| blob | 7723d9d2bd65724bfd3ced751f04ed0cc4910b84 |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2017, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file connection_or.c
9 * \brief Functions to handle OR connections, TLS handshaking, and
10 * cells on the network.
11 *
12 * An or_connection_t is a subtype of connection_t (as implemented in
13 * connection.c) that uses a TLS connection to send and receive cells on the
14 * Tor network. (By sending and receiving cells connection_or.c, it cooperates
15 * with channeltls.c to implement a the channel interface of channel.c.)
16 *
17 * Every OR connection has an underlying tortls_t object (as implemented in
18 * tortls.c) which it uses as its TLS stream. It is responsible for
19 * sending and receiving cells over that TLS.
20 *
21 * This module also implements the client side of the v3 Tor link handshake,
22 **/
26 /*
27 * Define this so we get channel internal functions, since we're implementing
28 * part of a subclass (channel_tls_t).
29 */
30 #define TOR_CHANNEL_INTERNAL_
31 #define CONNECTION_OR_PRIVATE
71 static unsigned int
75 /*
76 * Call this when changing connection state, so notifications to the owning
77 * channel can be handled.
78 */
85 /**************************************************************/
87 /** Global map between Extended ORPort identifiers and OR
88 * connections. */
91 /** Clear clear conn->identity_digest and update other data
92 * structures as appropriate.*/
93 void
95 {
98 }
100 /** Clear all identities in OR conns.*/
101 void
103 {
106 {
109 }
110 });
111 }
113 /** Change conn->identity_digest to digest, and add conn into
114 * the appropriate digest maps.
115 *
116 * NOTE that this function only allows two kinds of transitions: from
117 * unset identity to set identity, and from idempotent re-settings
118 * of the same identity. It's not allowed to clear an identity or to
119 * change an identity. Return 0 on success, and -1 if the transition
120 * is not allowed.
121 **/
122 static void
126 {
135 conn,
157 /* If the identity was set previously, remove the old mapping. */
162 }
166 /* If we're initializing the IDs to zero, don't add a mapping yet. */
171 /* Deal with channels */
174 }
176 /** Remove the Extended ORPort identifier of <b>conn</b> from the
177 * global identifier list. Also, clear the identifier from the
178 * connection itself. */
179 void
181 {
193 }
195 /** Return the connection whose ext_or_id is <b>id</b>. Return NULL if no such
196 * connection is found. */
197 or_connection_t *
199 {
203 }
205 /** Deallocate the global Extended ORPort identifier list */
206 void
208 {
211 }
213 /** Creates an Extended ORPort identifier for <b>conn</b> and deposits
214 * it into the global list of identifiers. */
215 void
217 {
224 /* Remove any previous identifiers: */
239 }
241 /**************************************************************/
243 /** Map from a string describing what a non-open OR connection was doing when
244 * failed, to an intptr_t describing the count of connections that failed that
245 * way. Note that the count is stored _as_ the pointer.
246 */
249 /** If true, do not record information in <b>broken_connection_counts</b>. */
252 /** Record that an OR connection failed in <b>state</b>. */
253 static void
255 {
266 val++;
269 }
271 /** Forget all recorded states for failed connections. If
272 * <b>stop_recording</b> is true, don't record any more. */
273 void
275 {
281 }
283 /** Write a detailed description the state of <b>orconn</b> into the
284 * <b>buflen</b>-byte buffer at <b>buf</b>. This description includes not
285 * only the OR-conn level state but also the TLS state. It's useful for
286 * diagnosing broken handshakes. */
287 static void
290 {
301 }
303 /** Record the current state of <b>orconn</b> as the state of a broken
304 * connection. */
305 static void
307 {
314 }
316 /** Helper type used to sort connection states and find the most frequent. */
322 /** Helper function used to sort broken_state_count_t by frequency. */
323 static int
325 {
331 else
333 }
335 /** Upper limit on the number of different states to report for connection
336 * failure. */
337 #define MAX_REASONS_TO_REPORT 10
339 /** Report a list of the top states for failed OR connections at log level
340 * <b>severity</b>, in log domain <b>domain</b>. */
341 void
343 {
373 }
375 /** Call this to change or_connection_t states, so the owning channel_tls_t can
376 * be notified.
377 */
379 static void
381 {
392 }
394 /** Return the number of circuits using an or_connection_t; this used to
395 * be an or_connection_t field, but it got moved to channel_t and we
396 * shouldn't maintain two copies. */
400 {
406 }
408 /**************************************************************/
410 /** Pack the cell_t host-order structure <b>src</b> into network-order
411 * in the buffer <b>dest</b>. See tor-spec.txt for details about the
412 * wire format.
413 *
414 * Note that this function doesn't touch <b>dst</b>-\>next: the caller
415 * should set it or clear it as appropriate.
416 */
417 void
419 {
425 /* Clear the last two bytes of dest, in case we can accidentally
426 * send them to the network somehow. */
430 }
433 }
435 /** Unpack the network-order buffer <b>src</b> into a host-order
436 * cell_t structure <b>dest</b>.
437 */
438 static void
440 {
447 }
450 }
452 /** Write the header of <b>cell</b> into the first VAR_CELL_MAX_HEADER_SIZE
453 * bytes of <b>hdr_out</b>. Returns number of bytes used. */
454 int
456 {
466 }
470 }
472 /** Allocate and return a new var_cell_t with <b>payload_len</b> bytes of
473 * payload space. */
474 var_cell_t *
476 {
483 }
485 /**
486 * Copy a var_cell_t
487 */
489 var_cell_t *
491 {
502 }
505 }
507 /** Release all space held by <b>cell</b>. */
508 void
510 {
512 }
514 /** We've received an EOF from <b>conn</b>. Mark it for close and return. */
515 int
517 {
524 }
526 /** Handle any new bytes that have come in on connection <b>conn</b>.
527 * If conn is in 'open' state, hand it to
528 * connection_or_process_cells_from_inbuf()
529 * (else do nothing).
530 */
531 int
533 {
534 /** Don't let the inbuf of a nonopen OR connection grow beyond this many
535 * bytes: it's either a broken client, a non-Tor client, or a DOS
536 * attempt. */
537 #define MAX_OR_INBUF_WHEN_NONOPEN 0
546 /* start TLS after handshake completion, or deal with error */
551 /* Touch the channel's active timestamp if there is one */
554 }
557 }
567 }
569 /* This check was necessary with 0.2.2, when the TLS_SERVER_RENEGOTIATING
570 * check would otherwise just let data accumulate. It serves no purpose
571 * in 0.2.3.
572 *
573 * XXXX Remove this check once we verify that the above paragraph is
574 * 100% true. */
584 }
587 }
589 /** Called whenever we have flushed some data on an or_conn: add more data
590 * from active circuits. */
591 int
593 {
596 /* Update the channel's active timestamp if there is one */
600 /* If we're under the low water mark, add cells until we're just over the
601 * high water mark. */
604 /* Let the scheduler know */
606 }
609 }
611 /** This is for channeltls.c to ask how many cells we could accept if
612 * they were available. */
613 ssize_t
615 {
621 /*
622 * If we're under the high water mark, we're potentially
623 * writeable; note this is different from the calculation above
624 * used to trigger when to start writing after we've stopped.
625 */
630 }
633 }
635 /** Connection <b>conn</b> has finished writing and has no bytes left on
636 * its outbuf.
637 *
638 * Otherwise it's in state "open": stop writing and return.
639 *
640 * If <b>conn</b> is broken, mark it for close and return -1, else
641 * return 0.
642 */
643 int
645 {
659 }
661 /* Update the channel's active timestamp if there is one */
666 }
668 /** Connected handler for OR connections: begin the TLS handshake.
669 */
670 int
672 {
685 /* start proxy handshake */
689 }
694 }
697 /* TLS handshaking error of some kind. */
700 }
702 }
704 /** Called when we're about to finally unlink and free an OR connection:
705 * perform necessary accounting and cleanup */
706 void
708 {
711 /* Tell the controlling channel we're closed */
714 /*
715 * NULL this out because the channel might hang around a little
716 * longer before channel_run_cleanup() gets it.
717 */
720 }
722 /* Remember why we're closing this connection. */
724 /* now mark things down as needed */
728 /* Tell the new guard API about the channel failure */
733 reason);
738 }
739 }
741 /* We only set hold_open_until_flushed when we're intentionally
742 * closing a connection. */
748 }
749 }
751 /** Return 1 if identity digest <b>id_digest</b> is known to be a
752 * currently or recently running relay. Otherwise return 0. */
753 int
755 {
760 * it. Probably it was in a recent consensus. "Yes". */
762 }
764 /** Set the per-conn read and write limits for <b>conn</b>. If it's a known
765 * relay, we will rely on the global read and write buckets, so give it
766 * per-conn limits that are big enough they'll never matter. But if it's
767 * not a known relay, first check if we set PerConnBwRate/Burst, then
768 * check if the consensus sets them, else default to 'big enough'.
769 *
770 * If <b>reset</b> is true, set the bucket to be full. Otherwise, just
771 * clip the bucket if it happens to be <em>too</em> full.
772 */
773 static void
776 {
779 /* It's in the consensus, or we have a descriptor for it meaning it
780 * was probably in a recent consensus. It's a recognized relay:
781 * give it full bandwidth. */
785 /* Not a recognized relay. Squeeze it down based on the suggested
786 * bandwidth parameters in the consensus, but allow local config
787 * options to override. */
794 }
799 }
800 }
802 /** Either our set of relays or our per-conn rate limits have changed.
803 * Go through all the OR connections and update their token buckets to make
804 * sure they don't exceed their maximum values. */
805 void
808 {
810 {
813 });
814 }
816 /* Mark <b>or_conn</b> as canonical if <b>is_canonical</b> is set, and
817 * non-canonical otherwise. Adjust idle_timeout accordingly.
818 */
819 void
822 {
825 /* Don't recalculate an existing idle_timeout unless the canonical
826 * status changed. */
828 }
839 }
841 /** If we don't necessarily know the router we're connecting to, but we
842 * have an addr/port/id_digest, then fill in as much as we can. Start
843 * by checking to see if this describes a router we know.
844 * <b>started_here</b> is 1 if we are the initiator of <b>conn</b> and
845 * 0 if it's an incoming connection. */
846 void
852 {
857 started_here);
867 }
869 /** Check whether the identity of <b>conn</b> matches a known node. If it
870 * does, check whether the address of conn matches the expected address, and
871 * update the connection's is_canonical flag, nickname, and address fields as
872 * appropriate. */
873 static void
875 {
886 /* If this node is capable of proving an ed25519 ID,
887 * we can't call this a canonical connection unless both IDs match. */
889 }
892 tor_addr_port_t node_ap;
894 /* XXXX proposal 186 is making this more complex. For now, a conn
895 is canonical when it uses the _preferred_ address. */
899 /* Override the addr/port, so our log messages will make sense.
900 * This is dangerous, since if we ever try looking up a conn by
901 * its actual addr/port, we won't remember. Careful! */
902 /* XXXX arma: this is stupid, and it's the reason we need real_addr
903 * to track is_canonical properly. What requires it? */
904 /* XXXX <arma> i believe the reason we did this, originally, is because
905 * we wanted to log what OR a connection was to, and if we logged the
906 * right IP address and port 56244, that wouldn't be as helpful. now we
907 * log the "right" port too, so we know if it's moria1 or moria2.
908 */
911 }
925 }
927 /*
928 * We have to tell channeltls.c to update the channel marks (local, in
929 * particular), since we may have changed the address.
930 */
934 }
935 }
937 /** These just pass all the is_bad_for_new_circs manipulation on to
938 * channel_t */
940 static unsigned int
942 {
948 }
950 static void
952 {
957 }
959 /** How old do we let a connection to an OR get before deciding it's
960 * too old for new circuits? */
961 #define TIME_BEFORE_OR_CONN_IS_TOO_OLD (60*60*24*7)
963 /** Expire an or_connection if it is too old. Helper for
964 * connection_or_group_set_badness_ and fast path for
965 * channel_rsa_id_group_set_badness.
966 *
967 * Returns 1 if the connection was already expired, else 0.
968 */
969 int
973 {
974 /* XXXX this function should also be about channels? */
983 "Marking OR conn to %s:%d as too old for new circuits "
988 }
991 }
993 /** Given a list of all the or_connections with a given
994 * identity, set elements of that list as is_bad_for_new_circs as
995 * appropriate. Helper for connection_or_set_bad_connections().
996 *
997 * Specifically, we set the is_bad_for_new_circs flag on:
998 * - all connections if <b>force</b> is true.
999 * - all connections that are too old.
1000 * - all open non-canonical connections for which a canonical connection
1001 * exists to the same router.
1002 * - all open canonical connections for which a 'better' canonical
1003 * connection exists to the same router.
1004 * - all open non-canonical connections for which a 'better' non-canonical
1005 * connection exists to the same router at the same address.
1006 *
1007 * See channel_is_better() in channel.c for our idea of what makes one OR
1008 * connection better than another.
1009 */
1010 void
1012 {
1013 /* XXXX this function should be entirely about channels, not OR
1014 * XXXX connections. */
1020 /* Pass 1: expire everything that's old, and see what the status of
1021 * everything else is. */
1034 }
1037 /* Pass 2: We know how about how good the best connection is.
1038 * expire everything that's worse, and find the very best if we can. */
1045 * when the connection finishes. */
1047 /* We have at least one open canonical connection to this router,
1048 * and this one is open but not canonical. Mark it bad. */
1050 "Marking OR conn to %s:%d as unsuitable for new circuits: "
1057 }
1063 }
1069 /* Pass 3: One connection to OR is best. If it's canonical, mark as bad
1070 * every other open connection. If it's non-canonical, mark as bad
1071 * every other open connection to the same address.
1072 *
1073 * XXXX This isn't optimal; if we have connections to an OR at multiple
1074 * addresses, we'd like to pick the best _for each address_, and mark as
1075 * bad every open connection that isn't best for its address. But this
1076 * can only occur in cases where the other OR is old (so we have no
1077 * canonical connection to it), or where all the connections to the OR are
1078 * at noncanonical addresses and we have no good direct connection (which
1079 * means we aren't at risk of attaching circuits to it anyway). As
1080 * 0.1.2.x dies out, the first case will go away, and the second one is
1081 * "mostly harmless", so a fix can wait until somebody is bored.
1082 */
1091 /* This isn't the best conn, _and_ the best conn is better than it */
1094 "Marking OR conn to %s:%d as unsuitable for new circuits: "
1096 "We have a better canonical one "
1105 "Marking OR conn to %s:%d as unsuitable for new circuits: "
1107 "one with the "
1113 }
1114 }
1116 }
1118 /* Lifetime of a connection failure. After that, we'll retry. This is in
1119 * seconds. */
1120 #define OR_CONNECT_FAILURE_LIFETIME 60
1121 /* The interval to use with when to clean up the failure cache. */
1122 #define OR_CONNECT_FAILURE_CLEANUP_INTERVAL 60
1124 /* When is the next time we have to cleanup the failure map. We keep this
1125 * because we clean it opportunistically. */
1128 /* OR connection failure entry data structure. It is kept in the connection
1129 * failure map defined below and indexed by OR identity digest, address and
1130 * port.
1131 *
1132 * We need to identify a connection failure with these three values because we
1133 * want to avoid to wrongfully blacklist a relay if someone is trying to
1134 * extend to a known identity digest but with the wrong IP/port. For instance,
1135 * it can happen if a relay changed its port but the client still has an old
1136 * descriptor with the old port. We want to stop connecting to that
1137 * IP/port/identity all together, not only the relay identity. */
1140 /* Identity digest of the connection where it is connecting to. */
1142 /* This is the connection address from the base connection_t. After the
1143 * connection is checked for canonicity, the base address should represent
1144 * what we know instead of where we are connecting to. This is what we need
1145 * so we can correlate known relays within the consensus. */
1146 tor_addr_t addr;
1148 /* Last time we were unable to connect. */
1152 /* Map where we keep connection failure entries. They are indexed by addr,
1153 * port and identity digest. */
1157 /* Helper: Hashtable equal function. Return 1 if equal else 0. */
1158 static int
1161 {
1165 }
1167 /* Helper: Return the hash for the hashtable of the given entry. For this
1168 * table, it is a combination of address, port and identity digest. */
1169 static unsigned int
1171 {
1174 /* Largest size is IPv6 and IPv4 is smaller so it is fine. */
1177 /* Get the right address bytes depending on the family. */
1190 }
1200 }
1209 /* Initialize a given connect failure entry with the given identity_digest,
1210 * addr and port. All field are optional except ocf. */
1211 static void
1214 {
1219 }
1222 }
1224 }
1226 /* Return a newly allocated connection failure entry. It is initialized with
1227 * the given or_conn data. This can't fail. */
1230 {
1235 }
1237 /* Return a connection failure entry matching the given or_conn. NULL is
1238 * returned if not found. */
1241 {
1242 or_connect_failure_entry_t lookup;
1247 }
1249 /* Note down in the connection failure cache that a failure occurred on the
1250 * given or_conn. */
1251 STATIC void
1253 {
1262 }
1264 }
1266 /* Cleanup the connection failure cache and remove all entries below the
1267 * given cutoff. */
1268 static void
1270 {
1281 }
1282 }
1283 }
1285 /* Return true iff the given OR connection can connect to its destination that
1286 * is the triplet identity_digest, address and port.
1287 *
1288 * The or_conn MUST have gone through connection_or_check_canonicity() so the
1289 * base address is properly set to what we know or doesn't know. */
1290 STATIC int
1292 {
1302 /* Opportunistically try to cleanup the failure cache. We do that at regular
1303 * interval so it doesn't grow too big. */
1306 or_connect_failure_map_next_cleanup_ts =
1308 }
1310 /* Look if we have failed previously to the same destination as this
1311 * OR connection. */
1315 }
1316 /* If we do have an unable to connect timestamp and it is below cutoff, we
1317 * can connect. Or we have never failed before so let it connect. */
1320 }
1322 /* Ok we can connect! */
1324 no_connect:
1326 }
1328 /** <b>conn</b> is in the 'connecting' state, and it failed to complete
1329 * a TCP connection. Send notifications appropriately.
1330 *
1331 * <b>reason</b> specifies the or_conn_end_reason for the failure;
1332 * <b>msg</b> specifies the strerror-style error message.
1333 */
1334 void
1337 {
1342 }
1344 /** <b>conn</b> got an error in connection_handle_read_impl() or
1345 * connection_handle_write_impl() and is going to die soon.
1346 *
1347 * <b>reason</b> specifies the or_conn_end_reason for the failure;
1348 * <b>msg</b> specifies the strerror-style error message.
1349 */
1350 void
1353 {
1358 /* If we're connecting, call connect_failed() too */
1362 /* Tell the controlling channel if we have one */
1365 /* Don't transition if we're already in closing, closed or error */
1368 }
1369 }
1371 /* No need to mark for error because connection.c is about to do that */
1372 }
1374 /** Launch a new OR connection to <b>addr</b>:<b>port</b> and expect to
1375 * handshake with an OR with identity digest <b>id_digest</b>. Optionally,
1376 * pass in a pointer to a channel using this connection.
1377 *
1378 * If <b>id_digest</b> is me, do nothing. If we're already connected to it,
1379 * return that connection. If the connect() is in progress, set the
1380 * new conn's state to 'connecting' and return it. If connect() succeeds,
1381 * call connection_tls_start_handshake() on it.
1382 *
1383 * This function is called from router_retry_connections(), for
1384 * ORs connecting to ORs, and circuit_establish_circuit(), for
1385 * OPs connecting to ORs.
1386 *
1387 * Return the launched conn, or NULL if it failed.
1388 */
1395 {
1399 tor_addr_t addr;
1402 tor_addr_t proxy_addr;
1413 }
1418 }
1422 /*
1423 * Set up conn so it's got all the data we need to remember for channels
1424 *
1425 * This stuff needs to happen before connection_or_init_conn_from_address()
1426 * so connection_or_set_identity_digest() and such know where to look to
1427 * keep the channel up to date.
1428 */
1433 /* We have a proper OR connection setup, now check if we can connect to it
1434 * that is we haven't had a failure earlier. This is to avoid to try to
1435 * constantly connect to relays that we think are not reachable. */
1443 }
1450 /* If we are using a proxy server, find it and use it. */
1458 }
1460 /* get_proxy_addrport() might fail if we have a Bridge line that
1461 references a transport, but no ClientTransportPlugin lines
1462 defining its transport proxy. If this is the case, let's try to
1463 output a useful log message to the user. */
1470 "using pluggable transport '%s', but we can't find a pluggable "
1471 "transport proxy supporting '%s'. This can happen if you "
1472 "haven't provided a ClientTransportPlugin line, or if "
1479 END_OR_CONN_REASON_PT_MISSING,
1480 conn);
1486 }
1490 }
1495 /* We failed to establish a connection probably because of a local
1496 * error. No need to blame the guard in this case. Notify the networking
1497 * system of this failure. */
1505 /* writable indicates finish, readable indicates broken link,
1506 error indicates broken link on windows */
1508 /* case 1: fall through */
1509 }
1512 /* already marked for close */
1514 }
1516 }
1518 /** Mark orconn for close and transition the associated channel, if any, to
1519 * the closing state.
1520 *
1521 * It's safe to call this and connection_or_close_for_error() any time, and
1522 * channel layer will treat it as a connection closing for reasons outside
1523 * its control, like the remote end closing it. It can also be a local
1524 * reason that's specific to connection_t/or_connection_t rather than
1525 * the channel mechanism, such as expiration of old connections in
1526 * run_connection_housekeeping(). If you want to close a channel_t
1527 * from somewhere that logically works in terms of generic channels
1528 * rather than connections, use channel_mark_for_close(); see also
1529 * the comment on that function in channel.c.
1530 */
1532 void
1534 {
1542 /* Don't transition if we're already in closing, closed or error */
1545 }
1546 }
1547 }
1549 /** Mark orconn for close and transition the associated channel, if any, to
1550 * the error state.
1551 */
1555 {
1563 /* Don't transition if we're already in closing, closed or error */
1566 }
1567 }
1568 }
1570 /** Begin the tls handshake with <b>conn</b>. <b>receiving</b> is 0 if
1571 * we initiated the connection, else it's 1.
1572 *
1573 * Assign a new tls object to conn->tls, begin reading on <b>conn</b>, and
1574 * pass <b>conn</b> to connection_tls_continue_handshake().
1575 *
1576 * Return -1 if <b>conn</b> is broken, else return 0.
1577 */
1580 {
1584 /* Incoming connections will need a new channel passed to the
1585 * channel_tls_listener */
1587 /* It shouldn't already be set */
1593 }
1596 }
1604 }
1616 }
1618 /** Block all future attempts to renegotiate on 'conn' */
1619 void
1621 {
1627 }
1629 /** Invoked on the server side from inside tor_tls_read() when the server
1630 * gets a successful TLS renegotiation from the client. */
1631 static void
1633 {
1637 /* Don't invoke this again. */
1641 /* XXXX_TLS double-check that it's ok to do this from inside read. */
1642 /* XXXX_TLS double-check that this verifies certificates. */
1644 }
1645 }
1647 /** Move forward with the tls handshake. If it finishes, hand
1648 * <b>conn</b> to connection_tls_finish_handshake().
1649 *
1650 * Return -1 if <b>conn</b> is broken, else return 0.
1651 */
1652 int
1654 {
1659 // log_notice(LD_OR, "Continue handshake with %p", conn->tls);
1661 // log_notice(LD_OR, "Result: %d", result);
1664 CASE_TOR_TLS_ERROR_ANY:
1674 /* v2/v3 handshake, but we are not a client. */
1678 connection_or_tls_renegotiated_cb,
1679 conn);
1681 OR_CONN_STATE_TLS_SERVER_RENEGOTIATING);
1685 }
1686 }
1699 }
1701 }
1703 /** Return 1 if we initiated this connection, or 0 if it started
1704 * out as an incoming connection.
1705 */
1706 int
1708 {
1716 }
1718 /** <b>Conn</b> just completed its handshake. Return 0 if all is well, and
1719 * return -1 if they are lying, broken, or otherwise something is wrong.
1720 *
1721 * If we initiated this connection (<b>started_here</b> is true), make sure
1722 * the other side sent a correctly formed certificate. If I initiated the
1723 * connection, make sure it's the right relay by checking the certificate.
1724 *
1725 * Otherwise (if we _didn't_ initiate this connection), it's okay for
1726 * the certificate to be weird or absent.
1727 *
1728 * If we return 0, and the certificate is as expected, write a hash of the
1729 * identity key into <b>digest_rcvd_out</b>, which must have DIGEST_LEN
1730 * space in it.
1731 * If the certificate is invalid or missing on an incoming connection,
1732 * we return 0 and set <b>digest_rcvd_out</b> to DIGEST_LEN NUL bytes.
1733 * (If we return -1, the contents of this buffer are undefined.)
1734 *
1735 * As side effects,
1736 * 1) Set conn->circ_id_type according to tor-spec.txt.
1737 * 2) If we're an authdirserver and we initiated the connection: drop all
1738 * descriptors that claim to be on that IP/port but that aren't
1739 * this relay; and note that this relay is reachable.
1740 * 3) If this is a bridge and we didn't configure its identity
1741 * fingerprint, remember the keyid we just learned.
1742 */
1743 static int
1747 {
1767 }
1783 "The certificate seems to be valid on %s connection "
1785 }
1787 }
1793 }
1796 }
1804 /* A TLS handshake can't teach us an Ed25519 ID, so we set it to NULL
1805 * here. */
1810 NULL);
1811 }
1814 }
1816 /** Called when we (as a connection initiator) have definitively,
1817 * authenticatedly, learned that ID of the Tor instance on the other
1818 * side of <b>conn</b> is <b>rsa_peer_id</b> and optionally <b>ed_peer_id</b>.
1819 * For v1 and v2 handshakes,
1820 * this is right after we get a certificate chain in a TLS handshake
1821 * or renegotiation. For v3+ handshakes, this is right after we get a
1822 * certificate chain in a CERTS cell.
1823 *
1824 * If we did not know the ID before, record the one we got.
1825 *
1826 * If we wanted an ID, but we didn't get the one we expected, log a message
1827 * and return -1.
1828 * On relays:
1829 * - log a protocol warning whenever the fingerprints don't match;
1830 * On clients:
1831 * - if a relay's fingerprint doesn't match, log a warning;
1832 * - if we don't have updated relay fingerprints from a recent consensus, and
1833 * a fallback directory mirror's hard-coded fingerprint has changed, log an
1834 * info explaining that we will try another fallback.
1835 *
1836 * If we're testing reachability, remember what we learned.
1837 *
1838 * Return 0 on success, -1 on failure.
1839 */
1840 int
1844 {
1857 conn,
1875 /* if it's a bridge and we didn't know its identity fingerprint, now
1876 * we do -- remember it for future attempts. */
1880 }
1884 /* It only counts as an ed25519 mismatch if we wanted an ed25519 identity
1885 * and didn't get it. It's okay if we get one that we didn't ask for. */
1887 expected_ed_key &&
1892 /* I was aiming for a particular digest. I didn't get it! */
1900 DIGEST_LEN);
1905 }
1910 }
1925 /* We need to do the checks in this order, because the list of
1926 * fallbacks includes the list of authorities */
1930 /* we expect a small number of fallbacks to change from their
1931 * hard-coded fingerprints over the life of a release */
1935 /* it's a bridge, it's either a misconfiguration, or unexpected */
1937 }
1939 /* a relay has changed its fingerprint from the one in the consensus */
1941 }
1942 }
1945 "Tried connecting to router at %s:%d, but RSA identity key was not "
1950 /* Tell the new guard API about the channel failure */
1953 END_OR_CONN_REASON_OR_IDENTITY);
1957 END_OR_CONN_REASON_OR_IDENTITY,
1958 conn);
1960 }
1968 }
1971 /* If we learned an identity for this connection, then we might have
1972 * just discovered it to be canonical. */
1974 }
1979 }
1982 }
1984 /** Return when we last used this channel for client activity (origin
1985 * circuits). This is called from connection.c, since client_used is now one
1986 * of the timestamps in channel_t */
1988 time_t
1990 {
1996 }
1998 /** The v1/v2 TLS handshake is finished.
1999 *
2000 * Make sure we are happy with the peer we just handshaked with.
2001 *
2002 * If they initiated the connection, make sure they're not already connected,
2003 * then initialize conn from the information in router.
2004 *
2005 * If all is successful, call circuit_n_conn_done() to handle events
2006 * that have been pending on the <tls handshake completion. Also set the
2007 * directory to be dirty (only matters if I'm an authdirserver).
2008 *
2009 * If this is a v2 TLS handshake, send a versions cell.
2010 */
2011 static int
2013 {
2022 conn,
2048 }
2049 }
2051 /**
2052 * Called as client when initial TLS handshake is done, and we notice
2053 * that we got a v3-handshake signalling certificate from the server.
2054 * Set up structures, do bookkeeping, and send the versions cell.
2055 * Return 0 on success and -1 on failure.
2056 */
2057 static int
2059 {
2069 }
2071 /** Allocate a new connection handshake state for the connection
2072 * <b>conn</b>. Return 0 on success, -1 on failure. */
2073 int
2075 {
2080 }
2087 }
2091 }
2093 /** Free all storage held by <b>state</b>. */
2094 void
2096 {
2105 }
2107 /**
2108 * Remember that <b>cell</b> has been transmitted (if <b>incoming</b> is
2109 * false) or received (if <b>incoming</b> is true) during a V3 handshake using
2110 * <b>state</b>.
2111 *
2112 * (We don't record the cell, but we keep a digest of everything sent or
2113 * received during the v3 handshake, and the client signs it in an
2114 * authenticate cell.)
2115 */
2116 void
2121 {
2124 packed_cell_t packed;
2131 }
2134 "while making a handshake digest. But we think we are sending "
2136 }
2142 /* Re-packing like this is a little inefficient, but we don't have to do
2143 this very often at all. */
2147 }
2149 /** Remember that a variable-length <b>cell</b> has been transmitted (if
2150 * <b>incoming</b> is false) or received (if <b>incoming</b> is true) during a
2151 * V3 handshake using <b>state</b>.
2152 *
2153 * (We don't record the cell, but we keep a digest of everything sent or
2154 * received during the v3 handshake, and the client signs it in an
2155 * authenticate cell.)
2156 */
2157 void
2162 {
2172 }
2184 }
2186 /** Set <b>conn</b>'s state to OR_CONN_STATE_OPEN, and tell other subsystems
2187 * as appropriate. Called when we are done with all TLS and OR handshaking.
2188 */
2189 int
2191 {
2195 /* Link protocol 3 appeared in Tor 0.2.3.6-alpha, so any connection
2196 * that uses an earlier link protocol should not be treated as a relay. */
2199 }
2206 }
2208 /** Pack <b>cell</b> into wire-format, and write it onto <b>conn</b>'s outbuf.
2209 * For cells that use or affect a circuit, this should only be called by
2210 * connection_or_flush_from_first_active_circuit().
2211 */
2212 void
2214 {
2215 packed_cell_t networkcell;
2229 /* Touch the channel's active timestamp if there is one */
2237 }
2238 }
2242 }
2244 /** Pack a variable-length <b>cell</b> into wire-format, and write it onto
2245 * <b>conn</b>'s outbuf. Right now, this <em>DOES NOT</em> support cells that
2246 * affect a circuit.
2247 */
2251 {
2263 /* Touch the channel's active timestamp if there is one */
2266 }
2268 /** See whether there's a variable-length cell waiting on <b>or_conn</b>'s
2269 * inbuf. Return values as for fetch_var_cell_from_buf(). */
2270 static int
2272 {
2275 }
2277 /** Process cells from <b>conn</b>'s inbuf.
2278 *
2279 * Loop: while inbuf contains a cell, pull it off the inbuf, unpack it,
2280 * and hand it to command_process_cell().
2281 *
2282 * Always return 0.
2283 */
2284 static int
2286 {
2289 /*
2290 * Note on memory management for incoming cells: below the channel layer,
2291 * we shouldn't need to consider its internal queueing/copying logic. It
2292 * is safe to pass cells to it on the stack or on the heap, but in the
2293 * latter case we must be sure we free them later.
2294 *
2295 * The incoming cell queue code in channel.c will (in the common case)
2296 * decide it can pass them to the upper layer immediately, in which case
2297 * those functions may run directly on the cell pointers we pass here, or
2298 * it may decide to queue them, in which case it will allocate its own
2299 * buffer and copy the cell.
2300 */
2304 TOR_SOCKET_T_FORMAT": starting, inbuf_datalen %d "
2312 /* Touch the channel's active timestamp if there is one */
2323 cell_t cell;
2328 /* Touch the channel's active timestamp if there is one */
2335 /* retrieve cell info from buf (create the host-order struct from the
2336 * network-order string) */
2340 }
2341 }
2342 }
2344 /** Array of recognized link protocol versions. */
2346 /** Number of versions in <b>or_protocol_versions</b>. */
2350 /** Return true iff <b>v</b> is a link protocol version that this Tor
2351 * implementation believes it can support. */
2352 int
2354 {
2359 }
2361 }
2363 /** Send a VERSIONS cell on <b>conn</b>, telling the other host about the
2364 * link protocol versions that this Tor can support.
2365 *
2366 * If <b>v3_plus</b>, this is part of a V3 protocol handshake, so only
2367 * allow protocol version v3 or later. If not <b>v3_plus</b>, this is
2368 * not part of a v3 protocol handshake, so don't allow protocol v3 or
2369 * later.
2370 **/
2371 int
2373 {
2389 }
2397 }
2399 /** Send a NETINFO cell on <b>conn</b>, telling the other server what we know
2400 * about their address, our address, and the current time. */
2403 {
2404 cell_t cell;
2416 }
2421 /* Timestamp, if we're a relay. */
2425 /* Their address. */
2427 /* We use &conn->real_addr below, unless it hasn't yet been set. If it
2428 * hasn't yet been set, we know that base_.addr hasn't been tampered with
2429 * yet either. */
2436 /* My address -- only include it if I'm a public relay, or if I'm a
2437 * bridge and this is an incoming connection. If I'm a bridge and this
2438 * is an outgoing connection, act like a normal client and omit it. */
2441 tor_addr_t my_addr;
2454 }
2457 }
2464 }
2466 /** Helper used to add an encoded certs to a cert cell */
2467 static void
2472 {
2481 }
2483 /** Add an encoded X509 cert (stored as <b>cert_len</b> bytes at
2484 * <b>cert_encoded</b>) to the trunnel certs_cell_t object that we are
2485 * building in <b>certs_cell</b>. Set its type field to <b>cert_type</b>.
2486 * (If <b>cert</b> is NULL, take no action.) */
2487 static void
2491 {
2500 }
2502 /** Add an Ed25519 cert from <b>cert</b> to the trunnel certs_cell_t object
2503 * that we are building in <b>certs_cell</b>. Set its type field to
2504 * <b>cert_type</b>. (If <b>cert</b> is NULL, take no action.) */
2505 static void
2509 {
2515 }
2517 #ifdef TOR_UNIT_TESTS
2519 #else
2520 #define certs_cell_ed25519_disabled_for_testing 0
2521 #endif
2523 /** Send a CERTS cell on the connection <b>conn</b>. Return 0 on success, -1
2524 * on failure. */
2525 int
2527 {
2541 /* Get the encoded values of the X509 certificates */
2548 }
2553 /* Start adding certs. First the link cert or auth1024 cert. */
2562 }
2564 /* Next the RSA->RSA ID cert */
2568 /* Next the Ed25519 certs */
2570 CERTTYPE_ED_ID_SIGN,
2574 certs_cell_ed25519_disabled_for_testing);
2576 CERTTYPE_ED_SIGN_LINK,
2580 CERTTYPE_ED_SIGN_AUTH,
2582 }
2584 /* And finally the crosscert. */
2585 {
2591 CERTTYPE_RSA1024_ID_EDID,
2593 }
2594 }
2596 /* We've added all the certs; make the cell. */
2613 }
2615 /** Return true iff <b>challenge_type</b> is an AUTHCHALLENGE type that
2616 * we can send and receive. */
2617 int
2619 {
2627 }
2628 }
2630 /** Return true iff <b>challenge_type_a</b> is one that we would rather
2631 * use than <b>challenge_type_b</b>. */
2632 int
2635 {
2636 /* Any supported type is better than an unsupported one;
2637 * all unsupported types are equally bad. */
2642 /* It happens that types are superior in numerically ascending order.
2643 * If that ever changes, this must change too. */
2645 }
2647 /** Send an AUTH_CHALLENGE cell on the connection <b>conn</b>. Return 0
2648 * on success, -1 on failure. */
2649 int
2651 {
2665 /* Disabled, because everything that supports this method also supports
2666 * the much-superior ED25519_SHA256_RFC5705 */
2667 /* auth_challenge_cell_add_methods(ac, AUTHTYPE_RSA_SHA256_RFC5705); */
2674 ac);
2676 /* LCOV_EXCL_START */
2679 /* LCOV_EXCL_STOP */
2680 }
2686 done:
2691 }
2693 /** Compute the main body of an AUTHENTICATE cell that a client can use
2694 * to authenticate itself on a v3 handshake for <b>conn</b>. Return it
2695 * in a var_cell_t.
2696 *
2697 * If <b>server</b> is true, only calculate the first
2698 * V3_AUTH_FIXED_PART_LEN bytes -- the part of the authenticator that's
2699 * determined by the rest of the handshake, and which match the provided value
2700 * exactly.
2701 *
2702 * If <b>server</b> is false and <b>signing_key</b> is NULL, calculate the
2703 * first V3_AUTH_BODY_LEN bytes of the authenticator (that is, everything
2704 * that should be signed), but don't actually sign it.
2705 *
2706 * If <b>server</b> is false and <b>signing_key</b> is provided, calculate the
2707 * entire authenticator, signed with <b>signing_key</b>.
2708 *
2709 * Return the length of the cell body on success, and -1 on failure.
2710 */
2711 var_cell_t *
2717 {
2726 /* assert state is reasonable XXXX */
2742 }
2747 /* Type: 8 bytes. */
2750 {
2757 their_digests =
2767 /* Client ID digest: 32 octets. */
2770 /* Server ID digest: 32 octets. */
2772 }
2779 }
2788 }
2790 {
2798 }
2800 /* Server log digest : 32 octets */
2803 /* Client log digest : 32 octets */
2805 }
2807 {
2808 /* Digest of cert used on TLS link : 32 octets. */
2814 }
2817 authtype_str);
2819 }
2825 }
2827 /* HMAC of clientrandom and serverrandom using master key : 32 octets */
2836 label);
2837 }
2839 /* 8 octets were reserved for the current time, but we're trying to get out
2840 * of the habit of sending time around willynilly. Fortunately, nothing
2841 * checks it. That's followed by 16 bytes of nonce. */
2849 }
2855 ssize_t len;
2861 /* LCOV_EXCL_START */
2864 /* LCOV_EXCL_STOP */
2865 }
2871 /* LCOV_EXCL_START */
2875 /* LCOV_EXCL_STOP */
2876 }
2881 /* LCOV_EXCL_START */
2884 /* LCOV_EXCL_STOP */
2885 }
2887 }
2890 ed25519_signature_t sig;
2892 /* LCOV_EXCL_START */
2895 /* LCOV_EXCL_STOP */
2896 }
2912 }
2915 }
2919 /* LCOV_EXCL_START */
2922 /* LCOV_EXCL_STOP */
2923 }
2930 err:
2933 done:
2937 }
2939 /** Send an AUTHENTICATE cell on the connection <b>conn</b>. Return 0 on
2940 * success, -1 on failure */
2943 {
2946 /* XXXX make sure we're actually supposed to send this! */
2951 }
2956 }
2959 authtype,
2960 pk,
2964 /* LCOV_EXCL_START */
2967 /* LCOV_EXCL_STOP */
2968 }
2973 }