Add Broker Allowed Relay Pattern Indication Rejection for Proxy

Shelikhoo 2022-04-14 11:15:35 +01:00
parent 2ebdc89c42
commit b18a9431b2
No known key found for this signature in database
GPG key ID: C4D5E79D22B25316
2 changed files with 22 additions and 7 deletions


@ -20,6 +20,7 @@ import (
"syscall" "syscall"
"time" "time"
"git.torproject.org/pluggable-transports/snowflake.git/v2/common/namematcher"
"git.torproject.org/pluggable-transports/snowflake.git/v2/common/safelog" "git.torproject.org/pluggable-transports/snowflake.git/v2/common/safelog"
"github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promhttp" "github.com/prometheus/client_golang/prometheus/promhttp"
@ -40,6 +41,7 @@ type BrokerContext struct {
bridgeList BridgeListHolderFileBased bridgeList BridgeListHolderFileBased
allowedRelayPattern string allowedRelayPattern string
presumedPatternForLegacyClient string
} }
func (ctx *BrokerContext) GetBridgeInfo(fingerprint [20]byte) (BridgeInfo, error) { func (ctx *BrokerContext) GetBridgeInfo(fingerprint [20]byte) (BridgeInfo, error) {
@ -154,14 +156,24 @@ func (ctx *BrokerContext) AddSnowflake(id string, proxyType string, natType stri
return snowflake return snowflake
} }
func (ctx *BrokerContext) InstallBridgeListProfile(reader io.Reader, relayPattern string) error { func (ctx *BrokerContext) InstallBridgeListProfile(reader io.Reader, relayPattern, presumedPatternForLegacyClient string) error {
if err := ctx.bridgeList.LoadBridgeInfo(reader); err != nil { if err := ctx.bridgeList.LoadBridgeInfo(reader); err != nil {
return err return err
} }
ctx.allowedRelayPattern = relayPattern ctx.allowedRelayPattern = relayPattern
ctx.presumedPatternForLegacyClient = presumedPatternForLegacyClient
return nil return nil
} }
func (ctx *BrokerContext) CheckProxyRelayPattern(pattern string, nonSupported bool) bool {
if nonSupported {
pattern = ctx.presumedPatternForLegacyClient
}
proxyPattern := namematcher.NewNameMatcher(pattern)
brokerPattern := namematcher.NewNameMatcher(ctx.allowedRelayPattern)
return proxyPattern.IsSupersetOf(brokerPattern)
}
// Client offer contains an SDP, bridge fingerprint and the NAT type of the client // Client offer contains an SDP, bridge fingerprint and the NAT type of the client
type ClientOffer struct { type ClientOffer struct {
natType string natType string
@ -176,7 +188,7 @@ func main() {
var addr string var addr string
var geoipDatabase string var geoipDatabase string
var geoip6Database string var geoip6Database string
var bridgeListFilePath, allowedRelayPattern string var bridgeListFilePath, allowedRelayPattern, presumedPatternForLegacyClient string
var disableTLS bool var disableTLS bool
var certFilename, keyFilename string var certFilename, keyFilename string
var disableGeoip bool var disableGeoip bool
@ -193,6 +205,7 @@ func main() {
flag.StringVar(&geoip6Database, "geoip6db", "/usr/share/tor/geoip6", "path to correctly formatted geoip database mapping IPv6 address ranges to country codes") flag.StringVar(&geoip6Database, "geoip6db", "/usr/share/tor/geoip6", "path to correctly formatted geoip database mapping IPv6 address ranges to country codes")
flag.StringVar(&bridgeListFilePath, "bridge-list-path", "", "file path for bridgeListFile") flag.StringVar(&bridgeListFilePath, "bridge-list-path", "", "file path for bridgeListFile")
flag.StringVar(&allowedRelayPattern, "allowed-relay-pattern", "", "allowed pattern for relay host name") flag.StringVar(&allowedRelayPattern, "allowed-relay-pattern", "", "allowed pattern for relay host name")
flag.StringVar(&presumedPatternForLegacyClient, "default-relay-pattern", "", "presumed pattern for legacy client")
flag.BoolVar(&disableTLS, "disable-tls", false, "don't use HTTPS") flag.BoolVar(&disableTLS, "disable-tls", false, "don't use HTTPS")
flag.BoolVar(&disableGeoip, "disable-geoip", false, "don't use geoip for stats collection") flag.BoolVar(&disableGeoip, "disable-geoip", false, "don't use geoip for stats collection")
flag.StringVar(&metricsFilename, "metrics-log", "", "path to metrics logging output") flag.StringVar(&metricsFilename, "metrics-log", "", "path to metrics logging output")
@ -230,7 +243,7 @@ func main() {
if err != nil { if err != nil {
log.Fatal(err.Error()) log.Fatal(err.Error())
} }
err = ctx.InstallBridgeListProfile(bridgeListFile, allowedRelayPattern) err = ctx.InstallBridgeListProfile(bridgeListFile, allowedRelayPattern, presumedPatternForLegacyClient)
if err != nil { if err != nil {
log.Fatal(err.Error()) log.Fatal(err.Error())
} }
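Review bot: CheckProxyRelayPattern, added in the hunk after InstallBridgeListProfile, is an exported method without a doc comment, and the hunk nowhere states how the two empty-pattern defaults behave: both `-allowed-relay-pattern` and the new `-default-relay-pattern` default to "", so a legacy proxy (`nonSupported == true`) is checked against an empty presumed pattern unless the operator sets the flag, and whether `namematcher.NewNameMatcher("")` then accepts or rejects every such proxy is not visible here and decides the effective policy. Validating both patterns when InstallBridgeListProfile stores them (or rebuilding `brokerPattern` once there rather than per poll) would make that choice explicit and fail at startup instead of silently at poll time. The `pattern` argument is read from the proxy's poll body, so it is untrusted input; confirm that NewNameMatcher tolerates arbitrary strings without panicking or doing unbounded work. Suggested comment: `// CheckProxyRelayPattern reports whether the relay pattern a proxy announces covers every relay the broker may hand out (allowedRelayPattern). Proxies that predate the pattern extension (nonSupported) are evaluated with presumedPatternForLegacyClient instead of their own pattern.`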


@ -67,12 +67,14 @@ func (i *IPC) Debug(_ interface{}, response *string) error {
func (i *IPC) ProxyPolls(arg messages.Arg, response *[]byte) error { func (i *IPC) ProxyPolls(arg messages.Arg, response *[]byte) error {
sid, proxyType, natType, clients, relayPattern, relayPatternSupported, err := messages.DecodeProxyPollRequestWithRelayPrefix(arg.Body) sid, proxyType, natType, clients, relayPattern, relayPatternSupported, err := messages.DecodeProxyPollRequestWithRelayPrefix(arg.Body)
_ = relayPattern
_ = relayPatternSupported
if err != nil { if err != nil {
return messages.ErrBadRequest return messages.ErrBadRequest
} }
if !i.ctx.CheckProxyRelayPattern(relayPattern, !relayPatternSupported) {
return fmt.Errorf("bad request: rejected relay pattern from proxy = %v", messages.ErrBadRequest)
}
// Log geoip stats // Log geoip stats
remoteIP, _, err := net.SplitHostPort(arg.RemoteAddr) remoteIP, _, err := net.SplitHostPort(arg.RemoteAddr)
if err != nil { if err != nil {