nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-11 13:43:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ticket40042_squashed'

Browse Source
This commit is contained in:
Nick Mathewson 2020-07-17 11:44:27 -04:00
commit 2225c3c369
14 changed files with 128 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
changes/ticket33898 Normal file
View File

@ -0,0 +1,7 @@
o Minor features (relay address tracking):
- We store relay addresses for OR connections in a more logical way.
Previously we would sometimes overwrite the actual address of a
connection with a "canonical address", and then store the "real
address" elsewhere to remember it. We now track the "canonical address"
elsewhere for the cases where we need it, and leave the connection's
address alone. Closes ticket 33898.

32
src/core/mainloop/connection.c
View File

@ -434,14 +434,6 @@ connection_describe_peer_internal(const connection_t *conn,
} else if (conn->type == CONN_TYPE_OR) {
/* For OR connections, we have a lot to do. */
const or_connection_t *or_conn = CONST_TO_OR_CONN(conn);
/* we report 'real_addr' as the address we're talking with, if it's set.
*
* TODO: Eventually we should have 'addr' always mean the address on the
* internet, and have a separate 'canonical_addr' field.
*/
if (!tor_addr_is_null(&or_conn->real_addr)) {
addr = &or_conn->real_addr;
}
/* We report the IDs we're talking to... */
if (fast_digest_is_zero(or_conn->identity_digest)) {
// This could be a client, so scrub it. No identity to report.
@ -453,13 +445,17 @@ connection_describe_peer_internal(const connection_t *conn,
tor_snprintf(extra_buf, sizeof(extra_buf),
" ID=%s", id_buf);
}
if (! tor_addr_eq(addr, &conn->addr) && !scrub) {
if (! scrub && (! tor_addr_eq(addr, &or_conn->canonical_orport.addr) ||
conn->port != or_conn->canonical_orport.port)) {
/* We report canonical address, if it's different */
char canonical_addr_buf[TOR_ADDR_BUF_LEN];
if (tor_addr_to_str(canonical_addr_buf, &conn->addr,
if (tor_addr_to_str(canonical_addr_buf, &or_conn->canonical_orport.addr,
sizeof(canonical_addr_buf), 1)) {
strlcat(extra_buf, " canonical_addr=", sizeof(extra_buf));
strlcat(extra_buf, canonical_addr_buf, sizeof(extra_buf));
tor_snprintf(extra_buf+strlen(extra_buf),
sizeof(extra_buf)-strlen(extra_buf),
" canonical_addr=%s:%"PRIu16,
canonical_addr_buf,
or_conn->canonical_orport.port);
}
}
} else if (conn->type == CONN_TYPE_EXIT) {
@ -570,6 +566,7 @@ or_connection_new(int type, int socket_family)
tor_assert(type == CONN_TYPE_OR || type == CONN_TYPE_EXT_OR);
connection_init(now, TO_CONN(or_conn), type, socket_family);
tor_addr_make_unspec(&or_conn->canonical_orport.addr);
connection_or_set_canonical(or_conn, 0);
if (type == CONN_TYPE_EXT_OR)
@ -2252,16 +2249,7 @@ connection_connect_log_client_use_ip_version(const connection_t *conn)
? fascist_firewall_prefer_ipv6_orport(options)
: fascist_firewall_prefer_ipv6_dirport(options));
tor_addr_t real_addr;
tor_addr_make_null(&real_addr, AF_UNSPEC);
/* OR conns keep the original address in real_addr, as addr gets overwritten
* with the descriptor address */
if (conn->type == CONN_TYPE_OR) {
const or_connection_t *or_conn = CONST_TO_OR_CONN(conn);
tor_addr_copy(&real_addr, &or_conn->real_addr);
} else if (conn->type == CONN_TYPE_DIR) {
tor_addr_copy(&real_addr, &conn->addr);
}
tor_addr_copy(&real_addr, &conn->addr);
/* Check if we broke a mandatory address family restriction */
if ((must_ipv4 && tor_addr_family(&real_addr) == AF_INET6)

3
src/core/or/channel.c
View File

@ -3255,6 +3255,9 @@ channel_when_last_xmit(channel_t *chan)
*
* This function calls the lower layer and asks if this channel matches a
* given extend_info_t.
*
* NOTE that this function only checks for an address/port match, and should
* be used only when no identity is available.
*/
int
channel_matches_extend_info(channel_t *chan, extend_info_t *extend_info)

33
src/core/or/channeltls.c
View File

@ -548,14 +548,8 @@ channel_tls_get_remote_addr_method(const channel_t *chan,
return 0;
}
if (! tor_addr_is_null(&tlschan->conn->real_addr)) {
/* They want the real address, and real_addr is set. */
tor_addr_copy(addr_out, &(tlschan->conn->real_addr));
} else {
/* We'll have to give them the nominal address, which hopefully has
* not been overwritten yet. */
tor_addr_copy(addr_out, &TO_CONN(tlschan->conn)->addr);
}
/* They want the real address, so give it to them. */
tor_addr_copy(addr_out, &TO_CONN(tlschan->conn)->addr);
return 1;
}
@ -673,6 +667,9 @@ channel_tls_is_canonical_method(channel_t *chan, int req)
*
* This implements the matches_extend_info method for channel_tls_t; the upper
* layer wants to know if this channel matches an extend_info_t.
*
* NOTE that this function only checks for an address/port match, and should
* be used only when no identify is available.
*/
static int
channel_tls_matches_extend_info_method(channel_t *chan,
@ -692,6 +689,16 @@ channel_tls_matches_extend_info_method(channel_t *chan,
return 0;
}
const tor_addr_port_t *orport = &tlschan->conn->canonical_orport;
// If the canonical address is set, then we'll allow matches based on that.
if (! tor_addr_is_unspec(&orport->addr)) {
if (extend_info_has_orport(extend_info, &orport->addr, orport->port)) {
return 1;
}
}
// We also want to match if the true address and port are listed in the
// extend info.
return extend_info_has_orport(extend_info,
&TO_CONN(tlschan->conn)->addr,
TO_CONN(tlschan->conn)->port);
@ -722,8 +729,8 @@ channel_tls_matches_target_method(channel_t *chan,
return 0;
}
/* real_addr is the address this connection came from.
* base_.addr is updated by connection_or_init_conn_from_address()
/* addr is the address this connection came from.
* canonical_orport is updated by connection_or_init_conn_from_address()
* to be the address in the descriptor. It may be tempting to
* allow either address to be allowed, but if we did so, it would
* enable someone who steals a relay's keys to covertly impersonate/MITM it
@ -734,7 +741,7 @@ channel_tls_matches_target_method(channel_t *chan,
* An adversary who has stolen a relay's keys could also post a fake relay
* descriptor, but that attack is easier to detect.
*/
return tor_addr_eq(&(tlschan->conn->real_addr), target);
return tor_addr_eq(&TO_CONN(tlschan->conn)->addr, target);
}
/**
@ -1883,7 +1890,7 @@ channel_tls_process_netinfo_cell(cell_t *cell, channel_tls_t *chan)
* might be doing something funny, but nobody else is doing a MITM
* on the relay's TCP.
*/
if (tor_addr_eq(&addr, &(chan->conn->real_addr))) {
if (tor_addr_eq(&addr, &TO_CONN(chan->conn)->addr)) {
connection_or_set_canonical(chan->conn, 1);
break;
}
@ -1921,7 +1928,7 @@ channel_tls_process_netinfo_cell(cell_t *cell, channel_tls_t *chan)
* we were unable to resolve it previously. The endpoint address is passed
* in order to make sure to never consider an address that is the same as
* our endpoint. */
relay_address_new_suggestion(&my_apparent_addr, &chan->conn->real_addr,
relay_address_new_suggestion(&my_apparent_addr, &TO_CONN(chan->conn)->addr,
identity_digest);
if (! chan->conn->handshake_state->sent_netinfo) {

67
src/core/or/connection_or.c
View File

@ -893,7 +893,9 @@ connection_or_init_conn_from_address(or_connection_t *conn,
conn->base_.port = port;
tor_addr_copy(&conn->base_.addr, addr);
tor_addr_copy(&conn->real_addr, addr);
if (! conn->base_.address) {
conn->base_.address = tor_strdup(fmt_addr(addr));
}
connection_or_check_canonicity(conn, started_here);
}
@ -905,9 +907,10 @@ connection_or_init_conn_from_address(or_connection_t *conn,
static void
connection_or_check_canonicity(or_connection_t *conn, int started_here)
{
(void) started_here;
const char *id_digest = conn->identity_digest;
const ed25519_public_key_t *ed_id = NULL;
const tor_addr_t *addr = &conn->real_addr;
if (conn->chan)
ed_id = & TLS_CHAN_TO_BASE(conn->chan)->ed25519_identity;
@ -936,34 +939,17 @@ connection_or_check_canonicity(or_connection_t *conn, int started_here)
} else {
node_ap = &node_ipv6_ap;
}
if (!started_here) {
/* Override the addr/port, so our log messages will make sense.
* This is dangerous, since if we ever try looking up a conn by
* its actual addr/port, we won't remember. Careful! */
/* XXXX arma: this is stupid, and it's the reason we need real_addr
* to track is_canonical properly. What requires it? */
/* XXXX <arma> i believe the reason we did this, originally, is because
* we wanted to log what OR a connection was to, and if we logged the
* right IP address and port 56244, that wouldn't be as helpful. now we
* log the "right" port too, so we know if it's moria1 or moria2.
*/
/* See #33898 for a ticket that resolves this technical debt. */
tor_addr_copy(&conn->base_.addr, &node_ap->addr);
conn->base_.port = node_ap->port;
}
/* Remember the canonical addr/port so our log messages will make
sense. */
tor_addr_port_copy(&conn->canonical_orport, node_ap);
tor_free(conn->nickname);
conn->nickname = tor_strdup(node_get_nickname(r));
tor_free(conn->base_.address);
conn->base_.address = tor_addr_to_str_dup(&node_ap->addr);
} else {
tor_free(conn->nickname);
conn->nickname = tor_malloc(HEX_DIGEST_LEN+2);
conn->nickname[0] = '$';
base16_encode(conn->nickname+1, HEX_DIGEST_LEN+1,
conn->identity_digest, DIGEST_LEN);
tor_free(conn->base_.address);
conn->base_.address = tor_addr_to_str_dup(addr);
}
/*
@ -1144,8 +1130,8 @@ connection_or_group_set_badness_(smartlist_t *group, int force)
(int)(now - or_conn->base_.timestamp_created),
best->base_.s, (int)(now - best->base_.timestamp_created));
connection_or_mark_bad_for_new_circs(or_conn);
} else if (!tor_addr_compare(&or_conn->real_addr,
&best->real_addr, CMP_EXACT)) {
} else if (tor_addr_eq(&TO_CONN(or_conn)->addr,
&TO_CONN(best)->addr)) {
log_info(LD_OR,
"Marking %s unsuitable for new circuits: "
"(fd "TOR_SOCKET_T_FORMAT", %d secs old). We have a better "
@ -1275,7 +1261,7 @@ static or_connect_failure_entry_t *
or_connect_failure_new(const or_connection_t *or_conn)
{
or_connect_failure_entry_t *ocf = tor_malloc_zero(sizeof(*ocf));
or_connect_failure_init(or_conn->identity_digest, &or_conn->real_addr,
or_connect_failure_init(or_conn->identity_digest, &TO_CONN(or_conn)->addr,
TO_CONN(or_conn)->port, ocf);
return ocf;
}
@ -1653,8 +1639,8 @@ connection_tls_start_handshake,(or_connection_t *conn, int receiving))
log_warn(LD_BUG,"tor_tls_new failed. Closing.");
return -1;
}
tor_tls_set_logged_address(conn->tls, // XXX client and relay?
escaped_safe_str(conn->base_.address));
tor_tls_set_logged_address(conn->tls,
connection_describe_peer(TO_CONN(conn)));
connection_start_reading(TO_CONN(conn));
log_debug(LD_HANDSHAKE,"starting TLS handshake on fd "TOR_SOCKET_T_FORMAT,
@ -1801,18 +1787,15 @@ connection_or_check_valid_tls_handshake(or_connection_t *conn,
crypto_pk_t *identity_rcvd=NULL;
const or_options_t *options = get_options();
int severity = server_mode(options) ? LOG_PROTOCOL_WARN : LOG_WARN;
const char *safe_address =
started_here ? conn->base_.address :
safe_str_client(conn->base_.address);
const char *conn_type = started_here ? "outgoing" : "incoming";
int has_cert = 0;
check_no_tls_errors();
has_cert = tor_tls_peer_has_cert(conn->tls);
if (started_here && !has_cert) {
log_info(LD_HANDSHAKE,"Tried connecting to router at %s:%d, but it didn't "
log_info(LD_HANDSHAKE,"Tried connecting to router at %s, but it didn't "
"send a cert! Closing.",
safe_address, conn->base_.port);
connection_describe_peer(TO_CONN(conn)));
return -1;
} else if (!has_cert) {
log_debug(LD_HANDSHAKE,"Got incoming connection with no certificate. "
@ -1824,9 +1807,9 @@ connection_or_check_valid_tls_handshake(or_connection_t *conn,
int v = tor_tls_verify(started_here?severity:LOG_INFO,
conn->tls, &identity_rcvd);
if (started_here && v<0) {
log_fn(severity,LD_HANDSHAKE,"Tried connecting to router at %s:%d: It"
log_fn(severity,LD_HANDSHAKE,"Tried connecting to router at %s: It"
" has a cert but it's invalid. Closing.",
safe_address, conn->base_.port);
connection_describe_peer(TO_CONN(conn)));
return -1;
} else if (v<0) {
log_info(LD_HANDSHAKE,"Incoming connection gave us an invalid cert "
@ -1834,7 +1817,8 @@ connection_or_check_valid_tls_handshake(or_connection_t *conn,
} else {
log_debug(LD_HANDSHAKE,
"The certificate seems to be valid on %s connection "
"with %s:%d", conn_type, safe_address, conn->base_.port);
"with %s", conn_type,
connection_describe_peer(TO_CONN(conn)));
}
check_no_tls_errors();
}
@ -2027,9 +2011,14 @@ connection_or_client_learned_peer_id(or_connection_t *conn,
/* If we learned an identity for this connection, then we might have
* just discovered it to be canonical. */
connection_or_check_canonicity(conn, conn->handshake_state->started_here);
if (conn->tls)
tor_tls_set_logged_address(conn->tls,
connection_describe_peer(TO_CONN(conn)));
}
if (authdir_mode_tests_reachability(options)) {
// We don't want to use canonical_orport here -- we want the address
// that we really used.
dirserv_orconn_tls_done(&conn->base_.addr, conn->base_.port,
(const char*)rsa_peer_id, ed_peer_id);
}
@ -2507,11 +2496,9 @@ connection_or_send_netinfo,(or_connection_t *conn))
netinfo_cell_set_timestamp(netinfo_cell, (uint32_t)now);
/* Their address. */
const tor_addr_t *remote_tor_addr =
!tor_addr_is_null(&conn->real_addr) ? &conn->real_addr : &conn->base_.addr;
/* We use &conn->real_addr below, unless it hasn't yet been set. If it
* hasn't yet been set, we know that base_.addr hasn't been tampered with
* yet either. */
const tor_addr_t *remote_tor_addr = &TO_CONN(conn)->addr;
/* We can safely use TO_CONN(conn)->addr here, since we no longer replace
* it with a canonical address. */
netinfo_addr_t *their_addr = netinfo_addr_from_tor_addr(remote_tor_addr);
netinfo_cell_set_other_addr(netinfo_cell, their_addr);

9
src/core/or/connection_st.h
View File

@ -137,15 +137,11 @@ struct connection_t {
* any more!
*
* The misuses of this field include:
* * Setting it to the canonical address of a relay on an OR connection.
* * Setting it on linked connections, possibly.
* * Updating it based on the Forwarded-For header-- Forwarded-For is
* set by a proxy, but not a local trusted troxy.
* set by a proxy, but not a local trusted proxy.
**/
tor_addr_t addr; /**< IP that socket "s" is directly connected to;
* may be the IP address for a proxy or pluggable transport,
* see "address" for the address of the final destination.
*/
tor_addr_t addr;
uint16_t port; /**< If non-zero, port that socket "s" is directly connected
* to; may be the port for a proxy or pluggable transport,
* see "address" for the port at the final destination. */
@ -165,7 +161,6 @@ struct connection_t {
*
* * An address we're trying to resolve (as an exit).
* * A unix address we're trying to bind to (as a listener).
* * A canonical address for an OR connection.
**/
char *address;
/** Another connection that's connected to this one in lieu of a socket. */

12
src/core/or/dos.c
View File

@ -584,7 +584,7 @@ dos_geoip_entry_about_to_free(const clientmap_entry_t *geoip_ent)
SMARTLIST_FOREACH_BEGIN(get_connection_array(), connection_t *, conn) {
if (conn->type == CONN_TYPE_OR) {
or_connection_t *or_conn = TO_OR_CONN(conn);
if (!tor_addr_compare(&geoip_ent->addr, &or_conn->real_addr,
if (!tor_addr_compare(&geoip_ent->addr, &TO_CONN(or_conn)->addr,
CMP_EXACT)) {
or_conn->tracked_for_dos_mitigation = 0;
}
@ -696,12 +696,12 @@ dos_new_client_conn(or_connection_t *or_conn, const char *transport_name)
* reason to do so is because network reentry is possible where a client
* connection comes from an Exit node. Even when we'll fix reentry, this is
* a robust defense to keep in place. */
if (nodelist_probably_contains_address(&or_conn->real_addr)) {
if (nodelist_probably_contains_address(&TO_CONN(or_conn)->addr)) {
goto end;
}
/* We are only interested in client connection from the geoip cache. */
entry = geoip_lookup_client(&or_conn->real_addr, transport_name,
entry = geoip_lookup_client(&TO_CONN(or_conn)->addr, transport_name,
GEOIP_CLIENT_CONNECT);
if (BUG(entry == NULL)) {
/* Should never happen because we note down the address in the geoip
@ -712,7 +712,7 @@ dos_new_client_conn(or_connection_t *or_conn, const char *transport_name)
entry->dos_stats.concurrent_count++;
or_conn->tracked_for_dos_mitigation = 1;
log_debug(LD_DOS, "Client address %s has now %u concurrent connections.",
fmt_addr(&or_conn->real_addr),
fmt_addr(&TO_CONN(or_conn)->addr),
entry->dos_stats.concurrent_count);
end:
@ -735,7 +735,7 @@ dos_close_client_conn(const or_connection_t *or_conn)
}
/* We are only interested in client connection from the geoip cache. */
entry = geoip_lookup_client(&or_conn->real_addr, NULL,
entry = geoip_lookup_client(&TO_CONN(or_conn)->addr, NULL,
GEOIP_CLIENT_CONNECT);
if (entry == NULL) {
/* This can happen because we can close a connection before the channel
@ -753,7 +753,7 @@ dos_close_client_conn(const or_connection_t *or_conn)
entry->dos_stats.concurrent_count--;
log_debug(LD_DOS, "Client address %s has lost a connection. Concurrent "
"connections are now at %u",
fmt_addr(&or_conn->real_addr),
fmt_addr(&TO_CONN(or_conn)->addr),
entry->dos_stats.concurrent_count);
end:

17
src/core/or/or_connection_st.h
View File

@ -50,17 +50,18 @@ struct or_connection_t {
channel_tls_t *chan;
/**
* The actual address (as modified by any proxies) that this connection
* came from or went to. (See connection_t.addr for caveats.)
* The "canonical" address and port for this relay's ORPort, if this is
* a known relay.
*
* TECHNICAL DEBT:
* An ORPort is "canonical" in this sense only if it is the same ORPort
* that is listed for this identity in the consensus we have.
*
* This field shouldn't really exist. We need it because our code
* overwrites conenction_t.addr with the "canonical address" of the OR we
* are talking to, taken from the descriptor of the authenticated OR.
* That's a bad choice.
* This field may be set on outbound connections for _any_ relay, and on
* inbound connections after authentication. If we don't know the relay's
* identity, or if we don't have the relay's identity in our consensus, we
* leave this address as UNSPEC.
**/
tor_addr_t real_addr;
tor_addr_port_t canonical_orport;
/** Should this connection be used for extending circuits to the server
* matching the <b>identity_digest</b> field? Set to true if we're pretty

12
src/lib/net/address.c
View File

@ -2114,6 +2114,18 @@ tor_addr_port_eq(const tor_addr_port_t *a,
return tor_addr_eq(&a->addr, &b->addr) && a->port == b->port;
}
/**
* Copy a tor_addr_port_t from @a source to @a dest.
**/
void
tor_addr_port_copy(tor_addr_port_t *dest,
const tor_addr_port_t *source)
{
tor_assert(dest);
tor_assert(source);
memcpy(dest, source, sizeof(tor_addr_port_t));
}
/** Return true if <b>string</b> represents a valid IPv4 adddress in
* 'a.b.c.d' form.
*/

1
src/lib/net/address.h
View File

@ -394,6 +394,7 @@ get_interface_address_list(int severity, int include_internal)
tor_addr_port_t *tor_addr_port_new(const tor_addr_t *addr, uint16_t port);
int tor_addr_port_eq(const tor_addr_port_t *a,
const tor_addr_port_t *b);
void tor_addr_port_copy(tor_addr_port_t *dest, const tor_addr_port_t *source);
int string_is_valid_dest(const char *string);
int string_is_valid_nonrfc_hostname(const char *string);

4
src/test/test_channel.c
View File

@ -1554,11 +1554,11 @@ test_channel_listener(void *arg)
#define TEST_SETUP_MATCHES_ADDR(orcon, addr, src, rv) STMT_BEGIN \
rv = tor_inet_pton(addr.family, src, &addr.addr); \
tt_int_op(rv, OP_EQ, 1); \
orcon->real_addr = addr; \
orcon->base_.addr = addr; \
STMT_END;
#define TEST_MATCHES_ADDR(chan, addr4, addr6, rv, exp) STMT_BEGIN \
rv = channel_matches_target_addr_for_extend(chan, addr4, addr6); \
rv = channel_matches_target_addr_for_extend(chan, addr4, addr6); \
tt_int_op(rv, OP_EQ, exp); \
STMT_END;

2
src/test/test_channeltls.c
View File

@ -293,7 +293,7 @@ tlschan_connection_or_connect_mock(const tor_addr_t *addr,
result->base_.port = port;
memcpy(result->identity_digest, digest, DIGEST_LEN);
result->chan = tlschan;
memcpy(&(result->real_addr), addr, sizeof(tor_addr_t));
memcpy(&result->base_.addr, addr, sizeof(tor_addr_t));
result->tls = (tor_tls_t *)((void *)(&fake_tortls));
done:

18
src/test/test_connection.c
View File

@ -911,7 +911,8 @@ test_failed_orconn_tracker(void *arg)
/* Prepare the OR connection that will be used in this test */
or_connection_t or_conn;
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&or_conn.real_addr, "18.0.0.1"));
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&or_conn.canonical_orport.addr,
"18.0.0.1"));
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&or_conn.base_.addr, "18.0.0.1"));
or_conn.base_.port = 1;
memset(or_conn.identity_digest, 'c', sizeof(or_conn.identity_digest));
@ -1048,17 +1049,20 @@ test_conn_describe(void *arg)
tt_str_op(connection_describe(conn), OP_EQ,
"OR connection (open) with [ffff:3333:1111::2]:8080 "
"ID=0000000700000000000000000000000000000000");
// Add a 'real address' that is the same as the one we have.
tor_addr_parse(&TO_OR_CONN(conn)->real_addr, "[ffff:3333:1111::2]");
// Add a 'canonical address' that is the same as the one we have.
tor_addr_parse(&TO_OR_CONN(conn)->canonical_orport.addr,
"[ffff:3333:1111::2]");
TO_OR_CONN(conn)->canonical_orport.port = 8080;
tt_str_op(connection_describe(conn), OP_EQ,
"OR connection (open) with [ffff:3333:1111::2]:8080 "
"ID=0000000700000000000000000000000000000000");
// Add a different 'real address'
tor_addr_parse(&TO_OR_CONN(conn)->real_addr, "[ffff:3333:1111::8]");
// Add a different 'canonical address'
tor_addr_parse(&TO_OR_CONN(conn)->canonical_orport.addr,
"[ffff:3333:1111::8]");
tt_str_op(connection_describe(conn), OP_EQ,
"OR connection (open) with [ffff:3333:1111::8]:8080 "
"OR connection (open) with [ffff:3333:1111::2]:8080 "
"ID=0000000700000000000000000000000000000000 "
"canonical_addr=[ffff:3333:1111::2]");
"canonical_addr=[ffff:3333:1111::8]:8080");
// Clear identity_digest so that free_minimal won't complain.
memset(TO_OR_CONN(conn)->identity_digest, 0, DIGEST_LEN);

30
src/test/test_dos.c
View File

@ -66,9 +66,9 @@ test_dos_conn_creation(void *arg)
/* Initialize test data */
or_connection_t or_conn;
time_t now = 1281533250; /* 2010-08-11 13:27:30 UTC */
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&or_conn.real_addr,
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr,
"18.0.0.1"));
tor_addr_t *addr = &or_conn.real_addr;
tor_addr_t *addr = &TO_CONN(&or_conn)->addr;
/* Get DoS subsystem limits */
dos_init();
@ -139,9 +139,9 @@ test_dos_circuit_creation(void *arg)
/* Initialize test data */
or_connection_t or_conn;
time_t now = 1281533250; /* 2010-08-11 13:27:30 UTC */
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&or_conn.real_addr,
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr,
"18.0.0.1"));
tor_addr_t *addr = &or_conn.real_addr;
tor_addr_t *addr = &TO_CONN(&or_conn)->addr;
/* Get DoS subsystem limits */
dos_init();
@ -202,9 +202,9 @@ test_dos_bucket_refill(void *arg)
channel_init(chan);
chan->is_client = 1;
or_connection_t or_conn;
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&or_conn.real_addr,
tt_int_op(AF_INET,OP_EQ, tor_addr_parse(&TO_CONN(&or_conn)->addr,
"18.0.0.1"));
tor_addr_t *addr = &or_conn.real_addr;
tor_addr_t *addr = &TO_CONN(&or_conn)->addr;
/* Initialize DoS subsystem and get relevant limits */
dos_init();
@ -443,10 +443,10 @@ test_known_relay(void *arg)
/* Setup an OR conn so we can pass it to the DoS subsystem. */
or_connection_t or_conn;
tor_addr_parse(&or_conn.real_addr, "42.42.42.42");
tor_addr_parse(&TO_CONN(&or_conn)->addr, "42.42.42.42");
rs = tor_malloc_zero(sizeof(*rs));
tor_addr_copy(&rs->ipv4_addr, &or_conn.real_addr);
tor_addr_copy(&rs->ipv4_addr, &TO_CONN(&or_conn)->addr);
crypto_rand(rs->identity_digest, sizeof(rs->identity_digest));
smartlist_add(dummy_ns->routerstatus_list, rs);
@ -457,7 +457,8 @@ test_known_relay(void *arg)
/* We have now a node in our list so we'll make sure we don't count it as a
* client connection. */
geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &or_conn.real_addr, NULL, 0);
geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &TO_CONN(&or_conn)->addr,
NULL, 0);
/* Suppose we have 5 connections in rapid succession, the counter should
* always be 0 because we should ignore this. */
dos_new_client_conn(&or_conn, NULL);
@ -465,18 +466,21 @@ test_known_relay(void *arg)
dos_new_client_conn(&or_conn, NULL);
dos_new_client_conn(&or_conn, NULL);
dos_new_client_conn(&or_conn, NULL);
entry = geoip_lookup_client(&or_conn.real_addr, NULL, GEOIP_CLIENT_CONNECT);
entry = geoip_lookup_client(&TO_CONN(&or_conn)->addr, NULL,
GEOIP_CLIENT_CONNECT);
tt_assert(entry);
/* We should have a count of 0. */
tt_uint_op(entry->dos_stats.concurrent_count, OP_EQ, 0);
/* To make sure that his is working properly, make a unknown client
* connection and see if we do get it. */
tor_addr_parse(&or_conn.real_addr, "42.42.42.43");
geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &or_conn.real_addr, NULL, 0);
tor_addr_parse(&TO_CONN(&or_conn)->addr, "42.42.42.43");
geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &TO_CONN(&or_conn)->addr,
NULL, 0);
dos_new_client_conn(&or_conn, NULL);
dos_new_client_conn(&or_conn, NULL);
entry = geoip_lookup_client(&or_conn.real_addr, NULL, GEOIP_CLIENT_CONNECT);
entry = geoip_lookup_client(&TO_CONN(&or_conn)->addr, NULL,
GEOIP_CLIENT_CONNECT);
tt_assert(entry);
/* We should have a count of 2. */
tt_uint_op(entry->dos_stats.concurrent_count, OP_EQ, 2);