[or-cvs] r8566: Fix bug 303: reject attempts to use Tor as a one-hop proxy. (in tor/trunk: . doc src/or)
- To: or-cvs@xxxxxxxxxxxxx
- Subject: [or-cvs] r8566: Fix bug 303: reject attempts to use Tor as a one-hop proxy. (in tor/trunk: . doc src/or)
- From: nickm@xxxxxxxx
- Date: Sun, 1 Oct 2006 16:50:14 -0400 (EDT)
- Delivered-to: archiver@seul.org
- Delivered-to: or-cvs-outgoing@seul.org
- Delivered-to: or-cvs@seul.org
- Delivery-date: Sun, 01 Oct 2006 16:50:22 -0400
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-cvs@xxxxxxxxxxxxx
Author: nickm
Date: 2006-10-01 16:50:11 -0400 (Sun, 01 Oct 2006)
New Revision: 8566
Modified:
tor/trunk/
tor/trunk/ChangeLog
tor/trunk/doc/TODO
tor/trunk/doc/tor-spec.txt
tor/trunk/src/or/circuitbuild.c
tor/trunk/src/or/circuitlist.c
tor/trunk/src/or/connection_edge.c
tor/trunk/src/or/control.c
tor/trunk/src/or/or.h
Log:
r8822@totoro: nickm | 2006-10-01 16:24:22 -0400
Fix bug 303: reject attempts to use Tor as a one-hop proxy.
Property changes on: tor/trunk
___________________________________________________________________
svk:merge ticket from /tor/trunk [r8822] on 96637b51-b116-0410-a10e-9941ebb49b64
Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog 2006-10-01 18:29:10 UTC (rev 8565)
+++ tor/trunk/ChangeLog 2006-10-01 20:50:11 UTC (rev 8566)
@@ -55,6 +55,9 @@
- Fix NetBSD bug that could allow someone to force uninitialized RAM
to be sent to a server's DNS resolver. This only affects NetBSD
and other platforms that do not bounds-check tolower().
+ - Reject (most) attempts to use Tor as a one-hop proxy; if many people
+ start using Tor as a one-hop proxy, exit nodes become a more attractive
+ target for compromise. (Fixes bug 303.)
o Major bugfixes:
- Avoiding crashing on race condition in dns.c:
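Review bot: "Reject (most) attempts" in the new ChangeLog entry does not say which attempts are still let through. The TODO and tor-spec changes in this same commit make clear that the check applies only to circuits created with CREATE_FAST, so say so here ("Reject attempts to use Tor as a one-hop proxy over circuits created with CREATE_FAST"), which tells operators what the fix covers and why the TODO entry calls the approach a stop-gap.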
Modified: tor/trunk/doc/TODO
===================================================================
--- tor/trunk/doc/TODO 2006-10-01 18:29:10 UTC (rev 8565)
+++ tor/trunk/doc/TODO 2006-10-01 20:50:11 UTC (rev 8566)
@@ -41,15 +41,17 @@
- If 2/3 support port X, weight exits 1/2; weight non-exits 1.
- (Exit fraction - 1/3):Non-exit fraction
- (e - 1/3)/(1-e)
-N - Bug 303: block exit from circuits created with create-fast
- - Specify and document
- - Implement
- - Note that we'd like a better speed-bump too.
+ o Bug 303: block exit from circuits created with create-fast
+ o Specify and document
+ o Implement
+ o Note that we'd like a better speed-bump too.
o Bug 336: CIRC events should have digests when appropriate.
N - figure out the right thing to do when telling nicknames to
controllers. We should always give digest, and possibly sometimes give
nickname? Or digest, and nickname, with indication of whether name is
canonical?
+ - edmanm likes $DIGEST~nickname for unNamed routers, and
+ $DIGEST=nickname for Named routers. So do I.
N - Bug 326: make eventdns thrash less.
N - Test guard unreachable logic; make sure that we actually attempt to
connect to guards that we think are unreachable from time to time.
@@ -84,6 +86,7 @@
- Use for something, so we can be sure it works.
- Test and debug
+N - Send back RELAY_END cells on malformed RELAY_BEGIN.
x - We should ship with a list of stable dir mirrors -- they're not
trusted like the authorities, but they'll provide more robustness
@@ -390,6 +393,8 @@
Future version:
- Configuration format really wants sections.
- Good RBL substitute.
+ - Our current approach to block attempts to use Tor as a single-hop proxy
+ is pretty lame; we should get a better one.
. Update the hidden service stuff for the new dir approach.
- switch to an ascii format, maybe sexpr?
- authdirservers publish blobs of them.
Modified: tor/trunk/doc/tor-spec.txt
===================================================================
--- tor/trunk/doc/tor-spec.txt 2006-10-01 18:29:10 UTC (rev 8565)
+++ tor/trunk/doc/tor-spec.txt 2006-10-01 20:50:11 UTC (rev 8566)
@@ -410,6 +410,11 @@
[Versions of Tor before 0.1.0.6-rc did not support these cell types;
clients should not send CREATE_FAST cells to older Tor servers.]
+ If an OR sees a circuit created with CREATE_FAST, the OR is sure to be the
+ first hop of a circuit. ORs SHOULD reject attempts to create streams with
+ RELAY_BEGIN exiting the circuit at the first hop: letting Tor be used as a
+ single hop proxy makes exit nodes a more attractive target for compromise.
+
5.2. Setting circuit keys
Once the handshake between the OP and an OR is completed, both can
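Review bot: the new paragraph tells ORs to reject a first-hop RELAY_BEGIN but not what the OR sends back, so a client that hits the rejection has no specified way to recognise it; state the RELAY_END reason to use (or that the stream is simply dropped) so implementations agree. It also says nothing about RELAY_BEGIN_DIR, which the connection_edge.c change leaves permitted on CREATE_FAST circuits; the spec should state that exemption so "reject attempts to create streams" is not read as covering directory streams. Minor: "single hop proxy" should be hyphenated ("single-hop proxy") to match the TODO entry.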
Modified: tor/trunk/src/or/circuitbuild.c
===================================================================
--- tor/trunk/src/or/circuitbuild.c 2006-10-01 18:29:10 UTC (rev 8565)
+++ tor/trunk/src/or/circuitbuild.c 2006-10-01 20:50:11 UTC (rev 8566)
@@ -925,6 +925,8 @@
else
memcpy(circ->handshake_digest, cell.payload+DIGEST_LEN, DIGEST_LEN);
+ circ->is_first_hop = (cell_type == CELL_CREATED_FAST);
+
connection_or_write_cell_to_buf(&cell, circ->p_conn);
log_debug(LD_CIRC,"Finished sending 'created' cell.");
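Review bot: `is_first_hop` is derived solely from `cell_type == CELL_CREATED_FAST` at the moment the CREATED cell is written, so a circuit answered with a plain CREATED cell has the flag cleared even though this OR may still be that client's first hop; the name promises more than the check delivers (the or.h comment says "made with a CREATE_FAST cell"). Either rename the field for what it records (e.g. `created_with_fast`) or add a comment here noting the limitation, since connection_edge.c keys its rejection on this flag. Also confirm that the or_circuit_t allocation zeroes the bitfield, because this assignment is the only place it is set.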
Modified: tor/trunk/src/or/circuitlist.c
===================================================================
--- tor/trunk/src/or/circuitlist.c 2006-10-01 18:29:10 UTC (rev 8565)
+++ tor/trunk/src/or/circuitlist.c 2006-10-01 20:50:11 UTC (rev 8566)
@@ -770,6 +770,21 @@
return best;
}
+/** Return the number of hops in circuit's path. */
+int
+circuit_get_cpath_len(origin_circuit_t *circ)
+{
+ int n = 0;
+ if (circ && circ->cpath) {
+ crypt_path_t *cpath, *cpath_next = NULL;
+ for (cpath = circ->cpath; cpath_next != circ->cpath; cpath = cpath_next) {
+ cpath_next = cpath->next;
+ ++n;
+ }
+ }
+ return n;
+}
+
/** Go through the circuitlist; mark-for-close each circuit that starts
* at us but has not yet been used. */
void
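Review bot: the loop in `circuit_get_cpath_len` terminates only because `cpath` is a circular list (`cpath_next != circ->cpath`); if `next` were ever NULL on a ring that has not yet been closed, the following iteration would dereference NULL in `cpath_next = cpath->next`. A `tor_assert(cpath->next)` inside the loop, or a comment stating that cpath is always a ring, would make that assumption explicit. The doc comment should also say that every entry in the list is counted, including hops the circuit is still extending to, since control.c compares the result against 2 to decide whether a circuit is one-hop.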
Modified: tor/trunk/src/or/connection_edge.c
===================================================================
--- tor/trunk/src/or/connection_edge.c 2006-10-01 18:29:10 UTC (rev 8565)
+++ tor/trunk/src/or/connection_edge.c 2006-10-01 20:50:11 UTC (rev 8566)
@@ -1877,6 +1877,15 @@
return 0;
}
#endif
+ if (!CIRCUIT_IS_ORIGIN(circ) && TO_OR_CIRCUIT(circ)->is_first_hop) {
+ /* Don't let clients use us as a single-hop proxy; it attracts attackers
+ * and users who'd be better off with, well, single-hop proxies.
+ */
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+ "Attempt to open a stream on first hop of circuit. Rejecting.");
+ tor_free(address);
+ return 0;
+ }
} else if (rh.command == RELAY_COMMAND_BEGIN_DIR) {
or_options_t *options = get_options();
address = tor_strdup("127.0.0.1");
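Review bot: the rejection path frees `address` and returns 0 without sending anything back to the client, so the stream on the far side is left waiting rather than being told the BEGIN was refused; the TODO entry added in this same commit ("Send back RELAY_END cells on malformed RELAY_BEGIN") is the same gap. Consider sending a RELAY_END with a suitable reason before returning, so well-behaved clients fail fast and controllers see a clean close. Also note that the check sits inside the RELAY_BEGIN branch only: the `else if (rh.command == RELAY_COMMAND_BEGIN_DIR)` branch that follows is unaffected, which looks intentional (directory fetches over a one-hop circuit) but deserves a comment, since the ChangeLog entry only says "Reject (most) attempts".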
Modified: tor/trunk/src/or/control.c
===================================================================
--- tor/trunk/src/or/control.c 2006-10-01 18:29:10 UTC (rev 8565)
+++ tor/trunk/src/or/control.c 2006-10-01 20:50:11 UTC (rev 8566)
@@ -1997,6 +1997,16 @@
conn);
return 0;
}
+ if (circ && circuit_get_cpath_len(circ) < 2) {
+ if (STATE_IS_V0(conn->_base.state))
+ send_control0_error(conn, ERR_INTERNAL,
+ "Refuse to attach stream to one-hop circuit.");
+ else
+ connection_write_str_to_buf(
+ "551 Can't attach stream to one-hop circuit.\r\n",
+ conn);
+ return 0;
+ }
if (connection_ap_handshake_rewrite_and_attach(ap_conn, circ) < 0) {
if (STATE_IS_V0(conn->_base.state))
send_control0_error(conn, ERR_INTERNAL, "Unable to attach stream.");
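Review bot: the two error paths in the new block carry different wording ("Refuse to attach stream to one-hop circuit." vs. "551 Can't attach stream to one-hop circuit."); pick one phrasing so controller authors see the same message on both protocol versions. The check only runs when the controller named a circuit (`circ && ...`); when `circ` is NULL and Tor chooses the circuit itself, nothing in this hunk prevents a one-hop choice, so it is worth stating in a comment whether `connection_ap_handshake_rewrite_and_attach` enforces it or whether that case cannot arise.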
Modified: tor/trunk/src/or/or.h
===================================================================
--- tor/trunk/src/or/or.h 2006-10-01 18:29:10 UTC (rev 8565)
+++ tor/trunk/src/or/or.h 2006-10-01 20:50:11 UTC (rev 8566)
@@ -1232,8 +1232,6 @@
* for this circuit. This includes ciphers for each hop,
* integrity-checking digests for each hop, and package/delivery
* windows for each hop.
- *
- * The cpath field is defined only when we are the circuit's origin.
*/
crypt_path_t *cpath;
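Review bot: the deleted sentence ("The cpath field is defined only when we are the circuit's origin.") was the only statement in this comment of when `cpath` is valid. If it is being dropped because the field now lives in the origin-only subtype (the new `circuit_get_cpath_len` takes an `origin_circuit_t *`), that is fine, but the remaining comment should say so, otherwise readers of the header lose the invariant without any replacement.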
@@ -1307,10 +1305,15 @@
/** A hash of location-hidden service's PK if purpose is INTRO_POINT, or a
* rendezvous cookie if purpose is REND_POINT_WAITING. Filled with zeroes
* otherwise.
+ * ???? move to a subtype or adjunct structure? Wastes 20 bytes. -NM
*/
char rend_token[REND_TOKEN_LEN];
+ /* ???? move to a subtype or adjunct structure? Wastes 20 bytes -NM */
char handshake_digest[DIGEST_LEN]; /**< Stores KH for the handshake. */
+
+ /** True iff this circuit was made with a CREATE_FAST cell. */
+ unsigned int is_first_hop : 1;
} or_circuit_t;
/** Convert a circuit subtype to a circuit_t.*/
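Review bot: the "???? move to a subtype or adjunct structure? Wastes 20 bytes" remark is added twice, once inside the `rend_token` doc comment and again as a plain comment above `handshake_digest`; keep one, and as a plain `/* */` comment so the question does not end up in the generated documentation. The doc comment on `is_first_hop` ("True iff this circuit was made with a CREATE_FAST cell") describes something narrower than the field name; either name the field for what it records (e.g. `created_with_fast`) or extend the comment to say that a first hop reached with a plain CREATE cell is not flagged, so callers like connection_edge.c do not read it as a complete first-hop test.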
@@ -1751,6 +1754,7 @@
void circuit_expire_all_dirty_circs(void);
void _circuit_mark_for_close(circuit_t *circ, int reason,
int line, const char *file);
+int circuit_get_cpath_len(origin_circuit_t *circ);
#define circuit_mark_for_close(c, reason) \
_circuit_mark_for_close((c), (reason), __LINE__, _SHORT_FILE_)