Implement destaddr-based isolation

The new candidate rule, which arma suggested and I like, is that
the original address as received from the client connection or as
rewritten by the controller is the address that counts.
This commit is contained in:
Nick Mathewson 2011-07-08 15:15:59 -04:00
parent aef30547dc
commit 424063e3b2
4 changed files with 40 additions and 12 deletions

View File

@ -467,9 +467,9 @@ _connection_free(connection_t *conn)
if (CONN_IS_EDGE(conn)) { if (CONN_IS_EDGE(conn)) {
edge_connection_t *edge_conn = TO_EDGE_CONN(conn); edge_connection_t *edge_conn = TO_EDGE_CONN(conn);
tor_free(edge_conn->chosen_exit_name); tor_free(edge_conn->chosen_exit_name);
tor_free(edge_conn->original_dest_address);
if (edge_conn->socks_request) if (edge_conn->socks_request)
socks_request_free(edge_conn->socks_request); socks_request_free(edge_conn->socks_request);
rend_data_free(edge_conn->rend_data); rend_data_free(edge_conn->rend_data);
} }
if (conn->type == CONN_TYPE_CONTROL) { if (conn->type == CONN_TYPE_CONTROL) {

View File

@ -1671,6 +1671,9 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
safe_str_client(socks->address), safe_str_client(socks->address),
socks->port); socks->port);
if (! conn->original_dest_address)
conn->original_dest_address = tor_strdup(conn->socks_request->address);
if (socks->command == SOCKS_COMMAND_RESOLVE && if (socks->command == SOCKS_COMMAND_RESOLVE &&
!tor_inet_aton(socks->address, &addr_tmp) && !tor_inet_aton(socks->address, &addr_tmp) &&
options->AutomapHostsOnResolve && options->AutomapHostsSuffixes) { options->AutomapHostsOnResolve && options->AutomapHostsSuffixes) {
@ -2512,6 +2515,7 @@ connection_ap_make_link(connection_t *partner,
conn->socks_request->has_finished = 0; /* waiting for 'connected' */ conn->socks_request->has_finished = 0; /* waiting for 'connected' */
strlcpy(conn->socks_request->address, address, strlcpy(conn->socks_request->address, address,
sizeof(conn->socks_request->address)); sizeof(conn->socks_request->address));
conn->original_dest_address = tor_strdup(address);
conn->socks_request->port = port; conn->socks_request->port = port;
conn->socks_request->command = SOCKS_COMMAND_CONNECT; conn->socks_request->command = SOCKS_COMMAND_CONNECT;
conn->want_onehop = want_onehop; conn->want_onehop = want_onehop;
@ -3274,12 +3278,23 @@ connection_edge_streams_are_compatible(const edge_connection_t *a,
{ {
const uint8_t iso = a->isolation_flags | b->isolation_flags; const uint8_t iso = a->isolation_flags | b->isolation_flags;
if (! a->original_dest_address) {
log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without "
"having set a->original_dest_address");
((edge_connection_t*)a)->original_dest_address =
tor_strdup(a->socks_request->address);
}
if (! b->original_dest_address) {
log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without "
"having set b->original_dest_address");
((edge_connection_t*)b)->original_dest_address =
tor_strdup(a->socks_request->address);
}
if ((iso & ISO_DESTPORT) && a->socks_request->port != b->socks_request->port) if ((iso & ISO_DESTPORT) && a->socks_request->port != b->socks_request->port)
return 0; return 0;
/* XXXX023 Not quite right: we care about addresses that resolve to the same
place */
if ((iso & ISO_DESTADDR) && if ((iso & ISO_DESTADDR) &&
strcasecmp(a->socks_request->address, b->socks_request->address)) strcasecmp(a->original_dest_address, b->original_dest_address))
return 0; return 0;
/* XXXX023 Waititing for ticket #1666 */ /* XXXX023 Waititing for ticket #1666 */
/* /*
@ -3328,12 +3343,17 @@ connection_edge_compatible_with_circuit(const edge_connection_t *conn,
return 0; return 0;
} }
if (! conn->original_dest_address) {
log_warn(LD_BUG, "Reached connection_edge_compatible_with_circuit without "
"having set conn->original_dest_address");
((edge_connection_t*)conn)->original_dest_address =
tor_strdup(conn->socks_request->address);
}
if ((iso & ISO_DESTPORT) && conn->socks_request->port != circ->dest_port) if ((iso & ISO_DESTPORT) && conn->socks_request->port != circ->dest_port)
return 0; return 0;
/* XXXX023 Not quite right: we care about addresses that resolve to the same
place */
if ((iso & ISO_DESTADDR) && if ((iso & ISO_DESTADDR) &&
strcasecmp(conn->socks_request->address, circ->dest_address)) strcasecmp(conn->original_dest_address, circ->dest_address))
return 0; return 0;
/* XXXX023 Waititing for ticket #1666 */ /* XXXX023 Waititing for ticket #1666 */
/* /*
@ -3369,11 +3389,18 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn,
origin_circuit_t *circ, origin_circuit_t *circ,
int dry_run) int dry_run)
{ {
if (! conn->original_dest_address) {
log_warn(LD_BUG, "Reached connection_update_circuit_isolation without "
"having set conn->original_dest_address");
((edge_connection_t*)conn)->original_dest_address =
tor_strdup(conn->socks_request->address);
}
if (!circ->isolation_values_set) { if (!circ->isolation_values_set) {
if (dry_run) if (dry_run)
return -1; return -1;
circ->dest_port = conn->socks_request->port; circ->dest_port = conn->socks_request->port;
circ->dest_address = tor_strdup(conn->socks_request->address); circ->dest_address = tor_strdup(conn->original_dest_address);
circ->client_proto_type = TO_CONN(conn)->type; circ->client_proto_type = TO_CONN(conn)->type;
circ->client_proto_socksver = conn->socks_request->socks_version; circ->client_proto_socksver = conn->socks_request->socks_version;
tor_addr_copy(&circ->client_addr, &TO_CONN(conn)->addr); tor_addr_copy(&circ->client_addr, &TO_CONN(conn)->addr);
@ -3387,9 +3414,7 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn,
uint8_t mixed = 0; uint8_t mixed = 0;
if (conn->socks_request->port != circ->dest_port) if (conn->socks_request->port != circ->dest_port)
mixed |= ISO_DESTPORT; mixed |= ISO_DESTPORT;
/* XXXX023 Not quite right: we care about addresses that resolve to the if (strcasecmp(conn->original_dest_address, circ->dest_address))
same place */
if (strcasecmp(conn->socks_request->address, circ->dest_address))
mixed |= ISO_DESTADDR; mixed |= ISO_DESTADDR;
/* XXXX023 auth too, once #1666 is in. */ /* XXXX023 auth too, once #1666 is in. */
if ((TO_CONN(conn)->type != circ->client_proto_type || if ((TO_CONN(conn)->type != circ->client_proto_type ||

View File

@ -184,6 +184,7 @@ dnsserv_launch_request(const char *name, int reverse)
strlcpy(conn->socks_request->address, name, strlcpy(conn->socks_request->address, name,
sizeof(conn->socks_request->address)); sizeof(conn->socks_request->address));
conn->original_dest_address = tor_strdup(name);
if (connection_add(TO_CONN(conn))<0) { if (connection_add(TO_CONN(conn))<0) {
log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request"); log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");

View File

@ -1214,10 +1214,12 @@ typedef struct edge_connection_t {
int session_group; int session_group;
/** AP only: The newnym epoch in which we created this connection. */ /** AP only: The newnym epoch in which we created this connection. */
unsigned nym_epoch; unsigned nym_epoch;
/** AP only: The original requested address before we rewrote it. */
char *original_dest_address;
/* Other fields to isolate on already exist. The ClientAddr is addr. The /* Other fields to isolate on already exist. The ClientAddr is addr. The
ClientProtocol is a combination of type and socks_request-> ClientProtocol is a combination of type and socks_request->
socks_version. SocksAuth will be added to socks_request by ticket socks_version. SocksAuth will be added to socks_request by ticket
#1666. DestAddr and DestPort are in socks_request->address. */ #1666. DestAddr is in socks_request->address. */
/** Number of times we've reassigned this application connection to /** Number of times we've reassigned this application connection to
* a new circuit. We keep track because the timeout is longer if we've * a new circuit. We keep track because the timeout is longer if we've