
[or-cvs] r13198: New config options WarnPlaintextPorts and RejectPlaintextPor (in tor/trunk: . doc/spec src/or)



Author: arma
Date: 2008-01-20 00:54:15 -0500 (Sun, 20 Jan 2008)
New Revision: 13198

Modified:
   tor/trunk/ChangeLog
   tor/trunk/doc/spec/control-spec.txt
   tor/trunk/src/or/config.c
   tor/trunk/src/or/connection_edge.c
   tor/trunk/src/or/or.h
   tor/trunk/src/or/relay.c
Log:
New config options WarnPlaintextPorts and RejectPlaintextPorts so
Tor can warn and/or refuse connections to ports commonly used with
vulnerable-plaintext protocols.

We still need to figure out some good defaults for them.


Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2008-01-20 02:26:47 UTC (rev 13197)
+++ tor/trunk/ChangeLog	2008-01-20 05:54:15 UTC (rev 13198)
@@ -6,6 +6,9 @@
     - If we've gone 12 hours since our last bandwidth check, and we
       estimate we have less than 50KB bandwidth capacity but we could
       handle more, do another bandwidth test.
+    - New config options WarnPlaintextPorts and RejectPlaintextPorts so
+      Tor can warn and/or refuse connections to ports commonly used with
+      vulnerable-plaintext protocols.
 
   o Minor features:
     - Don't answer "/tor/networkstatus-bridges" directory requests if

Modified: tor/trunk/doc/spec/control-spec.txt
===================================================================
--- tor/trunk/doc/spec/control-spec.txt	2008-01-20 02:26:47 UTC (rev 13197)
+++ tor/trunk/doc/spec/control-spec.txt	2008-01-20 05:54:15 UTC (rev 13198)
@@ -1300,9 +1300,22 @@
        to do so.}
        [Note: only REASON=CLOCK_JUMPED is implemented currently.]
 
+     DANGEROUS_PORT
+     "PORT=" port
+     "RESULT=" "REJECT" / "WARN"
+       A stream was initiated to a port that's commonly used for
+       vulnerable-plaintext protocols. If the Result is "reject", we
+       refused the connection; whereas if it's "warn", we allowed it.
+
+       {Controllers should warn their users when this occurs, unless they
+       happen to know that the application using Tor is in fact doing so
+       correctly (e.g., because it is part of a distributed bundle). They
+       might also want some sort of interface to let the user configure
+       their RejectPlaintextPorts and WarnPlaintextPorts config options.}
+
      DANGEROUS_SOCKS
-     "PROTOCOL=SOCKS4/SOCKS5"
-     "ADDRESS=IP:port"
+     "PROTOCOL=" "SOCKS4" / "SOCKS5"
+     "ADDRESS=" IP:port
        A connection was made to Tor's SOCKS port using one of the SOCKS
        approaches that doesn't support hostnames -- only raw IP addresses.
        If the client application got this address from gethostbyname(),

Modified: tor/trunk/src/or/config.c
===================================================================
--- tor/trunk/src/or/config.c	2008-01-20 02:26:47 UTC (rev 13197)
+++ tor/trunk/src/or/config.c	2008-01-20 05:54:15 UTC (rev 13198)
@@ -253,6 +253,7 @@
   V(RecommendedClientVersions,   LINELIST, NULL),
   V(RecommendedServerVersions,   LINELIST, NULL),
   V(RedirectExit,                LINELIST, NULL),
+  V(RejectPlaintextPorts,        CSV,      ""),
   V(RelayBandwidthBurst,         MEMUNIT,  "0"),
   V(RelayBandwidthRate,          MEMUNIT,  "0"),
   V(RendExcludeNodes,            STRING,   NULL),
@@ -300,6 +301,7 @@
   V(V3AuthNIntervalsValid,       UINT,     "3"),
   VAR("VersioningAuthoritativeDirectory",BOOL,VersioningAuthoritativeDir, "0"),
   V(VirtualAddrNetwork,          STRING,   "127.192.0.0/10"),
+  V(WarnPlaintextPorts,          CSV,      "23,109,110,143"),
   VAR("__AllDirActionsPrivate",  BOOL,  AllDirActionsPrivate,     "0"),
   VAR("__DisablePredictedCircuits",BOOL,DisablePredictedCircuits, "0"),
   VAR("__LeaveStreamsUnattached",BOOL,  LeaveStreamsUnattached,   "0"),
@@ -2898,6 +2900,14 @@
   if (validate_ports_csv(options->LongLivedPorts, "LongLivedPorts", msg) < 0)
     return -1;
 
+  if (validate_ports_csv(options->RejectPlaintextPorts,
+                         "RejectPlaintextPorts", msg) < 0)
+    return -1;
+
+  if (validate_ports_csv(options->WarnPlaintextPorts,
+                         "WarnPlaintextPorts", msg) < 0)
+    return -1;
+
   if (options->FascistFirewall && !options->ReachableAddresses) {
     if (options->FirewallPorts && smartlist_len(options->FirewallPorts)) {
       /* We already have firewall ports set, so migrate them to

Modified: tor/trunk/src/or/connection_edge.c
===================================================================
--- tor/trunk/src/or/connection_edge.c	2008-01-20 02:26:47 UTC (rev 13197)
+++ tor/trunk/src/or/connection_edge.c	2008-01-20 05:54:15 UTC (rev 13198)
@@ -32,6 +32,7 @@
 static int connection_ap_process_natd(edge_connection_t *conn);
 static int connection_exit_connect_dir(edge_connection_t *exitconn);
 static int address_is_in_virtual_range(const char *addr);
+static int consider_plaintext_ports(edge_connection_t *conn, uint16_t port);
 
 /** An AP stream has failed/finished. If it hasn't already sent back
  * a socks reply, send one now (based on endreason). Also set
@@ -470,6 +471,7 @@
   {
     if (conn->marked_for_close ||
         conn->type != CONN_TYPE_AP ||
+        conn->state != AP_CONN_STATE_CIRCUIT_WAIT ||
         !conn->chosen_exit_optional)
       continue;
     edge_conn = TO_EDGE_CONN(conn);
@@ -482,6 +484,9 @@
                escaped_safe_str(edge_conn->socks_request->address));
       conn->chosen_exit_optional = 0;
       tor_free(edge_conn->chosen_exit_name); /* clears it */
+      /* if this port is dangerous, warn or reject it now that we don't
+       * think it'll be using an enclave. */
+      consider_plaintext_ports(edge_conn, edge_conn->socks_request->port);
     }
   });
 }
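Review bot: The new `conn->state != AP_CONN_STATE_CIRCUIT_WAIT` condition changes which streams this pre-existing loop touches, and nothing in the hunk says why; a one-line comment would keep the next reader from "fixing" it. Something like `/* only streams still waiting for a circuit can be re-targeted here (or closed by consider_plaintext_ports below) */` above the `if` would do. The return value of `consider_plaintext_ports()` is dropped at the end of the body; that looks harmless because no code follows it in this iteration and the loop re-checks `marked_for_close`, but a short comment saying so would make the intent explicit. The enclosing loop's function starts before this hunk, so I cannot see whether anything after the `SMARTLIST_FOREACH` relies on the connection still being open.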
@@ -1182,6 +1187,32 @@
    }
 }
 
+/** Check if <b>conn</b> is using a dangerous port. Then warn and/or
+ * reject depending on our config options. */
+static int
+consider_plaintext_ports(edge_connection_t *conn, uint16_t port)
+{
+  or_options_t *options = get_options();
+  int reject = smartlist_string_num_isin(options->RejectPlaintextPorts, port);
+
+  if (smartlist_string_num_isin(options->WarnPlaintextPorts, port)) {
+    log_warn(LD_APP, "Application request to port %d: this port is "
+             "commonly used for unencrypted protocols. Please make sure "
+             "you don't send anything you would mind the rest of the "
+             "Internet reading!%s", port, reject ? " Closing." : "");
+    control_event_client_status(LOG_WARN, "DANGEROUS_PORT PORT=%d RESULT=%s",
+                                port, reject ? "REJECT" : "WARN");
+  }
+
+  if (reject) {
+    log_info(LD_APP, "Port %d listed in RejectPlaintextPorts. Closing.", port);
+    connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
+    return -1;
+  }
+
+  return 0;
+}
+
 /** Connection <b>conn</b> just finished its socks handshake, or the
  * controller asked us to take care of it. If <b>circ</b> is defined,
  * then that's where we'll want to attach it. Otherwise we have to
@@ -1396,6 +1427,11 @@
         }
       }
 
+      /* warn or reject if it's using a dangerous port */
+      if (!conn->use_begindir && !conn->chosen_exit_name && !circ)
+        if (consider_plaintext_ports(conn, socks->port) < 0)
+          return -1;
+
       if (!conn->use_begindir) {
         /* help predict this next time */
         rep_hist_note_used_port(socks->port, time(NULL));
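Review bot: The guard `!conn->use_begindir && !conn->chosen_exit_name && !circ` skips the plaintext-port check whenever an exit was already chosen or the controller supplied a circuit, and the reasons for each exclusion are not stated. The enclave case appears to be re-checked elsewhere once the enclave attempt is abandoned, but as far as this hunk shows a stream that named its exit explicitly, or one the controller attached itself, is never warned about; if that is intended, say so: `/* Explicit-exit and controller-attached streams are the user's own choice; the enclave case is re-checked once we give up on the enclave. */`. If it is not intended, the condition should probably be `!conn->use_begindir && !conn->chosen_exit_optional && !circ` or similar — worth confirming against the enclave-fallback loop. The enclosing function starts and ends outside this hunk.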

Modified: tor/trunk/src/or/or.h
===================================================================
--- tor/trunk/src/or/or.h	2008-01-20 02:26:47 UTC (rev 13197)
+++ tor/trunk/src/or/or.h	2008-01-20 05:54:15 UTC (rev 13198)
@@ -529,6 +529,7 @@
 #define END_STREAM_REASON_CONNRESET 12
 #define END_STREAM_REASON_TORPROTOCOL 13
 #define END_STREAM_REASON_NOTDIRECTORY 14
+#define END_STREAM_REASON_ENTRYPOLICY 15
 
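Review bot: `END_STREAM_REASON_ENTRYPOLICY 15` is placed in the numbered run that the comment immediately below describes as the official-spec reasons carried in relay END cells, yet this commit only ever uses it locally via `connection_mark_unattached_ap()`. A remote relay that sends reason 15 in an END cell would now be reported to the client as an entry-policy rejection, and a future spec reason 15 would collide. Either move it below the comment with the other local-only reasons, or add a note such as `/* Locally generated: our own RejectPlaintextPorts refused the stream; not expected in END cells from relays. */` and make sure tor-spec reserves the value.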
 /* These high-numbered end reasons are not part of the official spec,
  * and are not intended to be put in relay end cells. They are here
@@ -2132,6 +2133,15 @@
   /** Application ports that require all nodes in circ to have sufficient
    * uptime. */
   smartlist_t *LongLivedPorts;
+  /** Application ports that are likely to be unencrypted and
+   * unauthenticated; we reject requests for them to prevent the
+   * user from screwing up and leaking plaintext secrets to an
+   * observer somewhere on the Internet. */
+  smartlist_t *RejectPlaintextPorts;
+  /** Related to RejectPlaintextPorts above, except this config option
+   * controls whether we warn (in the log and via a controller status
+   * event) every time a risky connection is attempted. */
+  smartlist_t *WarnPlaintextPorts;
   /** Should we try to reuse the same exit node for a given host */
   smartlist_t *TrackHostExits;
   int TrackHostExitsExpire; /**< Number of seconds until we expire an

Modified: tor/trunk/src/or/relay.c
===================================================================
--- tor/trunk/src/or/relay.c	2008-01-20 02:26:47 UTC (rev 13197)
+++ tor/trunk/src/or/relay.c	2008-01-20 05:54:15 UTC (rev 13198)
@@ -600,7 +600,10 @@
 
 /** Translate <b>reason</b> (as from a relay 'end' cell) into an
  * appropriate SOCKS5 reply code.
- * DODCDOC 0
+ *
+ * A reason of 0 means that we're not actually expecting to send
+ * this code back to the socks client; we just call it 'succeeded'
+ * to keep things simple.
  */
 socks5_reply_status_t
 connection_edge_end_reason_socks5_response(int reason)
@@ -614,6 +617,8 @@
       return SOCKS5_HOST_UNREACHABLE;
     case END_STREAM_REASON_CONNECTREFUSED:
       return SOCKS5_CONNECTION_REFUSED;
+    case END_STREAM_REASON_ENTRYPOLICY:
+      return SOCKS5_NOT_ALLOWED;
     case END_STREAM_REASON_EXITPOLICY:
       return SOCKS5_NOT_ALLOWED;
     case END_STREAM_REASON_DESTROY:
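Review bot: The new `END_STREAM_REASON_ENTRYPOLICY` case duplicates the body of the `EXITPOLICY` case below it; stacking the two labels over a single `return SOCKS5_NOT_ALLOWED;` would make the shared mapping obvious. More importantly, this hunk updates only the SOCKS5 translation; if relay.c (or control.c) also maps end reasons to SOCKS4 replies or to the reason strings used in STREAM control events, those tables presumably need the new reason too, otherwise a rejected stream would fall into their default branch — I cannot see them from here, so please check. The enclosing switch continues past the end of the hunk.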