From 0daa26a4732234333e67d04c9b215ff6704fa9cd Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 20 Aug 2013 14:52:56 -0400 Subject: [PATCH 1/2] Send NETINFO on receiving a NETINFO if we have not yet sent one. (Backport to Tor 0.2.3) Relays previously, when initiating a connection, would only send a NETINFO after sending an AUTHENTICATE. But bridges, when receiving a connection, would never send AUTH_CHALLENGE. So relays wouldn't AUTHENTICATE, and wouldn't NETINFO, and then bridges would be surprised to be receiving CREATE cells on a non-open circuit. Fixes bug 9546. --- bug9546 | 5 +++++ src/or/command.c | 10 ++++++++++ src/or/connection_or.c | 7 +++++++ src/or/or.h | 3 +++ 4 files changed, 25 insertions(+) create mode 100644 bug9546 diff --git a/bug9546 b/bug9546 new file mode 100644 index 0000000000..8596eac94a --- /dev/null +++ b/bug9546 @@ -0,0 +1,5 @@ + o Major bugfixes: + + - When a relay is extending a circuit to a bridge, it needs to send a + NETINFO cell, even when the bridge hasn't sent an AUTH_CHALLENGE + cell. Fixes bug 9546; bugfix on ????. diff --git a/src/or/command.c b/src/or/command.c index 8321e261e0..26e4e6897f 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -941,6 +941,16 @@ command_process_netinfo_cell(cell_t *cell, or_connection_t *conn) * trustworthy. */ (void)my_apparent_addr; + if (! conn->handshake_state->sent_netinfo) { + /* If we were prepared to authenticate, but we never got an AUTH_CHALLENGE + * cell, then we would not previously have sent a NETINFO cell. Do so + * now. */ + if (connection_or_send_netinfo(conn) < 0) { + connection_mark_for_close(TO_CONN(conn)); + return; + } + } + if (connection_or_set_state_open(conn)<0) { log_fn(LOG_PROTOCOL_WARN, LD_OR, "Got good NETINFO cell from %s:%d; but " "was unable to make the OR connection become open.", diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 5eecee0740..56c6ed520a 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -1975,6 +1975,12 @@ connection_or_send_netinfo(or_connection_t *conn) tor_assert(conn->handshake_state); + if (conn->handshake_state->sent_netinfo) { + log_warn(LD_BUG, "Attempted to send an extra netinfo cell on a connection " + "where we already sent one."); + return 0; + } + memset(&cell, 0, sizeof(cell_t)); cell.command = CELL_NETINFO; @@ -2009,6 +2015,7 @@ connection_or_send_netinfo(or_connection_t *conn) } conn->handshake_state->digest_sent_data = 0; + conn->handshake_state->sent_netinfo = 1; connection_or_write_cell_to_buf(&cell, conn); return 0; diff --git a/src/or/or.h b/src/or/or.h index dd95c349c0..b8f334ece2 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1161,6 +1161,9 @@ typedef struct or_handshake_state_t { /* True iff we've received valid authentication to some identity. */ unsigned int authenticated : 1; + /* True iff we have sent a netinfo cell */ + unsigned int sent_netinfo : 1; + /** True iff we should feed outgoing cells into digest_sent and * digest_received respectively. * From 940cef3367591fd1ee86971c202ef92aba931cb7 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 21 Aug 2013 10:10:35 -0400 Subject: [PATCH 2/2] Make bridges send AUTH_CHALLENGE cells The spec requires them to do so, and not doing so creates a situation where they can't send-test because relays won't extend to them because of the other part of bug 9546. Fixes bug 9546; bugfix on 0.2.3.6-alpha. --- bug9546 | 5 ----- changes/bug9546 | 11 +++++++++++ src/or/command.c | 4 ++-- src/or/connection_or.c | 2 +- 4 files changed, 14 insertions(+), 8 deletions(-) delete mode 100644 bug9546 create mode 100644 changes/bug9546 diff --git a/bug9546 b/bug9546 deleted file mode 100644 index 8596eac94a..0000000000 --- a/bug9546 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - - When a relay is extending a circuit to a bridge, it needs to send a - NETINFO cell, even when the bridge hasn't sent an AUTH_CHALLENGE - cell. Fixes bug 9546; bugfix on ????. diff --git a/changes/bug9546 b/changes/bug9546 new file mode 100644 index 0000000000..2145e35d8f --- /dev/null +++ b/changes/bug9546 @@ -0,0 +1,11 @@ + o Major bugfixes: + + - When a relay is extending a circuit to a bridge, it needs to send a + NETINFO cell, even when the bridge hasn't sent an AUTH_CHALLENGE + cell. Fixes bug 9546; bugfix on 0.2.3.6-alpha. + + - Bridges send AUTH_CHALLENGE cells during their handshakes; previously + they did not, which prevented relays from successfully connecting + to a bridge for self-test or bandwidth testing. Fixes bug 9546; + bugfix on 0.2.3.6-alpha. + diff --git a/src/or/command.c b/src/or/command.c index 26e4e6897f..61e1e13a71 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -755,8 +755,8 @@ command_process_versions_cell(var_cell_t *cell, or_connection_t *conn) const int send_versions = !started_here; /* If we want to authenticate, send a CERTS cell */ const int send_certs = !started_here || public_server_mode(get_options()); - /* If we're a relay that got a connection, ask for authentication. */ - const int send_chall = !started_here && public_server_mode(get_options()); + /* If we're a host that got a connection, ask for authentication. */ + const int send_chall = !started_here; /* If our certs cell will authenticate us, we can send a netinfo cell * right now. */ const int send_netinfo = !started_here; diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 56c6ed520a..fbb7c31e04 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -2144,7 +2144,7 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn, const tor_cert_t *id_cert=NULL, *link_cert=NULL; const digests_t *my_digests, *their_digests; const uint8_t *my_id, *their_id, *client_id, *server_id; - if (tor_tls_get_my_certs(0, &link_cert, &id_cert)) + if (tor_tls_get_my_certs(server, &link_cert, &id_cert)) return -1; my_digests = tor_cert_get_id_digests(id_cert); their_digests = tor_cert_get_id_digests(conn->handshake_state->id_cert);