[tor-commits] [tor/master] Implement destaddr-based isolation

nickm at torproject.org nickm at torproject.org
Wed Jul 20 00:44:02 UTC 2011


commit 424063e3b2b882d72943bda41279bd29a711ec55
Author: Nick Mathewson <nickm at torproject.org>
Date:   Fri Jul 8 15:15:59 2011 -0400

    Implement destaddr-based isolation
    
    The new candidate rule, which arma suggested and I like, is that
    the original address as received from the client connection or as
    rewritten by the controller is the address that counts.
---
 src/or/connection.c      |    2 +-
 src/or/connection_edge.c |   45 +++++++++++++++++++++++++++++++++++----------
 src/or/dnsserv.c         |    1 +
 src/or/or.h              |    4 +++-
 4 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/src/or/connection.c b/src/or/connection.c
index 09b45e0..5e5abca 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -467,9 +467,9 @@ _connection_free(connection_t *conn)
   if (CONN_IS_EDGE(conn)) {
     edge_connection_t *edge_conn = TO_EDGE_CONN(conn);
     tor_free(edge_conn->chosen_exit_name);
+    tor_free(edge_conn->original_dest_address);
     if (edge_conn->socks_request)
       socks_request_free(edge_conn->socks_request);
-
     rend_data_free(edge_conn->rend_data);
   }
   if (conn->type == CONN_TYPE_CONTROL) {
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 20f01b1..cfa6a3d 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1671,6 +1671,9 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
             safe_str_client(socks->address),
             socks->port);
 
+  if (! conn->original_dest_address)
+    conn->original_dest_address = tor_strdup(conn->socks_request->address);
+
   if (socks->command == SOCKS_COMMAND_RESOLVE &&
       !tor_inet_aton(socks->address, &addr_tmp) &&
       options->AutomapHostsOnResolve && options->AutomapHostsSuffixes) {
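Review bot: The snapshot is taken only when `original_dest_address` is NULL, and nothing in this hunk documents which address it is meant to freeze. The commit message says an address rewritten by the controller should be the one that counts; if a controller rewrite re-enters this function with the field already set, the older value would be kept unless code outside this hunk clears it first, which is worth confirming. A comment above the check would help, for example `/* Remember the address as the client (or controller) gave it, before any mapping below; isolation compares this value. */`. The neighbouring lines use the local `socks`, so `tor_strdup(socks->address)` would read more consistently, assuming `socks` is `conn->socks_request`.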
@@ -2512,6 +2515,7 @@ connection_ap_make_link(connection_t *partner,
   conn->socks_request->has_finished = 0; /* waiting for 'connected' */
   strlcpy(conn->socks_request->address, address,
           sizeof(conn->socks_request->address));
+  conn->original_dest_address = tor_strdup(address);
   conn->socks_request->port = port;
   conn->socks_request->command = SOCKS_COMMAND_CONNECT;
   conn->want_onehop = want_onehop;
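Review bot: `original_dest_address` is duplicated from the caller's `address`, while `socks_request->address` gets a copy bounded by `sizeof(conn->socks_request->address)`, so the two strings can differ when `address` is longer than that buffer. The isolation key would then not match the address the stream actually requests. Duplicating the stored copy keeps them identical: `conn->original_dest_address = tor_strdup(conn->socks_request->address);`. The line added in dnsserv_launch_request (`tor_strdup(name)` after the same `strlcpy`) has the same shape. Whether overlong input can reach either site is not visible from these hunks.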
@@ -3274,12 +3278,23 @@ connection_edge_streams_are_compatible(const edge_connection_t *a,
 {
   const uint8_t iso = a->isolation_flags | b->isolation_flags;
 
+  if (! a->original_dest_address) {
+    log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without "
+             "having set a->original_dest_address");
+    ((edge_connection_t*)a)->original_dest_address =
+      tor_strdup(a->socks_request->address);
+  }
+  if (! b->original_dest_address) {
+    log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without "
+             "having set b->original_dest_address");
+    ((edge_connection_t*)b)->original_dest_address =
+      tor_strdup(a->socks_request->address);
+  }
+
   if ((iso & ISO_DESTPORT) && a->socks_request->port != b->socks_request->port)
     return 0;
-  /* XXXX023 Not quite right: we care about addresses that resolve to the same
-     place */
   if ((iso & ISO_DESTADDR) &&
-      strcasecmp(a->socks_request->address, b->socks_request->address))
+      strcasecmp(a->original_dest_address, b->original_dest_address))
     return 0;
   /* XXXX023 Waititing for ticket #1666 */
   /*
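Review bot: The fallback for `b` copies the wrong stream's address: in the `! b->original_dest_address` branch, `tor_strdup(a->socks_request->address)` should be `tor_strdup(b->socks_request->address)`. As written, whenever that branch runs `b` is compared using `a`'s address rather than its own, so the `ISO_DESTADDR` test below can treat two streams to different hosts as compatible. The branch sits behind an LD_BUG warning and should be rare, but when it does run it fails open, weakening the isolation this commit implements. The function body continues past the end of the hunk.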
@@ -3328,12 +3343,17 @@ connection_edge_compatible_with_circuit(const edge_connection_t *conn,
     return 0;
   }
 
+  if (! conn->original_dest_address) {
+    log_warn(LD_BUG, "Reached connection_edge_compatible_with_circuit without "
+             "having set conn->original_dest_address");
+    ((edge_connection_t*)conn)->original_dest_address =
+      tor_strdup(conn->socks_request->address);
+  }
+
   if ((iso & ISO_DESTPORT) && conn->socks_request->port != circ->dest_port)
     return 0;
-  /* XXXX023 Not quite right: we care about addresses that resolve to the same
-     place */
   if ((iso & ISO_DESTADDR) &&
-      strcasecmp(conn->socks_request->address, circ->dest_address))
+      strcasecmp(conn->original_dest_address, circ->dest_address))
     return 0;
   /* XXXX023 Waititing for ticket #1666 */
   /*
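Review bot: The fallback writes through a `const edge_connection_t *` by casting the qualifier away, so a function whose signature promises a read-only check now allocates and mutates `conn`. The same block appears in connection_edge_streams_are_compatible and connection_edge_update_circuit_isolation. A read-only fallback keeps the contract: `const char *dest = conn->original_dest_address ? conn->original_dest_address : conn->socks_request->address;`, then compare `dest` with `circ->dest_address` and keep the `log_warn(LD_BUG, ...)` for the NULL case. If the mutation is intended, one static helper taking a non-const pointer would replace the three copies. The function starts before and continues after this hunk.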
@@ -3369,11 +3389,18 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn,
                                          origin_circuit_t *circ,
                                          int dry_run)
 {
+  if (! conn->original_dest_address) {
+    log_warn(LD_BUG, "Reached connection_update_circuit_isolation without "
+             "having set conn->original_dest_address");
+    ((edge_connection_t*)conn)->original_dest_address =
+      tor_strdup(conn->socks_request->address);
+  }
+
   if (!circ->isolation_values_set) {
     if (dry_run)
       return -1;
     circ->dest_port = conn->socks_request->port;
-    circ->dest_address = tor_strdup(conn->socks_request->address);
+    circ->dest_address = tor_strdup(conn->original_dest_address);
     circ->client_proto_type = TO_CONN(conn)->type;
     circ->client_proto_socksver = conn->socks_request->socks_version;
     tor_addr_copy(&circ->client_addr, &TO_CONN(conn)->addr);
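Review bot: The warning text names `connection_update_circuit_isolation`, but the function is `connection_edge_update_circuit_isolation`, so searching the source for the logged name will not find this site. The first string should read `"Reached connection_edge_update_circuit_isolation without "`. The fallback also runs before the `dry_run` test, so a dry-run call still allocates and stores into `conn`. If that is intended, a short comment such as `/* This repair is applied even when dry_run is set. */` would make it explicit. The function continues past the end of this hunk.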
@@ -3387,9 +3414,7 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn,
     uint8_t mixed = 0;
     if (conn->socks_request->port != circ->dest_port)
       mixed |= ISO_DESTPORT;
-    /* XXXX023 Not quite right: we care about addresses that resolve to the
-       same place */
-    if (strcasecmp(conn->socks_request->address, circ->dest_address))
+    if (strcasecmp(conn->original_dest_address, circ->dest_address))
       mixed |= ISO_DESTADDR;
     /* XXXX023 auth too, once #1666 is in. */
     if ((TO_CONN(conn)->type != circ->client_proto_type ||
diff --git a/src/or/dnsserv.c b/src/or/dnsserv.c
index 8612b48..c81d72f 100644
--- a/src/or/dnsserv.c
+++ b/src/or/dnsserv.c
@@ -184,6 +184,7 @@ dnsserv_launch_request(const char *name, int reverse)
 
   strlcpy(conn->socks_request->address, name,
           sizeof(conn->socks_request->address));
+  conn->original_dest_address = tor_strdup(name);
 
   if (connection_add(TO_CONN(conn))<0) {
     log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");
diff --git a/src/or/or.h b/src/or/or.h
index 09907c3..ace92ce 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1214,10 +1214,12 @@ typedef struct edge_connection_t {
   int session_group;
   /** AP only: The newnym epoch in which we created this connection. */
   unsigned nym_epoch;
+  /** AP only: The original requested address before we rewrote it. */
+  char *original_dest_address;
   /* Other fields to isolate on already exist.  The ClientAddr is addr.  The
      ClientProtocol is a combination of type and socks_request->
      socks_version.  SocksAuth will be added to socks_request by ticket
-     #1666. DestAddr and DestPort are in socks_request->address. */
+     #1666. DestAddr is in socks_request->address. */
 
   /** Number of times we've reassigned this application connection to
    * a new circuit. We keep track because the timeout is longer if we've
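Review bot: The revised comment still sends readers to `socks_request->address` for DestAddr, but after this commit the isolation checks in connection_edge.c compare `original_dest_address`. DestPort, dropped from the sentence, is read from `socks_request->port` there. Suggest `DestAddr is in original_dest_address; DestPort is in socks_request->port.` The new field's doc comment could also state ownership and nullability, for example `/** AP only: The original requested address before we rewrote it. Heap-allocated, freed in _connection_free(); NULL until the request address is recorded. */`.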




