| blob | 2cd96688f23917bf84783b300c63d29fc539ca68 |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2008, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 /* $Id$ */
10 /**
11 * \file connection_or.c
12 * \brief Functions to handle OR connections, TLS handshaking, and
13 * cells on the network.
14 **/
27 /**************************************************************/
29 /** Map from identity digest of connected OR or desired OR to a connection_t
30 * with that identity digest. If there is more than one such connection_t,
31 * they form a linked list, with next_with_same_id as the next pointer. */
34 /** If conn is listed in orconn_identity_map, remove it, and clear
35 * conn->identity_digest. Otherwise do nothing. */
36 void
38 {
49 }
51 }
56 else
63 }
65 }
66 }
69 }
71 /** Remove all entries from the identity-to-orconn map, and clear
72 * all identities in OR conns.*/
73 void
75 {
78 {
83 }
84 });
89 }
90 }
92 /** Change conn->identity_digest to digest, and add conn into
93 * orconn_digest_map. */
94 static void
96 {
106 /* If the identity was set previously, remove the old mapping. */
112 /* If we're setting the ID to zero, don't add a mapping. */
119 #if 1
120 /* Testing code to check for bugs in representation. */
124 }
125 #endif
126 }
128 /** Pack the cell_t host-order structure <b>src</b> into network-order
129 * in the buffer <b>dest</b>. See tor-spec.txt for details about the
130 * wire format.
131 *
132 * Note that this function doesn't touch <b>dst</b>-\>next: the caller
133 * should set it or clear it as appropriate.
134 */
135 void
137 {
142 }
144 /** Unpack the network-order buffer <b>src</b> into a host-order
145 * cell_t structure <b>dest</b>.
146 */
147 static void
149 {
153 }
155 /** Write the header of <b>cell</b> into the first VAR_CELL_HEADER_SIZE
156 * bytes of <b>hdr_out</b>. */
157 void
159 {
163 }
165 /** Allocate and return a new var_cell_t with <b>payload_len</b> bytes of
166 * payload space. */
167 var_cell_t *
169 {
175 }
177 /** Release all space held by <b>cell</b>. */
178 void
180 {
182 }
184 /** We've received an EOF from <b>conn</b>. Mark it for close and return. */
185 int
187 {
191 }
193 /** Read conn's inbuf. If the http response from the proxy is all
194 * here, make sure it's good news, and begin the tls handshake. If
195 * it's bad news, close the connection and return -1. Else return 0
196 * and hope for better luck next time.
197 */
198 static int
200 {
217 /* case 1, fall through */
218 }
227 }
236 /* TLS handshaking error of some kind. */
240 }
242 }
243 /* else, bad news on the status code */
245 "The https proxy sent back an unexpected status code %d (%s). "
251 }
253 /** Handle any new bytes that have come in on connection <b>conn</b>.
254 * If conn is in 'open' state, hand it to
255 * connection_or_process_cells_from_inbuf()
256 * (else do nothing).
257 */
258 int
260 {
271 }
272 }
274 /** When adding cells to an OR connection's outbuf, keep adding until the
275 * outbuf is at least this long, or we run out of cells. */
276 #define OR_CONN_HIGHWATER (32*1024)
278 /** Add cells to an OR connection's outbuf whenever the outbuf's data length
279 * drops below this size. */
280 #define OR_CONN_LOWWATER (16*1024)
282 /** Called whenever we have flushed some data on an or_conn: add more data
283 * from active circuits. */
284 int
286 {
289 /* If we're under the low water mark, add cells until we're just over the
290 * high water mark. */
298 }
299 }
301 }
303 /** Connection <b>conn</b> has finished writing and has no bytes left on
304 * its outbuf.
305 *
306 * Otherwise it's in state "open": stop writing and return.
307 *
308 * If <b>conn</b> is broken, mark it for close and return -1, else
309 * return 0.
310 */
311 int
313 {
331 }
333 }
335 /** Connected handler for OR connections: begin the TLS handshake.
336 */
337 int
339 {
358 }
368 }
372 }
375 /* TLS handshaking error of some kind. */
378 }
380 }
382 /** If we don't necessarily know the router we're connecting to, but we
383 * have an addr/port/id_digest, then fill in as much as we can. Start
384 * by checking to see if this describes a router we know. */
385 static void
390 {
401 /* XXXX021 proposal 118 will make this more complex. */
405 /* Override the addr/port, so our log messages will make sense.
406 * This is dangerous, since if we ever try looking up a conn by
407 * its actual addr/port, we won't remember. Careful! */
408 /* XXXX021 arma: this is stupid, and it's the reason we need real_addr
409 * to track is_canonical properly. What requires it? */
410 /* XXXX <arma> i believe the reason we did this, originally, is because
411 * we wanted to log what OR a connection was to, and if we logged the
412 * right IP address and port 56244, that wouldn't be as helpful. now we
413 * log the "right" port too, so we know if it's moria1 or moria2.
414 */
417 }
423 /* If we're an authoritative directory server, we may know a
424 * nickname for this router. */
433 }
436 }
437 }
439 /** Return the best connection of type OR with the
440 * digest <b>digest</b> that we have, or NULL if we have none.
441 *
442 * 1) Don't return it if it's marked for close.
443 * 2) If there are any open conns, ignore non-open conns.
444 * 3) If there are any non-obsolete conns, ignore obsolete conns.
445 * 4) Then if there are any non-empty conns, ignore empty conns.
446 * 5) Of the remaining conns, prefer newer conns.
447 */
448 or_connection_t *
450 {
468 }
481 /* We prefer canonical connections: */
483 /* We prefer non-obsolete connections: */
485 /* If both have circuits we prefer the newer: */
487 /* If neither has circuits we prefer the newer: */
489 /* We prefer connections with circuits: */
492 };
493 }
495 }
497 /** <b>conn</b> is in the 'connecting' state, and it failed to complete
498 * a TCP connection. Send notifications appropriately.
499 *
500 * <b>reason</b> specifies the or_conn_end_reason for the failure;
501 * <b>msg</b> specifies the strerror-style error message.
502 */
503 void
506 {
510 }
512 /** Launch a new OR connection to <b>addr</b>:<b>port</b> and expect to
513 * handshake with an OR with identity digest <b>id_digest</b>.
514 *
515 * If <b>id_digest</b> is me, do nothing. If we're already connected to it,
516 * return that connection. If the connect() is in progress, set the
517 * new conn's state to 'connecting' and return it. If connect() succeeds,
518 * call connection_tls_start_handshake() on it.
519 *
520 * This function is called from router_retry_connections(), for
521 * ORs connecting to ORs, and circuit_establish_circuit(), for
522 * OPs connecting to ORs.
523 *
524 * Return the launched conn, or NULL if it failed.
525 */
526 or_connection_t *
529 {
533 tor_addr_t addr;
542 }
546 /* set up conn so it's got all the data we need to remember */
552 /* we shouldn't connect directly. use the https proxy instead. */
555 }
560 /* If the connection failed immediately, and we're using
561 * an https proxy, our https proxy is down. Don't blame the
562 * Tor server. */
567 }
575 /* writable indicates finish, readable indicates broken link,
576 error indicates broken link on windows */
578 /* case 1: fall through */
579 }
582 /* already marked for close */
584 }
586 }
588 /** Begin the tls handshake with <b>conn</b>. <b>receiving</b> is 0 if
589 * we initiated the connection, else it's 1.
590 *
591 * Assign a new tls object to conn->tls, begin reading on <b>conn</b>, and
592 * pass <b>conn</b> to connection_tls_continue_handshake().
593 *
594 * Return -1 if <b>conn</b> is broken, else return 0.
595 */
596 int
598 {
605 }
612 }
614 }
616 /** Invoked on the server side from inside tor_tls_read() when the server
617 * gets a successful TLS renegotiation from the client. */
618 static void
620 {
624 /* Don't invoke this again. */
628 /* XXXX_TLS double-check that it's ok to do this from inside read. */
629 /* XXXX_TLS double-check that this verifies certificates. */
631 }
632 }
634 /** Move forward with the tls handshake. If it finishes, hand
635 * <b>conn</b> to connection_tls_finish_handshake().
636 *
637 * Return -1 if <b>conn</b> is broken, else return 0.
638 */
639 int
641 {
644 again:
646 // log_notice(LD_OR, "Renegotiate with %p", conn->tls);
648 // log_notice(LD_OR, "Result: %d", result);
651 // log_notice(LD_OR, "Continue handshake with %p", conn->tls);
653 // log_notice(LD_OR, "Result: %d", result);
654 }
656 CASE_TOR_TLS_ERROR_ANY:
664 // log_notice(LD_OR,"Done. state was TLS_HANDSHAKING.");
667 }
668 // log_notice(LD_OR,"Done. state was %d.", conn->_base.state);
670 /* improved handshake, but not a client. */
672 connection_or_tls_renegotiated_cb,
673 conn);
678 }
679 }
691 }
693 }
695 /** Return 1 if we initiated this connection, or 0 if it started
696 * out as an incoming connection.
697 */
698 int
700 {
707 }
709 /** <b>Conn</b> just completed its handshake. Return 0 if all is well, and
710 * return -1 if he is lying, broken, or otherwise something is wrong.
711 *
712 * If we initiated this connection (<b>started_here</b> is true), make sure
713 * the other side sent sent a correctly formed certificate. If I initiated the
714 * connection, make sure it's the right guy.
715 *
716 * Otherwise (if we _didn't_ initiate this connection), it's okay for
717 * the certificate to be weird or absent.
718 *
719 * If we return 0, and the certificate is as expected, write a hash of the
720 * identity key into digest_rcvd, which must have DIGEST_LEN space in it. (If
721 * we return -1 this buffer is undefined.) If the certificate is invalid
722 * or missing on an incoming connection, we return 0 and set digest_rcvd to
723 * DIGEST_LEN 0 bytes.
724 *
725 * As side effects,
726 * 1) Set conn->circ_id_type according to tor-spec.txt.
727 * 2) If we're an authdirserver and we initiated the connection: drop all
728 * descriptors that claim to be on that IP/port but that aren't
729 * this guy; and note that this guy is reachable.
730 */
731 static int
735 {
754 }
771 }
773 }
782 }
787 }
799 }
806 /* I was aiming for a particular digest. I didn't get it! */
811 DIGEST_LEN);
813 "Tried connecting to router at %s:%d, but identity key was not "
819 END_OR_CONN_REASON_OR_IDENTITY);
823 }
825 /* We initiated this connection to address:port. Drop all routers
826 * with the same address:port and a different key.
827 */
830 }
833 }
835 }
837 /** The tls handshake is finished.
838 *
839 * Make sure we are happy with the person we just handshaked with.
840 *
841 * If he initiated the connection, make sure he's not already connected,
842 * then initialize conn from the information in router.
843 *
844 * If all is successful, call circuit_n_conn_done() to handle events
845 * that have been pending on the <tls handshake completion. Also set the
846 * directory to be dirty (only matters if I'm an authdirserver).
847 */
848 static int
850 {
868 }
877 }
879 }
880 }
882 /** Allocate a new connection handshake state for the connection
883 * <b>conn</b>. Return 0 on success, -1 on failure. */
884 static int
886 {
891 }
893 /** Free all storage held by <b>state</b>. */
894 void
896 {
900 }
902 /** Set <b>conn</b>'s state to OR_CONN_STATE_OPEN, and tell other subsystems
903 * as appropriate. Called when we are done with all TLS and OR handshaking.
904 */
905 int
907 {
917 /* Close any circuits pending on this conn. We leave it in state
918 * 'open' though, because it didn't actually *fail* -- we just
919 * chose not to use it. (Otherwise
920 * connection_about_to_close_connection() will call a big pile of
921 * functions to indicate we shouldn't try it again.) */
926 }
929 /* only report it to the geoip module if it's not a known router */
932 /*XXXX021 IP6 support ipv6 geoip.*/
935 }
936 }
937 }
941 }
946 }
948 /** Pack <b>cell</b> into wire-format, and write it onto <b>conn</b>'s outbuf.
949 * For cells that use or affect a circuit, this should only be called by
950 * connection_or_flush_from_first_active_circuit().
951 */
952 void
954 {
955 packed_cell_t networkcell;
966 }
968 /** Pack a variable-length <b>cell</b> into wire-format, and write it onto
969 * <b>conn</b>'s outbuf. Right now, this <em>DOES NOT</em> support cells that
970 * affect a circuit.
971 */
972 void
975 {
984 }
986 /** See whether there's a variable-length cell waiting on <b>conn</b>'s
987 * inbuf. Return values as for fetch_var_cell_from_buf(). */
988 static int
990 {
992 }
994 /** Process cells from <b>conn</b>'s inbuf.
995 *
996 * Loop: while inbuf contains a cell, pull it off the inbuf, unpack it,
997 * and hand it to command_process_cell().
998 *
999 * Always return 0.
1000 */
1001 static int
1003 {
1018 cell_t cell;
1020 available? */
1025 /* retrieve cell info from buf (create the host-order struct from the
1026 * network-order string) */
1030 }
1031 }
1032 }
1034 /** Write a destroy cell with circ ID <b>circ_id</b> and reason <b>reason</b>
1035 * onto OR connection <b>conn</b>. Don't perform range-checking on reason:
1036 * we may want to propagate reasons from other cells.
1037 *
1038 * Return 0.
1039 */
1040 int
1042 {
1043 cell_t cell;
1053 /* XXXX It's possible that under some circumstances, we want the destroy
1054 * to take precedence over other data waiting on the circuit's cell queue.
1055 */
1059 }
1061 /** Array of recognized link protocol versions. */
1063 /** Number of versions in <b>or_protocol_versions</b>. */
1067 /** Return true iff <b>v</b> is a link protocol version that this Tor
1068 * implementation believes it can support. */
1069 int
1071 {
1076 }
1078 }
1080 /** Send a VERSIONS cell on <b>conn</b>, telling the other host about the
1081 * link protocol versions that this Tor can support. */
1082 static int
1084 {
1094 }
1101 }
1103 /** Send a NETINFO cell on <b>conn</b>, telling the other server what we know
1104 * about their address, our address, and the current time. */
1105 int
1107 {
1108 cell_t cell;
1117 /* Timestamp. */
1120 /* Their address. */
1127 /* My address. */
1129 tor_addr_t my_addr;
1139 }
1144 }