mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-10 21:23:58 +01:00
Merge branch 'bug4360'
This commit is contained in:
commit
0539c34c35
3
changes/bug4360
Normal file
3
changes/bug4360
Normal file
@ -0,0 +1,3 @@
|
||||
o Code simplification and refactoring:
|
||||
- Use the name "CERTS" consistently to refer to the new cell type;
|
||||
we were calling it CERT in some places and CERTS in others.
|
@ -49,7 +49,7 @@ uint64_t stats_n_netinfo_cells_processed = 0;
|
||||
/** How many CELL_VPADDING cells have we received, ever? */
|
||||
uint64_t stats_n_vpadding_cells_processed = 0;
|
||||
/** How many CELL_CERTS cells have we received, ever? */
|
||||
uint64_t stats_n_cert_cells_processed = 0;
|
||||
uint64_t stats_n_certs_cells_processed = 0;
|
||||
/** How many CELL_AUTH_CHALLENGE cells have we received, ever? */
|
||||
uint64_t stats_n_auth_challenge_cells_processed = 0;
|
||||
/** How many CELL_AUTHENTICATE cells have we received, ever? */
|
||||
@ -63,7 +63,7 @@ static void command_process_destroy_cell(cell_t *cell, or_connection_t *conn);
|
||||
static void command_process_versions_cell(var_cell_t *cell,
|
||||
or_connection_t *conn);
|
||||
static void command_process_netinfo_cell(cell_t *cell, or_connection_t *conn);
|
||||
static void command_process_cert_cell(var_cell_t *cell,
|
||||
static void command_process_certs_cell(var_cell_t *cell,
|
||||
or_connection_t *conn);
|
||||
static void command_process_auth_challenge_cell(var_cell_t *cell,
|
||||
or_connection_t *conn);
|
||||
@ -214,19 +214,19 @@ command_process_var_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
#ifdef KEEP_TIMING_STATS
|
||||
/* how many of each cell have we seen so far this second? needs better
|
||||
* name. */
|
||||
static int num_versions=0, num_cert=0;
|
||||
static int num_versions=0, num_certs=0;
|
||||
|
||||
time_t now = time(NULL);
|
||||
|
||||
if (now > current_second) { /* the second has rolled over */
|
||||
/* print stats */
|
||||
log_info(LD_OR,
|
||||
"At end of second: %d versions (%d ms), %d cert (%d ms)",
|
||||
"At end of second: %d versions (%d ms), %d certs (%d ms)",
|
||||
num_versions, versions_time/1000,
|
||||
cert, cert_time/1000);
|
||||
num_certs, certs_time/1000);
|
||||
|
||||
num_versions = num_cert = 0;
|
||||
versions_time = cert_time = 0;
|
||||
num_versions = num_certs = 0;
|
||||
versions_time = certs_time = 0;
|
||||
|
||||
/* remember which second it is, for next time */
|
||||
current_second = now;
|
||||
@ -293,9 +293,9 @@ command_process_var_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
++stats_n_vpadding_cells_processed;
|
||||
/* Do nothing */
|
||||
break;
|
||||
case CELL_CERT:
|
||||
++stats_n_cert_cells_processed;
|
||||
PROCESS_CELL(cert, cell, conn);
|
||||
case CELL_CERTS:
|
||||
++stats_n_certs_cells_processed;
|
||||
PROCESS_CELL(certs, cell, conn);
|
||||
break;
|
||||
case CELL_AUTH_CHALLENGE:
|
||||
++stats_n_auth_challenge_cells_processed;
|
||||
@ -719,8 +719,8 @@ command_process_versions_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
}
|
||||
}
|
||||
if (send_certs) {
|
||||
if (connection_or_send_cert_cell(conn) < 0) {
|
||||
log_warn(LD_OR, "Couldn't send cert cell");
|
||||
if (connection_or_send_certs_cell(conn) < 0) {
|
||||
log_warn(LD_OR, "Couldn't send certs cell");
|
||||
connection_mark_for_close(TO_CONN(conn));
|
||||
return;
|
||||
}
|
||||
@ -887,9 +887,9 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn)
|
||||
assert_connection_ok(TO_CONN(conn),time(NULL));
|
||||
}
|
||||
|
||||
/** Process a CERT cell from an OR connection.
|
||||
/** Process a CERTS cell from an OR connection.
|
||||
*
|
||||
* If the other side should not have sent us a CERT cell, or the cell is
|
||||
* If the other side should not have sent us a CERTS cell, or the cell is
|
||||
* malformed, or it is supposed to authenticate the TLS key but it doesn't,
|
||||
* then mark the connection.
|
||||
*
|
||||
@ -899,12 +899,12 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn)
|
||||
* If it's the server side, wait for an AUTHENTICATE cell.
|
||||
*/
|
||||
static void
|
||||
command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
command_process_certs_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
{
|
||||
#define ERR(s) \
|
||||
do { \
|
||||
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, \
|
||||
"Received a bad CERT cell from %s:%d: %s", \
|
||||
"Received a bad CERTS cell from %s:%d: %s", \
|
||||
safe_str(conn->_base.address), conn->_base.port, (s)); \
|
||||
connection_mark_for_close(TO_CONN(conn)); \
|
||||
goto err; \
|
||||
@ -921,7 +921,7 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
ERR("We're not doing a v3 handshake!");
|
||||
if (conn->link_proto < 3)
|
||||
ERR("We're not using link protocol >= 3");
|
||||
if (conn->handshake_state->received_cert_cell)
|
||||
if (conn->handshake_state->received_certs_cell)
|
||||
ERR("We already got one");
|
||||
if (conn->handshake_state->authenticated) {
|
||||
/* Should be unreachable, but let's make sure. */
|
||||
@ -951,7 +951,7 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
tor_cert_t *cert = tor_cert_decode(ptr + 3, cert_len);
|
||||
if (!cert) {
|
||||
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
|
||||
"Received undecodable certificate in CERT cell from %s:%d",
|
||||
"Received undecodable certificate in CERTS cell from %s:%d",
|
||||
safe_str(conn->_base.address), conn->_base.port);
|
||||
} else {
|
||||
if (cert_type == OR_CERT_TYPE_TLS_LINK) {
|
||||
@ -1050,7 +1050,7 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
id_cert = auth_cert = NULL;
|
||||
}
|
||||
|
||||
conn->handshake_state->received_cert_cell = 1;
|
||||
conn->handshake_state->received_certs_cell = 1;
|
||||
err:
|
||||
tor_cert_free(id_cert);
|
||||
tor_cert_free(link_cert);
|
||||
@ -1064,7 +1064,7 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
* originator of the connection), or it's ill-formed, or we aren't doing a v3
|
||||
* handshake, mark the connection. If the cell is well-formed but we don't
|
||||
* want to authenticate, just drop it. If the cell is well-formed *and* we
|
||||
* want to authenticate, send an AUTHENTICATE cell. */
|
||||
* want to authenticate, send an AUTHENTICATE cell and then a NETINFO cell. */
|
||||
static void
|
||||
command_process_auth_challenge_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
{
|
||||
@ -1088,7 +1088,7 @@ command_process_auth_challenge_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
ERR("We didn't originate this connection");
|
||||
if (conn->handshake_state->received_auth_challenge)
|
||||
ERR("We already received one");
|
||||
if (! conn->handshake_state->received_cert_cell)
|
||||
if (! conn->handshake_state->received_certs_cell)
|
||||
ERR("We haven't gotten a CERTS cell yet");
|
||||
if (cell->payload_len < OR_AUTH_CHALLENGE_LEN + 2)
|
||||
ERR("It was too short");
|
||||
@ -1146,7 +1146,7 @@ command_process_auth_challenge_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
* If it's ill-formed or we weren't supposed to get one or we're not doing a
|
||||
* v3 handshake, then mark the connection. If it does not authenticate the
|
||||
* other side of the connection successfully (because it isn't signed right,
|
||||
* we didn't get a CERT cell, etc) mark the connection. Otherwise, accept
|
||||
* we didn't get a CERTS cell, etc) mark the connection. Otherwise, accept
|
||||
* the identity of the router on the other side of the connection.
|
||||
*/
|
||||
static void
|
||||
@ -1177,8 +1177,8 @@ command_process_authenticate_cell(var_cell_t *cell, or_connection_t *conn)
|
||||
/* Should be impossible given other checks */
|
||||
ERR("The peer is already authenticated");
|
||||
}
|
||||
if (! conn->handshake_state->received_cert_cell)
|
||||
ERR("We never got a cert cell");
|
||||
if (! conn->handshake_state->received_certs_cell)
|
||||
ERR("We never got a certs cell");
|
||||
if (conn->handshake_state->auth_cert == NULL)
|
||||
ERR("We never got an authentication certificate");
|
||||
if (conn->handshake_state->id_cert == NULL)
|
||||
|
@ -1435,7 +1435,7 @@ connection_or_check_valid_tls_handshake(or_connection_t *conn,
|
||||
* side of <b>conn</b> is <b>peer_id</b>. For v1 and v2 handshakes,
|
||||
* this is right after we get a certificate chain in a TLS handshake
|
||||
* or renegotiation. For v3 handshakes, this is right after we get a
|
||||
* certificate chain in a CERT cell.
|
||||
* certificate chain in a CERTS cell.
|
||||
*
|
||||
* If we want any particular ID before, record the one we got.
|
||||
*
|
||||
@ -1954,10 +1954,10 @@ connection_or_send_netinfo(or_connection_t *conn)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Send a CERT cell on the connection <b>conn</b>. Return 0 on success, -1
|
||||
/** Send a CERTS cell on the connection <b>conn</b>. Return 0 on success, -1
|
||||
* on failure. */
|
||||
int
|
||||
connection_or_send_cert_cell(or_connection_t *conn)
|
||||
connection_or_send_certs_cell(or_connection_t *conn)
|
||||
{
|
||||
const tor_cert_t *link_cert = NULL, *id_cert = NULL;
|
||||
const uint8_t *link_encoded = NULL, *id_encoded = NULL;
|
||||
@ -1981,7 +1981,7 @@ connection_or_send_cert_cell(or_connection_t *conn)
|
||||
2 * ( 1 + 2 ) /* For each cert: 1 byte for type, 2 for length */ +
|
||||
link_len + id_len;
|
||||
cell = var_cell_new(cell_len);
|
||||
cell->command = CELL_CERT;
|
||||
cell->command = CELL_CERTS;
|
||||
cell->payload[0] = 2;
|
||||
pos = 1;
|
||||
|
||||
|
@ -69,7 +69,7 @@ int connection_or_send_destroy(circid_t circ_id, or_connection_t *conn,
|
||||
int reason);
|
||||
int connection_or_send_versions(or_connection_t *conn, int v3_plus);
|
||||
int connection_or_send_netinfo(or_connection_t *conn);
|
||||
int connection_or_send_cert_cell(or_connection_t *conn);
|
||||
int connection_or_send_certs_cell(or_connection_t *conn);
|
||||
int connection_or_send_auth_challenge_cell(or_connection_t *conn);
|
||||
int connection_or_compute_authenticate_cell_body(or_connection_t *conn,
|
||||
uint8_t *out, size_t outlen,
|
||||
|
12
src/or/or.h
12
src/or/or.h
@ -826,7 +826,7 @@ typedef enum {
|
||||
#define CELL_RELAY_EARLY 9
|
||||
|
||||
#define CELL_VPADDING 128
|
||||
#define CELL_CERT 129
|
||||
#define CELL_CERTS 129
|
||||
#define CELL_AUTH_CHALLENGE 130
|
||||
#define CELL_AUTHENTICATE 131
|
||||
|
||||
@ -1088,10 +1088,10 @@ typedef struct listener_connection_t {
|
||||
#define OR_AUTH_CHALLENGE_LEN 32
|
||||
|
||||
/**
|
||||
* @name Certificate types for CERT cells.
|
||||
* @name Certificate types for CERTS cells.
|
||||
*
|
||||
* These values are defined by the protocol, and affect how an X509
|
||||
* certificate in a CERT cell is interpreted and used.
|
||||
* certificate in a CERTS cell is interpreted and used.
|
||||
*
|
||||
* @{ */
|
||||
/** A certificate that authenticates a TLS link key. The subject key
|
||||
@ -1137,8 +1137,8 @@ typedef struct or_handshake_state_t {
|
||||
unsigned int received_versions : 1;
|
||||
/** True iff we have received and processed an AUTH_CHALLENGE cell */
|
||||
unsigned int received_auth_challenge : 1;
|
||||
/** True iff we have received and processed a CERT cell. */
|
||||
unsigned int received_cert_cell : 1;
|
||||
/** True iff we have received and processed a CERTS cell. */
|
||||
unsigned int received_certs_cell : 1;
|
||||
/** True iff we have received and processed an AUTHENTICATE cell */
|
||||
unsigned int received_authenticate : 1;
|
||||
|
||||
@ -1171,7 +1171,7 @@ typedef struct or_handshake_state_t {
|
||||
crypto_digest_env_t *digest_received;
|
||||
/** @} */
|
||||
|
||||
/** Certificates that a connection initiator sent us in a CERT cell; we're
|
||||
/** Certificates that a connection initiator sent us in a CERTS cell; we're
|
||||
* holding on to them until we get an AUTHENTICATE cell.
|
||||
*
|
||||
* @{
|
||||
|
Loading…
Reference in New Issue
Block a user