "OpenSSL %s looks like version 0.9.7l or later; " "I will try SSL3_FLAGS and SSL3_OP to enable renegotation",
+
+ /* OpenSSL 0.9.8l introdeced SSL3_FLAGS_ALLOW_UNSAGE_LEGACY_RENEGOTIATION
+ * here, but without thinking too hard about it: it turns out that the
+ * flag in question needed to be set at the last minute, and that it
+ * conflicted with an existing flag number that had already been added
+ * in the OpenSSL 1.0.0 betas. OpenSSL 0.9.8m thoughtfully replaced
+ * the flag with an option and (it seems) broke anything that used
+ * SSL3_FLAGS_* for the purpose. So we need to know how to do both,
+ * and we mustn't use the SSL3_FLAGS option with anything besides
+ * OpenSSL 0.9.8l.
+ *
+ * No, we can't just set flag 0x0010 everywhere. It breaks Tor with
+ * OpenSSL 1.0.0beta, since i. No, we can't just set option
+ * 0x00040000L everywhere: before 0.9.8m, it meant something else.
+ *
+ * No, we can't simply detect whether the flag or the option is present
+ * in the headers at build-time: some vendors (notably Apple) like to
+ * leave their headers out of sync with their libraries.
+ *
+ * Yes, it _is_ almost as if the OpenSSL developers decided that no
+ * program should be allowed to use renegotiation its first passed an
+ * test of intelligence and determination.
+ */
+ if (version >= 0x009080c0L && version < 0x009080d0L) {
+ log_notice(LD_GENERAL, "OpenSSL %s looks like version 0.9.8l; " "I will try SSL3_FLAGS to enable renegotation.", SSLeay_version(SSLEAY_VERSION));
 use_unsafe_renegotiation_flag = 1;
 use_unsafe_renegotiation_op = 1;
@@@ -943,8 -937,9 +960,9 @@@ tor_tls_new(int sock, int isServer
 SSL_set_info_callback(result->ssl, tor_tls_server_info_callback);
 }
 #endif
+ /* Not expected to get called. */
- tls_log_errors(NULL, LOG_WARN, "generating TLS context");
+ tls_log_errors(NULL, LOG_WARN, LD_NET, "generating TLS context");
 return result;
 }
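Review bot: The 0.9.8l branch sets `use_unsafe_renegotiation_op = 1;` right after `use_unsafe_renegotiation_flag = 1;`, yet the comment just above says option 0x00040000L "meant something else" before 0.9.8m, so either that assignment contradicts the comment or the comment should say why enabling the option on 0.9.8l is harmless; what the op variable actually controls is decided outside this hunk, so I cannot tell which. The explanatory comment also misnames the OpenSSL flag and loses a sentence: `SSL3_FLAGS_ALLOW_UNSAGE_LEGACY_RENEGOTIATION` should read `SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION`, "introdeced" should be "introduced", and "It breaks Tor with OpenSSL 1.0.0beta, since i." is cut off (presumably it meant to point at the reused flag number described earlier in the same comment). Since this comment documents why unsafe legacy renegotiation is deliberately enabled, getting the identifier right matters for anyone auditing the choice later. The notice string is spelled "renegotation" in both the removed and the added line; `"I will try SSL3_FLAGS to enable renegotiation."` is the intended text. tor_tls_init begins and ends outside the hunk.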
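Review bot: The added comment `/* Not expected to get called. */` above `tls_log_errors(NULL, LOG_WARN, LD_NET, "generating TLS context");` is ambiguous, because the call on the next line is always executed; it presumably means that no OpenSSL error is expected to be pending here, not that the function is not expected to run. Something like `/* No error is expected at this point; warn if OpenSSL left one anyway. */` states the intent, adjusted to whatever tls_log_errors actually does, which is defined outside this hunk. tor_tls_new starts outside the hunk.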