1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
$NetBSD: patch-aa,v 1.9 2014/06/07 09:11:36 wiz Exp $
From: Taylor R Campbell
Subject: patch for Tor to workaround OpenSSL renegotiation lossage on 5.1
Cc: athaba (pkgsrc/net/tor maintainer)
Date: Fri, 30 Jul 2010 01:31:50 +0000
Here's a patch to make Tor work on NetBSD 5.1, which implemented
OpenSSL 0.9.8l's ABI-incompatible SSL3_FLAGS method for reenabling TLS
renegotiation. Tor already jumps through a number of hoops to guess
the right way to reenable renegotiation in OpenSSL, but it guesses
wrong for the version of OpenSSL that comes with NetBSD 5.1, which,
being 0.9.9-dev, looks newer than 0.9.8m.
I'm posting this here rather than on a Tor list because I don't think
it should be Tor's responsibility to work around back-ports and
forward-ports of broken OpenSSL features. What I'd really rather see
is OpenSSL 0.9.8m's ABI-compatible SSL_OP method for reenabling TLS[*]
put into NetBSD 5.1 (and SSL_OP_ALLOW_UNSAFE_RENEGOTIATION defined in
ssl.h) so that this patch would be unnecessary.
[2. text/plain; nbsd51-reneg]
--- src/common/tortls.c.orig 2014-05-08 03:20:58.000000000 +0000
+++ src/common/tortls.c
@@ -487,6 +487,17 @@ tor_tls_init(void)
* program should be allowed to use renegotiation unless it first passed
* a test of intelligence and determination.
*/
+#ifdef __NetBSD__
+ /* In NetBSD 5.1, OpenSSL 0.9.9-dev was imported and `fixed' to use
+ the same scheme as 0.9.8l. */
+ if (version == OPENSSL_V_NOPATCH(0,9,9)) {
+ log_notice(LD_GENERAL, "OpenSSL %s on NetBSD looks like version 0.9.8l; "
+ "I will try SSL3_FLAGS and SSL_OP to enable renegotation.",
+ SSLeay_version(SSLEAY_VERSION));
+ use_unsafe_renegotiation_flag = 1;
+ use_unsafe_renegotiation_op = 1;
+ } else
+#endif
if (version > OPENSSL_V(0,9,8,'k') && version <= OPENSSL_V(0,9,8,'l')) {
log_info(LD_GENERAL, "OpenSSL %s looks like version 0.9.8l, but "
"some vendors have backported renegotiation code from "
|
