| blob | a79f5c36e88e2544a4f2e9a96e57184bf621b163 |
1 /* * Copyright (c) 2012-2021, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
4 /**
5 * \file channeltls.c
6 *
7 * \brief A concrete subclass of channel_t using or_connection_t to transfer
8 * cells between Tor instances.
9 *
10 * This module fills in the various function pointers in channel_t, to
11 * implement the channel_tls_t channels as used in Tor today. These channels
12 * are created from channel_tls_connect() and
13 * channel_tls_handle_incoming(). Each corresponds 1:1 to or_connection_t
14 * object, as implemented in connection_or.c. These channels transmit cells
15 * to the underlying or_connection_t by calling
16 * connection_or_write_*_cell_to_buf(), and receive cells from the underlying
17 * or_connection_t when connection_or_process_cells_from_inbuf() calls
18 * channel_tls_handle_*_cell().
19 *
20 * Here we also implement the server (responder) side of the v3+ Tor link
21 * handshake, which uses CERTS and AUTHENTICATE cell to negotiate versions,
22 * exchange expected and observed IP and time information, and bootstrap a
23 * level of authentication higher than we have gotten on the raw TLS
24 * handshake.
25 *
26 * NOTE: Since there is currently only one type of channel, there are probably
27 * more than a few cases where functionality that is currently in
28 * channeltls.c, connection_or.c, and channel.c ought to be divided up
29 * differently. The right time to do this is probably whenever we introduce
30 * our next channel type.
31 **/
33 /*
34 * Define this so channel.h gives us things only channel_t subclasses
35 * should touch.
36 */
37 #define CHANNEL_OBJECT_PRIVATE
39 #define CHANNELTLS_PRIVATE
83 /** How many CELL_PADDING cells have we received, ever? */
85 /** How many CELL_VERSIONS cells have we received, ever? */
87 /** How many CELL_NETINFO cells have we received, ever? */
89 /** How many CELL_VPADDING cells have we received, ever? */
91 /** How many CELL_CERTS cells have we received, ever? */
93 /** How many CELL_AUTH_CHALLENGE cells have we received, ever? */
95 /** How many CELL_AUTHENTICATE cells have we received, ever? */
97 /** How many CELL_AUTHORIZE cells have we received, ever? */
100 /** Active listener, if any */
103 /* channel_tls_t method declarations */
111 static int
116 static int
130 /* channel_listener_tls_t method declarations */
136 /** Handle incoming cells for the handshake stuff here rather than
137 * passing them on up. */
149 /**
150 * Do parts of channel_tls_t initialization common to channel_tls_connect()
151 * and channel_tls_handle_incoming().
152 */
153 STATIC void
155 {
182 /* We only have one policy for now so always set it to EWMA. */
184 }
186 /**
187 * Start a new TLS channel.
188 *
189 * Launch a new OR connection to <b>addr</b>:<b>port</b> and expect to
190 * handshake with an OR with identity digest <b>id_digest</b>, and wrap
191 * it in a channel_tls_t.
192 */
193 channel_t *
197 {
204 "In channel_tls_connect() for channel %p "
206 tlschan,
219 }
223 /* Set up or_connection stuff */
225 /* connection_or_connect() will fill in tlschan->conn */
230 }
238 err:
243 done:
244 /* If we got one, we should register it */
248 }
250 /**
251 * Return the current channel_tls_t listener.
252 *
253 * Returns the current channel listener for incoming TLS connections, or
254 * NULL if none has been established
255 */
256 channel_listener_t *
258 {
260 }
262 /**
263 * Start a channel_tls_t listener if necessary.
264 *
265 * Return the current channel_tls_t listener, or start one if we haven't yet,
266 * and return that.
267 */
268 channel_listener_t *
270 {
279 channel_tls_listener_describe_transport_method;
291 }
293 /**
294 * Free everything on shutdown.
295 *
296 * Not much to do here, since channel_free_all() takes care of a lot, but let's
297 * get rid of the listener.
298 */
299 void
301 {
308 /*
309 * When we close it, channel_tls_listener will get nulled out, so save
310 * a pointer so we can free it.
311 */
314 "Closing channel_tls_listener with ID %"PRIu64
317 old_listener);
322 }
326 }
328 /**
329 * Create a new channel around an incoming or_connection_t.
330 */
331 channel_t *
333 {
342 /* Link the channel and orconn to each other */
356 }
360 /* Register it */
367 }
368 /* Start tracking TLS connections in the DoS subsystem as soon as possible,
369 * so we can protect against attacks that use partially open connections.
370 */
378 }
380 /**
381 * Set the `potentially_used_for_bootstrapping` flag on the or_connection_t
382 * corresponding to the provided channel.
383 *
384 * This flag indicates that if the connection fails, it might be interesting
385 * to the bootstrapping subsystem. (The bootstrapping system only cares about
386 * channels that we have tried to use for our own circuits. Other channels
387 * may have been launched in response to EXTEND cells from somebody else, and
388 * if they fail, it won't necessarily indicate a bootstrapping problem.)
389 **/
390 void
392 {
403 }
405 /*********
406 * Casts *
407 ********/
409 /**
410 * Cast a channel_tls_t to a channel_t.
411 */
412 channel_t *
414 {
418 }
420 /**
421 * Cast a channel_t to a channel_tls_t, with appropriate type-checking
422 * asserts.
423 */
424 channel_tls_t *
426 {
432 }
434 /**
435 * Cast a const channel_tls_t to a const channel_t.
436 */
439 {
441 }
443 /**
444 * Cast a const channel_t to a const channel_tls_t, with appropriate
445 * type-checking asserts.
446 */
449 {
451 }
453 /********************************************
454 * Method implementations for channel_tls_t *
455 *******************************************/
457 /**
458 * Close a channel_tls_t.
459 *
460 * This implements the close method for channel_tls_t.
461 */
462 static void
464 {
471 /* Weird - we'll have to change the state ourselves, I guess */
474 tlschan);
476 }
477 }
479 /**
480 * Describe the transport for a channel_tls_t.
481 *
482 * This returns the string "TLS channel on connection <id>" to the upper
483 * layer.
484 */
487 {
508 }
511 }
513 /**
514 * Free a channel_tls_t.
515 *
516 * This is called by the generic channel layer when freeing a channel_tls_t;
517 * this happens either on a channel which has already reached
518 * CHANNEL_STATE_CLOSED or CHANNEL_STATE_ERROR from channel_run_cleanup() or
519 * on shutdown from channel_free_all(). In the latter case we might still
520 * have an orconn active (which connection_free_all() will get to later),
521 * so we should null out its channel pointer now.
522 */
523 static void
525 {
533 }
534 }
536 /**
537 * Get an estimate of the average TLS overhead for the upper layer.
538 */
539 static double
541 {
548 /* Just return 1.0f if we don't have sensible data */
555 /*
556 * Never estimate more than 2.0; otherwise we get silly large estimates
557 * at the very start of a new TLS connection.
558 */
561 }
568 }
570 /**
571 * Get the remote address of a channel_tls_t.
572 *
573 * This implements the get_remote_addr method for channel_tls_t; copy the
574 * remote endpoint of the channel to addr_out and return 1. (Always
575 * succeeds if this channel is attached to an OR connection.)
576 *
577 * Always returns the real address of the peer, not the canonical address.
578 */
579 static int
582 {
591 }
593 /* They want the real address, so give it to them. */
597 }
599 /**
600 * Get the name of the pluggable transport used by a channel_tls_t.
601 *
602 * This implements the get_transport_name for channel_tls_t. If the
603 * channel uses a pluggable transport, copy its name to
604 * <b>transport_out</b> and return 0. If the channel did not use a
605 * pluggable transport, return -1.
606 */
607 static int
609 {
621 }
623 /**
624 * Get a human-readable endpoint description of a channel_tls_t.
625 *
626 * This format is intended for logging, and may change in the future;
627 * nothing should parse or rely on its particular details.
628 */
631 {
639 }
640 }
642 /**
643 * Tell the upper layer if we have queued writes.
644 *
645 * This implements the has_queued_writes method for channel_tls t_; it returns
646 * 1 iff we have queued writes on the outbuf of the underlying or_connection_t.
647 */
648 static int
650 {
657 "something called has_queued_writes on a tlschan "
660 }
667 }
669 /**
670 * Tell the upper layer if we're canonical.
671 *
672 * This implements the is_canonical method for channel_tls_t:
673 * it returns whether this is a canonical channel.
674 */
675 static int
677 {
684 /* If this bit is set to 0, and link_proto is sufficiently old, then we
685 * can't actually _rely_ on this being a non-canonical channel.
686 * Nonetheless, we're going to believe that this is a non-canonical
687 * channel in this case, since nobody should be using these link protocols
688 * any more. */
690 }
693 }
695 /**
696 * Check if we match an extend_info_t.
697 *
698 * This implements the matches_extend_info method for channel_tls_t; the upper
699 * layer wants to know if this channel matches an extend_info_t.
700 *
701 * NOTE that this function only checks for an address/port match, and should
702 * be used only when no identify is available.
703 */
704 static int
707 {
713 /* Never match if we have no conn */
716 "something called matches_extend_info on a tlschan "
720 }
723 // If the canonical address is set, then we'll allow matches based on that.
727 }
728 }
730 // We also want to match if the true address and port are listed in the
731 // extend info.
735 }
737 /**
738 * Check if we match a target address; return true iff we do.
739 *
740 * This implements the matches_target method for channel_tls t_; the upper
741 * layer wants to know if this channel matches a target address when extending
742 * a circuit.
743 */
744 static int
747 {
753 /* Never match if we have no conn */
756 "something called matches_target on a tlschan "
760 }
762 /* addr is the address this connection came from.
763 * canonical_orport is updated by connection_or_init_conn_from_address()
764 * to be the address in the descriptor. It may be tempting to
765 * allow either address to be allowed, but if we did so, it would
766 * enable someone who steals a relay's keys to covertly impersonate/MITM it
767 * from anywhere on the Internet! (Because they could make long-lived
768 * TLS connections from anywhere to all relays, and wait for them to
769 * be used for extends).
770 *
771 * An adversary who has stolen a relay's keys could also post a fake relay
772 * descriptor, but that attack is easier to detect.
773 */
775 }
777 /**
778 * Tell the upper layer how many bytes we have queued and not yet
779 * sent.
780 */
781 static size_t
783 {
790 }
792 /**
793 * Tell the upper layer how many cells we can accept to write.
794 *
795 * This implements the num_cells_writeable method for channel_tls_t; it
796 * returns an estimate of the number of cells we can accept with
797 * channel_tls_write_*_cell().
798 */
799 static int
801 {
803 ssize_t n;
812 /* Get the number of cells */
815 #if SIZEOF_SIZE_T > SIZEOF_INT
817 #endif
820 }
822 /**
823 * Write a cell to a channel_tls_t.
824 *
825 * This implements the write_cell method for channel_tls_t; given a
826 * channel_tls_t and a cell_t, transmit the cell_t.
827 */
828 static int
830 {
842 "something called write_cell on a tlschan "
845 }
848 }
850 /**
851 * Write a packed cell to a channel_tls_t.
852 *
853 * This implements the write_packed_cell method for channel_tls_t; given a
854 * channel_tls_t and a packed_cell_t, transmit the packed_cell_t.
855 *
856 * Return 0 on success or negative value on error. The caller must free the
857 * packed cell.
858 */
859 static int
862 {
875 "something called write_packed_cell on a tlschan "
879 }
882 }
884 /**
885 * Write a variable-length cell to a channel_tls_t.
886 *
887 * This implements the write_var_cell method for channel_tls_t; given a
888 * channel_tls_t and a var_cell_t, transmit the var_cell_t.
889 */
890 static int
892 {
904 "something called write_var_cell on a tlschan "
907 }
910 }
912 /*************************************************
913 * Method implementations for channel_listener_t *
914 ************************************************/
916 /**
917 * Close a channel_listener_t.
918 *
919 * This implements the close method for channel_listener_t.
920 */
921 static void
923 {
926 /*
927 * Listeners we just go ahead and change state through to CLOSED, but
928 * make sure to check if they're channel_tls_listener to NULL it out.
929 */
937 }
947 }
952 }
953 }
955 /**
956 * Describe the transport for a channel_listener_t.
957 *
958 * This returns the string "TLS channel (listening)" to the upper
959 * layer.
960 */
963 {
967 }
969 /*******************************************************
970 * Functions for handling events on an or_connection_t *
971 ******************************************************/
973 /**
974 * Handle an orconn state change.
975 *
976 * This function will be called by connection_or.c when the or_connection_t
977 * associated with this channel_tls_t changes state.
978 */
979 void
983 {
993 /* Make sure the base connection state makes sense - shouldn't be error
994 * or closed. */
1001 /* Did we just go to state open? */
1003 /*
1004 * We can go to CHANNEL_STATE_OPEN from CHANNEL_STATE_OPENING or
1005 * CHANNEL_STATE_MAINT on this.
1006 */
1008 /* We might have just become writeable; check and tell the scheduler */
1011 }
1013 /*
1014 * Not open, so from CHANNEL_STATE_OPEN we go to CHANNEL_STATE_MAINT,
1015 * otherwise no change.
1016 */
1019 }
1020 }
1021 }
1023 #ifdef KEEP_TIMING_STATS
1025 /**
1026 * Timing states wrapper.
1027 *
1028 * This is a wrapper function around the actual function that processes the
1029 * <b>cell</b> that just arrived on <b>chan</b>. Increment <b>*time</b>
1030 * by the number of microseconds used by the call to <b>*func(cell, chan)</b>.
1031 */
1032 static void
1035 {
1048 }
1053 }
1056 }
1059 #ifdef KEEP_TIMING_STATS
1060 #define PROCESS_CELL(tp, cl, cn) STMT_BEGIN { \
1061 ++num ## tp; \
1062 channel_tls_time_process_cell(cl, cn, & tp ## time , \
1063 channel_tls_process_ ## tp ## _cell); \
1064 } STMT_END
1066 #define PROCESS_CELL(tp, cl, cn) channel_tls_process_ ## tp ## _cell(cl, cn)
1069 /**
1070 * Handle an incoming cell on a channel_tls_t.
1071 *
1072 * This is called from connection_or.c to handle an arriving cell; it checks
1073 * for cell types specific to the handshake for this transport protocol and
1074 * handles them, and queues all other cells to the channel_t layer, which
1075 * eventually will hand them off to command.c.
1076 *
1077 * The channel layer itself decides whether the cell should be queued or
1078 * can be handed off immediately to the upper-layer code. It is responsible
1079 * for copying in the case that it queues; we merely pass pointers through
1080 * which we get from connection_or_process_cells_from_inbuf().
1081 */
1082 void
1084 {
1097 }
1104 /* Reject all but VERSIONS and NETINFO when handshaking. */
1105 /* (VERSIONS actually indicates a protocol warning: it's variable-length,
1106 * so if it reaches this function, we're on a v1 connection.) */
1110 "Received unexpected cell command %d in chan state %s / "
1117 }
1122 /* We note that we're on the internet whenever we read a cell. This is
1123 * a fast operation. */
1136 /* do nothing */
1139 /* A VERSIONS cell should always be a variable-length cell, and
1140 * so should never reach this function (which handles constant-sized
1141 * cells). But if the connection is using the (obsolete) v1 link
1142 * protocol, all cells will be treated as constant-sized, and so
1143 * it's possible we'll reach this code.
1144 */
1146 "Received unexpected VERSIONS cell on a channel using link "
1166 /*
1167 * These are all transport independent and we pass them up through the
1168 * channel_t mechanism. They are ultimately handled in command.c.
1169 */
1174 "Cell of unknown type (%d) received in channeltls.c. "
1178 }
1179 }
1181 /**
1182 * Handle an incoming variable-length cell on a channel_tls_t.
1183 *
1184 * Process a <b>var_cell</b> that was just received on <b>conn</b>. Keep
1185 * internal statistics about how many of each cell we've processed so far
1186 * this second, and the total number of microseconds it took to
1187 * process each type of cell. All the var_cell commands are handshake-
1188 * related and live below the channel_t layer, so no variable-length
1189 * cells ever get delivered in the current implementation, but I've left
1190 * the mechanism in place for future use.
1191 *
1192 * If we were handing them off to the upper layer, the channel_t queueing
1193 * code would be responsible for memory management, and we'd just be passing
1194 * pointers through from connection_or_process_cells_from_inbuf(). That
1195 * caller always frees them after this function returns, so this function
1196 * should never free var_cell.
1197 */
1198 void
1200 {
1203 #ifdef KEEP_TIMING_STATS
1204 /* how many of each cell have we seen so far this second? needs better
1205 * name. */
1212 /* print stats */
1221 /* remember which second it is, for next time */
1223 }
1235 }
1244 "Received a cell with command %d in unexpected "
1252 /*
1253 * The code in connection_or.c will tell channel_t to close for
1254 * error; it will go to CHANNEL_STATE_CLOSING, and then to
1255 * CHANNEL_STATE_ERROR when conn is closed.
1256 */
1259 }
1262 /* If we're using bufferevents, it's entirely possible for us to
1263 * notice "hey, data arrived!" before we notice "hey, the handshake
1264 * finished!" And we need to be accepting both at once to handle both
1265 * the v2 and v3 handshakes. */
1266 /* But that should be happening any longer've disabled bufferevents. */
1268 FALLTHROUGH_UNLESS_ALL_BUGS_ARE_FATAL;
1272 "Received a cell with command %d in unexpected "
1280 /* see above comment about CHANNEL_STATE_ERROR */
1286 }
1296 "Received a variable-length cell with command %d in orconn "
1297 "state %s [%d], channel state %s [%d] with link protocol %d; "
1306 }
1310 "Received var-length cell with command %d in unexpected "
1319 }
1321 /* We note that we're on the internet whenever we read a cell. This is
1322 * a fast operation. */
1325 /* Now handle the cell */
1334 /* Do nothing */
1350 /* Ignored so far. */
1357 }
1358 }
1360 #undef PROCESS_CELL
1362 /**
1363 * Update channel marks after connection_or.c has changed an address.
1364 *
1365 * This is called from connection_or_init_conn_from_address() after the
1366 * connection's _base.addr or real_addr fields have potentially been changed
1367 * so we can recalculate the local mark. Notably, this happens when incoming
1368 * connections are reverse-proxied and we only learn the real address of the
1369 * remote router by looking it up in the consensus after we finish the
1370 * handshake and know an authenticated identity digest.
1371 */
1372 void
1374 {
1388 }
1395 }
1396 }
1397 }
1399 /**
1400 * Check if this cell type is allowed before the handshake is finished.
1401 *
1402 * Return true if <b>command</b> is a cell command that's allowed to start a
1403 * V3 handshake.
1404 */
1405 static int
1407 {
1415 }
1416 }
1418 /**
1419 * Start a V3 handshake on an incoming connection.
1420 *
1421 * Called when we as a server receive an appropriate cell while waiting
1422 * either for a cell or a TLS handshake. Set the connection's state to
1423 * "handshaking_v3', initializes the or_handshake_state field as needed,
1424 * and add the cell to the hash of incoming cells.)
1425 */
1426 static int
1428 {
1439 OR_CONN_STATE_TLS_SERVER_RENEGOTIATING);
1443 "Received a cell while TLS-handshaking, not in "
1445 }
1451 }
1455 }
1457 /**
1458 * Process a 'versions' cell.
1459 *
1460 * This function is called to handle an incoming VERSIONS cell; the current
1461 * link protocol version must be 0 to indicate that no version has yet been
1462 * negotiated. We compare the versions in the cell to the list of versions
1463 * we support, pick the highest version we have in common, and continue the
1464 * negotiation from there.
1465 */
1466 static void
1468 {
1478 "Received a VERSION cell with odd payload length %d; "
1482 }
1490 "Received a VERSIONS cell on a connection with its version "
1494 }
1496 {
1506 }
1510 {
1517 }
1518 }
1521 "Couldn't find a version in common between my version list and the "
1526 /* Negotiating version 1 makes no sense, since version 1 has no VERSIONS
1527 * cells. */
1529 "Used version negotiation protocol to negotiate a v1 connection. "
1536 "Negotiated link protocol 2 or lower after doing a v3 TLS "
1542 /* XXXX This should eventually be a log_protocol_warn */
1544 "Negotiated link with non-2 protocol after doing a v2 TLS "
1549 }
1559 highest_supported_version,
1565 }
1568 /* If we want to authenticate, send a CERTS cell */
1570 /* If we're a host that got a connection, ask for authentication. */
1572 /* If our certs cell will authenticate us, we can send a netinfo cell
1573 * right now. */
1581 highest_supported_version,
1589 #ifdef DISABLE_V3_LINKPROTO_SERVERSIDE
1593 }
1601 }
1602 }
1604 /* We set this after sending the versions cell. */
1605 /*XXXXX symbolic const.*/
1618 }
1619 }
1625 }
1626 }
1632 }
1633 }
1634 }
1635 }
1637 /**
1638 * Process a 'padding_negotiate' cell.
1639 *
1640 * This function is called to handle an incoming PADDING_NEGOTIATE cell;
1641 * enable or disable padding accordingly, and read and act on its timeout
1642 * value contents.
1643 */
1644 static void
1646 {
1657 }
1662 "Received malformed PADDING_NEGOTIATE cell on v%d connection; "
1666 }
1669 negotiation);
1672 }
1674 /**
1675 * Convert <b>netinfo_addr</b> into corresponding <b>tor_addr</b>.
1676 * Return 0 on success; on failure, return -1 and log a warning.
1677 */
1678 static int
1692 netinfo_addr);
1698 }
1701 }
1703 /**
1704 * Helper: compute the absolute value of a time_t.
1705 *
1706 * (we need this because labs() doesn't always work for time_t, since
1707 * long can be shorter than time_t.)
1708 */
1711 {
1713 }
1715 /** Return true iff the channel can process a NETINFO cell. For this to return
1716 * true, these channel conditions apply:
1717 *
1718 * 1. Link protocol is version 2 or higher (tor-spec.txt, NETINFO cells
1719 * section).
1720 *
1721 * 2. Underlying OR connection of the channel is either in v2 or v3
1722 * handshaking state.
1723 */
1724 static bool
1726 {
1727 /* NETINFO cells can only be negotiated on link protocol 2 or higher. */
1733 }
1735 /* Can't process a NETINFO cell if the connection is not handshaking. */
1741 }
1743 /* Make sure we do have handshake state. */
1748 }
1750 /** Mark the given channel endpoint as a client (which means either a tor
1751 * client or a tor bridge).
1752 *
1753 * This MUST be done on an _unauthenticated_ channel. It is a mistake to mark
1754 * an authenticated channel as a client.
1755 *
1756 * The following is done on the channel:
1757 *
1758 * 1. Marked as a client.
1759 * 2. Type of circuit ID type is set.
1760 * 3. The underlying OR connection is initialized with the address of the
1761 * endpoint.
1762 */
1763 static void
1765 {
1766 /* Ending up here for an authenticated link is a mistake. */
1769 }
1773 authenticated_rsa_peer_id)));
1777 /* If the client never authenticated, it's a tor client or bridge
1778 * relay, and we must not use it for EXTEND requests (nor could we, as
1779 * there are no authenticated peer IDs) */
1787 /* zero, checked above */
1789 authenticated_rsa_peer_id),
1792 }
1794 /**
1795 * Process a 'netinfo' cell
1796 *
1797 * This function is called to handle an incoming NETINFO cell; read and act
1798 * on its contents, and set the connection state to "open".
1799 */
1800 static void
1802 {
1819 /* Make sure we can process a NETINFO cell. Link protocol and state
1820 * validation is done to make sure of it. */
1823 }
1833 "Got a NETINFO cell from server, "
1837 }
1839 /* We're the server. If the client never authenticated, we have some
1840 * housekeeping to do.
1841 *
1842 * It's a tor client or bridge relay, and we must not use it for EXTEND
1843 * requests (nor could we, as there are no authenticated peer IDs) */
1846 }
1847 }
1848 }
1850 /* Decode the cell. */
1854 CELL_PAYLOAD_SIZE);
1861 }
1873 }
1874 /* We used to check:
1875 * if (my_addr_len >= CELL_PAYLOAD_SIZE - 6) {
1876 *
1877 * This is actually never going to happen, since my_addr_len is at most 255,
1878 * and CELL_PAYLOAD_LEN - 6 is 503. So we know that cp is < end. */
1884 }
1890 }
1897 }
1898 }
1901 /* We have a descriptor, so we are a relay: record the address that the
1902 * other side said we had. */
1905 }
1909 /* Consider all the other addresses; if any matches, this connection is
1910 * "canonical." */
1915 tor_addr_t addr;
1921 }
1922 /* A relay can connect from anywhere and be canonical, so
1923 * long as it tells you from where it came. This may sound a bit
1924 * concerning... but that's what "canonical" means: that the
1925 * address is one that the relay itself has claimed. The relay
1926 * might be doing something funny, but nobody else is doing a MITM
1927 * on the relay's TCP.
1928 */
1932 }
1933 }
1942 "We made a connection to a relay at %s (fp=%s) but we think "
1943 "they will not consider this connection canonical. They "
1950 }
1952 /* Act on apparent skew. */
1953 /** Warn when we get a netinfo skew with at least this value. */
1954 #define NETINFO_NOTICE_SKEW 3600
1961 }
1963 /* Consider our apparent address as a possible suggestion for our address if
1964 * we were unable to resolve it previously. The endpoint address is passed
1965 * in order to make sure to never consider an address that is the same as
1966 * our endpoint. */
1968 identity_digest);
1971 /* If we were prepared to authenticate, but we never got an AUTH_CHALLENGE
1972 * cell, then we would not previously have sent a NETINFO cell. Do so
1973 * now. */
1977 }
1978 }
1982 "Got good NETINFO cell on %s; but "
1988 "Got good NETINFO cell on %s; OR connection is now "
1989 "open, using protocol version %d. Its ID digest is %s. "
1997 }
1999 }
2001 /** Types of certificates that we know how to parse from CERTS cells. Each
2002 * type corresponds to a different encoding format. */
2006 * (Actually, it might not be RSA. We test that later.) */
2008 * encoded asa a tor_cert_t.*/
2012 /**
2013 * Given one of the certificate type codes used in a CERTS cell,
2014 * return the corresponding cert_encoding_t that we should use to parse
2015 * the certificate.
2016 */
2017 static cert_encoding_t
2019 {
2033 }
2034 }
2036 /**
2037 * Process a CERTS cell from a channel.
2038 *
2039 * This function is called to process an incoming CERTS cell on a
2040 * channel_tls_t:
2041 *
2042 * If the other side should not have sent us a CERTS cell, or the cell is
2043 * malformed, or it is supposed to authenticate the TLS key but it doesn't,
2044 * then mark the connection.
2045 *
2046 * If the cell has a good cert chain and we're doing a v3 handshake, then
2047 * store the certificates in or_handshake_state. If this is the client side
2048 * of the connection, we then authenticate the server or mark the connection.
2049 * If it's the server side, wait for an AUTHENTICATE cell.
2050 */
2051 STATIC void
2053 {
2054 #define MAX_CERT_TYPE_WANTED CERTTYPE_RSA1024_ID_EDID
2055 /* These arrays will be sparse, since a cert type can be at most one
2056 * of ed/x509 */
2073 #define ERR(s) \
2074 do { \
2075 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, \
2077 connection_describe(TO_CONN(chan->conn)), \
2078 (s)); \
2079 connection_or_close_for_error(chan->conn, 0); \
2080 goto err; \
2081 } while (0)
2083 /* Can't use connection_or_nonopen_was_started_here(); its conn->tls
2084 * check looks like it breaks
2085 * test_link_handshake_recv_certs_ok_server(). */
2095 /* Should be unreachable, but let's make sure. */
2097 }
2134 }
2135 }
2137 }
2142 "Received undecodable Ed certificate "
2151 }
2152 }
2154 }
2162 }
2164 }
2165 }
2166 }
2168 /* Move the certificates we (might) want into the handshake_state->certs
2169 * structure. */
2192 rsa_ed_cc_cert_len;
2196 /* Note that this warns more loudly about time and validity if we were
2197 * _trying_ to connect to an authority, not necessarily if we _did_ connect
2198 * to one. */
2202 else
2218 /* No more information is needed. */
2222 {
2231 }
2237 }
2243 }
2254 "Got some good certificates on %s: Authenticated it with "
2260 /* If we initiated the connection and we are not a public server, we
2261 * aren't planning to authenticate at all. At this point we know who we
2262 * are talking to, so we can just send a netinfo now. */
2264 }
2266 /* We can't call it authenticated till we see an AUTHENTICATE cell. */
2268 "Got some good RSA%s certificates on %s. "
2272 /* XXXX check more stuff? */
2273 }
2282 }
2283 }
2285 err:
2288 }
2291 }
2294 #undef ERR
2295 }
2297 /**
2298 * Process an AUTH_CHALLENGE cell from a channel_tls_t.
2299 *
2300 * This function is called to handle an incoming AUTH_CHALLENGE cell on a
2301 * channel_tls_t; if we weren't supposed to get one (for example, because we're
2302 * not the originator of the channel), or it's ill-formed, or we aren't doing
2303 * a v3 handshake, mark the channel. If the cell is well-formed but we don't
2304 * want to authenticate, just drop it. If the cell is well-formed *and* we
2305 * want to authenticate, send an AUTHENTICATE cell and then a NETINFO cell.
2306 */
2307 STATIC void
2309 {
2317 #define ERR(s) \
2318 do { \
2319 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, \
2321 connection_describe(TO_CONN(chan->conn)), \
2322 (s)); \
2323 connection_or_close_for_error(chan->conn, 0); \
2324 goto done; \
2325 } while (0)
2345 /* Now see if there is an authentication type we can use */
2352 }
2353 }
2354 }
2359 /* If we're not a public server then we don't want to authenticate on a
2360 connection we originated, and we already sent a NETINFO cell when we
2361 got the CERTS cell. We have nothing more to do. */
2363 }
2367 "Got an AUTH_CHALLENGE cell on %s: Sending "
2370 use_type);
2377 }
2380 "Got an AUTH_CHALLENGE cell on %s, but we don't "
2383 }
2389 }
2391 done:
2394 #undef ERR
2395 }
2397 /**
2398 * Process an AUTHENTICATE cell from a channel_tls_t.
2399 *
2400 * If it's ill-formed or we weren't supposed to get one or we're not doing a
2401 * v3 handshake, then mark the connection. If it does not authenticate the
2402 * other side of the connection successfully (because it isn't signed right,
2403 * we didn't get a CERTS cell, etc) mark the connection. Otherwise, accept
2404 * the identity of the router on the other side of the connection.
2405 */
2406 STATIC void
2408 {
2419 #define ERR(s) \
2420 do { \
2421 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, \
2423 connection_describe(TO_CONN(chan->conn)), \
2424 (s)); \
2425 connection_or_close_for_error(chan->conn, 0); \
2426 var_cell_free(expected_cell); \
2427 return; \
2428 } while (0)
2439 /* Should be impossible given other checks */
2441 }
2450 {
2462 }
2479 /* Our earlier check had better have made sure we had room
2480 * for an ed25519 sig (inadvertently) */
2484 }
2487 }
2489 /* Length of random part. */
2491 // LCOV_EXCL_START
2493 // LCOV_EXCL_STOP
2494 }
2515 }
2527 }
2531 }
2532 /* Note that we deliberately allow *more* than DIGEST256_LEN bytes here,
2533 * in case they're later used to hold a SHA3 digest or something. */
2537 }
2547 ed25519_signature_t sig;
2552 }
2553 }
2555 /* Okay, we are authenticated. */
2560 {
2568 ed_identity_received =
2572 }
2574 /* This must exist; we checked key type when reading the cert. */
2585 "Calling connection_or_init_conn_from_address on %s "
2588 __func__,
2595 authenticated_rsa_peer_id),
2596 ed_identity_received,
2602 authtype);
2603 }
2607 #undef ERR
2608 }