commit 2dec6597af4014eb731d8caac55a8a87964ce371 Merge: 2c4e89b 4684ced Author: Sebastian Hahn sebastian@torproject.org Date: Thu Oct 27 00:15:25 2011 +0200
Merge branch 'maint-0.2.2_secfix' into master_secfix
Conflicts: src/common/tortls.c src/or/connection_or.c src/or/dirserv.c src/or/or.h
changes/issue-2011-10-19L | 28 +++++++++++ changes/issue-2011-10-23G | 9 +++ src/common/tortls.c | 119 +++++++++++++++++++++++++-------------------- src/or/command.c | 13 ++++- src/or/config.c | 2 + src/or/connection_or.c | 7 +++ src/or/dirserv.c | 79 ++++++++++++++++++++++++++++- src/or/or.h | 10 ++++ src/or/routerparse.c | 3 +- src/or/routerparse.h | 1 + 10 files changed, 212 insertions(+), 59 deletions(-)
diff --cc src/common/tortls.c
index a8b6085,352c3d6..7aaa4e0
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@@ -204,13 -189,14 +204,15 @@@ static X509* tor_tls_create_certificate const char *cname, const char *cname_sign, unsigned int lifetime); -static void tor_tls_unblock_renegotiation(tor_tls_t *tls); + static int tor_tls_context_init_one(tor_tls_context_t **ppcontext, crypto_pk_env_t *identity, - unsigned int key_lifetime); + unsigned int key_lifetime, + int is_client); static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity, - unsigned int key_lifetime); + unsigned int key_lifetime, + int is_client); +static int check_cert_lifetime_internal(const X509 *cert, int tolerance);
/** Global TLS contexts. We keep them here because nobody else needs * to touch them. */
@@@ -1085,12 -727,13 +1091,13 @@@ tor_tls_context_init_one(tor_tls_contex * certificate. */ static tor_tls_context_t * - tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) + tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime, + int is_client) { - crypto_pk_env_t *rsa = NULL; + crypto_pk_env_t *rsa = NULL, *rsa_auth = NULL; EVP_PKEY *pkey = NULL; tor_tls_context_t *result = NULL; - X509 *cert = NULL, *idcert = NULL; + X509 *cert = NULL, *idcert = NULL, *authcert = NULL; char *nickname = NULL, *nn2 = NULL;
tor_tls_init();
@@@ -1106,35 -745,26 +1113,39 @@@ goto error; if (crypto_pk_generate_key(rsa)<0) goto error; - /* Generate short-term RSA key for use in the in-protocol ("v3") - * authentication handshake. */ - if (!(rsa_auth = crypto_new_pk_env())) - goto error; - if (crypto_pk_generate_key(rsa_auth)<0) - goto error; - /* Create a link certificate signed by identity key. */ - cert = tor_tls_create_certificate(rsa, identity, nickname, nn2, - key_lifetime); - /* Create self-signed certificate for identity key. */ - idcert = tor_tls_create_certificate(identity, identity, nn2, nn2, - IDENTITY_CERT_LIFETIME); - /* Create an authentication certificate signed by identity key. */ - authcert = tor_tls_create_certificate(rsa_auth, identity, nickname, nn2, - key_lifetime); - if (!cert || !idcert || !authcert) { - log(LOG_WARN, LD_CRYPTO, "Error creating certificate"); - goto error; + if (!is_client) { - /* Create certificate signed by identity key. */ ++ /* Generate short-term RSA key for use in the in-protocol ("v3") ++ * authentication handshake. */ ++ if (!(rsa_auth = crypto_new_pk_env())) ++ goto error; ++ if (crypto_pk_generate_key(rsa_auth)<0) ++ goto error; ++ /* Create a link certificate signed by identity key. */ + cert = tor_tls_create_certificate(rsa, identity, nickname, nn2, + key_lifetime); + /* Create self-signed certificate for identity key. */ + idcert = tor_tls_create_certificate(identity, identity, nn2, nn2, + IDENTITY_CERT_LIFETIME); - if (!cert || !idcert) { ++ /* Create an authentication certificate signed by identity key. */ ++ authcert = tor_tls_create_certificate(rsa_auth, identity, nickname, nn2, ++ key_lifetime); ++ if (!cert || !idcert || !authcert) { + log(LOG_WARN, LD_CRYPTO, "Error creating certificate"); + goto error; + } }
result = tor_malloc_zero(sizeof(tor_tls_context_t)); result->refcnt = 1; - result->my_link_cert = tor_cert_new(X509_dup(cert)); - result->my_id_cert = tor_cert_new(X509_dup(idcert)); - result->my_auth_cert = tor_cert_new(X509_dup(authcert)); - if (!result->my_link_cert || !result->my_id_cert || !result->my_auth_cert) - goto error; - result->link_key = crypto_pk_dup_key(rsa); - result->auth_key = crypto_pk_dup_key(rsa_auth); + if (!is_client) { - result->my_cert = X509_dup(cert); - result->my_id_cert = X509_dup(idcert); - result->key = crypto_pk_dup_key(rsa); ++ result->my_link_cert = tor_cert_new(X509_dup(cert)); ++ result->my_id_cert = tor_cert_new(X509_dup(idcert)); ++ result->my_auth_cert = tor_cert_new(X509_dup(authcert)); ++ if (!result->my_link_cert || !result->my_id_cert || !result->my_auth_cert) ++ goto error; ++ result->link_key = crypto_pk_dup_key(rsa); ++ result->auth_key = crypto_pk_dup_key(rsa_auth); + }
#ifdef EVERYONE_HAS_AES /* Tell OpenSSL to only use TLS1 */
diff --cc src/or/command.c
index c85b057,1fa8bc6..d35e2a9
--- a/src/or/command.c
+++ b/src/or/command.c
@@@ -316,6 -232,7 +316,7 @@@ static voi command_process_create_cell(cell_t *cell, or_connection_t *conn) { or_circuit_t *circ; - or_options_t *options = get_options(); ++ const or_options_t *options = get_options(); int id_is_high;
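Review bot: On the `is_client` path both new `if (!is_client)` blocks skip certificate and key creation, so `result->my_link_cert`, `my_id_cert`, `my_auth_cert`, `link_key` and `auth_key` stay NULL from `tor_malloc_zero()`; the rest of the constructor and the `error:` label are outside this hunk, so confirm that the code which loads certs and keys into the SSL_CTX is guarded by `is_client` as well, and that the cleanup path releases the newly introduced `rsa_auth` and `authcert` on both the success route and the partial-failure route. `tor_cert_new(X509_dup(cert))` forwards a NULL if `X509_dup()` fails, so the NULL check after the three calls only helps if `tor_cert_new(NULL)` returns NULL instead of dereferencing its argument; that contract is not visible here and deserves an explicit `X509_dup` check or a comment. A one-line comment on the first `if (!is_client)`, e.g. `/* Clients have no identity: no link/ID/auth certs or keys are made; the context fields stay NULL. */`, would make the intentional asymmetry obvious to the next reader. tor_tls_context_new() starts before this hunk and ends after it.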
if (we_are_hibernating()) {
diff --cc src/or/config.c
index c5322f5,78e4336..1b9f9fb
--- a/src/or/config.c
+++ b/src/or/config.c
@@@ -282,9 -269,10 +282,11 @@@ static config_var_t _option_vars[] = V(GeoIPFile, FILENAME, SHARE_DATADIR PATH_SEPARATOR "tor" PATH_SEPARATOR "geoip"), #endif + V(GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays, + BOOL, "0"), OBSOLETE("Group"), V(HardwareAccel, BOOL, "0"), + V(HeartbeatPeriod, INTERVAL, "6 hours"), V(AccelName, STRING, NULL), V(AccelDir, FILENAME, NULL), V(HashedControlPassword, LINELIST, NULL),
diff --cc src/or/connection_or.c
index 14da698,27a34d3..4c0960c
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@@ -1031,20 -813,21 +1036,22 @@@ connection_or_connect(const tor_addr_t conn->_base.state = OR_CONN_STATE_CONNECTING; control_event_or_conn_status(conn, OR_CONN_EVENT_LAUNCHED, 0);
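Review bot: `GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays` is added to `_option_vars[]` without any comment, and its only consumer visible in this commit is `set_routerstatus_from_routerinfo()` in dirserv.c, so a reader of config.c cannot tell that it is a directory-side override for Guard-flag assignment rather than a relay or client knob. I would put `/* Directory-authority override: when 1, relays whose version is affected by CVE-2011-2768 may still receive the Guard flag. Default 0 (deny). */` above the `V(...)` line, and make sure the man page and the changes/ entry listed in the diffstat describe it the same way. `HeartbeatPeriod` is unrelated to the security fix and arrives via the merge; that is fine, but the merge message should say so rather than leaving it to be discovered in the diff.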
+ conn->is_outgoing = 1; + - /* use a proxy server if available */ - if (options->HTTPSProxy) { - using_proxy = 1; - tor_addr_copy(&addr, &options->HTTPSProxyAddr); - port = options->HTTPSProxyPort; - } else if (options->Socks4Proxy) { - using_proxy = 1; - tor_addr_copy(&addr, &options->Socks4ProxyAddr); - port = options->Socks4ProxyPort; - } else if (options->Socks5Proxy) { - using_proxy = 1; - tor_addr_copy(&addr, &options->Socks5ProxyAddr); - port = options->Socks5ProxyPort; + /* If we are using a proxy server, find it and use it. */ + r = get_proxy_addrport(&proxy_addr, &proxy_port, &proxy_type, TO_CONN(conn)); + if (r == 0) { + conn->proxy_type = proxy_type; + if (proxy_type != PROXY_NONE) { + tor_addr_copy(&addr, &proxy_addr); + port = proxy_port; + conn->_base.proxy_state = PROXY_INFANT; + } + } else { + log_warn(LD_GENERAL, "Tried to connect through proxy, but proxy address " + "could not be found."); + connection_free(TO_CONN(conn)); + return NULL; }
switch (connection_connect(TO_CONN(conn), conn->_base.address,
diff --cc src/or/dirserv.c
index 5cb4aba,c427fe2..288fca9
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@@ -2333,9 -2363,13 +2402,13 @@@ set_routerstatus_from_routerinfo(router (router_get_advertised_bandwidth(ri) >= BANDWIDTH_TO_GUARANTEE_GUARD || router_get_advertised_bandwidth(ri) >= MIN(guard_bandwidth_including_exits, - guard_bandwidth_excluding_exits))) { - long tk = rep_hist_get_weighted_time_known(node->identity, now); - double wfu = rep_hist_get_weighted_fractional_uptime(node->identity, now); + guard_bandwidth_excluding_exits)) && + (options->GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays || + is_router_version_good_for_possible_guard(ri->platform))) { + long tk = rep_hist_get_weighted_time_known( - ri->cache_info.identity_digest, now); ++ node->identity, now); + double wfu = rep_hist_get_weighted_fractional_uptime( - ri->cache_info.identity_digest, now); ++ node->identity, now); rs->is_possible_guard = (wfu >= guard_wfu && tk >= guard_tk) ? 1 : 0; } else { rs->is_possible_guard = 0;
diff --cc src/or/or.h
index 7a901e7,7d50e1f..e4f9b9b
--- a/src/or/or.h
+++ b/src/or/or.h
@@@ -1220,7 -1068,12 +1220,13 @@@ typedef struct or_connection_t * router itself has a problem. */ unsigned int is_bad_for_new_circs:1; + /** True iff we have decided that the other end of this connection + * is a client. Connections with this flag set should never be used + * to satisfy an EXTEND request. */ + unsigned int is_connection_with_client:1; + /** True iff this is an outgoing connection. */ + unsigned int is_outgoing:1; + unsigned int proxy_type:2; /**< One of PROXY_NONE...PROXY_SOCKS5 */ uint8_t link_proto; /**< What protocol version are we using? 0 for * "none negotiated yet." */ circid_t next_circ_id; /**< Which circ_id do we try to use next on
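Review bot: The new `else` branch after `get_proxy_addrport()` frees the connection after the function has already moved it to `OR_CONN_STATE_CONNECTING` and emitted `OR_CONN_EVENT_LAUNCHED` (the first two lines of the hunk), but it raises no matching failure event, so a controller watching ORCONN events sees a LAUNCHED that is never closed; the connect()-failure path in the `switch` just below is outside the hunk, and if it routes through a failure helper before `connection_free()`, this branch should call the same helper with a proxy-lookup reason before the `connection_free(TO_CONN(conn));` line. When `r == 0` but `proxy_type == PROXY_NONE`, `conn->_base.proxy_state` is left untouched; that is only correct if the allocator already zero-initialises it to the no-proxy value, which is not visible here and is worth confirming or making explicit. connection_or_connect() starts before this hunk and continues after it.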
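Review bot: The Guard-flag gate now depends on `is_router_version_good_for_possible_guard(ri->platform)`, whose definition is not in this hunk; if `platform` can be NULL or is unparseable, a CVE-driven exclusion should fail closed and treat the unknown version as vulnerable (return 0), leaving `GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays` as the authority's only way to re-admit such relays. Please confirm the helper behaves that way and record it at the call site, e.g. `/* Unknown or unparseable versions count as vulnerable; the option above is the authority override. */`. The switch from `ri->cache_info.identity_digest` to `node->identity` for both rep_hist lookups assumes `node` is non-NULL at this point; its initialisation is above the hunk, so that check should be verified. set_routerstatus_from_routerinfo() starts before this hunk and ends after it.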