Make PreferTunneledDirConns and TunnelDirConns work even when

we have no cached directory info. This means Tor clients can now
do all of their connections protected by TLS.


svn:r10035
This commit is contained in:
Roger Dingledine 2007-04-27 10:26:09 +00:00
parent 3d00738ec7
commit 397afcc3f6
6 changed files with 53 additions and 23 deletions

View File

@ -10,6 +10,9 @@ Changes in version 0.2.0.1-alpha - 2007-??-??
especially on platforms where malloc() is inefficient. especially on platforms where malloc() is inefficient.
- Stop reading on edge connections when their corresponding circuit - Stop reading on edge connections when their corresponding circuit
buffers are full; start again as the circuits empty out. buffers are full; start again as the circuits empty out.
- Make PreferTunneledDirConns and TunnelDirConns work even when
we have no cached directory info. This means Tor clients can now
do all of their connections protected by TLS.
o Security fixes: o Security fixes:
- Directory authorities now call routers stable if they have an - Directory authorities now call routers stable if they have an

View File

@ -91,10 +91,18 @@ circuit_is_acceptable(circuit_t *circ, edge_connection_t *conn,
log_debug(LD_CIRC,"Skipping one-hop circuit."); log_debug(LD_CIRC,"Skipping one-hop circuit.");
return 0; return 0;
} }
tor_assert(conn->chosen_exit_name);
if (build_state->chosen_exit) {
char digest[DIGEST_LEN];
if (hexdigest_to_digest(conn->chosen_exit_name, digest) < 0 ||
memcmp(digest, build_state->chosen_exit->identity_digest,
DIGEST_LEN))
return 0; /* this is a circuit to somewhere else */
}
} else { } else {
if (conn->socks_request->command == SOCKS_COMMAND_CONNECT_DIR) { if (conn->socks_request->command == SOCKS_COMMAND_CONNECT_DIR) {
/* don't use three-hop circuits -- that could hurt our anonymity. */ /* don't use three-hop circuits -- that could hurt our anonymity. */
log_debug(LD_CIRC,"Skipping multi-hop circuit for CONNECT_DIR."); // log_debug(LD_CIRC,"Skipping multi-hop circuit for CONNECT_DIR.");
return 0; return 0;
} }
} }

View File

@ -248,7 +248,8 @@ directory_initiate_command_routerstatus(routerstatus_t *status,
tor_inet_ntoa(&in, address_buf, sizeof(address_buf)); tor_inet_ntoa(&in, address_buf, sizeof(address_buf));
address = address_buf; address = address_buf;
} }
directory_initiate_command(address, status->addr, status->dir_port, directory_initiate_command(address, status->addr,
status->or_port, status->dir_port,
status->version_supports_begindir, status->version_supports_begindir,
status->identity_digest, status->identity_digest,
purpose, private_connection, resource, purpose, private_connection, resource,
@ -365,7 +366,8 @@ connection_dir_download_routerdesc_failed(dir_connection_t *conn)
* <b>digest</b>. */ * <b>digest</b>. */
void void
directory_initiate_command(const char *address, uint32_t addr, directory_initiate_command(const char *address, uint32_t addr,
uint16_t dir_port, int supports_begindir, uint16_t or_port, uint16_t dir_port,
int supports_begindir,
const char *digest, uint8_t purpose, const char *digest, uint8_t purpose,
int private_connection, const char *resource, int private_connection, const char *resource,
const char *payload, size_t payload_len) const char *payload, size_t payload_len)
@ -373,7 +375,8 @@ directory_initiate_command(const char *address, uint32_t addr,
dir_connection_t *conn; dir_connection_t *conn;
or_options_t *options = get_options(); or_options_t *options = get_options();
int want_to_tunnel = options->TunnelDirConns && supports_begindir && int want_to_tunnel = options->TunnelDirConns && supports_begindir &&
router_get_by_digest(digest); !private_connection && or_port &&
fascist_firewall_allows_address_or(addr, or_port);
tor_assert(address); tor_assert(address);
tor_assert(addr); tor_assert(addr);
@ -414,7 +417,7 @@ directory_initiate_command(const char *address, uint32_t addr,
/* set up conn so it's got all the data we need to remember */ /* set up conn so it's got all the data we need to remember */
conn->_base.addr = addr; conn->_base.addr = addr;
conn->_base.port = dir_port; conn->_base.port = want_to_tunnel ? or_port : dir_port;
conn->_base.address = tor_strdup(address); conn->_base.address = tor_strdup(address);
memcpy(conn->identity_digest, digest, DIGEST_LEN); memcpy(conn->identity_digest, digest, DIGEST_LEN);

View File

@ -2487,7 +2487,8 @@ int connection_dir_finished_flushing(dir_connection_t *conn);
int connection_dir_finished_connecting(dir_connection_t *conn); int connection_dir_finished_connecting(dir_connection_t *conn);
void connection_dir_request_failed(dir_connection_t *conn); void connection_dir_request_failed(dir_connection_t *conn);
void directory_initiate_command(const char *address, uint32_t addr, void directory_initiate_command(const char *address, uint32_t addr,
uint16_t dir_port, int supports_begindir, uint16_t or_port, uint16_t dir_port,
int supports_begindir,
const char *digest, uint8_t purpose, const char *digest, uint8_t purpose,
int private_connection, const char *resource, int private_connection, const char *resource,
const char *payload, size_t payload_len); const char *payload, size_t payload_len);
@ -3021,6 +3022,7 @@ routerinfo_t *router_choose_random_node(const char *preferred,
int weight_for_exit); int weight_for_exit);
routerinfo_t *router_get_by_nickname(const char *nickname, routerinfo_t *router_get_by_nickname(const char *nickname,
int warn_if_unnamed); int warn_if_unnamed);
int hexdigest_to_digest(const char *hexdigest, char *digest);
routerinfo_t *router_get_by_hexdigest(const char *hexdigest); routerinfo_t *router_get_by_hexdigest(const char *hexdigest);
routerinfo_t *router_get_by_digest(const char *digest); routerinfo_t *router_get_by_digest(const char *digest);
signed_descriptor_t *router_get_by_descriptor_digest(const char *digest); signed_descriptor_t *router_get_by_descriptor_digest(const char *digest);

View File

@ -507,7 +507,8 @@ consider_testing_reachability(int test_or, int test_dir)
CONN_TYPE_DIR, me->addr, me->dir_port, CONN_TYPE_DIR, me->addr, me->dir_port,
DIR_PURPOSE_FETCH_SERVERDESC)) { DIR_PURPOSE_FETCH_SERVERDESC)) {
/* ask myself, via tor, for my server descriptor. */ /* ask myself, via tor, for my server descriptor. */
directory_initiate_command(me->address, me->addr, me->dir_port, directory_initiate_command(me->address, me->addr,
me->or_port, me->dir_port,
0, me->cache_info.identity_digest, 0, me->cache_info.identity_digest,
DIR_PURPOSE_FETCH_SERVERDESC, DIR_PURPOSE_FETCH_SERVERDESC,
1, "authority", NULL, 0); 1, "authority", NULL, 0);

View File

@ -574,16 +574,15 @@ router_pick_directory_server_impl(int requireother, int fascistfirewall,
is_trusted = router_digest_is_trusted_dir(status->identity_digest); is_trusted = router_digest_is_trusted_dir(status->identity_digest);
if (for_v2_directory && !(status->is_v2_dir || is_trusted)) if (for_v2_directory && !(status->is_v2_dir || is_trusted))
continue; continue;
if (fascistfirewall && if (prefer_tunnel &&
prefer_tunnel &&
status->version_supports_begindir && status->version_supports_begindir &&
router_get_by_digest(status->identity_digest) && (!fascistfirewall ||
fascist_firewall_allows_address_or(status->addr, status->or_port)) fascist_firewall_allows_address_or(status->addr, status->or_port)))
smartlist_add(is_trusted ? trusted_tunnel : smartlist_add(is_trusted ? trusted_tunnel :
is_overloaded ? overloaded_tunnel : tunnel, status); is_overloaded ? overloaded_tunnel : tunnel, status);
else if (!fascistfirewall || (fascistfirewall && else if (!fascistfirewall ||
fascist_firewall_allows_address_dir(status->addr, fascist_firewall_allows_address_dir(status->addr,
status->dir_port))) status->dir_port))
smartlist_add(is_trusted ? trusted_direct : smartlist_add(is_trusted ? trusted_direct :
is_overloaded ? overloaded_direct : direct, status); is_overloaded ? overloaded_direct : direct, status);
}); });
@ -652,17 +651,14 @@ router_pick_trusteddirserver_impl(authority_type_t type,
continue; continue;
if (requireother && me && router_digest_is_me(d->digest)) if (requireother && me && router_digest_is_me(d->digest))
continue; continue;
if (prefer_tunnel &&
if (fascistfirewall &&
prefer_tunnel &&
d->or_port && d->or_port &&
router_get_by_digest(d->digest) && (!fascistfirewall ||
fascist_firewall_allows_address_or(d->addr, d->or_port)) fascist_firewall_allows_address_or(d->addr, d->or_port)))
smartlist_add(is_overloaded ? overloaded_tunnel : tunnel, smartlist_add(is_overloaded ? overloaded_tunnel : tunnel,
&d->fake_status.status); &d->fake_status.status);
else if (!fascistfirewall || (fascistfirewall && else if (!fascistfirewall ||
fascist_firewall_allows_address_dir(d->addr, fascist_firewall_allows_address_dir(d->addr, d->dir_port))
d->dir_port)))
smartlist_add(is_overloaded ? overloaded_direct : direct, smartlist_add(is_overloaded ? overloaded_direct : direct,
&d->fake_status.status); &d->fake_status.status);
}); });
@ -1379,6 +1375,21 @@ router_digest_is_trusted_dir(const char *digest)
return 0; return 0;
} }
/** If hexdigest is correctly formed, base16_decode it into
* digest, which must have DIGEST_LEN space in it.
* Return 0 on success, -1 on failure.
*/
int
hexdigest_to_digest(const char *hexdigest, char *digest)
{
if (hexdigest[0]=='$')
++hexdigest;
if (strlen(hexdigest) < HEX_DIGEST_LEN ||
base16_decode(digest,DIGEST_LEN,hexdigest,HEX_DIGEST_LEN) < 0)
return -1;
return 0;
}
/** Return the router in our routerlist whose hexadecimal key digest /** Return the router in our routerlist whose hexadecimal key digest
* is <b>hexdigest</b>. Return NULL if no such router is known. */ * is <b>hexdigest</b>. Return NULL if no such router is known. */
routerinfo_t * routerinfo_t *
@ -1394,8 +1405,7 @@ router_get_by_hexdigest(const char *hexdigest)
if (hexdigest[0]=='$') if (hexdigest[0]=='$')
++hexdigest; ++hexdigest;
len = strlen(hexdigest); len = strlen(hexdigest);
if (len < HEX_DIGEST_LEN || if (hexdigest_to_digest(hexdigest, digest) < 0)
base16_decode(digest,DIGEST_LEN,hexdigest,HEX_DIGEST_LEN) < 0)
return NULL; return NULL;
ri = router_get_by_digest(digest); ri = router_get_by_digest(digest);
@ -3189,6 +3199,9 @@ add_trusted_dir_server(const char *nickname, const char *address,
ent->fake_status.status.dir_port = ent->dir_port; ent->fake_status.status.dir_port = ent->dir_port;
ent->fake_status.status.or_port = ent->or_port; ent->fake_status.status.or_port = ent->or_port;
if (ent->or_port)
ent->fake_status.status.version_supports_begindir = 1;
smartlist_add(trusted_dir_servers, ent); smartlist_add(trusted_dir_servers, ent);
router_dir_info_changed(); router_dir_info_changed();
} }