Merge branch 'feature15482_squashed'

2024-11-10 13:13:44 +01:00 · 2015-09-08 14:03:04 -04:00 · 2015-09-08 14:03:04 -04:00 · fcec1f3381
commit fcec1f3381
parent 4c6fd7106f 54510d4d1a
5 changed files with 38 additions and 3 deletions
--- a/changes/feature15482
+++ b/changes/feature15482
@ -0,0 +1,5 @@
+  o Minor features (client-side privacy)
+    - Indefinitely extend circuit lifespan by resetting dirtyness, if
+      IsolateSOCKSAuth is in use, the new `KeepAliveIsolateSOCKSAuth`
+      option is set, and streams with SOCKS authentication are attached
+      to the circuit. Implements feature 15482.
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@ -934,7 +934,9 @@ The following options are useful only for clients (that is, if
    Feel free to reuse a circuit that was first used at most NUM seconds ago,
    but never attach a new stream to a circuit that is too old.  For hidden
    services, this applies to the __last__ time a circuit was used, not the
-    first.  (Default: 10 minutes)
+    first. Circuits with streams constructed with SOCKS authentication via
+    SocksPorts that have **KeepAliveIsolateSOCKSAuth** ignore this value.
+    (Default: 10 minutes)

 [[MaxClientCircuitsPending]] **MaxClientCircuitsPending** __NUM__::
    Do not allow more than NUM circuits to be pending at a time for handling
@ -991,6 +993,9 @@ The following options are useful only for clients (that is, if
    **IsolateDestAddr**;;
        Don't share circuits with streams targeting a different
        destination address.
+    **KeepAliveIsolateSOCKSAuth**;;
+        If **IsolateSOCKSAuth** is enabled, keep alive circuits that have
+        streams with SOCKS authentication set indefinitely.
    **SessionGroup=**__INT__;;
        If no other isolation rules would prevent it, allow streams
        on this port to share circuits with streams from every other
--- a/src/or/circuituse.c
+++ b/src/or/circuituse.c
@ -2284,8 +2284,15 @@ connection_ap_handshake_attach_chosen_circuit(entry_connection_t *conn,

  base_conn->state = AP_CONN_STATE_CIRCUIT_WAIT;

-  if (!circ->base_.timestamp_dirty)
-    circ->base_.timestamp_dirty = time(NULL);
+  if (!circ->base_.timestamp_dirty ||
+      ((conn->entry_cfg.isolation_flags & ISO_SOCKSAUTH) &&
+       (conn->entry_cfg.socks_iso_keep_alive) &&
+       (conn->socks_request->usernamelen ||
+        conn->socks_request->passwordlen))) {
+    /* When stream isolation is in use and controlled by an application
+     * we are willing to keep using the stream. */
+    circ->base_.timestamp_dirty = approx_time();
+  }

  pathbias_count_use_attempt(circ);

--- a/src/or/config.c
+++ b/src/or/config.c
@ -6037,6 +6037,7 @@ parse_port_config(smartlist_t *out,
    int sessiongroup = SESSION_GROUP_UNSET;
    unsigned isolation = ISO_DEFAULT;
    int prefer_no_auth = 0;
+    int socks_iso_keep_alive = 0;

    char *addrport;
    uint16_t ptmp=0;
@ -6261,6 +6262,8 @@ parse_port_config(smartlist_t *out,
          isoflag = ISO_CLIENTPROTO;
        } else if (!strcasecmp(elt, "IsolateClientAddr")) {
          isoflag = ISO_CLIENTADDR;
+        } else if (!strcasecmp(elt, "KeepAliveIsolateSOCKSAuth")) {
+          socks_iso_keep_alive = 1;
        } else {
          log_warn(LD_CONFIG, "Unrecognized %sPort option '%s'",
                   portname, escaped(elt_orig));
@ -6291,6 +6294,13 @@ parse_port_config(smartlist_t *out,
      goto err;
    }

+    if (!(isolation & ISO_SOCKSAUTH) && socks_iso_keep_alive) {
+      log_warn(LD_CONFIG, "You have a %sPort entry with both "
+               "NoIsolateSOCKSAuth and KeepAliveIsolateSOCKSAuth set.",
+               portname);
+      goto err;
+    }
+
    if (out && port) {
      size_t namelen = unix_socket_path ? strlen(unix_socket_path) : 0;
      port_cfg_t *cfg = port_cfg_new(namelen);
@ -6324,6 +6334,7 @@ parse_port_config(smartlist_t *out,
      cfg->entry_cfg.socks_prefer_no_auth = prefer_no_auth;
      if (! (isolation & ISO_SOCKSAUTH))
        cfg->entry_cfg.socks_prefer_no_auth = 1;
+      cfg->entry_cfg.socks_iso_keep_alive = socks_iso_keep_alive;

      smartlist_add(out, cfg);
    }
--- a/src/or/or.h
+++ b/src/or/or.h
@ -1155,6 +1155,8 @@ typedef struct entry_port_cfg_t {
  /** When both no-auth and user/pass are advertised by a SOCKS client, select
   * no-auth. */
  unsigned int socks_prefer_no_auth : 1;
+  /** When ISO_SOCKSAUTH is in use, Keep-Alive circuits indefinitely. */
+  unsigned int socks_iso_keep_alive : 1;

  /* Client port types only: */
  unsigned int ipv4_traffic : 1;
@ -2877,6 +2879,11 @@ typedef struct circuit_t {
   * circuits entered certain states.  This usage probably won't
   * interfere with this field's primary purpose, but we should
   * document it more thoroughly to make sure of that.
+   *
+   * XXX027 The SocksPort option KeepaliveIsolateSOCKSAuth will artificially
+   * adjust this value forward each time a suitable stream is attached to an
+   * already constructed circuit, potentially keeping the circuit alive
+   * indefinitely.
   */
  time_t timestamp_dirty;