
Merge remote branch 'origin/maint-0.2.2'

Nick Mathewson 14 年之前
父節點
當前提交
4c71be65d8
共有 2 個文件被更改,包括 18 次插入10 次删除
  1. 6 0
      changes/bug1994
  2. 12 10
      src/common/tortls.c

+ 6 - 0
changes/bug1994

@@ -0,0 +1,6 @@
+  o Minor bugfixes:
+    - Correctly describe errors that occur when generating a TLS object
+      when logging them.  Previously we would attribtue them to a failure
+      while generating a TLS context.  Bugfix by Robert Ransom.  Bugfix 
+      on 0.1.0.4-rc.
+

+ 12 - 10
src/common/tortls.c

@@ -93,7 +93,9 @@ static int use_unsafe_renegotiation_op = 0;
  * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
  * SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION? */
 static int use_unsafe_renegotiation_flag = 0;
 static int use_unsafe_renegotiation_flag = 0;
 
 
-/** Structure holding the TLS state for a single connection. */
+/** Holds a SSL_CTX object and related state used to configure TLS
+ * connections.
+ */
 typedef struct tor_tls_context_t {
 typedef struct tor_tls_context_t {
   int refcnt;
   int refcnt;
   SSL_CTX *ctx;
   SSL_CTX *ctx;
@@ -379,7 +381,7 @@ tor_tls_init(void)
 
 
     version = SSLeay();
     version = SSLeay();
 
 
-    /* OpenSSL 0.9.8l introduced SSL3_FLAGS_ALLOW_UNSAGE_LEGACY_RENEGOTIATION
+    /* OpenSSL 0.9.8l introduced SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
      * here, but without thinking too hard about it: it turns out that the
      * here, but without thinking too hard about it: it turns out that the
      * flag in question needed to be set at the last minute, and that it
      * flag in question needed to be set at the last minute, and that it
      * conflicted with an existing flag number that had already been added
      * conflicted with an existing flag number that had already been added
@@ -562,9 +564,9 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
   (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"           \
   (TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":"           \
    TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"           \
    TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":"           \
    SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
    SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA)
-/* Note: for setting up your own private testing network with link crypto
- * disabled, set the cipher lists to your cipher list to
- * SSL3_TXT_RSA_NULL_SHA.  If you do this, you won't be able to communicate
+/* Note: to set up your own private testing network with link crypto
+ * disabled, set your Tors' cipher list to
+ * (SSL3_TXT_RSA_NULL_SHA).  If you do this, you won't be able to communicate
  * with any of the "real" Tors, though. */
  * with any of the "real" Tors, though. */
 
 
 #ifdef V2_HANDSHAKE_CLIENT
 #ifdef V2_HANDSHAKE_CLIENT
@@ -625,7 +627,7 @@ tor_tls_context_incref(tor_tls_context_t *ctx)
 
 
 /** Create a new TLS context for use with Tor TLS handshakes.
 /** Create a new TLS context for use with Tor TLS handshakes.
  * <b>identity</b> should be set to the identity key used to sign the
  * <b>identity</b> should be set to the identity key used to sign the
- * certificate, and <b>nickname</b> set to the nickname to use.
+ * certificate.
  *
  *
  * You can call this function multiple times.  Each time you call it,
  * You can call this function multiple times.  Each time you call it,
  * it generates new certificates; all new connections will use
  * it generates new certificates; all new connections will use
@@ -728,8 +730,8 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
   SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
   SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
   /* Free the old context if one exists. */
   /* Free the old context if one exists. */
   if (global_tls_context) {
   if (global_tls_context) {
-    /* This is safe even if there are open connections: OpenSSL does
-     * reference counting with SSL and SSL_CTX objects. */
+    /* This is safe even if there are open connections: we reference-
+     * count tor_tls_context_t objects. */
     tor_tls_context_decref(global_tls_context);
     tor_tls_context_decref(global_tls_context);
   }
   }
   global_tls_context = result;
   global_tls_context = result;
@@ -935,7 +937,7 @@ tor_tls_new(int sock, int isServer)
 
 
   tor_assert(global_tls_context); /* make sure somebody made it first */
   tor_assert(global_tls_context); /* make sure somebody made it first */
   if (!(result->ssl = SSL_new(global_tls_context->ctx))) {
   if (!(result->ssl = SSL_new(global_tls_context->ctx))) {
-    tls_log_errors(NULL, LOG_WARN, LD_NET, "generating TLS context");
+    tls_log_errors(NULL, LOG_WARN, LD_NET, "creating SSL object");
     tor_free(result);
     tor_free(result);
     return NULL;
     return NULL;
   }
   }
@@ -992,7 +994,7 @@ tor_tls_new(int sock, int isServer)
 #endif
 #endif
 
 
   /* Not expected to get called. */
   /* Not expected to get called. */
-  tls_log_errors(NULL, LOG_WARN, LD_NET, "generating TLS context");
+  tls_log_errors(NULL, LOG_WARN, LD_NET, "creating tor_tls_t object");
   return result;
   return result;
 }
 }
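Review bot: The rewritten comment in the tor_tls_context_new hunk (`we reference-count tor_tls_context_t objects`) justifies releasing the global reference while connections are open, but that is only true if every live tor_tls_t owns a reference on the context it was created from; the tor_tls_new hunk further down reads `global_tls_context->ctx` directly, and the corresponding incref, if there is one, lies outside the visible lines. Since this comment is the only place documenting why the SSL_CTX cannot be freed underneath an open connection, it should name where that reference is taken, e.g. `/* This is safe even if there are open connections: each tor_tls_t holds a reference on its tor_tls_context_t (taken in tor_tls_new), so the context is not freed here while one is still in use. */` — adjust the wording if tor_tls_new does not in fact take that reference. The enclosing function tor_tls_context_new begins before this hunk.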