[or-cvs] Simplify post-TLS-handshake checks, and add check for corre...

Nick Mathewson nickm at seul.org
Tue Nov 18 07:25:07 UTC 2003 

Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/tmp/cvs-serv32517/src/or

Modified Files:
	connection_or.c 
Log Message:
Simplify post-TLS-handshake checks, and add check for correct nickname

Index: connection_or.c
===================================================================
RCS file: /home/or/cvsroot/src/or/connection_or.c,v
retrieving revision 1.73
retrieving revision 1.74
diff -u -d -r1.73 -r1.74
--- connection_or.c	12 Nov 2003 05:12:50 -0000	1.73
+++ connection_or.c	18 Nov 2003 07:25:04 -0000	1.74
@@ -185,75 +185,62 @@
   directory_set_dirty();
   connection_watch_events(conn, POLLIN);
   log_fn(LOG_DEBUG,"tls handshake done. verifying.");
-  if(options.OnionRouter) { /* I'm an OR */
-    if(tor_tls_peer_has_cert(conn->tls)) { /* it's another OR */
-      if (tor_tls_get_peer_cert_nickname(conn->tls, nickname, 256)) {
-        log_fn(LOG_WARN,"Other side (%s:%d) has a cert without a valid nickname. Closing.",
-               conn->address, conn->port);
-        return -1;
-      }
-      log_fn(LOG_DEBUG,"Other side claims to be \"%s\"",nickname);
-      pk = tor_tls_verify(conn->tls);
-      if(!pk) {
-        log_fn(LOG_WARN,"Other side (%s:%d) has a cert but it's invalid. Closing.",
-               conn->address, conn->port);
-        return -1;
-      }
-      router = router_get_by_link_pk(pk);
-      if (!router) {
-        log_fn(LOG_WARN,"Unrecognized public key from peer (%s:%d). Closing.",
-               conn->address, conn->port);
-        crypto_free_pk_env(pk);
-        return -1;
-      }
-      if(conn->link_pkey) { /* I initiated this connection. */
-        if(crypto_pk_cmp_keys(conn->link_pkey, pk)) {
-          log_fn(LOG_WARN,"We connected to '%s' but he gave us a different key. Closing.",
-                 router->nickname);
-          crypto_free_pk_env(pk);
-          return -1;
-        }
-        log_fn(LOG_DEBUG,"The router's pk matches the one we meant to connect to. Good.");
-      } else {
-        if(connection_exact_get_by_addr_port(router->addr,router->or_port)) {
-          log_fn(LOG_INFO,"Router %s is already connected. Dropping.", router->nickname);
-          return -1;
-        }
-        connection_or_init_conn_from_router(conn, router);
-      }
-      crypto_free_pk_env(pk);
-    } else { /* it's an OP */
+  if (! tor_tls_peer_has_cert(conn->tls)) { /* It's an OP. */
+    if (options.OnionRouter) { /* I'm an OR; good. */
       conn->receiver_bucket = conn->bandwidth = DEFAULT_BANDWIDTH_OP;
-    }
-  } else { /* I'm a client */
-    if(!tor_tls_peer_has_cert(conn->tls)) { /* it's a client too?! */
+      return 0;
+    } else { /* Neither side sent a certificate: ouch. */
       log_fn(LOG_WARN,"Neither peer sent a cert! Closing.");
       return -1;
     }
-    pk = tor_tls_verify(conn->tls);
-    if(!pk) {
-      log_fn(LOG_WARN,"Other side (%s:%d) has a cert but it's invalid. Closing.",
-             conn->address, conn->port);
-      return -1;
-    }
-    router = router_get_by_link_pk(pk);
-    if (!router) {
-      log_fn(LOG_WARN,"Unrecognized public key from peer (%s:%d). Closing.",
-             conn->address, conn->port);
+  }
+  /* Okay; the other side is an OR. */
+  if (tor_tls_get_peer_cert_nickname(conn->tls, nickname, 256)) {
+    log_fn(LOG_WARN,"Other side (%s:%d) has a cert without a valid nickname. Closing.",
+           conn->address, conn->port);
+    return -1;
+  }
+  log_fn(LOG_DEBUG, "Other side claims to be '%s'", nickname);
+  pk = tor_tls_verify(conn->tls);
+  if(!pk) {
+    log_fn(LOG_WARN,"Other side (%s:%d) has a cert but it's invalid. Closing.",
+           conn->address, conn->port);
+    return -1;
+  }
+  router = router_get_by_link_pk(pk);
+  if (!router) {
+    log_fn(LOG_WARN,"Unrecognized public key from peer '%s' (%s:%d). Closing.",
+           nickname, conn->address, conn->port);
+    crypto_free_pk_env(pk);
+    return -1;
+  }
+  if(conn->link_pkey) { /* I initiated this connection. */
+    if(crypto_pk_cmp_keys(conn->link_pkey, pk)) {
+      log_fn(LOG_WARN,"We connected to '%s' (%s:%d) but he gave us a different key. Closing.",
+             nickname, conn->address, conn->port);
       crypto_free_pk_env(pk);
       return -1;
     }
-    if(crypto_pk_cmp_keys(conn->link_pkey, pk)) {
-      log_fn(LOG_WARN,"We connected to '%s' but he gave us a different key. Closing.",
-             router->nickname);
+    log_fn(LOG_DEBUG,"The router's pk matches the one we meant to connect to. Good.");
+  } else {
+    if(connection_exact_get_by_addr_port(router->addr,router->or_port)) {
+      log_fn(LOG_INFO,"Router %s is already connected. Dropping.", router->nickname);
       crypto_free_pk_env(pk);
       return -1;
     }
-    log_fn(LOG_DEBUG,"The router's pk matches the one we meant to connect to. Good.");
+    connection_or_init_conn_from_router(conn, router);
     crypto_free_pk_env(pk);
+  } 
+  if (strcmp(conn->nickname, nickname)) {
+    log_fn(LOG_WARN,"Other side claims to be '%s', but we wanted '%s'",
+           nickname, conn->nickname);
+    return -1;
+  }
+  if (!options.OnionRouter) {
+    /* If I'm an OP... */
     conn->receiver_bucket = conn->bandwidth = DEFAULT_BANDWIDTH_OP;
-    circuit_n_conn_open(conn); /* send the pending create */
   }
+  circuit_n_conn_open(conn); /* send the pending creates, if any. */
   return 0;
 }

More information about the tor-commits mailing list