Diffstat (limited to 'src/or/connection_or.c')
-rw-r--r-- | src/or/connection_or.c | 72 |
1 files changed, 57 insertions, 15 deletions
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 069c3e133..467f7be90 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -22,6 +22,7 @@
 #include "geoip.h"
 #include "main.h"
 #include "networkstatus.h"
+#include "nodelist.h"
 #include "reasons.h"
 #include "relay.h"
 #include "rephist.h"
@@ -41,6 +42,8 @@ static int connection_or_check_valid_tls_handshake(or_connection_t *conn,
                                                   int started_here,
                                                   char *digest_rcvd_out);
 
+static void connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn);
+
 #ifdef USE_BUFFEREVENTS
 static void connection_or_handle_event_cb(struct bufferevent *bufev, short event,
                                           void *arg);
@@ -237,6 +240,12 @@ connection_or_process_inbuf(or_connection_t *conn)
       }
 
       return ret;
+    case OR_CONN_STATE_TLS_SERVER_RENEGOTIATING:
+      if (tor_tls_server_got_renegotiate(conn->tls))
+        connection_or_tls_renegotiated_cb(conn->tls, conn);
+      if (conn->_base.marked_for_close)
+        return 0;
+      /* fall through. */
     case OR_CONN_STATE_OPEN:
     case OR_CONN_STATE_OR_HANDSHAKING:
       return connection_or_process_cells_from_inbuf(conn);
@@ -351,7 +360,7 @@ connection_or_digest_is_known_relay(const char *id_digest)
 {
   if (router_get_consensus_status_by_id(id_digest))
     return 1; /* It's in the consensus: "yes" */
-  if (router_get_by_digest(id_digest))
+  if (router_get_by_id_digest(id_digest))
     return 1; /* Not in the consensus, but we have a descriptor for
               * it. Probably it was in a recent consensus. "Yes". */
   return 0;
@@ -438,7 +447,7 @@ connection_or_init_conn_from_address(or_connection_t *conn,
                                      const char *id_digest,
                                      int started_here)
 {
-  routerinfo_t *r = router_get_by_digest(id_digest);
+  const node_t *r = node_get_by_id(id_digest);
   connection_or_set_identity_digest(conn, id_digest);
   connection_or_update_token_buckets_helper(conn, 1, get_options());
 
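Review bot: In the new OR_CONN_STATE_TLS_SERVER_RENEGOTIATING case, when `tor_tls_server_got_renegotiate()` returns false control still falls through to `connection_or_process_cells_from_inbuf()`, so cells from a peer that has not completed the renegotiation are parsed while the connection is still in the renegotiating state. If that is intended because the cell handlers reject cells by connection state, the `/* fall through. */` comment should say so; otherwise the case should end with `return 0;` when no renegotiation was observed and only fall through after the callback has run. The enclosing switch and function extend beyond the hunk.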
@@ -446,8 +455,10 @@ connection_or_init_conn_from_address(or_connection_t *conn,
   tor_addr_copy(&conn->_base.addr, addr);
   tor_addr_copy(&conn->real_addr, addr);
   if (r) {
+    tor_addr_t node_addr;
+    node_get_addr(r, &node_addr);
     /* XXXX proposal 118 will make this more complex. */
-    if (tor_addr_eq_ipv4h(&conn->_base.addr, r->addr))
+    if (tor_addr_eq(&conn->_base.addr, &node_addr))
       conn->is_canonical = 1;
     if (!started_here) {
       /* Override the addr/port, so our log messages will make sense.
@@ -460,12 +471,12 @@ connection_or_init_conn_from_address(or_connection_t *conn,
        * right IP address and port 56244, that wouldn't be as helpful. now we
        * log the "right" port too, so we know if it's moria1 or moria2. */
-      tor_addr_from_ipv4h(&conn->_base.addr, r->addr);
-      conn->_base.port = r->or_port;
+      tor_addr_copy(&conn->_base.addr, &node_addr);
+      conn->_base.port = node_get_orport(r);
     }
-    conn->nickname = tor_strdup(r->nickname);
+    conn->nickname = tor_strdup(node_get_nickname(r));
     tor_free(conn->_base.address);
-    conn->_base.address = tor_strdup(r->address);
+    conn->_base.address = tor_dup_addr(&node_addr);
   } else {
     const char *n;
     /* If we're an authoritative directory server, we may know a
@@ -906,9 +917,12 @@ connection_tls_start_handshake(or_connection_t *conn, int receiving)
     if (conn->bucket_cfg)
       bufferevent_set_rate_limit(conn->_base.bufev, conn->bucket_cfg);
     connection_enable_rate_limiting(TO_CONN(conn));
-    bufferevent_setcb(b, connection_handle_read_cb,
+
+    connection_configure_bufferevent_callbacks(TO_CONN(conn));
+    bufferevent_setcb(b,
+                      connection_handle_read_cb,
                       connection_handle_write_cb,
-                      connection_or_handle_event_cb,
+                      connection_or_handle_event_cb,/* overriding this one*/
                       TO_CONN(conn));
   }
 #endif
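Review bot: `node_addr` is declared without an initializer and passed straight to `node_get_addr(r, &node_addr)`; if that helper can leave its output untouched for a node that carries no address, the `tor_addr_eq()` on the next line and the `tor_addr_copy()`/`tor_dup_addr()` calls in the @@ -460 hunk read an indeterminate value. Unless node_get_addr is documented to always write its output, initialise it first: `tor_addr_t node_addr; tor_addr_make_unspec(&node_addr);`. The `if (r)` block opened here closes in the following hunk.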
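Review bot: The `bufferevent_setcb()` that follows replaces every callback `connection_configure_bufferevent_callbacks()` just installed, so a reader cannot tell what the first call contributes beyond its side effects, and the `/* overriding this one*/` comment is glued to the argument without a space and does not say why the generic read/write callbacks are passed again. A short comment above the configure call, e.g. `/* Install the generic callbacks, then replace the event callback with the OR-specific one below. */`, and a space before the inline comment would make the pair self-explanatory. The enclosing `#ifdef USE_BUFFEREVENTS` block starts before the hunk.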
@@ -1034,14 +1048,29 @@ connection_or_handle_event_cb(struct bufferevent *bufev, short event,
         tor_tls_unblock_renegotiation(conn->tls);
         return; /* ???? */
       }
-    } else {
-      /* improved handshake, but not a client. */
+    } else if (tor_tls_get_num_server_handshakes(conn->tls) == 1) {
+      /* improved handshake, as a server. Only got one handshake, so
+       * wait for the next one. */
       tor_tls_set_renegotiate_callback(conn->tls,
                                        connection_or_tls_renegotiated_cb,
                                        conn);
       conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING;
       /* return 0; */
       return; /* ???? */
+    } else {
+      const int handshakes = tor_tls_get_num_server_handshakes(conn->tls);
+      tor_assert(handshakes >= 2);
+      if (handshakes == 2) {
+        /* improved handshake, as a server. Two handshakes happened already,
+         * so we treat renegotiation as done.
+         */
+        connection_or_tls_renegotiated_cb(conn->tls, conn);
+      } else {
+        log_warn(LD_OR, "More than two handshakes done on connection. "
+                 "Closing.");
+        connection_mark_for_close(TO_CONN(conn));
+      }
+      return;
     }
   }
   connection_watch_events(TO_CONN(conn), READ_EVENT|WRITE_EVENT);
@@ -1050,6 +1079,14 @@ connection_or_handle_event_cb(struct bufferevent *bufev, short event,
     return;
   }
 
+  if (event & BEV_EVENT_ERROR) {
+    unsigned long err;
+    while ((err = bufferevent_get_openssl_error(bufev))) {
+      tor_tls_log_one_error(conn->tls, err, LOG_WARN, LD_OR,
+                            "handshaking (with bufferevent)");
+    }
+  }
+
   connection_handle_event_cb(bufev, event, arg);
 }
 #endif
@@ -1105,6 +1142,9 @@ connection_or_check_valid_tls_handshake(or_connection_t *conn,
     started_here ? conn->_base.address : safe_str_client(conn->_base.address);
   const char *conn_type = started_here ? "outgoing" : "incoming";
+  crypto_pk_env_t *our_identity =
+    started_here ? get_tlsclient_identity_key() :
+                   get_server_identity_key();
   int has_cert = 0, has_identity=0;
 
   check_no_tls_errors();
 
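Review bot: `tor_tls_get_num_server_handshakes(conn->tls)` is called once in the `else if` condition and again to initialise `handshakes` in the final else; hoisting a single `const int handshakes = tor_tls_get_num_server_handshakes(conn->tls);` above the chain removes the duplicate call and lets the `== 1`, `== 2` and `> 2` cases read as one dispatch on the same value. The "More than two handshakes done" message is emitted at warn level for a condition any unauthenticated peer can produce by renegotiating repeatedly, so a remote party can fill the operator's warn log; `log_info` (with LD_PROTOCOL, if that is the domain this file uses for peer misbehaviour) is the usual level for peer-caused protocol violations. The if/else chain begins before the hunk.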
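Review bot: The new BEV_EVENT_ERROR block drains and logs every queued OpenSSL error at LOG_WARN before delegating to `connection_handle_event_cb`, and those errors are produced by whatever the remote side sent, so the same log-level concern as in the @@ -1034 hunk applies here; `LOG_INFO` is the level other peer-caused TLS failures are usually reported at, if that is this file's convention. The context string `"handshaking (with bufferevent)"` is also attached to every error event the callback sees, which is only accurate if this callback is installed solely for the handshake phase; a comment stating that, or a context string that does not assert the phase, would avoid misleading log lines.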
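Review bot: `our_identity` selects the TLS-client or server identity key by direction, but nothing in the hunk checks the result for NULL; if `get_tlsclient_identity_key()` or `get_server_identity_key()` can return NULL when the corresponding key has not been loaded, the `crypto_pk_cmp_keys(our_identity, identity_rcvd)` in the @@ -1142 hunk must tolerate a NULL first argument. A one-line `tor_assert(our_identity);` after the initialisation, or a comment stating that both accessors always return a key once a connection reaches this point, would settle it. The rest of connection_or_check_valid_tls_handshake lies outside the hunk.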
@@ -1142,7 +1182,7 @@ connection_or_check_valid_tls_handshake(or_connection_t *conn,
   if (identity_rcvd) {
     has_identity = 1;
     crypto_pk_get_digest(identity_rcvd, digest_rcvd_out);
-    if (crypto_pk_cmp_keys(get_identity_key(), identity_rcvd)<0) {
+    if (crypto_pk_cmp_keys(our_identity, identity_rcvd)<0) {
       conn->circ_id_type = CIRC_ID_TYPE_LOWER;
     } else {
       conn->circ_id_type = CIRC_ID_TYPE_HIGHER;
@@ -1222,7 +1262,9 @@ connection_tls_finish_handshake(or_connection_t *conn)
   char digest_rcvd[DIGEST_LEN];
   int started_here = connection_or_nonopen_was_started_here(conn);
 
-  log_debug(LD_HANDSHAKE,"tls handshake with %s done. verifying.",
+  log_debug(LD_HANDSHAKE,"%s tls handshake on %p with %s done. verifying.",
+            started_here?"outgoing":"incoming",
+            conn,
             safe_str_client(conn->_base.address));
 
   directory_set_dirty();
@@ -1303,7 +1345,7 @@ connection_or_set_state_open(or_connection_t *conn)
     router_set_status(conn->identity_digest, 1);
   } else {
     /* only report it to the geoip module if it's not a known router */
-    if (!router_get_by_digest(conn->identity_digest)) {
+    if (!router_get_by_id_digest(conn->identity_digest)) {
       if (tor_addr_family(&TO_CONN(conn)->addr) == AF_INET) {
         /*XXXX IP6 support ipv6 geoip.*/
         uint32_t a = tor_addr_to_ipv4h(&TO_CONN(conn)->addr);
@@ -1491,7 +1533,7 @@ connection_or_send_netinfo(or_connection_t *conn)
 {
   cell_t cell;
   time_t now = time(NULL);
-  routerinfo_t *me;
+  const routerinfo_t *me;
   int len;
   char *out;
 
|
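Review bot: The `%p` conversion in the new `log_debug` call is given `conn`, an `or_connection_t *`, while `%p` is specified for `void *`; it works on every platform Tor targets but is strictly a mismatched argument type, so `(void *)conn` is the pedantically correct form. Printing the heap address of the connection also leaks an allocator layout detail into the log, which is harmless at debug level but worth keeping out of any higher-severity message that copies this format. The enclosing connection_tls_finish_handshake continues past the hunk.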