[tor-commits] [tor/maint-0.2.2] Merge branch 'maint-0.2.1_secfix' into maint-0.2.2_secfix
arma at torproject.org
arma at torproject.org
Thu Oct 27 23:52:16 UTC 2011
commit df05e5ef4d5e379e50b38e29fa23228e5b260e8a
Merge: f85c561 a74e7fd
Author: Sebastian Hahn <sebastian at torproject.org>
Date: Wed Oct 26 23:30:27 2011 +0200
Merge branch 'maint-0.2.1_secfix' into maint-0.2.2_secfix
Conflicts:
src/or/connection_or.c
changes/issue-2011-10-19L | 21 ++++++++++
changes/issue-2011-10-23G | 9 ++++
src/common/tortls.c | 93 ++++++++++++++++++++++++++-------------------
src/or/command.c | 13 +++++-
src/or/connection_or.c | 7 +++
src/or/or.h | 6 +++
6 files changed, 108 insertions(+), 41 deletions(-)
diff --cc src/common/tortls.c
index 10f4440,cc805f8..352c3d6
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@@ -681,13 -655,16 +684,14 @@@ tor_tls_context_init(int is_public_serv
rv2 = tor_tls_context_init_one(&client_tls_context,
client_identity,
- key_lifetime);
+ key_lifetime,
+ 1);
}
- return rv1 < rv2 ? rv1 : rv2;
+ return MIN(rv1, rv2);
}
-/** Create a new TLS context for use with Tor TLS handshakes.
- * <b>identity</b> should be set to the identity key used to sign the
- * certificate.
+/** Create a new global TLS context.
*
* You can call this function multiple times. Each time you call it,
* it generates new certificates; all new connections will use
@@@ -785,30 -769,33 +796,34 @@@ tor_tls_context_new(crypto_pk_env_t *id
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
- if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
- goto error;
- X509_free(cert); /* We just added a reference to cert. */
- cert=NULL;
- if (idcert) {
- X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
- tor_assert(s);
- X509_STORE_add_cert(s, idcert);
- X509_free(idcert); /* The context now owns the reference to idcert */
- idcert = NULL;
+ if (! is_client) {
+ if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
+ goto error;
+ X509_free(cert); /* We just added a reference to cert. */
+ cert=NULL;
+ if (idcert) {
+ X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
+ tor_assert(s);
+ X509_STORE_add_cert(s, idcert);
+ X509_free(idcert); /* The context now owns the reference to idcert */
+ idcert = NULL;
+ }
}
SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
- tor_assert(rsa);
- if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1)))
- goto error;
- if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
- goto error;
- EVP_PKEY_free(pkey);
- pkey = NULL;
- if (!SSL_CTX_check_private_key(result->ctx))
- goto error;
+ if (!is_client) {
+ tor_assert(rsa);
+ if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1)))
+ goto error;
+ if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
+ goto error;
+ EVP_PKEY_free(pkey);
+ pkey = NULL;
+ if (!SSL_CTX_check_private_key(result->ctx))
+ goto error;
+ }
{
crypto_dh_env_t *dh = crypto_dh_new(DH_TYPE_TLS);
+ tor_assert(dh);
SSL_CTX_set_tmp_dh(result->ctx, _crypto_dh_env_get_dh(dh));
crypto_dh_free(dh);
}
diff --cc src/or/connection_or.c
index c019f65,f019c79..27a34d3
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@@ -808,19 -776,12 +813,21 @@@ connection_or_connect(const tor_addr_t
conn->_base.state = OR_CONN_STATE_CONNECTING;
control_event_or_conn_status(conn, OR_CONN_EVENT_LAUNCHED, 0);
+ conn->is_outgoing = 1;
+
- if (options->HttpsProxy) {
- /* we shouldn't connect directly. use the https proxy instead. */
- tor_addr_from_ipv4h(&addr, options->HttpsProxyAddr);
- port = options->HttpsProxyPort;
+ /* use a proxy server if available */
+ if (options->HTTPSProxy) {
+ using_proxy = 1;
+ tor_addr_copy(&addr, &options->HTTPSProxyAddr);
+ port = options->HTTPSProxyPort;
+ } else if (options->Socks4Proxy) {
+ using_proxy = 1;
+ tor_addr_copy(&addr, &options->Socks4ProxyAddr);
+ port = options->Socks4ProxyPort;
+ } else if (options->Socks5Proxy) {
+ using_proxy = 1;
+ tor_addr_copy(&addr, &options->Socks5ProxyAddr);
+ port = options->Socks5ProxyPort;
}
switch (connection_connect(TO_CONN(conn), conn->_base.address,
diff --cc src/or/or.h
index 31deb89,edbb73c..8638f20
--- a/src/or/or.h
+++ b/src/or/or.h
@@@ -1062,12 -1028,15 +1062,18 @@@ typedef struct or_connection_t
* NETINFO cell listed the address we're connected to as recognized. */
unsigned int is_canonical:1;
/** True iff this connection shouldn't get any new circs attached to it,
- * because the connection is too old, or because there's a better one, etc.
+ * because the connection is too old, or because there's a better one.
+ * More generally, this flag is used to note an unhealthy connection;
+ * for example, if a bad connection fails we shouldn't assume that the
+ * router itself has a problem.
*/
unsigned int is_bad_for_new_circs:1;
+ /** True iff we have decided that the other end of this connection
+ * is a client. Connections with this flag set should never be used
+ * to satisfy an EXTEND request. */
+ unsigned int is_connection_with_client:1;
+ /** True iff this is an outgoing connection. */
+ unsigned int is_outgoing:1;
uint8_t link_proto; /**< What protocol version are we using? 0 for
* "none negotiated yet." */
circid_t next_circ_id; /**< Which circ_id do we try to use next on
More information about the tor-commits
mailing list