Merge branch 'maint-0.2.2_secfix' into master_secfix

Conflicts: src/common/tortls.c src/or/connection_or.c src/or/dirserv.c src/or/or.h
author: Sebastian Hahn <sebastian@torproject.org> 2011-10-27 00:15:25 +0200
committer: Sebastian Hahn <sebastian@torproject.org> 2011-10-27 00:38:45 +0200
commit: 2dec6597af4014eb731d8caac55a8a87964ce371 (patch)
tree: bb2b9020ab2d67f46a619026530c57ec607c07bb /src/or
parent: 2c4e89b86703f188f45f9edfc0fd3e4bbeac3511 (diff)
parent: 4684ced1b3fced0543fa65bf01f75c5d81eaf464 (diff)
download: tor-2dec6597af4014eb731d8caac55a8a87964ce371.tar.gz
tor-2dec6597af4014eb731d8caac55a8a87964ce371.zip
7 files changed, 108 insertions, 7 deletions
diff --git a/src/or/command.c b/src/or/command.c
index c85b057878..d35e2a9c80 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -316,6 +316,7 @@ static void
 command_process_create_cell(cell_t *cell, or_connection_t *conn)
 {
   or_circuit_t *circ;
+  const or_options_t *options = get_options();
   int id_is_high;
 
   if (we_are_hibernating()) {
@@ -327,9 +328,11 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
     return;
   }
 
-  if (!server_mode(get_options())) {
+  if (!server_mode(options) ||
+      (!public_server_mode(options) && conn->is_outgoing)) {
     log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
-           "Received create cell (type %d) from %s:%d, but we're a client. "
+           "Received create cell (type %d) from %s:%d, but we're connected "
+           "to it as a client. "
            "Sending back a destroy.",
            (int)cell->command, conn->_base.address, conn->_base.port);
     connection_or_send_destroy(cell->circ_id, conn,
@@ -392,7 +395,13 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
      * a CPU worker. */
     char keys[CPATH_KEY_MATERIAL_LEN];
     char reply[DIGEST_LEN*2];
+
     tor_assert(cell->command == CELL_CREATE_FAST);
+
+    /* Make sure we never try to use the OR connection on which we
+     * received this cell to satisfy an EXTEND request,  */
+    conn->is_connection_with_client = 1;
+
     if (fast_server_handshake(cell->payload, (uint8_t*)reply,
                               (uint8_t*)keys, sizeof(keys))<0) {
       log_warn(LD_OR,"Failed to generate key material. Closing.");
diff --git a/src/or/config.c b/src/or/config.c
index c5322f5120..1b9f9fb475 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -282,6 +282,8 @@ static config_var_t _option_vars[] = {
   V(GeoIPFile,                   FILENAME,
     SHARE_DATADIR PATH_SEPARATOR "tor" PATH_SEPARATOR "geoip"),
 #endif
+  V(GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays,
+                                 BOOL,     "0"),
   OBSOLETE("Group"),
   V(HardwareAccel,               BOOL,     "0"),
   V(HeartbeatPeriod,             INTERVAL, "6 hours"),
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 14da69851e..4c0960ceca 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -767,6 +767,11 @@ connection_or_get_for_extend(const char *digest,
     tor_assert(tor_memeq(conn->identity_digest, digest, DIGEST_LEN));
     if (conn->_base.marked_for_close)
       continue;
+    /* Never return a connection on which the other end appears to be
+     * a client. */
+    if (conn->is_connection_with_client) {
+      continue;
+    }
     /* Never return a non-open connection. */
     if (conn->_base.state != OR_CONN_STATE_OPEN) {
       /* If the address matches, don't launch a new connection for this
@@ -1031,6 +1036,8 @@ connection_or_connect(const tor_addr_t *_addr, uint16_t port,
   conn->_base.state = OR_CONN_STATE_CONNECTING;
   control_event_or_conn_status(conn, OR_CONN_EVENT_LAUNCHED, 0);
 
+  conn->is_outgoing = 1;
+
   /* If we are using a proxy server, find it and use it. */
   r = get_proxy_addrport(&proxy_addr, &proxy_port, &proxy_type, TO_CONN(conn));
   if (r == 0) {
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index 5cb4aba5aa..288fca99b8 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -2288,6 +2288,74 @@ get_possible_sybil_list(const smartlist_t *routers)
   return omit_as_sybil;
 }
 
+/** Return non-zero iff a relay running the Tor version specified in
+ * <b>platform</b> is suitable for use as a potential entry guard. */
+static int
+is_router_version_good_for_possible_guard(const char *platform)
+{
+  static int parsed_versions_initialized = 0;
+  static tor_version_t first_good_0_2_1_guard_version;
+  static tor_version_t first_good_0_2_2_guard_version;
+  static tor_version_t first_good_later_guard_version;
+
+  tor_version_t router_version;
+
+  /* XXX023 This block should be extracted into its own function. */
+  /* XXXX Begin code copied from tor_version_as_new_as (in routerparse.c) */
+  {
+    char *s, *s2, *start;
+    char tmp[128];
+
+    tor_assert(platform);
+
+    if (strcmpstart(platform,"Tor ")) /* nonstandard Tor; be safe and say yes */
+      return 1;
+
+    start = (char *)eat_whitespace(platform+3);
+    if (!*start) return 0;
+    s = (char *)find_whitespace(start); /* also finds '\0', which is fine */
+    s2 = (char*)eat_whitespace(s);
+    if (!strcmpstart(s2, "(r") || !strcmpstart(s2, "(git-"))
+      s = (char*)find_whitespace(s2);
+
+    if ((size_t)(s-start+1) >= sizeof(tmp)) /* too big, no */
+      return 0;
+    strlcpy(tmp, start, s-start+1);
+
+    if (tor_version_parse(tmp, &router_version)<0) {
+      log_info(LD_DIR,"Router version '%s' unparseable.",tmp);
+      return 1; /* be safe and say yes */
+    }
+  }
+  /* XXXX End code copied from tor_version_as_new_as (in routerparse.c) */
+
+  if (!parsed_versions_initialized) {
+    /* CVE-2011-2769 was fixed on the relay side in Tor versions
+     * 0.2.1.31, 0.2.2.34, and 0.2.3.6-alpha. */
+    tor_assert(tor_version_parse("0.2.1.31",
+                                 &first_good_0_2_1_guard_version)>=0);
+    tor_assert(tor_version_parse("0.2.2.34",
+                                 &first_good_0_2_2_guard_version)>=0);
+    tor_assert(tor_version_parse("0.2.3.6-alpha",
+                                 &first_good_later_guard_version)>=0);
+
+    /* Don't parse these constant version strings once for every relay
+     * for every vote. */
+    parsed_versions_initialized = 1;
+  }
+
+  return ((tor_version_same_series(&first_good_0_2_1_guard_version,
+                                   &router_version) &&
+           tor_version_compare(&first_good_0_2_1_guard_version,
+                               &router_version) <= 0) ||
+          (tor_version_same_series(&first_good_0_2_2_guard_version,
+                                   &router_version) &&
+           tor_version_compare(&first_good_0_2_2_guard_version,
+                               &router_version) <= 0) ||
+          (tor_version_compare(&first_good_later_guard_version,
+                               &router_version) <= 0));
+}
+
 /** Extract status information from <b>ri</b> and from other authority
  * functions and store it in <b>rs</b>>.  If <b>naming</b>, consider setting
  * the named flag in <b>rs</b>.
@@ -2303,6 +2371,7 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs,
                                  int naming, int listbadexits,
                                  int listbaddirs, int vote_on_hsdirs)
 {
+  const or_options_t *options = get_options();
   int unstable_version =
     !tor_version_as_new_as(ri->platform,"0.1.1.16-rc-cvs");
   memset(rs, 0, sizeof(routerstatus_t));
@@ -2333,9 +2402,13 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs,
       (router_get_advertised_bandwidth(ri) >= BANDWIDTH_TO_GUARANTEE_GUARD ||
        router_get_advertised_bandwidth(ri) >=
                               MIN(guard_bandwidth_including_exits,
-                                  guard_bandwidth_excluding_exits))) {
-    long tk = rep_hist_get_weighted_time_known(node->identity, now);
-    double wfu = rep_hist_get_weighted_fractional_uptime(node->identity, now);
+                                  guard_bandwidth_excluding_exits)) &&
+      (options->GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays ||
+       is_router_version_good_for_possible_guard(ri->platform))) {
+    long tk = rep_hist_get_weighted_time_known(
+                                      node->identity, now);
+    double wfu = rep_hist_get_weighted_fractional_uptime(
+                                      node->identity, now);
     rs->is_possible_guard = (wfu >= guard_wfu && tk >= guard_tk) ? 1 : 0;
   } else {
     rs->is_possible_guard = 0;
diff --git a/src/or/or.h b/src/or/or.h
index 7a901e7ae2..e4f9b9b2b6 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1220,6 +1220,12 @@ typedef struct or_connection_t {
    * router itself has a problem.
    */
   unsigned int is_bad_for_new_circs:1;
+  /** True iff we have decided that the other end of this connection
+   * is a client.  Connections with this flag set should never be used
+   * to satisfy an EXTEND request.  */
+  unsigned int is_connection_with_client:1;
+  /** True iff this is an outgoing connection. */
+  unsigned int is_outgoing:1;
   unsigned int proxy_type:2; /**< One of PROXY_NONE...PROXY_SOCKS5 */
   uint8_t link_proto; /**< What protocol version are we using? 0 for
                        * "none negotiated yet." */
@@ -3152,6 +3158,10 @@ typedef struct {
                                      * number of servers per IP address shared
                                      * with an authority. */
 
+  /** Should we assign the Guard flag to relays which would allow
+   * exploitation of CVE-2011-2768 against their clients? */
+  int GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays;
+
   char *AccountingStart; /**< How long is the accounting interval, and when
                           * does it start? */
   uint64_t AccountingMax; /**< How many bytes do we allow per accounting
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 6fd8db296d..e8b2dd7d2b 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -570,7 +570,6 @@ static int check_signature_token(const char *digest,
                                  int flags,
                                  const char *doctype);
 static crypto_pk_env_t *find_dir_signing_key(const char *str, const char *eos);
-static int tor_version_same_series(tor_version_t *a, tor_version_t *b);
 
 #undef DEBUG_AREA_ALLOC
 
@@ -4568,7 +4567,7 @@ tor_version_compare(tor_version_t *a, tor_version_t *b)
 
 /** Return true iff versions <b>a</b> and <b>b</b> belong to the same series.
  */
-static int
+int
 tor_version_same_series(tor_version_t *a, tor_version_t *b)
 {
   tor_assert(a);
diff --git a/src/or/routerparse.h b/src/or/routerparse.h
index 8b8cde25f6..527de5dc8b 100644
--- a/src/or/routerparse.h
+++ b/src/or/routerparse.h
@@ -47,6 +47,7 @@ version_status_t tor_version_is_obsolete(const char *myversion,
 int tor_version_parse(const char *s, tor_version_t *out);
 int tor_version_as_new_as(const char *platform, const char *cutoff);
 int tor_version_compare(tor_version_t *a, tor_version_t *b);
+int tor_version_same_series(tor_version_t *a, tor_version_t *b);
 void sort_version_list(smartlist_t *lst, int remove_duplicates);
 void assert_addr_policy_ok(smartlist_t *t);
 void dump_distinct_digest_count(int severity);
author	Sebastian Hahn <sebastian@torproject.org>	2011-10-27 00:15:25 +0200
committer	Sebastian Hahn <sebastian@torproject.org>	2011-10-27 00:38:45 +0200
commit	2dec6597af4014eb731d8caac55a8a87964ce371 (patch)
tree	bb2b9020ab2d67f46a619026530c57ec607c07bb /src/or
parent	2c4e89b86703f188f45f9edfc0fd3e4bbeac3511 (diff)
parent	4684ced1b3fced0543fa65bf01f75c5d81eaf464 (diff)
download	tor-2dec6597af4014eb731d8caac55a8a87964ce371.tar.gz tor-2dec6597af4014eb731d8caac55a8a87964ce371.zip