| blob | f67f4768b325dc83ca3b957b67b0b84be7483225 |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2008, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 /* $Id$ */
10 /**
11 * \file connection_or.c
12 * \brief Functions to handle OR connections, TLS handshaking, and
13 * cells on the network.
14 **/
27 /**************************************************************/
29 /** Map from identity digest of connected OR or desired OR to a connection_t
30 * with that identity digest. If there is more than one such connection_t,
31 * they form a linked list, with next_with_same_id as the next pointer. */
34 /** If conn is listed in orconn_identity_map, remove it, and clear
35 * conn->identity_digest. Otherwise do nothing. */
36 void
38 {
49 }
51 }
56 else
63 }
65 }
66 }
69 }
71 /** Remove all entries from the identity-to-orconn map, and clear
72 * all identities in OR conns.*/
73 void
75 {
78 {
83 }
84 });
89 }
90 }
92 /** Change conn->identity_digest to digest, and add conn into
93 * orconn_digest_map. */
94 static void
96 {
106 /* If the identity was set previously, remove the old mapping. */
112 /* If we're setting the ID to zero, don't add a mapping. */
119 #if 1
120 /* Testing code to check for bugs in representation. */
124 }
125 #endif
126 }
128 /** Pack the cell_t host-order structure <b>src</b> into network-order
129 * in the buffer <b>dest</b>. See tor-spec.txt for details about the
130 * wire format.
131 *
132 * Note that this function doesn't touch <b>dst</b>-\>next: the caller
133 * should set it or clear it as appropriate.
134 */
135 void
137 {
142 }
144 /** Unpack the network-order buffer <b>src</b> into a host-order
145 * cell_t structure <b>dest</b>.
146 */
147 static void
149 {
153 }
155 /** Write the header of <b>cell</b> into the first VAR_CELL_HEADER_SIZE
156 * bytes of <b>hdr_out</b>. */
157 void
159 {
163 }
165 /** Allocate and return a new var_cell_t with <b>payload_len</b> bytes of
166 * payload space. */
167 var_cell_t *
169 {
175 }
177 /** Release all space held by <b>cell</b>. */
178 void
180 {
182 }
184 /** We've received an EOF from <b>conn</b>. Mark it for close and return. */
185 int
187 {
191 }
193 /** Read conn's inbuf. If the http response from the proxy is all
194 * here, make sure it's good news, and begin the tls handshake. If
195 * it's bad news, close the connection and return -1. Else return 0
196 * and hope for better luck next time.
197 */
198 static int
200 {
217 /* case 1, fall through */
218 }
227 }
236 /* TLS handshaking error of some kind. */
240 }
242 }
243 /* else, bad news on the status code */
245 "The https proxy sent back an unexpected status code %d (%s). "
251 }
253 /** Handle any new bytes that have come in on connection <b>conn</b>.
254 * If conn is in 'open' state, hand it to
255 * connection_or_process_cells_from_inbuf()
256 * (else do nothing).
257 */
258 int
260 {
271 }
272 }
274 /** When adding cells to an OR connection's outbuf, keep adding until the
275 * outbuf is at least this long, or we run out of cells. */
276 #define OR_CONN_HIGHWATER (32*1024)
278 /** Add cells to an OR connection's outbuf whenever the outbuf's data length
279 * drops below this size. */
280 #define OR_CONN_LOWWATER (16*1024)
282 /** Called whenever we have flushed some data on an or_conn: add more data
283 * from active circuits. */
284 int
286 {
289 /* If we're under the low water mark, add cells until we're just over the
290 * high water mark. */
298 }
299 }
301 }
303 /** Connection <b>conn</b> has finished writing and has no bytes left on
304 * its outbuf.
305 *
306 * Otherwise it's in state "open": stop writing and return.
307 *
308 * If <b>conn</b> is broken, mark it for close and return -1, else
309 * return 0.
310 */
311 int
313 {
331 }
333 }
335 /** Connected handler for OR connections: begin the TLS handshake.
336 */
337 int
339 {
358 }
368 }
372 }
375 /* TLS handshaking error of some kind. */
378 }
380 }
382 /** If we don't necessarily know the router we're connecting to, but we
383 * have an addr/port/id_digest, then fill in as much as we can. Start
384 * by checking to see if this describes a router we know. */
385 static void
390 {
401 /* XXXX021 proposal 118 will make this more complex. */
405 /* Override the addr/port, so our log messages will make sense.
406 * This is dangerous, since if we ever try looking up a conn by
407 * its actual addr/port, we won't remember. Careful! */
408 /* XXXX021 arma: this is stupid, and it's the reason we need real_addr
409 * to track is_canonical properly. What requires it? */
410 /* XXXX <arma> i believe the reason we did this, originally, is because
411 * we wanted to log what OR a connection was to, and if we logged the
412 * right IP address and port 56244, that wouldn't be as helpful. now we
413 * log the "right" port too, so we know if it's moria1 or moria2.
414 */
417 }
423 /* If we're an authoritative directory server, we may know a
424 * nickname for this router. */
433 }
436 }
437 }
439 /** Return the best connection of type OR with the
440 * digest <b>digest</b> that we have, or NULL if we have none.
441 *
442 * 1) Don't return it if it's marked for close.
443 * 2) If there are any open conns, ignore non-open conns.
444 * 3) If there are any non-obsolete conns, ignore obsolete conns.
445 * 4) Then if there are any non-empty conns, ignore empty conns.
446 * 5) Of the remaining conns, prefer newer conns.
447 */
448 or_connection_t *
450 {
468 }
481 /* We prefer non-obsolete connections: */
483 /* If both have circuits we prefer the newer: */
485 /* If neither has circuits we prefer the newer: */
487 /* We prefer connections with circuits: */
490 };
491 }
493 }
495 /** Launch a new OR connection to <b>addr</b>:<b>port</b> and expect to
496 * handshake with an OR with identity digest <b>id_digest</b>.
497 *
498 * If <b>id_digest</b> is me, do nothing. If we're already connected to it,
499 * return that connection. If the connect() is in progress, set the
500 * new conn's state to 'connecting' and return it. If connect() succeeds,
501 * call connection_tls_start_handshake() on it.
502 *
503 * This function is called from router_retry_connections(), for
504 * ORs connecting to ORs, and circuit_establish_circuit(), for
505 * OPs connecting to ORs.
506 *
507 * Return the launched conn, or NULL if it failed.
508 */
509 or_connection_t *
512 {
516 tor_addr_t addr;
525 }
529 /* set up conn so it's got all the data we need to remember */
535 /* we shouldn't connect directly. use the https proxy instead. */
538 }
543 /* If the connection failed immediately, and we're using
544 * an https proxy, our https proxy is down. Don't blame the
545 * Tor server. */
550 }
560 /* writable indicates finish, readable indicates broken link,
561 error indicates broken link on windows */
563 /* case 1: fall through */
564 }
567 /* already marked for close */
569 }
571 }
573 /** Begin the tls handshake with <b>conn</b>. <b>receiving</b> is 0 if
574 * we initiated the connection, else it's 1.
575 *
576 * Assign a new tls object to conn->tls, begin reading on <b>conn</b>, and
577 * pass <b>conn</b> to connection_tls_continue_handshake().
578 *
579 * Return -1 if <b>conn</b> is broken, else return 0.
580 */
581 int
583 {
590 }
597 }
599 }
601 /** Invoked on the server side from inside tor_tls_read() when the server
602 * gets a successful TLS renegotiation from the client. */
603 static void
605 {
609 /* Don't invoke this again. */
613 /* XXXX_TLS double-check that it's ok to do this from inside read. */
614 /* XXXX_TLS double-check that this verifies certificates. */
616 }
617 }
619 /** Move forward with the tls handshake. If it finishes, hand
620 * <b>conn</b> to connection_tls_finish_handshake().
621 *
622 * Return -1 if <b>conn</b> is broken, else return 0.
623 */
624 int
626 {
629 again:
631 // log_notice(LD_OR, "Renegotiate with %p", conn->tls);
633 // log_notice(LD_OR, "Result: %d", result);
636 // log_notice(LD_OR, "Continue handshake with %p", conn->tls);
638 // log_notice(LD_OR, "Result: %d", result);
639 }
641 CASE_TOR_TLS_ERROR_ANY:
649 // log_notice(LD_OR,"Done. state was TLS_HANDSHAKING.");
652 }
653 // log_notice(LD_OR,"Done. state was %d.", conn->_base.state);
655 /* improved handshake, but not a client. */
657 connection_or_tls_renegotiated_cb,
658 conn);
663 }
664 }
676 }
678 }
680 /** Return 1 if we initiated this connection, or 0 if it started
681 * out as an incoming connection.
682 */
683 int
685 {
692 }
694 /** <b>Conn</b> just completed its handshake. Return 0 if all is well, and
695 * return -1 if he is lying, broken, or otherwise something is wrong.
696 *
697 * If we initiated this connection (<b>started_here</b> is true), make sure
698 * the other side sent sent a correctly formed certificate. If I initiated the
699 * connection, make sure it's the right guy.
700 *
701 * Otherwise (if we _didn't_ initiate this connection), it's okay for
702 * the certificate to be weird or absent.
703 *
704 * If we return 0, and the certificate is as expected, write a hash of the
705 * identity key into digest_rcvd, which must have DIGEST_LEN space in it. (If
706 * we return -1 this buffer is undefined.) If the certificate is invalid
707 * or missing on an incoming connection, we return 0 and set digest_rcvd to
708 * DIGEST_LEN 0 bytes.
709 *
710 * As side effects,
711 * 1) Set conn->circ_id_type according to tor-spec.txt.
712 * 2) If we're an authdirserver and we initiated the connection: drop all
713 * descriptors that claim to be on that IP/port but that aren't
714 * this guy; and note that this guy is reachable.
715 */
716 static int
720 {
739 }
756 }
758 }
767 }
772 }
784 }
791 /* I was aiming for a particular digest. I didn't get it! */
796 DIGEST_LEN);
798 "Tried connecting to router at %s:%d, but identity key was not "
804 END_OR_CONN_REASON_OR_IDENTITY);
808 }
810 /* We initiated this connection to address:port. Drop all routers
811 * with the same address:port and a different key.
812 */
815 }
818 }
820 }
822 /** The tls handshake is finished.
823 *
824 * Make sure we are happy with the person we just handshaked with.
825 *
826 * If he initiated the connection, make sure he's not already connected,
827 * then initialize conn from the information in router.
828 *
829 * If all is successful, call circuit_n_conn_done() to handle events
830 * that have been pending on the <tls handshake completion. Also set the
831 * directory to be dirty (only matters if I'm an authdirserver).
832 */
833 static int
835 {
853 }
862 }
864 }
865 }
867 /** Allocate a new connection handshake state for the connection
868 * <b>conn</b>. Return 0 on success, -1 on failure. */
869 static int
871 {
876 }
878 /** Free all storage held by <b>state</b>. */
879 void
881 {
885 }
887 /** Set <b>conn</b>'s state to OR_CONN_STATE_OPEN, and tell other subsystems
888 * as appropriate. Called when we are done with all TLS and OR handshaking.
889 */
890 int
892 {
902 /* Close any circuits pending on this conn. We leave it in state
903 * 'open' though, because it didn't actually *fail* -- we just
904 * chose not to use it. (Otherwise
905 * connection_about_to_close_connection() will call a big pile of
906 * functions to indicate we shouldn't try it again.) */
911 }
914 /* only report it to the geoip module if it's not a known router */
917 /*XXXX021 IP6 support ipv6 geoip.*/
920 }
921 }
922 }
926 }
931 }
933 /** Pack <b>cell</b> into wire-format, and write it onto <b>conn</b>'s outbuf.
934 * For cells that use or affect a circuit, this should only be called by
935 * connection_or_flush_from_first_active_circuit().
936 */
937 void
939 {
940 packed_cell_t networkcell;
951 }
953 /** Pack a variable-length <b>cell</b> into wire-format, and write it onto
954 * <b>conn</b>'s outbuf. Right now, this <em>DOES NOT</em> support cells that
955 * affect a circuit.
956 */
957 void
960 {
969 }
971 /** See whether there's a variable-length cell waiting on <b>conn</b>'s
972 * inbuf. Return values as for fetch_var_cell_from_buf(). */
973 static int
975 {
977 }
979 /** Process cells from <b>conn</b>'s inbuf.
980 *
981 * Loop: while inbuf contains a cell, pull it off the inbuf, unpack it,
982 * and hand it to command_process_cell().
983 *
984 * Always return 0.
985 */
986 static int
988 {
1003 cell_t cell;
1005 available? */
1010 /* retrieve cell info from buf (create the host-order struct from the
1011 * network-order string) */
1015 }
1016 }
1017 }
1019 /** Write a destroy cell with circ ID <b>circ_id</b> and reason <b>reason</b>
1020 * onto OR connection <b>conn</b>. Don't perform range-checking on reason:
1021 * we may want to propagate reasons from other cells.
1022 *
1023 * Return 0.
1024 */
1025 int
1027 {
1028 cell_t cell;
1038 /* XXXX It's possible that under some circumstances, we want the destroy
1039 * to take precedence over other data waiting on the circuit's cell queue.
1040 */
1044 }
1046 /** Array of recognized link protocol versions. */
1048 /** Number of versions in <b>or_protocol_versions</b>. */
1052 /** Return true iff <b>v</b> is a link protocol version that this Tor
1053 * implementation believes it can support. */
1054 int
1056 {
1061 }
1063 }
1065 /** Send a VERSIONS cell on <b>conn</b>, telling the other host about the
1066 * link protocol versions that this Tor can support. */
1067 static int
1069 {
1079 }
1086 }
1088 /** Send a NETINFO cell on <b>conn</b>, telling the other server what we know
1089 * about their address, our address, and the current time. */
1090 int
1092 {
1093 cell_t cell;
1102 /* Timestamp. */
1105 /* Their address. */
1112 /* My address. */
1114 tor_addr_t my_addr;
1124 }
1129 }