Merge branch 'maint-0.2.2_secfix' into master_secfix
authorSebastian Hahn <sebastian@torproject.org>
Wed, 26 Oct 2011 22:15:25 +0000 (00:15 +0200)
committerSebastian Hahn <sebastian@torproject.org>
Wed, 26 Oct 2011 22:38:45 +0000 (00:38 +0200)
Conflicts:
src/common/tortls.c
src/or/connection_or.c
src/or/dirserv.c
src/or/or.h

src/common/tortls.c
src/or/command.c
src/or/config.c
src/or/connection_or.c
src/or/dirserv.c
src/or/or.h
src/or/routerparse.c

index a8b60850b47d0c8b543c569780568ddcbbb6a5b8,352c3d6176057922ca3db6ac899103e1e950fda5..7aaa4e08941ce4e4cefc98a8ef8be732d69110a1
@@@ -204,13 -189,14 +204,15 @@@ static X509* tor_tls_create_certificate
                                          const char *cname,
                                          const char *cname_sign,
                                          unsigned int lifetime);
 -static void tor_tls_unblock_renegotiation(tor_tls_t *tls);
 +
  static int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
                                      crypto_pk_env_t *identity,
-                                     unsigned int key_lifetime);
+                                     unsigned int key_lifetime,
+                                     int is_client);
  static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity,
-                                               unsigned int key_lifetime);
+                                               unsigned int key_lifetime,
+                                               int is_client);
 +static int check_cert_lifetime_internal(const X509 *cert, int tolerance);
  
  /** Global TLS contexts. We keep them here because nobody else needs
   * to touch them. */
@@@ -1085,12 -727,13 +1091,13 @@@ tor_tls_context_init_one(tor_tls_contex
   * certificate.
   */
  static tor_tls_context_t *
- tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
+ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime,
+                     int is_client)
  {
 -  crypto_pk_env_t *rsa = NULL;
 +  crypto_pk_env_t *rsa = NULL, *rsa_auth = NULL;
    EVP_PKEY *pkey = NULL;
    tor_tls_context_t *result = NULL;
 -  X509 *cert = NULL, *idcert = NULL;
 +  X509 *cert = NULL, *idcert = NULL, *authcert = NULL;
    char *nickname = NULL, *nn2 = NULL;
  
    tor_tls_init();
      goto error;
    if (crypto_pk_generate_key(rsa)<0)
      goto error;
-   /* Generate short-term RSA key for use in the in-protocol ("v3")
-    * authentication handshake. */
-   if (!(rsa_auth = crypto_new_pk_env()))
-     goto error;
-   if (crypto_pk_generate_key(rsa_auth)<0)
-     goto error;
-   /* Create a link certificate signed by identity key. */
-   cert = tor_tls_create_certificate(rsa, identity, nickname, nn2,
-                                     key_lifetime);
-   /* Create self-signed certificate for identity key. */
-   idcert = tor_tls_create_certificate(identity, identity, nn2, nn2,
-                                       IDENTITY_CERT_LIFETIME);
-   /* Create an authentication certificate signed by identity key. */
-   authcert = tor_tls_create_certificate(rsa_auth, identity, nickname, nn2,
-                                         key_lifetime);
-   if (!cert || !idcert || !authcert) {
-     log(LOG_WARN, LD_CRYPTO, "Error creating certificate");
-     goto error;
+   if (!is_client) {
 -    /* Create certificate signed by identity key. */
++    /* Generate short-term RSA key for use in the in-protocol ("v3")
++     * authentication handshake. */
++    if (!(rsa_auth = crypto_new_pk_env()))
++      goto error;
++    if (crypto_pk_generate_key(rsa_auth)<0)
++      goto error;
++    /* Create a link certificate signed by identity key. */
+     cert = tor_tls_create_certificate(rsa, identity, nickname, nn2,
+                                       key_lifetime);
+     /* Create self-signed certificate for identity key. */
+     idcert = tor_tls_create_certificate(identity, identity, nn2, nn2,
+                                         IDENTITY_CERT_LIFETIME);
 -    if (!cert || !idcert) {
++    /* Create an authentication certificate signed by identity key. */
++    authcert = tor_tls_create_certificate(rsa_auth, identity, nickname, nn2,
++                                          key_lifetime);
++    if (!cert || !idcert || !authcert) {
+       log(LOG_WARN, LD_CRYPTO, "Error creating certificate");
+       goto error;
+     }
    }
  
    result = tor_malloc_zero(sizeof(tor_tls_context_t));
    result->refcnt = 1;
-   result->my_link_cert = tor_cert_new(X509_dup(cert));
-   result->my_id_cert = tor_cert_new(X509_dup(idcert));
-   result->my_auth_cert = tor_cert_new(X509_dup(authcert));
-   if (!result->my_link_cert || !result->my_id_cert || !result->my_auth_cert)
-     goto error;
-   result->link_key = crypto_pk_dup_key(rsa);
-   result->auth_key = crypto_pk_dup_key(rsa_auth);
+   if (!is_client) {
 -    result->my_cert = X509_dup(cert);
 -    result->my_id_cert = X509_dup(idcert);
 -    result->key = crypto_pk_dup_key(rsa);
++    result->my_link_cert = tor_cert_new(X509_dup(cert));
++    result->my_id_cert = tor_cert_new(X509_dup(idcert));
++    result->my_auth_cert = tor_cert_new(X509_dup(authcert));
++    if (!result->my_link_cert || !result->my_id_cert || !result->my_auth_cert)
++      goto error;
++    result->link_key = crypto_pk_dup_key(rsa);
++    result->auth_key = crypto_pk_dup_key(rsa_auth);
+   }
  
  #ifdef EVERYONE_HAS_AES
    /* Tell OpenSSL to only use TLS1 */
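Review bot: When `is_client` is set, both `if (!is_client)` blocks are skipped, so `cert`, `idcert`, `authcert` and the context fields `my_link_cert`, `my_id_cert`, `my_auth_cert`, `link_key` and `auth_key` all stay NULL (the struct comes from `tor_malloc_zero`), and nothing in the visible lines states that. Every later consumer of a client context has to tolerate those NULL fields; the rest of `tor_tls_context_new` and its `error` path lie outside the visible lines, so that cannot be confirmed here. I would state the invariant above the first block, e.g. `/* Client contexts carry no certificates or keys: every cert/key field of the result stays NULL. */`. Separately, `crypto_pk_generate_key(rsa)` is a context line ahead of the `is_client` test, so the short-term key still appears to be generated for clients, which looks like wasted work unless code past the hunk uses it.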
index c85b057878262c3502aec55a96e9faef260465f4,1fa8bc6a7e8b015d605afe27a32c66dd56d1383a..d35e2a9c80b7cbd82b4c8f6380a6d97bb1191e49
@@@ -316,6 -232,7 +316,7 @@@ static voi
  command_process_create_cell(cell_t *cell, or_connection_t *conn)
  {
    or_circuit_t *circ;
 -  or_options_t *options = get_options();
++  const or_options_t *options = get_options();
    int id_is_high;
  
    if (we_are_hibernating()) {
diff --cc src/or/config.c
index c5322f512092f2ab4e2e5ebd673ed93aa486c98b,78e433620df13714afea07680fe7c29a717a5029..1b9f9fb475d0c86938bf906c1ac36f6592ad1039
@@@ -282,9 -269,10 +282,11 @@@ static config_var_t _option_vars[] = 
    V(GeoIPFile,                   FILENAME,
      SHARE_DATADIR PATH_SEPARATOR "tor" PATH_SEPARATOR "geoip"),
  #endif
+   V(GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays,
+                                  BOOL,     "0"),
    OBSOLETE("Group"),
    V(HardwareAccel,               BOOL,     "0"),
 +  V(HeartbeatPeriod,             INTERVAL, "6 hours"),
    V(AccelName,                   STRING,   NULL),
    V(AccelDir,                    FILENAME, NULL),
    V(HashedControlPassword,       LINELIST, NULL),
index 14da69851eaa29cec8e5c598e98bc989f6db23dc,27a34d3d15003481959207a78aa793e2a762b804..4c0960ceca73fb2cdf8970d5658825a0b66966f5
@@@ -1031,20 -813,21 +1036,22 @@@ connection_or_connect(const tor_addr_t 
    conn->_base.state = OR_CONN_STATE_CONNECTING;
    control_event_or_conn_status(conn, OR_CONN_EVENT_LAUNCHED, 0);
  
 -  /* use a proxy server if available */
 -  if (options->HTTPSProxy) {
 -    using_proxy = 1;
 -    tor_addr_copy(&addr, &options->HTTPSProxyAddr);
 -    port = options->HTTPSProxyPort;
 -  } else if (options->Socks4Proxy) {
 -    using_proxy = 1;
 -    tor_addr_copy(&addr, &options->Socks4ProxyAddr);
 -    port = options->Socks4ProxyPort;
 -  } else if (options->Socks5Proxy) {
 -    using_proxy = 1;
 -    tor_addr_copy(&addr, &options->Socks5ProxyAddr);
 -    port = options->Socks5ProxyPort;
+   conn->is_outgoing = 1;
 +  /* If we are using a proxy server, find it and use it. */
 +  r = get_proxy_addrport(&proxy_addr, &proxy_port, &proxy_type, TO_CONN(conn));
 +  if (r == 0) {
 +    conn->proxy_type = proxy_type;
 +    if (proxy_type != PROXY_NONE) {
 +      tor_addr_copy(&addr, &proxy_addr);
 +      port = proxy_port;
 +      conn->_base.proxy_state = PROXY_INFANT;
 +    }
 +  } else {
 +    log_warn(LD_GENERAL, "Tried to connect through proxy, but proxy address "
 +             "could not be found.");
 +    connection_free(TO_CONN(conn));
 +    return NULL;
    }
  
    switch (connection_connect(TO_CONN(conn), conn->_base.address,
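Review bot: The failure branch after `get_proxy_addrport()` frees the connection and returns NULL although `control_event_or_conn_status(conn, OR_CONN_EVENT_LAUNCHED, 0)` was already sent a few lines above. A controller may therefore see a launch with no matching failure, unless `connection_free()` reports one itself, which is not visible here. Consider emitting an `OR_CONN_EVENT_FAILED` status before the free, or moving the proxy lookup ahead of the LAUNCHED event. The body of `connection_or_connect` starts and continues outside this hunk.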
index 5cb4aba5aa4aebcd0ee2c9c7d43e9b0889726f68,c427fe2ef36097064c86d1c4da45c66d60eb3a0c..288fca99b8d5af336acc46d3d824c60b82338f1e
@@@ -2333,9 -2363,13 +2402,13 @@@ set_routerstatus_from_routerinfo(router
        (router_get_advertised_bandwidth(ri) >= BANDWIDTH_TO_GUARANTEE_GUARD ||
         router_get_advertised_bandwidth(ri) >=
                                MIN(guard_bandwidth_including_exits,
-                                   guard_bandwidth_excluding_exits))) {
-     long tk = rep_hist_get_weighted_time_known(node->identity, now);
-     double wfu = rep_hist_get_weighted_fractional_uptime(node->identity, now);
+                                   guard_bandwidth_excluding_exits)) &&
+       (options->GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays ||
+        is_router_version_good_for_possible_guard(ri->platform))) {
+     long tk = rep_hist_get_weighted_time_known(
 -                                      ri->cache_info.identity_digest, now);
++                                      node->identity, now);
+     double wfu = rep_hist_get_weighted_fractional_uptime(
 -                                      ri->cache_info.identity_digest, now);
++                                      node->identity, now);
      rs->is_possible_guard = (wfu >= guard_wfu && tk >= guard_tk) ? 1 : 0;
    } else {
      rs->is_possible_guard = 0;
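Review bot: `is_router_version_good_for_possible_guard(ri->platform)` gates the Guard flag on the platform string, which appears to be taken from the relay's own descriptor. The check can therefore screen out relays that honestly report an affected version, but not one that misreports it. That limit is worth a comment at the call, e.g. `/* platform is self-reported: this filters outdated relays, not dishonest ones */`. The helper is defined outside this hunk, so whether it tolerates a NULL `ri->platform` should be confirmed. As a style point, the continuation lines of the two `rep_hist_get_weighted_*` calls are indented well past the opening parenthesis and would read better aligned with it.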
diff --cc src/or/or.h
index 7a901e7ae201929b9f677e432eac42a42e4d2ba3,7d50e1f5054409b651c38ea3b610e0cef9c0fc04..e4f9b9b2b6f38ca59508452cd9af9aea50e4795c
@@@ -1220,7 -1068,12 +1220,13 @@@ typedef struct or_connection_t 
     * router itself has a problem.
     */
    unsigned int is_bad_for_new_circs:1;
+   /** True iff we have decided that the other end of this connection
+    * is a client.  Connections with this flag set should never be used
+    * to satisfy an EXTEND request.  */
+   unsigned int is_connection_with_client:1;
+   /** True iff this is an outgoing connection. */
+   unsigned int is_outgoing:1;
 +  unsigned int proxy_type:2; /**< One of PROXY_NONE...PROXY_SOCKS5 */
    uint8_t link_proto; /**< What protocol version are we using? 0 for
                         * "none negotiated yet." */
    circid_t next_circ_id; /**< Which circ_id do we try to use next on
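Review bot: `proxy_type:2` can hold only four values, which the range `PROXY_NONE...PROXY_SOCKS5` presumably fills exactly (the constants are defined outside this hunk), so a fifth proxy type would be truncated silently on assignment. I would record that in the field comment: `unsigned int proxy_type:2; /**< One of PROXY_NONE...PROXY_SOCKS5; widen this field if a proxy type is added. */`. The comment on `is_connection_with_client` states the rule that such connections never satisfy an EXTEND request, but not where it is enforced. Naming the checking function there would make the invariant easier to audit. The struct continues outside the hunk.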
Simple merge