[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] phase out non-tls handshake, now that tls is stable.



Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/home2/arma/work/onion/cvs/src/or

Modified Files:
	connection.c connection_or.c main.c or.h 
Log Message:
phase out non-tls handshake, now that tls is stable.


Index: connection.c
===================================================================
RCS file: /home/or/cvsroot/src/or/connection.c,v
retrieving revision 1.96
retrieving revision 1.97
diff -u -d -r1.96 -r1.97
--- connection.c	16 Sep 2003 20:57:08 -0000	1.96
+++ connection.c	16 Sep 2003 21:20:09 -0000	1.97
@@ -33,22 +33,9 @@
     "close",             /* 2 */
     "close_wait" },      /* 3 */
   { "ready" }, /* or listener, 0 */
-#ifdef USE_TLS
   { "connect()ing",                 /* 0 */
     "handshaking",                  /* 1 */
     "open" },                       /* 2 */
-#else
-  { "connecting (as OP)",       /* or, 0 */
-    "sending keys (as OP)",         /* 1 */
-    "connecting (as client)",       /* 2 */
-    "sending auth (as client)",     /* 3 */
-    "waiting for auth (as client)", /* 4 */
-    "sending nonce (as client)",    /* 5 */
-    "waiting for auth (as server)", /* 6 */
-    "sending auth (as server)",     /* 7 */
-    "waiting for nonce (as server)",/* 8 */
-    "open" },                       /* 9 */
-#endif
   { "waiting for dest info",     /* exit, 0 */
     "connecting",                      /* 1 */
     "open" },                          /* 2 */
@@ -75,10 +62,8 @@
 /********* END VARIABLES ************/
 
 static int connection_init_accepted_conn(connection_t *conn);
-#ifdef USE_TLS
 static int connection_tls_continue_handshake(connection_t *conn);
 static int connection_tls_finish_handshake(connection_t *conn);
-#endif
 
 /**************************************************************/
 
@@ -103,21 +88,6 @@
   conn->timestamp_lastread = now.tv_sec;
   conn->timestamp_lastwritten = now.tv_sec;
 
-#ifndef USE_TLS
-  if (connection_speaks_cells(conn)) {
-    conn->f_crypto = crypto_new_cipher_env(CONNECTION_CIPHER);
-    if (!conn->f_crypto) {
-      free((void *)conn);
-      return NULL;
-    }
-    conn->b_crypto = crypto_new_cipher_env(CONNECTION_CIPHER);
-    if (!conn->b_crypto) {
-      crypto_free_cipher_env(conn->f_crypto);
-      free((void *)conn);
-      return NULL;
-    }
-  }
-#endif
   return conn;
 }
 
@@ -133,15 +103,8 @@
 
   if(connection_speaks_cells(conn)) {
     directory_set_dirty();
-#ifdef USE_TLS
     if (conn->tls)
       tor_tls_free(conn->tls);
-#else
-    if (conn->f_crypto)
-      crypto_free_cipher_env(conn->f_crypto);
-    if (conn->b_crypto)
-      crypto_free_cipher_env(conn->b_crypto);
-#endif
   }
 
   if (conn->pkey)
@@ -260,12 +223,8 @@
 
   switch(conn->type) {
     case CONN_TYPE_OR:
-#ifdef USE_TLS
       if(connection_tls_start_handshake(conn, 1) < 0)
         return -1;
-#else
-      conn->state = OR_CONN_STATE_SERVER_AUTH_WAIT;
-#endif
       break;
     case CONN_TYPE_AP:
       conn->state = AP_CONN_STATE_SOCKS_WAIT;
@@ -277,7 +236,6 @@
   return 0;
 }
 
-#ifdef USE_TLS
 int connection_tls_start_handshake(connection_t *conn, int receiving) {
   conn->state = OR_CONN_STATE_HANDSHAKING;
   conn->tls = tor_tls_new(conn->s, receiving);
@@ -383,7 +341,6 @@
   }
   return 0;
 }
-#endif
 
 /* take conn, make a nonblocking socket; try to connect to 
  * addr:port (they arrive in *host order*). If fail, return -1. Else
@@ -525,7 +482,6 @@
   if(conn->receiver_bucket >= 0 && at_most > conn->receiver_bucket)
     at_most = conn->receiver_bucket;
 
-#ifdef USE_TLS
   if(connection_speaks_cells(conn) && conn->state != OR_CONN_STATE_CONNECTING) {
     if(conn->state == OR_CONN_STATE_HANDSHAKING)
       return connection_tls_continue_handshake(conn);
@@ -546,9 +502,7 @@
       case TOR_TLS_DONE: /* no data read, so nothing to process */
         return 0;
     }
-  } else
-#endif
-  {
+  } else {
     result = read_to_buf(conn->s, at_most, &conn->inbuf, &conn->inbuflen,
                          &conn->inbuf_datalen, &conn->inbuf_reached_eof);
 //  log(LOG_DEBUG,"connection_read_to_buf(): read_to_buf returned %d.",read_result);
@@ -601,7 +555,6 @@
   my_gettimeofday(&now);
   conn->timestamp_lastwritten = now.tv_sec;
 
-#ifdef USE_TLS
   if(connection_speaks_cells(conn) && conn->state != OR_CONN_STATE_CONNECTING) {
     if(conn->state == OR_CONN_STATE_HANDSHAKING) {
       connection_stop_writing(conn);
@@ -634,9 +587,7 @@
        * is empty, so we can stop writing.
        */  
     }
-  } else
-#endif
-  {
+  } else {
     if(flush_buf(conn->s, &conn->outbuf, &conn->outbuflen,
                  &conn->outbuf_flushlen, &conn->outbuf_datalen) < 0)
       return -1;
@@ -802,10 +753,8 @@
     assert(conn->addr && conn->port);
     assert(conn->address);
     assert(conn->pkey);
-#ifdef USE_TLS
     if (conn->state != OR_CONN_STATE_CONNECTING)
       assert(conn->tls);
-#endif
   }
   
   if (conn->type != CONN_TYPE_EXIT && conn->type != CONN_TYPE_AP) {

Index: connection_or.c
===================================================================
RCS file: /home/or/cvsroot/src/or/connection_or.c,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -d -r1.50 -r1.51
--- connection_or.c	16 Sep 2003 05:41:49 -0000	1.50
+++ connection_or.c	16 Sep 2003 21:20:09 -0000	1.51
@@ -6,20 +6,6 @@
 
 extern or_options_t options; /* command-line and config-file options */
 
-#ifndef USE_TLS
-static int or_handshake_op_send_keys(connection_t *conn);
-static int or_handshake_op_finished_sending_keys(connection_t *conn);
-
-static int or_handshake_client_process_auth(connection_t *conn);
-static int or_handshake_client_send_auth(connection_t *conn);
-
-static int or_handshake_server_process_auth(connection_t *conn);
-static int or_handshake_server_process_nonce(connection_t *conn);
-
-static void conn_or_init_crypto(connection_t *conn);
-static void connection_or_set_open(connection_t *conn);
-#endif
-
 /**************************************************************/
 
 static void cell_pack(char *dest, const cell_t *src) {
@@ -49,27 +35,9 @@
     return -1;
   }
 
-#ifdef USE_TLS
   if(conn->state != OR_CONN_STATE_OPEN)
     return 0; /* don't do anything */
   return connection_process_cell_from_inbuf(conn);
-#else
-//  log(LOG_DEBUG,"connection_or_process_inbuf(): state %d.",conn->state);
-  switch(conn->state) {
-    case OR_CONN_STATE_CLIENT_AUTH_WAIT:
-      return or_handshake_client_process_auth(conn);
-    case OR_CONN_STATE_SERVER_AUTH_WAIT:
-      return or_handshake_server_process_auth(conn);
-    case OR_CONN_STATE_SERVER_NONCE_WAIT:
-      return or_handshake_server_process_nonce(conn);
-    case OR_CONN_STATE_OPEN:
-      return connection_process_cell_from_inbuf(conn);
-    default:
-      log_fn(LOG_DEBUG,"called in state where I'm writing. Ignoring buf for now.");
-  }
-
-  return 0;
-#endif
 }
 
 int connection_or_finished_flushing(connection_t *conn) {
@@ -78,13 +46,7 @@
   assert(conn && conn->type == CONN_TYPE_OR);
 
   switch(conn->state) {
-#ifndef USE_TLS
-    case OR_CONN_STATE_OP_SENDING_KEYS:
-      return or_handshake_op_finished_sending_keys(conn);
-    case OR_CONN_STATE_CLIENT_CONNECTING:
-#else
     case OR_CONN_STATE_CONNECTING:
-#endif
       if (getsockopt(conn->s, SOL_SOCKET, SO_ERROR, (void*)&e, &len) < 0)  { /* not yet */
         if(!ERRNO_CONN_EINPROGRESS(errno)){
           log_fn(LOG_DEBUG,"in-progress connect failed. Removing.");
@@ -98,31 +60,8 @@
       log_fn(LOG_DEBUG,"OR connect() to router %s:%u finished.",
           conn->address,conn->port);
 
-#ifdef USE_TLS
       if(connection_tls_start_handshake(conn, 0) < 0)
         return -1;
-#else
-      if(options.OnionRouter)
-        return or_handshake_client_send_auth(conn);
-      else
-        return or_handshake_op_send_keys(conn);
-    case OR_CONN_STATE_CLIENT_SENDING_AUTH:
-      log_fn(LOG_DEBUG,"client finished sending auth.");
-      conn->state = OR_CONN_STATE_CLIENT_AUTH_WAIT;
-      connection_watch_events(conn, POLLIN);
-      return 0;
-    case OR_CONN_STATE_CLIENT_SENDING_NONCE:
-      log_fn(LOG_DEBUG,"client finished sending nonce.");
-      conn_or_init_crypto(conn);
-      connection_or_set_open(conn);
-
-      return connection_process_inbuf(conn); /* in case there's anything waiting on it */
-    case OR_CONN_STATE_SERVER_SENDING_AUTH:
-      log_fn(LOG_DEBUG,"server finished sending auth.");
-      conn->state = OR_CONN_STATE_SERVER_NONCE_WAIT;
-      connection_watch_events(conn, POLLIN);
-      return 0;
-#endif
     case OR_CONN_STATE_OPEN:
       connection_stop_writing(conn);
       return 0;
@@ -178,25 +117,15 @@
       connection_watch_events(conn, POLLIN | POLLOUT | POLLERR); 
       /* writable indicates finish, readable indicates broken link,
          error indicates broken link on windows */
-#ifdef USE_TLS
       conn->state = OR_CONN_STATE_CONNECTING;
-#else
-      conn->state = OR_CONN_STATE_CLIENT_CONNECTING;
-#endif
       return conn;
     /* case 1: fall through */
   }
 
   connection_set_poll_socket(conn);
 
-#ifdef USE_TLS
   if(connection_tls_start_handshake(conn, 0) >= 0)
     return conn;
-#else
-  if((options.OnionRouter && or_handshake_client_send_auth(conn) >= 0) ||
-     (!options.OnionRouter && or_handshake_op_send_keys(conn) >= 0))
-    return conn; /* success! */
-#endif
 
   /* failure */
   connection_remove(conn);
@@ -206,473 +135,12 @@
 
 /* ********************************** */
 
-#ifndef USE_TLS
-/* Helper functions to implement handshaking */
-
-#define FLAGS_LEN 2
-#define KEY_LEN 16
-#define ADDR_LEN 4
-#define PORT_LEN 2
-#define PKEY_LEN 128
-
-static int 
-or_handshake_op_send_keys(connection_t *conn) {
-  unsigned char message[FLAGS_LEN + KEY_LEN + KEY_LEN];
-  unsigned char cipher[PKEY_LEN];
-  int retval;
-
-  assert(conn && conn->type == CONN_TYPE_OR);
-
-  conn->bandwidth = DEFAULT_BANDWIDTH_OP;
-
-  /* generate random keys */
-  if(crypto_cipher_generate_key(conn->f_crypto) ||
-     crypto_cipher_generate_key(conn->b_crypto)) {
-    log(LOG_ERR,"Cannot generate a secure symmetric key.");
-    return -1;
-  }
-  log(LOG_DEBUG,"or_handshake_op_send_keys() : Generated symmetric keys.");
-  /* compose the message */
-  *(uint16_t *)(message) = htons(HANDSHAKE_AS_OP);
-  memcpy((void *)(message+FLAGS_LEN), 
-         (void *)crypto_cipher_get_key(conn->f_crypto), 16);
-  memcpy((void *)(message+FLAGS_LEN+KEY_LEN), 
-         (void *)crypto_cipher_get_key(conn->b_crypto), 16);
-
-  /* encrypt with RSA */
-  if(crypto_pk_public_encrypt(conn->pkey, message, sizeof(message), cipher, RSA_PKCS1_PADDING) < 0) {
-    log(LOG_ERR,"or_handshake_op_send_keys(): Public key encryption failed.");
-    return -1;
-  }
-  log(LOG_DEBUG,"or_handshake_op_send_keys() : Encrypted authentication message.");
-
-  /* send message */
-
-  if(connection_write_to_buf(cipher, PKEY_LEN, conn) < 0) {
-    log(LOG_DEBUG,"or_handshake_op_send_keys(): my outbuf is full. Oops.");
-    return -1;
-  }
-  retval = connection_flush_buf(conn);
-  if(retval < 0) {
-    log(LOG_DEBUG,"or_handshake_op_send_keys(): bad socket while flushing.");
-    return -1;
-  }
-  if(retval > 0) {
-    /* still stuff on the buffer. */
-    conn->state = OR_CONN_STATE_OP_SENDING_KEYS;
-    connection_watch_events(conn, POLLOUT | POLLIN);
-    return 0;
-  }
-
-  /* it finished sending */
-  log(LOG_DEBUG,"or_handshake_op_send_keys(): Finished sending authentication message.");
-  return or_handshake_op_finished_sending_keys(conn);
-}
-
-static int 
-or_handshake_op_finished_sending_keys(connection_t *conn) {
-
-  /* do crypto initialization, etc */
-  conn_or_init_crypto(conn);
-
-  connection_or_set_open(conn);
-  circuit_n_conn_open(conn); /* send the pending onion(s) */
-  return 0;
-}
-
-static int 
-or_handshake_client_send_auth(connection_t *conn) {
-  int retval;
-  char buf[FLAGS_LEN+ADDR_LEN+PORT_LEN+ADDR_LEN+
-           PORT_LEN+KEY_LEN+KEY_LEN];
-  char cipher[PKEY_LEN];
-  struct sockaddr_in me; /* my router identity */
-
-  assert(conn);
-
-  if(learn_my_address(&me) < 0)
-    return -1;
-
-  /* generate random keys */
-  if(crypto_cipher_generate_key(conn->f_crypto) ||
-     crypto_cipher_generate_key(conn->b_crypto)) {
-    log(LOG_ERR,"Cannot generate a secure symmetric key.");
-    return -1;
-  }
-  log(LOG_DEBUG,"or_handshake_client_send_auth() : Generated symmetric keys.");
-
-  /* generate first message */
-  *(uint16_t*)buf = htons(HANDSHAKE_AS_OR);
-  *(uint32_t*)(buf+FLAGS_LEN) = me.sin_addr.s_addr; /* local address, network order */
-  *(uint16_t*)(buf+FLAGS_LEN+ADDR_LEN) = me.sin_port; /* local port, network order */
-  *(uint32_t*)(buf+FLAGS_LEN+ADDR_LEN+PORT_LEN) = htonl(conn->addr); /* remote address */
-  *(uint16_t*)(buf+FLAGS_LEN+ADDR_LEN+PORT_LEN+ADDR_LEN) = htons(conn->port); /* remote port */
-  memcpy(buf+FLAGS_LEN+ADDR_LEN+PORT_LEN+ADDR_LEN+PORT_LEN,
-         crypto_cipher_get_key(conn->f_crypto),16); /* keys */
-  memcpy(buf+FLAGS_LEN+ADDR_LEN+PORT_LEN+ADDR_LEN+PORT_LEN+KEY_LEN,
-         crypto_cipher_get_key(conn->b_crypto),16);
-  log(LOG_DEBUG,"or_handshake_client_send_auth() : Generated first authentication message.");
-
-  /* encrypt message */
-  retval = crypto_pk_public_encrypt(conn->pkey, buf, sizeof(buf), cipher,RSA_PKCS1_PADDING);
-  if (retval == -1) /* error */
-  { 
-    log(LOG_ERR,"Public-key encryption failed during authentication to %s:%u.",conn->address,conn->port);
-    log(LOG_DEBUG,"or_handshake_client_send_auth() : Reason : %s.",crypto_perror());
-    return -1;
-  }
-  log(LOG_DEBUG,"or_handshake_client_send_auth() : Encrypted authentication message.");
-
-  /* send message */
-  
-  if(connection_write_to_buf(cipher, PKEY_LEN, conn) < 0) {
-    log(LOG_DEBUG,"or_handshake_client_send_auth(): my outbuf is full. Oops.");
-    return -1;
-  }
-  retval = connection_flush_buf(conn);
-  if(retval < 0) {
-    log(LOG_DEBUG,"or_handshake_client_send_auth(): bad socket while flushing.");
-    return -1;
-  }
-  if(retval > 0) {
-    /* still stuff on the buffer. */
-    conn->state = OR_CONN_STATE_CLIENT_SENDING_AUTH;
-    connection_watch_events(conn, POLLOUT | POLLIN);
-    return 0;
-  }
-
-  /* it finished sending */
-  log(LOG_DEBUG,"or_handshake_client_send_auth(): Finished sending authentication message.");
-  conn->state = OR_CONN_STATE_CLIENT_AUTH_WAIT;
-  connection_watch_events(conn, POLLIN);
-  return 0;
-
-}
-
-static int 
-or_handshake_client_process_auth(connection_t *conn) {
-  char buf[128]; /* only 52 of this is expected to be used */
-  char cipher[128];
-  int retval;
-  struct sockaddr_in me; /* my router identity */
-
-  assert(conn);
-
-  if(learn_my_address(&me) < 0)
-    return -1;
-
-  if(conn->inbuf_datalen < 128) /* entire response available? */
-    return 0; /* not yet */
-
-  connection_fetch_from_buf(cipher,128,conn);
-  log(LOG_DEBUG,"or_handshake_client_process_auth() : Received auth.");
-
-  /* decrypt response */
-  retval = crypto_pk_private_decrypt(get_privatekey(), cipher, 128, buf, RSA_PKCS1_PADDING);
-  if (retval == -1)
-  { 
-    log(LOG_ERR,"Public-key decryption failed during authentication to %s:%u.",
-        conn->address,conn->port);
-    log(LOG_DEBUG,"or_handshake_client_process_auth() : Reason : %s.",
-        crypto_perror());
-    return -1;
-  }
-  else if (retval != 52)
-  { 
-    log(LOG_ERR,"client_process_auth: incorrect response from router %s:%u.",
-        conn->address,conn->port);
-    return -1;
-  }
-  log(LOG_DEBUG,"or_handshake_client_process_auth() : Decrypted response.");
-  /* check validity */
-  if ( (*(uint32_t*)buf != me.sin_addr.s_addr) || /* local address, network order */
-       (*(uint16_t*)(buf+4) != me.sin_port) || /* local port, network order */
-       (ntohl(*(uint32_t*)(buf+6)) != conn->addr) || /* remote address */
-       (ntohs(*(uint16_t*)(buf+10)) != conn->port) ) { /* remote port */
-    log(LOG_ERR,"client_process_auth: Router %s:%u: bad address info.", conn->address,conn->port);
-    return -1;
-  }
-  if ( (memcmp(crypto_cipher_get_key(conn->f_crypto), buf+12, 16)) ||/* keys */
-       (memcmp(crypto_cipher_get_key(conn->b_crypto), buf+28, 16)) ) {
-    log(LOG_ERR,"client_process_auth: Router %s:%u: bad key info.",conn->address,conn->port);
-    return -1;
-  }
-
-  log(LOG_DEBUG,"or_handshake_client_process_auth() : Response valid.");
-
-  /* reply is just local addr/port, remote addr/port, nonce */
-  memcpy(buf+12, buf+44, 8);
-
-  /* encrypt reply */
-  retval = crypto_pk_public_encrypt(conn->pkey, buf, 20, cipher,RSA_PKCS1_PADDING);
-  if (retval == -1) /* error */
-  { 
-    log(LOG_ERR,"Public-key encryption failed during authentication to %s:%u.",conn->address,conn->port);
-    log(LOG_DEBUG,"or_handshake_client_process_auth() : Reason : %s.",crypto_perror());
-    return -1;
-  }
-
-  /* send the message */
-
-  if(connection_write_to_buf(cipher, 128, conn) < 0) {
-    log(LOG_DEBUG,"or_handshake_client_process_auth(): my outbuf is full. Oops.");
-    return -1;
-  }
-  retval = connection_flush_buf(conn);
-  if(retval < 0) {
-    log(LOG_DEBUG,"or_handshake_client_process_auth(): bad socket while flushing.");
-    return -1;
-  }
-  if(retval > 0) {
-    /* still stuff on the buffer. */
-    conn->state = OR_CONN_STATE_CLIENT_SENDING_NONCE;
-    connection_watch_events(conn, POLLOUT | POLLIN);
-/*    return(connection_process_inbuf(conn)); process the rest of the inbuf */
-    return 0;   
-  }
-
-  /* it finished sending */
-  log(LOG_DEBUG,"or_handshake_client_process_auth(): Finished sending nonce.");
-  conn_or_init_crypto(conn);
-  connection_or_set_open(conn);
-  return connection_process_inbuf(conn); /* process the rest of the inbuf */
-}
-
-/* auth handshake, as performed by OR *receiving* the connection */
-static int or_handshake_server_process_auth(connection_t *conn) {
-  int retval;
-
-  char buf[128]; /* 50 of this is expected to be used for OR, 38 for OP */
-  char cipher[128];
-
-  unsigned char iv[16];
-
-  uint32_t addr;
-  uint16_t port;
-
-  routerinfo_t *router;
-
-  assert(conn);
-
-  log(LOG_DEBUG,"or_handshake_server_process_auth() entered.");
-
-  if(conn->inbuf_datalen < 128) /* entire response available? */
-    return 0; /* not yet */  
-
-  connection_fetch_from_buf(cipher,128,conn);
-  log(LOG_DEBUG,"or_handshake_server_process_auth() : Received auth.");
-
-  /* decrypt response */
-  retval = crypto_pk_private_decrypt(get_privatekey(), cipher, 128, buf, RSA_PKCS1_PADDING);
-  if (retval == -1) {
-    log(LOG_ERR,"or_handshake_server_process_auth: Public-key decryption failed.");
-    log(LOG_DEBUG,"or_handshake_server_process_auth() : Reason : %s.",
-        crypto_perror());
-    return -1;
-  }
-
-  if (retval == 46) {
-
-    log(LOG_DEBUG,"or_handshake_server_process_auth(): Decrypted OR-style auth message.");
-    if(ntohs(*(uint16_t*)buf) != HANDSHAKE_AS_OR) {
-      log(LOG_DEBUG,"or_handshake_server_process_auth(): ...but wasn't labelled OR. Dropping.");
-      return -1;
-    }
-
-    /* identify the router */
-    addr = ntohl(*(uint32_t*)(buf+2)); /* save the IP address */
-    port = ntohs(*(uint16_t*)(buf+6)); /* save the port */
-
-    router = router_get_by_addr_port(addr,port);
-    if (!router) {
-      log(LOG_DEBUG,"or_handshake_server_process_auth() : unknown router '%s:%d'. Will drop.", conn->address, port);
-      return -1;
-    }
-    log(LOG_DEBUG,"or_handshake_server_process_auth() : Router identified as %s:%u.",
-        router->address,router->or_port);
-
-    if(connection_exact_get_by_addr_port(addr,port)) {
-      log(LOG_DEBUG,"or_handshake_server_process_auth(): That router is already connected. Dropping.");
-      return -1;
-    }
-
-    /* save keys */
-    crypto_cipher_set_key(conn->b_crypto,buf+14);
-    crypto_cipher_set_key(conn->f_crypto,buf+30);
-
-    conn->bandwidth = router->bandwidth;
-
-    /* copy all relevant info to conn */
-    conn->addr = router->addr, conn->port = router->or_port;
-    conn->pkey = crypto_pk_dup_key(router->pkey);
-    if(conn->address)
-      free(conn->address);
-    conn->address = strdup(router->address);
-
-    /* generate a nonce */
-    retval = crypto_rand(8, conn->nonce);
-    if (retval) { /* error */
-      log(LOG_ERR,"Cannot generate a nonce.");
-      return -1;
-    }
-    log(LOG_DEBUG,"or_handshake_server_process_auth(): Nonce generated.");
-
-    memmove(buf, buf+2, 44);
-    memcpy(buf+44,conn->nonce,8); /* append the nonce to the end of the message */
-
-    /* encrypt message */
-    retval = crypto_pk_public_encrypt(conn->pkey, buf, 52, cipher,RSA_PKCS1_PADDING);
-    if (retval == -1) { /* error */
-      log(LOG_ERR,"Public-key encryption failed during authentication to %s:%u.",conn->address,conn->port);
-      log(LOG_DEBUG,"or_handshake_server_process_auth() : Reason : %s.",crypto_perror());
-      return -1;
-    }
-    log(LOG_DEBUG,"or_handshake_server_process_auth() : Reply encrypted.");
-
-    /* send message */
-
-    if(connection_write_to_buf(cipher, 128, conn) < 0) {
-      log(LOG_DEBUG,"or_handshake_server_process_auth(): my outbuf is full. Oops.");
-      return -1;
-    }
-    retval = connection_flush_buf(conn);
-    if(retval < 0) {
-      log(LOG_DEBUG,"or_handshake_server_process_auth(): bad socket while flushing.");
-      return -1;
-    }
-    if(retval > 0) {
-      /* still stuff on the buffer. */
-      conn->state = OR_CONN_STATE_SERVER_SENDING_AUTH;
-      connection_watch_events(conn, POLLOUT | POLLIN);
-      return 0;
-    }
-
-    /* it finished sending */
-    log(LOG_DEBUG,"or_handshake_server_process_auth(): Finished sending auth.");
-    conn->state = OR_CONN_STATE_SERVER_NONCE_WAIT;
-    connection_watch_events(conn, POLLIN);
-    return 0;
-  }
-
-  if(retval == 34) {
-    log(LOG_DEBUG,"or_handshake_server_process_auth(): Decrypted OP-style auth message.");
-    if(ntohs(*(uint16_t*)buf) != HANDSHAKE_AS_OP) {
-      log(LOG_DEBUG,"or_handshake_server_process_auth(): ...but wasn't labelled OP. Dropping.");
-      return -1;
-    }
-
-    crypto_cipher_set_key(conn->b_crypto, buf+2);
-    crypto_cipher_set_key(conn->f_crypto, buf+18);
-
-    memset(iv, 0, 16);
-    crypto_cipher_set_iv(conn->b_crypto, iv);
-    crypto_cipher_set_iv(conn->f_crypto, iv);
-
-    crypto_cipher_encrypt_init_cipher(conn->b_crypto);
-    crypto_cipher_decrypt_init_cipher(conn->f_crypto);
-
-    conn->state = OR_CONN_STATE_OPEN;
-    connection_watch_events(conn, POLLIN);
-
-    return connection_process_inbuf(conn); /* in case they sent some cells along with the keys */
-  }
-
-  log(LOG_ERR,"or_handshake_server_process_auth(): received an incorrect authentication request.");
-  return -1;
-}
-
-static int 
-or_handshake_server_process_nonce(connection_t *conn) {
-
-  char buf[128];
-  char cipher[128];
-  int retval;
-  struct sockaddr_in me; /* my router identity */
-
-  assert(conn);
-
-  if(learn_my_address(&me) < 0)
-    return -1;
-
-  if(conn->inbuf_datalen < 128) /* entire response available? */
-    return 0; /* not yet */
-
-  connection_fetch_from_buf(cipher,128,conn);
-  log(LOG_DEBUG,"or_handshake_server_process_nonce() : Received auth.");
-
-  /* decrypt response */
-  retval = crypto_pk_private_decrypt(get_privatekey(), cipher, 128, buf,RSA_PKCS1_PADDING);
-  if (retval == -1)
-  {
-    log(LOG_ERR,"Public-key decryption failed during authentication to %s:%u.",
-        conn->address,conn->port);
-    log(LOG_DEBUG,"or_handshake_server_process_nonce() : Reason : %s.",
-        crypto_perror());
-    return -1;
-  }
-  else if (retval != 20)
-  { 
-    log(LOG_ERR,"server_process_nonce: incorrect response from router %s:%u.",
-        conn->address,conn->port);
-    return -1;
-  }
-  log(LOG_DEBUG,"or_handshake_server_process_nonce() : Response decrypted.");
-
-  /* check validity */
-  if ((ntohl(*(uint32_t*)buf) != conn->addr) || /* remote address */
-      (ntohs(*(uint16_t*)(buf+4)) != conn->port) || /* remote port */ 
-       (*(uint32_t*)(buf+6) != me.sin_addr.s_addr) || /* local address, network order */
-       (*(uint16_t*)(buf+10) != me.sin_port) || /* local port, network order */
-      (memcmp(conn->nonce,buf+12,8))) /* nonce */
-  { 
-    log(LOG_ERR,"server_process_nonce: Router %s:%u gave bad response.",conn->address,conn->port);
-    return -1;
-  }
-  log(LOG_DEBUG,"or_handshake_server_process_nonce() : Response valid. Authentication complete.");
-
-  conn_or_init_crypto(conn);
-  connection_or_set_open(conn);
-  return connection_process_inbuf(conn); /* process the rest of the inbuf */
-
-}
-
-/*********************/
-
-static void 
-connection_or_set_open(connection_t *conn) {
-  conn->state = OR_CONN_STATE_OPEN;
-  directory_set_dirty();
-  connection_watch_events(conn, POLLIN);
-}
-
-static void 
-conn_or_init_crypto(connection_t *conn) {
-  unsigned char iv[16];
-
-  assert(conn);
-
-  memset((void *)iv, 0, 16);
-  crypto_cipher_set_iv(conn->f_crypto, iv);
-  crypto_cipher_set_iv(conn->b_crypto, iv);
-
-  crypto_cipher_encrypt_init_cipher(conn->f_crypto);
-  crypto_cipher_decrypt_init_cipher(conn->b_crypto);
-    /* always encrypt with f, always decrypt with b */
-}
-#endif
-
 int connection_write_cell_to_buf(const cell_t *cellp, connection_t *conn) {
   char networkcell[CELL_NETWORK_SIZE];
   char *n = networkcell;
 
   cell_pack(n, cellp);
  
-#ifndef USE_TLS
-  if(connection_encrypt_cell(n,conn)<0) {
-    return -1;
-  }
-#endif
- 
   return connection_write_to_buf(n, CELL_NETWORK_SIZE, conn);
 }
 
@@ -680,41 +148,13 @@
   /* check if there's a whole cell there.
    *    * if yes, pull it off, decrypt it if we're not doing TLS, and process it.
    *       */
-#ifndef USE_TLS
-  char networkcell[CELL_NETWORK_SIZE];
-#endif
   char buf[CELL_NETWORK_SIZE];
-//  int x;
   cell_t cell;
  
   if(conn->inbuf_datalen < CELL_NETWORK_SIZE) /* entire response available? */
     return 0; /* not yet */
  
-#ifdef USE_TLS
   connection_fetch_from_buf(buf, CELL_NETWORK_SIZE, conn);
-#else
-  connection_fetch_from_buf(networkcell, CELL_NETWORK_SIZE, conn);
-#if 0
-  printf("Cell header crypttext: ");
-  for(x=0;x<8;x++) {
-    printf("%u ",crypted[x]);
-  }
-  printf("\n");
-#endif
-  /* decrypt */
-  if(crypto_cipher_decrypt(conn->b_crypto, networkcell, CELL_NETWORK_SIZE, buf)) {
-    log_fn(LOG_ERR,"Decryption failed, dropping.");
-    return connection_process_inbuf(conn); /* process the remainder of the buffer */
-  }
-//  log_fn(LOG_DEBUG,"Cell decrypted (%d bytes).",outlen);
-#if 0
-  printf("Cell header plaintext: ");
-  for(x=0;x<8;x++) {
-    printf("%u ",outbuf[x]);
-  }
-  printf("\n");
-#endif
-#endif
  
   /* retrieve cell info from buf (create the host-order struct from the network-order string) */
   cell_unpack(&cell, buf);
@@ -724,24 +164,6 @@
  
   return connection_process_inbuf(conn); /* process the remainder of the buffer */
 }
-
-#ifndef USE_TLS
-int connection_encrypt_cell(char *cellp, connection_t *conn) {
-  char cryptcell[CELL_NETWORK_SIZE];
- 
-  assert(conn);
- 
-  if(crypto_cipher_encrypt(conn->f_crypto, cellp, CELL_NETWORK_SIZE, cryptcell)) {
-    log(LOG_ERR,"Could not encrypt cell for connection %s:%u.",conn->address,conn->port);
-    return -1;
-  }
-
-  memcpy(cellp,cryptcell,CELL_NETWORK_SIZE);
-  return 0;
-}
-#endif
-
-
 
 /*
   Local Variables:

Index: main.c
===================================================================
RCS file: /home/or/cvsroot/src/or/main.c,v
retrieving revision 1.94
retrieving revision 1.95
diff -u -d -r1.94 -r1.95
--- main.c	16 Sep 2003 20:57:08 -0000	1.94
+++ main.c	16 Sep 2003 21:20:09 -0000	1.95
@@ -449,7 +449,6 @@
     set_signing_privatekey(prkey);
   }
 
-#ifdef USE_TLS
   if(options.OnionRouter) {
     struct stat statbuf;
     if(stat(options.CertFile, &statbuf) < 0) {
@@ -472,7 +471,6 @@
       return -1;
     }
   }
-#endif
 
   /* start up the necessary connections based on which ports are
    * non-zero. This is where we try to connect to all the other ORs,

Index: or.h
===================================================================
RCS file: /home/or/cvsroot/src/or/or.h,v
retrieving revision 1.130
retrieving revision 1.131
diff -u -d -r1.130 -r1.131
--- or.h	16 Sep 2003 20:57:09 -0000	1.130
+++ or.h	16 Sep 2003 21:20:09 -0000	1.131
@@ -7,7 +7,6 @@
 
 #include "orconfig.h"
 
-#define USE_TLS
 #define SEQUENTIAL_ACI
 
 #include <stdio.h>
@@ -105,11 +104,6 @@
 #define MAX_BUF_SIZE (640*1024)
 #define DEFAULT_BANDWIDTH_OP (1024 * 1000)
 
-#ifndef USE_TLS
-#define HANDSHAKE_AS_OP 1
-#define HANDSHAKE_AS_OR 2
-#endif
-
 #define ACI_TYPE_LOWER 0
 #define ACI_TYPE_HIGHER 1
 #define ACI_TYPE_BOTH 2
@@ -139,30 +133,11 @@
 
 #define CPUWORKER_TASK_ONION CPUWORKER_STATE_BUSY_ONION
 
-#ifndef USE_TLS
-/* how to read these states:
- * foo_CONN_STATE_bar_baz:
- * "I am acting as a bar, currently in stage baz of talking with a foo."
- */
-//#define OR_CONN_STATE_OP_CONNECTING 0 /* an application proxy wants me to connect to this OR */
-#define _OR_CONN_STATE_MIN 1
-#define OR_CONN_STATE_OP_SENDING_KEYS 1
-#define OR_CONN_STATE_CLIENT_CONNECTING 2 /* connecting to this OR */
-#define OR_CONN_STATE_CLIENT_SENDING_AUTH 3 /* sending address and info */
-#define OR_CONN_STATE_CLIENT_AUTH_WAIT 4 /* have sent address and info, waiting */
-#define OR_CONN_STATE_CLIENT_SENDING_NONCE 5 /* sending nonce, last piece of handshake */
-#define OR_CONN_STATE_SERVER_AUTH_WAIT 6 /* waiting for address and info */
-#define OR_CONN_STATE_SERVER_SENDING_AUTH 7 /* writing auth and nonce */
-#define OR_CONN_STATE_SERVER_NONCE_WAIT 8 /* waiting for confirmation of nonce */
-#define OR_CONN_STATE_OPEN 9 /* ready to send/receive cells. */
-#define _OR_CONN_STATE_MAX 9
-#else
 #define _OR_CONN_STATE_MIN 0
 #define OR_CONN_STATE_CONNECTING 0 /* waiting for connect() to finish */
 #define OR_CONN_STATE_HANDSHAKING 1 /* SSL is handshaking, not done yet */
 #define OR_CONN_STATE_OPEN 2 /* ready to send/receive cells. */
 #define _OR_CONN_STATE_MAX 2
-#endif
 
 #define _EXIT_CONN_STATE_MIN 0
 #define EXIT_CONN_STATE_RESOLVING 0 /* waiting for response from dns farm */
@@ -209,10 +184,6 @@
 #define DEFAULT_CIPHER CRYPTO_CIPHER_AES_CTR
 /* Used to en/decrypt onion skins */
 #define ONION_CIPHER      DEFAULT_CIPHER
-#ifndef USE_TLS
-/* Used to en/decrypt cells between ORs/OPs. */
-#define CONNECTION_CIPHER DEFAULT_CIPHER
-#endif
 /* Used to en/decrypt RELAY cells */
 #define CIRCUIT_CIPHER    DEFAULT_CIPHER
 
@@ -304,15 +275,7 @@
   crypto_pk_env_t *pkey; /* public RSA key for the other side */
 
 /* Used only by OR connections: */
-#ifdef USE_TLS
   tor_tls *tls;
-#else
-  /* link encryption */
-  crypto_cipher_env_t *f_crypto;
-  crypto_cipher_env_t *b_crypto;
-
-  char nonce[8];
-#endif
 #ifdef SEQUENTIAL_ACI
   uint16_t next_aci; /* Which ACI do we try to use next on this connection? 
                       * This is always in the range 0..1<<15-1.*/
@@ -532,9 +495,7 @@
 int connection_create_listener(struct sockaddr_in *bindaddr, int type);
 int connection_handle_listener_read(connection_t *conn, int new_type);
 
-#ifdef USE_TLS
 int connection_tls_start_handshake(connection_t *conn, int receiving);
-#endif
 
 int connection_connect(connection_t *conn, char *address, uint32_t addr, uint16_t port);
 int retry_all_connections(uint16_t or_listenport, uint16_t ap_listenport, uint16_t dir_listenport);
@@ -586,9 +547,6 @@
 
 int connection_write_cell_to_buf(const cell_t *cellp, connection_t *conn);
 int connection_process_cell_from_inbuf(connection_t *conn);
-#ifndef USE_TLS
-int connection_encrypt_cell(char *cellp, connection_t *conn);
-#endif
 
 /********************************* cpuworker.c *****************************/