Commit e2e0d09d authored by George Kadianakis's avatar George Kadianakis Committed by Nick Mathewson
Browse files

Various Extended ORPort code improvements. 

* Add documentation.
* Free ext_or_auth_correct_client_hash.
* Use VPORT(ExtORPort) instead of V(ExtORPOrt).
  See dfe03d36 for details.
parent 85b7c731

src/or/connection.c

+1 −0
Original line number Diff line number Diff line
@@ -601,6 +601,7 @@ connection_free_(connection_t *conn) 
  if (conn->type == CONN_TYPE_OR || conn->type == CONN_TYPE_EXT_OR) {

    connection_or_remove_from_ext_or_id_map(TO_OR_CONN(conn));

    tor_free(TO_OR_CONN(conn)->ext_or_conn_id);

    tor_free(TO_OR_CONN(conn)->ext_or_auth_correct_client_hash);

  }



#ifdef USE_BUFFEREVENTS

src/or/connection_or.c

+52 −15
Original line number Diff line number Diff line
@@ -179,8 +179,8 @@ connection_or_set_identity_digest(or_connection_t *conn, const char *digest) 
}



/** Remove the Extended ORPort identifier of <b>conn</b> from the

    global identifier list. Also, clear the identifier from the

    connection itself. */

 *  global identifier list. Also, clear the identifier from the

 *  connection itself. */

void

connection_or_remove_from_ext_or_id_map(or_connection_t *conn)

{
@@ -2443,7 +2443,10 @@ connection_or_send_authenticate_cell(or_connection_t *conn, int authtype) 
  return 0;

}



/** Get an Extended ORPort message from <b>conn</b>, and place it in <b>out</b>. */

/** Get an Extended ORPort message from <b>conn</b>, and place it in

 *  <b>out</b>. Return -1 on fail, 0 if we need more data, and 1 if we

 *  successfully extracted an Extended ORPort command from the

 *  buffer.  */

static int

connection_fetch_ext_or_cmd_from_buf(connection_t *conn, ext_or_cmd_t **out)

{
@@ -2490,13 +2493,19 @@ connection_ext_or_transition(or_connection_t *conn) 
  connection_tls_start_handshake(conn, 1);

}



/** DOCDOCDOC */

/** Length of authentication cookie. */

#define EXT_OR_PORT_AUTH_COOKIE_LEN 32

/** Length of the header of the cookie file. */

#define EXT_OR_PORT_AUTH_COOKIE_HEADER_LEN 32

/** Total length of the cookie file. */

#define EXT_OR_PORT_AUTH_COOKIE_FILE_LEN EXT_OR_PORT_AUTH_COOKIE_LEN+EXT_OR_PORT_AUTH_COOKIE_HEADER_LEN

/** Static cookie file header. */

#define EXT_OR_PORT_AUTH_COOKIE_HEADER "! Extended ORPort Auth Cookie !\x0a"

/** Length of safe-cookie protocol hashes. */

#define EXT_OR_PORT_AUTH_HASH_LEN DIGEST256_LEN

/** Length of safe-cookie protocol nonces. */

#define EXT_OR_PORT_AUTH_NONCE_LEN 32

/** Safe-cookie protocol constants. */

#define EXT_OR_PORT_AUTH_SERVER_TO_CLIENT_CONST "ExtORPort authentication server-to-client hash"

#define EXT_OR_PORT_AUTH_CLIENT_TO_SERVER_CONST "ExtORPort authentication client-to-server hash"
@@ -2541,14 +2550,15 @@ init_ext_or_auth_cookie_authentication(int is_enabled) 
  if (ext_or_auth_cookie_is_set)

    return 0; /* all set */



  fname = get_ext_or_auth_cookie_file();

  crypto_rand(ext_or_auth_cookie, EXT_OR_PORT_AUTH_COOKIE_LEN);

  if (crypto_rand(ext_or_auth_cookie, EXT_OR_PORT_AUTH_COOKIE_LEN) < 0)

    return -1;

  ext_or_auth_cookie_is_set = 1;



  memcpy(cookie_file_string, EXT_OR_PORT_AUTH_COOKIE_HEADER, EXT_OR_PORT_AUTH_COOKIE_HEADER_LEN);

  memcpy(cookie_file_string+EXT_OR_PORT_AUTH_COOKIE_HEADER_LEN,

         ext_or_auth_cookie, EXT_OR_PORT_AUTH_COOKIE_LEN);



  fname = get_ext_or_auth_cookie_file();

  if (write_bytes_to_file(fname, cookie_file_string,

                          EXT_OR_PORT_AUTH_COOKIE_FILE_LEN, 1)) {

    log_warn(LD_FS,"Error writing authentication cookie to %s.",
@@ -2564,11 +2574,15 @@ init_ext_or_auth_cookie_authentication(int is_enabled) 
  return 0;

}



/** DOCDOCDOC

    Return -1 on error. 0 on unsufficient data. 1 on correct.

*/

/** Read data from <b>conn</b> and see if the client sent us the

 *  authentication type that she prefers to use in this session.

 *

 *  Return -1 if we received corrupted data or if we don't support the

 *  authentication type. Return 0 if we need more data in

 *  <b>conn</b>. Return 1 if the authentication type negotiation was

 *  successful. */

static int

connection_ext_or_auth_neg_auth_type(connection_t *conn) /* XXX unit tests */

connection_ext_or_auth_neg_auth_type(connection_t *conn)

{

  char authtype[1] = {0};
@@ -2582,10 +2596,16 @@ connection_ext_or_auth_neg_auth_type(connection_t *conn) /* XXX unit tests */ 
  if (authtype[0] != 1) /* '1' is the only auth type supported atm */

    return -1;



  conn->state = EXT_OR_CONN_STATE_AUTH_WAIT_CLIENT_NONCE; /* XXX maybe do state transition in process_inbuf ? */

  conn->state = EXT_OR_CONN_STATE_AUTH_WAIT_CLIENT_NONCE;

  return 1;

}



/** Read the client's nonce out of <b>conn</b>, setup the safe-cookie

 *  crypto, and then send our own hash and nonce to the client

 *

 *  Return -1 if there was an error; return 0 if we need more data in

 *  <b>conn</b>, and return 1 if we successfully retrieved the

 *  client's nonce and sent our own. */

static int

connection_ext_or_auth_handle_client_nonce(connection_t *conn)

{
@@ -2692,6 +2712,8 @@ connection_ext_or_auth_handle_client_nonce(connection_t *conn) 
#define connection_ext_or_auth_send_result_fail(c)  \

  connection_ext_or_auth_send_result(c, 0)



/** Send authentication results to <b>conn</b>. Successful results if

 *  <b>success</b> is set; failure results otherwise. */

static void

connection_ext_or_auth_send_result(connection_t *conn, int success)

{
@@ -2701,6 +2723,13 @@ connection_ext_or_auth_send_result(connection_t *conn, int success) 
    connection_write_to_buf("\x00", 1, conn);

}



/** Receive the client's hash from <b>conn</b>, validate that it's

 *  correct, and then send the authentication results to the client.

 *

 *  Return -1 if there was an error during validation; return 0 if we

 *  need more data in <b>conn</b>, and return 1 if we successfully

 *  validated the client's hash and sent a happy authentication

 *  result. */

static int

connection_ext_or_auth_handle_client_hash(connection_t *conn)

{
@@ -2727,9 +2756,8 @@ connection_ext_or_auth_handle_client_hash(connection_t *conn) 
  return 1;

}



/** DOCDOCDOC

    Return -1 on error. 0 on unsufficient data. 1 on correct.

*/

/** Handle data from <b>or_conn</b> received on Extended ORPort.

 *  Return -1 on error. 0 on unsufficient data. 1 on correct. */

static int

connection_ext_or_auth_process_inbuf(or_connection_t *or_conn)

{
@@ -2761,6 +2789,14 @@ connection_ext_or_auth_process_inbuf(or_connection_t *or_conn) 
#define EXT_OR_CMD_BT_DENY 0x1001

#define EXT_OR_CMD_BT_CONTROL 0x1002





/** Process a USERADDR command from the Extended

 *  ORPort. <b>payload</b> is a payload of size <b>len</b>.

 *

 *  If the USERADDR command was well formed, change the address of

 *  <b>conn</b> to the address on the USERADDR command.

 *

 *  Return 0 on success and -1 on error. */

static int

connection_ext_or_handle_useraddr(connection_t *conn, char *payload, uint16_t len)

{
@@ -2883,7 +2919,8 @@ connection_ext_or_finished_flushing(or_connection_t *conn) 
  return 0;

}



/* DOCDOCDOC */

/** Initiate Extended ORPort authentication, by sending the list of

 *  supported authentication types to the client. */

int

connection_ext_or_start_auth(or_connection_t *or_conn)

{

src/or/transports.c

+1 −1
Original line number Diff line number Diff line
@@ -1261,7 +1261,7 @@ create_managed_proxy_environment(const managed_proxy_t *mp) 
     * variable in Tor's environment and crash PTs that try to parse

     * it even when not run in server mode.) */



    if (options->ExtORPort) {

    if (options->ExtORPort_lines) {

      char *ext_or_addrport_tmp =

        get_first_listener_addrport_string(CONN_TYPE_EXT_OR_LISTENER);

      char *cookie_file_loc = get_ext_or_auth_cookie_file();