| blob | 21850d0fb60d628f4c96f03880dcd2d2251916e8 |
1 /* * Copyright (c) 2012-2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file channeltls.c
6 *
7 * \brief A concrete subclass of channel_t using or_connection_t to transfer
8 * cells between Tor instances.
9 *
10 * This module fills in the various function pointers in channel_t, to
11 * implement the channel_tls_t channels as used in Tor today. These channels
12 * are created from channel_tls_connect() and
13 * channel_tls_handle_incoming(). Each corresponds 1:1 to or_connection_t
14 * object, as implemented in connection_or.c. These channels transmit cells
15 * to the underlying or_connection_t by calling
16 * connection_or_write_*_cell_to_buf(), and receive cells from the underlying
17 * or_connection_t when connection_or_process_cells_from_inbuf() calls
18 * channel_tls_handle_*_cell().
19 *
20 * Here we also implement the server (responder) side of the v3+ Tor link
21 * handshake, which uses CERTS and AUTHENTICATE cell to negotiate versions,
22 * exchange expected and observed IP and time information, and bootstrap a
23 * level of authentication higher than we have gotten on the raw TLS
24 * handshake.
25 *
26 * NOTE: Since there is currently only one type of channel, there are probably
27 * more than a few cases where functionality that is currently in
28 * channeltls.c, connection_or.c, and channel.c ought to be divided up
29 * differently. The right time to do this is probably whenever we introduce
30 * our next channel type.
31 **/
33 /*
34 * Define this so channel.h gives us things only channel_t subclasses
35 * should touch.
36 */
37 #define CHANNEL_OBJECT_PRIVATE
39 #define CHANNELTLS_PRIVATE
80 /** How many CELL_PADDING cells have we received, ever? */
82 /** How many CELL_VERSIONS cells have we received, ever? */
84 /** How many CELL_NETINFO cells have we received, ever? */
86 /** How many CELL_VPADDING cells have we received, ever? */
88 /** How many CELL_CERTS cells have we received, ever? */
90 /** How many CELL_AUTH_CHALLENGE cells have we received, ever? */
92 /** How many CELL_AUTHENTICATE cells have we received, ever? */
94 /** How many CELL_AUTHORIZE cells have we received, ever? */
97 /** Active listener, if any */
100 /* channel_tls_t method declarations */
108 static int
113 static int
127 /* channel_listener_tls_t method declarations */
133 /** Handle incoming cells for the handshake stuff here rather than
134 * passing them on up. */
146 /**
147 * Do parts of channel_tls_t initialization common to channel_tls_connect()
148 * and channel_tls_handle_incoming().
149 */
150 STATIC void
152 {
179 /* We only have one policy for now so always set it to EWMA. */
181 }
183 /**
184 * Start a new TLS channel.
185 *
186 * Launch a new OR connection to <b>addr</b>:<b>port</b> and expect to
187 * handshake with an OR with identity digest <b>id_digest</b>, and wrap
188 * it in a channel_tls_t.
189 */
190 channel_t *
194 {
201 "In channel_tls_connect() for channel %p "
203 tlschan,
216 }
220 /* Set up or_connection stuff */
222 /* connection_or_connect() will fill in tlschan->conn */
227 }
235 err:
240 done:
241 /* If we got one, we should register it */
245 }
247 /**
248 * Return the current channel_tls_t listener.
249 *
250 * Returns the current channel listener for incoming TLS connections, or
251 * NULL if none has been established
252 */
253 channel_listener_t *
255 {
257 }
259 /**
260 * Start a channel_tls_t listener if necessary.
261 *
262 * Return the current channel_tls_t listener, or start one if we haven't yet,
263 * and return that.
264 */
265 channel_listener_t *
267 {
276 channel_tls_listener_describe_transport_method;
288 }
290 /**
291 * Free everything on shutdown.
292 *
293 * Not much to do here, since channel_free_all() takes care of a lot, but let's
294 * get rid of the listener.
295 */
296 void
298 {
305 /*
306 * When we close it, channel_tls_listener will get nulled out, so save
307 * a pointer so we can free it.
308 */
311 "Closing channel_tls_listener with ID %"PRIu64
314 old_listener);
319 }
323 }
325 /**
326 * Create a new channel around an incoming or_connection_t.
327 */
328 channel_t *
330 {
339 /* Link the channel and orconn to each other */
353 }
357 /* Register it */
361 }
363 /**
364 * Set the `potentially_used_for_bootstrapping` flag on the or_connection_t
365 * corresponding to the provided channel.
366 *
367 * This flag indicates that if the connection fails, it might be interesting
368 * to the bootstrapping subsystem. (The bootstrapping system only cares about
369 * channels that we have tried to use for our own circuits. Other channels
370 * may have been launched in response to EXTEND cells from somebody else, and
371 * if they fail, it won't necessarily indicate a bootstrapping problem.)
372 **/
373 void
375 {
386 }
388 /*********
389 * Casts *
390 ********/
392 /**
393 * Cast a channel_tls_t to a channel_t.
394 */
395 channel_t *
397 {
401 }
403 /**
404 * Cast a channel_t to a channel_tls_t, with appropriate type-checking
405 * asserts.
406 */
407 channel_tls_t *
409 {
415 }
417 /**
418 * Cast a const channel_tls_t to a const channel_t.
419 */
422 {
424 }
426 /**
427 * Cast a const channel_t to a const channel_tls_t, with appropriate
428 * type-checking asserts.
429 */
432 {
434 }
436 /********************************************
437 * Method implementations for channel_tls_t *
438 *******************************************/
440 /**
441 * Close a channel_tls_t.
442 *
443 * This implements the close method for channel_tls_t.
444 */
445 static void
447 {
454 /* Weird - we'll have to change the state ourselves, I guess */
457 tlschan);
459 }
460 }
462 /**
463 * Describe the transport for a channel_tls_t.
464 *
465 * This returns the string "TLS channel on connection <id>" to the upper
466 * layer.
467 */
470 {
491 }
494 }
496 /**
497 * Free a channel_tls_t.
498 *
499 * This is called by the generic channel layer when freeing a channel_tls_t;
500 * this happens either on a channel which has already reached
501 * CHANNEL_STATE_CLOSED or CHANNEL_STATE_ERROR from channel_run_cleanup() or
502 * on shutdown from channel_free_all(). In the latter case we might still
503 * have an orconn active (which connection_free_all() will get to later),
504 * so we should null out its channel pointer now.
505 */
506 static void
508 {
516 }
517 }
519 /**
520 * Get an estimate of the average TLS overhead for the upper layer.
521 */
522 static double
524 {
531 /* Just return 1.0f if we don't have sensible data */
538 /*
539 * Never estimate more than 2.0; otherwise we get silly large estimates
540 * at the very start of a new TLS connection.
541 */
544 }
551 }
553 /**
554 * Get the remote address of a channel_tls_t.
555 *
556 * This implements the get_remote_addr method for channel_tls_t; copy the
557 * remote endpoint of the channel to addr_out and return 1. (Always
558 * succeeds if this channel is attached to an OR connection.)
559 *
560 * Always returns the real address of the peer, not the canonical address.
561 */
562 static int
565 {
574 }
576 /* They want the real address, so give it to them. */
580 }
582 /**
583 * Get the name of the pluggable transport used by a channel_tls_t.
584 *
585 * This implements the get_transport_name for channel_tls_t. If the
586 * channel uses a pluggable transport, copy its name to
587 * <b>transport_out</b> and return 0. If the channel did not use a
588 * pluggable transport, return -1.
589 */
590 static int
592 {
604 }
606 /**
607 * Get a human-readable endpoint description of a channel_tls_t.
608 *
609 * This format is intended for logging, and may change in the future;
610 * nothing should parse or rely on its particular details.
611 */
614 {
622 }
623 }
625 /**
626 * Tell the upper layer if we have queued writes.
627 *
628 * This implements the has_queued_writes method for channel_tls t_; it returns
629 * 1 iff we have queued writes on the outbuf of the underlying or_connection_t.
630 */
631 static int
633 {
640 "something called has_queued_writes on a tlschan "
643 }
650 }
652 /**
653 * Tell the upper layer if we're canonical.
654 *
655 * This implements the is_canonical method for channel_tls_t:
656 * it returns whether this is a canonical channel.
657 */
658 static int
660 {
667 /* If this bit is set to 0, and link_proto is sufficiently old, then we
668 * can't actually _rely_ on this being a non-canonical channel.
669 * Nonetheless, we're going to believe that this is a non-canonical
670 * channel in this case, since nobody should be using these link protocols
671 * any more. */
673 }
676 }
678 /**
679 * Check if we match an extend_info_t.
680 *
681 * This implements the matches_extend_info method for channel_tls_t; the upper
682 * layer wants to know if this channel matches an extend_info_t.
683 *
684 * NOTE that this function only checks for an address/port match, and should
685 * be used only when no identify is available.
686 */
687 static int
690 {
696 /* Never match if we have no conn */
699 "something called matches_extend_info on a tlschan "
703 }
706 // If the canonical address is set, then we'll allow matches based on that.
710 }
711 }
713 // We also want to match if the true address and port are listed in the
714 // extend info.
718 }
720 /**
721 * Check if we match a target address; return true iff we do.
722 *
723 * This implements the matches_target method for channel_tls t_; the upper
724 * layer wants to know if this channel matches a target address when extending
725 * a circuit.
726 */
727 static int
730 {
736 /* Never match if we have no conn */
739 "something called matches_target on a tlschan "
743 }
745 /* addr is the address this connection came from.
746 * canonical_orport is updated by connection_or_init_conn_from_address()
747 * to be the address in the descriptor. It may be tempting to
748 * allow either address to be allowed, but if we did so, it would
749 * enable someone who steals a relay's keys to covertly impersonate/MITM it
750 * from anywhere on the Internet! (Because they could make long-lived
751 * TLS connections from anywhere to all relays, and wait for them to
752 * be used for extends).
753 *
754 * An adversary who has stolen a relay's keys could also post a fake relay
755 * descriptor, but that attack is easier to detect.
756 */
758 }
760 /**
761 * Tell the upper layer how many bytes we have queued and not yet
762 * sent.
763 */
764 static size_t
766 {
773 }
775 /**
776 * Tell the upper layer how many cells we can accept to write.
777 *
778 * This implements the num_cells_writeable method for channel_tls_t; it
779 * returns an estimate of the number of cells we can accept with
780 * channel_tls_write_*_cell().
781 */
782 static int
784 {
786 ssize_t n;
795 /* Get the number of cells */
798 #if SIZEOF_SIZE_T > SIZEOF_INT
800 #endif
803 }
805 /**
806 * Write a cell to a channel_tls_t.
807 *
808 * This implements the write_cell method for channel_tls_t; given a
809 * channel_tls_t and a cell_t, transmit the cell_t.
810 */
811 static int
813 {
825 "something called write_cell on a tlschan "
828 }
831 }
833 /**
834 * Write a packed cell to a channel_tls_t.
835 *
836 * This implements the write_packed_cell method for channel_tls_t; given a
837 * channel_tls_t and a packed_cell_t, transmit the packed_cell_t.
838 *
839 * Return 0 on success or negative value on error. The caller must free the
840 * packed cell.
841 */
842 static int
845 {
858 "something called write_packed_cell on a tlschan "
862 }
865 }
867 /**
868 * Write a variable-length cell to a channel_tls_t.
869 *
870 * This implements the write_var_cell method for channel_tls_t; given a
871 * channel_tls_t and a var_cell_t, transmit the var_cell_t.
872 */
873 static int
875 {
887 "something called write_var_cell on a tlschan "
890 }
893 }
895 /*************************************************
896 * Method implementations for channel_listener_t *
897 ************************************************/
899 /**
900 * Close a channel_listener_t.
901 *
902 * This implements the close method for channel_listener_t.
903 */
904 static void
906 {
909 /*
910 * Listeners we just go ahead and change state through to CLOSED, but
911 * make sure to check if they're channel_tls_listener to NULL it out.
912 */
920 }
930 }
935 }
936 }
938 /**
939 * Describe the transport for a channel_listener_t.
940 *
941 * This returns the string "TLS channel (listening)" to the upper
942 * layer.
943 */
946 {
950 }
952 /*******************************************************
953 * Functions for handling events on an or_connection_t *
954 ******************************************************/
956 /**
957 * Handle an orconn state change.
958 *
959 * This function will be called by connection_or.c when the or_connection_t
960 * associated with this channel_tls_t changes state.
961 */
962 void
966 {
976 /* Make sure the base connection state makes sense - shouldn't be error
977 * or closed. */
984 /* Did we just go to state open? */
986 /*
987 * We can go to CHANNEL_STATE_OPEN from CHANNEL_STATE_OPENING or
988 * CHANNEL_STATE_MAINT on this.
989 */
991 /* We might have just become writeable; check and tell the scheduler */
994 }
996 /*
997 * Not open, so from CHANNEL_STATE_OPEN we go to CHANNEL_STATE_MAINT,
998 * otherwise no change.
999 */
1002 }
1003 }
1004 }
1006 #ifdef KEEP_TIMING_STATS
1008 /**
1009 * Timing states wrapper.
1010 *
1011 * This is a wrapper function around the actual function that processes the
1012 * <b>cell</b> that just arrived on <b>chan</b>. Increment <b>*time</b>
1013 * by the number of microseconds used by the call to <b>*func(cell, chan)</b>.
1014 */
1015 static void
1018 {
1031 }
1036 }
1039 }
1042 #ifdef KEEP_TIMING_STATS
1043 #define PROCESS_CELL(tp, cl, cn) STMT_BEGIN { \
1044 ++num ## tp; \
1045 channel_tls_time_process_cell(cl, cn, & tp ## time , \
1046 channel_tls_process_ ## tp ## _cell); \
1047 } STMT_END
1049 #define PROCESS_CELL(tp, cl, cn) channel_tls_process_ ## tp ## _cell(cl, cn)
1052 /**
1053 * Handle an incoming cell on a channel_tls_t.
1054 *
1055 * This is called from connection_or.c to handle an arriving cell; it checks
1056 * for cell types specific to the handshake for this transport protocol and
1057 * handles them, and queues all other cells to the channel_t layer, which
1058 * eventually will hand them off to command.c.
1059 *
1060 * The channel layer itself decides whether the cell should be queued or
1061 * can be handed off immediately to the upper-layer code. It is responsible
1062 * for copying in the case that it queues; we merely pass pointers through
1063 * which we get from connection_or_process_cells_from_inbuf().
1064 */
1065 void
1067 {
1080 }
1087 /* Reject all but VERSIONS and NETINFO when handshaking. */
1088 /* (VERSIONS actually indicates a protocol warning: it's variable-length,
1089 * so if it reaches this function, we're on a v1 connection.) */
1093 "Received unexpected cell command %d in chan state %s / "
1100 }
1105 /* We note that we're on the internet whenever we read a cell. This is
1106 * a fast operation. */
1119 /* do nothing */
1122 /* A VERSIONS cell should always be a variable-length cell, and
1123 * so should never reach this function (which handles constant-sized
1124 * cells). But if the connection is using the (obsolete) v1 link
1125 * protocol, all cells will be treated as constant-sized, and so
1126 * it's possible we'll reach this code.
1127 */
1129 "Received unexpected VERSIONS cell on a channel using link "
1149 /*
1150 * These are all transport independent and we pass them up through the
1151 * channel_t mechanism. They are ultimately handled in command.c.
1152 */
1157 "Cell of unknown type (%d) received in channeltls.c. "
1161 }
1162 }
1164 /**
1165 * Handle an incoming variable-length cell on a channel_tls_t.
1166 *
1167 * Process a <b>var_cell</b> that was just received on <b>conn</b>. Keep
1168 * internal statistics about how many of each cell we've processed so far
1169 * this second, and the total number of microseconds it took to
1170 * process each type of cell. All the var_cell commands are handshake-
1171 * related and live below the channel_t layer, so no variable-length
1172 * cells ever get delivered in the current implementation, but I've left
1173 * the mechanism in place for future use.
1174 *
1175 * If we were handing them off to the upper layer, the channel_t queueing
1176 * code would be responsible for memory management, and we'd just be passing
1177 * pointers through from connection_or_process_cells_from_inbuf(). That
1178 * caller always frees them after this function returns, so this function
1179 * should never free var_cell.
1180 */
1181 void
1183 {
1186 #ifdef KEEP_TIMING_STATS
1187 /* how many of each cell have we seen so far this second? needs better
1188 * name. */
1195 /* print stats */
1204 /* remember which second it is, for next time */
1206 }
1218 }
1227 "Received a cell with command %d in unexpected "
1235 /*
1236 * The code in connection_or.c will tell channel_t to close for
1237 * error; it will go to CHANNEL_STATE_CLOSING, and then to
1238 * CHANNEL_STATE_ERROR when conn is closed.
1239 */
1242 }
1245 /* If we're using bufferevents, it's entirely possible for us to
1246 * notice "hey, data arrived!" before we notice "hey, the handshake
1247 * finished!" And we need to be accepting both at once to handle both
1248 * the v2 and v3 handshakes. */
1249 /* But that should be happening any longer've disabled bufferevents. */
1251 FALLTHROUGH_UNLESS_ALL_BUGS_ARE_FATAL;
1255 "Received a cell with command %d in unexpected "
1263 /* see above comment about CHANNEL_STATE_ERROR */
1269 }
1279 "Received a variable-length cell with command %d in orconn "
1280 "state %s [%d], channel state %s [%d] with link protocol %d; "
1289 }
1293 "Received var-length cell with command %d in unexpected "
1302 }
1304 /* We note that we're on the internet whenever we read a cell. This is
1305 * a fast operation. */
1308 /* Now handle the cell */
1317 /* Do nothing */
1333 /* Ignored so far. */
1340 }
1341 }
1343 #undef PROCESS_CELL
1345 /**
1346 * Update channel marks after connection_or.c has changed an address.
1347 *
1348 * This is called from connection_or_init_conn_from_address() after the
1349 * connection's _base.addr or real_addr fields have potentially been changed
1350 * so we can recalculate the local mark. Notably, this happens when incoming
1351 * connections are reverse-proxied and we only learn the real address of the
1352 * remote router by looking it up in the consensus after we finish the
1353 * handshake and know an authenticated identity digest.
1354 */
1355 void
1357 {
1371 }
1378 }
1379 }
1380 }
1382 /**
1383 * Check if this cell type is allowed before the handshake is finished.
1384 *
1385 * Return true if <b>command</b> is a cell command that's allowed to start a
1386 * V3 handshake.
1387 */
1388 static int
1390 {
1398 }
1399 }
1401 /**
1402 * Start a V3 handshake on an incoming connection.
1403 *
1404 * Called when we as a server receive an appropriate cell while waiting
1405 * either for a cell or a TLS handshake. Set the connection's state to
1406 * "handshaking_v3', initializes the or_handshake_state field as needed,
1407 * and add the cell to the hash of incoming cells.)
1408 */
1409 static int
1411 {
1422 OR_CONN_STATE_TLS_SERVER_RENEGOTIATING);
1426 "Received a cell while TLS-handshaking, not in "
1428 }
1434 }
1438 }
1440 /**
1441 * Process a 'versions' cell.
1442 *
1443 * This function is called to handle an incoming VERSIONS cell; the current
1444 * link protocol version must be 0 to indicate that no version has yet been
1445 * negotiated. We compare the versions in the cell to the list of versions
1446 * we support, pick the highest version we have in common, and continue the
1447 * negotiation from there.
1448 */
1449 static void
1451 {
1461 "Received a VERSION cell with odd payload length %d; "
1465 }
1473 "Received a VERSIONS cell on a connection with its version "
1477 }
1479 {
1489 }
1493 {
1500 }
1501 }
1504 "Couldn't find a version in common between my version list and the "
1509 /* Negotiating version 1 makes no sense, since version 1 has no VERSIONS
1510 * cells. */
1512 "Used version negotiation protocol to negotiate a v1 connection. "
1519 "Negotiated link protocol 2 or lower after doing a v3 TLS "
1525 /* XXXX This should eventually be a log_protocol_warn */
1527 "Negotiated link with non-2 protocol after doing a v2 TLS "
1532 }
1542 highest_supported_version,
1548 }
1551 /* If we want to authenticate, send a CERTS cell */
1553 /* If we're a host that got a connection, ask for authentication. */
1555 /* If our certs cell will authenticate us, we can send a netinfo cell
1556 * right now. */
1564 highest_supported_version,
1572 #ifdef DISABLE_V3_LINKPROTO_SERVERSIDE
1576 }
1584 }
1585 }
1587 /* We set this after sending the versions cell. */
1588 /*XXXXX symbolic const.*/
1601 }
1602 }
1608 }
1609 }
1615 }
1616 }
1617 }
1618 }
1620 /**
1621 * Process a 'padding_negotiate' cell.
1622 *
1623 * This function is called to handle an incoming PADDING_NEGOTIATE cell;
1624 * enable or disable padding accordingly, and read and act on its timeout
1625 * value contents.
1626 */
1627 static void
1629 {
1640 }
1645 "Received malformed PADDING_NEGOTIATE cell on v%d connection; "
1649 }
1652 negotiation);
1655 }
1657 /**
1658 * Convert <b>netinfo_addr</b> into corresponding <b>tor_addr</b>.
1659 * Return 0 on success; on failure, return -1 and log a warning.
1660 */
1661 static int
1675 netinfo_addr);
1681 }
1684 }
1686 /**
1687 * Helper: compute the absolute value of a time_t.
1688 *
1689 * (we need this because labs() doesn't always work for time_t, since
1690 * long can be shorter than time_t.)
1691 */
1694 {
1696 }
1698 /** Return true iff the channel can process a NETINFO cell. For this to return
1699 * true, these channel conditions apply:
1700 *
1701 * 1. Link protocol is version 2 or higher (tor-spec.txt, NETINFO cells
1702 * section).
1703 *
1704 * 2. Underlying OR connection of the channel is either in v2 or v3
1705 * handshaking state.
1706 */
1707 static bool
1709 {
1710 /* NETINFO cells can only be negotiated on link protocol 2 or higher. */
1716 }
1718 /* Can't process a NETINFO cell if the connection is not handshaking. */
1724 }
1726 /* Make sure we do have handshake state. */
1731 }
1733 /** Mark the given channel endpoint as a client (which means either a tor
1734 * client or a tor bridge).
1735 *
1736 * This MUST be done on an _unauthenticated_ channel. It is a mistake to mark
1737 * an authenticated channel as a client.
1738 *
1739 * The following is done on the channel:
1740 *
1741 * 1. Marked as a client.
1742 * 2. Type of circuit ID type is set.
1743 * 3. The underlying OR connection is initialized with the address of the
1744 * endpoint.
1745 */
1746 static void
1748 {
1749 /* Ending up here for an authenticated link is a mistake. */
1752 }
1756 authenticated_rsa_peer_id)));
1760 /* If the client never authenticated, it's a tor client or bridge
1761 * relay, and we must not use it for EXTEND requests (nor could we, as
1762 * there are no authenticated peer IDs) */
1770 /* zero, checked above */
1772 authenticated_rsa_peer_id),
1775 }
1777 /**
1778 * Process a 'netinfo' cell
1779 *
1780 * This function is called to handle an incoming NETINFO cell; read and act
1781 * on its contents, and set the connection state to "open".
1782 */
1783 static void
1785 {
1802 /* Make sure we can process a NETINFO cell. Link protocol and state
1803 * validation is done to make sure of it. */
1806 }
1816 "Got a NETINFO cell from server, "
1820 }
1822 /* We're the server. If the client never authenticated, we have some
1823 * housekeeping to do.
1824 *
1825 * It's a tor client or bridge relay, and we must not use it for EXTEND
1826 * requests (nor could we, as there are no authenticated peer IDs) */
1829 }
1830 }
1831 }
1833 /* Decode the cell. */
1837 CELL_PAYLOAD_SIZE);
1844 }
1856 }
1857 /* We used to check:
1858 * if (my_addr_len >= CELL_PAYLOAD_SIZE - 6) {
1859 *
1860 * This is actually never going to happen, since my_addr_len is at most 255,
1861 * and CELL_PAYLOAD_LEN - 6 is 503. So we know that cp is < end. */
1867 }
1873 }
1880 }
1881 }
1884 /* We have a descriptor, so we are a relay: record the address that the
1885 * other side said we had. */
1888 }
1892 /* Consider all the other addresses; if any matches, this connection is
1893 * "canonical." */
1898 tor_addr_t addr;
1904 }
1905 /* A relay can connect from anywhere and be canonical, so
1906 * long as it tells you from where it came. This may sound a bit
1907 * concerning... but that's what "canonical" means: that the
1908 * address is one that the relay itself has claimed. The relay
1909 * might be doing something funny, but nobody else is doing a MITM
1910 * on the relay's TCP.
1911 */
1915 }
1916 }
1925 "We made a connection to a relay at %s (fp=%s) but we think "
1926 "they will not consider this connection canonical. They "
1933 }
1935 /* Act on apparent skew. */
1936 /** Warn when we get a netinfo skew with at least this value. */
1937 #define NETINFO_NOTICE_SKEW 3600
1944 }
1946 /* Consider our apparent address as a possible suggestion for our address if
1947 * we were unable to resolve it previously. The endpoint address is passed
1948 * in order to make sure to never consider an address that is the same as
1949 * our endpoint. */
1951 identity_digest);
1954 /* If we were prepared to authenticate, but we never got an AUTH_CHALLENGE
1955 * cell, then we would not previously have sent a NETINFO cell. Do so
1956 * now. */
1960 }
1961 }
1965 "Got good NETINFO cell on %s; but "
1971 "Got good NETINFO cell on %s; OR connection is now "
1972 "open, using protocol version %d. Its ID digest is %s. "
1980 }
1982 }
1984 /** Types of certificates that we know how to parse from CERTS cells. Each
1985 * type corresponds to a different encoding format. */
1989 * (Actually, it might not be RSA. We test that later.) */
1991 * encoded asa a tor_cert_t.*/
1995 /**
1996 * Given one of the certificate type codes used in a CERTS cell,
1997 * return the corresponding cert_encoding_t that we should use to parse
1998 * the certificate.
1999 */
2000 static cert_encoding_t
2002 {
2016 }
2017 }
2019 /**
2020 * Process a CERTS cell from a channel.
2021 *
2022 * This function is called to process an incoming CERTS cell on a
2023 * channel_tls_t:
2024 *
2025 * If the other side should not have sent us a CERTS cell, or the cell is
2026 * malformed, or it is supposed to authenticate the TLS key but it doesn't,
2027 * then mark the connection.
2028 *
2029 * If the cell has a good cert chain and we're doing a v3 handshake, then
2030 * store the certificates in or_handshake_state. If this is the client side
2031 * of the connection, we then authenticate the server or mark the connection.
2032 * If it's the server side, wait for an AUTHENTICATE cell.
2033 */
2034 STATIC void
2036 {
2037 #define MAX_CERT_TYPE_WANTED CERTTYPE_RSA1024_ID_EDID
2038 /* These arrays will be sparse, since a cert type can be at most one
2039 * of ed/x509 */
2056 #define ERR(s) \
2057 do { \
2058 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, \
2060 connection_describe(TO_CONN(chan->conn)), \
2061 (s)); \
2062 connection_or_close_for_error(chan->conn, 0); \
2063 goto err; \
2064 } while (0)
2066 /* Can't use connection_or_nonopen_was_started_here(); its conn->tls
2067 * check looks like it breaks
2068 * test_link_handshake_recv_certs_ok_server(). */
2078 /* Should be unreachable, but let's make sure. */
2080 }
2117 }
2118 }
2120 }
2125 "Received undecodable Ed certificate "
2134 }
2135 }
2137 }
2145 }
2147 }
2148 }
2149 }
2151 /* Move the certificates we (might) want into the handshake_state->certs
2152 * structure. */
2175 rsa_ed_cc_cert_len;
2179 /* Note that this warns more loudly about time and validity if we were
2180 * _trying_ to connect to an authority, not necessarily if we _did_ connect
2181 * to one. */
2185 else
2201 /* No more information is needed. */
2205 {
2214 }
2220 }
2226 }
2237 "Got some good certificates on %s: Authenticated it with "
2243 /* If we initiated the connection and we are not a public server, we
2244 * aren't planning to authenticate at all. At this point we know who we
2245 * are talking to, so we can just send a netinfo now. */
2247 }
2249 /* We can't call it authenticated till we see an AUTHENTICATE cell. */
2251 "Got some good RSA%s certificates on %s. "
2255 /* XXXX check more stuff? */
2256 }
2265 }
2266 }
2268 err:
2271 }
2274 }
2277 #undef ERR
2278 }
2280 /**
2281 * Process an AUTH_CHALLENGE cell from a channel_tls_t.
2282 *
2283 * This function is called to handle an incoming AUTH_CHALLENGE cell on a
2284 * channel_tls_t; if we weren't supposed to get one (for example, because we're
2285 * not the originator of the channel), or it's ill-formed, or we aren't doing
2286 * a v3 handshake, mark the channel. If the cell is well-formed but we don't
2287 * want to authenticate, just drop it. If the cell is well-formed *and* we
2288 * want to authenticate, send an AUTHENTICATE cell and then a NETINFO cell.
2289 */
2290 STATIC void
2292 {
2300 #define ERR(s) \
2301 do { \
2302 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, \
2304 connection_describe(TO_CONN(chan->conn)), \
2305 (s)); \
2306 connection_or_close_for_error(chan->conn, 0); \
2307 goto done; \
2308 } while (0)
2328 /* Now see if there is an authentication type we can use */
2335 }
2336 }
2337 }
2342 /* If we're not a public server then we don't want to authenticate on a
2343 connection we originated, and we already sent a NETINFO cell when we
2344 got the CERTS cell. We have nothing more to do. */
2346 }
2350 "Got an AUTH_CHALLENGE cell on %s: Sending "
2353 use_type);
2360 }
2363 "Got an AUTH_CHALLENGE cell on %s, but we don't "
2366 }
2372 }
2374 done:
2377 #undef ERR
2378 }
2380 /**
2381 * Process an AUTHENTICATE cell from a channel_tls_t.
2382 *
2383 * If it's ill-formed or we weren't supposed to get one or we're not doing a
2384 * v3 handshake, then mark the connection. If it does not authenticate the
2385 * other side of the connection successfully (because it isn't signed right,
2386 * we didn't get a CERTS cell, etc) mark the connection. Otherwise, accept
2387 * the identity of the router on the other side of the connection.
2388 */
2389 STATIC void
2391 {
2402 #define ERR(s) \
2403 do { \
2404 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, \
2406 connection_describe(TO_CONN(chan->conn)), \
2407 (s)); \
2408 connection_or_close_for_error(chan->conn, 0); \
2409 var_cell_free(expected_cell); \
2410 return; \
2411 } while (0)
2422 /* Should be impossible given other checks */
2424 }
2433 {
2445 }
2462 /* Our earlier check had better have made sure we had room
2463 * for an ed25519 sig (inadvertently) */
2467 }
2470 }
2472 /* Length of random part. */
2474 // LCOV_EXCL_START
2476 // LCOV_EXCL_STOP
2477 }
2498 }
2510 }
2514 }
2515 /* Note that we deliberately allow *more* than DIGEST256_LEN bytes here,
2516 * in case they're later used to hold a SHA3 digest or something. */
2520 }
2530 ed25519_signature_t sig;
2535 }
2536 }
2538 /* Okay, we are authenticated. */
2543 {
2551 ed_identity_received =
2555 }
2557 /* This must exist; we checked key type when reading the cert. */
2568 "Calling connection_or_init_conn_from_address on %s "
2571 __func__,
2578 authenticated_rsa_peer_id),
2579 ed_identity_received,
2585 authtype);
2586 }
2590 #undef ERR
2591 }