mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-10 13:13:44 +01:00
Make PreferTunneledDirConns and TunnelDirConns work even when
we have no cached directory info. This means Tor clients can now do all of their connections protected by TLS. svn:r10035
This commit is contained in:
Roger Dingledine
parent
3d00738ec7
commit
397afcc3f6
@ -10,6 +10,9 @@ Changes in version 0.2.0.1-alpha - 2007-??-??
|
|||||||
especially on platforms where malloc() is inefficient.
|
especially on platforms where malloc() is inefficient.
|
||||||
- Stop reading on edge connections when their corresponding circuit
|
- Stop reading on edge connections when their corresponding circuit
|
||||||
buffers are full; start again as the circuits empty out.
|
buffers are full; start again as the circuits empty out.
|
||||||
|
- Make PreferTunneledDirConns and TunnelDirConns work even when
|
||||||
|
we have no cached directory info. This means Tor clients can now
|
||||||
|
do all of their connections protected by TLS.
|
||||||
|
|
||||||
o Security fixes:
|
o Security fixes:
|
||||||
- Directory authorities now call routers stable if they have an
|
- Directory authorities now call routers stable if they have an
|
||||||
|
|||||||
@ -91,10 +91,18 @@ circuit_is_acceptable(circuit_t *circ, edge_connection_t *conn,
|
|||||||
log_debug(LD_CIRC,"Skipping one-hop circuit.");
|
log_debug(LD_CIRC,"Skipping one-hop circuit.");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
tor_assert(conn->chosen_exit_name);
|
||||||
|
if (build_state->chosen_exit) {
|
||||||
|
char digest[DIGEST_LEN];
|
||||||
|
if (hexdigest_to_digest(conn->chosen_exit_name, digest) < 0 ||
|
||||||
|
memcmp(digest, build_state->chosen_exit->identity_digest,
|
||||||
|
DIGEST_LEN))
|
||||||
|
return 0; /* this is a circuit to somewhere else */
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
if (conn->socks_request->command == SOCKS_COMMAND_CONNECT_DIR) {
|
if (conn->socks_request->command == SOCKS_COMMAND_CONNECT_DIR) {
|
||||||
/* don't use three-hop circuits -- that could hurt our anonymity. */
|
/* don't use three-hop circuits -- that could hurt our anonymity. */
|
||||||
log_debug(LD_CIRC,"Skipping multi-hop circuit for CONNECT_DIR.");
|
// log_debug(LD_CIRC,"Skipping multi-hop circuit for CONNECT_DIR.");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -248,7 +248,8 @@ directory_initiate_command_routerstatus(routerstatus_t *status,
|
|||||||
tor_inet_ntoa(&in, address_buf, sizeof(address_buf));
|
tor_inet_ntoa(&in, address_buf, sizeof(address_buf));
|
||||||
address = address_buf;
|
address = address_buf;
|
||||||
}
|
}
|
||||||
directory_initiate_command(address, status->addr, status->dir_port,
|
directory_initiate_command(address, status->addr,
|
||||||
|
status->or_port, status->dir_port,
|
||||||
status->version_supports_begindir,
|
status->version_supports_begindir,
|
||||||
status->identity_digest,
|
status->identity_digest,
|
||||||
purpose, private_connection, resource,
|
purpose, private_connection, resource,
|
||||||
@ -365,7 +366,8 @@ connection_dir_download_routerdesc_failed(dir_connection_t *conn)
|
|||||||
* <b>digest</b>. */
|
* <b>digest</b>. */
|
||||||
void
|
void
|
||||||
directory_initiate_command(const char *address, uint32_t addr,
|
directory_initiate_command(const char *address, uint32_t addr,
|
||||||
uint16_t dir_port, int supports_begindir,
|
uint16_t or_port, uint16_t dir_port,
|
||||||
|
int supports_begindir,
|
||||||
const char *digest, uint8_t purpose,
|
const char *digest, uint8_t purpose,
|
||||||
int private_connection, const char *resource,
|
int private_connection, const char *resource,
|
||||||
const char *payload, size_t payload_len)
|
const char *payload, size_t payload_len)
|
||||||
@ -373,7 +375,8 @@ directory_initiate_command(const char *address, uint32_t addr,
|
|||||||
dir_connection_t *conn;
|
dir_connection_t *conn;
|
||||||
or_options_t *options = get_options();
|
or_options_t *options = get_options();
|
||||||
int want_to_tunnel = options->TunnelDirConns && supports_begindir &&
|
int want_to_tunnel = options->TunnelDirConns && supports_begindir &&
|
||||||
router_get_by_digest(digest);
|
!private_connection && or_port &&
|
||||||
|
fascist_firewall_allows_address_or(addr, or_port);
|
||||||
|
|
||||||
tor_assert(address);
|
tor_assert(address);
|
||||||
tor_assert(addr);
|
tor_assert(addr);
|
||||||
@ -414,7 +417,7 @@ directory_initiate_command(const char *address, uint32_t addr,
|
|||||||
|
|
||||||
/* set up conn so it's got all the data we need to remember */
|
/* set up conn so it's got all the data we need to remember */
|
||||||
conn->_base.addr = addr;
|
conn->_base.addr = addr;
|
||||||
conn->_base.port = dir_port;
|
conn->_base.port = want_to_tunnel ? or_port : dir_port;
|
||||||
conn->_base.address = tor_strdup(address);
|
conn->_base.address = tor_strdup(address);
|
||||||
memcpy(conn->identity_digest, digest, DIGEST_LEN);
|
memcpy(conn->identity_digest, digest, DIGEST_LEN);
|
||||||
|
|
||||||
|
|||||||
@ -2487,7 +2487,8 @@ int connection_dir_finished_flushing(dir_connection_t *conn);
|
|||||||
int connection_dir_finished_connecting(dir_connection_t *conn);
|
int connection_dir_finished_connecting(dir_connection_t *conn);
|
||||||
void connection_dir_request_failed(dir_connection_t *conn);
|
void connection_dir_request_failed(dir_connection_t *conn);
|
||||||
void directory_initiate_command(const char *address, uint32_t addr,
|
void directory_initiate_command(const char *address, uint32_t addr,
|
||||||
uint16_t dir_port, int supports_begindir,
|
uint16_t or_port, uint16_t dir_port,
|
||||||
|
int supports_begindir,
|
||||||
const char *digest, uint8_t purpose,
|
const char *digest, uint8_t purpose,
|
||||||
int private_connection, const char *resource,
|
int private_connection, const char *resource,
|
||||||
const char *payload, size_t payload_len);
|
const char *payload, size_t payload_len);
|
||||||
@ -3021,6 +3022,7 @@ routerinfo_t *router_choose_random_node(const char *preferred,
|
|||||||
int weight_for_exit);
|
int weight_for_exit);
|
||||||
routerinfo_t *router_get_by_nickname(const char *nickname,
|
routerinfo_t *router_get_by_nickname(const char *nickname,
|
||||||
int warn_if_unnamed);
|
int warn_if_unnamed);
|
||||||
|
int hexdigest_to_digest(const char *hexdigest, char *digest);
|
||||||
routerinfo_t *router_get_by_hexdigest(const char *hexdigest);
|
routerinfo_t *router_get_by_hexdigest(const char *hexdigest);
|
||||||
routerinfo_t *router_get_by_digest(const char *digest);
|
routerinfo_t *router_get_by_digest(const char *digest);
|
||||||
signed_descriptor_t *router_get_by_descriptor_digest(const char *digest);
|
signed_descriptor_t *router_get_by_descriptor_digest(const char *digest);
|
||||||
|
|||||||
@ -507,7 +507,8 @@ consider_testing_reachability(int test_or, int test_dir)
|
|||||||
CONN_TYPE_DIR, me->addr, me->dir_port,
|
CONN_TYPE_DIR, me->addr, me->dir_port,
|
||||||
DIR_PURPOSE_FETCH_SERVERDESC)) {
|
DIR_PURPOSE_FETCH_SERVERDESC)) {
|
||||||
/* ask myself, via tor, for my server descriptor. */
|
/* ask myself, via tor, for my server descriptor. */
|
||||||
directory_initiate_command(me->address, me->addr, me->dir_port,
|
directory_initiate_command(me->address, me->addr,
|
||||||
|
me->or_port, me->dir_port,
|
||||||
0, me->cache_info.identity_digest,
|
0, me->cache_info.identity_digest,
|
||||||
DIR_PURPOSE_FETCH_SERVERDESC,
|
DIR_PURPOSE_FETCH_SERVERDESC,
|
||||||
1, "authority", NULL, 0);
|
1, "authority", NULL, 0);
|
||||||
|
|||||||
@ -574,16 +574,15 @@ router_pick_directory_server_impl(int requireother, int fascistfirewall,
|
|||||||
is_trusted = router_digest_is_trusted_dir(status->identity_digest);
|
is_trusted = router_digest_is_trusted_dir(status->identity_digest);
|
||||||
if (for_v2_directory && !(status->is_v2_dir || is_trusted))
|
if (for_v2_directory && !(status->is_v2_dir || is_trusted))
|
||||||
continue;
|
continue;
|
||||||
if (fascistfirewall &&
|
if (prefer_tunnel &&
|
||||||
prefer_tunnel &&
|
|
||||||
status->version_supports_begindir &&
|
status->version_supports_begindir &&
|
||||||
router_get_by_digest(status->identity_digest) &&
|
(!fascistfirewall ||
|
||||||
fascist_firewall_allows_address_or(status->addr, status->or_port))
|
fascist_firewall_allows_address_or(status->addr, status->or_port)))
|
||||||
smartlist_add(is_trusted ? trusted_tunnel :
|
smartlist_add(is_trusted ? trusted_tunnel :
|
||||||
is_overloaded ? overloaded_tunnel : tunnel, status);
|
is_overloaded ? overloaded_tunnel : tunnel, status);
|
||||||
else if (!fascistfirewall || (fascistfirewall &&
|
else if (!fascistfirewall ||
|
||||||
fascist_firewall_allows_address_dir(status->addr,
|
fascist_firewall_allows_address_dir(status->addr,
|
||||||
status->dir_port)))
|
status->dir_port))
|
||||||
smartlist_add(is_trusted ? trusted_direct :
|
smartlist_add(is_trusted ? trusted_direct :
|
||||||
is_overloaded ? overloaded_direct : direct, status);
|
is_overloaded ? overloaded_direct : direct, status);
|
||||||
});
|
});
|
||||||
@ -652,17 +651,14 @@ router_pick_trusteddirserver_impl(authority_type_t type,
|
|||||||
continue;
|
continue;
|
||||||
if (requireother && me && router_digest_is_me(d->digest))
|
if (requireother && me && router_digest_is_me(d->digest))
|
||||||
continue;
|
continue;
|
||||||
|
if (prefer_tunnel &&
|
||||||
if (fascistfirewall &&
|
|
||||||
prefer_tunnel &&
|
|
||||||
d->or_port &&
|
d->or_port &&
|
||||||
router_get_by_digest(d->digest) &&
|
(!fascistfirewall ||
|
||||||
fascist_firewall_allows_address_or(d->addr, d->or_port))
|
fascist_firewall_allows_address_or(d->addr, d->or_port)))
|
||||||
smartlist_add(is_overloaded ? overloaded_tunnel : tunnel,
|
smartlist_add(is_overloaded ? overloaded_tunnel : tunnel,
|
||||||
&d->fake_status.status);
|
&d->fake_status.status);
|
||||||
else if (!fascistfirewall || (fascistfirewall &&
|
else if (!fascistfirewall ||
|
||||||
fascist_firewall_allows_address_dir(d->addr,
|
fascist_firewall_allows_address_dir(d->addr, d->dir_port))
|
||||||
d->dir_port)))
|
|
||||||
smartlist_add(is_overloaded ? overloaded_direct : direct,
|
smartlist_add(is_overloaded ? overloaded_direct : direct,
|
||||||
&d->fake_status.status);
|
&d->fake_status.status);
|
||||||
});
|
});
|
||||||
@ -1379,6 +1375,21 @@ router_digest_is_trusted_dir(const char *digest)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** If hexdigest is correctly formed, base16_decode it into
|
||||||
|
* digest, which must have DIGEST_LEN space in it.
|
||||||
|
* Return 0 on success, -1 on failure.
|
||||||
|
*/
|
||||||
|
int
|
||||||
|
hexdigest_to_digest(const char *hexdigest, char *digest)
|
||||||
|
{
|
||||||
|
if (hexdigest[0]=='$')
|
||||||
|
++hexdigest;
|
||||||
|
if (strlen(hexdigest) < HEX_DIGEST_LEN ||
|
||||||
|
base16_decode(digest,DIGEST_LEN,hexdigest,HEX_DIGEST_LEN) < 0)
|
||||||
|
return -1;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/** Return the router in our routerlist whose hexadecimal key digest
|
/** Return the router in our routerlist whose hexadecimal key digest
|
||||||
* is <b>hexdigest</b>. Return NULL if no such router is known. */
|
* is <b>hexdigest</b>. Return NULL if no such router is known. */
|
||||||
routerinfo_t *
|
routerinfo_t *
|
||||||
@ -1394,8 +1405,7 @@ router_get_by_hexdigest(const char *hexdigest)
|
|||||||
if (hexdigest[0]=='$')
|
if (hexdigest[0]=='$')
|
||||||
++hexdigest;
|
++hexdigest;
|
||||||
len = strlen(hexdigest);
|
len = strlen(hexdigest);
|
||||||
if (len < HEX_DIGEST_LEN ||
|
if (hexdigest_to_digest(hexdigest, digest) < 0)
|
||||||
base16_decode(digest,DIGEST_LEN,hexdigest,HEX_DIGEST_LEN) < 0)
|
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
ri = router_get_by_digest(digest);
|
ri = router_get_by_digest(digest);
|
||||||
@ -3189,6 +3199,9 @@ add_trusted_dir_server(const char *nickname, const char *address,
|
|||||||
ent->fake_status.status.dir_port = ent->dir_port;
|
ent->fake_status.status.dir_port = ent->dir_port;
|
||||||
ent->fake_status.status.or_port = ent->or_port;
|
ent->fake_status.status.or_port = ent->or_port;
|
||||||
|
|
||||||
|
if (ent->or_port)
|
||||||
|
ent->fake_status.status.version_supports_begindir = 1;
|
||||||
|
|
||||||
smartlist_add(trusted_dir_servers, ent);
|
smartlist_add(trusted_dir_servers, ent);
|
||||||
router_dir_info_changed();
|
router_dir_info_changed();
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user