nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-24 20:33:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add proxy headers as early as possible.

Browse Source 
This patch moves the logic that adds the proxy headers to an earlier
point in the exit connection lifetime, which ensures that the
application data cannot be written to the outbuf before the proxy header
is added.

See: https://bugs.torproject.org/4700
This commit is contained in:
Alexander Færøy 2018-09-15 22:17:57 +02:00
parent 9b511dc5d6
commit 3477a73af9
3 changed files with 16 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/core/or/connection_edge.c
View File

@ -600,8 +600,7 @@ connected_cell_format_payload(uint8_t *payload_out,
/* This is an onion service client connection: Export the client circuit ID /* This is an onion service client connection: Export the client circuit ID
* according to the HAProxy proxy protocol. */ * according to the HAProxy proxy protocol. */
STATIC void STATIC void
export_hs_client_circuit_id(const edge_connection_t *edge_conn, export_hs_client_circuit_id(edge_connection_t *edge_conn,
connection_t *conn,
hs_circuit_id_protocol_t protocol) hs_circuit_id_protocol_t protocol)
{ {
/* We only support HAProxy right now. */ /* We only support HAProxy right now. */
@ -633,7 +632,7 @@ export_hs_client_circuit_id(const edge_connection_t *edge_conn,
gid >> 16, gid & 0x0000ffff, gid >> 16, gid & 0x0000ffff,
dst_ipv6, src_port, dst_port); dst_ipv6, src_port, dst_port);
connection_buf_add(buf, strlen(buf), conn); connection_buf_add(buf, strlen(buf), TO_CONN(edge_conn));
tor_free(buf); tor_free(buf);
} }
@ -659,14 +658,6 @@ connection_edge_finished_connecting(edge_connection_t *edge_conn)
conn->state = EXIT_CONN_STATE_OPEN; conn->state = EXIT_CONN_STATE_OPEN;
/* If it's an onion service connection, we might want to include the proxy
* protocol header: */
if (edge_conn->hs_ident) {
hs_circuit_id_protocol_t circuit_id_protocol =
hs_service_exports_circuit_id(&edge_conn->hs_ident->identity_pk);
export_hs_client_circuit_id(edge_conn, conn, circuit_id_protocol);
}
connection_watch_events(conn, READ_EVENT); /* stop writing, keep reading */ connection_watch_events(conn, READ_EVENT); /* stop writing, keep reading */
if (connection_get_outbuf_len(conn)) /* in case there are any queued relay if (connection_get_outbuf_len(conn)) /* in case there are any queued relay
* cells */ * cells */
@ -3452,6 +3443,14 @@ handle_hs_exit_conn(circuit_t *circ, edge_connection_t *conn)
hs_inc_rdv_stream_counter(origin_circ); hs_inc_rdv_stream_counter(origin_circ);
/* If it's an onion service connection, we might want to include the proxy
* protocol header: */
if (conn->hs_ident) {
hs_circuit_id_protocol_t circuit_id_protocol =
hs_service_exports_circuit_id(&conn->hs_ident->identity_pk);
export_hs_client_circuit_id(conn, circuit_id_protocol);
}
/* Connect tor to the hidden service destination. */ /* Connect tor to the hidden service destination. */
connection_exit_connect(conn); connection_exit_connect(conn);

3
src/core/or/connection_edge.h
View File

@ -246,8 +246,7 @@ STATIC void connection_ap_handshake_rewrite(entry_connection_t *conn,
STATIC int connection_ap_process_http_connect(entry_connection_t *conn); STATIC int connection_ap_process_http_connect(entry_connection_t *conn);
STATIC void STATIC void
export_hs_client_circuit_id(const edge_connection_t *edge_conn, export_hs_client_circuit_id(edge_connection_t *edge_conn,
connection_t *conn,
hs_circuit_id_protocol_t protocol); hs_circuit_id_protocol_t protocol);
#endif /* defined(CONNECTION_EDGE_PRIVATE) */ #endif /* defined(CONNECTION_EDGE_PRIVATE) */

15
src/test/test_hs_service.c
View File

@ -2047,8 +2047,7 @@ test_export_client_circuit_id(void *arg)
or_circ->global_identifier = 666; or_circ->global_identifier = 666;
/* Export circuit ID */ /* Export circuit ID */
export_hs_client_circuit_id(edge_conn, conn, export_hs_client_circuit_id(edge_conn, service->config.circuit_id_protocol);
service->config.circuit_id_protocol);
/* Check contents */ /* Check contents */
cp1 = buf_get_contents(conn->outbuf, &sz); cp1 = buf_get_contents(conn->outbuf, &sz);
@ -2059,8 +2058,7 @@ test_export_client_circuit_id(void *arg)
or_circ->global_identifier = 22; or_circ->global_identifier = 22;
/* check changes */ /* check changes */
export_hs_client_circuit_id(edge_conn, conn, export_hs_client_circuit_id(edge_conn, service->config.circuit_id_protocol);
service->config.circuit_id_protocol);
cp2 = buf_get_contents(conn->outbuf, &sz); cp2 = buf_get_contents(conn->outbuf, &sz);
tt_str_op(cp1, OP_NE, cp2); tt_str_op(cp1, OP_NE, cp2);
tor_free(cp1); tor_free(cp1);
@ -2068,8 +2066,7 @@ test_export_client_circuit_id(void *arg)
/* Check that GID with UINT32_MAX works. */ /* Check that GID with UINT32_MAX works. */
or_circ->global_identifier = UINT32_MAX; or_circ->global_identifier = UINT32_MAX;
export_hs_client_circuit_id(edge_conn, conn, export_hs_client_circuit_id(edge_conn, service->config.circuit_id_protocol);
service->config.circuit_id_protocol);
cp1 = buf_get_contents(conn->outbuf, &sz); cp1 = buf_get_contents(conn->outbuf, &sz);
tt_str_op(cp1, OP_EQ, tt_str_op(cp1, OP_EQ,
"PROXY TCP6 fc00:dead:beef:4dad::ffff:ffff ::1 65535 42\r\n"); "PROXY TCP6 fc00:dead:beef:4dad::ffff:ffff ::1 65535 42\r\n");
@ -2078,8 +2075,7 @@ test_export_client_circuit_id(void *arg)
/* Check that GID with UINT16_MAX works. */ /* Check that GID with UINT16_MAX works. */
or_circ->global_identifier = UINT16_MAX; or_circ->global_identifier = UINT16_MAX;
export_hs_client_circuit_id(edge_conn, conn, export_hs_client_circuit_id(edge_conn, service->config.circuit_id_protocol);
service->config.circuit_id_protocol);
cp1 = buf_get_contents(conn->outbuf, &sz); cp1 = buf_get_contents(conn->outbuf, &sz);
tt_str_op(cp1, OP_EQ, tt_str_op(cp1, OP_EQ,
"PROXY TCP6 fc00:dead:beef:4dad::0:ffff ::1 65535 42\r\n"); "PROXY TCP6 fc00:dead:beef:4dad::0:ffff ::1 65535 42\r\n");
@ -2088,8 +2084,7 @@ test_export_client_circuit_id(void *arg)
/* Check that GID with UINT16_MAX + 7 works. */ /* Check that GID with UINT16_MAX + 7 works. */
or_circ->global_identifier = UINT16_MAX + 7; or_circ->global_identifier = UINT16_MAX + 7;
export_hs_client_circuit_id(edge_conn, conn, export_hs_client_circuit_id(edge_conn, service->config.circuit_id_protocol);
service->config.circuit_id_protocol);
cp1 = buf_get_contents(conn->outbuf, &sz); cp1 = buf_get_contents(conn->outbuf, &sz);
tt_str_op(cp1, OP_EQ, "PROXY TCP6 fc00:dead:beef:4dad::1:6 ::1 6 42\r\n"); tt_str_op(cp1, OP_EQ, "PROXY TCP6 fc00:dead:beef:4dad::1:6 ::1 6 42\r\n");