Make PreferTunneledDirConns and TunnelDirConns work even when

we have no cached directory info. This means Tor clients can now
do all of their connections protected by TLS.


svn:r10035

ChangeLog

@@ -10,6 +10,9 @@ Changes in version 0.2.0.1-alpha - 2007-??-??
       especially on platforms where malloc() is inefficient.
     - Stop reading on edge connections when their corresponding circuit
       buffers are full; start again as the circuits empty out.
+    - Make PreferTunneledDirConns and TunnelDirConns work even when
+      we have no cached directory info. This means Tor clients can now
+      do all of their connections protected by TLS.
 
   o Security fixes:
     - Directory authorities now call routers stable if they have an

src/or/circuituse.c

@@ -91,10 +91,18 @@ circuit_is_acceptable(circuit_t *circ, edge_connection_t *conn,
         log_debug(LD_CIRC,"Skipping one-hop circuit.");
         return 0;
       }
+      tor_assert(conn->chosen_exit_name);
+      if (build_state->chosen_exit) {
+        char digest[DIGEST_LEN];
+        if (hexdigest_to_digest(conn->chosen_exit_name, digest) < 0 ||
+            memcmp(digest, build_state->chosen_exit->identity_digest,
+                   DIGEST_LEN))
+          return 0; /* this is a circuit to somewhere else */
+      }
     } else {
       if (conn->socks_request->command == SOCKS_COMMAND_CONNECT_DIR) {
         /* don't use three-hop circuits -- that could hurt our anonymity. */
-        log_debug(LD_CIRC,"Skipping multi-hop circuit for CONNECT_DIR.");
+//        log_debug(LD_CIRC,"Skipping multi-hop circuit for CONNECT_DIR.");
         return 0;
       }
     }

src/or/directory.c

@@ -248,7 +248,8 @@ directory_initiate_command_routerstatus(routerstatus_t *status,
     tor_inet_ntoa(&in, address_buf, sizeof(address_buf));
     address = address_buf;
   }
-  directory_initiate_command(address, status->addr, status->dir_port,
+  directory_initiate_command(address, status->addr,
+                             status->or_port, status->dir_port,
                              status->version_supports_begindir,
                              status->identity_digest,
                              purpose, private_connection, resource,
@@ -365,7 +366,8 @@ connection_dir_download_routerdesc_failed(dir_connection_t *conn)
  * <b>digest</b>. */
 void
 directory_initiate_command(const char *address, uint32_t addr,
-                           uint16_t dir_port, int supports_begindir,
+                           uint16_t or_port, uint16_t dir_port,
+                           int supports_begindir,
                            const char *digest, uint8_t purpose,
                            int private_connection, const char *resource,
                            const char *payload, size_t payload_len)
@@ -373,7 +375,8 @@ directory_initiate_command(const char *address, uint32_t addr,
   dir_connection_t *conn;
   or_options_t *options = get_options();
   int want_to_tunnel = options->TunnelDirConns && supports_begindir &&
-                       router_get_by_digest(digest);
+                       !private_connection && or_port &&
+                       fascist_firewall_allows_address_or(addr, or_port);
 
   tor_assert(address);
   tor_assert(addr);
@@ -414,7 +417,7 @@ directory_initiate_command(const char *address, uint32_t addr,
 
   /* set up conn so it's got all the data we need to remember */
   conn->_base.addr = addr;
-  conn->_base.port = dir_port;
+  conn->_base.port = want_to_tunnel ? or_port : dir_port;
   conn->_base.address = tor_strdup(address);
   memcpy(conn->identity_digest, digest, DIGEST_LEN);
 

src/or/or.h

@@ -2487,7 +2487,8 @@ int connection_dir_finished_flushing(dir_connection_t *conn);
 int connection_dir_finished_connecting(dir_connection_t *conn);
 void connection_dir_request_failed(dir_connection_t *conn);
 void directory_initiate_command(const char *address, uint32_t addr,
-                                uint16_t dir_port, int supports_begindir,
+                                uint16_t or_port, uint16_t dir_port,
+                                int supports_begindir,
                                 const char *digest, uint8_t purpose,
                                 int private_connection, const char *resource,
                                 const char *payload, size_t payload_len);
@@ -3021,6 +3022,7 @@ routerinfo_t *router_choose_random_node(const char *preferred,
                                         int weight_for_exit);
 routerinfo_t *router_get_by_nickname(const char *nickname,
                                      int warn_if_unnamed);
+int hexdigest_to_digest(const char *hexdigest, char *digest);
 routerinfo_t *router_get_by_hexdigest(const char *hexdigest);
 routerinfo_t *router_get_by_digest(const char *digest);
 signed_descriptor_t *router_get_by_descriptor_digest(const char *digest);

src/or/router.c

@@ -507,7 +507,8 @@ consider_testing_reachability(int test_or, int test_dir)
                 CONN_TYPE_DIR, me->addr, me->dir_port,
                 DIR_PURPOSE_FETCH_SERVERDESC)) {
     /* ask myself, via tor, for my server descriptor. */
-    directory_initiate_command(me->address, me->addr, me->dir_port,
+    directory_initiate_command(me->address, me->addr,
+                               me->or_port, me->dir_port,
                                0, me->cache_info.identity_digest,
                                DIR_PURPOSE_FETCH_SERVERDESC,
                                1, "authority", NULL, 0);

src/or/routerlist.c

@@ -574,16 +574,15 @@ router_pick_directory_server_impl(int requireother, int fascistfirewall,
     is_trusted = router_digest_is_trusted_dir(status->identity_digest);
     if (for_v2_directory && !(status->is_v2_dir || is_trusted))
       continue;
-    if (fascistfirewall &&
-        prefer_tunnel &&
+    if (prefer_tunnel &&
         status->version_supports_begindir &&
-        router_get_by_digest(status->identity_digest) &&
-        fascist_firewall_allows_address_or(status->addr, status->or_port))
+        (!fascistfirewall ||
+         fascist_firewall_allows_address_or(status->addr, status->or_port)))
       smartlist_add(is_trusted ? trusted_tunnel :
                       is_overloaded ? overloaded_tunnel : tunnel, status);
-    else if (!fascistfirewall || (fascistfirewall &&
+    else if (!fascistfirewall ||
              fascist_firewall_allows_address_dir(status->addr,
-                                                 status->dir_port)))
+                                                 status->dir_port))
       smartlist_add(is_trusted ? trusted_direct :
                       is_overloaded ? overloaded_direct : direct, status);
   });
@@ -652,17 +651,14 @@ router_pick_trusteddirserver_impl(authority_type_t type,
         continue;
       if (requireother && me && router_digest_is_me(d->digest))
           continue;
-
-      if (fascistfirewall &&
-          prefer_tunnel &&
+      if (prefer_tunnel &&
           d->or_port &&
-          router_get_by_digest(d->digest) &&
-          fascist_firewall_allows_address_or(d->addr, d->or_port))
+          (!fascistfirewall ||
+           fascist_firewall_allows_address_or(d->addr, d->or_port)))
         smartlist_add(is_overloaded ? overloaded_tunnel : tunnel,
                       &d->fake_status.status);
-      else if (!fascistfirewall || (fascistfirewall &&
-               fascist_firewall_allows_address_dir(d->addr,
-                                                   d->dir_port)))
+      else if (!fascistfirewall ||
+               fascist_firewall_allows_address_dir(d->addr, d->dir_port))
         smartlist_add(is_overloaded ? overloaded_direct : direct,
                       &d->fake_status.status);
     });
@@ -1379,6 +1375,21 @@ router_digest_is_trusted_dir(const char *digest)
   return 0;
 }
 
+/** If hexdigest is correctly formed, base16_decode it into
+ * digest, which must have DIGEST_LEN space in it.
+ * Return 0 on success, -1 on failure.
+ */
+int
+hexdigest_to_digest(const char *hexdigest, char *digest)
+{
+  if (hexdigest[0]=='$')
+    ++hexdigest;
+  if (strlen(hexdigest) < HEX_DIGEST_LEN ||
+      base16_decode(digest,DIGEST_LEN,hexdigest,HEX_DIGEST_LEN) < 0)
+    return -1;
+  return 0;
+}
+
 /** Return the router in our routerlist whose hexadecimal key digest
  * is <b>hexdigest</b>.  Return NULL if no such router is known. */
 routerinfo_t *
@@ -1394,8 +1405,7 @@ router_get_by_hexdigest(const char *hexdigest)
   if (hexdigest[0]=='$')
     ++hexdigest;
   len = strlen(hexdigest);
-  if (len < HEX_DIGEST_LEN ||
-      base16_decode(digest,DIGEST_LEN,hexdigest,HEX_DIGEST_LEN) < 0)
+  if (hexdigest_to_digest(hexdigest, digest) < 0)
     return NULL;
 
   ri = router_get_by_digest(digest);
@@ -3189,6 +3199,9 @@ add_trusted_dir_server(const char *nickname, const char *address,
   ent->fake_status.status.dir_port = ent->dir_port;
   ent->fake_status.status.or_port = ent->or_port;
 
+  if (ent->or_port)
+    ent->fake_status.status.version_supports_begindir = 1;
+
   smartlist_add(trusted_dir_servers, ent);
   router_dir_info_changed();
 }