diff options
author | Nick Mathewson <nickm@torproject.org> | 2011-07-08 15:15:59 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2011-07-19 02:02:11 -0400 |
commit | 424063e3b2b882d72943bda41279bd29a711ec55 (patch) | |
tree | d40939c490c7069e46080f78b5eb158d9edba589 | |
parent | aef30547dc4aa77fc79517a6dcad7712b59af371 (diff) | |
download | tor-424063e3b2b882d72943bda41279bd29a711ec55.tar.gz tor-424063e3b2b882d72943bda41279bd29a711ec55.zip |
Implement destaddr-based isolation
The new candidate rule, which arma suggested and I like, is that
the original address as received from the client connection or as
rewritten by the controller is the address that counts.
-rw-r--r-- | src/or/connection.c | 2 | ||||
-rw-r--r-- | src/or/connection_edge.c | 45 | ||||
-rw-r--r-- | src/or/dnsserv.c | 1 | ||||
-rw-r--r-- | src/or/or.h | 4 |
4 files changed, 40 insertions, 12 deletions
diff --git a/src/or/connection.c b/src/or/connection.c index 09b45e03c9..5e5abca7aa 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -467,9 +467,9 @@ _connection_free(connection_t *conn) if (CONN_IS_EDGE(conn)) { edge_connection_t *edge_conn = TO_EDGE_CONN(conn); tor_free(edge_conn->chosen_exit_name); + tor_free(edge_conn->original_dest_address); if (edge_conn->socks_request) socks_request_free(edge_conn->socks_request); - rend_data_free(edge_conn->rend_data); } if (conn->type == CONN_TYPE_CONTROL) { diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 20f01b15f6..cfa6a3deb9 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -1671,6 +1671,9 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn, safe_str_client(socks->address), socks->port); + if (! conn->original_dest_address) + conn->original_dest_address = tor_strdup(conn->socks_request->address); + if (socks->command == SOCKS_COMMAND_RESOLVE && !tor_inet_aton(socks->address, &addr_tmp) && options->AutomapHostsOnResolve && options->AutomapHostsSuffixes) { @@ -2512,6 +2515,7 @@ connection_ap_make_link(connection_t *partner, conn->socks_request->has_finished = 0; /* waiting for 'connected' */ strlcpy(conn->socks_request->address, address, sizeof(conn->socks_request->address)); + conn->original_dest_address = tor_strdup(address); conn->socks_request->port = port; conn->socks_request->command = SOCKS_COMMAND_CONNECT; conn->want_onehop = want_onehop; @@ -3274,12 +3278,23 @@ connection_edge_streams_are_compatible(const edge_connection_t *a, { const uint8_t iso = a->isolation_flags | b->isolation_flags; + if (! a->original_dest_address) { + log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without " + "having set a->original_dest_address"); + ((edge_connection_t*)a)->original_dest_address = + tor_strdup(a->socks_request->address); + } + if (! b->original_dest_address) { + log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without " + "having set b->original_dest_address"); + ((edge_connection_t*)b)->original_dest_address = + tor_strdup(a->socks_request->address); + } + if ((iso & ISO_DESTPORT) && a->socks_request->port != b->socks_request->port) return 0; - /* XXXX023 Not quite right: we care about addresses that resolve to the same - place */ if ((iso & ISO_DESTADDR) && - strcasecmp(a->socks_request->address, b->socks_request->address)) + strcasecmp(a->original_dest_address, b->original_dest_address)) return 0; /* XXXX023 Waititing for ticket #1666 */ /* @@ -3328,12 +3343,17 @@ connection_edge_compatible_with_circuit(const edge_connection_t *conn, return 0; } + if (! conn->original_dest_address) { + log_warn(LD_BUG, "Reached connection_edge_compatible_with_circuit without " + "having set conn->original_dest_address"); + ((edge_connection_t*)conn)->original_dest_address = + tor_strdup(conn->socks_request->address); + } + if ((iso & ISO_DESTPORT) && conn->socks_request->port != circ->dest_port) return 0; - /* XXXX023 Not quite right: we care about addresses that resolve to the same - place */ if ((iso & ISO_DESTADDR) && - strcasecmp(conn->socks_request->address, circ->dest_address)) + strcasecmp(conn->original_dest_address, circ->dest_address)) return 0; /* XXXX023 Waititing for ticket #1666 */ /* @@ -3369,11 +3389,18 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn, origin_circuit_t *circ, int dry_run) { + if (! conn->original_dest_address) { + log_warn(LD_BUG, "Reached connection_update_circuit_isolation without " + "having set conn->original_dest_address"); + ((edge_connection_t*)conn)->original_dest_address = + tor_strdup(conn->socks_request->address); + } + if (!circ->isolation_values_set) { if (dry_run) return -1; circ->dest_port = conn->socks_request->port; - circ->dest_address = tor_strdup(conn->socks_request->address); + circ->dest_address = tor_strdup(conn->original_dest_address); circ->client_proto_type = TO_CONN(conn)->type; circ->client_proto_socksver = conn->socks_request->socks_version; tor_addr_copy(&circ->client_addr, &TO_CONN(conn)->addr); @@ -3387,9 +3414,7 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn, uint8_t mixed = 0; if (conn->socks_request->port != circ->dest_port) mixed |= ISO_DESTPORT; - /* XXXX023 Not quite right: we care about addresses that resolve to the - same place */ - if (strcasecmp(conn->socks_request->address, circ->dest_address)) + if (strcasecmp(conn->original_dest_address, circ->dest_address)) mixed |= ISO_DESTADDR; /* XXXX023 auth too, once #1666 is in. */ if ((TO_CONN(conn)->type != circ->client_proto_type || diff --git a/src/or/dnsserv.c b/src/or/dnsserv.c index 8612b4850f..c81d72f687 100644 --- a/src/or/dnsserv.c +++ b/src/or/dnsserv.c @@ -184,6 +184,7 @@ dnsserv_launch_request(const char *name, int reverse) strlcpy(conn->socks_request->address, name, sizeof(conn->socks_request->address)); + conn->original_dest_address = tor_strdup(name); if (connection_add(TO_CONN(conn))<0) { log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request"); diff --git a/src/or/or.h b/src/or/or.h index 09907c3a15..ace92ce1a7 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1214,10 +1214,12 @@ typedef struct edge_connection_t { int session_group; /** AP only: The newnym epoch in which we created this connection. */ unsigned nym_epoch; + /** AP only: The original requested address before we rewrote it. */ + char *original_dest_address; /* Other fields to isolate on already exist. The ClientAddr is addr. The ClientProtocol is a combination of type and socks_request-> socks_version. SocksAuth will be added to socks_request by ticket - #1666. DestAddr and DestPort are in socks_request->address. */ + #1666. DestAddr is in socks_request->address. */ /** Number of times we've reassigned this application connection to * a new circuit. We keep track because the timeout is longer if we've |