February 2021 - tor-commits - lists.torproject.org

[tor/maint-0.4.4] Merge branch 'maint-0.4.3' into maint-0.4.4
by dgoulet＠torproject.org 03 Feb '21

03 Feb '21

commit eda81ea27ee72682d5533ee072cdf1061becfdc9 Merge: 903bfc4eca cc5d5a5d1e Author: David Goulet <dgoulet(a)torproject.org> Date: Wed Feb 3 08:56:38 2021 -0500 Merge branch 'maint-0.4.3' into maint-0.4.4 src/core/or/connection_edge.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

1 0

[tor/maint-0.4.4] Merge branch 'maint-0.3.5' into maint-0.4.3
by dgoulet＠torproject.org 03 Feb '21

03 Feb '21

commit 890a9e89bab8378a511470787253a4aee14fafd0 Merge: cc5d5a5d1e f322ea3fa8 Author: David Goulet <dgoulet(a)torproject.org> Date: Wed Feb 3 09:11:14 2021 -0500 Merge branch 'maint-0.3.5' into maint-0.4.3 src/core/or/address_set.c | 75 ----------------------------------------------- src/core/or/address_set.h | 15 ---------- 2 files changed, 90 deletions(-) diff --cc src/core/or/address_set.c index fcddc55e9f,7ada4446c4..9bd3cc0f2d --- a/src/core/or/address_set.c +++ b/src/core/or/address_set.c @@@ -15,9 -15,8 +15,8 @@@ #include "lib/net/address.h" #include "lib/container/bloomfilt.h" #include "lib/crypt_ops/crypto_rand.h" - #include "siphash.h" -/* Wrap our hash function to have the signature that the bloom filter +/** Wrap our hash function to have the signature that the bloom filter * needs. */ static uint64_t bloomfilt_addr_hash(const struct sipkey *key,

1 0

[tor/maint-0.4.4] Merge branch 'ticket40270_035_01' into maint-0.3.5
by dgoulet＠torproject.org 03 Feb '21

03 Feb '21

commit a3cef41fc375b3a004eca3d090be0ebe9801cdb0 Merge: c2cee6c780 59f1a41a7f Author: David Goulet <dgoulet(a)torproject.org> Date: Wed Feb 3 08:56:30 2021 -0500 Merge branch 'ticket40270_035_01' into maint-0.3.5 src/core/or/connection_edge.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

1 0

[tor/maint-0.4.4] Merge branch 'ticket40269_035_01' into maint-0.3.5
by dgoulet＠torproject.org 03 Feb '21

03 Feb '21

commit f322ea3fa8e86b9f284ed6df030c9744d731300e Merge: a3cef41fc3 6f95cdf87e Author: David Goulet <dgoulet(a)torproject.org> Date: Wed Feb 3 09:11:09 2021 -0500 Merge branch 'ticket40269_035_01' into maint-0.3.5 src/core/or/address_set.c | 75 ----------------------------------------------- src/core/or/address_set.h | 15 ---------- 2 files changed, 90 deletions(-)

1 0

[tor/maint-0.4.5] test: Add test for exits blocking reentry to the network
by dgoulet＠torproject.org 03 Feb '21

03 Feb '21

commit 9eba65bd8b688497de139b57ac72e5b8a40bb728 Author: George Kadianakis <desnacked(a)riseup.net> Date: Fri Jan 29 18:21:30 2021 +0200 test: Add test for exits blocking reentry to the network Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/feature/nodelist/dirlist.c | 4 +- src/feature/nodelist/dirlist.h | 2 +- src/test/test_address_set.c | 87 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 90 insertions(+), 3 deletions(-) diff --git a/src/feature/nodelist/dirlist.c b/src/feature/nodelist/dirlist.c index 25f769dd5a..b4abffad67 100644 --- a/src/feature/nodelist/dirlist.c +++ b/src/feature/nodelist/dirlist.c @@ -71,8 +71,8 @@ add_trusted_dir_to_nodelist_addr_set(const dir_server_t *dir) /** Go over the trusted directory server list and add their address(es) to the * nodelist address set. This is called every time a new consensus is set. */ -void -dirlist_add_trusted_dir_addresses(void) +MOCK_IMPL(void, +dirlist_add_trusted_dir_addresses, (void)) { if (!trusted_dir_servers) { return; diff --git a/src/feature/nodelist/dirlist.h b/src/feature/nodelist/dirlist.h index 9354769bcf..527af35427 100644 --- a/src/feature/nodelist/dirlist.h +++ b/src/feature/nodelist/dirlist.h @@ -44,6 +44,6 @@ void dir_server_add(dir_server_t *ent); void clear_dir_servers(void); void dirlist_free_all(void); -void dirlist_add_trusted_dir_addresses(void); +MOCK_DECL(void, dirlist_add_trusted_dir_addresses, (void)); #endif diff --git a/src/test/test_address_set.c b/src/test/test_address_set.c index fb8408b3c3..6d9fab67ab 100644 --- a/src/test/test_address_set.c +++ b/src/test/test_address_set.c @@ -4,6 +4,7 @@ #include "core/or/or.h" #include "lib/crypt_ops/crypto_rand.h" #include "core/or/address_set.h" +#include "feature/nodelist/dirlist.h" #include "feature/nodelist/microdesc.h" #include "feature/nodelist/networkstatus.h" #include "feature/nodelist/nodelist.h" @@ -31,6 +32,12 @@ mock_networkstatus_get_latest_consensus_by_flavor(consensus_flavor_t f) return dummy_ns; } +static void +mock_dirlist_add_trusted_dir_addresses(void) +{ + return; +} + /* Number of address a single node_t can have. Default to the production * value. This is to control the size of the bloom filter. */ static int addr_per_node = 2; @@ -169,11 +176,91 @@ test_nodelist(void *arg) UNMOCK(get_estimated_address_per_node); } +/** Test that the no-reentry exit filter works as intended */ +static void +test_exit_no_reentry(void *arg) +{ + routerstatus_t *rs = NULL; microdesc_t *md = NULL; routerinfo_t *ri = NULL; + (void) arg; + + MOCK(networkstatus_get_latest_consensus, + mock_networkstatus_get_latest_consensus); + MOCK(networkstatus_get_latest_consensus_by_flavor, + mock_networkstatus_get_latest_consensus_by_flavor); + MOCK(get_estimated_address_per_node, + mock_get_estimated_address_per_node); + MOCK(dirlist_add_trusted_dir_addresses, + mock_dirlist_add_trusted_dir_addresses); + + dummy_ns = tor_malloc_zero(sizeof(*dummy_ns)); + dummy_ns->flavor = FLAV_MICRODESC; + dummy_ns->routerstatus_list = smartlist_new(); + + tor_addr_t addr_v4, addr_v6, dummy_addr; + tor_addr_parse(&addr_v4, "42.42.42.42"); + tor_addr_parse(&addr_v6, "1:2:3:4::"); + memset(&dummy_addr, 'A', sizeof(dummy_addr)); + + /* This will make the nodelist bloom filter very large + * (the_nodelist->node_addrs) so we will fail the contain test rarely. */ + addr_per_node = 1024; + + /* After this point the nodelist is populated with the directory authorities + * address and ports */ + nodelist_set_consensus(dummy_ns); + + /* The address set is empty. Try it anyway */ + tt_assert(!nodelist_reentry_probably_contains(&addr_v4, 244)); + tt_assert(!nodelist_reentry_probably_contains(&addr_v6, 244)); + + /* Now let's populate the network */ + md = tor_malloc_zero(sizeof(*md)); + ri = tor_malloc_zero(sizeof(*ri)); + rs = tor_malloc_zero(sizeof(*rs)); + crypto_rand(rs->identity_digest, sizeof(rs->identity_digest)); + crypto_rand(md->digest, sizeof(md->digest)); + memcpy(rs->descriptor_digest, md->digest, DIGEST256_LEN); + + /* Setup the rs, ri and md addresses. */ + rs->addr = tor_addr_to_ipv4h(&addr_v4); + rs->or_port = 444; + tor_addr_parse(&rs->ipv6_addr, "1:2:3:4::"); + rs->ipv6_orport = 666; + ri->addr = tor_addr_to_ipv4h(&addr_v4); + tor_addr_parse(&ri->ipv6_addr, "1:2:3:4::"); + tor_addr_parse(&md->ipv6_addr, "1:2:3:4::"); + + /* Add the rs to the consensus becoming a node_t. */ + smartlist_add(dummy_ns->routerstatus_list, rs); + nodelist_set_consensus(dummy_ns); + + /* Now that the nodelist is populated let's do some retry attempts */ + + /* First let's try an address that is on the no-reentry list, but with a + different port */ + tt_assert(!nodelist_reentry_probably_contains(&addr_v4, 666)); + tt_assert(!nodelist_reentry_probably_contains(&addr_v6, 444)); + + /* OK now let's try with the right address and right port */ + tt_assert(nodelist_reentry_probably_contains(&addr_v4, 444)); + tt_assert(nodelist_reentry_probably_contains(&addr_v6, 666)); + + done: + routerstatus_free(rs); routerinfo_free(ri); microdesc_free(md); + smartlist_clear(dummy_ns->routerstatus_list); + networkstatus_vote_free(dummy_ns); + UNMOCK(networkstatus_get_latest_consensus); + UNMOCK(networkstatus_get_latest_consensus_by_flavor); + UNMOCK(get_estimated_address_per_node); + UNMOCK(dirlist_add_trusted_dir_addresses); +} + struct testcase_t address_set_tests[] = { { "contains", test_contains, TT_FORK, NULL, NULL }, { "nodelist", test_nodelist, TT_FORK, NULL, NULL }, + { "exit_no_reentry", test_exit_no_reentry, TT_FORK, NULL, NULL }, END_OF_TESTCASES };

1 0

[tor/maint-0.4.5] relay: Send back CONNECTION_REFUSED on reentry
by dgoulet＠torproject.org 03 Feb '21

03 Feb '21

commit 59f1a41a7fdc03f5008e859e7e56e9c159b8a8d9 Author: David Goulet <dgoulet(a)torproject.org> Date: Mon Feb 1 12:45:32 2021 -0500 relay: Send back CONNECTION_REFUSED on reentry The TORPROTOCOL reason causes the client to close the circuit which is not what we want because other valid streams might be on it. Instead, CONNECTION_REFUSED will leave it open but will not allow more streams to be attached to it. The client then open a new circuit to the destination. Closes #40270 Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/core/or/connection_edge.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c index b40fa3e567..895e73ac1b 100644 --- a/src/core/or/connection_edge.c +++ b/src/core/or/connection_edge.c @@ -4066,7 +4066,7 @@ connection_exit_connect(edge_connection_t *edge_conn) log_info(LD_EXIT, "%s:%d tried to connect back to a known relay address. " "Closing.", escaped_safe_str_client(conn->address), conn->port); - connection_edge_end(edge_conn, END_STREAM_REASON_TORPROTOCOL); + connection_edge_end(edge_conn, END_STREAM_REASON_CONNECTREFUSED); circuit_detach_stream(circuit_get_by_edge_conn(edge_conn), edge_conn); connection_free(conn); return;

1 0

[tor/maint-0.4.5] relay: Follow consensus parameter for network reentry
by dgoulet＠torproject.org 03 Feb '21

03 Feb '21

commit ce3af5dd5948cd9c24fc5b5f70814b38cbca46a9 Author: David Goulet <dgoulet(a)torproject.org> Date: Mon Feb 1 08:56:27 2021 -0500 relay: Follow consensus parameter for network reentry Obey the "allow-network-reentry" consensus parameters in order to decide to allow it or not at the Exit. Closes #40268 Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/core/or/connection_edge.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c index f9a9bbdb73..b40fa3e567 100644 --- a/src/core/or/connection_edge.c +++ b/src/core/or/connection_edge.c @@ -4003,6 +4003,15 @@ my_exit_policy_rejects(const tor_addr_t *addr, return 0; } +/** Return true iff the consensus allows network reentry. The default value is + * false if the parameter is not found. */ +static bool +network_reentry_is_allowed(void) +{ + /* Default is false, re-entry is not allowed. */ + return !!networkstatus_get_param(NULL, "allow-network-reentry", 0, 0, 1); +} + /** Connect to conn's specified addr and port. If it worked, conn * has now been added to the connection_array. * @@ -4040,6 +4049,8 @@ connection_exit_connect(edge_connection_t *edge_conn) * infinite-length circuits (see "A Practical Congestion Attack on Tor Using * Long Paths", Usenix Security 2009). See also ticket 2667. * + * Skip this if the network reentry is allowed (known from the consensus). + * * The TORPROTOCOL reason is used instead of EXITPOLICY so client do NOT * attempt to retry connecting onto another circuit that will also fail * bringing considerable more load on the network if so. @@ -4050,6 +4061,7 @@ connection_exit_connect(edge_connection_t *edge_conn) * reason that makes the client retry results in much worst consequences in * case of an attack so this is a small price to pay. */ if (!connection_edge_is_rendezvous_stream(edge_conn) && + !network_reentry_is_allowed() && nodelist_reentry_probably_contains(&conn->addr, conn->port)) { log_info(LD_EXIT, "%s:%d tried to connect back to a known relay address. " "Closing.", escaped_safe_str_client(conn->address),

1 0

[tor/maint-0.4.5] exit: Deny re-entry into the network
by dgoulet＠torproject.org 03 Feb '21

03 Feb '21

commit 93ac6ec4d3d19aaff7fed2ea97b0a30528da3767 Author: Roger Dingledine <arma(a)torproject.org> Date: Wed Jan 27 23:48:57 2021 -0500 exit: Deny re-entry into the network Exit relays now reject exit attempts to known relay addresses + ORPort and also to authorities on the ORPort and DirPort. Closes #2667 Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- changes/ticket2667 | 4 ++++ src/core/or/connection_edge.c | 25 +++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/changes/ticket2667 b/changes/ticket2667 new file mode 100644 index 0000000000..cc42286ef9 --- /dev/null +++ b/changes/ticket2667 @@ -0,0 +1,4 @@ + o Major feature (exit): + - Re-entry into the network is now denied at the Exit level to all relays' + ORPort and authorities' ORPort+DirPort. This is to help mitigate a series + of attacks. See ticket for more information. Closes ticket 2667. diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c index 67a772be08..f9a9bbdb73 100644 --- a/src/core/or/connection_edge.c +++ b/src/core/or/connection_edge.c @@ -4035,6 +4035,31 @@ connection_exit_connect(edge_connection_t *edge_conn) return; } + /* Next, check for attempts to connect back into the Tor network. We don't + * want to allow these for the same reason we don't want to allow + * infinite-length circuits (see "A Practical Congestion Attack on Tor Using + * Long Paths", Usenix Security 2009). See also ticket 2667. + * + * The TORPROTOCOL reason is used instead of EXITPOLICY so client do NOT + * attempt to retry connecting onto another circuit that will also fail + * bringing considerable more load on the network if so. + * + * Since the address+port set here is a bloomfilter, in very rare cases, the + * check will create a false positive meaning that the destination could + * actually be legit and thus being denied exit. However, sending back a + * reason that makes the client retry results in much worst consequences in + * case of an attack so this is a small price to pay. */ + if (!connection_edge_is_rendezvous_stream(edge_conn) && + nodelist_reentry_probably_contains(&conn->addr, conn->port)) { + log_info(LD_EXIT, "%s:%d tried to connect back to a known relay address. " + "Closing.", escaped_safe_str_client(conn->address), + conn->port); + connection_edge_end(edge_conn, END_STREAM_REASON_TORPROTOCOL); + circuit_detach_stream(circuit_get_by_edge_conn(edge_conn), edge_conn); + connection_free(conn); + return; + } + #ifdef HAVE_SYS_UN_H if (conn->socket_family != AF_UNIX) { #else

1 0

[tor/maint-0.4.5] Merge branch 'tor-gitlab/mr/285' into ticket2667_044_01
by dgoulet＠torproject.org 03 Feb '21

03 Feb '21

commit b2434d30d2c1071f01d9331752fc7d357169332f Merge: ea38016202 705fd37875 Author: David Goulet <dgoulet(a)torproject.org> Date: Fri Jan 29 14:54:21 2021 -0500 Merge branch 'tor-gitlab/mr/285' into ticket2667_044_01 changes/ticket2667 | 4 ++ src/core/or/address_set.c | 74 +++++++++++++++++++++++++++++++++++ src/core/or/address_set.h | 18 ++++++++- src/core/or/connection_edge.c | 25 ++++++++++++ src/feature/nodelist/dirlist.c | 11 ++++-- src/feature/nodelist/nodelist.c | 87 +++++++++++++++++++++++++++++------------ src/feature/nodelist/nodelist.h | 6 ++- src/test/test_address_set.c | 80 +++++++++++++++++++++++++++++++++++++ 8 files changed, 274 insertions(+), 31 deletions(-)

1 0

[tor/maint-0.4.5] Merge branch 'maint-0.3.5' into maint-0.4.3
by dgoulet＠torproject.org 03 Feb '21

03 Feb '21

commit 0f8195406e0a2a97a3167d4bb40484f4bd091289 Merge: 705fd37875 98590621bb Author: David Goulet <dgoulet(a)torproject.org> Date: Wed Feb 3 08:51:36 2021 -0500 Merge branch 'maint-0.3.5' into maint-0.4.3 src/core/or/connection_edge.c | 12 ++++++++++++ src/feature/nodelist/nodelist.c | 8 ++++++-- 2 files changed, 18 insertions(+), 2 deletions(-)

1 0