[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r13122: Basic hacks to get TLS handshakes working: remove dead code; (in tor/trunk: . src/or)



Author: nickm
Date: 2008-01-12 19:20:47 -0500 (Sat, 12 Jan 2008)
New Revision: 13122

Modified:
   tor/trunk/
   tor/trunk/src/or/command.c
   tor/trunk/src/or/connection.c
   tor/trunk/src/or/connection_or.c
   tor/trunk/src/or/or.h
Log:
 r15891@tombo:  nickm | 2008-01-12 19:20:24 -0500
 Basic hacks to get TLS handshakes working: remove dead code; fix post-handshake logic; keep servers from writing while the client is supposed to be renegotiating.  This may work.  Needs testing.



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r15891] on d9e39d38-0f13-419c-a857-e10a0ce2aa0c

Modified: tor/trunk/src/or/command.c
===================================================================
--- tor/trunk/src/or/command.c	2008-01-13 00:20:44 UTC (rev 13121)
+++ tor/trunk/src/or/command.c	2008-01-13 00:20:47 UTC (rev 13122)
@@ -461,10 +461,8 @@
   end = cell->payload + cell->payload_len;
   for (cp = cell->payload; cp+1 < end; ++cp) {
     uint16_t v = ntohs(get_uint16(cp));
-    if (v == 1 || v == 2) {
-      if (v > highest_supported_version)
-        highest_supported_version = v;
-    }
+    if (is_or_protocol_version_known(v) && v > highest_supported_version)
+      highest_supported_version = v;
   }
   if (!highest_supported_version) {
     log_fn(LOG_PROTOCOL_WARN, LD_OR,
@@ -476,20 +474,15 @@
   conn->link_proto = highest_supported_version;
   conn->handshake_state->received_versions = 1;
 
-#if 0
-  /*XXXX020 not right; references dead functions */
   if (highest_supported_version >= 2) {
-    if (connection_or_send_netinfo(conn) < 0 ||
-        connection_or_send_cert(conn) < 0) {
+    if (connection_or_send_netinfo(conn) < 0) {
       connection_mark_for_close(TO_CONN(conn));
       return;
     }
-    if (conn->handshake_state->started_here)
-      connection_or_send_link_auth(conn);
   } else {
-    /* XXXX020 finish v1 verification. */
+    /* Should be impossible. */
+    tor_fragile_assert();
   }
-#endif
 }
 
 /** Process a 'netinfo' cell. DOCDOC say more. */
@@ -577,7 +570,7 @@
   if (!conn->handshake_state)
     return -1;
 
-  tor_assert(conn->handshake_state->authenticated != 0);
+  tor_assert(conn->handshake_state->received_versions != 0);
 
   delta = conn->handshake_state->apparent_skew;
   /*XXXX020 magic number 3600 */
@@ -607,174 +600,3 @@
   return 0;
 }
 
-#if 0
-/*DOCDOC*/
-static void
-command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
-{
-  int n_certs = 0;
-  uint16_t conn_cert_len = 0, id_cert_len = 0;
-  const char *conn_cert = NULL, *id_cert = NULL;
-  const char *cp, *end;
-  int done = 0;
-
-  if (conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR, "Got CERT cell when not handshaking. "
-           "Ignoring.");
-    return;
-  }
-  tor_assert(conn->handshake_state);
-  if (!conn->handshake_state->received_versions ||
-      !conn->handshake_state->received_netinfo) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR, "Got CERT cell before VERSIONS and "
-           "NETINFO. Closing the connection.");
-    goto err;
-  }
-  if (conn->handshake_state->received_certs) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR, "Got duplicate CERT cell. "
-           "Closing the connection.");
-    goto err;
-  }
-
-  cp = cell->payload;
-  end = cell->payload + cell->payload_len;
-
-  while (cp < end) {
-    uint16_t len;
-    if (end-cp == 1)
-      goto err;
-    len = ntohs(get_uint16(cp));
-    cp += 2;
-    if (end-cp < len)
-      goto err;
-    if (n_certs == 0) {
-      id_cert = cp;
-      id_cert_len = len;
-    } else if (n_certs == 1) {
-      conn_cert = id_cert;
-      conn_cert_len = id_cert_len;
-      id_cert = cp;
-      id_cert_len = len;
-    } else {
-      goto err;
-    }
-    cp += len;
-    ++n_certs;
-  }
-
-  /* Now we have 0, 1, or 2 certs. */
-  if (n_certs == 0) {
-    /* The other side is unauthenticated. */
-    done = 1;
-  } else {
-    int r;
-    r = tor_tls_verify_certs_v2(LOG_PROTOCOL_WARN, conn->tls,
-                                conn_cert, conn_cert_len,
-                                id_cert, id_cert_len,
-                                &conn->handshake_state->signing_key,
-                                (conn->handshake_state->started_here ?
-                                 conn->handshake_state->server_cert_digest :
-                                 conn->handshake_state->client_cert_digest),
-                                &conn->handshake_state->identity_key,
-                                conn->handshake_state->cert_id_digest);
-    if (r < 0)
-      goto err;
-    if (r == 1) {
-      done = 1;
-      conn->handshake_state->authenticated = 1;
-    }
-  }
-
-  conn->handshake_state->received_certs = 1;
-  if (done) {
-    if (connection_or_finish_or_handshake(conn) < 0)
-      goto err;
-  }
-  if (! conn->handshake_state->signing_key)
-    goto err;
-
-  return;
- err:
-  connection_mark_for_close(TO_CONN(conn));
-}
-
-#define LINK_AUTH_STRING "Tor initiator certificate verification"
-
-/** DOCDOC */
-static void
-command_process_link_auth_cell(cell_t *cell, or_connection_t *conn)
-{
-  or_handshake_state_t *s;
-  char hmac[DIGEST_LEN];
-  uint16_t len;
-  size_t sig_len;
-  const char *sig;
-  char *checked = NULL;
-  int checked_len;
-  tor_assert(conn);
-  if (conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR,
-           "Received a LINK_AUTH cell on connection in the wrong state; "
-           "dropping.");
-    return;
-  }
-  s = conn->handshake_state;
-  tor_assert(s);
-  if (s->started_here) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR,
-           "Got a LINK_AUTH cell from a server; closing the connection.");
-    goto err;
-  }
-  if (!s->received_netinfo || !s->received_versions || !s->received_certs) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR, "Got a LINK_AUTH cell too early; "
-           "closing the connection");
-    goto err;
-  }
-  len = ntohs(get_uint16(cell->payload));
-  if (len < 2 || len > CELL_PAYLOAD_SIZE - 2) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR, "Bad length field (%d) on LINK_AUTH cell;"
-           " closing the connection", (int)len);
-    goto err;
-  }
-  if (cell->payload[2] != 0x00) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR, "Unrecognized LINK_AUTH signature "
-           "version; closing the connection");
-    goto err;
-  }
-  connection_or_compute_link_auth_hmac(conn, hmac);
-
-  tor_assert(s->signing_key);
-
-  sig = cell->payload+3;
-  sig_len = len-1;
-  checked = tor_malloc(crypto_pk_keysize(s->signing_key));
-  checked_len = crypto_pk_public_checksig(s->signing_key,checked,sig,sig_len);
-  if (checked_len < 0) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR, "Bad signature on LINK_AUTH cell; "
-           "closing the connection");
-    goto err;
-  }
-  if (checked_len != DIGEST_LEN) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR, "Bad length (%d) of signed material in "
-           "LINK_AUTH cell; closing the connection", checked_len);
-    goto err;
-  }
-  if (memcmp(checked, hmac, DIGEST_LEN) != 0) {
-    log_fn(LOG_PROTOCOL_WARN, LD_OR, "Bad signed data in LINK_AUTH cell; "
-           "closing the connection.");
-    goto err;
-  }
-
-  s->authenticated = 1;
-
-  if (connection_or_finish_or_handshake(conn)<0)
-    goto err;
-
-  tor_free(checked);
-  return;
- err:
-  tor_free(checked);
-  connection_mark_for_close(TO_CONN(conn));
-}
-#endif
-

Modified: tor/trunk/src/or/connection.c
===================================================================
--- tor/trunk/src/or/connection.c	2008-01-13 00:20:44 UTC (rev 13121)
+++ tor/trunk/src/or/connection.c	2008-01-13 00:20:47 UTC (rev 13122)
@@ -90,7 +90,10 @@
         case OR_CONN_STATE_PROXY_FLUSHING: return "proxy flushing";
         case OR_CONN_STATE_PROXY_READING: return "proxy reading";
         case OR_CONN_STATE_TLS_HANDSHAKING: return "handshaking (TLS)";
-        case OR_CONN_STATE_TLS_RENEGOTIATING: return "renegotiating (TLS)";
+        case OR_CONN_STATE_TLS_CLIENT_RENEGOTIATING:
+          return "renegotiating (TLS)";
+        case OR_CONN_STATE_TLS_SERVER_RENEGOTIATING:
+          return "waiting for renegotiation (TLS)";
         case OR_CONN_STATE_OR_HANDSHAKING: return "handshaking (Tor)";
         case OR_CONN_STATE_OPEN: return "open";
       }
@@ -1896,7 +1899,7 @@
     int pending;
     or_connection_t *or_conn = TO_OR_CONN(conn);
     if (conn->state == OR_CONN_STATE_TLS_HANDSHAKING ||
-        conn->state == OR_CONN_STATE_TLS_RENEGOTIATING) {
+        conn->state == OR_CONN_STATE_TLS_CLIENT_RENEGOTIATING) {
       /* continue handshaking even if global token bucket is empty */
       return connection_tls_continue_handshake(or_conn);
     }
@@ -2118,7 +2121,7 @@
       conn->state > OR_CONN_STATE_PROXY_READING) {
     or_connection_t *or_conn = TO_OR_CONN(conn);
     if (conn->state == OR_CONN_STATE_TLS_HANDSHAKING ||
-        conn->state == OR_CONN_STATE_TLS_RENEGOTIATING) {
+        conn->state == OR_CONN_STATE_TLS_CLIENT_RENEGOTIATING) {
       connection_stop_writing(conn);
       if (connection_tls_continue_handshake(or_conn) < 0) {
         /* Don't flush; connection is dead. */
@@ -2127,6 +2130,8 @@
         return -1;
       }
       return 0;
+    } else if (conn->state == OR_CONN_STATE_TLS_SERVER_RENEGOTIATING) {
+      return connection_handle_read(conn);
     }
 
     /* else open, or closing */

Modified: tor/trunk/src/or/connection_or.c
===================================================================
--- tor/trunk/src/or/connection_or.c	2008-01-13 00:20:44 UTC (rev 13121)
+++ tor/trunk/src/or/connection_or.c	2008-01-13 00:20:47 UTC (rev 13122)
@@ -584,14 +584,18 @@
 connection_or_tls_renegotiated_cb(tor_tls_t *tls, void *_conn)
 {
   or_connection_t *conn = _conn;
-  char id_digest[DIGEST_LEN];
+  (void)tls;
 
-  if (connection_or_check_valid_tls_handshake(conn,
-                                              !tor_tls_is_server(tls),
-                                              id_digest) < 0)
-    return;
+  if (connection_tls_finish_handshake(conn) < 0) {
+    /* XXXX020 double-check that it's ok to do this from inside read. */
+    connection_mark_for_close(TO_CONN(conn));
+  }
+
+#if 0
+  /* XXXX020 this happens later, right? */
   connection_or_init_conn_from_address(conn, conn->_base.addr,
                                        conn->_base.port, id_digest, 0);
+#endif
 }
 
 /** Move forward with the tls handshake. If it finishes, hand
@@ -605,10 +609,12 @@
   int result;
   check_no_tls_errors();
  again:
-  if (conn->_base.state == OR_CONN_STATE_TLS_RENEGOTIATING)
+  if (conn->_base.state == OR_CONN_STATE_TLS_CLIENT_RENEGOTIATING)
     result = tor_tls_renegotiate(conn->tls);
-  else
+  else {
+    tor_assert(conn->_base.state == OR_CONN_STATE_TLS_HANDSHAKING);
     result = tor_tls_handshake(conn->tls);
+  }
   switch (result) {
     CASE_TOR_TLS_ERROR_ANY:
     log_info(LD_OR,"tls error [%s]. breaking connection.",
@@ -618,7 +624,7 @@
       if (! tor_tls_used_v1_handshake(conn->tls)) {
         if (!tor_tls_is_server(conn->tls)) {
           if (conn->_base.state == OR_CONN_STATE_TLS_HANDSHAKING) {
-            conn->_base.state = OR_CONN_STATE_TLS_RENEGOTIATING;
+            conn->_base.state = OR_CONN_STATE_TLS_CLIENT_RENEGOTIATING;
             goto again;
           }
         } else {
@@ -626,6 +632,10 @@
           tor_tls_set_renegotiate_callback(conn->tls,
                                            connection_or_tls_renegotiated_cb,
                                            conn);
+          conn->_base.state = OR_CONN_STATE_TLS_SERVER_RENEGOTIATING;
+          connection_stop_writing(TO_CONN(conn));
+          connection_start_reading(TO_CONN(conn));
+          return 0;
         }
       }
       return connection_tls_finish_handshake(conn);
@@ -829,22 +839,18 @@
 
   directory_set_dirty();
 
+  if (connection_or_check_valid_tls_handshake(conn, started_here,
+                                              digest_rcvd) < 0)
+    return -1;
+
   if (tor_tls_used_v1_handshake(conn->tls)) {
     conn->link_proto = 1;
-    if (connection_or_check_valid_tls_handshake(conn, started_here,
-                                                digest_rcvd) < 0)
-      return -1;
     if (!started_here) {
       connection_or_init_conn_from_address(conn,conn->_base.addr,
                                            conn->_base.port, digest_rcvd, 0);
     }
     return connection_or_set_state_open(conn);
   } else {
-    if (started_here) {
-      if (connection_or_check_valid_tls_handshake(conn, started_here,
-                                                  digest_rcvd) < 0)
-        return -1;
-    }
     conn->_base.state = OR_CONN_STATE_OR_HANDSHAKING;
     if (connection_init_or_handshake_state(conn, started_here) < 0)
       return -1;
@@ -859,21 +865,6 @@
   or_handshake_state_t *s;
   s = conn->handshake_state = tor_malloc_zero(sizeof(or_handshake_state_t));
   s->started_here = started_here ? 1 : 0;
-  if (tor_tls_get_random_values(conn->tls,
-                                conn->handshake_state->client_random,
-                                conn->handshake_state->server_random) < 0)
-    return -1;
-  if (started_here) {
-    if (tor_tls_get_cert_digests(conn->tls,
-                                 s->client_cert_digest,
-                                 s->server_cert_digest)<0)
-      return -1;
-  } else {
-    if (tor_tls_get_cert_digests(conn->tls,
-                                 s->server_cert_digest,
-                                 s->client_cert_digest)<0)
-      return -1;
-  }
   return 0;
 }
 
@@ -882,10 +873,6 @@
 or_handshake_state_free(or_handshake_state_t *state)
 {
   tor_assert(state);
-  if (state->signing_key)
-    crypto_free_pk_env(state->signing_key);
-  if (state->identity_key)
-    crypto_free_pk_env(state->identity_key);
   memset(state, 0xBE, sizeof(or_handshake_state_t));
   tor_free(state);
 }
@@ -1036,21 +1023,35 @@
   return 0;
 }
 
+/**DOCDOC*/
+static const uint16_t or_protocol_versions[] = { 1, 2 };
+static const int n_or_protocol_versions =
+  sizeof(or_protocol_versions)/sizeof(uint16_t);
+
+/**DOCDOC*/
+int
+is_or_protocol_version_known(uint16_t v)
+{
+  int i;
+  for (i = 0; i < n_or_protocol_versions; ++i) {
+    if (or_protocol_versions[i] == v)
+      return 1;
+  }
+  return 0;
+}
+
 /** DOCDOC */
 static int
 connection_or_send_versions(or_connection_t *conn)
 {
   var_cell_t *cell;
-  uint16_t versions[] = { 1, 2 };
-  int n_versions = sizeof(versions) / sizeof(uint8_t);
   int i;
   tor_assert(conn->handshake_state &&
              !conn->handshake_state->sent_versions_at);
-  /*XXXX020 docdoc 2-byte versions */
-  cell = var_cell_new(n_versions * 2);
+  cell = var_cell_new(n_or_protocol_versions * 2);
   cell->command = CELL_VERSIONS;
-  for (i = 0; i < n_versions; ++i) {
-    uint16_t v = versions[i];
+  for (i = 0; i < n_or_protocol_versions; ++i) {
+    uint16_t v = or_protocol_versions[i];
     set_uint16(cell->payload+(2*i), htons(v));
   }
 
@@ -1093,115 +1094,3 @@
   return 0;
 }
 
-#if 0
-#define LINK_AUTH_STRING "Tor initiator certificate verification"
-/** DOCDOC */
-int
-connection_or_compute_link_auth_hmac(or_connection_t *conn,
-                                     char *hmac_out)
-{
-  char buf[64 + 2*TOR_TLS_RANDOM_LEN + 2*DIGEST_LEN];
-  char *cp;
-  or_handshake_state_t *s;
-  tor_assert(conn);
-  tor_assert(conn->handshake_state);
-  tor_assert(conn->tls);
-  s = conn->handshake_state;
-
-  /* Fill the buffer. */
-  strlcpy(buf, LINK_AUTH_STRING, sizeof(buf));
-  cp = buf+strlen(buf);
-  ++cp; /* Skip the NUL */
-  memcpy(cp, s->client_random, TOR_TLS_RANDOM_LEN);
-  cp += TOR_TLS_RANDOM_LEN;
-  memcpy(cp, s->server_random, TOR_TLS_RANDOM_LEN);
-  cp += TOR_TLS_RANDOM_LEN;
-  memcpy(cp, s->client_cert_digest, DIGEST_LEN);
-  cp += DIGEST_LEN;
-  memcpy(cp, s->server_cert_digest, DIGEST_LEN);
-  cp += DIGEST_LEN;
-  tor_assert(cp < buf+sizeof(buf));
-
-  if (tor_tls_hmac_with_master_secret(conn->tls, hmac_out, buf, cp-buf) < 0)
-    return -1;
-  return 0;
-}
-
-/**DOCDOC*/
-int
-connection_or_send_cert(or_connection_t *conn)
-{
-  size_t conn_cert_len = 0, id_cert_len = 0, total_len = 0;
-  char *id_cert = NULL, *conn_cert = NULL;
-  var_cell_t *cell;
-  char *cp;
-
-  /* If we're a client, we can send no cert at all. XXXXX020 */
-  /* DOCDOC length of cert before cert. */
-  tor_assert(conn);
-  tor_assert(conn->handshake_state);
-  tor_assert(conn->handshake_state->received_versions == 1);
-  if (conn->handshake_state->started_here)
-    conn_cert = tor_tls_encode_my_certificate(conn->tls, &conn_cert_len, 1);
-  id_cert = tor_tls_encode_my_certificate(conn->tls, &id_cert_len, 0);
-  tor_assert(id_cert);
-  total_len = id_cert_len + conn_cert_len + conn_cert ? 4 : 2;
-
-  cell = var_cell_new(total_len);
-  cell->command = CELL_VERSIONS;
-  cp = cell->payload;
-  if (conn_cert) {
-    set_uint16(cp, htons(conn_cert_len));
-    cp += 2;
-    memcpy(cp, conn_cert, conn_cert_len);
-    cp += conn_cert_len;
-  }
-  set_uint16(cp, htons(id_cert_len));
-  cp += 2;
-  memcpy(cp, id_cert, id_cert_len);
-  cp += id_cert_len;
-  tor_assert(cp == cell->payload + total_len);
-
-  connection_or_write_var_cell_to_buf(cell, conn);
-
-  tor_free(conn_cert);
-  tor_free(id_cert);
-  var_cell_free(cell);
-  return 0;
-}
-
-/**DOCDOC*/
-int
-connection_or_send_link_auth(or_connection_t *conn)
-{
-  cell_t cell;
-  char hmac[DIGEST_LEN];
-  crypto_pk_env_t *key;
-  int r, len;
-
-  tor_assert(conn);
-  tor_assert(conn->tls);
-  tor_assert(conn->handshake_state);
-  tor_assert(conn->handshake_state->started_here == 1);
-  tor_assert(conn->handshake_state->received_certs == 1);
-
-  memset(&cell, 0, sizeof(cell));
-  cell.command = CELL_LINK_AUTH;
-  key = tor_tls_dup_private_key(conn->tls);
-  connection_or_compute_link_auth_hmac(conn, hmac);
-
-  cell.payload[2] = 0x00; /* Signature version */
-  r = crypto_pk_private_sign(key, cell.payload+3, hmac, sizeof(hmac));
-  crypto_free_pk_env(key);
-  if (r<0)
-    return -1;
-  len = r + 1;
-
-  set_uint16(cell.payload, htons(len));
-
-  connection_or_write_cell_to_buf(&cell, conn);
-
-  return 0;
-}
-#endif
-

Modified: tor/trunk/src/or/or.h
===================================================================
--- tor/trunk/src/or/or.h	2008-01-13 00:20:44 UTC (rev 13121)
+++ tor/trunk/src/or/or.h	2008-01-13 00:20:47 UTC (rev 13122)
@@ -248,14 +248,16 @@
 /** State for a connection to an OR: SSL is handshaking, not done yet. */
 #define OR_CONN_STATE_TLS_HANDSHAKING 4
 /** DOCDOC */
-#define OR_CONN_STATE_TLS_RENEGOTIATING 5
+#define OR_CONN_STATE_TLS_CLIENT_RENEGOTIATING 5
+/** DOCDOC */
+#define OR_CONN_STATE_TLS_SERVER_RENEGOTIATING 6
 /** State for a connection to an OR: We're done with our SSL handshake, but we
  * haven't yet negotiated link protocol versions and finished authenticating.
  */
-#define OR_CONN_STATE_OR_HANDSHAKING 6
+#define OR_CONN_STATE_OR_HANDSHAKING 7
 /** State for a connection to an OR: Ready to send/receive cells. */
-#define OR_CONN_STATE_OPEN 7
-#define _OR_CONN_STATE_MAX 7
+#define OR_CONN_STATE_OPEN 8
+#define _OR_CONN_STATE_MAX 8
 
 #define _EXIT_CONN_STATE_MIN 1
 /** State for an exit connection: waiting for response from dns farm. */
@@ -669,16 +671,8 @@
 #define CELL_CREATED_FAST 6
 #define CELL_VERSIONS 7
 #define CELL_NETINFO 8
-#if 0
-#define CELL_CERT 9
-#define CELL_LINK_AUTH 10
-#endif
-#define CELL_RELAY_EARLY 11 /*DOCDOC*/
+#define CELL_RELAY_EARLY 9
 
-#if 0
-#define CELL_COMMAND_IS_VAR_LENGTH(x) \
-  ((x) == CELL_CERT || (x) == CELL_VERSIONS)
-#endif
 #define CELL_COMMAND_IS_VAR_LENGTH(x) ((x) == CELL_VERSIONS)
 
 /** How long to test reachability before complaining to the user. */
@@ -823,7 +817,7 @@
                          * connections.  Set once we've set the stream end,
                          * and check in connection_about_to_close_connection().
                          */
-  /** Edge connections only: true if we've blocked writing until the
+  /** Edge connections only: true if we've blocked reading until the
    * circuit has fewer queued cells. */
   unsigned int edge_blocked_on_circ:1;
   /** Used for OR conns that shouldn't get any new circs attached to them. */
@@ -895,24 +889,11 @@
   unsigned int started_here : 1;
   unsigned int received_versions : 1;
   unsigned int received_netinfo : 1;
-  unsigned int received_certs : 1;
-  unsigned int authenticated : 1;
 
-  /* from tls */
-  char client_random[TOR_TLS_RANDOM_LEN];
-  char server_random[TOR_TLS_RANDOM_LEN];
-  char client_cert_digest[DIGEST_LEN]; /* may also be set by netinfo */
-  char server_cert_digest[DIGEST_LEN];
-
   /* from netinfo */
   long apparent_skew;
   uint32_t my_apparent_addr;
   unsigned int apparently_canonical;
-
-  /* from certs */
-  char cert_id_digest[DIGEST_LEN];
-  crypto_pk_env_t *signing_key;
-  crypto_pk_env_t *identity_key;
 } or_handshake_state_t;
 
 /** Subtype of connection_t for an "OR connection" -- that is, one that speaks
@@ -2873,6 +2854,7 @@
 int connection_or_send_link_auth(or_connection_t *conn);
 int connection_or_compute_link_auth_hmac(or_connection_t *conn,
                                          char *hmac_out);
+int is_or_protocol_version_known(uint16_t version);
 
 void cell_pack(packed_cell_t *dest, const cell_t *src);
 void var_cell_pack_header(const var_cell_t *cell, char *hdr_out);