[or-cvs] check for funny business from the remote peer
Roger Dingledine
arma at seul.org
Thu Sep 11 22:19:50 UTC 2003
Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/home2/arma/work/onion/cvs/src/or
Modified Files:
connection.c or.h
Log Message:
check for funny business from the remote peer
Index: connection.c
===================================================================
RCS file: /home/or/cvsroot/src/or/connection.c,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -d -r1.84 -r1.85
--- connection.c 11 Sep 2003 20:32:15 -0000 1.84
+++ connection.c 11 Sep 2003 22:19:48 -0000 1.85
@@ -319,18 +319,52 @@
if (!router) {
log_fn(LOG_INFO,"Unrecognized public key from peer. Closing.");
crypto_free_pk_env(pk);
+ return -1;
+ }
+ if(conn->pkey) { /* I initiated this connection. */
+ if(crypto_pk_cmp_keys(conn->pkey, pk)) {
+ log_fn(LOG_INFO,"We connected to '%s' but he gave us a different key. Closing.", router->nickname);
+ crypto_free_pk_env(pk);
+ return -1;
+ }
+ log_fn(LOG_DEBUG,"The router's pk matches the one we meant to connect to. Good.");
+ crypto_free_pk_env(pk);
+ } else {
+ if(connection_exact_get_by_addr_port(router->addr,router->or_port)) {
+ log_fn(LOG_INFO,"That router is already connected. Dropping.");
+ return -1;
+ }
+ conn->pkey = pk;
+ conn->bandwidth = router->bandwidth;
+ conn->addr = router->addr, conn->port = router->or_port;
+ conn->address = strdup(router->address);
}
- conn->bandwidth = router->bandwidth;
- conn->addr = router->addr, conn->port = router->or_port;
- conn->pkey = pk;
- if(conn->address)
- free(conn->address);
- conn->address = strdup(router->address);
} else { /* it's an OP */
conn->bandwidth = DEFAULT_BANDWIDTH_OP;
}
} else { /* I'm a client */
- /* XXX Clients should also verify certificates. */
+ if(!tor_tls_peer_has_cert(conn->tls)) { /* it's a client too?! */
+ log_fn(LOG_INFO,"Neither peer sent a cert! Closing.");
+ return -1;
+ }
+ pk = tor_tls_verify(conn->tls);
+ if(!pk) {
+ log_fn(LOG_INFO,"Other side has a cert but it's bad. Closing.");
+ return -1;
+ }
+ router = router_get_by_pk(pk);
+ if (!router) {
+ log_fn(LOG_INFO,"Unrecognized public key from peer. Closing.");
+ crypto_free_pk_env(pk);
+ return -1;
+ }
+ if(crypto_pk_cmp_keys(conn->pkey, pk)) {
+ log_fn(LOG_INFO,"We connected to '%s' but he gave us a different key. Closing.", router->nickname);
+ crypto_free_pk_env(pk);
+ return -1;
+ }
+ log_fn(LOG_DEBUG,"The router's pk matches the one we meant to connect to. Good.");
+ crypto_free_pk_env(pk);
conn->bandwidth = DEFAULT_BANDWIDTH_OP;
circuit_n_conn_open(conn); /* send the pending create */
}
Index: or.h
===================================================================
RCS file: /home/or/cvsroot/src/or/or.h,v
retrieving revision 1.119
retrieving revision 1.120
diff -u -d -r1.119 -r1.120
--- or.h 11 Sep 2003 20:32:15 -0000 1.119
+++ or.h 11 Sep 2003 22:19:48 -0000 1.120
@@ -7,6 +7,8 @@
#include "orconfig.h"
+#define USE_TLS
+
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
@@ -351,6 +353,7 @@
/* config stuff we know about the other ORs in the network */
typedef struct {
char *address;
+ char *nickname;
uint32_t addr; /* all host order */
uint16_t or_port;
More information about the tor-commits
mailing list