[or-cvs] r24143: {arm} Utility for checking if destinations can be exited to or not (in arm/trunk/src: . util)

Damian Johnson atagar1 at gmail.com
Thu Jan 27 16:58:39 UTC 2011


Author: atagar
Date: 2011-01-27 16:58:39 +0000 (Thu, 27 Jan 2011)
New Revision: 24143

Modified:
   arm/trunk/src/test.py
   arm/trunk/src/util/torTools.py
Log:
Utility for checking if destinations can be exited to or not.



Modified: arm/trunk/src/test.py
===================================================================
--- arm/trunk/src/test.py	2011-01-27 08:00:17 UTC (rev 24142)
+++ arm/trunk/src/test.py	2011-01-27 16:58:39 UTC (rev 24143)
@@ -11,6 +11,7 @@
   1. Resolver Performance Test
   2. Resolver Dump
   3. Glyph Demo
+  4. Exit Policy Check
   q. Quit
 
 Selection: """
@@ -23,7 +24,7 @@
   userInput = raw_input(MENU)
   
   # initiate the TorCtl connection if the test needs it
-  if userInput in ("1", "2") and not conn:
+  if userInput in ("1", "2", "4") and not conn:
     conn = torTools.getConn()
     conn.init()
     
@@ -101,6 +102,42 @@
     # Switching to a curses context and back repeatedly seems to screw up the
     # terminal. Just to be safe this ends the process after the demo.
     break
+  elif userInput == "4":
+    # display the current exit policy and query if destinations are allowed by it
+    exitPolicy = conn.getExitPolicy()
+    print("Exit Policy: %s" % exitPolicy)
+    printDivider()
+    
+    while True:
+      # provide the selection options
+      userSelection = raw_input("\nCheck if destination is allowed (q to go back): ")
+      userSelection = userSelection.replace(" ", "").strip() # removes all whitespace
+      
+      isValidQuery, isExitAllowed = True, False
+      if userSelection == "q":
+        printDivider()
+        break
+      elif connections.isValidIpAddress(userSelection):
+        # just an ip address (use port 80)
+        isExitAllowed = exitPolicy.check(userSelection, 80)
+      elif userSelection.isdigit():
+        # just a port (use a common ip like 4.2.2.2)
+        isExitAllowed = exitPolicy.check("4.2.2.2", userSelection)
+      elif ":" in userSelection:
+        # ip/port combination
+        ipAddr, port = userSelection.split(":", 1)
+        
+        if connections.isValidIpAddress(ipAddr) and port.isdigit():
+          isExitAllowed = exitPolicy.check(ipAddr, port)
+        else: isValidQuery = False
+      else: isValidQuery = False # invalid input
+      
+      if isValidQuery:
+        resultStr = "is" if isExitAllowed else "is *not*"
+        print("Exiting %s allowed to that destination" % resultStr)
+      else:
+        print("'%s' isn't a valid destination (should be an ip, port, or ip:port)\n" % userSelection)
+    
   else:
     print("'%s' isn't a valid selection\n" % userInput)
 

Modified: arm/trunk/src/util/torTools.py
===================================================================
--- arm/trunk/src/util/torTools.py	2011-01-27 08:00:17 UTC (rev 24142)
+++ arm/trunk/src/util/torTools.py	2011-01-27 16:58:39 UTC (rev 24143)
@@ -81,6 +81,9 @@
 # provides int -> str mappings for torctl event runlevels
 TORCTL_RUNLEVELS = dict([(val, key) for (key, val) in TorUtil.loglevels.items()])
 
+# ip address ranges substituted by the 'private' keyword
+PRIVATE_IP_RANGES = ("0.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")
+
 # This prevents controllers from spawning worker threads (and by extension
 # notifying status listeners). This is important when shutting down to prevent
 # rogue threads from being alive during shutdown.
@@ -238,6 +241,9 @@
     self._statusTime = 0                # unix time-stamp for the duration of the status
     self.lastHeartbeat = 0              # time of the last tor event
     
+    self._exitPolicyChecker = None
+    self._exitPolicyLookupCache = {}    # mappings of ip/port tuples to if they were accepted by the policy or not
+    
     # Logs issues and notices when fetching the path prefix if true. This is
     # only done once for the duration of the application to avoid pointless
     # messages.
@@ -283,6 +289,9 @@
       self._fingerprintsAttachedCache = None
       self._nicknameLookupCache = {}
       
+      self._exitPolicyChecker = self.getExitPolicy()
+      self._exitPolicyLookupCache = {}
+      
       # sets the events listened for by the new controller (incompatible events
       # are dropped with a logged warning)
       self.setControllerEvents(self.controllerEvents)
@@ -471,9 +480,9 @@
     result = {} if fetchType == "map" else []
     
     if self.isAlive():
-      if (param, fetchType) in self._cachedConf:
+      if (param.lower(), fetchType) in self._cachedConf:
         isFromCache = True
-        result = self._cachedConf[(param, fetchType)]
+        result = self._cachedConf[(param.lower(), fetchType)]
       else:
         try:
           if fetchType == "str":
@@ -494,7 +503,7 @@
       cacheValue = result
       if fetchType == "list": cacheValue = list(result)
       elif fetchType == "map": cacheValue = dict(result)
-      self._cachedConf[(param, fetchType)] = cacheValue
+      self._cachedConf[(param.lower(), fetchType)] = cacheValue
     
     runtimeLabel = "cache fetch" if isFromCache else "runtime: %0.4f" % (time.time() - startTime)
     msg = "GETCONF %s (%s)" % (param, runtimeLabel)
@@ -528,10 +537,15 @@
         
         # flushing cached values (needed until we can detect SETCONF calls)
         for fetchType in ("str", "list", "map"):
-          entry = (param, fetchType)
+          entry = (param.lower(), fetchType)
           
           if entry in self._cachedConf:
             del self._cachedConf[entry]
+        
+        # special caches for the exit policy
+        if param.lower() == "exitpolicy":
+          self._exitPolicyChecker = self.getExitPolicy()
+          self._exitPolicyLookupCache = {}
       except (socket.error, TorCtl.ErrorReply, TorCtl.TorCtlClosed), exc:
         if type(exc) == TorCtl.TorCtlClosed: self.close()
         elif type(exc) == TorCtl.ErrorReply:
@@ -697,6 +711,67 @@
     
     return (self._status, self._statusTime)
   
+  def isExitingAllowed(self, ipAddress, port):
+    """
+    Checks if the given destination can be exited to by this relay, returning
+    True if so and False otherwise.
+    """
+    
+    self.connLock.acquire()
+    
+    result = False
+    if self.isAlive():
+      # query the policy if it isn't yet cached
+      if not (ipAddress, port) in self._exitPolicyLookupCache:
+        isAccepted = self._exitPolicyChecker.check(ipAddress, port)
+        self._exitPolicyLookupCache[(ipAddress, port)] = isAccepted
+      
+      result = self._exitPolicyLookupCache[(ipAddress, port)]
+    
+    self.connLock.release()
+    
+    return result
+  
+  def getExitPolicy(self):
+    """
+    Provides an ExitPolicy instance for the head of this relay's exit policy
+    chain. If there's no active connection then this provides None.
+    """
+    
+    self.connLock.acquire()
+    
+    result = None
+    if self.isAlive():
+      policyEntries = []
+      for exitPolicy in self.getOption("ExitPolicy", [], True):
+        policyEntries += [policy.strip() for policy in exitPolicy.split(",")]
+      
+      # appends the default exit policy
+      defaultExitPolicy = self.getInfo("exit-policy/default")
+      
+      if defaultExitPolicy:
+        policyEntries += defaultExitPolicy.split(",")
+      
+      # construct the policy chain backwards
+      policyEntries.reverse()
+      
+      for entry in policyEntries:
+        result = ExitPolicy(entry, result)
+      
+      # Checks if we are rejecting private connections. If set, this appends
+      # 'reject private' and 'reject <my ip>' to the start of our policy chain.
+      isPrivateRejected = self.getOption("ExitPolicyRejectPrivate", True)
+      
+      if isPrivateRejected:
+        result = ExitPolicy("reject private", result)
+        
+        myAddress = self.getInfo("address")
+        if myAddress: result = ExitPolicy("reject %s" % myAddress, result)
+    
+    self.connLock.release()
+    
+    return result
+  
   def getRelayFingerprint(self, relayAddress, relayPort = None):
     """
     Provides the fingerprint associated with the given address. If there's
@@ -1422,3 +1497,136 @@
     for callback in self.statusListeners:
       callback(self, eventType)
 
+class ExitPolicy:
+  """
+  Single rule from the user's exit policy. These are chained together to form
+  complete policies.
+  """
+  
+  def __init__(self, ruleEntry, nextRule):
+    """
+    Exit policy rule constructor.
+    
+    Arguments:
+      ruleEntry - tor exit policy rule (for instance, "reject *:135-139")
+      nextRule  - next rule to be checked when queries don't match this policy
+    """
+    
+    # sanitize the input a bit, cleaning up tabs and stripping quotes
+    ruleEntry = ruleEntry.replace("\\t", " ").replace("\"", "")
+    
+    self.ruleEntry = ruleEntry
+    self.nextRule = nextRule
+    self.isAccept = ruleEntry.startswith("accept")
+    
+    # strips off "accept " or "reject " and extra spaces
+    ruleEntry = ruleEntry[7:].replace(" ", "")
+    
+    # split ip address (with mask if provided) and port
+    if ":" in ruleEntry: entryIp, entryPort = ruleEntry.split(":", 1)
+    else: entryIp, entryPort = ruleEntry, "*"
+    
+    # sets the ip address component
+    self.isIpWildcard = entryIp == "*" or entryIp.endswith("/0")
+    
+    # checks for the private alias (which expands this to a chain of entries)
+    if entryIp.lower() == "private":
+      entryIp = PRIVATE_IP_RANGES[0]
+      
+      # constructs the chain backwards (last first)
+      lastHop = self.nextRule
+      prefix = "accept " if self.isAccept else "reject "
+      suffix = ":" + entryPort
+      for addr in PRIVATE_IP_RANGES[-1:0:-1]:
+        lastHop = ExitPolicy(prefix + addr + suffix, lastHop)
+      
+      self.nextRule = lastHop # our next hop is the start of the chain
+    
+    if "/" in entryIp:
+      ipComp = entryIp.split("/", 1)
+      self.ipAddress = ipComp[0]
+      self.ipMask = int(ipComp[1])
+    else:
+      self.ipAddress = entryIp
+      self.ipMask = 32
+    
+    # constructs the binary address just in case of comparison with a mask
+    if self.ipAddress != "*":
+      self.ipAddressBin = ""
+      for octet in self.ipAddress.split("."):
+        # bin converts the int to a binary string, then we pad with zeros
+        self.ipAddressBin += ("%8s" % bin(int(octet))[2:]).replace(" ", "0")
+    else:
+      self.ipAddressBin = "0" * 32
+    
+    # sets the port component
+    self.minPort, self.maxPort = 0, 0
+    self.isPortWildcard = entryPort == "*"
+    
+    if entryPort != "*":
+      if "-" in entryPort:
+        portComp = entryPort.split("-", 1)
+        self.minPort = int(portComp[0])
+        self.maxPort = int(portComp[1])
+      else:
+        self.minPort = int(entryPort)
+        self.maxPort = int(entryPort)
+    
+    # if both the address and port are wildcards then we're effectively the
+    # last entry so cut off the remaining chain
+    if self.isIpWildcard and self.isPortWildcard:
+      self.nextRule = None
+  
+  def check(self, ipAddress, port):
+    """
+    Checks if the rule chain allows exiting to this address, returning true if
+    so and false otherwise.
+    """
+    
+    port = int(port)
+    
+    # does the port check first since comparing ip masks is more work
+    isPortMatch = self.isPortWildcard or (port >= self.minPort and port <= self.maxPort)
+    
+    if isPortMatch:
+      isIpMatch = self.isIpWildcard or self.ipAddress == ipAddress
+      
+      # expands the check to include the mask if it has one
+      if not isIpMatch and self.ipMask != 32:
+        inputAddressBin = ""
+        for octet in ipAddress.split("."):
+          inputAddressBin += ("%8s" % bin(int(octet))[2:]).replace(" ", "0")
+        
+        cropSize = 32 - self.ipMask
+        isIpMatch = self.ipAddressBin[:cropSize] == inputAddressBin[:cropSize]
+      
+      if isIpMatch: return self.isAccept
+    
+    # our policy doesn't concern this address, move on to the next one
+    if self.nextRule: return self.nextRule.check(ipAddress, port)
+    else: return True # fell off the chain without a conclusion (shouldn't happen...)
+  
+  def __str__(self):
+    # This provides the actual policy rather than the entry used to construct
+    # it so the 'private' keyword is expanded.
+    
+    acceptanceLabel = "accept" if self.isAccept else "reject"
+    
+    if self.isIpWildcard:
+      ipLabel = "*"
+    elif self.ipMask != 32:
+      ipLabel = "%s/%i" % (self.ipAddress, self.ipMask)
+    else: ipLabel = self.ipAddress
+    
+    if self.isPortWildcard:
+      portLabel = "*"
+    elif self.minPort != self.maxPort:
+      portLabel = "%i-%i" % (self.minPort, self.maxPort)
+    else: portLabel = str(self.minPort)
+    
+    myPolicy = "%s %s:%s" % (acceptanceLabel, ipLabel, portLabel)
+    
+    if self.nextRule:
+      return myPolicy + ", " + str(self.nextRule)
+    else: return myPolicy
+



More information about the tor-commits mailing list