76de59575e
The simple version: Tor provides a distributed network of servers ("onion routers"). Users bounce their TCP streams (web traffic, FTP, SSH, etc.) around the routers. This makes it hard for recipients, observers, and even the onion routers themselves to track the source of the stream. The complex version: Onion Routing is a connection-oriented anonymizing communication service. Users choose a source-routed path through a set of nodes, and negotiate a "virtual circuit" through the network, in which each node knows its predecessor and successor, but no others. Traffic flowing down the circuit is unwrapped by a symmetric key at each node, which reveals the downstream node.
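To make the "virtual circuit" mechanics concrete, here is an added illustration of layered per-hop symmetric encryption; it is not Tor's code or cell format. Every name in it (the hop ids, the `seal`/`unseal` helpers, the three-hop `PATH`) is constructed for the example, and the cipher is a toy SHA-256 counter keystream with an HMAC tag so that it runs on the Python standard library alone. Each layer carries only the identity of the next hop, so a relay learns its predecessor (whoever handed it the cell) and its successor, and nothing else.

```python
"""Toy onion circuit: per-hop symmetric layers (added example, not Tor code)."""
import hashlib
import hmac
import os
import struct

HOP_ID_LEN = 8    # fixed-width "next hop" field carried inside each layer
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode: a constructed stand-in for a real stream cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer under a single hop's symmetric key."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify and strip one layer; a wrong key or a modified byte is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(path, destination: bytes, payload: bytes) -> bytes:
    """Client side: wrap the payload once per hop, innermost (exit) layer first.

    path is a list of (hop_id, key) from entry to exit; the client knows every
    key. A hop's layer names only the *next* hop, never the rest of the route.
    """
    next_hops = [hop_id for hop_id, _ in path][1:] + [destination]
    cell = payload
    for (_, key), next_hop in zip(reversed(path), reversed(next_hops)):
        cell = seal(key, next_hop.ljust(HOP_ID_LEN, b"\0") + cell)
    return cell


def relay_peel(key: bytes, cell: bytes):
    """Relay side: strip our layer, read who to forward to, pass the rest on."""
    inner = unseal(key, cell)
    return inner[:HOP_ID_LEN].rstrip(b"\0"), inner[HOP_ID_LEN:]


def run_circuit(path, destination: bytes, payload: bytes):
    """Drive one cell through every hop.

    Returns (exit's next hop, delivered bytes, trace). The trace records what
    each relay saw: its own id, the successor it learned, and the bytes it
    forwarded, which are still encrypted for every hop after it.
    """
    cell = build_onion(path, destination, payload)
    trace = []
    next_hop = None
    for hop_id, key in path:
        next_hop, cell = relay_peel(key, cell)
        trace.append((hop_id, next_hop, cell))
    return next_hop, cell, trace


# Constructed three-hop circuit; in Tor the per-hop keys come from the circuit handshake.
PATH = [(b"guard", os.urandom(32)), (b"middle", os.urandom(32)), (b"exit", os.urandom(32))]

if __name__ == "__main__":
    dest, data, trace = run_circuit(PATH, b"website", b"GET / HTTP/1.0")
    for hop_id, nxt, fwd in trace:
        print(f"{hop_id.decode()} -> {nxt.decode()}  ({len(fwd)} bytes forwarded)")
    print("exit delivers", data, "to", dest)
```

Running it shows the guard forwarding an opaque blob to the middle relay, the middle relay forwarding a smaller opaque blob to the exit, and only the exit recovering the plaintext and the destination. One property this toy deliberately does not hide: each peeled layer is 56 bytes shorter than the last, so an observer could infer a relay's position in the circuit from cell length alone. Tor avoids that by carrying traffic in fixed-size cells, which the description above does not go into.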
42 lines
2 KiB
Text
$NetBSD: patch-aa,v 1.4 2014/11/29 14:13:48 athaba Exp $

From: Taylor R Campbell
Subject: patch for Tor to workaround OpenSSL renegotiation lossage on 5.1
Cc: athaba (pkgsrc/net/tor maintainer)
Date: Fri, 30 Jul 2010 01:31:50 +0000

Here's a patch to make Tor work on NetBSD 5.1, which implemented
OpenSSL 0.9.8l's ABI-incompatible SSL3_FLAGS method for reenabling TLS
renegotiation. Tor already jumps through a number of hoops to guess
the right way to reenable renegotiation in OpenSSL, but it guesses
wrong for the version of OpenSSL that comes with NetBSD 5.1, which,
being 0.9.9-dev, looks newer than 0.9.8m.

I'm posting this here rather than on a Tor list because I don't think
it should be Tor's responsibility to work around back-ports and
forward-ports of broken OpenSSL features. What I'd really rather see
is OpenSSL 0.9.8m's ABI-compatible SSL_OP method for reenabling TLS[*]
put into NetBSD 5.1 (and SSL_OP_ALLOW_UNSAFE_RENEGOTIATION defined in
ssl.h) so that this patch would be unnecessary.

[2. text/plain; nbsd51-reneg]

--- src/common/tortls.c.orig 2014-11-29 13:13:35.000000000 +0000
+++ src/common/tortls.c
@@ -481,6 +481,17 @@ tor_tls_init(void)
* program should be allowed to use renegotiation unless it first passed
* a test of intelligence and determination.
*/
+#ifdef __NetBSD__
+ /* In NetBSD 5.1, OpenSSL 0.9.9-dev was imported and `fixed' to use
+ the same scheme as 0.9.8l. */
+ if (version == OPENSSL_V_NOPATCH(0,9,9)) {
+ log_info(LD_GENERAL, "OpenSSL %s on NetBSD looks like version 0.9.8l; "
+ "I will try SSL3_FLAGS and SSL_OP to enable renegotation.",
+ SSLeay_version(SSLEAY_VERSION));
+ use_unsafe_renegotiation_flag = 1;
+ use_unsafe_renegotiation_op = 1;
+ } else
+#endif
if (version > OPENSSL_V(0,9,8,'k') && version <= OPENSSL_V(0,9,8,'l')) {
log_info(LD_GENERAL, "OpenSSL %s looks like version 0.9.8l, but "
"some vendors have backported renegotiation code from "
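Review bot: the `} else` left dangling right before `#endif` (the line after `use_unsafe_renegotiation_op = 1;`) ties the new block to whatever statement happens to follow the `#endif`. It works today only because the next line is the existing `if (version > OPENSSL_V(0,9,8,'k') && version <= OPENSSL_V(0,9,8,'l')) {`, and any later edit that inserts a statement, a declaration or even a stray semicolon between the two would silently change control flow on NetBSD while compiling cleanly everywhere else. Consider closing the brace inside the `#ifdef` and expressing the fall-through explicitly, for example by folding the NetBSD case into the existing version chain as a condition guarded by a preprocessor-defined constant rather than a preprocessor-split `else`. Two smaller points in the same hunk: the log message spells it "renegotation", and the comment only explains the 0.9.8l lookalike, not why both `use_unsafe_renegotiation_flag` and `use_unsafe_renegotiation_op` are set; since this branch re-enables unsafe renegotiation for any OpenSSL reporting exactly `OPENSSL_V_NOPATCH(0,9,9)` on NetBSD, not only the 5.1 import the header describes, a sentence saying so (and that a real 0.9.9-dev elsewhere on NetBSD would be handled the same way) would help the next maintainer.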