[or-cvs] [tor/master] Drop debian/patches/0a58567c-work-with-reneg-ssl.dpatch (part of upstream)

arma at seul.org arma at seul.org
Mon Nov 23 19:30:12 UTC 2009 

Author: Peter Palfrader <peter at palfrader.org>
Date: Mon, 23 Nov 2009 18:59:05 +0100
Subject: Drop debian/patches/0a58567c-work-with-reneg-ssl.dpatch (part of upstream)
Commit: 50feca0dcbf9934f2bbe6fa4b84ea76d06890100

---
 debian/changelog                                   |    2 +
 debian/patches/00list                              |    1 -
 debian/patches/0a58567c-work-with-reneg-ssl.dpatch |  129 --------------------
 3 files changed, 2 insertions(+), 130 deletions(-)
 delete mode 100644 debian/patches/0a58567c-work-with-reneg-ssl.dpatch

diff --git a/debian/changelog b/debian/changelog
index 17364f4..11b2dc3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
 tor (0.2.2.6-alpha-1) experimental; urgency=low
 
   * New upstream version.
+    - Drop debian/patches/0a58567c-work-with-reneg-ssl.dpatch
+      (part of upstream).
 
  -- Peter Palfrader <weasel at debian.org>  Mon, 23 Nov 2009 18:52:04 +0100
 
diff --git a/debian/patches/00list b/debian/patches/00list
index 63c5216..9260bb7 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -3,4 +3,3 @@
 06_add_compile_time_defaults.dpatch
 07_log_to_file_by_default.dpatch
 14_fix_geoip_warning
-0a58567c-work-with-reneg-ssl.dpatch
diff --git a/debian/patches/0a58567c-work-with-reneg-ssl.dpatch b/debian/patches/0a58567c-work-with-reneg-ssl.dpatch
deleted file mode 100644
index 886e2d1..0000000
--- a/debian/patches/0a58567c-work-with-reneg-ssl.dpatch
+++ /dev/null
@@ -1,129 +0,0 @@
-#! /bin/sh -e
-
-if [ $# -lt 1 ]; then
-    echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
-    exit 1
-fi
-
-[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts
-patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}"
-
-case "$1" in
-    -patch) patch -p1 ${patch_opts} < $0;;
-    -unpatch) patch -R -p1 ${patch_opts} < $0;;
-    *)
-        echo "`basename $0`: script expects -patch|-unpatch as argument" >&2
-        exit 1;;
-esac
-
-exit 0
-
-#diff --git a/ChangeLog b/ChangeLog
-#index 0109ff5..679d576 100644
-#--- a/ChangeLog
-#+++ b/ChangeLog
-#@@ -311,6 +311,12 @@ Changes in version 0.2.2.1-alpha - 2009-08-26
-# 
-# 
-# Changes in Version 0.2.1.21 - 20??-??-??
-#+  o Major bugfixes:
-#+    - Work around a security feature in OpenSSL 0.9.8l that prevents our
-#+      handshake from working unless we explicitly tell OpenSSL that we are
-#+      using SSL renegotiation safely.  We are, of course, but OpenSSL
-#+      0.9.8l won't work unless we say we are.
-#+
-#   o Minor bugfixes:
-#     - Do not refuse to learn about authority certs and v2 networkstatus
-#       documents that are older than the latest consensus.  This bug might
- at DPATCH@
-diff --git a/src/common/tortls.c b/src/common/tortls.c
-index 6e09325..ff49ecf 100644
---- a/src/common/tortls.c
-+++ b/src/common/tortls.c
-@@ -154,6 +154,7 @@ static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa,
-                                         const char *cname,
-                                         const char *cname_sign,
-                                         unsigned int lifetime);
-+static void tor_tls_unblock_renegotiation(tor_tls_t *tls);
- 
- /** Global tls context. We keep it here because nobody else needs to
-  * touch it. */
-@@ -927,6 +928,36 @@ tor_tls_set_renegotiate_callback(tor_tls_t *tls,
- #endif
- }
- 
-+/** If this version of openssl requires it, turn on renegotiation on
-+ * <b>tls</b>.  (Our protocol never requires this for security, but it's nice
-+ * to use belt-and-suspenders here.)
-+ */
-+static void
-+tor_tls_unblock_renegotiation(tor_tls_t *tls)
-+{
-+#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-+  /* Yes, we know what we are doing here.  No, we do not treat a renegotiation
-+   * as authenticating any earlier-received data. */
-+  tls->ssl->s3->flags |= SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
-+#else
-+  (void)tls;
-+#endif
-+}
-+
-+/** If this version of openssl supports it, turn off renegotiation on
-+ * <b>tls</b>.  (Our protocol never requires this for security, but it's nice
-+ * to use belt-and-suspenders here.)
-+ */
-+void
-+tor_tls_block_renegotiation(tor_tls_t *tls)
-+{
-+#ifdef SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
-+  tls->ssl->s3->flags &= ~SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
-+#else
-+  (void)tls;
-+#endif
-+}
-+
- /** Return whether this tls initiated the connect (client) or
-  * received it (server). */
- int
-@@ -1058,6 +1089,9 @@ tor_tls_handshake(tor_tls_t *tls)
-   if (oldstate != tls->ssl->state)
-     log_debug(LD_HANDSHAKE, "After call, %p was in state %s",
-               tls, ssl_state_to_string(tls->ssl->state));
-+  /* We need to call this here and not earlier, since OpenSSL has a penchant
-+   * for clearing its flags when you say accept or connect. */
-+  tor_tls_unblock_renegotiation(tls);
-   r = tor_tls_get_error(tls,r,0, "handshaking", LOG_INFO, LD_HANDSHAKE);
-   if (ERR_peek_error() != 0) {
-     tls_log_errors(tls, tls->isServer ? LOG_INFO : LOG_WARN, LD_HANDSHAKE,
-diff --git a/src/common/tortls.h b/src/common/tortls.h
-index d006909..871fec3 100644
---- a/src/common/tortls.h
-+++ b/src/common/tortls.h
-@@ -65,6 +65,7 @@ int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
- int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n);
- int tor_tls_handshake(tor_tls_t *tls);
- int tor_tls_renegotiate(tor_tls_t *tls);
-+void tor_tls_block_renegotiation(tor_tls_t *tls);
- int tor_tls_shutdown(tor_tls_t *tls);
- int tor_tls_get_pending_bytes(tor_tls_t *tls);
- size_t tor_tls_get_forced_write_size(tor_tls_t *tls);
-diff --git a/src/or/connection_or.c b/src/or/connection_or.c
-index c3d35e1..bbd6439 100644
---- a/src/or/connection_or.c
-+++ b/src/or/connection_or.c
-@@ -799,6 +799,7 @@ connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn)
- 
-   /* Don't invoke this again. */
-   tor_tls_set_renegotiate_callback(tls, NULL, NULL);
-+  tor_tls_block_renegotiation(tls);
- 
-   if (connection_tls_finish_handshake(conn) < 0) {
-     /* XXXX_TLS double-check that it's ok to do this from inside read. */
-@@ -1045,6 +1046,7 @@ connection_tls_finish_handshake(or_connection_t *conn)
-       connection_or_init_conn_from_address(conn, &conn->_base.addr,
-                                            conn->_base.port, digest_rcvd, 0);
-     }
-+    tor_tls_block_renegotiation(conn->tls);
-     return connection_or_set_state_open(conn);
-   } else {
-     conn->_base.state = OR_CONN_STATE_OR_HANDSHAKING;
-- 
1.5.6.5

More information about the tor-commits mailing list