$NetBSD: patch-aa,v 1.6 2010/08/02 07:06:04 wiz Exp $

From: Taylor R Campbell
Subject: patch for Tor to workaround OpenSSL renegotiation lossage on 5.1
Cc: athaba (pkgsrc/net/tor maintainer)
Date: Fri, 30 Jul 2010 01:31:50 +0000

Here's a patch to make Tor work on NetBSD 5.1, which implemented
OpenSSL 0.9.8l's ABI-incompatible SSL3_FLAGS method for reenabling TLS
renegotiation.  Tor already jumps through a number of hoops to guess
the right way to reenable renegotiation in OpenSSL, but it guesses
wrong for the version of OpenSSL that comes with NetBSD 5.1, which,
being 0.9.9-dev, looks newer than 0.9.8m.

I'm posting this here rather than on a Tor list because I don't think
it should be Tor's responsibility to work around back-ports and
forward-ports of broken OpenSSL features.  What I'd really rather see
is OpenSSL 0.9.8m's ABI-compatible SSL_OP method for reenabling TLS[*]
put into NetBSD 5.1 (and SSL_OP_ALLOW_UNSAFE_RENEGOTIATION defined in
ssl.h) so that this patch would be unnecessary.
[2. text/plain; nbsd51-reneg]

--- ./src/common/tortls.c.~1~	2010-05-02 22:02:50.000000000 +0000
+++ ./src/common/tortls.c	2010-07-30 00:34:00.000000000 +0000
@@ -356,6 +356,17 @@
      * program should be allowed to use renegotiation its first passed an
      * test of intelligence and determination.
      */
+#ifdef __NetBSD__
+    /* In NetBSD 5.1, OpenSSL 0.9.9-dev was imported and `fixed' to use
+       the same scheme as 0.9.8l.  */
+    if (version == 0x00909000L) {
+      log_notice(LD_GENERAL, "OpenSSL %s on NetBSD looks like version 0.9.8l; "
+                 "I will try SSL3_FLAGS to enable renegotation.",
+                 SSLeay_version(SSLEAY_VERSION));
+      use_unsafe_renegotiation_flag = 1;
+      use_unsafe_renegotiation_op = 1;
+    } else
+#endif
     if (version >= 0x009080c0L && version < 0x009080d0L) {
       log_notice(LD_GENERAL, "OpenSSL %s looks like version 0.9.8l; "
                  "I will try SSL3_FLAGS to enable renegotation.",