| blob | fcd281da2605b92f1f854d906160083cc2b3683d |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2017, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 /**
8 * \file connection_or.c
9 * \brief Functions to handle OR connections, TLS handshaking, and
10 * cells on the network.
11 *
12 * An or_connection_t is a subtype of connection_t (as implemented in
13 * connection.c) that uses a TLS connection to send and receive cells on the
14 * Tor network. (By sending and receiving cells connection_or.c, it cooperates
15 * with channeltls.c to implement a the channel interface of channel.c.)
16 *
17 * Every OR connection has an underlying tortls_t object (as implemented in
18 * tortls.c) which it uses as its TLS stream. It is responsible for
19 * sending and receiving cells over that TLS.
20 *
21 * This module also implements the client side of the v3 Tor link handshake,
22 **/
26 /*
27 * Define this so we get channel internal functions, since we're implementing
28 * part of a subclass (channel_tls_t).
29 */
30 #define TOR_CHANNEL_INTERNAL_
69 static unsigned int
73 /*
74 * Call this when changing connection state, so notifications to the owning
75 * channel can be handled.
76 */
83 /**************************************************************/
85 /** Global map between Extended ORPort identifiers and OR
86 * connections. */
89 /** Clear clear conn->identity_digest and update other data
90 * structures as appropriate.*/
91 void
93 {
96 }
98 /** Clear all identities in OR conns.*/
99 void
101 {
104 {
107 }
108 });
109 }
111 /** Change conn->identity_digest to digest, and add conn into
112 * the appropriate digest maps.
113 *
114 * NOTE that this function only allows two kinds of transitions: from
115 * unset identity to set identity, and from idempotent re-settings
116 * of the same identity. It's not allowed to clear an identity or to
117 * change an identity. Return 0 on success, and -1 if the transition
118 * is not allowed.
119 **/
120 static void
124 {
133 conn,
155 /* If the identity was set previously, remove the old mapping. */
160 }
164 /* If we're initializing the IDs to zero, don't add a mapping yet. */
169 /* Deal with channels */
172 }
174 /** Remove the Extended ORPort identifier of <b>conn</b> from the
175 * global identifier list. Also, clear the identifier from the
176 * connection itself. */
177 void
179 {
191 }
193 /** Return the connection whose ext_or_id is <b>id</b>. Return NULL if no such
194 * connection is found. */
195 or_connection_t *
197 {
201 }
203 /** Deallocate the global Extended ORPort identifier list */
204 void
206 {
209 }
211 /** Creates an Extended ORPort identifier for <b>conn</b> and deposits
212 * it into the global list of identifiers. */
213 void
215 {
222 /* Remove any previous identifiers: */
237 }
239 /**************************************************************/
241 /** Map from a string describing what a non-open OR connection was doing when
242 * failed, to an intptr_t describing the count of connections that failed that
243 * way. Note that the count is stored _as_ the pointer.
244 */
247 /** If true, do not record information in <b>broken_connection_counts</b>. */
250 /** Record that an OR connection failed in <b>state</b>. */
251 static void
253 {
264 val++;
267 }
269 /** Forget all recorded states for failed connections. If
270 * <b>stop_recording</b> is true, don't record any more. */
271 void
273 {
279 }
281 /** Write a detailed description the state of <b>orconn</b> into the
282 * <b>buflen</b>-byte buffer at <b>buf</b>. This description includes not
283 * only the OR-conn level state but also the TLS state. It's useful for
284 * diagnosing broken handshakes. */
285 static void
288 {
299 }
301 /** Record the current state of <b>orconn</b> as the state of a broken
302 * connection. */
303 static void
305 {
312 }
314 /** Helper type used to sort connection states and find the most frequent. */
320 /** Helper function used to sort broken_state_count_t by frequency. */
321 static int
323 {
329 else
331 }
333 /** Upper limit on the number of different states to report for connection
334 * failure. */
335 #define MAX_REASONS_TO_REPORT 10
337 /** Report a list of the top states for failed OR connections at log level
338 * <b>severity</b>, in log domain <b>domain</b>. */
339 void
341 {
371 }
373 /** Call this to change or_connection_t states, so the owning channel_tls_t can
374 * be notified.
375 */
377 static void
379 {
390 }
392 /** Return the number of circuits using an or_connection_t; this used to
393 * be an or_connection_t field, but it got moved to channel_t and we
394 * shouldn't maintain two copies. */
398 {
404 }
406 /**************************************************************/
408 /** Pack the cell_t host-order structure <b>src</b> into network-order
409 * in the buffer <b>dest</b>. See tor-spec.txt for details about the
410 * wire format.
411 *
412 * Note that this function doesn't touch <b>dst</b>-\>next: the caller
413 * should set it or clear it as appropriate.
414 */
415 void
417 {
423 /* Clear the last two bytes of dest, in case we can accidentally
424 * send them to the network somehow. */
428 }
431 }
433 /** Unpack the network-order buffer <b>src</b> into a host-order
434 * cell_t structure <b>dest</b>.
435 */
436 static void
438 {
445 }
448 }
450 /** Write the header of <b>cell</b> into the first VAR_CELL_MAX_HEADER_SIZE
451 * bytes of <b>hdr_out</b>. Returns number of bytes used. */
452 int
454 {
464 }
468 }
470 /** Allocate and return a new var_cell_t with <b>payload_len</b> bytes of
471 * payload space. */
472 var_cell_t *
474 {
481 }
483 /**
484 * Copy a var_cell_t
485 */
487 var_cell_t *
489 {
500 }
503 }
505 /** Release all space held by <b>cell</b>. */
506 void
508 {
510 }
512 /** We've received an EOF from <b>conn</b>. Mark it for close and return. */
513 int
515 {
522 }
524 /** Handle any new bytes that have come in on connection <b>conn</b>.
525 * If conn is in 'open' state, hand it to
526 * connection_or_process_cells_from_inbuf()
527 * (else do nothing).
528 */
529 int
531 {
532 /** Don't let the inbuf of a nonopen OR connection grow beyond this many
533 * bytes: it's either a broken client, a non-Tor client, or a DOS
534 * attempt. */
535 #define MAX_OR_INBUF_WHEN_NONOPEN 0
544 /* start TLS after handshake completion, or deal with error */
549 /* Touch the channel's active timestamp if there is one */
552 }
555 }
565 }
567 /* This check was necessary with 0.2.2, when the TLS_SERVER_RENEGOTIATING
568 * check would otherwise just let data accumulate. It serves no purpose
569 * in 0.2.3.
570 *
571 * XXXX Remove this check once we verify that the above paragraph is
572 * 100% true. */
582 }
585 }
587 /** Called whenever we have flushed some data on an or_conn: add more data
588 * from active circuits. */
589 int
591 {
594 /* The channel will want to update its estimated queue size */
597 /* If we're under the low water mark, add cells until we're just over the
598 * high water mark. */
601 /* Let the scheduler know */
603 }
606 }
608 /** This is for channeltls.c to ask how many cells we could accept if
609 * they were available. */
610 ssize_t
612 {
618 /*
619 * If we're under the high water mark, we're potentially
620 * writeable; note this is different from the calculation above
621 * used to trigger when to start writing after we've stopped.
622 */
627 }
630 }
632 /** Connection <b>conn</b> has finished writing and has no bytes left on
633 * its outbuf.
634 *
635 * Otherwise it's in state "open": stop writing and return.
636 *
637 * If <b>conn</b> is broken, mark it for close and return -1, else
638 * return 0.
639 */
640 int
642 {
656 }
658 }
660 /** Connected handler for OR connections: begin the TLS handshake.
661 */
662 int
664 {
677 /* start proxy handshake */
681 }
686 }
689 /* TLS handshaking error of some kind. */
692 }
694 }
696 /** Called when we're about to finally unlink and free an OR connection:
697 * perform necessary accounting and cleanup */
698 void
700 {
704 /* Tell the controlling channel we're closed */
707 /*
708 * NULL this out because the channel might hang around a little
709 * longer before channel_run_cleanup() gets it.
710 */
713 }
715 /* Remember why we're closing this connection. */
717 /* now mark things down as needed */
722 /* Tell the new guard API about the channel failure */
727 reason);
732 }
733 }
735 /* We only set hold_open_until_flushed when we're intentionally
736 * closing a connection. */
744 }
745 }
747 /** Return 1 if identity digest <b>id_digest</b> is known to be a
748 * currently or recently running relay. Otherwise return 0. */
749 int
751 {
756 * it. Probably it was in a recent consensus. "Yes". */
758 }
760 /** Set the per-conn read and write limits for <b>conn</b>. If it's a known
761 * relay, we will rely on the global read and write buckets, so give it
762 * per-conn limits that are big enough they'll never matter. But if it's
763 * not a known relay, first check if we set PerConnBwRate/Burst, then
764 * check if the consensus sets them, else default to 'big enough'.
765 *
766 * If <b>reset</b> is true, set the bucket to be full. Otherwise, just
767 * clip the bucket if it happens to be <em>too</em> full.
768 */
769 static void
772 {
775 /* It's in the consensus, or we have a descriptor for it meaning it
776 * was probably in a recent consensus. It's a recognized relay:
777 * give it full bandwidth. */
781 /* Not a recognized relay. Squeeze it down based on the suggested
782 * bandwidth parameters in the consensus, but allow local config
783 * options to override. */
790 }
797 }
798 /* If the new token bucket is smaller, take out the extra tokens.
799 * (If it's larger, don't -- the buckets can grow to reach the cap.) */
804 }
806 /** Either our set of relays or our per-conn rate limits have changed.
807 * Go through all the OR connections and update their token buckets to make
808 * sure they don't exceed their maximum values. */
809 void
812 {
814 {
817 });
818 }
820 /* Mark <b>or_conn</b> as canonical if <b>is_canonical</b> is set, and
821 * non-canonical otherwise. Adjust idle_timeout accordingly.
822 */
823 void
826 {
829 /* Don't recalculate an existing idle_timeout unless the canonical
830 * status changed. */
832 }
843 }
845 /** If we don't necessarily know the router we're connecting to, but we
846 * have an addr/port/id_digest, then fill in as much as we can. Start
847 * by checking to see if this describes a router we know.
848 * <b>started_here</b> is 1 if we are the initiator of <b>conn</b> and
849 * 0 if it's an incoming connection. */
850 void
856 {
861 started_here);
871 }
873 /** Check whether the identity of <b>conn</b> matches a known node. If it
874 * does, check whether the address of conn matches the expected address, and
875 * update the connection's is_canonical flag, nickname, and address fields as
876 * appropriate. */
877 static void
879 {
890 /* If this node is capable of proving an ed25519 ID,
891 * we can't call this a canonical connection unless both IDs match. */
893 }
896 tor_addr_port_t node_ap;
898 /* XXXX proposal 186 is making this more complex. For now, a conn
899 is canonical when it uses the _preferred_ address. */
903 /* Override the addr/port, so our log messages will make sense.
904 * This is dangerous, since if we ever try looking up a conn by
905 * its actual addr/port, we won't remember. Careful! */
906 /* XXXX arma: this is stupid, and it's the reason we need real_addr
907 * to track is_canonical properly. What requires it? */
908 /* XXXX <arma> i believe the reason we did this, originally, is because
909 * we wanted to log what OR a connection was to, and if we logged the
910 * right IP address and port 56244, that wouldn't be as helpful. now we
911 * log the "right" port too, so we know if it's moria1 or moria2.
912 */
915 }
929 }
931 /*
932 * We have to tell channeltls.c to update the channel marks (local, in
933 * particular), since we may have changed the address.
934 */
938 }
939 }
941 /** These just pass all the is_bad_for_new_circs manipulation on to
942 * channel_t */
944 static unsigned int
946 {
952 }
954 static void
956 {
961 }
963 /** How old do we let a connection to an OR get before deciding it's
964 * too old for new circuits? */
965 #define TIME_BEFORE_OR_CONN_IS_TOO_OLD (60*60*24*7)
967 /** Given a list of all the or_connections with a given
968 * identity, set elements of that list as is_bad_for_new_circs as
969 * appropriate. Helper for connection_or_set_bad_connections().
970 *
971 * Specifically, we set the is_bad_for_new_circs flag on:
972 * - all connections if <b>force</b> is true.
973 * - all connections that are too old.
974 * - all open non-canonical connections for which a canonical connection
975 * exists to the same router.
976 * - all open canonical connections for which a 'better' canonical
977 * connection exists to the same router.
978 * - all open non-canonical connections for which a 'better' non-canonical
979 * connection exists to the same router at the same address.
980 *
981 * See channel_is_better() in channel.c for our idea of what makes one OR
982 * connection better than another.
983 */
984 void
986 {
987 /* XXXX this function should be entirely about channels, not OR
988 * XXXX connections. */
994 /* Pass 1: expire everything that's old, and see what the status of
995 * everything else is. */
1004 "Marking OR conn to %s:%d as too old for new circuits "
1009 }
1019 }
1022 /* Pass 2: We know how about how good the best connection is.
1023 * expire everything that's worse, and find the very best if we can. */
1030 * when the connection finishes. */
1032 /* We have at least one open canonical connection to this router,
1033 * and this one is open but not canonical. Mark it bad. */
1035 "Marking OR conn to %s:%d as unsuitable for new circuits: "
1042 }
1048 }
1054 /* Pass 3: One connection to OR is best. If it's canonical, mark as bad
1055 * every other open connection. If it's non-canonical, mark as bad
1056 * every other open connection to the same address.
1057 *
1058 * XXXX This isn't optimal; if we have connections to an OR at multiple
1059 * addresses, we'd like to pick the best _for each address_, and mark as
1060 * bad every open connection that isn't best for its address. But this
1061 * can only occur in cases where the other OR is old (so we have no
1062 * canonical connection to it), or where all the connections to the OR are
1063 * at noncanonical addresses and we have no good direct connection (which
1064 * means we aren't at risk of attaching circuits to it anyway). As
1065 * 0.1.2.x dies out, the first case will go away, and the second one is
1066 * "mostly harmless", so a fix can wait until somebody is bored.
1067 */
1076 /* This isn't the best conn, _and_ the best conn is better than it */
1079 "Marking OR conn to %s:%d as unsuitable for new circuits: "
1081 "We have a better canonical one "
1090 "Marking OR conn to %s:%d as unsuitable for new circuits: "
1092 "one with the "
1098 }
1099 }
1101 }
1103 /** <b>conn</b> is in the 'connecting' state, and it failed to complete
1104 * a TCP connection. Send notifications appropriately.
1105 *
1106 * <b>reason</b> specifies the or_conn_end_reason for the failure;
1107 * <b>msg</b> specifies the strerror-style error message.
1108 */
1109 void
1112 {
1116 }
1118 /** <b>conn</b> got an error in connection_handle_read_impl() or
1119 * connection_handle_write_impl() and is going to die soon.
1120 *
1121 * <b>reason</b> specifies the or_conn_end_reason for the failure;
1122 * <b>msg</b> specifies the strerror-style error message.
1123 */
1124 void
1127 {
1132 /* If we're connecting, call connect_failed() too */
1136 /* Tell the controlling channel if we have one */
1139 /* Don't transition if we're already in closing, closed or error */
1142 }
1143 }
1145 /* No need to mark for error because connection.c is about to do that */
1146 }
1148 /** Launch a new OR connection to <b>addr</b>:<b>port</b> and expect to
1149 * handshake with an OR with identity digest <b>id_digest</b>. Optionally,
1150 * pass in a pointer to a channel using this connection.
1151 *
1152 * If <b>id_digest</b> is me, do nothing. If we're already connected to it,
1153 * return that connection. If the connect() is in progress, set the
1154 * new conn's state to 'connecting' and return it. If connect() succeeds,
1155 * call connection_tls_start_handshake() on it.
1156 *
1157 * This function is called from router_retry_connections(), for
1158 * ORs connecting to ORs, and circuit_establish_circuit(), for
1159 * OPs connecting to ORs.
1160 *
1161 * Return the launched conn, or NULL if it failed.
1162 */
1169 {
1173 tor_addr_t addr;
1176 tor_addr_t proxy_addr;
1187 }
1192 }
1196 /*
1197 * Set up conn so it's got all the data we need to remember for channels
1198 *
1199 * This stuff needs to happen before connection_or_init_conn_from_address()
1200 * so connection_or_set_identity_digest() and such know where to look to
1201 * keep the channel up to date.
1202 */
1211 /* If we are using a proxy server, find it and use it. */
1219 }
1221 /* get_proxy_addrport() might fail if we have a Bridge line that
1222 references a transport, but no ClientTransportPlugin lines
1223 defining its transport proxy. If this is the case, let's try to
1224 output a useful log message to the user. */
1231 "using pluggable transport '%s', but we can't find a pluggable "
1232 "transport proxy supporting '%s'. This can happen if you "
1233 "haven't provided a ClientTransportPlugin line, or if "
1240 END_OR_CONN_REASON_PT_MISSING,
1241 conn);
1247 }
1251 }
1256 /* We failed to establish a connection probably because of a local
1257 * error. No need to blame the guard in this case. Notify the networking
1258 * system of this failure. */
1266 /* writable indicates finish, readable indicates broken link,
1267 error indicates broken link on windows */
1269 /* case 1: fall through */
1270 }
1273 /* already marked for close */
1275 }
1277 }
1279 /** Mark orconn for close and transition the associated channel, if any, to
1280 * the closing state.
1281 *
1282 * It's safe to call this and connection_or_close_for_error() any time, and
1283 * channel layer will treat it as a connection closing for reasons outside
1284 * its control, like the remote end closing it. It can also be a local
1285 * reason that's specific to connection_t/or_connection_t rather than
1286 * the channel mechanism, such as expiration of old connections in
1287 * run_connection_housekeeping(). If you want to close a channel_t
1288 * from somewhere that logically works in terms of generic channels
1289 * rather than connections, use channel_mark_for_close(); see also
1290 * the comment on that function in channel.c.
1291 */
1293 void
1295 {
1303 /* Don't transition if we're already in closing, closed or error */
1306 }
1307 }
1308 }
1310 /** Mark orconn for close and transition the associated channel, if any, to
1311 * the error state.
1312 */
1316 {
1324 /* Don't transition if we're already in closing, closed or error */
1327 }
1328 }
1329 }
1331 /** Begin the tls handshake with <b>conn</b>. <b>receiving</b> is 0 if
1332 * we initiated the connection, else it's 1.
1333 *
1334 * Assign a new tls object to conn->tls, begin reading on <b>conn</b>, and
1335 * pass <b>conn</b> to connection_tls_continue_handshake().
1336 *
1337 * Return -1 if <b>conn</b> is broken, else return 0.
1338 */
1341 {
1345 /* Incoming connections will need a new channel passed to the
1346 * channel_tls_listener */
1348 /* It shouldn't already be set */
1354 }
1357 }
1365 }
1378 }
1380 /** Block all future attempts to renegotiate on 'conn' */
1381 void
1383 {
1389 }
1391 /** Invoked on the server side from inside tor_tls_read() when the server
1392 * gets a successful TLS renegotiation from the client. */
1393 static void
1395 {
1399 /* Don't invoke this again. */
1403 /* XXXX_TLS double-check that it's ok to do this from inside read. */
1404 /* XXXX_TLS double-check that this verifies certificates. */
1406 }
1407 }
1409 /** Move forward with the tls handshake. If it finishes, hand
1410 * <b>conn</b> to connection_tls_finish_handshake().
1411 *
1412 * Return -1 if <b>conn</b> is broken, else return 0.
1413 */
1414 int
1416 {
1421 // log_notice(LD_OR, "Continue handshake with %p", conn->tls);
1423 // log_notice(LD_OR, "Result: %d", result);
1426 CASE_TOR_TLS_ERROR_ANY:
1436 /* v2/v3 handshake, but we are not a client. */
1440 connection_or_tls_renegotiated_cb,
1441 conn);
1443 OR_CONN_STATE_TLS_SERVER_RENEGOTIATING);
1447 }
1448 }
1461 }
1463 }
1465 /** Return 1 if we initiated this connection, or 0 if it started
1466 * out as an incoming connection.
1467 */
1468 int
1470 {
1478 }
1480 /** <b>Conn</b> just completed its handshake. Return 0 if all is well, and
1481 * return -1 if they are lying, broken, or otherwise something is wrong.
1482 *
1483 * If we initiated this connection (<b>started_here</b> is true), make sure
1484 * the other side sent a correctly formed certificate. If I initiated the
1485 * connection, make sure it's the right relay by checking the certificate.
1486 *
1487 * Otherwise (if we _didn't_ initiate this connection), it's okay for
1488 * the certificate to be weird or absent.
1489 *
1490 * If we return 0, and the certificate is as expected, write a hash of the
1491 * identity key into <b>digest_rcvd_out</b>, which must have DIGEST_LEN
1492 * space in it.
1493 * If the certificate is invalid or missing on an incoming connection,
1494 * we return 0 and set <b>digest_rcvd_out</b> to DIGEST_LEN NUL bytes.
1495 * (If we return -1, the contents of this buffer are undefined.)
1496 *
1497 * As side effects,
1498 * 1) Set conn->circ_id_type according to tor-spec.txt.
1499 * 2) If we're an authdirserver and we initiated the connection: drop all
1500 * descriptors that claim to be on that IP/port but that aren't
1501 * this relay; and note that this relay is reachable.
1502 * 3) If this is a bridge and we didn't configure its identity
1503 * fingerprint, remember the keyid we just learned.
1504 */
1505 static int
1509 {
1529 }
1545 "The certificate seems to be valid on %s connection "
1547 }
1549 }
1554 }
1557 }
1565 /* A TLS handshake can't teach us an Ed25519 ID, so we set it to NULL
1566 * here. */
1571 NULL);
1572 }
1575 }
1577 /** Called when we (as a connection initiator) have definitively,
1578 * authenticatedly, learned that ID of the Tor instance on the other
1579 * side of <b>conn</b> is <b>rsa_peer_id</b> and optionally <b>ed_peer_id</b>.
1580 * For v1 and v2 handshakes,
1581 * this is right after we get a certificate chain in a TLS handshake
1582 * or renegotiation. For v3+ handshakes, this is right after we get a
1583 * certificate chain in a CERTS cell.
1584 *
1585 * If we did not know the ID before, record the one we got.
1586 *
1587 * If we wanted an ID, but we didn't get the one we expected, log a message
1588 * and return -1.
1589 * On relays:
1590 * - log a protocol warning whenever the fingerprints don't match;
1591 * On clients:
1592 * - if a relay's fingerprint doesn't match, log a warning;
1593 * - if we don't have updated relay fingerprints from a recent consensus, and
1594 * a fallback directory mirror's hard-coded fingerprint has changed, log an
1595 * info explaining that we will try another fallback.
1596 *
1597 * If we're testing reachability, remember what we learned.
1598 *
1599 * Return 0 on success, -1 on failure.
1600 */
1601 int
1605 {
1618 conn,
1636 /* if it's a bridge and we didn't know its identity fingerprint, now
1637 * we do -- remember it for future attempts. */
1641 }
1645 /* It only counts as an ed25519 mismatch if we wanted an ed25519 identity
1646 * and didn't get it. It's okay if we get one that we didn't ask for. */
1648 expected_ed_key &&
1653 /* I was aiming for a particular digest. I didn't get it! */
1661 DIGEST_LEN);
1666 }
1671 }
1686 /* We need to do the checks in this order, because the list of
1687 * fallbacks includes the list of authorities */
1691 /* we expect a small number of fallbacks to change from their
1692 * hard-coded fingerprints over the life of a release */
1696 /* it's a bridge, it's either a misconfiguration, or unexpected */
1698 }
1700 /* a relay has changed its fingerprint from the one in the consensus */
1702 }
1703 }
1706 "Tried connecting to router at %s:%d, but RSA identity key was not "
1711 /* Tell the new guard API about the channel failure */
1714 END_OR_CONN_REASON_OR_IDENTITY);
1718 END_OR_CONN_REASON_OR_IDENTITY,
1719 conn);
1721 }
1729 }
1732 /* If we learned an identity for this connection, then we might have
1733 * just discovered it to be canonical. */
1735 }
1740 }
1743 }
1745 /** Return when a client used this, for connection.c, since client_used
1746 * is now one of the timestamps of channel_t */
1748 time_t
1750 {
1756 }
1758 /** The v1/v2 TLS handshake is finished.
1759 *
1760 * Make sure we are happy with the person we just handshaked with.
1761 *
1762 * If they initiated the connection, make sure they're not already connected,
1763 * then initialize conn from the information in router.
1764 *
1765 * If all is successful, call circuit_n_conn_done() to handle events
1766 * that have been pending on the <tls handshake completion. Also set the
1767 * directory to be dirty (only matters if I'm an authdirserver).
1768 *
1769 * If this is a v2 TLS handshake, send a versions cell.
1770 */
1771 static int
1773 {
1782 conn,
1808 }
1809 }
1811 /**
1812 * Called as client when initial TLS handshake is done, and we notice
1813 * that we got a v3-handshake signalling certificate from the server.
1814 * Set up structures, do bookkeeping, and send the versions cell.
1815 * Return 0 on success and -1 on failure.
1816 */
1817 static int
1819 {
1829 }
1831 /** Allocate a new connection handshake state for the connection
1832 * <b>conn</b>. Return 0 on success, -1 on failure. */
1833 int
1835 {
1840 }
1847 }
1851 }
1853 /** Free all storage held by <b>state</b>. */
1854 void
1856 {
1865 }
1867 /**
1868 * Remember that <b>cell</b> has been transmitted (if <b>incoming</b> is
1869 * false) or received (if <b>incoming</b> is true) during a V3 handshake using
1870 * <b>state</b>.
1871 *
1872 * (We don't record the cell, but we keep a digest of everything sent or
1873 * received during the v3 handshake, and the client signs it in an
1874 * authenticate cell.)
1875 */
1876 void
1881 {
1884 packed_cell_t packed;
1891 }
1894 "while making a handshake digest. But we think we are sending "
1896 }
1902 /* Re-packing like this is a little inefficient, but we don't have to do
1903 this very often at all. */
1907 }
1909 /** Remember that a variable-length <b>cell</b> has been transmitted (if
1910 * <b>incoming</b> is false) or received (if <b>incoming</b> is true) during a
1911 * V3 handshake using <b>state</b>.
1912 *
1913 * (We don't record the cell, but we keep a digest of everything sent or
1914 * received during the v3 handshake, and the client signs it in an
1915 * authenticate cell.)
1916 */
1917 void
1922 {
1932 }
1944 }
1946 /** Set <b>conn</b>'s state to OR_CONN_STATE_OPEN, and tell other subsystems
1947 * as appropriate. Called when we are done with all TLS and OR handshaking.
1948 */
1949 int
1951 {
1955 /* Link protocol 3 appeared in Tor 0.2.3.6-alpha, so any connection
1956 * that uses an earlier link protocol should not be treated as a relay. */
1959 }
1966 }
1968 /** Pack <b>cell</b> into wire-format, and write it onto <b>conn</b>'s outbuf.
1969 * For cells that use or affect a circuit, this should only be called by
1970 * connection_or_flush_from_first_active_circuit().
1971 */
1972 void
1974 {
1975 packed_cell_t networkcell;
1989 /* Touch the channel's active timestamp if there is one */
1997 }
1998 }
2002 }
2004 /** Pack a variable-length <b>cell</b> into wire-format, and write it onto
2005 * <b>conn</b>'s outbuf. Right now, this <em>DOES NOT</em> support cells that
2006 * affect a circuit.
2007 */
2011 {
2023 /* Touch the channel's active timestamp if there is one */
2026 }
2028 /** See whether there's a variable-length cell waiting on <b>or_conn</b>'s
2029 * inbuf. Return values as for fetch_var_cell_from_buf(). */
2030 static int
2032 {
2035 }
2037 /** Process cells from <b>conn</b>'s inbuf.
2038 *
2039 * Loop: while inbuf contains a cell, pull it off the inbuf, unpack it,
2040 * and hand it to command_process_cell().
2041 *
2042 * Always return 0.
2043 */
2044 static int
2046 {
2049 /*
2050 * Note on memory management for incoming cells: below the channel layer,
2051 * we shouldn't need to consider its internal queueing/copying logic. It
2052 * is safe to pass cells to it on the stack or on the heap, but in the
2053 * latter case we must be sure we free them later.
2054 *
2055 * The incoming cell queue code in channel.c will (in the common case)
2056 * decide it can pass them to the upper layer immediately, in which case
2057 * those functions may run directly on the cell pointers we pass here, or
2058 * it may decide to queue them, in which case it will allocate its own
2059 * buffer and copy the cell.
2060 */
2064 TOR_SOCKET_T_FORMAT": starting, inbuf_datalen %d "
2072 /* Touch the channel's active timestamp if there is one */
2083 cell_t cell;
2088 /* Touch the channel's active timestamp if there is one */
2095 /* retrieve cell info from buf (create the host-order struct from the
2096 * network-order string) */
2100 }
2101 }
2102 }
2104 /** Array of recognized link protocol versions. */
2106 /** Number of versions in <b>or_protocol_versions</b>. */
2110 /** Return true iff <b>v</b> is a link protocol version that this Tor
2111 * implementation believes it can support. */
2112 int
2114 {
2119 }
2121 }
2123 /** Send a VERSIONS cell on <b>conn</b>, telling the other host about the
2124 * link protocol versions that this Tor can support.
2125 *
2126 * If <b>v3_plus</b>, this is part of a V3 protocol handshake, so only
2127 * allow protocol version v3 or later. If not <b>v3_plus</b>, this is
2128 * not part of a v3 protocol handshake, so don't allow protocol v3 or
2129 * later.
2130 **/
2131 int
2133 {
2149 }
2157 }
2159 /** Send a NETINFO cell on <b>conn</b>, telling the other server what we know
2160 * about their address, our address, and the current time. */
2163 {
2164 cell_t cell;
2176 }
2181 /* Timestamp, if we're a relay. */
2185 /* Their address. */
2187 /* We use &conn->real_addr below, unless it hasn't yet been set. If it
2188 * hasn't yet been set, we know that base_.addr hasn't been tampered with
2189 * yet either. */
2196 /* My address -- only include it if I'm a public relay, or if I'm a
2197 * bridge and this is an incoming connection. If I'm a bridge and this
2198 * is an outgoing connection, act like a normal client and omit it. */
2201 tor_addr_t my_addr;
2214 }
2217 }
2224 }
2226 /** Helper used to add an encoded certs to a cert cell */
2227 static void
2232 {
2241 }
2243 /** Add an encoded X509 cert (stored as <b>cert_len</b> bytes at
2244 * <b>cert_encoded</b>) to the trunnel certs_cell_t object that we are
2245 * building in <b>certs_cell</b>. Set its type field to <b>cert_type</b>.
2246 * (If <b>cert</b> is NULL, take no action.) */
2247 static void
2251 {
2260 }
2262 /** Add an Ed25519 cert from <b>cert</b> to the trunnel certs_cell_t object
2263 * that we are building in <b>certs_cell</b>. Set its type field to
2264 * <b>cert_type</b>. (If <b>cert</b> is NULL, take no action.) */
2265 static void
2269 {
2275 }
2277 #ifdef TOR_UNIT_TESTS
2279 #else
2280 #define certs_cell_ed25519_disabled_for_testing 0
2281 #endif
2283 /** Send a CERTS cell on the connection <b>conn</b>. Return 0 on success, -1
2284 * on failure. */
2285 int
2287 {
2301 /* Get the encoded values of the X509 certificates */
2308 }
2313 /* Start adding certs. First the link cert or auth1024 cert. */
2322 }
2324 /* Next the RSA->RSA ID cert */
2328 /* Next the Ed25519 certs */
2330 CERTTYPE_ED_ID_SIGN,
2334 certs_cell_ed25519_disabled_for_testing);
2336 CERTTYPE_ED_SIGN_LINK,
2340 CERTTYPE_ED_SIGN_AUTH,
2342 }
2344 /* And finally the crosscert. */
2345 {
2351 CERTTYPE_RSA1024_ID_EDID,
2353 }
2354 }
2356 /* We've added all the certs; make the cell. */
2373 }
2375 /** Return true iff <b>challenge_type</b> is an AUTHCHALLENGE type that
2376 * we can send and receive. */
2377 int
2379 {
2387 }
2388 }
2390 /** Return true iff <b>challenge_type_a</b> is one that we would rather
2391 * use than <b>challenge_type_b</b>. */
2392 int
2395 {
2396 /* Any supported type is better than an unsupported one;
2397 * all unsupported types are equally bad. */
2402 /* It happens that types are superior in numerically ascending order.
2403 * If that ever changes, this must change too. */
2405 }
2407 /** Send an AUTH_CHALLENGE cell on the connection <b>conn</b>. Return 0
2408 * on success, -1 on failure. */
2409 int
2411 {
2425 /* Disabled, because everything that supports this method also supports
2426 * the much-superior ED25519_SHA256_RFC5705 */
2427 /* auth_challenge_cell_add_methods(ac, AUTHTYPE_RSA_SHA256_RFC5705); */
2434 ac);
2436 /* LCOV_EXCL_START */
2439 /* LCOV_EXCL_STOP */
2440 }
2446 done:
2451 }
2453 /** Compute the main body of an AUTHENTICATE cell that a client can use
2454 * to authenticate itself on a v3 handshake for <b>conn</b>. Return it
2455 * in a var_cell_t.
2456 *
2457 * If <b>server</b> is true, only calculate the first
2458 * V3_AUTH_FIXED_PART_LEN bytes -- the part of the authenticator that's
2459 * determined by the rest of the handshake, and which match the provided value
2460 * exactly.
2461 *
2462 * If <b>server</b> is false and <b>signing_key</b> is NULL, calculate the
2463 * first V3_AUTH_BODY_LEN bytes of the authenticator (that is, everything
2464 * that should be signed), but don't actually sign it.
2465 *
2466 * If <b>server</b> is false and <b>signing_key</b> is provided, calculate the
2467 * entire authenticator, signed with <b>signing_key</b>.
2468 *
2469 * Return the length of the cell body on success, and -1 on failure.
2470 */
2471 var_cell_t *
2477 {
2486 /* assert state is reasonable XXXX */
2502 }
2507 /* Type: 8 bytes. */
2510 {
2517 their_digests =
2527 /* Client ID digest: 32 octets. */
2530 /* Server ID digest: 32 octets. */
2532 }
2539 }
2548 }
2550 {
2558 }
2560 /* Server log digest : 32 octets */
2563 /* Client log digest : 32 octets */
2565 }
2567 {
2568 /* Digest of cert used on TLS link : 32 octets. */
2574 }
2577 authtype_str);
2579 }
2585 }
2587 /* HMAC of clientrandom and serverrandom using master key : 32 octets */
2596 label);
2597 }
2599 /* 8 octets were reserved for the current time, but we're trying to get out
2600 * of the habit of sending time around willynilly. Fortunately, nothing
2601 * checks it. That's followed by 16 bytes of nonce. */
2609 }
2615 ssize_t len;
2621 /* LCOV_EXCL_START */
2624 /* LCOV_EXCL_STOP */
2625 }
2631 /* LCOV_EXCL_START */
2635 /* LCOV_EXCL_STOP */
2636 }
2641 /* LCOV_EXCL_START */
2644 /* LCOV_EXCL_STOP */
2645 }
2647 }
2650 ed25519_signature_t sig;
2652 /* LCOV_EXCL_START */
2655 /* LCOV_EXCL_STOP */
2656 }
2672 }
2675 }
2679 /* LCOV_EXCL_START */
2682 /* LCOV_EXCL_STOP */
2683 }
2690 err:
2693 done:
2697 }
2699 /** Send an AUTHENTICATE cell on the connection <b>conn</b>. Return 0 on
2700 * success, -1 on failure */
2703 {
2706 /* XXXX make sure we're actually supposed to send this! */
2711 }
2716 }
2719 authtype,
2720 pk,
2724 /* LCOV_EXCL_START */
2727 /* LCOV_EXCL_STOP */
2728 }
2733 }