[tor-commits] [tor/master] Bug 7691 review fixes.

nickm at torproject.org nickm at torproject.org
Mon Jan 14 02:49:05 UTC 2013


commit d05ff310a5547b15433314617d6f1b9e9ccfe5b8
Author: Mike Perry <mikeperry-git at fscked.org>
Date:   Tue Jan 8 18:07:34 2013 -0800

    Bug 7691 review fixes.
    
    Also add in the random nonce generation.
---
 src/or/circuitbuild.c |   52 ++++++++++++++++++++++++++++++++++--------------
 src/or/circuitbuild.h |    2 +-
 src/or/or.h           |    4 +-
 3 files changed, 40 insertions(+), 18 deletions(-)

diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 73bd3d4..b304aeb 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -1505,7 +1505,19 @@ pathbias_count_build_success(origin_circuit_t *circ)
 }
 
 /**
- * Send a probe down a circuit that wasn't usable.
+ * Send a probe down a circuit that the client attempted to use,
+ * but for which the stream timed out/failed. The probe is a
+ * RELAY_BEGIN cell with a 0.a.b.c destination address, which
+ * the exit will reject and reply back, echoing that address.
+ *
+ * The reason for such probes is because it is possible to bias
+ * a user's paths simply by causing timeouts, and these timeouts
+ * are not possible to differentiate from unresponsive servers.
+ *
+ * The probe is sent at the end of the circuit lifetime for two
+ * reasons: to prevent cyptographic taggers from being able to
+ * drop cells to cause timeouts, and to prevent easy recognition
+ * of probes before any real client traffic happens.
  *
  * Returns -1 if we couldn't probe, 0 otherwise.
  */
@@ -1517,8 +1529,7 @@ pathbias_send_usable_probe(circuit_t *circ)
   int payload_len;
   origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
   crypt_path_t *cpath_layer = NULL;
-  // XXX: Generate a random 0.a.b.c adddress
-  const char *probe_nonce = "0.1.2.3";
+  char *probe_nonce = NULL;
 
   tor_assert(ocirc);
 
@@ -1548,9 +1559,13 @@ pathbias_send_usable_probe(circuit_t *circ)
   /* Update timestamp for circuit_expire_building to kill us */
   tor_gettimeofday(&circ->timestamp_began);
 
-  tor_snprintf(payload,RELAY_PAYLOAD_SIZE, "%s:25", probe_nonce);
-  tor_addr_parse(&ocirc->pathbias_probe_nonce, probe_nonce);
+  /* Generate a random address for the nonce */
+  crypto_rand((char*)&ocirc->pathbias_probe_nonce,
+              sizeof(ocirc->pathbias_probe_nonce));
+  ocirc->pathbias_probe_nonce &= 0x00ffffff;
+  probe_nonce = tor_dup_ip(ocirc->pathbias_probe_nonce);
 
+  tor_snprintf(payload,RELAY_PAYLOAD_SIZE, "%s:25", probe_nonce);
   payload_len = (int)strlen(payload)+1;
 
   // XXX: need this? Can we assume ipv4 will always be supported?
@@ -1567,12 +1582,14 @@ pathbias_send_usable_probe(circuit_t *circ)
     log_warn(LD_CIRC,
              "Ran out of stream IDs on circuit %u during "
              "pathbias probe attempt.", ocirc->global_identifier);
+    tor_free(probe_nonce);
     return -1;
   }
 
   log_info(LD_CIRC,
            "Sending pathbias testing cell to %s:25 on stream %d for circ %d.",
            probe_nonce, ocirc->pathbias_probe_id, ocirc->global_identifier);
+  tor_free(probe_nonce);
 
   /* Send a test relay cell */
   if (relay_send_command_from_edge(ocirc->pathbias_probe_id, circ,
@@ -1591,18 +1608,19 @@ pathbias_send_usable_probe(circuit_t *circ)
 }
 
 /**
- * Check the response to a pathbias probe.
+ * Check the response to a pathbias probe, to ensure the
+ * cell is recognized and the nonce and other probe
+ * characteristics are as expected.
  *
  * If the response is valid, return 0. Otherwise return < 0.
  */
 int
-pathbias_check_probe_response(circuit_t *circ, cell_t *cell)
+pathbias_check_probe_response(circuit_t *circ, const cell_t *cell)
 {
   /* Based on connection_edge_process_relay_cell() */
   relay_header_t rh;
   int reason;
   uint32_t ipv4_host;
-  tor_addr_t host;
   origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
 
   tor_assert(cell);
@@ -1620,24 +1638,28 @@ pathbias_check_probe_response(circuit_t *circ, cell_t *cell)
 
     /* Check length+extract host: It is in network order after the reason code.
      * See connection_edge_end(). */
-    if (rh.length != 9) { /* reason+ipv4+dns_ttl */
-      log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
-             "Path bias probe response length field is insane (%d).",
-             rh.length);
+    if (rh.length < 9) { /* reason+ipv4+dns_ttl */
+      log_notice(LD_PROTOCOL,
+             "Short path bias probe response length field (%d).", rh.length);
       return - END_CIRC_REASON_TORPROTOCOL;
     }
 
-    ipv4_host = get_uint32(cell->payload+RELAY_HEADER_SIZE+1);
-    tor_addr_from_ipv4n(&host, ipv4_host);
+    ipv4_host = ntohl(get_uint32(cell->payload+RELAY_HEADER_SIZE+1));
 
     /* Check nonce */
-    if (memcmp(&host, &ocirc->pathbias_probe_nonce, sizeof(tor_addr_t)) == 0) {
+    if (ipv4_host == ocirc->pathbias_probe_nonce) {
       ocirc->path_state = PATH_STATE_USE_SUCCEEDED;
       circuit_mark_for_close(circ, END_CIRC_REASON_FINISHED);
       log_info(LD_CIRC,
                "Got valid path bias probe back for circ %d, stream %d.",
                ocirc->global_identifier, ocirc->pathbias_probe_id);
       return 0;
+    } else {
+      log_notice(LD_CIRC,
+               "Got strange probe value 0x%x vs 0x%x back for circ %d, "
+               "stream %d.", ipv4_host, ocirc->pathbias_probe_nonce,
+               ocirc->global_identifier, ocirc->pathbias_probe_id);
+      return -1;
     }
   }
   log_info(LD_CIRC,
diff --git a/src/or/circuitbuild.h b/src/or/circuitbuild.h
index b1cedec..8d2b986 100644
--- a/src/or/circuitbuild.h
+++ b/src/or/circuitbuild.h
@@ -61,7 +61,7 @@ double pathbias_get_extreme_rate(const or_options_t *options);
 int pathbias_get_dropguards(const or_options_t *options);
 void pathbias_count_timeout(origin_circuit_t *circ);
 int pathbias_check_close(origin_circuit_t *circ, int reason);
-int pathbias_check_probe_response(circuit_t *circ, cell_t *cell);
+int pathbias_check_probe_response(circuit_t *circ, const cell_t *cell);
 
 #endif
 
diff --git a/src/or/or.h b/src/or/or.h
index 4b4806c..eb0dc81 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -2894,8 +2894,8 @@ typedef struct origin_circuit_t {
   streamid_t pathbias_probe_id;
 
   /** For path probing. Store the temporary probe address nonce
-   * for response comparison. */
-  tor_addr_t pathbias_probe_nonce;
+   * (in host byte order) for response comparison. */
+  uint32_t pathbias_probe_nonce;
 
   /** Set iff this is a hidden-service circuit which has timed out
    * according to our current circuit-build timeout, but which has





More information about the tor-commits mailing list