Inicio Explorar Ayuda
Iniciar sesión
sengler
/
tor-parallel-relay-conn
1
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Explorar el Código

Implement destaddr-based isolation

The new candidate rule, which arma suggested and I like, is that
the original address as received from the client connection or as
rewritten by the controller is the address that counts.
Nick Mathewson hace 14 años
padre
aef30547dc
commit
424063e3b2
Se han modificado 4 ficheros con 40 adiciones y 12 borrados
Dividir vista Mostrar estadísticas de diff
  1. 1 1
      src/or/connection.c
  2. 35 10
      src/or/connection_edge.c
  3. 1 0
      src/or/dnsserv.c
  4. 3 1
      src/or/or.h

+ 1 - 1
src/or/connection.c
Ver fichero 

@@ -467,9 +467,9 @@ _connection_free(connection_t *conn)
 
   if (CONN_IS_EDGE(conn)) {
 
     edge_connection_t *edge_conn = TO_EDGE_CONN(conn);
 
     tor_free(edge_conn->chosen_exit_name);
 
+    tor_free(edge_conn->original_dest_address);
 
     if (edge_conn->socks_request)
 
       socks_request_free(edge_conn->socks_request);
 
-
 
     rend_data_free(edge_conn->rend_data);
 
   }
 
   if (conn->type == CONN_TYPE_CONTROL) {

+ 35 - 10
src/or/connection_edge.c
Ver fichero 

@@ -1671,6 +1671,9 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
 
             safe_str_client(socks->address),
 
             socks->port);
 
 
+  if (! conn->original_dest_address)
 
+    conn->original_dest_address = tor_strdup(conn->socks_request->address);
 
+
 
   if (socks->command == SOCKS_COMMAND_RESOLVE &&
 
       !tor_inet_aton(socks->address, &addr_tmp) &&
 
       options->AutomapHostsOnResolve && options->AutomapHostsSuffixes) {
 
@@ -2512,6 +2515,7 @@ connection_ap_make_link(connection_t *partner,
 
   conn->socks_request->has_finished = 0; /* waiting for 'connected' */
 
   strlcpy(conn->socks_request->address, address,
 
           sizeof(conn->socks_request->address));
 
+  conn->original_dest_address = tor_strdup(address);
 
   conn->socks_request->port = port;
 
   conn->socks_request->command = SOCKS_COMMAND_CONNECT;
 
   conn->want_onehop = want_onehop;
 
@@ -3274,12 +3278,23 @@ connection_edge_streams_are_compatible(const edge_connection_t *a,
 
 {
 
   const uint8_t iso = a->isolation_flags | b->isolation_flags;
 
 
+  if (! a->original_dest_address) {
 
+    log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without "
 
+             "having set a->original_dest_address");
 
+    ((edge_connection_t*)a)->original_dest_address =
 
+      tor_strdup(a->socks_request->address);
 
+  }
 
+  if (! b->original_dest_address) {
 
+    log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without "
 
+             "having set b->original_dest_address");
 
+    ((edge_connection_t*)b)->original_dest_address =
 
+      tor_strdup(a->socks_request->address);
 
+  }
 
+
 
   if ((iso & ISO_DESTPORT) && a->socks_request->port != b->socks_request->port)
 
     return 0;
 
-  /* XXXX023 Not quite right: we care about addresses that resolve to the same
 
-     place */
 
   if ((iso & ISO_DESTADDR) &&
 
-      strcasecmp(a->socks_request->address, b->socks_request->address))
 
+      strcasecmp(a->original_dest_address, b->original_dest_address))
 
     return 0;
 
   /* XXXX023 Waititing for ticket #1666 */
 
   /*
 
@@ -3328,12 +3343,17 @@ connection_edge_compatible_with_circuit(const edge_connection_t *conn,
 
     return 0;
 
   }
 
 
+  if (! conn->original_dest_address) {
 
+    log_warn(LD_BUG, "Reached connection_edge_compatible_with_circuit without "
 
+             "having set conn->original_dest_address");
 
+    ((edge_connection_t*)conn)->original_dest_address =
 
+      tor_strdup(conn->socks_request->address);
 
+  }
 
+
 
   if ((iso & ISO_DESTPORT) && conn->socks_request->port != circ->dest_port)
 
     return 0;
 
-  /* XXXX023 Not quite right: we care about addresses that resolve to the same
 
-     place */
 
   if ((iso & ISO_DESTADDR) &&
 
-      strcasecmp(conn->socks_request->address, circ->dest_address))
 
+      strcasecmp(conn->original_dest_address, circ->dest_address))
 
     return 0;
 
   /* XXXX023 Waititing for ticket #1666 */
 
   /*
 
@@ -3369,11 +3389,18 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn,
 
                                          origin_circuit_t *circ,
 
                                          int dry_run)
 
 {
 
+  if (! conn->original_dest_address) {
 
+    log_warn(LD_BUG, "Reached connection_update_circuit_isolation without "
 
+             "having set conn->original_dest_address");
 
+    ((edge_connection_t*)conn)->original_dest_address =
 
+      tor_strdup(conn->socks_request->address);
 
+  }
 
+
 
   if (!circ->isolation_values_set) {
 
     if (dry_run)
 
       return -1;
 
     circ->dest_port = conn->socks_request->port;
 
-    circ->dest_address = tor_strdup(conn->socks_request->address);
 
+    circ->dest_address = tor_strdup(conn->original_dest_address);
 
     circ->client_proto_type = TO_CONN(conn)->type;
 
     circ->client_proto_socksver = conn->socks_request->socks_version;
 
     tor_addr_copy(&circ->client_addr, &TO_CONN(conn)->addr);
 
@@ -3387,9 +3414,7 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn,
 
     uint8_t mixed = 0;
 
     if (conn->socks_request->port != circ->dest_port)
 
       mixed |= ISO_DESTPORT;
 
-    /* XXXX023 Not quite right: we care about addresses that resolve to the
 
-       same place */
 
-    if (strcasecmp(conn->socks_request->address, circ->dest_address))
 
+    if (strcasecmp(conn->original_dest_address, circ->dest_address))
 
       mixed |= ISO_DESTADDR;
 
     /* XXXX023 auth too, once #1666 is in. */
 
     if ((TO_CONN(conn)->type != circ->client_proto_type ||

+ 1 - 0
src/or/dnsserv.c
Ver fichero 

@@ -184,6 +184,7 @@ dnsserv_launch_request(const char *name, int reverse)
 
 
   strlcpy(conn->socks_request->address, name,
 
           sizeof(conn->socks_request->address));
 
+  conn->original_dest_address = tor_strdup(name);
 
 
   if (connection_add(TO_CONN(conn))<0) {
 
     log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");

+ 3 - 1
src/or/or.h
Ver fichero 

@@ -1214,10 +1214,12 @@ typedef struct edge_connection_t {
 
   int session_group;
 
   /** AP only: The newnym epoch in which we created this connection. */
 
   unsigned nym_epoch;
 
+  /** AP only: The original requested address before we rewrote it. */
 
+  char *original_dest_address;
 
   /* Other fields to isolate on already exist.  The ClientAddr is addr.  The
 
      ClientProtocol is a combination of type and socks_request->
 
      socks_version.  SocksAuth will be added to socks_request by ticket
 
-     #1666. DestAddr and DestPort are in socks_request->address. */
 
+     #1666. DestAddr is in socks_request->address. */
 
 
   /** Number of times we've reassigned this application connection to
 
    * a new circuit. We keep track because the timeout is longer if we've