[tor-bugs] #13155 [Tor]: I can use an extend cell to remotely determine whether two relays have a connection open
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Sep 13 23:29:45 UTC 2014
#13155: I can use an extend cell to remotely determine whether two relays have a
connection open
--------------------+------------------------------
Reporter: arma | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.???
Component: Tor | Version:
Keywords: | Actual Points:
Parent ID: | Points:
--------------------+------------------------------
Send an extend cell to relay A, listing the address and identity key of
relay B but the wrong port.
Relay A calls {{{circuit_extend()}}} for the new cell, which calls
{{{channel_get_for_extend()}}}, which tries to figure out if there's a
canonical connection already established. To do that, it asks
{{{
if (!channel_is_canonical(chan) &&
channel_is_canonical_is_reliable(chan) &&
!channel_matches_target_addr_for_extend(chan, target_addr)) {
++n_noncanonical;
continue;
}
}}}
and {{{channel_matches_target_addr_for_extend()}}} turns into
{{{channel_tls_matches_target_method()}}} which basically is
{{{
return tor_addr_eq(&(tlschan->conn->real_addr), target);
}}}
It doesn't consider the port. So if there is a canonical channel open,
bingo we use it.
But if there isn't one open, then off we go to make one:
{{{
n_chan = channel_connect_for_circuit(&ec.orport_ipv4.addr,
ec.orport_ipv4.port,
(const char*)ec.node_id);
}}}
where {{{ec.orport_ipv4.port}}} was set from {{{extend_cell_parse()}}},
i.e. it came from our extend cell. If we specify the wrong port, that
connect attempt will fail. Now we can distinguish, remotely, which
situation we're in.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13155>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list