July 2011 - tor-commits - lists.torproject.org

[tor/master] Implement the client side of optimistic data (proposal 174)
by nickm＠torproject.org 20 Jul '11

20 Jul '11

commit 326d5c156dce64c115a76427a4dabb0e93a90033 Author: Ian Goldberg <iang(a)cs.uwaterloo.ca> Date: Mon Jul 18 12:56:45 2011 -0400 Implement the client side of optimistic data (proposal 174) --- src/or/connection_edge.c | 18 +++++++++++++++++- 1 files changed, 17 insertions(+), 1 deletions(-) diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index f2ddfc7..7551c39 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -157,13 +157,22 @@ connection_edge_process_inbuf(edge_connection_t *conn, int package_partial) case EXIT_CONN_STATE_CONNECTING: case AP_CONN_STATE_RENDDESC_WAIT: case AP_CONN_STATE_CIRCUIT_WAIT: - case AP_CONN_STATE_CONNECT_WAIT: case AP_CONN_STATE_RESOLVE_WAIT: case AP_CONN_STATE_CONTROLLER_WAIT: log_info(LD_EDGE, "data from edge while in '%s' state. Leaving it on buffer.", conn_state_to_string(conn->_base.type, conn->_base.state)); return 0; + case AP_CONN_STATE_CONNECT_WAIT: + log_info(LD_EDGE, + "data from edge while in '%s' state. Sending it anyway. package_partial=%d, buflen=%d", + conn_state_to_string(conn->_base.type, conn->_base.state), package_partial, buf_datalen(TO_CONN(conn)->inbuf)); + if (connection_edge_package_raw_inbuf(conn, package_partial, NULL) < 0) { + /* (We already sent an end cell if possible) */ + connection_mark_for_close(TO_CONN(conn)); + return -1; + } + return 0; } log_warn(LD_BUG,"Got unexpected state %d. Closing.",conn->_base.state); tor_fragile_assert(); @@ -2395,6 +2404,13 @@ connection_ap_handshake_send_begin(edge_connection_t *ap_conn) log_info(LD_APP,"Address/port sent, ap socket %d, n_circ_id %d", ap_conn->_base.s, circ->_base.n_circ_id); control_event_stream_status(ap_conn, STREAM_EVENT_SENT_CONNECT, 0); + + /* If there's queued-up data, send it now */ + log_warn(LD_APP, "Possibly sending queued-up data: %d", buf_datalen(TO_CONN(ap_conn)->inbuf)); + if (connection_edge_package_raw_inbuf(ap_conn, 1, NULL) < 0) { + connection_mark_for_close(TO_CONN(ap_conn)); + } + return 0; }

1 0

[tor/master] Only use optimistic data with exits that support it
by nickm＠torproject.org 20 Jul '11

20 Jul '11

commit 1e441df2d0d06aa66eaf2c0e00a42d7fe9c39c87 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Jul 18 13:56:22 2011 -0400 Only use optimistic data with exits that support it This adds a little code complexity: we need to remember for each node whether it supports the right feature, and then check for each connection whether it's exiting at such a node. We store this in a flag in the edge_connection_t, and set that flag at link time. --- src/or/circuituse.c | 21 +++++++++++++++++ src/or/connection_edge.c | 56 ++++++++++++++++++++++++++++++++------------- src/or/or.h | 8 ++++++ src/or/routerparse.c | 3 ++ 4 files changed, 72 insertions(+), 16 deletions(-) diff --git a/src/or/circuituse.c b/src/or/circuituse.c index 460c41f..3c8cacb 100644 --- a/src/or/circuituse.c +++ b/src/or/circuituse.c @@ -677,6 +677,7 @@ circuit_detach_stream(circuit_t *circ, edge_connection_t *conn) tor_assert(conn); conn->cpath_layer = NULL; /* make sure we don't keep a stale pointer */ + conn->exit_allows_optimistic_data = 0; conn->on_circuit = NULL; if (CIRCUIT_IS_ORIGIN(circ)) { @@ -1449,6 +1450,8 @@ static void link_apconn_to_circ(edge_connection_t *apconn, origin_circuit_t *circ, crypt_path_t *cpath) { + const node_t *exitnode; + /* add it into the linked list of streams on this circuit */ log_debug(LD_APP|LD_CIRC, "attaching new conn to circ. n_circ_id %d.", circ->_base.n_circ_id); @@ -1468,6 +1471,24 @@ link_apconn_to_circ(edge_connection_t *apconn, origin_circuit_t *circ, tor_assert(circ->cpath->prev->state == CPATH_STATE_OPEN); apconn->cpath_layer = circ->cpath->prev; } + + /* See if we can use optimistic data on this circuit */ + if (apconn->cpath_layer->extend_info && + (exitnode = node_get_by_id( + apconn->cpath_layer->extend_info->identity_digest)) && + exitnode->rs) { + /* Okay; we know what exit node this is. */ + if (circ->_base.purpose == CIRCUIT_PURPOSE_C_GENERAL && + exitnode->rs->version_supports_optimistic_data) + apconn->exit_allows_optimistic_data = 1; + else + apconn->exit_allows_optimistic_data = 0; + log_info(LD_APP, "Looks like completed circuit to %s %s allow " + "optimistic data for connection to %s", + safe_str_client(node_describe(exitnode)), + apconn->exit_allows_optimistic_data ? "does" : "doesn't", + safe_str_client(apconn->socks_request->address)); + } } /** Return true iff address is matched by one of the entries in diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 6f91d1a..20f8bc9 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -57,6 +57,7 @@ static int connection_exit_connect_dir(edge_connection_t *exitconn); static int address_is_in_virtual_range(const char *addr); static int consider_plaintext_ports(edge_connection_t *conn, uint16_t port); static void clear_trackexithost_mappings(const char *exitname); +static int connection_ap_supports_optimistic_data(const edge_connection_t *); /** An AP stream has failed/finished. If it hasn't already sent back * a socks reply, send one now (based on endreason). Also set @@ -154,6 +155,22 @@ connection_edge_process_inbuf(edge_connection_t *conn, int package_partial) return -1; } return 0; + case AP_CONN_STATE_CONNECT_WAIT: + if (connection_ap_supports_optimistic_data(conn)) { + log_info(LD_EDGE, + "data from edge while in '%s' state. Sending it anyway. " + "package_partial=%d, buflen=%ld", + conn_state_to_string(conn->_base.type, conn->_base.state), + package_partial, connection_get_inbuf_len(TO_CONN(conn))); + if (connection_edge_package_raw_inbuf(conn, package_partial, NULL)<0) { + /* (We already sent an end cell if possible) */ + connection_mark_for_close(TO_CONN(conn)); + return -1; + } + return 0; + } + /* Fall through if the connection is on a circuit without optimistic + * data support. */ case EXIT_CONN_STATE_CONNECTING: case AP_CONN_STATE_RENDDESC_WAIT: case AP_CONN_STATE_CIRCUIT_WAIT: @@ -163,18 +180,6 @@ connection_edge_process_inbuf(edge_connection_t *conn, int package_partial) "data from edge while in '%s' state. Leaving it on buffer.", conn_state_to_string(conn->_base.type, conn->_base.state)); return 0; - case AP_CONN_STATE_CONNECT_WAIT: - log_info(LD_EDGE, - "data from edge while in '%s' state. Sending it anyway. " - "package_partial=%d, buflen=%ld", - conn_state_to_string(conn->_base.type, conn->_base.state), - package_partial, connection_get_inbuf_len(TO_CONN(conn))); - if (connection_edge_package_raw_inbuf(conn, package_partial, NULL) < 0) { - /* (We already sent an end cell if possible) */ - connection_mark_for_close(TO_CONN(conn)); - return -1; - } - return 0; } log_warn(LD_BUG,"Got unexpected state %d. Closing.",conn->_base.state); tor_fragile_assert(); @@ -2345,6 +2350,22 @@ get_unique_stream_id_by_circ(origin_circuit_t *circ) return test_stream_id; } +/** Return true iff conn is linked to a circuit and configured to use + * an exit that supports optimistic data. */ +static int +connection_ap_supports_optimistic_data(const edge_connection_t *conn) +{ + tor_assert(conn->_base.type == CONN_TYPE_AP); + /* We can only send optimistic data if we're connected to an open + general circuit. */ + if (conn->on_circuit == NULL || + conn->on_circuit->state != CIRCUIT_STATE_OPEN || + conn->on_circuit->purpose != CIRCUIT_PURPOSE_C_GENERAL) + return 0; + + return conn->exit_allows_optimistic_data; +} + /** Write a relay begin cell, using destaddr and destport from ap_conn's * socks_request field, and send it down circ. * @@ -2408,10 +2429,13 @@ connection_ap_handshake_send_begin(edge_connection_t *ap_conn) control_event_stream_status(ap_conn, STREAM_EVENT_SENT_CONNECT, 0); /* If there's queued-up data, send it now */ - log_info(LD_APP, "Possibly sending queued-up data: %ld", - connection_get_inbuf_len(TO_CONN(ap_conn))); - if (connection_edge_package_raw_inbuf(ap_conn, 1, NULL) < 0) { - connection_mark_for_close(TO_CONN(ap_conn)); + if (connection_get_inbuf_len(TO_CONN(ap_conn)) && + connection_ap_supports_optimistic_data(ap_conn)) { + log_info(LD_APP, "Sending up to %ld bytes of queued-up data", + connection_get_inbuf_len(TO_CONN(ap_conn))); + if (connection_edge_package_raw_inbuf(ap_conn, 1, NULL) < 0) { + connection_mark_for_close(TO_CONN(ap_conn)); + } } return 0; diff --git a/src/or/or.h b/src/or/or.h index 7a2bde5..f805215 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1232,6 +1232,11 @@ typedef struct edge_connection_t { * NATd connection */ unsigned int is_transparent_ap:1; + /** Set if this connection's target exit node allows optimistic data. + * (That is, data sent on this stream before the exit has sent a + * CONNECTED cell.)*/ + unsigned int exit_allows_optimistic_data : 1; + /** If this is a DNSPort connection, this field holds the pending DNS * request that we're going to try to answer. */ struct evdns_server_request *dns_server_request; @@ -1667,6 +1672,9 @@ typedef struct routerstatus_t { /** True iff this router is a version that, if it caches directory info, * we can get microdescriptors from. */ unsigned int version_supports_microdesc_cache:1; + /** True iff this router is a version that allows DATA cells to arrive on + * a stream before it has sent a CONNECTED cell. */ + unsigned int version_supports_optimistic_data:1; unsigned int has_bandwidth:1; /**< The vote/consensus had bw info */ unsigned int has_exitsummary:1; /**< The vote/consensus had exit summaries */ diff --git a/src/or/routerparse.c b/src/or/routerparse.c index d1b2cd0..5f160d0 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -2092,6 +2092,7 @@ routerstatus_parse_entry_from_string(memarea_t *area, rs->version_supports_extrainfo_upload = 1; rs->version_supports_conditional_consensus = 1; rs->version_supports_microdesc_cache = 1; + rs->version_supports_optimistic_data = 1; } else { rs->version_supports_begindir = tor_version_as_new_as(tok->args[0], "0.2.0.1-alpha"); @@ -2109,6 +2110,8 @@ routerstatus_parse_entry_from_string(memarea_t *area, */ rs->version_supports_microdesc_cache = tor_version_as_new_as(tok->args[0], "0.2.3.0-alpha"); + rs->version_supports_optimistic_data = + tor_version_as_new_as(tok->args[0], "0.2.3.1-alpha"); } if (vote_rs) { vote_rs->version = tor_strdup(tok->args[0]);

1 0

[metrics-web/master] Handle files with multiple descriptors correctly.
by karsten＠torproject.org 20 Jul '11

20 Jul '11

commit 9134082c3ab911c1b283aaf0f1f074d37660060d Author: Karsten Loesing <karsten.loesing(a)gmx.net> Date: Wed Jul 20 12:23:39 2011 +0200 Handle files with multiple descriptors correctly. --- .../ernie/cron/RelayDescriptorParser.java | 56 ++++++++++++++++++-- 1 files changed, 51 insertions(+), 5 deletions(-) diff --git a/src/org/torproject/ernie/cron/RelayDescriptorParser.java b/src/org/torproject/ernie/cron/RelayDescriptorParser.java index a9a0d3d..4b8a16c 100644 --- a/src/org/torproject/ernie/cron/RelayDescriptorParser.java +++ b/src/org/torproject/ernie/cron/RelayDescriptorParser.java @@ -55,17 +55,63 @@ public class RelayDescriptorParser { public void parse(byte[] data) { try { - /* Convert descriptor to ASCII for parsing. This means we'll lose - * the non-ASCII chars, but we don't care about them for parsing - * anyway. */ + /* Remove any @ lines at the beginning of the file and parse the + * first non-@ line to find out the descriptor type. */ BufferedReader br = new BufferedReader(new StringReader(new String( data, "US-ASCII"))); String line = br.readLine(); + while (line != null && line.startsWith("@")) { + line = br.readLine(); + } if (line == null) { - this.logger.fine("We were given an empty descriptor for " - + "parsing. Ignoring."); + this.logger.fine("We were given a file that doesn't contain a " + + "single descriptor for parsing. Ignoring."); return; } + br.close(); + + /* Split the byte[] possibly containing multiple descriptors into + * byte[]'s with one descriptor each and parse them. */ + String startToken = null; + if (line.equals("network-status-version 3")) { + startToken = "network-status-version 3"; + } else if (line.startsWith("router ")) { + startToken = "router "; + } else if (line.startsWith("extra-info ")) { + startToken = "extra-info "; + } else { + this.logger.warning("Unknown descriptor type. Ignoring."); + return; + } + String splitToken = "\n" + startToken; + String ascii = new String(data, "US-ASCII"); + int length = data.length, start = ascii.indexOf(startToken); + while (start < length) { + int end = ascii.indexOf(splitToken, start); + if (end < 0) { + end = length; + } else { + end += 1; + } + byte[] descBytes = new byte[end - start]; + System.arraycopy(data, start, descBytes, 0, end - start); + parseSingleDescriptor(descBytes); + start = end; + } + } catch (IOException e) { + this.logger.log(Level.WARNING, "Could not parse descriptor. " + + "Skipping.", e); + } + } + + private void parseSingleDescriptor(byte[] data) { + try { + /* Convert descriptor to ASCII for parsing. This means we'll lose + * the non-ASCII chars, but we don't care about them for parsing + * anyway. */ + BufferedReader br = new BufferedReader(new StringReader(new String( + data, "US-ASCII"))); + String line = br.readLine(); SimpleDateFormat parseFormat = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss"); parseFormat.setTimeZone(TimeZone.getTimeZone("UTC"));

1 0

[torspec/master] Mark proposal 171 as implemented
by nickm＠torproject.org 20 Jul '11

20 Jul '11

commit 6a2136dac7cbe9c8cff7965fb6050207c971a9fc Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jul 19 20:55:01 2011 -0400 Mark proposal 171 as implemented --- proposals/000-index.txt | 4 ++-- proposals/171-separate-streams.txt | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/proposals/000-index.txt b/proposals/000-index.txt index 43502ec..bd952ad 100644 --- a/proposals/000-index.txt +++ b/proposals/000-index.txt @@ -91,7 +91,7 @@ Proposals by number: 168 Reduce default circuit window [OPEN] 169 Eliminate TLS renegotiation for the Tor connection handshake [SUPERSEDED] 170 Configuration options regarding circuit building [SUPERSEDED] -171 Separate streams across circuits by connection metadata [ACCEPTED] +171 Separate streams across circuits by connection metadata [CLOSED] 172 GETINFO controller option for circuit information [ACCEPTED] 173 GETINFO Option Expansion [ACCEPTED] 174 Optimistic Data for Tor: Server Side [CLOSED] @@ -140,7 +140,6 @@ Proposals by status: 140 Provide diffs between consensuses 147 Eliminate the need for v2 directories in generating v3 directories [for 0.2.3.x] 157 Make certificate downloads specific [for 0.2.3.x] - 171 Separate streams across circuits by connection metadata [for 0.2.3.x] 172 GETINFO controller option for circuit information [for 0.2.3.x] 173 GETINFO Option Expansion [for 0.2.3.x] META: @@ -185,6 +184,7 @@ Proposals by status: 152 Optionally allow exit from single-hop circuits [in 0.2.1.6-alpha] 166 Including Network Statistics in Extra-Info Documents [for 0.2.2] 167 Vote on network parameters in consensus [in 0.2.2] + 171 Separate streams across circuits by connection metadata [in 0.2.3.3-alpha] 174 Optimistic Data for Tor: Server Side [in 0.2.3.1-alpha] SUPERSEDED: 112 Bring Back Pathlen Coin Weight diff --git a/proposals/171-separate-streams.txt b/proposals/171-separate-streams.txt index 3b8b826..01668a4 100644 --- a/proposals/171-separate-streams.txt +++ b/proposals/171-separate-streams.txt @@ -3,8 +3,8 @@ Title: Separate streams across circuits by connection metadata Author: Robert Hogan, Jacob Appelbaum, Damon McCoy, Nick Mathewson Created: 21-Oct-2008 Modified: 7-Dec-2010 -Status: Accepted -Target: 0.2.3.x +Status: Closed +Implemented-In: 0.2.3.3-alpha Summary:

1 0

[tor/master] Turn streq_opt into a generic strcmp_opt.
by nickm＠torproject.org 20 Jul '11

20 Jul '11

commit 94f85f216ae4b6196d2a3438bfaf328375ebaad6 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jul 19 02:36:11 2011 -0400 Turn streq_opt into a generic strcmp_opt. --- src/common/util.c | 17 +++++++++++++++++ src/common/util.h | 1 + src/or/config.c | 7 +------ 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/src/common/util.c b/src/common/util.c index bf0bbe0..15b6e71 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -521,6 +521,23 @@ tor_strisnonupper(const char *s) return 1; } +/** As strcmp, except that either string may be NULL. The NULL string is + * considered to be before any non-NULL string. */ +int +strcmp_opt(const char *s1, const char *s2) +{ + if (!s1) { + if (!s2) + return 0; + else + return -1; + } else if (!s2) { + return 1; + } else { + return strcmp(s1, s2); + } +} + /** Compares the first strlen(s2) characters of s1 with s2. Returns as for * strcmp. */ diff --git a/src/common/util.h b/src/common/util.h index de06c3c..9935587 100644 --- a/src/common/util.h +++ b/src/common/util.h @@ -175,6 +175,7 @@ void tor_strlower(char *s) ATTR_NONNULL((1)); void tor_strupper(char *s) ATTR_NONNULL((1)); int tor_strisprint(const char *s) ATTR_PURE ATTR_NONNULL((1)); int tor_strisnonupper(const char *s) ATTR_PURE ATTR_NONNULL((1)); +int strcmp_opt(const char *s1, const char *s2) ATTR_PURE; int strcmpstart(const char *s1, const char *s2) ATTR_PURE ATTR_NONNULL((1,2)); int strcmp_len(const char *s1, const char *s2, size_t len) ATTR_PURE ATTR_NONNULL((1,2)); diff --git a/src/or/config.c b/src/or/config.c index 86ccb92..cc1561b 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -3864,12 +3864,7 @@ options_validate(or_options_t *old_options, or_options_t *options, static int opt_streq(const char *s1, const char *s2) { - if (!s1 && !s2) - return 1; - else if (s1 && s2 && !strcmp(s1,s2)) - return 1; - else - return 0; + return 0 == strcmp_opt(s1, s2); } /** Check if any of the previous options have changed but aren't allowed to. */

1 0

[tor/master] Manpage updates for proposal 171 (isolated streams)
by nickm＠torproject.org 20 Jul '11

20 Jul '11

commit 891ccd3cd0690e83f1dc4dde7698c3bd9d7fe98d Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Jul 8 16:37:29 2011 -0400 Manpage updates for proposal 171 (isolated streams) --- doc/tor.1.txt | 105 +++++++++++++++++++++++++++++++++++++++++++------------- 1 files changed, 80 insertions(+), 25 deletions(-) diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 9607632..8241eeb 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -464,7 +464,7 @@ CLIENT OPTIONS -------------- The following options are useful only for clients (that is, if -**SocksPort** is non-zero): +**SocksPort**, **TransPort**, **DNSPort**, or **NATDPort** is non-zero): **AllowInvalidNodes** **entry**|**exit**|**middle**|**introduction**|**rendezvous**|**...**:: If some Tor servers are obviously not working right, the directory @@ -682,17 +682,50 @@ The following options are useful only for clients (that is, if the same circuit. Currently, two addresses are "too close" if they lie in the same /16 range. (Default: 1) -**SocksPort** __PORT__|**auto**:: - Advertise this port to listen for connections from Socks-speaking +**SOCKSPort** \['address':]__port__|**auto** [_isolation flags_]:: + Open this port to listen for connections from SOCKS-speaking applications. Set this to 0 if you don't want to allow application connections via SOCKS. Set it to "auto" to have Tor pick a port for - you. (Default: 9050) - -**SocksListenAddress** __IP__[:__PORT__]:: + you. This directive can be specified multiple times to bind + to multiple addresses/ports. (Default: 9050) + + + + The _isolation flags_ arguments give Tor rules for which streams + received on this SOCKSPort are allowed to share circuits with one + another. Recognized isolation flags are: + **IsolateClientAddr**;; + Don't share a circuits with streams from a different + client address. (On by default and strongly recommended; + you can disable it with **NoIsolateClientAddr**.) + **IsolateSOCKSAuth**;; + Don't share a circuits with streams for which different + SOCKS authentication was provided. (On by default; + you can disable it with **NoIsolateSOCKSAuth**.) + [NOT YET IMPLEMENTED.] + **IsolateClientProtocol**;; + Don't share circuits with streams using a different protocol. + (SOCKS 4, SOCKS 5, TransPort connections, NATDPort connections, + and DNSPort requests are all considered to be different protocols.) + **IsolateDestPort**;; + Don't share a circuits with streams targetting a different + destination port. + **IsolateDestAddr**;; + Don't share a circuits with streams targetting a different + destination address. + **SessionGroup=**__INT__;; + If no other isolation rules would prevent it, allow streams + on this port to share circuits with streams from every other + port with the same session group. (By default, streams received + on different ports are always isolated from one another.) + +**SOCKSListenAddress** __IP__[:__PORT__]:: Bind to this address to listen for connections from Socks-speaking applications. (Default: 127.0.0.1) You can also specify a port (e.g. 192.168.0.1:9100). This directive can be specified multiple times to bind - to multiple addresses/ports. + to multiple addresses/ports. (DEPRECATED: As of 0.2.3.x-alpha, you can + now use multiple SOCKSPort entries, and provide addresses for SOCKSPort + entries, so SOCKSListenAddress no longer has a purpose. For backward + compatibility, SOCKSListenAddress is only allowed when SOCKSPort is just + a port number.) **SocksPolicy** __policy__,__policy__,__...__:: Set an entrance policy for this server, to limit who can connect to the @@ -795,28 +828,44 @@ The following options are useful only for clients (that is, if operating as a relay, and it will never use the public key step if it doesn't yet know the onion key of the first hop. (Default: 1) -**TransPort** __PORT__|**auto**:: - If non-zero, enables transparent proxy support on __PORT__ (by convention, - 9040). Requires OS support for transparent proxies, such as BSDs' pf or +**TransPort** \['address':]__port__|**auto** [_isolation flags_]:: + Open this port to listen for transparent proxy connections. Set this to + 0 if you don't want to allow transparent proxy connections. Set the port + to "auto" to have Tor pick a port for you. This directive can be + specified multiple times to bind to multiple addresses/ports. See + SOCKSPort for an explanation of isolation flags. + + + + TransPort requires OS support for transparent proxies, such as BSDs' pf or Linux's IPTables. If you're planning to use Tor as a transparent proxy for a network, you'll want to examine and change VirtualAddrNetwork from the default setting. You'll also want to set the TransListenAddress option for - the network you'd like to proxy. Set it to "auto" to have Tor pick a - port for you. (Default: 0). + the network you'd like to proxy. (Default: 0). **TransListenAddress** __IP__[:__PORT__]:: Bind to this address to listen for transparent proxy connections. (Default: 127.0.0.1). This is useful for exporting a transparent proxy server to an - entire network. - -**NATDPort** __PORT__|**auto**:: - Allow old versions of ipfw (as included in old versions of FreeBSD, etc.) - to send connections through Tor using the NATD protocol. This option is - only for people who cannot use TransPort. Set it to "auto" to have Tor - pick a port for you. (Default: 0) + entire network. (DEPRECATED: As of 0.2.3.x-alpha, you can + now use multiple TransPort entries, and provide addresses for TransPort + entries, so TransListenAddress no longer has a purpose. For backward + compatibility, TransListenAddress is only allowed when TransPort is just + a port number.) + +**NATDPort** \['address':]__port__|**auto** [_isolation flags_]:: + Open this port to listen for connections from old versions of ipfw (as + included in old versions of FreeBSD, etc) using the NATD protocol. + Use 0 if you don't want to allow NATD connections. Set the port + to "auto" to have Tor pick a port for you. This directive can be + specified multiple times to bind to multiple addresses/ports. See + SOCKSPort for an explanation of isolation flags. + + + + This option is only for people who cannot use TransPort. (Default: 0) **NATDListenAddress** __IP__[:__PORT__]:: - Bind to this address to listen for NATD connections. (Default: 127.0.0.1). + Bind to this address to listen for NATD connections. (DEPRECATED: As of + 0.2.3.x-alpha, you can now use multiple NATDPort entries, and provide + addresses for NATDPort entries, so NATDListenAddress no longer has a + purpose. For backward compatibility, NATDListenAddress is only allowed + when NATDPort is just a port number.) **AutomapHostsOnResolve** **0**|**1**:: When this option is enabled, and we get a request to resolve an address @@ -829,13 +878,19 @@ The following options are useful only for clients (that is, if A comma-separated list of suffixes to use with **AutomapHostsOnResolve**. The "." suffix is equivalent to "all addresses." (Default: .exit,.onion). -**DNSPort** __PORT__|**auto**:: - If non-zero, Tor listens for UDP DNS requests on this port and resolves - them anonymously. Set it to "auto" to have Tor pick a port for - you. (Default: 0). +**DNSPort** \['address':]__port__|**auto** [_isolation flags_]:: + If non-zero, open this port to listen for UDP DNS requests, and resolve + them anonymously. Set the port to "auto" to have Tor pick a port for + you. This directive can be specified multiple times to bind to multiple + addresses/ports. See SOCKSPort for an explanation of isolation + flags. (Default: 0). **DNSListenAddress** __IP__[:__PORT__]:: - Bind to this address to listen for DNS connections. (Default: 127.0.0.1). + Bind to this address to listen for DNS connections. (DEPRECATED: As of + 0.2.3.x-alpha, you can now use multiple DNSPort entries, and provide + addresses for DNSPort entries, so DNSListenAddress no longer has a + purpose. For backward compatibility, DNSListenAddress is only allowed + when DNSPort is just a port number.) **ClientDNSRejectInternalAddresses** **0**|**1**:: If true, Tor does not believe any anonymously retrieved DNS answer that

1 0

[tor/master] Use socks username/password information in stream isolation
by nickm＠torproject.org 20 Jul '11

20 Jul '11

commit 12dfb4f5d8cfb0f244b4a1ae3cc3af237a3034e7 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jul 19 02:36:59 2011 -0400 Use socks username/password information in stream isolation --- doc/tor.1.txt | 1 - src/or/circuitlist.c | 2 ++ src/or/connection.c | 2 +- src/or/connection_edge.c | 23 +++++++++++++---------- src/or/or.h | 7 ++++--- 5 files changed, 20 insertions(+), 15 deletions(-) diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 8241eeb..821098b 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -700,7 +700,6 @@ The following options are useful only for clients (that is, if Don't share a circuits with streams for which different SOCKS authentication was provided. (On by default; you can disable it with **NoIsolateSOCKSAuth**.) - [NOT YET IMPLEMENTED.] **IsolateClientProtocol**;; Don't share circuits with streams using a different protocol. (SOCKS 4, SOCKS 5, TransPort connections, NATDPort connections, diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c index 6f17697..28a7181 100644 --- a/src/or/circuitlist.c +++ b/src/or/circuitlist.c @@ -566,6 +566,8 @@ circuit_free(circuit_t *circ) rend_data_free(ocirc->rend_data); tor_free(ocirc->dest_address); + tor_free(ocirc->socks_username); + tor_free(ocirc->socks_password); } else { or_circuit_t *ocirc = TO_OR_CIRCUIT(circ); /* Remember cell statistics for this circuit before deallocating. */ diff --git a/src/or/connection.c b/src/or/connection.c index 0fae11e..59a7b80 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -1809,7 +1809,7 @@ retry_listener_ports(smartlist_t *old_conns, SMARTLIST_FOREACH_BEGIN(launch, const port_cfg_t *, port) { struct sockaddr *listensockaddr; socklen_t listensocklen = 0; - char *address; + char *address=NULL; connection_t *conn; if (port->is_unix_addr) { diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 42f74b7..63779f2 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -3305,12 +3305,10 @@ connection_edge_streams_are_compatible(const edge_connection_t *a, if ((iso & ISO_DESTADDR) && strcasecmp(a->original_dest_address, b->original_dest_address)) return 0; - /* XXXX023 Waititing for ticket #1666 */ - /* if ((iso & ISO_SOCKSAUTH) && - strcasecmp(a->socks_request->auth, b->socks_request->auth)) + (strcmp_opt(a->socks_request->username, b->socks_request->username) || + strcmp_opt(a->socks_request->password, b->socks_request->password))) return 0; - */ if ((iso & ISO_CLIENTPROTO) && (TO_CONN(a)->type != TO_CONN(b)->type || a->socks_request->socks_version != b->socks_request->socks_version)) @@ -3369,12 +3367,10 @@ connection_edge_compatible_with_circuit(const edge_connection_t *conn, if ((iso & ISO_DESTADDR) && strcasecmp(conn->original_dest_address, circ->dest_address)) return 0; - /* XXXX023 Waititing for ticket #1666 */ - /* if ((iso & ISO_SOCKSAUTH) && - strcasecmp(a->socks_request->auth, b->socks_request->auth)) + (strcmp_opt(conn->socks_request->username, circ->socks_username) || + strcmp_opt(conn->socks_request->password, circ->socks_password))) return 0; - */ if ((iso & ISO_CLIENTPROTO) && (TO_CONN(conn)->type != circ->client_proto_type || conn->socks_request->socks_version != circ->client_proto_socksver)) @@ -3420,7 +3416,10 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn, tor_addr_copy(&circ->client_addr, &TO_CONN(conn)->addr); circ->session_group = conn->session_group; circ->nym_epoch = conn->nym_epoch; - /* XXXX023 auth too, once #1666 is in. */ + circ->socks_username = conn->socks_request->username ? + tor_strdup(conn->socks_request->username) : NULL; + circ->socks_password = conn->socks_request->password ? + tor_strdup(conn->socks_request->password) : NULL; circ->isolation_values_set = 1; return 0; @@ -3430,7 +3429,9 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn, mixed |= ISO_DESTPORT; if (strcasecmp(conn->original_dest_address, circ->dest_address)) mixed |= ISO_DESTADDR; - /* XXXX023 auth too, once #1666 is in. */ + if (strcmp_opt(conn->socks_request->username, circ->socks_username) || + strcmp_opt(conn->socks_request->password, circ->socks_password)) + mixed |= ISO_SOCKSAUTH; if ((TO_CONN(conn)->type != circ->client_proto_type || conn->socks_request->socks_version != circ->client_proto_socksver)) mixed |= ISO_CLIENTPROTO; @@ -3486,5 +3487,7 @@ circuit_clear_isolation(origin_circuit_t *circ) tor_free(circ->dest_address); circ->session_group = -1; circ->nym_epoch = 0; + tor_free(circ->socks_username); + tor_free(circ->socks_password); } diff --git a/src/or/or.h b/src/or/or.h index 835f279..47cee35 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1218,8 +1218,8 @@ typedef struct edge_connection_t { char *original_dest_address; /* Other fields to isolate on already exist. The ClientAddr is addr. The ClientProtocol is a combination of type and socks_request-> - socks_version. SocksAuth will be added to socks_request by ticket - #1666. DestAddr is in socks_request->address. */ + socks_version. SocksAuth is socks_request->username/password. + DestAddr is in socks_request->address. */ /** Number of times we've reassigned this application connection to * a new circuit. We keep track because the timeout is longer if we've @@ -2501,7 +2501,8 @@ typedef struct origin_circuit_t { char *dest_address; int session_group; unsigned nym_epoch; - /* XXXX023 do auth once #1666 is merged */ + char *socks_username; + char *socks_password; /**@}*/ } origin_circuit_t;

1 0

[tor/master] Take a smarter approach to clearing isolation info
by nickm＠torproject.org 20 Jul '11

20 Jul '11

commit e8b9815711e7cd1ef0b83153aefcc0d05e817f4e Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jul 19 13:51:43 2011 -0400 Take a smarter approach to clearing isolation info Back when I added this logic in 20c0581a79, the rule was that whenever a circuit finished building, we cleared its isolation info. I did that so that we would still use the circuit even if all the streams that had previously led us to tentatively set its isolation info had closed. But there were problems with that approach: We could pretty easily get into a case where S1 had led us to launch C1 and S2 had led us to launch C2, but when C1 finished, we cleared its isolation and attached S2 first. Since C2 was still marked in a way that made S1 unattachable to it, we'd then launch another circuit needlessly. So instead, we try the following approach now: when a circuit is done building, we try to attach streams to it. If it remains unused after we try attaching streams, then we clear its isolation info, and try again to attach streams. Thanks to Sebastian for helping me figure this out. --- src/or/circuitlist.c | 18 ++---------------- src/or/circuituse.c | 16 ++++++++++++++++ src/or/connection_edge.c | 6 +++--- 3 files changed, 21 insertions(+), 19 deletions(-) diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c index 28a7181..0fefe98 100644 --- a/src/or/circuitlist.c +++ b/src/or/circuitlist.c @@ -210,23 +210,9 @@ circuit_set_state(circuit_t *circ, uint8_t state) /* add to waiting-circuit list. */ smartlist_add(circuits_pending_or_conns, circ); } - - circ->state = state; - - if (state == CIRCUIT_STATE_OPEN) { + if (state == CIRCUIT_STATE_OPEN) tor_assert(!circ->n_conn_onionskin); - if (CIRCUIT_IS_ORIGIN(circ)) { - origin_circuit_t *origin_circ = TO_ORIGIN_CIRCUIT(circ); - if (origin_circ->isolation_values_set && - !origin_circ->isolation_any_streams_attached) { - /* If we have any isolation information set on this circuit, - * but we never attached any streams to it, then all of the - * isolation information was hypothetical. Clear it. - */ - circuit_clear_isolation(origin_circ); - } - } - } + circ->state = state; } /** Add circ to the global list of circuits. This is called only from diff --git a/src/or/circuituse.c b/src/or/circuituse.c index dcb6bfa..b486044 100644 --- a/src/or/circuituse.c +++ b/src/or/circuituse.c @@ -998,6 +998,7 @@ circuit_testing_failed(origin_circuit_t *circ, int at_last_hop) void circuit_has_opened(origin_circuit_t *circ) { + int can_try_clearing_isolation = 0, tried_clearing_isolation = 0; control_event_circuit_status(circ, CIRC_EVENT_BUILT, 0); /* Remember that this circuit has finished building. Now if we start @@ -1005,9 +1006,12 @@ circuit_has_opened(origin_circuit_t *circ) * to consider its build time. */ circ->has_opened = 1; + again: + switch (TO_CIRCUIT(circ)->purpose) { case CIRCUIT_PURPOSE_C_ESTABLISH_REND: rend_client_rendcirc_has_opened(circ); + can_try_clearing_isolation = 1; connection_ap_attach_pending(); break; case CIRCUIT_PURPOSE_C_INTRODUCING: @@ -1016,6 +1020,7 @@ circuit_has_opened(origin_circuit_t *circ) case CIRCUIT_PURPOSE_C_GENERAL: /* Tell any AP connections that have been waiting for a new * circuit that one is ready. */ + can_try_clearing_isolation = 1; connection_ap_attach_pending(); break; case CIRCUIT_PURPOSE_S_ESTABLISH_INTRO: @@ -1033,6 +1038,17 @@ circuit_has_opened(origin_circuit_t *circ) * This won't happen in normal operation, but might happen if the * controller did it. Just let it slide. */ } + + if (can_try_clearing_isolation && !tried_clearing_isolation && + circ->isolation_values_set && + !circ->isolation_any_streams_attached) { + /* If we have any isolation information set on this circuit, and + * we didn't manage to attach any streams to it, then we can + * and should clear it and try again. */ + circuit_clear_isolation(circ); + tried_clearing_isolation = 1; + goto again; + } } /** Called whenever a circuit could not be successfully built. diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 63779f2..4bbb080 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -3461,9 +3461,9 @@ connection_edge_update_circuit_isolation(const edge_connection_t *conn, * it, and whose isolation settings are hypothetical. (We set hypothetical * isolation settings on circuits as we're launching them, so that we * know whether they can handle more streams or whether we need to launch - * even more circuits. We clear the flags once the circuits are open, - * in case the streams that made us launch the circuits have closed - * since we began launching the circuits.) + * even more circuits. Once the circuit is open, if it turns out that + * we no longer have any streams to attach to it, we clear the isolation flags + * and data so that other streams can have a chance.) */ void circuit_clear_isolation(origin_circuit_t *circ)

1 0

[tor/master] Merge remote-tracking branch 'public/prop171_v2'
by nickm＠torproject.org 20 Jul '11

20 Jul '11

commit 195bcb6150eeaebab31a44998e2c567d78f9b936 Merge: 553ae5d 1017322 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jul 19 20:43:28 2011 -0400 Merge remote-tracking branch 'public/prop171_v2' changes/prop171 | 22 ++ doc/tor.1.txt | 104 +++++++--- src/common/util.c | 43 ++++ src/common/util.h | 2 + src/or/circuitlist.c | 4 + src/or/circuituse.c | 147 ++++++++++++-- src/or/config.c | 451 +++++++++++++++++++++++++++++++++++------ src/or/config.h | 2 + src/or/connection.c | 503 ++++++++++++++++++++++++---------------------- src/or/connection.h | 1 + src/or/connection_edge.c | 229 +++++++++++++++++++++- src/or/connection_edge.h | 13 +- src/or/directory.c | 8 +- src/or/dnsserv.c | 29 ++- src/or/main.c | 13 +- src/or/main.h | 1 + src/or/or.h | 161 ++++++++++++++- src/or/router.c | 8 +- 18 files changed, 1358 insertions(+), 383 deletions(-)

1 0

[tor/master] Fix a compile warning in config.c reported by sebastian
by nickm＠torproject.org 20 Jul '11

20 Jul '11

commit 1017322b59c5c722b1db4e2f040db5cceb41dea9 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jul 19 14:04:55 2011 -0400 Fix a compile warning in config.c reported by sebastian --- src/or/config.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/or/config.c b/src/or/config.c index cc1561b..efee014 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -5057,8 +5057,8 @@ parse_client_port_config(smartlist_t *out, if (elt_sl_idx == 0) continue; /* Skip addr:port */ if (!strcasecmpstart(elt, "SessionGroup=")) { - int group = tor_parse_long(elt+strlen("SessionGroup="), - 10, 0, INT_MAX, &ok, NULL); + int group = (int)tor_parse_long(elt+strlen("SessionGroup="), + 10, 0, INT_MAX, &ok, NULL); if (!ok) { log_warn(LD_CONFIG, "Invalid %sPort option '%s'", portname, escaped(elt));

1 0