[tor/maint-0.2.2] Merge branch 'maint-0.2.1_secfix' into maint-0.2.2_secfix - tor-commits

27 Oct 2011

commit df05e5ef4d5e379e50b38e29fa23228e5b260e8a
Merge: f85c561 a74e7fd
Author: Sebastian Hahn sebastian@torproject.org
Date:   Wed Oct 26 23:30:27 2011 +0200
Merge branch 'maint-0.2.1_secfix' into maint-0.2.2_secfix
Conflicts:
    	src/or/connection_or.c
changes/issue-2011-10-19L |   21 ++++++++++
 changes/issue-2011-10-23G |    9 ++++
 src/common/tortls.c       |   93 ++++++++++++++++++++++++++-------------------
 src/or/command.c          |   13 +++++-
 src/or/connection_or.c    |    7 +++
 src/or/or.h               |    6 +++
 6 files changed, 108 insertions(+), 41 deletions(-)
diff --cc src/common/tortls.c
index 10f4440,cc805f8..352c3d6

--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@@ -681,13 -655,16 +684,14 @@@ tor_tls_context_init(int is_public_serv
rv2 = tor_tls_context_init_one(&client_tls_context,
                                     client_identity,
-                                    key_lifetime);
+                                    key_lifetime,
+                                    1);
    }
-  return rv1 < rv2 ? rv1 : rv2;
 +  return MIN(rv1, rv2);
  }
-/** Create a new TLS context for use with Tor TLS handshakes.
 - * <b>identity</b> should be set to the identity key used to sign the
 - * certificate.
 +/** Create a new global TLS context.
   *
   * You can call this function multiple times.  Each time you call it,
   * it generates new certificates; all new connections will use
@@@ -785,30 -769,33 +796,34 @@@ tor_tls_context_new(crypto_pk_env_t *id
  #ifdef SSL_MODE_RELEASE_BUFFERS
    SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS);
  #endif
-   if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
-     goto error;
-   X509_free(cert); /* We just added a reference to cert. */
-   cert=NULL;
-   if (idcert) {
-     X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
-     tor_assert(s);
-     X509_STORE_add_cert(s, idcert);
-     X509_free(idcert); /* The context now owns the reference to idcert */
-     idcert = NULL;
+   if (! is_client) {
+     if (cert && !SSL_CTX_use_certificate(result->ctx,cert))
+       goto error;
+     X509_free(cert); /* We just added a reference to cert. */
+     cert=NULL;
+     if (idcert) {
+       X509_STORE *s = SSL_CTX_get_cert_store(result->ctx);
+       tor_assert(s);
+       X509_STORE_add_cert(s, idcert);
+       X509_free(idcert); /* The context now owns the reference to idcert */
+       idcert = NULL;
+     }
    }
    SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF);
-   tor_assert(rsa);
-   if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1)))
-     goto error;
-   if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
-     goto error;
-   EVP_PKEY_free(pkey);
-   pkey = NULL;
-   if (!SSL_CTX_check_private_key(result->ctx))
-     goto error;
+   if (!is_client) {
+     tor_assert(rsa);
+     if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1)))
+       goto error;
+     if (!SSL_CTX_use_PrivateKey(result->ctx, pkey))
+       goto error;
+     EVP_PKEY_free(pkey);
+     pkey = NULL;
+     if (!SSL_CTX_check_private_key(result->ctx))
+       goto error;
+   }
    {
      crypto_dh_env_t *dh = crypto_dh_new(DH_TYPE_TLS);
 +    tor_assert(dh);
      SSL_CTX_set_tmp_dh(result->ctx, _crypto_dh_env_get_dh(dh));
      crypto_dh_free(dh);
    }
diff --cc src/or/connection_or.c
index c019f65,f019c79..27a34d3
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@@ -808,19 -776,12 +813,21 @@@ connection_or_connect(const tor_addr_t 
    conn->_base.state = OR_CONN_STATE_CONNECTING;
    control_event_or_conn_status(conn, OR_CONN_EVENT_LAUNCHED, 0);
+   conn->is_outgoing = 1;
+ 
 -  if (options->HttpsProxy) {
 -    /* we shouldn't connect directly. use the https proxy instead. */
 -    tor_addr_from_ipv4h(&addr, options->HttpsProxyAddr);
 -    port = options->HttpsProxyPort;
 +  /* use a proxy server if available */
 +  if (options->HTTPSProxy) {
 +    using_proxy = 1;
 +    tor_addr_copy(&addr, &options->HTTPSProxyAddr);
 +    port = options->HTTPSProxyPort;
 +  } else if (options->Socks4Proxy) {
 +    using_proxy = 1;
 +    tor_addr_copy(&addr, &options->Socks4ProxyAddr);
 +    port = options->Socks4ProxyPort;
 +  } else if (options->Socks5Proxy) {
 +    using_proxy = 1;
 +    tor_addr_copy(&addr, &options->Socks5ProxyAddr);
 +    port = options->Socks5ProxyPort;
    }
switch (connection_connect(TO_CONN(conn), conn->_base.address,
diff --cc src/or/or.h
index 31deb89,edbb73c..8638f20
--- a/src/or/or.h
+++ b/src/or/or.h
@@@ -1062,12 -1028,15 +1062,18 @@@ typedef struct or_connection_t 
     * NETINFO cell listed the address we're connected to as recognized. */
    unsigned int is_canonical:1;
    /** True iff this connection shouldn't get any new circs attached to it,
 -   * because the connection is too old, or because there's a better one, etc.
 +   * because the connection is too old, or because there's a better one.
 +   * More generally, this flag is used to note an unhealthy connection;
 +   * for example, if a bad connection fails we shouldn't assume that the
 +   * router itself has a problem.
     */
    unsigned int is_bad_for_new_circs:1;
+   /** True iff we have decided that the other end of this connection
+    * is a client.  Connections with this flag set should never be used
+    * to satisfy an EXTEND request.  */
+   unsigned int is_connection_with_client:1;
+   /** True iff this is an outgoing connection. */
+   unsigned int is_outgoing:1;
    uint8_t link_proto; /**< What protocol version are we using? 0 for
                         * "none negotiated yet." */
    circid_t next_circ_id; /**< Which circ_id do we try to use next on

    