nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-27 22:03:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

let people test the RefuseUnknownExits idea

Browse Source
This commit is contained in:
Roger Dingledine 2010-03-10 22:43:23 -05:00
parent 2d29c7be2d
commit 1108358e96
5 changed files with 33 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ChangeLog
View File

@ -1,4 +1,11 @@
Changes in version 0.2.2.11-alpha - 2010-03-?? Changes in version 0.2.2.11-alpha - 2010-03-??
o Minor features:
- Experiment with a more aggressive approach to preventing clients
from making one-hop exit streams. Exit relays who want to try it
out can set "RefuseUnknownExits 1" in their torrc, and then look
for "Attempt by %s to open a stream" log messages. Let us know
how it goes!
o Minor bugfixes: o Minor bugfixes:
- When we cleaned up the contrib/tor-exit-notice.html file, we left - When we cleaned up the contrib/tor-exit-notice.html file, we left
out some key text. Fixes bug 1295. out some key text. Fixes bug 1295.

1
src/or/config.c
View File

@ -299,6 +299,7 @@ static config_var_t _option_vars[] = {
V(RecommendedClientVersions, LINELIST, NULL), V(RecommendedClientVersions, LINELIST, NULL),
V(RecommendedServerVersions, LINELIST, NULL), V(RecommendedServerVersions, LINELIST, NULL),
OBSOLETE("RedirectExit"), OBSOLETE("RedirectExit"),
V(RefuseUnknownExits, BOOL, "0"),
V(RejectPlaintextPorts, CSV, ""), V(RejectPlaintextPorts, CSV, ""),
V(RelayBandwidthBurst, MEMUNIT, "0"), V(RelayBandwidthBurst, MEMUNIT, "0"),
V(RelayBandwidthRate, MEMUNIT, "0"), V(RelayBandwidthRate, MEMUNIT, "0"),

24
src/or/connection_edge.c
View File

@ -2505,16 +2505,28 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
tor_free(address); tor_free(address);
return 0; return 0;
} }
if (or_circ && or_circ->is_first_hop && if (or_circ && or_circ->p_conn && !get_options()->AllowSingleHopExits &&
!get_options()->AllowSingleHopExits) { (or_circ->is_first_hop ||
(!connection_or_digest_is_known_relay(
or_circ->p_conn->identity_digest) &&
// XXX022 commented out so we can test it first in 0.2.2.11 -RD
// networkstatus_get_param(NULL, "refuseunknownexits", 1)))) {
get_options()->RefuseUnknownExits))) {
/* Don't let clients use us as a single-hop proxy, unless the user /* Don't let clients use us as a single-hop proxy, unless the user
* has explicitly allowed that in the config. It attracts attackers * has explicitly allowed that in the config. It attracts attackers
* and users who'd be better off with, well, single-hop proxies. * and users who'd be better off with, well, single-hop proxies.
*/ */
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, // log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
"Attempt to open a stream on first hop of circuit. Closing."); log_notice(LD_PROTOCOL,
"Attempt by %s to open a stream %s. Closing.",
safe_str(or_circ->p_conn->_base.address),
or_circ->is_first_hop ? "on first hop of circuit" :
"from unknown relay");
relay_send_end_cell_from_edge(rh.stream_id, circ, relay_send_end_cell_from_edge(rh.stream_id, circ,
END_STREAM_REASON_TORPROTOCOL, NULL); or_circ->is_first_hop ?
END_STREAM_REASON_TORPROTOCOL :
END_STREAM_REASON_MISC,
NULL);
tor_free(address); tor_free(address);
return 0; return 0;
} }

2
src/or/connection_or.c
View File

@ -322,7 +322,7 @@ connection_or_finished_connecting(or_connection_t *or_conn)
/** Return 1 if identity digest <b>id_digest</b> is known to be a /** Return 1 if identity digest <b>id_digest</b> is known to be a
* currently or recently running relay. Otherwise return 0. */ * currently or recently running relay. Otherwise return 0. */
static int int
connection_or_digest_is_known_relay(const char *id_digest) connection_or_digest_is_known_relay(const char *id_digest)
{ {
if (router_get_consensus_status_by_id(id_digest)) if (router_get_consensus_status_by_id(id_digest))

6
src/or/or.h
View File

@ -2462,6 +2462,11 @@ typedef struct {
int ConstrainedSockets; /**< Shrink xmit and recv socket buffers. */ int ConstrainedSockets; /**< Shrink xmit and recv socket buffers. */
uint64_t ConstrainedSockSize; /**< Size of constrained buffers. */ uint64_t ConstrainedSockSize; /**< Size of constrained buffers. */
/** Whether we should drop exit streams from Tors that we don't know
* are relays. XXX022 In here for 0.2.2.11 as a temporary test before
* we switch over to putting it in consensusparams. -RD */
int RefuseUnknownExits;
/** Application ports that require all nodes in circ to have sufficient /** Application ports that require all nodes in circ to have sufficient
* uptime. */ * uptime. */
smartlist_t *LongLivedPorts; smartlist_t *LongLivedPorts;
@ -3532,6 +3537,7 @@ int connection_or_process_inbuf(or_connection_t *conn);
int connection_or_flushed_some(or_connection_t *conn); int connection_or_flushed_some(or_connection_t *conn);
int connection_or_finished_flushing(or_connection_t *conn); int connection_or_finished_flushing(or_connection_t *conn);
int connection_or_finished_connecting(or_connection_t *conn); int connection_or_finished_connecting(or_connection_t *conn);
int connection_or_digest_is_known_relay(const char *id_digest);
void connection_or_connect_failed(or_connection_t *conn, void connection_or_connect_failed(or_connection_t *conn,
int reason, const char *msg); int reason, const char *msg);