[tor-commits] [pluggable-transports/snowflake] 15/31: Add Broker Allowed Relay Pattern Indication Rejection for Proxy
shelikhoo pushed a commit to branch main
in repository pluggable-transports/snowflake.
commit b18a9431b26af8c4e3c908f6e34c2340fc4911bc
Author: Shelikhoo <xiaokangwang at outlook.com>
AuthorDate: Thu Apr 14 11:15:35 2022 +0100
Add Broker Allowed Relay Pattern Indication Rejection for Proxy
---
broker/broker.go | 23 ++++++++++++++++++-----
broker/ipc.go | 6 ++++--
2 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/broker/broker.go b/broker/broker.go
index 476bc81..8ca0120 100644
--- a/broker/broker.go
+++ b/broker/broker.go
@@ -20,6 +20,7 @@ import (
"syscall"
"time"
+ "git.torproject.org/pluggable-transports/snowflake.git/v2/common/namematcher"
"git.torproject.org/pluggable-transports/snowflake.git/v2/common/safelog"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -38,8 +39,9 @@ type BrokerContext struct {
proxyPolls chan *ProxyPoll
metrics *Metrics
- bridgeList BridgeListHolderFileBased
- allowedRelayPattern string
+ bridgeList BridgeListHolderFileBased
+ allowedRelayPattern string
+ presumedPatternForLegacyClient string
}
func (ctx *BrokerContext) GetBridgeInfo(fingerprint [20]byte) (BridgeInfo, error) {
@@ -154,14 +156,24 @@ func (ctx *BrokerContext) AddSnowflake(id string, proxyType string, natType stri
return snowflake
}
-func (ctx *BrokerContext) InstallBridgeListProfile(reader io.Reader, relayPattern string) error {
+func (ctx *BrokerContext) InstallBridgeListProfile(reader io.Reader, relayPattern, presumedPatternForLegacyClient string) error {
if err := ctx.bridgeList.LoadBridgeInfo(reader); err != nil {
return err
}
ctx.allowedRelayPattern = relayPattern
+ ctx.presumedPatternForLegacyClient = presumedPatternForLegacyClient
return nil
}
+func (ctx *BrokerContext) CheckProxyRelayPattern(pattern string, nonSupported bool) bool {
+ if nonSupported {
+ pattern = ctx.presumedPatternForLegacyClient
+ }
+ proxyPattern := namematcher.NewNameMatcher(pattern)
+ brokerPattern := namematcher.NewNameMatcher(ctx.allowedRelayPattern)
+ return proxyPattern.IsSupersetOf(brokerPattern)
+}
+
// Client offer contains an SDP, bridge fingerprint and the NAT type of the client
type ClientOffer struct {
natType string
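Review bot: `CheckProxyRelayPattern` is exported but carries no doc comment, and the one thing a reader needs is the contract hidden in `nonSupported` — that a legacy proxy which announced no pattern is assumed to accept the operator's `-default-relay-pattern`; suggest `// CheckProxyRelayPattern reports whether a proxy's announced relay pattern covers every relay this broker may hand out (proxyPattern is a superset of allowedRelayPattern). Proxies that cannot announce a pattern (nonSupported) are assumed to accept presumedPatternForLegacyClient.` Both operator patterns are also parsed into a `NameMatcher` on every poll and never validated at load time; since the flag defaults to the empty string, whether an empty presumed pattern passes or fails `IsSupersetOf` depends on namematcher, which is not visible here, so it is worth confirming and worth rejecting an empty or unparsable pattern in `InstallBridgeListProfile` so a misconfigured broker fails at startup instead of silently accepting or rejecting every legacy proxy. A positively named `relayPatternSupported bool` parameter would also avoid the `!relayPatternSupported` double negative at the call site.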
@@ -176,7 +188,7 @@ func main() {
var addr string
var geoipDatabase string
var geoip6Database string
- var bridgeListFilePath, allowedRelayPattern string
+ var bridgeListFilePath, allowedRelayPattern, presumedPatternForLegacyClient string
var disableTLS bool
var certFilename, keyFilename string
var disableGeoip bool
@@ -193,6 +205,7 @@ func main() {
flag.StringVar(&geoip6Database, "geoip6db", "/usr/share/tor/geoip6", "path to correctly formatted geoip database mapping IPv6 address ranges to country codes")
flag.StringVar(&bridgeListFilePath, "bridge-list-path", "", "file path for bridgeListFile")
flag.StringVar(&allowedRelayPattern, "allowed-relay-pattern", "", "allowed pattern for relay host name")
+ flag.StringVar(&presumedPatternForLegacyClient, "default-relay-pattern", "", "presumed pattern for legacy client")
flag.BoolVar(&disableTLS, "disable-tls", false, "don't use HTTPS")
flag.BoolVar(&disableGeoip, "disable-geoip", false, "don't use geoip for stats collection")
flag.StringVar(&metricsFilename, "metrics-log", "", "path to metrics logging output")
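Review bot: The help text for `-default-relay-pattern` (`"presumed pattern for legacy client"`) does not tell an operator what the value decides or what an empty default means, even though, judging by the `IsSupersetOf` check in `CheckProxyRelayPattern`, it determines whether every proxy that predates pattern announcement is accepted or rejected. Suggest `"relay pattern assumed for proxies that do not announce one; must cover -allowed-relay-pattern or such proxies are rejected"`. The word "client" in both the flag help and the variable name is also at odds with the rest of the change, where the peer being described is a proxy polling the broker.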
@@ -230,7 +243,7 @@ func main() {
if err != nil {
log.Fatal(err.Error())
}
- err = ctx.InstallBridgeListProfile(bridgeListFile, allowedRelayPattern)
+ err = ctx.InstallBridgeListProfile(bridgeListFile, allowedRelayPattern, presumedPatternForLegacyClient)
if err != nil {
log.Fatal(err.Error())
}
diff --git a/broker/ipc.go b/broker/ipc.go
index fbaed48..97f26ef 100644
--- a/broker/ipc.go
+++ b/broker/ipc.go
@@ -67,12 +67,14 @@ func (i *IPC) Debug(_ interface{}, response *string) error {
func (i *IPC) ProxyPolls(arg messages.Arg, response *[]byte) error {
sid, proxyType, natType, clients, relayPattern, relayPatternSupported, err := messages.DecodeProxyPollRequestWithRelayPrefix(arg.Body)
- _ = relayPattern
- _ = relayPatternSupported
if err != nil {
return messages.ErrBadRequest
}
+ if !i.ctx.CheckProxyRelayPattern(relayPattern, !relayPatternSupported) {
+ return fmt.Errorf("bad request: rejected relay pattern from proxy = %v", messages.ErrBadRequest)
+ }
+
// Log geoip stats
remoteIP, _, err := net.SplitHostPort(arg.RemoteAddr)
if err != nil {
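Review bot: The new rejection wraps `messages.ErrBadRequest` with `%v`, which flattens the sentinel into text, so a caller that classifies errors with `err == messages.ErrBadRequest` or `errors.Is` — as the decode failure a few lines above still permits — will not recognise this as a bad request; use `return fmt.Errorf("rejected relay pattern from proxy: %w", messages.ErrBadRequest)`, which also drops the duplicated "bad request" prefix from the message. The proxy-supplied `relayPattern` is untrusted input that is now handed to `namematcher.NewNameMatcher` before any other processing; if that parser's cost is not bounded for arbitrary strings, confirm it or apply a length limit here. Rejections are neither logged nor counted, so after a pattern change an operator cannot see how many proxies are being turned away. `ProxyPolls` continues past the end of the hunk.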
--