summaryrefslogtreecommitdiff
path: root/src/or/connection_or.c
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2004-11-10 20:14:37 +0000
committerNick Mathewson <nickm@torproject.org>2004-11-10 20:14:37 +0000
commit954570486f6d468e9e88415d728965daae62094b (patch)
tree2d222365301f020c6874694e2e77b8393c0f5578 /src/or/connection_or.c
parent35d0d3c050f3ce1290792f1a2906b8b29941c66d (diff)
downloadtor-954570486f6d468e9e88415d728965daae62094b.tar.gz
tor-954570486f6d468e9e88415d728965daae62094b.zip
Resolve a FIXME: use identity comparison, not nickname comparison, to
choose circuit ID types. This is important because our view of "the nickname of the router on the other side of this connection" is skewed, and depends on whether we think the other rotuer is verified--and there's no way to know whether another router thinks you are verified. For backward compatibility, we notice when the other router chooses the same circuit ID type as us (because it's running an old version), and switch our type to be polite. svn:r2797
Diffstat (limited to 'src/or/connection_or.c')
-rw-r--r--src/or/connection_or.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 98dc8803bc..1b419e5570 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -339,7 +339,7 @@ connection_tls_finish_handshake(connection_t *conn) {
conn->state = OR_CONN_STATE_OPEN;
connection_watch_events(conn, POLLIN);
log_fn(LOG_DEBUG,"tls handshake done. verifying.");
- if (! tor_tls_peer_has_cert(conn->tls)) { /* It's an OP. */
+ if (! tor_tls_peer_has_cert(conn->tls)) { /* It's an old OP. */
if (server_mode(options)) { /* I'm an OR; good. */
conn->receiver_bucket = conn->bandwidth = DEFAULT_BANDWIDTH_OP;
return 0;
@@ -348,7 +348,7 @@ connection_tls_finish_handshake(connection_t *conn) {
return -1;
}
}
- /* Okay; the other side is an OR. */
+ /* Okay; the other side is an OR or a post-0.0.8 OP (with a cert). */
if (tor_tls_get_peer_cert_nickname(conn->tls, nickname, MAX_NICKNAME_LEN)) {
log_fn(LOG_WARN,"Other side (%s:%d) has a cert without a valid nickname. Closing.",
conn->address, conn->port);
@@ -366,6 +366,12 @@ connection_tls_finish_handshake(connection_t *conn) {
crypto_pk_get_digest(identity_rcvd, digest_rcvd);
crypto_free_pk_env(identity_rcvd);
+ if (crypto_pk_cmp_keys(get_identity_key(), identity_rcvd)<0) {
+ conn->circ_id_type = CIRC_ID_TYPE_LOWER;
+ } else {
+ conn->circ_id_type = CIRC_ID_TYPE_HIGHER;
+ }
+
router = router_get_by_nickname(nickname);
if(router && /* we know this nickname */
router->is_verified && /* make sure it's the right guy */
@@ -394,6 +400,7 @@ connection_tls_finish_handshake(connection_t *conn) {
if (!server_mode(options)) { /* If I'm an OP... */
conn->receiver_bucket = conn->bandwidth = DEFAULT_BANDWIDTH_OP;
}
+
directory_set_dirty();
circuit_n_conn_done(conn, 1); /* send the pending creates, if any. */
/* Note the success */