diff --git a/src/or/channel.c b/src/or/channel.c
index 4712891857..e9bda24a63 100644
--- a/src/or/channel.c
+++ b/src/or/channel.c
@@ -1471,7 +1471,8 @@ channel_clear_identity_digest(channel_t *chan)
 void channel_set_identity_digest(channel_t *chan,
- const char *identity_digest)
+ const char *identity_digest,
+ const ed25519_public_key_t *ed_identity)
 {
 int was_in_digest_map, should_be_in_digest_map, state_not_in_map;
@@ -1510,6 +1511,9 @@ channel_set_identity_digest(channel_t *chan,
 memset(chan->identity_digest, 0, sizeof(chan->identity_digest));
 }
+ if (ed_identity) {
+ memcpy(&chan->ed25519_identity, ed_identity, sizeof(*ed_identity));
+ }
 /* Put it in the digest map if we should */
 if (should_be_in_digest_map)
diff --git a/src/or/channel.h b/src/or/channel.h
index 3f0bb37af5..26aa93b5e2 100644
--- a/src/or/channel.h
+++ b/src/or/channel.h
@@ -443,7 +443,8 @@ void channel_mark_incoming(channel_t *chan);
 void channel_mark_outgoing(channel_t *chan);
 void channel_mark_remote(channel_t *chan);
 void channel_set_identity_digest(channel_t *chan,
- const char *identity_digest);
+ const char *identity_digest,
+ const ed25519_public_key_t *ed_identity);
 void channel_set_remote_end(channel_t *chan,
 const char *identity_digest,
 const char *nickname);
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 4449d3f3ae..a22c4ad1ef 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -111,7 +111,6 @@ connection_or_set_identity_digest(or_connection_t *conn,
 const char *rsa_digest,
 const ed25519_public_key_t *ed_id)
 {
- (void) ed_id; // DOCDOC // XXXX not implemented yet. 15056
 tor_assert(conn);
 tor_assert(rsa_digest);
@@ -133,7 +132,8 @@ connection_or_set_identity_digest(or_connection_t *conn,
 /* Deal with channels */
 if (conn->chan)
- channel_set_identity_digest(TLS_CHAN_TO_BASE(conn->chan), rsa_digest);
+ channel_set_identity_digest(TLS_CHAN_TO_BASE(conn->chan),
+ rsa_digest, ed_id);
 }
 /** Remove the Extended ORPort identifier of conn from the
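Review bot: In the `if (ed_identity)` block added to channel_set_identity_digest, a NULL ed_identity leaves whatever Ed25519 key `chan->ed25519_identity` already held, whereas the RSA path on the context line just above zeroes `chan->identity_digest` when that identity is cleared, so the two identities of one channel can drift apart and a stale Ed25519 key can survive an RSA clear. If NULL is meant as "unknown, keep what we have", state that in the function's header comment (the function starts before this hunk); if the Ed25519 key is meant to track the RSA digest, zero it in the same branch that already does `memset(chan->identity_digest, 0, ...)`: `memset(&chan->ed25519_identity, 0, sizeof(chan->ed25519_identity));`. Elsewhere in this diff NULL is passed when a TLS handshake could not learn an Ed25519 ID, which suggests the "keep" reading is intended, but that contract should be written down rather than inferred from one call site.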
@@ -831,7 +831,6 @@ connection_or_init_conn_from_address(or_connection_t *conn,
 const ed25519_public_key_t *ed_id,
 int started_here)
 {
- (void) ed_id; // not fully used yet. 15056
 const node_t *r = node_get_by_id(id_digest);
 connection_or_set_identity_digest(conn, id_digest, ed_id);
 connection_or_update_token_buckets_helper(conn, 1, get_options());
@@ -1116,7 +1115,6 @@ connection_or_connect, (const tor_addr_t *_addr, uint16_t port,
 const ed25519_public_key_t *ed_id,
 channel_tls_t *chan))
 {
- (void) ed_id; // XXXX not fully used yet. 15056
 or_connection_t *conn;
 const or_options_t *options = get_options();
 int socket_error = 0;
@@ -1135,6 +1133,11 @@ connection_or_connect, (const tor_addr_t *_addr, uint16_t port,
 log_info(LD_PROTOCOL,"Client asked me to connect to myself. Refusing.");
 return NULL;
 }
+ if (server_mode(options) && router_ed25519_id_is_me(ed_id)) {
+ log_info(LD_PROTOCOL,"Client asked me to connect to myself by Ed25519 "
+ "identity. Refusing.");
+ return NULL;
+ }
 conn = or_connection_new(CONN_TYPE_OR, tor_addr_family(&addr));
@@ -1504,11 +1507,13 @@ connection_or_check_valid_tls_handshake(or_connection_t *conn,
 crypto_pk_free(identity_rcvd);
- if (started_here)
+ if (started_here) {
+ /* A TLS handshake can't teach us an Ed25519 ID, so we set it to NULL
+ * here. */
 return connection_or_client_learned_peer_id(conn,
 (const uint8_t*)digest_rcvd_out,
- NULL // Ed25519 ID 15056
- );
+ NULL);
+ }
 return 0;
 }
@@ -1541,8 +1546,6 @@ connection_or_client_learned_peer_id(or_connection_t *conn,
 const uint8_t *rsa_peer_id,
 const ed25519_public_key_t *ed_peer_id)
 {
- (void) ed_peer_id; // not used yet. 15056
-
 const or_options_t *options = get_options();
 if (tor_digest_is_zero(conn->identity_digest)) {
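Review bot: The new self-connection check in connection_or_connect calls `router_ed25519_id_is_me(ed_id)` with whatever the caller supplied, and NULL is a legitimate value for this parameter in this API (the `(void) ed_id;` removed just above shows the key was unused until now, and connection_or_check_valid_tls_handshake explicitly passes NULL for the Ed25519 ID on this same line). Unless router_ed25519_id_is_me() is documented to accept NULL, which is not visible here, guard the call: `if (server_mode(options) && ed_id && router_ed25519_id_is_me(ed_id)) {`. The body of connection_or_connect continues past the hunk.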
@@ -1559,7 +1562,7 @@ connection_or_client_learned_peer_id(or_connection_t *conn,
 /* if it's a bridge and we didn't know its identity fingerprint, now
 * we do -- remember it for future attempts. */
 learned_router_identity(&conn->base_.addr, conn->base_.port,
- (const char*)rsa_peer_id /*, ed_peer_id XXXX */);
+ (const char*)rsa_peer_id, ed_peer_id);
 }
 if (tor_memneq(rsa_peer_id, conn->identity_digest, DIGEST_LEN)) {
@@ -1617,9 +1620,12 @@ connection_or_client_learned_peer_id(or_connection_t *conn,
 conn);
 return -1;
 }
+
+ /* XXXX 15056 -- use the Ed25519 key */
+
 if (authdir_mode_tests_reachability(options)) {
 dirserv_orconn_tls_done(&conn->base_.addr, conn->base_.port,
- (const char*)rsa_peer_id /*, ed_id XXXX 15056 */);
+ (const char*)rsa_peer_id, ed_peer_id);
 }
 return 0;
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index c797c9aa0e..54b434d2eb 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -3170,8 +3170,10 @@ dirserv_get_routerdescs(smartlist_t *descs_out, const char *key,
 void dirserv_orconn_tls_done(const tor_addr_t *addr, uint16_t or_port,
- const char *digest_rcvd)
+ const char *digest_rcvd,
+ const ed25519_public_key_t *ed_id_rcvd)
 {
+ (void)ed_id_rcvd; // XXXX 15056 use this.
 node_t *node = NULL;
 tor_addr_port_t orport;
 routerinfo_t *ri = NULL;
diff --git a/src/or/dirserv.h b/src/or/dirserv.h
index 1e4f27e3d7..e83da5e5ac 100644
--- a/src/or/dirserv.h
+++ b/src/or/dirserv.h
@@ -73,7 +73,8 @@ int dirserv_get_routerdescs(smartlist_t *descs_out, const char *key,
 const char **msg);
 void dirserv_orconn_tls_done(const tor_addr_t *addr, uint16_t or_port,
- const char *digest_rcvd);
+ const char *digest_rcvd,
+ const ed25519_public_key_t *ed_id_rcvd);
 int dirserv_should_launch_reachability_test(const routerinfo_t *ri,
 const routerinfo_t *ri_old);
 void dirserv_single_reachability_test(time_t now, routerinfo_t *router);
diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c
index c8215d3910..af1b1a39ab 100644
--- a/src/or/entrynodes.c
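Review bot: The `/* XXXX 15056 -- use the Ed25519 key */` added before the authdir block in connection_or_client_learned_peer_id describes the gap in the wrong place: the only identity check on this connection is still the RSA comparison `tor_memneq(rsa_peer_id, conn->identity_digest, DIGEST_LEN)` in the first hunk on this line, and ed_peer_id is now merely forwarded to learned_router_identity() and dirserv_orconn_tls_done() (which discards it, per the dirserv.c hunk below), never compared against any expected Ed25519 identity. Make the comment say that so the missing verification is not read as a reachability-test detail, e.g. `/* XXXX 15056: ed_peer_id is forwarded but never verified; the RSA check above is still the only identity check on this connection. */`. The function begins before this line and its RSA comparison lies between the two hunks shown.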
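Review bot: dirserv_orconn_tls_done now accepts ed_id_rcvd but drops it on its first line with `(void)ed_id_rcvd; // XXXX 15056 use this.`, so an authority's reachability test still completes on the RSA digest alone even when the caller knew the peer's Ed25519 key. The function's Doxygen comment, which sits above this hunk, should state that the new parameter is currently ignored, e.g. `* <b>ed_id_rcvd</b> is accepted but not yet used (15056).`, so callers do not assume the key is being checked.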
+++ b/src/or/entrynodes.c
@@ -2108,18 +2108,34 @@ node_is_a_configured_bridge(const node_t *node)
 */
 void learned_router_identity(const tor_addr_t *addr, uint16_t port,
- const char *digest)
+ const char *digest,
+ const ed25519_public_key_t *ed_id)
 {
+ // XXXX prop220 use ed_id here, once there is some way to specify
+ (void)ed_id;
+
+ int learned = 0;
 bridge_info_t *bridge = get_configured_bridge_by_addr_port_digest(addr, port, digest);
 if (bridge && tor_digest_is_zero(bridge->identity)) {
+ memcpy(bridge->identity, digest, DIGEST_LEN);
+ learned = 1;
+ }
+ /* XXXX prop220 remember bridge ed25519 identities -- add a field */
+#if 0
+ if (bridge && ed_id &&
+ ed25519_public_key_is_zero(&bridge->ed25519_identity) &&
+ !ed25519_public_key_is_zero(ed_id)) {
+ memcpy(&bridge->ed25519_identity, ed_id, sizeof(*ed_id));
+ learned = 1;
+ }
+#endif
+ if (learned) {
 char *transport_info = NULL;
 const char *transport_name = find_transport_name_by_bridge_addrport(addr, port);
 if (transport_name) tor_asprintf(&transport_info, " (with transport '%s')", transport_name);
-
- memcpy(bridge->identity, digest, DIGEST_LEN);
+ // XXXX prop220 log both fingerprints.
 log_notice(LD_DIR, "Learned fingerprint %s for bridge %s%s.", hex_str(digest, DIGEST_LEN), fmt_addrport(addr, port), transport_info ? transport_info : "");
@@ -2216,6 +2232,8 @@ bridge_add_from_config(bridge_line_t *bridge_line)
 {
 bridge_info_t *b;
+ // XXXX prop220 add a way to specify ed25519 ID to bridge_line_t.
+
 { /* Log the bridge we are about to register: */
 log_debug(LD_GENERAL, "Registering bridge at %s (transport: %s) (%s)",
 fmt_addrport(&bridge_line->addr, bridge_line->port),
diff --git a/src/or/entrynodes.h b/src/or/entrynodes.h
index 00f96916b6..f8aaedf171 100644
--- a/src/or/entrynodes.h
+++ b/src/or/entrynodes.h
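Review bot: The `#if 0` block in learned_router_identity references `bridge->ed25519_identity`, a field the comment directly above says does not exist yet, so it is dead code the compiler never checks and it will rot silently; the prop220 comment already carries the intent, so drop the block or reduce it to a one-line sketch inside that comment. It is also worth saying in that comment what the disabled logic would do once a field exists: pin the first Ed25519 key a bridge presents whenever the configured entry has none, the same trust-on-first-use as the RSA branch above it, which only makes sense once the @@ -2216 hunk's "add a way to specify ed25519 ID" is done. Minor: `(void)ed_id;` now precedes the `int learned = 0;` declaration; if the build warns on declaration-after-statement, swap the two lines. The log at the end still reports only the RSA fingerprint, as the new `// XXXX prop220 log both fingerprints.` notes.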
@@ -167,7 +167,8 @@ int extend_info_is_a_configured_bridge(const extend_info_t *ei);
 int routerinfo_is_a_configured_bridge(const routerinfo_t *ri);
 int node_is_a_configured_bridge(const node_t *node);
 void learned_router_identity(const tor_addr_t *addr, uint16_t port,
- const char *digest);
+ const char *digest,
+ const ed25519_public_key_t *ed_id);
 struct bridge_line_t;
 void bridge_add_from_config(struct bridge_line_t *bridge_line);
 void retry_bridge_descriptor_fetch_directly(const char *digest);