From 8d5dcdbda2160b6375cb479827d8cc2f16e06777 Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Tue, 30 Jan 2018 18:05:39 -0500 Subject: [PATCH 1/3] backport to make channel_is_client() accurate This commit takes a piece of commit af8cadf3a9 and a piece of commit 46fe353f25, with the goal of making channel_is_client() be based on what sort of connection handshake the other side used, rather than seeing whether the other side ever sent a create_fast cell to us. --- changes/bug24898-029 | 7 +++++++ src/or/channeltls.c | 4 ++++ src/or/connection_or.c | 6 ++++++ 3 files changed, 17 insertions(+) create mode 100644 changes/bug24898-029 diff --git a/changes/bug24898-029 b/changes/bug24898-029 new file mode 100644 index 000000000..f56dee5c7 --- /dev/null +++ b/changes/bug24898-029 @@ -0,0 +1,7 @@ + o Minor bugfixes: + - Make the internal channel_is_client() function look at what sort + of connection handshake the other side used, rather than whether + the other side ever sent a create_fast cell to us. Backports part + of the fixes from bug 24898. + + diff --git a/src/or/channeltls.c b/src/or/channeltls.c index 09cca95b6..31641c3db 100644 --- a/src/or/channeltls.c +++ b/src/or/channeltls.c @@ -1640,6 +1640,10 @@ channel_tls_process_netinfo_cell(cell_t *cell, channel_tls_t *chan) tor_assert(tor_digest_is_zero( (const char*)(chan->conn->handshake_state-> authenticated_peer_id))); + /* If the client never authenticated, it's a tor client or bridge + * relay, and we must not use it for EXTEND requests (nor could we, as + * there are no authenticated peer IDs) */ + channel_mark_client(TLS_CHAN_TO_BASE(chan)); channel_set_circid_type(TLS_CHAN_TO_BASE(chan), NULL, chan->conn->link_proto < MIN_LINK_PROTO_FOR_WIDE_CIRC_IDS); diff --git a/src/or/connection_or.c b/src/or/connection_or.c index dadfdc438..8beedcae7 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -1880,6 +1880,12 @@ connection_or_set_state_open(or_connection_t *conn) connection_or_change_state(conn, OR_CONN_STATE_OPEN); control_event_or_conn_status(conn, OR_CONN_EVENT_CONNECTED, 0); + /* Link protocol 3 appeared in Tor 0.2.3.6-alpha, so any connection + * that uses an earlier link protocol should not be treated as a relay. */ + if (conn->link_proto < 3) { + channel_mark_client(TLS_CHAN_TO_BASE(conn->chan)); + } + or_handshake_state_free(conn->handshake_state); conn->handshake_state = NULL; connection_start_reading(TO_CONN(conn)); From 2b99350ca4c905db1bd4f1aecc630b4f55933e96 Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Wed, 31 Jan 2018 03:21:27 -0500 Subject: [PATCH 2/3] stop calling channel_mark_client in response to a create_fast since all it does is produce false positives this commit should get merged into 0.2.9 and 0.3.0 *and* 0.3.1, even though the code in the previous commit is already present in 0.3.1. sorry for the mess. --- changes/bug24898-029 | 5 ++--- src/or/command.c | 4 ---- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/changes/bug24898-029 b/changes/bug24898-029 index f56dee5c7..b33f09384 100644 --- a/changes/bug24898-029 +++ b/changes/bug24898-029 @@ -1,7 +1,6 @@ - o Minor bugfixes: + o Minor bugfixes (relay): - Make the internal channel_is_client() function look at what sort of connection handshake the other side used, rather than whether the other side ever sent a create_fast cell to us. Backports part - of the fixes from bug 24898. - + of the fixes from bugs 22805 and 24898. diff --git a/src/or/command.c b/src/or/command.c index 5866c386e..8831446f0 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -344,10 +344,6 @@ command_process_create_cell(cell_t *cell, channel_t *chan) int len; created_cell_t created_cell; - /* Make sure we never try to use the OR connection on which we - * received this cell to satisfy an EXTEND request, */ - channel_mark_client(chan); - memset(&created_cell, 0, sizeof(created_cell)); len = onion_skin_server_handshake(ONION_HANDSHAKE_TYPE_FAST, create_cell->onionskin, From d21e5cfc241204ccc6b8b0a484573edaea086772 Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Wed, 31 Jan 2018 03:21:27 -0500 Subject: [PATCH 3/3] stop calling channel_mark_client in response to a create_fast since all it does is produce false positives this commit should get merged into 0.2.9 and 0.3.0 *and* 0.3.1, even though the code in the previous commit is already present in 0.3.1. sorry for the mess. [Cherry-picked] --- changes/bug24898-029 | 6 ++++++ src/or/command.c | 10 ---------- 2 files changed, 6 insertions(+), 10 deletions(-) create mode 100644 changes/bug24898-029 diff --git a/changes/bug24898-029 b/changes/bug24898-029 new file mode 100644 index 000000000..b33f09384 --- /dev/null +++ b/changes/bug24898-029 @@ -0,0 +1,6 @@ + o Minor bugfixes (relay): + - Make the internal channel_is_client() function look at what sort + of connection handshake the other side used, rather than whether + the other side ever sent a create_fast cell to us. Backports part + of the fixes from bugs 22805 and 24898. + diff --git a/src/or/command.c b/src/or/command.c index 894483e00..e7eb07161 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -347,16 +347,6 @@ command_process_create_cell(cell_t *cell, channel_t *chan) int len; created_cell_t created_cell; - /* If the client used CREATE_FAST, it's probably a tor client or bridge - * relay, and we must not use it for EXTEND requests (in most cases, we - * won't have an authenticated peer ID for the extend). - * Public relays on 0.2.9 and later will use CREATE_FAST if they have no - * ntor onion key for this relay, but that should be a rare occurrence. - * Clients on 0.3.1 and later avoid using CREATE_FAST as much as they can, - * even during bootstrap, so the CREATE_FAST check is most accurate for - * earlier tor client versions. */ - channel_mark_client(chan); - memset(&created_cell, 0, sizeof(created_cell)); len = onion_skin_server_handshake(ONION_HANDSHAKE_TYPE_FAST, create_cell->onionskin,