[tor-commits] [tor/master] Implement destaddr-based isolation
nickm at torproject.org
nickm at torproject.org
Wed Jul 20 00:44:02 UTC 2011
commit 424063e3b2b882d72943bda41279bd29a711ec55
Author: Nick Mathewson <nickm at torproject.org>
Date: Fri Jul 8 15:15:59 2011 -0400
Implement destaddr-based isolation
The new candidate rule, which arma suggested and I like, is that
the original address as received from the client connection or as
rewritten by the controller is the address that counts.
---
src/or/connection.c | 2 +-
src/or/connection_edge.c | 45 +++++++++++++++++++++++++++++++++++----------
src/or/dnsserv.c | 1 +
src/or/or.h | 4 +++-
4 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/src/or/connection.c b/src/or/connection.c
index 09b45e0..5e5abca 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -467,9 +467,9 @@ _connection_free(connection_t *conn)
if (CONN_IS_EDGE(conn)) {
edge_connection_t *edge_conn = TO_EDGE_CONN(conn);
tor_free(edge_conn->chosen_exit_name);
+ tor_free(edge_conn->original_dest_address);
if (edge_conn->socks_request)
socks_request_free(edge_conn->socks_request);
-
rend_data_free(edge_conn->rend_data);
}
if (conn->type == CONN_TYPE_CONTROL) {
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 20f01b1..cfa6a3d 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1671,6 +1671,9 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
safe_str_client(socks->address),
socks->port);
+ if (! conn->original_dest_address)
+ conn->original_dest_address = tor_strdup(conn->socks_request->address);
+
if (socks->command == SOCKS_COMMAND_RESOLVE &&
!tor_inet_aton(socks->address, &addr_tmp) &&
options->AutomapHostsOnResolve && options->AutomapHostsSuffixes) {
@@ -2512,6 +2515,7 @@ connection_ap_make_link(connection_t *partner,
conn->socks_request->has_finished = 0; /* waiting for 'connected' */
strlcpy(conn->socks_request->address, address,
sizeof(conn->socks_request->address));
+ conn->original_dest_address = tor_strdup(address);
conn->socks_request->port = port;
conn->socks_request->command = SOCKS_COMMAND_CONNECT;
conn->want_onehop = want_onehop;
@@ -3274,12 +3278,23 @@ connection_edge_streams_are_compatible(const edge_connection_t *a,
{
const uint8_t iso = a->isolation_flags | b->isolation_flags;
+ if (! a->original_dest_address) {
+ log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without "
+ "having set a->original_dest_address");
+ ((edge_connection_t*)a)->original_dest_address =
+ tor_strdup(a->socks_request->address);
+ }
+ if (! b->original_dest_address) {
+ log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without "
+ "having set b->original_dest_address");
+ ((edge_connection_t*)b)->original_dest_address =
+ tor_strdup(a->socks_request->address);
+ }
+
if ((iso & ISO_DESTPORT) && a->socks_request->port != b->socks_request->port)
return 0;
- /* XXXX023 Not quite right: we care about addresses that resolve to the same
- place */
if ((iso & ISO_DESTADDR) &&
- strcasecmp(a->socks_request->address, b->socks_request->address))
+ strcasecmp(a->original_dest_address, b->original_dest_address))
return 0;
/* XXXX023 Waititing for ticket #1666 */
/*
@@ -3328,12 +3343,17 @@ connection_edge_compatible_with_circuit(const edge_connection_t *conn,
return 0;
}
+ if (! conn->original_dest_address) {
+ log_warn(LD_BUG, "Reached connection_edge_compatible_with_circuit without "
+ "having set conn->original_dest_address");
+ ((edge_connection_t*)conn)->original_dest_address =
+ tor_strdup(conn->socks_request->address);
+ }
+
if ((iso & ISO_DESTPORT) && conn->socks_request->port != circ->dest_port)
return 0;
- /* XXXX023 Not quite right: we care about addresses that resolve to the same
- place */
if ((iso & ISO_DESTADDR) &&
- strcasecmp(conn->socks_request->address, circ->dest_address))
+ strcasecmp(conn->original_dest_address, circ->dest_address))
return 0;
/* XXXX023 Waititing for ticket #1666 */
/*
@@ -3369,11 +3389,18 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn,
origin_circuit_t *circ,
int dry_run)
{
+ if (! conn->original_dest_address) {
+ log_warn(LD_BUG, "Reached connection_update_circuit_isolation without "
+ "having set conn->original_dest_address");
+ ((edge_connection_t*)conn)->original_dest_address =
+ tor_strdup(conn->socks_request->address);
+ }
+
if (!circ->isolation_values_set) {
if (dry_run)
return -1;
circ->dest_port = conn->socks_request->port;
- circ->dest_address = tor_strdup(conn->socks_request->address);
+ circ->dest_address = tor_strdup(conn->original_dest_address);
circ->client_proto_type = TO_CONN(conn)->type;
circ->client_proto_socksver = conn->socks_request->socks_version;
tor_addr_copy(&circ->client_addr, &TO_CONN(conn)->addr);
@@ -3387,9 +3414,7 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn,
uint8_t mixed = 0;
if (conn->socks_request->port != circ->dest_port)
mixed |= ISO_DESTPORT;
- /* XXXX023 Not quite right: we care about addresses that resolve to the
- same place */
- if (strcasecmp(conn->socks_request->address, circ->dest_address))
+ if (strcasecmp(conn->original_dest_address, circ->dest_address))
mixed |= ISO_DESTADDR;
/* XXXX023 auth too, once #1666 is in. */
if ((TO_CONN(conn)->type != circ->client_proto_type ||
diff --git a/src/or/dnsserv.c b/src/or/dnsserv.c
index 8612b48..c81d72f 100644
--- a/src/or/dnsserv.c
+++ b/src/or/dnsserv.c
@@ -184,6 +184,7 @@ dnsserv_launch_request(const char *name, int reverse)
strlcpy(conn->socks_request->address, name,
sizeof(conn->socks_request->address));
+ conn->original_dest_address = tor_strdup(name);
if (connection_add(TO_CONN(conn))<0) {
log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");
diff --git a/src/or/or.h b/src/or/or.h
index 09907c3..ace92ce 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1214,10 +1214,12 @@ typedef struct edge_connection_t {
int session_group;
/** AP only: The newnym epoch in which we created this connection. */
unsigned nym_epoch;
+ /** AP only: The original requested address before we rewrote it. */
+ char *original_dest_address;
/* Other fields to isolate on already exist. The ClientAddr is addr. The
ClientProtocol is a combination of type and socks_request->
socks_version. SocksAuth will be added to socks_request by ticket
- #1666. DestAddr and DestPort are in socks_request->address. */
+ #1666. DestAddr is in socks_request->address. */
/** Number of times we've reassigned this application connection to
* a new circuit. We keep track because the timeout is longer if we've
More information about the tor-commits
mailing list