[or-cvs] r12624: server-side code (for when v2 negotiation occurred) to check (in tor/trunk: . doc src/or)

nickm at seul.org nickm at seul.org
Sat Dec 1 08:47:13 UTC 2007


Author: nickm
Date: 2007-12-01 03:47:13 -0500 (Sat, 01 Dec 2007)
New Revision: 12624

Modified:
   tor/trunk/
   tor/trunk/doc/TODO
   tor/trunk/src/or/connection_or.c
Log:
 r15094 at tombo:  nickm | 2007-12-01 03:46:07 -0500
 server-side code (for when v2 negotiation occurred) to check for renegotiation and adjust client ID info accordingly.  server-side of new TLS code is now implemented, but needs testing and debugging.



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r15094] on d9e39d38-0f13-419c-a857-e10a0ce2aa0c

Modified: tor/trunk/doc/TODO
===================================================================
--- tor/trunk/doc/TODO	2007-12-01 08:09:48 UTC (rev 12623)
+++ tor/trunk/doc/TODO	2007-12-01 08:47:13 UTC (rev 12624)
@@ -41,10 +41,10 @@
           that renegotiation happens according to the old rules.
         o Clients initiate renegotiation immediately on completing
           a v2 connection.
-        - Servers detect renegotiation, and if there is now a client
+        o Servers detect renegotiation, and if there is now a client
           cert, they adust the client ID.
           o Detect.
-          - Adjust.
+          o Adjust.
       o Add a separate handshake structure that handles version negotiation,
         and stores netinfo data until authentication is done.
       o Revise versions and netinfo to use separate structure; make
@@ -68,19 +68,17 @@
         o Code to generate
           o Remember certificate digests from TLS
         o Code to parse and check
-      * Revised handshake: TLS
-        - Server checks for new cipher types, and if it finds them, sends
-          only one cert and does not ask for client certs.
-        - Client sends certs only if server asks for them.
-        - Client sends new cipher list.
-        - Client sends correct extension list.
-      - Revised handshake: post-TLS.
+      X Revised handshake: post-TLS.
         o If in 'handshaking' state (since v2+ conn is in use), accept
           VERSIONS and NETINFO and CERT and LINK_AUTH.
         o After we send NETINFO, send CERT and LINK_AUTH if needed.
         o Once we get a good LINK_AUTH, the connection is OPEN.
         - Ban most cell types on a non-OPEN connection.
         o Close connections on handshake failure.
+      - New revised handshake: post-TLS:
+        - start by sending VERSIONS cells
+        - once we have a version, send a netinfo and become open
+        - Ban most cell types on a non-OPEN connection.
       o Make code work right wrt TLS context rotation.
       - NETINFO fallout
         - Don't extend a circuit over a noncanonical connection with

Modified: tor/trunk/src/or/connection_or.c
===================================================================
--- tor/trunk/src/or/connection_or.c	2007-12-01 08:09:48 UTC (rev 12623)
+++ tor/trunk/src/or/connection_or.c	2007-12-01 08:47:13 UTC (rev 12624)
@@ -19,6 +19,9 @@
 static int connection_or_send_versions(or_connection_t *conn);
 static int connection_init_or_handshake_state(or_connection_t *conn,
                                               int started_here);
+static int connection_or_check_valid_tls_handshake(or_connection_t *conn,
+                                                   int started_here,
+                                                   char *digest_rcvd_out);
 
 /**************************************************************/
 
@@ -573,6 +576,21 @@
   return 0;
 }
 
+/*DOCDOC*/
+static void
+connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn)
+{
+  or_connection_t *conn = _conn;
+  char id_digest[DIGEST_LEN];
+
+  if (connection_or_check_valid_tls_handshake(conn,
+                                              !tor_tls_is_server(tls),
+                                              id_digest) < 0)
+    return;
+  connection_or_init_conn_from_address(conn, conn->_base.addr,
+                                       conn->_base.port, id_digest, 0);
+}
+
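Review bot: The `/*DOCDOC*/` placeholder above `connection_or_tls_renegotiated_cb` should become a real comment, since this callback is where a server-side connection's identity gets re-derived after renegotiation; something like `/** Called by the TLS layer once the session on <b>tls</b> has been renegotiated. <b>_conn</b> is the owning or_connection_t. Re-check the handshake and, if valid, reset the connection's identity from the peer certificate digest. */`. Note also that when connection_or_check_valid_tls_handshake() returns < 0 the callback returns silently and the connection keeps whatever identity it had before; if that check does not itself log and mark the connection for close (not visible in this hunk), the failure would go unnoticed, so it is worth confirming. Passing `!tor_tls_is_server(tls)` as started_here mirrors the caller convention elsewhere in this file, but a short comment on that argument would help the next reader.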
 /** Move forward with the tls handshake. If it finishes, hand
  * <b>conn</b> to connection_tls_finish_handshake().
  *
@@ -594,11 +612,18 @@
              tor_tls_err_to_string(result));
       return -1;
     case TOR_TLS_DONE:
-      if (!tor_tls_is_server(conn->tls) &&
-          !tor_tls_used_v1_handshake(conn->tls) &&
-          conn->_base.state == OR_CONN_STATE_TLS_HANDSHAKING) {
-        conn->_base.state = OR_CONN_STATE_TLS_RENEGOTIATING;
-        goto again;
+      if (tor_tls_used_v1_handshake(conn->tls)) {
+        if (!tor_tls_is_server(conn->tls)) {
+          if (conn->_base.state == OR_CONN_STATE_TLS_HANDSHAKING) {
+            conn->_base.state = OR_CONN_STATE_TLS_RENEGOTIATING;
+            goto again;
+          }
+        } else {
+          /* improved handshake, but not a client. */
+          tor_tls_set_renegotiate_callback(conn->tls,
+                                           connection_or_tls_renegotiated_cb,
+                                           conn);
+        }
       }
       return connection_tls_finish_handshake(conn);
     case TOR_TLS_WANTWRITE:
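Review bot: The condition on the new line `if (tor_tls_used_v1_handshake(conn->tls)) {` looks inverted: the removed code tested `!tor_tls_used_v1_handshake(conn->tls)`, and the else-branch comment `/* improved handshake, but not a client. */` only makes sense on the v2 path. As written, clients move to OR_CONN_STATE_TLS_RENEGOTIATING only after a v1 handshake, and servers install connection_or_tls_renegotiated_cb only after a v1 handshake, so the v2 server-side renegotiation this commit sets out to detect would never trigger. The one-line fix is `if (!tor_tls_used_v1_handshake(conn->tls)) {`. The enclosing function starts and ends outside this hunk.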
@@ -812,6 +837,11 @@
     }
     return connection_or_set_state_open(conn);
   } else {
+    if (started_here) {
+      if (connection_or_check_valid_tls_handshake(conn, started_here,
+                                                  digest_rcvd) < 0)
+        return -1;
+    }
     conn->_base.state = OR_CONN_STATE_OR_HANDSHAKING;
     if (connection_init_or_handshake_state(conn, started_here) < 0)
       return -1;
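Review bot: The nested `if (started_here) { if (... < 0) return -1; }` on the new lines can be a single guard, `if (started_here && connection_or_check_valid_tls_handshake(conn, started_here, digest_rcvd) < 0) return -1;`, matching the early-return style of the surrounding code; since started_here is already known true there, passing the literal `1` would read more directly. In the `!started_here` case the v2 path now enters OR_CONN_STATE_OR_HANDSHAKING with no check of `digest_rcvd` at this point, presumably because the identity is established later by the renegotiation callback; a one-line comment saying so would keep a future reader from adding a duplicate check here. The enclosing function starts and ends outside this hunk.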


