From 5cce710e2b86ffcaf3bad81b95ba94f26f1d2838 Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Wed, 13 Dec 2006 22:42:52 +0000 Subject: [PATCH] Some more documentation and specs for CONNECT_DIR and BEGIN_DIR. Demand that BEGIN_DIR cells have an empty payload. svn:r9104 --- doc/TODO | 5 ++++- doc/socks-extensions.txt | 10 +++++++++- doc/tor-spec.txt | 3 +++ src/or/connection_edge.c | 5 +++-- src/or/or.h | 25 ++++++++++++++++++------- 5 files changed, 37 insertions(+), 11 deletions(-) diff --git a/doc/TODO b/doc/TODO index 96f452f975..3c250ab31d 100644 --- a/doc/TODO +++ b/doc/TODO @@ -54,7 +54,10 @@ R - Specify actual events. o Implement o Use for something, so we can be sure it works. o Test and debug - - be able to connect without having a server descriptor, to bootstrap + - turn the received socks addr:port into a digest for setting .exit + - be able to connect without having a server descriptor, to bootstrap. + - handle connect-dir streams that don't have a chosen_exit_name set. + - include ORPort in DirServers lines so we can know where to connect. N - Document .noconnect addresses... but where? diff --git a/doc/socks-extensions.txt b/doc/socks-extensions.txt index 46cd983f84..8097c66456 100644 --- a/doc/socks-extensions.txt +++ b/doc/socks-extensions.txt @@ -53,7 +53,15 @@ Tor's extensions to the SOCKS protocol address" portion of the reply. (This command was not supported before Tor 0.1.2.2-alpha.) -3. HTTP-resistance +3. Other command extensions. + + Tor 0.1.2.4-alpha added a new command value: "CONNECT_DIR" [F2]. + In this case, Tor will open an encrypted direct TCP connection to the + directory port of the Tor server specified by address:port (the port + specified should be the ORPort of the server). It uses a one-hop tunnel + and a "BEGIN_DIR" relay cell to accomplish this secure connection. + +4. HTTP-resistance Tor checks the first byte of each SOCKS request to see whether it looks more like an HTTP request (that is, it starts with a "G", "H", or "P"). If diff --git a/doc/tor-spec.txt b/doc/tor-spec.txt index 1f18f199c6..ca82e1cd74 100644 --- a/doc/tor-spec.txt +++ b/doc/tor-spec.txt @@ -733,6 +733,9 @@ TODO: If the Tor server is not running a directory service, it should respond with a REASON_NOTDIRECTORY RELAY_END cell. + Clients MUST generate an all-zero payload for RELAY_BEGIN_DIR cells, + and servers MUST ignore the payload. + [RELAY_BEGIN_DIR was not supported before Tor 0.1.2.2-alpha; clients SHOULD NOT send it to routers running earlier versions of Tor.] diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index ad42e178d2..be0c9a4820 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -1651,8 +1651,9 @@ connection_ap_handshake_send_begin(edge_connection_t *ap_conn, tor_assert(circ->build_state->onehop_tunnel == 0); } - if (connection_edge_send_command(ap_conn, TO_CIRCUIT(circ), - begin_type, payload, payload_len, + if (connection_edge_send_command(ap_conn, TO_CIRCUIT(circ), begin_type, + begin_type == RELAY_COMMAND_BEGIN ? payload : NULL, + begin_type == RELAY_COMMAND_BEGIN ? payload_len : 0, ap_conn->cpath_layer) < 0) return -1; /* circuit is closed, don't continue */ diff --git a/src/or/or.h b/src/or/or.h index 78355b3071..c3b442d3e6 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1185,7 +1185,9 @@ typedef struct { int need_capacity; /** Whether the last hop was picked with exiting in mind. */ int is_internal; - /** Did we pick this as a one-hop tunnel (not safe for other conns)? */ + /** Did we pick this as a one-hop tunnel (not safe for other conns)? + * These are for encrypted connections that exit to this router, not + * for arbitrary exits from the circuit. */ int onehop_tunnel; /** The crypt_path_t to append after rendezvous: used for rendezvous. */ crypt_path_t *pending_final_cpath; @@ -1710,10 +1712,16 @@ static INLINE void or_state_mark_dirty(or_state_t *state, time_t when) #define MAX_SOCKS_REPLY_LEN 1024 #define MAX_SOCKS_ADDR_LEN 256 -#define SOCKS_COMMAND_CONNECT 0x01 -#define SOCKS_COMMAND_CONNECT_DIR 0xE0 -#define SOCKS_COMMAND_RESOLVE 0xF0 -#define SOCKS_COMMAND_RESOLVE_PTR 0xF1 +/** Please open a TCP connection to this addr:port. */ +#define SOCKS_COMMAND_CONNECT 0x01 +/** Please turn this FQDN into an IP address, privately. */ +#define SOCKS_COMMAND_RESOLVE 0xF0 +/** Please turn this IP address into an FQDN, privately. */ +#define SOCKS_COMMAND_RESOLVE_PTR 0xF1 +/** Please open an encrypted direct TCP connection to the directory port + * of the Tor server specified by address:port. (In this case address:port + * specifies the ORPort of the server.) */ +#define SOCKS_COMMAND_CONNECT_DIR 0xF2 #define SOCKS_COMMAND_IS_CONNECT(c) ((c)==SOCKS_COMMAND_CONNECT || \ (c)==SOCKS_COMMAND_CONNECT_DIR) @@ -1722,8 +1730,11 @@ static INLINE void or_state_mark_dirty(or_state_t *state, time_t when) /** State of a SOCKS request from a user to an OP */ struct socks_request_t { - char socks_version; /**< Which version of SOCKS did the client use? */ - int command; /**< What has the user requested? One from the above list. */ + /** Which version of SOCKS did the client use? One of "0, 4, 5" -- where + * 0 means that no socks handshake ever took place, and this is just a + * stub connection (e.g. see connection_ap_make_bridge()). */ + char socks_version; + int command; /**< What is this stream's goal? One from the above list. */ size_t replylen; /**< Length of reply. */ char reply[MAX_SOCKS_REPLY_LEN]; /**< Write an entry into this string if * we want to specify our own socks reply,