From f26950fa7a077de4b6a9329af397fce74182b1e5 Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Wed, 27 Jan 2021 21:49:56 -0500
Subject: relay: Add bloomfiter of relay address + {OR|Dir}Port
In order to deny re-entry in the network, we now keep a bloomfilter of relay ORPort + address and authorities ORPort + address and DirPort + address combinations. So when an Exit stream is handled, we deny anything connecting back into the network on the ORPorts for relays and on the ORPort+DirPort for the authorities. Related to #2667
Signed-off-by: David Goulet
---
 src/feature/nodelist/dirlist.c | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
(limited to 'src/feature/nodelist/dirlist.c')
diff --git a/src/feature/nodelist/dirlist.c b/src/feature/nodelist/dirlist.c
index 93baa6e4e0..25f769dd5a 100644
--- a/src/feature/nodelist/dirlist.c
+++ b/src/feature/nodelist/dirlist.c
@@ -49,6 +49,42 @@ static smartlist_t *trusted_dir_servers = NULL;
 * and all fallback directory servers. */
 static smartlist_t *fallback_dir_servers = NULL;
+/** Helper: From a given trusted directory entry, add the v4 or/and v6 address
+ * to the nodelist address set. */
+static void
+add_trusted_dir_to_nodelist_addr_set(const dir_server_t *dir)
+{
+ tor_addr_t tmp_addr;
+
+ tor_assert(dir);
+ tor_assert(dir->is_authority);
+
+ /* Add IPv4 and then IPv6 if applicable. For authorities, we add the ORPort
+ * and DirPort so re-entry into the network back to them is not possible. */
+ tor_addr_from_ipv4h(&tmp_addr, dir->addr);
+ nodelist_add_addr_to_address_set(&tmp_addr, dir->or_port, dir->dir_port);
+ if (!tor_addr_is_null(&dir->ipv6_addr)) {
+ /* IPv6 DirPort is not a thing yet for authorities. */
+ nodelist_add_addr_to_address_set(&dir->ipv6_addr, dir->ipv6_orport, 0);
+ }
+}
+
+/** Go over the trusted directory server list and add their address(es) to the
+ * nodelist address set. This is called every time a new consensus is set. */
+void
+dirlist_add_trusted_dir_addresses(void)
+{
+ if (!trusted_dir_servers) {
+ return;
+ }
+
+ SMARTLIST_FOREACH_BEGIN(trusted_dir_servers, const dir_server_t *, ent) {
+ if (ent->is_authority) {
+ add_trusted_dir_to_nodelist_addr_set(ent);
+ }
+ } SMARTLIST_FOREACH_END(ent);
+}
+
 /** Return the number of directory authorities whose type matches some bit set
 * in type */
 int
--
cgit v1.2.3-54-g00ecf
From 9eba65bd8b688497de139b57ac72e5b8a40bb728 Mon Sep 17 00:00:00 2001
From: George Kadianakis
Date: Fri, 29 Jan 2021 18:21:30 +0200
Subject: test: Add test for exits blocking reentry to the network
Signed-off-by: David Goulet
---
 src/feature/nodelist/dirlist.c | 4 +-
 src/feature/nodelist/dirlist.h | 2 +-
 src/test/test_address_set.c | 87 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 90 insertions(+), 3 deletions(-)
(limited to 'src/feature/nodelist/dirlist.c')
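Review bot: In add_trusted_dir_to_nodelist_addr_set (first commit, dirlist.c) the IPv6 call passes a literal `0` as the DirPort and the IPv4 call passes `dir->dir_port` unchecked, so both depend on nodelist_add_addr_to_address_set ignoring a zero port, and that callee is not visible in this hunk. If it does ignore it, say so at the call site, e.g. `/* A port of 0 means "no port" and is not added to the set. */`; if it does not, an address:0 pair lands in the re-entry filter and the guard belongs here. The doc comment on dirlist_add_trusted_dir_addresses should also state that only entries with `is_authority` set are added, since "trusted directory server list" reads as if every entry were covered.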
diff --git a/src/feature/nodelist/dirlist.c b/src/feature/nodelist/dirlist.c
index 25f769dd5a..b4abffad67 100644
--- a/src/feature/nodelist/dirlist.c
+++ b/src/feature/nodelist/dirlist.c
@@ -71,8 +71,8 @@ add_trusted_dir_to_nodelist_addr_set(const dir_server_t *dir)
 /** Go over the trusted directory server list and add their address(es) to the
 * nodelist address set. This is called every time a new consensus is set. */
-void
-dirlist_add_trusted_dir_addresses(void)
+MOCK_IMPL(void,
+dirlist_add_trusted_dir_addresses, (void))
 {
 if (!trusted_dir_servers) {
 return;
diff --git a/src/feature/nodelist/dirlist.h b/src/feature/nodelist/dirlist.h
index 9354769bcf..527af35427 100644
--- a/src/feature/nodelist/dirlist.h
+++ b/src/feature/nodelist/dirlist.h
@@ -44,6 +44,6 @@ void dir_server_add(dir_server_t *ent);
 void clear_dir_servers(void);
 void dirlist_free_all(void);
-void dirlist_add_trusted_dir_addresses(void);
+MOCK_DECL(void, dirlist_add_trusted_dir_addresses, (void));
 #endif
diff --git a/src/test/test_address_set.c b/src/test/test_address_set.c
index fb8408b3c3..6d9fab67ab 100644
--- a/src/test/test_address_set.c
+++ b/src/test/test_address_set.c
@@ -4,6 +4,7 @@
 #include "core/or/or.h"
 #include "lib/crypt_ops/crypto_rand.h"
 #include "core/or/address_set.h"
+#include "feature/nodelist/dirlist.h"
 #include "feature/nodelist/microdesc.h"
 #include "feature/nodelist/networkstatus.h"
 #include "feature/nodelist/nodelist.h"
@@ -31,6 +32,12 @@ mock_networkstatus_get_latest_consensus_by_flavor(consensus_flavor_t f)
 return dummy_ns;
 }
+static void
+mock_dirlist_add_trusted_dir_addresses(void)
+{
+ return;
+}
+
 /* Number of address a single node_t can have. Default to the production
 * value. This is to control the size of the bloom filter. */
 static int addr_per_node = 2;
@@ -169,11 +176,91 @@ test_nodelist(void *arg)
 UNMOCK(get_estimated_address_per_node);
 }
+/** Test that the no-reentry exit filter works as intended */
+static void
+test_exit_no_reentry(void *arg)
+{
+ routerstatus_t *rs = NULL; microdesc_t *md = NULL; routerinfo_t *ri = NULL;
+ (void) arg;
+
+ MOCK(networkstatus_get_latest_consensus,
+ mock_networkstatus_get_latest_consensus);
+ MOCK(networkstatus_get_latest_consensus_by_flavor,
+ mock_networkstatus_get_latest_consensus_by_flavor);
+ MOCK(get_estimated_address_per_node,
+ mock_get_estimated_address_per_node);
+ MOCK(dirlist_add_trusted_dir_addresses,
+ mock_dirlist_add_trusted_dir_addresses);
+
+ dummy_ns = tor_malloc_zero(sizeof(*dummy_ns));
+ dummy_ns->flavor = FLAV_MICRODESC;
+ dummy_ns->routerstatus_list = smartlist_new();
+
+ tor_addr_t addr_v4, addr_v6, dummy_addr;
+ tor_addr_parse(&addr_v4, "42.42.42.42");
+ tor_addr_parse(&addr_v6, "1:2:3:4::");
+ memset(&dummy_addr, 'A', sizeof(dummy_addr));
+
+ /* This will make the nodelist bloom filter very large
+ * (the_nodelist->node_addrs) so we will fail the contain test rarely. */
+ addr_per_node = 1024;
+
+ /* After this point the nodelist is populated with the directory authorities
+ * address and ports */
+ nodelist_set_consensus(dummy_ns);
+
+ /* The address set is empty. Try it anyway */
+ tt_assert(!nodelist_reentry_probably_contains(&addr_v4, 244));
+ tt_assert(!nodelist_reentry_probably_contains(&addr_v6, 244));
+
+ /* Now let's populate the network */
+ md = tor_malloc_zero(sizeof(*md));
+ ri = tor_malloc_zero(sizeof(*ri));
+ rs = tor_malloc_zero(sizeof(*rs));
+ crypto_rand(rs->identity_digest, sizeof(rs->identity_digest));
+ crypto_rand(md->digest, sizeof(md->digest));
+ memcpy(rs->descriptor_digest, md->digest, DIGEST256_LEN);
+
+ /* Setup the rs, ri and md addresses. */
+ rs->addr = tor_addr_to_ipv4h(&addr_v4);
+ rs->or_port = 444;
+ tor_addr_parse(&rs->ipv6_addr, "1:2:3:4::");
+ rs->ipv6_orport = 666;
+ ri->addr = tor_addr_to_ipv4h(&addr_v4);
+ tor_addr_parse(&ri->ipv6_addr, "1:2:3:4::");
+ tor_addr_parse(&md->ipv6_addr, "1:2:3:4::");
+
+ /* Add the rs to the consensus becoming a node_t. */
+ smartlist_add(dummy_ns->routerstatus_list, rs);
+ nodelist_set_consensus(dummy_ns);
+
+ /* Now that the nodelist is populated let's do some retry attempts */
+
+ /* First let's try an address that is on the no-reentry list, but with a
+ different port */
+ tt_assert(!nodelist_reentry_probably_contains(&addr_v4, 666));
+ tt_assert(!nodelist_reentry_probably_contains(&addr_v6, 444));
+
+ /* OK now let's try with the right address and right port */
+ tt_assert(nodelist_reentry_probably_contains(&addr_v4, 444));
+ tt_assert(nodelist_reentry_probably_contains(&addr_v6, 666));
+
+ done:
+ routerstatus_free(rs); routerinfo_free(ri); microdesc_free(md);
+ smartlist_clear(dummy_ns->routerstatus_list);
+ networkstatus_vote_free(dummy_ns);
+ UNMOCK(networkstatus_get_latest_consensus);
+ UNMOCK(networkstatus_get_latest_consensus_by_flavor);
+ UNMOCK(get_estimated_address_per_node);
+ UNMOCK(dirlist_add_trusted_dir_addresses);
+}
+
 struct testcase_t address_set_tests[] = {
 { "contains", test_contains, TT_FORK, NULL, NULL },
 { "nodelist", test_nodelist, TT_FORK, NULL, NULL },
+ { "exit_no_reentry", test_exit_no_reentry, TT_FORK, NULL, NULL },
 END_OF_TESTCASES
 };
--
cgit v1.2.3-54-g00ecf
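Review bot: The comment `After this point the nodelist is populated with the directory authorities address and ports` in test_exit_no_reentry does not match the test, because dirlist_add_trusted_dir_addresses is replaced by mock_dirlist_add_trusted_dir_addresses, which returns immediately, so the authority ORPort and DirPort entries are never added or asserted on. Either correct it to `/* Authorities are mocked out, so the re-entry set is still empty here. */` or add a case that registers an authority and checks that its DirPort is reported by nodelist_reentry_probably_contains. `dummy_addr` is filled by memset but never read in the hunk and can be dropped. "retry attempts" in the later comment presumably means re-entry attempts.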