Implement destaddr-based isolation
The new candidate rule, which arma suggested and I like, is that the original address as received from the client connection or as rewritten by the controller is the address that counts.
parent
aef30547dc
commit
424063e3b2
@ -467,9 +467,9 @@ _connection_free(connection_t *conn)
|
|||||||
if (CONN_IS_EDGE(conn)) {
|
if (CONN_IS_EDGE(conn)) {
|
||||||
edge_connection_t *edge_conn = TO_EDGE_CONN(conn);
|
edge_connection_t *edge_conn = TO_EDGE_CONN(conn);
|
||||||
tor_free(edge_conn->chosen_exit_name);
|
tor_free(edge_conn->chosen_exit_name);
|
||||||
|
tor_free(edge_conn->original_dest_address);
|
||||||
if (edge_conn->socks_request)
|
if (edge_conn->socks_request)
|
||||||
socks_request_free(edge_conn->socks_request);
|
socks_request_free(edge_conn->socks_request);
|
||||||
|
|
||||||
rend_data_free(edge_conn->rend_data);
|
rend_data_free(edge_conn->rend_data);
|
||||||
}
|
}
|
||||||
if (conn->type == CONN_TYPE_CONTROL) {
|
if (conn->type == CONN_TYPE_CONTROL) {
|
||||||
|
@ -1671,6 +1671,9 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
|
|||||||
safe_str_client(socks->address),
|
safe_str_client(socks->address),
|
||||||
socks->port);
|
socks->port);
|
||||||
|
|
||||||
|
if (! conn->original_dest_address)
|
||||||
|
conn->original_dest_address = tor_strdup(conn->socks_request->address);
|
||||||
|
|
||||||
if (socks->command == SOCKS_COMMAND_RESOLVE &&
|
if (socks->command == SOCKS_COMMAND_RESOLVE &&
|
||||||
!tor_inet_aton(socks->address, &addr_tmp) &&
|
!tor_inet_aton(socks->address, &addr_tmp) &&
|
||||||
options->AutomapHostsOnResolve && options->AutomapHostsSuffixes) {
|
options->AutomapHostsOnResolve && options->AutomapHostsSuffixes) {
|
||||||
@ -2512,6 +2515,7 @@ connection_ap_make_link(connection_t *partner,
|
|||||||
conn->socks_request->has_finished = 0; /* waiting for 'connected' */
|
conn->socks_request->has_finished = 0; /* waiting for 'connected' */
|
||||||
strlcpy(conn->socks_request->address, address,
|
strlcpy(conn->socks_request->address, address,
|
||||||
sizeof(conn->socks_request->address));
|
sizeof(conn->socks_request->address));
|
||||||
|
conn->original_dest_address = tor_strdup(address);
|
||||||
conn->socks_request->port = port;
|
conn->socks_request->port = port;
|
||||||
conn->socks_request->command = SOCKS_COMMAND_CONNECT;
|
conn->socks_request->command = SOCKS_COMMAND_CONNECT;
|
||||||
conn->want_onehop = want_onehop;
|
conn->want_onehop = want_onehop;
|
||||||
@ -3274,12 +3278,23 @@ connection_edge_streams_are_compatible(const edge_connection_t *a,
|
|||||||
{
|
{
|
||||||
const uint8_t iso = a->isolation_flags | b->isolation_flags;
|
const uint8_t iso = a->isolation_flags | b->isolation_flags;
|
||||||
|
|
||||||
|
if (! a->original_dest_address) {
|
||||||
|
log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without "
|
||||||
|
"having set a->original_dest_address");
|
||||||
|
((edge_connection_t*)a)->original_dest_address =
|
||||||
|
tor_strdup(a->socks_request->address);
|
||||||
|
}
|
||||||
|
if (! b->original_dest_address) {
|
||||||
|
log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without "
|
||||||
|
"having set b->original_dest_address");
|
||||||
|
((edge_connection_t*)b)->original_dest_address =
|
||||||
|
tor_strdup(a->socks_request->address);
|
||||||
|
}
|
||||||
|
|
||||||
if ((iso & ISO_DESTPORT) && a->socks_request->port != b->socks_request->port)
|
if ((iso & ISO_DESTPORT) && a->socks_request->port != b->socks_request->port)
|
||||||
return 0;
|
return 0;
|
||||||
/* XXXX023 Not quite right: we care about addresses that resolve to the same
|
|
||||||
place */
|
|
||||||
if ((iso & ISO_DESTADDR) &&
|
if ((iso & ISO_DESTADDR) &&
|
||||||
strcasecmp(a->socks_request->address, b->socks_request->address))
|
strcasecmp(a->original_dest_address, b->original_dest_address))
|
||||||
return 0;
|
return 0;
|
||||||
/* XXXX023 Waititing for ticket #1666 */
|
/* XXXX023 Waititing for ticket #1666 */
|
||||||
/*
|
/*
|
||||||
@ -3328,12 +3343,17 @@ connection_edge_compatible_with_circuit(const edge_connection_t *conn,
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (! conn->original_dest_address) {
|
||||||
|
log_warn(LD_BUG, "Reached connection_edge_compatible_with_circuit without "
|
||||||
|
"having set conn->original_dest_address");
|
||||||
|
((edge_connection_t*)conn)->original_dest_address =
|
||||||
|
tor_strdup(conn->socks_request->address);
|
||||||
|
}
|
||||||
|
|
||||||
if ((iso & ISO_DESTPORT) && conn->socks_request->port != circ->dest_port)
|
if ((iso & ISO_DESTPORT) && conn->socks_request->port != circ->dest_port)
|
||||||
return 0;
|
return 0;
|
||||||
/* XXXX023 Not quite right: we care about addresses that resolve to the same
|
|
||||||
place */
|
|
||||||
if ((iso & ISO_DESTADDR) &&
|
if ((iso & ISO_DESTADDR) &&
|
||||||
strcasecmp(conn->socks_request->address, circ->dest_address))
|
strcasecmp(conn->original_dest_address, circ->dest_address))
|
||||||
return 0;
|
return 0;
|
||||||
/* XXXX023 Waititing for ticket #1666 */
|
/* XXXX023 Waititing for ticket #1666 */
|
||||||
/*
|
/*
|
||||||
@ -3369,11 +3389,18 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn,
|
|||||||
origin_circuit_t *circ,
|
origin_circuit_t *circ,
|
||||||
int dry_run)
|
int dry_run)
|
||||||
{
|
{
|
||||||
|
if (! conn->original_dest_address) {
|
||||||
|
log_warn(LD_BUG, "Reached connection_update_circuit_isolation without "
|
||||||
|
"having set conn->original_dest_address");
|
||||||
|
((edge_connection_t*)conn)->original_dest_address =
|
||||||
|
tor_strdup(conn->socks_request->address);
|
||||||
|
}
|
||||||
|
|
||||||
if (!circ->isolation_values_set) {
|
if (!circ->isolation_values_set) {
|
||||||
if (dry_run)
|
if (dry_run)
|
||||||
return -1;
|
return -1;
|
||||||
circ->dest_port = conn->socks_request->port;
|
circ->dest_port = conn->socks_request->port;
|
||||||
circ->dest_address = tor_strdup(conn->socks_request->address);
|
circ->dest_address = tor_strdup(conn->original_dest_address);
|
||||||
circ->client_proto_type = TO_CONN(conn)->type;
|
circ->client_proto_type = TO_CONN(conn)->type;
|
||||||
circ->client_proto_socksver = conn->socks_request->socks_version;
|
circ->client_proto_socksver = conn->socks_request->socks_version;
|
||||||
tor_addr_copy(&circ->client_addr, &TO_CONN(conn)->addr);
|
tor_addr_copy(&circ->client_addr, &TO_CONN(conn)->addr);
|
||||||
@ -3387,9 +3414,7 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn,
|
|||||||
uint8_t mixed = 0;
|
uint8_t mixed = 0;
|
||||||
if (conn->socks_request->port != circ->dest_port)
|
if (conn->socks_request->port != circ->dest_port)
|
||||||
mixed |= ISO_DESTPORT;
|
mixed |= ISO_DESTPORT;
|
||||||
/* XXXX023 Not quite right: we care about addresses that resolve to the
|
if (strcasecmp(conn->original_dest_address, circ->dest_address))
|
||||||
same place */
|
|
||||||
if (strcasecmp(conn->socks_request->address, circ->dest_address))
|
|
||||||
mixed |= ISO_DESTADDR;
|
mixed |= ISO_DESTADDR;
|
||||||
/* XXXX023 auth too, once #1666 is in. */
|
/* XXXX023 auth too, once #1666 is in. */
|
||||||
if ((TO_CONN(conn)->type != circ->client_proto_type ||
|
if ((TO_CONN(conn)->type != circ->client_proto_type ||
|
||||||
|
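Review bot: In connection_edge_streams_are_compatible, the fallback for a missing `b->original_dest_address` copies `a->socks_request->address`, so if that branch ever runs both streams carry a's address, the ISO_DESTADDR comparison below always matches, and streams to different destinations can be judged compatible. The assignment should be `tor_strdup(b->socks_request->address);`. The same fallback is repeated in connection_edge_compatible_with_circuit and connection_edge_update_circuit_isolation, each casting away const to write the field from inside what is otherwise a read-only check; one small helper that takes a non-const connection would keep the copies from drifting apart like this. The warning in connection_edge_update_circuit_isolation also names `connection_update_circuit_isolation`, which does not match the function and makes the log line harder to trace.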
@ -184,6 +184,7 @@ dnsserv_launch_request(const char *name, int reverse)
|
|||||||
|
|
||||||
strlcpy(conn->socks_request->address, name,
|
strlcpy(conn->socks_request->address, name,
|
||||||
sizeof(conn->socks_request->address));
|
sizeof(conn->socks_request->address));
|
||||||
|
conn->original_dest_address = tor_strdup(name);
|
||||||
|
|
||||||
if (connection_add(TO_CONN(conn))<0) {
|
if (connection_add(TO_CONN(conn))<0) {
|
||||||
log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");
|
log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");
|
||||||
|
@ -1214,10 +1214,12 @@ typedef struct edge_connection_t {
|
|||||||
int session_group;
|
int session_group;
|
||||||
/** AP only: The newnym epoch in which we created this connection. */
|
/** AP only: The newnym epoch in which we created this connection. */
|
||||||
unsigned nym_epoch;
|
unsigned nym_epoch;
|
||||||
|
/** AP only: The original requested address before we rewrote it. */
|
||||||
|
char *original_dest_address;
|
||||||
/* Other fields to isolate on already exist. The ClientAddr is addr. The
|
/* Other fields to isolate on already exist. The ClientAddr is addr. The
|
||||||
ClientProtocol is a combination of type and socks_request->
|
ClientProtocol is a combination of type and socks_request->
|
||||||
socks_version. SocksAuth will be added to socks_request by ticket
|
socks_version. SocksAuth will be added to socks_request by ticket
|
||||||
#1666. DestAddr and DestPort are in socks_request->address. */
|
#1666. DestAddr is in socks_request->address. */
|
||||||
|
|
||||||
/** Number of times we've reassigned this application connection to
|
/** Number of times we've reassigned this application connection to
|
||||||
* a new circuit. We keep track because the timeout is longer if we've
|
* a new circuit. We keep track because the timeout is longer if we've
|
||||||
|
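Review bot: The block comment that follows the new field still reads `DestAddr is in socks_request->address`, but the isolation checks in this commit compare `original_dest_address`, so the comment now sends readers to the wrong field and no longer mentions DestPort at all. I would change that sentence to `DestAddr is in original_dest_address; DestPort is in socks_request->port.`, which matches the comparisons visible in connection_edge_streams_are_compatible. The doc comment on `original_dest_address` could also state that the string is heap-allocated and freed in _connection_free(), and that it holds the address as received from the client or as set by the controller, since that is the rule the commit message gives. The struct definition starts and ends outside this hunk.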