Make sure we stop putting cells into our hash at the right time.

src/or/command.c

@@ -243,7 +243,8 @@ command_process_var_cell(var_cell_t *cell, or_connection_t *conn)
         return; /*XXXX023 log*/
       break;
     case OR_CONN_STATE_OR_HANDSHAKING_V3:
-      or_handshake_state_record_var_cell(conn->handshake_state, cell, 1);
+      if (cell->command != CELL_AUTHENTICATE)
+        or_handshake_state_record_var_cell(conn->handshake_state, cell, 1);
       break; /* Everything is allowed */
     case OR_CONN_STATE_OPEN:
       if (conn->link_proto < 3)
@@ -1131,6 +1132,7 @@ command_process_authenticate_cell(var_cell_t *cell, or_connection_t *conn)
   /* Okay, we are authenticated. */
   conn->handshake_state->received_authenticate = 1;
   conn->handshake_state->authenticated = 1;
+  conn->handshake_state->digest_received_data = 0;
   {
     crypto_pk_env_t *identity_rcvd =
       tor_tls_cert_get_key(conn->handshake_state->id_cert);

src/or/connection_or.c

@@ -1573,6 +1573,8 @@ connection_init_or_handshake_state(or_connection_t *conn, int started_here)
   or_handshake_state_t *s;
   s = conn->handshake_state = tor_malloc_zero(sizeof(or_handshake_state_t));
   s->started_here = started_here ? 1 : 0;
+  s->digest_sent_data = 1;
+  s->digest_received_data = 1;
   return 0;
 }
 
@@ -1606,6 +1608,13 @@ or_handshake_state_record_cell(or_handshake_state_t *state,
 {
   crypto_digest_env_t *d, **dptr;
   packed_cell_t packed;
+  if (incoming) {
+    if (!state->digest_received_data)
+      return;
+  } else {
+    if (!state->digest_sent_data)
+      return;
+  }
   if (!incoming) {
     log_warn(LD_BUG, "We shouldn't be sending any non-variable-length cells "
              "while making a handshake digest.  But we think we are sending "
@@ -1638,6 +1647,13 @@ or_handshake_state_record_var_cell(or_handshake_state_t *state,
 {
   crypto_digest_env_t *d, **dptr;
   char buf[VAR_CELL_HEADER_SIZE];
+  if (incoming) {
+    if (!state->digest_received_data)
+      return;
+  } else {
+    if (!state->digest_sent_data)
+      return;
+  }
   dptr = incoming ? &state->digest_received : &state->digest_sent;
   if (! *dptr)
     *dptr = crypto_new_digest256_env(DIGEST_SHA256);
@@ -1891,6 +1907,8 @@ connection_or_send_netinfo(or_connection_t *conn)
   int len;
   uint8_t *out;
 
+  tor_assert(conn->handshake_state);
+
   memset(&cell, 0, sizeof(cell_t));
   cell.command = CELL_NETINFO;
 
@@ -1917,6 +1935,7 @@ connection_or_send_netinfo(or_connection_t *conn)
     *out = 0;
   }
 
+  conn->handshake_state->digest_sent_data = 0;
   connection_or_write_cell_to_buf(&cell, conn);
 
   return 0;

src/or/or.h

@@ -1145,6 +1145,19 @@ typedef struct or_handshake_state_t {
   /* True iff we've received valid authentication to some identity. */
   unsigned int authenticated : 1;
 
+  /** True iff we should feed outgoing cells into digest_sent and
+   * digest_received respectively.
+   *
+   * From the server's side of the v3 handshake, we want to capture everything
+   * from the VERSIONS cell through and including the AUTH_CHALLENGE cell.
+   * From the client's, we want to capture everything from the VERSIONS cell
+   * through but *not* including the AUTHENTICATE cell.
+   *
+   * @{ */
+  unsigned int digest_sent_data : 1;
+  unsigned int digest_received_data : 1;
+  /**@}*/
+
   /** Identity digest that we have received and authenticated for our peer
    * on this connection. */
   uint8_t authenticated_peer_id[DIGEST_LEN];