diff options
Diffstat (limited to 'src/or/connection_or.c')
-rw-r--r-- | src/or/connection_or.c | 40 |
1 files changed, 15 insertions, 25 deletions
diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 5e122c8480..a68c870423 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -84,7 +84,6 @@ void connection_or_init_conn_from_router(connection_t *conn, routerinfo_t *route conn->port = router->or_port; conn->receiver_bucket = conn->bandwidth = router->bandwidthburst; conn->onion_pkey = crypto_pk_dup_key(router->onion_pkey); - conn->link_pkey = crypto_pk_dup_key(router->link_pkey); conn->identity_pkey = crypto_pk_dup_key(router->identity_pkey); conn->nickname = tor_strdup(router->nickname); tor_free(conn->address); @@ -178,7 +177,6 @@ int connection_tls_continue_handshake(connection_t *conn) { } static int connection_tls_finish_handshake(connection_t *conn) { - crypto_pk_env_t *pk; routerinfo_t *router; char nickname[MAX_NICKNAME_LEN+1]; connection_t *c; @@ -203,42 +201,34 @@ static int connection_tls_finish_handshake(connection_t *conn) { return -1; } log_fn(LOG_DEBUG, "Other side claims to be '%s'", nickname); - pk = tor_tls_verify(conn->tls); - if(!pk) { - log_fn(LOG_WARN,"Other side '%s' (%s:%d) has a cert but it's invalid. Closing.", - nickname, conn->address, conn->port); + router = router_get_by_nickname(nickname); + if (!router) { + log_fn(LOG_INFO, "Unrecognized router with nickname '%s'", nickname); return -1; } - router = router_get_by_link_pk(pk); - if (!router) { - log_fn(LOG_INFO,"Unrecognized public key from peer '%s' (%s:%d). Closing.", + if(tor_tls_verify(conn->tls, router->identity_pkey)<0) { + log_fn(LOG_WARN,"Other side '%s' (%s:%d) has a cert but it's invalid. Closing.", nickname, conn->address, conn->port); - crypto_free_pk_env(pk); return -1; } - if(conn->link_pkey) { /* I initiated this connection. */ - if(crypto_pk_cmp_keys(conn->link_pkey, pk)) { - log_fn(LOG_WARN,"We connected to '%s' (%s:%d) but he gave us a different key. Closing.", - nickname, conn->address, conn->port); - crypto_free_pk_env(pk); + log_fn(LOG_DEBUG,"The router's cert is valid."); + + if (conn->nickname) { + /* I initiated this connection. */ + if (strcmp(conn->nickname, nickname)) { + log_fn(options.DirPort ? LOG_WARN : LOG_INFO, + "Other side is '%s', but we tried to connect to '%s'", + nickname, conn->nickname); return -1; } - log_fn(LOG_DEBUG,"The router's pk matches the one we meant to connect to. Good."); } else { if((c=connection_exact_get_by_addr_port(router->addr,router->or_port))) { log_fn(LOG_INFO,"Router %s is already connected on fd %d. Dropping fd %d.", router->nickname, c->s, conn->s); - crypto_free_pk_env(pk); return -1; } - connection_or_init_conn_from_router(conn, router); - } - crypto_free_pk_env(pk); - if (strcmp(conn->nickname, nickname)) { - log_fn(options.DirPort ? LOG_WARN : LOG_INFO, - "Other side claims to be '%s', but we expected '%s'", - nickname, conn->nickname); - return -1; + connection_or_init_conn_from_router(conn,router); } + if (!options.ORPort) { /* If I'm an OP... */ conn->receiver_bucket = conn->bandwidth = DEFAULT_BANDWIDTH_OP; } |