Infrastructure to test BEGIN_DIR cells.

New socks command CONNECT_DIR. New config option TunnelDirConns that
builds a circ ending at the directory server and delivers a BEGIN_DIR
cell if it's running 0.1.2.2-alpha or later. We still need to make
one-hop circs when appropriate, while making other conns avoid them.


svn:r9098

src/or/buffers.c

@@ -974,6 +974,7 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
         return 0; /* not yet */
       req->command = (unsigned char) *(buf->cur+1);
       if (req->command != SOCKS_COMMAND_CONNECT &&
+          req->command != SOCKS_COMMAND_CONNECT_DIR &&
           req->command != SOCKS_COMMAND_RESOLVE &&
           req->command != SOCKS_COMMAND_RESOLVE_PTR) {
         /* not a connect or resolve or a resolve_ptr? we don't support it. */
@@ -1065,6 +1066,7 @@ fetch_from_buf_socks(buf_t *buf, socks_request_t *req,
 
       req->command = (unsigned char) *(buf->cur+1);
       if (req->command != SOCKS_COMMAND_CONNECT &&
+          req->command != SOCKS_COMMAND_CONNECT_DIR &&
           req->command != SOCKS_COMMAND_RESOLVE) {
         /* not a connect or resolve? we don't support it. (No resolve_ptr with
          * socks4.) */

src/or/circuituse.c

@@ -902,16 +902,18 @@ circuit_get_open_circ_or_launch(edge_connection_t *conn,
                                 origin_circuit_t **circp)
 {
   origin_circuit_t *circ;
-  int is_resolve;
+  int check_exit_policy;
   int need_uptime, need_internal;
 
   tor_assert(conn);
   tor_assert(circp);
   tor_assert(conn->_base.state == AP_CONN_STATE_CIRCUIT_WAIT);
-  is_resolve = (conn->socks_request->command == SOCKS_COMMAND_RESOLVE ||
-                conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR);
+  check_exit_policy =
+      (conn->socks_request->command == SOCKS_COMMAND_CONNECT) &&
+      !connection_edge_is_rendezvous_stream(conn);
 
-  need_uptime = smartlist_string_num_isin(get_options()->LongLivedPorts,
+  need_uptime = (conn->socks_request->command == SOCKS_COMMAND_CONNECT) &&
+                smartlist_string_num_isin(get_options()->LongLivedPorts,
                                           conn->socks_request->port);
   need_internal = desired_circuit_purpose != CIRCUIT_PURPOSE_C_GENERAL;
 
@@ -941,7 +943,7 @@ circuit_get_open_circ_or_launch(edge_connection_t *conn,
   }
 
   /* Do we need to check exit policy? */
-  if (!is_resolve && !connection_edge_is_rendezvous_stream(conn)) {
+  if (check_exit_policy) {
     struct in_addr in;
     uint32_t addr = 0;
     if (tor_inet_aton(conn->socks_request->address, &in))
@@ -1125,13 +1127,17 @@ connection_ap_handshake_attach_chosen_circuit(edge_connection_t *conn,
 
   link_apconn_to_circ(conn, circ);
   tor_assert(conn->socks_request);
-  if (conn->socks_request->command == SOCKS_COMMAND_CONNECT) {
-    consider_recording_trackhost(conn, circ);
-    if (connection_ap_handshake_send_begin(conn, circ)<0)
-      return -1;
-  } else {
-    if (connection_ap_handshake_send_resolve(conn, circ)<0)
-      return -1;
+  switch (conn->socks_request->command) {
+    case SOCKS_COMMAND_CONNECT:
+      consider_recording_trackhost(conn, circ);
+      /* fall through */
+    case SOCKS_COMMAND_CONNECT_DIR:
+      if (connection_ap_handshake_send_begin(conn, circ)<0)
+        return -1;
+      break;
+    default:
+      if (connection_ap_handshake_send_resolve(conn, circ)<0)
+        return -1;
   }
 
   return 1;

src/or/config.c

@@ -247,6 +247,7 @@ static config_var_t _option_vars[] = {
   OBSOLETE("TrafficShaping"),
   VAR("TransListenAddress",  LINELIST, TransListenAddress,   NULL),
   VAR("TransPort",           UINT,     TransPort,            "0"),
+  VAR("TunnelDirConns",      BOOL,     TunnelDirConns,       "0"),
   VAR("UseEntryGuards",      BOOL,     UseEntryGuards,       "1"),
   VAR("User",                STRING,   User,                 NULL),
   VAR("V1AuthoritativeDirectory",BOOL, V1AuthoritativeDir,   "0"),

src/or/connection_edge.c

@@ -55,7 +55,7 @@ _connection_mark_unattached_ap(edge_connection_t *conn, int endreason,
                "Bug: stream (marked at %s:%d) sending two socks replies?",
                file, line);
 
-    if (conn->socks_request->command == SOCKS_COMMAND_CONNECT)
+    if (SOCKS_COMMAND_IS_CONNECT(conn->socks_request->command))
       connection_ap_handshake_socks_reply(conn, NULL, 0, endreason);
     else
       connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_ERROR,
@@ -1213,6 +1213,8 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
       // XXXX NM Do anything here?
 
       rep_hist_note_used_resolve(time(NULL)); /* help predict this next time */
+    } else if (socks->command == SOCKS_COMMAND_CONNECT_DIR) {
+      ; /* nothing */
     } else {
       tor_fragile_assert();
     }
@@ -1230,7 +1232,7 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
     rend_cache_entry_t *entry;
     int r;
 
-    if (socks->command != SOCKS_COMMAND_CONNECT) {
+    if (!SOCKS_COMMAND_IS_CONNECT(socks->command)) {
       /* if it's a resolve request, fail it right now, rather than
        * building all the circuits and then realizing it won't work. */
       log_warn(LD_APP,
@@ -1450,7 +1452,7 @@ connection_ap_handshake_process_socks(edge_connection_t *conn)
     return -1;
   }
 
-  if (socks->command == SOCKS_COMMAND_CONNECT)
+  if (SOCKS_COMMAND_IS_CONNECT(socks->command))
     control_event_stream_status(conn, STREAM_EVENT_NEW, 0);
   else
     control_event_stream_status(conn, STREAM_EVENT_NEW_RESOLVE, 0);
@@ -1546,7 +1548,7 @@ connection_ap_process_natd(edge_connection_t *conn)
 
   if (strcmpstart(tmp_buf, "[DEST ")) {
     log_warn(LD_APP,"Natd handshake was ill-formed; closing. The client "
-             "said: '%s'",
+             "said: %s",
              escaped(tmp_buf));
     connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
     return -1;
@@ -1564,7 +1566,7 @@ connection_ap_process_natd(edge_connection_t *conn)
   socks->port = (uint16_t)
     tor_parse_long(tbuf, 10, 1, 65535, &port_ok, &daddr);
   if (!port_ok) {
-    log_warn(LD_APP,"Natd handshake failed; port '%s' is ill-formed or out "
+    log_warn(LD_APP,"Natd handshake failed; port %s is ill-formed or out "
              "of range.", escaped(tbuf));
     connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
     return -1;
@@ -1620,10 +1622,12 @@ connection_ap_handshake_send_begin(edge_connection_t *ap_conn,
 {
   char payload[CELL_PAYLOAD_SIZE];
   int payload_len;
+  int begin_type;
 
   tor_assert(ap_conn->_base.type == CONN_TYPE_AP);
   tor_assert(ap_conn->_base.state == AP_CONN_STATE_CIRCUIT_WAIT);
   tor_assert(ap_conn->socks_request);
+  tor_assert(SOCKS_COMMAND_IS_CONNECT(ap_conn->socks_request->command));
 
   ap_conn->stream_id = get_unique_stream_id_by_circ(circ);
   if (ap_conn->stream_id==0) {
@@ -1641,9 +1645,11 @@ connection_ap_handshake_send_begin(edge_connection_t *ap_conn,
   log_debug(LD_APP,
             "Sending relay cell to begin stream %d.", ap_conn->stream_id);
 
+  begin_type = ap_conn->socks_request->command == SOCKS_COMMAND_CONNECT ?
+                 RELAY_COMMAND_BEGIN : RELAY_COMMAND_BEGIN_DIR;
+
   if (connection_edge_send_command(ap_conn, TO_CIRCUIT(circ),
-                                   RELAY_COMMAND_BEGIN,
-                                   payload, payload_len,
+                                   begin_type, payload, payload_len,
                                    ap_conn->cpath_layer) < 0)
     return -1; /* circuit is closed, don't continue */
 
@@ -1669,15 +1675,14 @@ connection_ap_handshake_send_resolve(edge_connection_t *ap_conn,
   const char *string_addr;
   char inaddr_buf[32];
 
-  command = ap_conn->socks_request->command;
-
   tor_assert(ap_conn->_base.type == CONN_TYPE_AP);
   tor_assert(ap_conn->_base.state == AP_CONN_STATE_CIRCUIT_WAIT);
   tor_assert(ap_conn->socks_request);
-  tor_assert(command == SOCKS_COMMAND_RESOLVE ||
-             command == SOCKS_COMMAND_RESOLVE_PTR);
   tor_assert(circ->_base.purpose == CIRCUIT_PURPOSE_C_GENERAL);
 
+  command = ap_conn->socks_request->command;
+  tor_assert(SOCKS_COMMAND_IS_RESOLVE(command));
+
   ap_conn->stream_id = get_unique_stream_id_by_circ(circ);
   if (ap_conn->stream_id==0) {
     connection_mark_unattached_ap(ap_conn, END_STREAM_REASON_INTERNAL);
@@ -1729,7 +1734,8 @@ connection_ap_handshake_send_resolve(edge_connection_t *ap_conn,
  * Return the other end of the socketpair, or -1 if error.
  */
 int
-connection_ap_make_bridge(char *address, uint16_t port)
+connection_ap_make_bridge(char *address, uint16_t port,
+                          const char *digest, int command)
 {
   int fd[2];
   edge_connection_t *conn;
@@ -1761,7 +1767,13 @@ connection_ap_make_bridge(char *address, uint16_t port)
   strlcpy(conn->socks_request->address, address,
           sizeof(conn->socks_request->address));
   conn->socks_request->port = port;
-  conn->socks_request->command = SOCKS_COMMAND_CONNECT;
+  conn->socks_request->command = command;
+  if (command == SOCKS_COMMAND_CONNECT_DIR) {
+    conn->chosen_exit_name = tor_malloc(HEX_DIGEST_LEN+2);
+    conn->chosen_exit_name[0] = '$';
+    base16_encode(conn->chosen_exit_name+1,HEX_DIGEST_LEN+1,
+                  digest, DIGEST_LEN);
+  }
 
   conn->_base.address = tor_strdup("(local bridge)");
   conn->_base.addr = 0;
@@ -2396,8 +2408,7 @@ connection_ap_can_use_exit(edge_connection_t *conn, routerinfo_t *exit)
                                     exit->exit_policy);
     if (r == ADDR_POLICY_REJECTED || r == ADDR_POLICY_PROBABLY_REJECTED)
       return 0;
-  } else { /* Some kind of a resolve. */
-
+  } else if (SOCKS_COMMAND_IS_RESOLVE(conn->socks_request->command)) {
     /* Can't support reverse lookups without eventdns. */
     if (conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR &&
         exit->has_old_dnsworkers)

src/or/control.c

@@ -1619,8 +1619,7 @@ getinfo_helper_events(control_connection_t *control_conn,
         case AP_CONN_STATE_CONTROLLER_WAIT:
         case AP_CONN_STATE_CIRCUIT_WAIT:
           if (conn->socks_request &&
-              (conn->socks_request->command == SOCKS_COMMAND_RESOLVE ||
-               conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR))
+              SOCKS_COMMAND_IS_RESOLVE(conn->socks_request->command))
             state = "NEWRESOLVE";
           else
             state = "NEW";

src/or/directory.c

@@ -39,7 +39,7 @@ directory_initiate_command(const char *address, uint32_t addr, uint16_t port,
 
 static void
 directory_send_command(dir_connection_t *conn, const char *platform,
-                       int purpose, const char *resource,
+                       int purpose, int direct, const char *resource,
                        const char *payload, size_t payload_len);
 static int directory_handle_command(dir_connection_t *conn);
 static int body_is_plausible(const char *body, size_t body_len, int purpose);
@@ -370,12 +370,18 @@ directory_initiate_command(const char *address, uint32_t addr,
                            const char *payload, size_t payload_len)
 {
   dir_connection_t *conn;
+  or_options_t *options = get_options();
+  int want_to_tunnel = options->TunnelDirConns && platform &&
+                       tor_version_as_new_as(platform, "0.1.2.2-alpha");
 
   tor_assert(address);
   tor_assert(addr);
   tor_assert(dir_port);
   tor_assert(digest);
 
+  log_debug(LD_DIR, "private %d, want_to_tunnel %d.",
+            private_connection, want_to_tunnel);
+
   switch (purpose) {
     case DIR_PURPOSE_FETCH_DIR:
       log_debug(LD_DIR,"initiating directory fetch");
@@ -415,14 +421,14 @@ directory_initiate_command(const char *address, uint32_t addr,
 
   /* give it an initial state */
   conn->_base.state = DIR_CONN_STATE_CONNECTING;
-  conn->dirconn_direct = (private_connection == 0);
 
-  if (!private_connection) {
+  if (!private_connection && !want_to_tunnel) {
     /* then we want to connect directly */
 
-    if (get_options()->HttpProxy) {
-      addr = get_options()->HttpProxyAddr;
-      dir_port = get_options()->HttpProxyPort;
+    conn->dirconn_direct = 1;
+    if (options->HttpProxy) {
+      addr = options->HttpProxyAddr;
+      dir_port = options->HttpProxyPort;
     }
 
     switch (connection_connect(TO_CONN(conn), conn->_base.address, addr,
@@ -437,7 +443,7 @@ directory_initiate_command(const char *address, uint32_t addr,
         /* fall through */
       case 0:
         /* queue the command on the outbuf */
-        directory_send_command(conn, platform, purpose, resource,
+        directory_send_command(conn, platform, purpose, 1, resource,
                                payload, payload_len);
         connection_watch_events(TO_CONN(conn), EV_READ | EV_WRITE);
         /* writable indicates finish, readable indicates broken link,
@@ -448,8 +454,13 @@ directory_initiate_command(const char *address, uint32_t addr,
      * populate it and add it at the right state
      * socketpair and hook up both sides
      */
-    conn->_base.s = connection_ap_make_bridge(conn->_base.address,
-                                              conn->_base.port);
+    conn->dirconn_direct = 0;
+    conn->_base.s =
+      connection_ap_make_bridge(conn->_base.address, conn->_base.port,
+                                digest,
+                                private_connection ?
+                                  SOCKS_COMMAND_CONNECT :
+                                  SOCKS_COMMAND_CONNECT_DIR);
     if (conn->_base.s < 0) {
       log_warn(LD_NET,"Making AP bridge to dirserver failed.");
       connection_mark_for_close(TO_CONN(conn));
@@ -463,7 +474,7 @@ directory_initiate_command(const char *address, uint32_t addr,
     }
     conn->_base.state = DIR_CONN_STATE_CLIENT_SENDING;
     /* queue the command on the outbuf */
-    directory_send_command(conn, platform, purpose, resource,
+    directory_send_command(conn, platform, purpose, 0, resource,
                            payload, payload_len);
     connection_watch_events(TO_CONN(conn), EV_READ | EV_WRITE);
   }
@@ -474,7 +485,7 @@ directory_initiate_command(const char *address, uint32_t addr,
  */
 static void
 directory_send_command(dir_connection_t *conn, const char *platform,
-                       int purpose, const char *resource,
+                       int purpose, int direct, const char *resource,
                        const char *payload, size_t payload_len)
 {
   char proxystring[256];
@@ -501,7 +512,7 @@ directory_send_command(dir_connection_t *conn, const char *platform,
   }
 
   /* come up with some proxy lines, if we're using one. */
-  if (get_options()->HttpProxy) {
+  if (direct && get_options()->HttpProxy) {
     char *base64_authenticator=NULL;
     const char *authenticator = get_options()->HttpProxyAuthenticator;
 

src/or/or.h

@@ -1648,8 +1648,10 @@ typedef struct {
   char *ServerDNSResolvConfFile; /**< If provided, we configure our internal
                      * resolver from the file here rather than from
                      * /etc/resolv.conf (Unix) or the registry (Windows). */
-  int EnforceDistinctSubnets; /** If true, don't allow multiple routers in the
+  int EnforceDistinctSubnets; /**< If true, don't allow multiple routers in the
                                * same network zone in the same circuit. */
+  int TunnelDirConns; /**< If true, use BEGIN_DIR rather than BEGIN when
+                       * possible. */
 } or_options_t;
 
 /** Persistent state for an onion router, as saved to disk. */
@@ -1705,17 +1707,21 @@ static INLINE void or_state_mark_dirty(or_state_t *state, time_t when)
 
 #define MAX_SOCKS_REPLY_LEN 1024
 #define MAX_SOCKS_ADDR_LEN 256
+
 #define SOCKS_COMMAND_CONNECT 0x01
+#define SOCKS_COMMAND_CONNECT_DIR 0xE0
 #define SOCKS_COMMAND_RESOLVE 0xF0
 #define SOCKS_COMMAND_RESOLVE_PTR 0xF1
 
+#define SOCKS_COMMAND_IS_CONNECT(c) ((c)==SOCKS_COMMAND_CONNECT || \
+                                     (c)==SOCKS_COMMAND_CONNECT_DIR)
 #define SOCKS_COMMAND_IS_RESOLVE(c) ((c)==SOCKS_COMMAND_RESOLVE || \
                                      (c)==SOCKS_COMMAND_RESOLVE_PTR)
 
 /** State of a SOCKS request from a user to an OP */
 struct socks_request_t {
   char socks_version; /**< Which version of SOCKS did the client use? */
-  int command; /**< What has the user requested? One of CONNECT or RESOLVE. */
+  int command; /**< What has the user requested? One from the above list. */
   size_t replylen; /**< Length of <b>reply</b>. */
   char reply[MAX_SOCKS_REPLY_LEN]; /**< Write an entry into this string if
                                     * we want to specify our own socks reply,
@@ -2017,7 +2023,8 @@ int connection_ap_handshake_send_begin(edge_connection_t *ap_conn,
 int connection_ap_handshake_send_resolve(edge_connection_t *ap_conn,
                                          origin_circuit_t *circ);
 
-int connection_ap_make_bridge(char *address, uint16_t port);
+int connection_ap_make_bridge(char *address, uint16_t port,
+                              const char *digest, int command);
 void connection_ap_handshake_socks_reply(edge_connection_t *conn, char *reply,
                                          size_t replylen,
                                          int endreason);

src/or/relay.c

@@ -900,8 +900,7 @@ connection_edge_process_relay_cell_not_open(
              "not in state resolve_wait. Dropping.");
       return 0;
     }
-    tor_assert(conn->socks_request->command == SOCKS_COMMAND_RESOLVE ||
-               conn->socks_request->command == SOCKS_COMMAND_RESOLVE_PTR);
+    tor_assert(SOCKS_COMMAND_IS_RESOLVE(conn->socks_request->command));
     answer_len = cell->payload[RELAY_HEADER_SIZE+1];
     if (rh->length < 2 || answer_len+2>rh->length) {
       log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,

src/or/router.c

@@ -1015,7 +1015,8 @@ router_new_address_suggestion(const char *suggestion)
 
   /* first, learn what the IP address actually is */
   if (!tor_inet_aton(suggestion, &in)) {
-    log_debug(LD_DIR, "Malformed X-Your-Address-Is header. Ignoring.");
+    log_debug(LD_DIR, "Malformed X-Your-Address-Is header %s. Ignoring.",
+              escaped(suggestion));
     return;
   }
   addr = ntohl(in.s_addr);

src/or/routerparse.c

@@ -1821,6 +1821,8 @@ tor_version_as_new_as(const char *platform, const char *cutoff)
   char *s, *start;
   char tmp[128];
 
+  tor_assert(platform);
+
   if (tor_version_parse(cutoff, &cutoff_version)<0) {
     log_warn(LD_DIR,"Bug: cutoff version '%s' unparseable.",cutoff);
     return 0;