commit c217699db1c5be02a59d7367decdb92b32827210
parent 681297cf5f444209ef7cd74ed067b69dc6e15771
Author: Cecylia Bocovich <cohosh@torproject.org>
Date: Wed, 25 Sep 2024 09:06:35 -0400
Bug 40976: Ensure conflux guards obey family and subnet restrictions
Diffstat:
3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/changes/ticket40976 b/changes/ticket40976
@@ -0,0 +1,4 @@
+ o Major bugfixes (conflux):
+ - Ensure conflux guards obey family and subnet restrictions. Fixes bug
+ 40976; bugfix on 0.4.8.13.
+
diff --git a/src/feature/client/entrynodes.c b/src/feature/client/entrynodes.c
@@ -1595,13 +1595,15 @@ guard_create_exit_restriction(const uint8_t *exit_id)
/* Allocate and return a new exit guard restriction that excludes all current
* and pending conflux guards */
STATIC entry_guard_restriction_t *
-guard_create_conflux_restriction(const origin_circuit_t *circ)
+guard_create_conflux_restriction(const origin_circuit_t *circ,
+ const uint8_t *exit_id)
{
entry_guard_restriction_t *rst = NULL;
rst = tor_malloc_zero(sizeof(entry_guard_restriction_t));
rst->type = RST_EXCL_LIST;
rst->excluded = smartlist_new();
conflux_add_guards_to_exclude_list(circ, rst->excluded);
+ memcpy(rst->exclude_id, exit_id, DIGEST_LEN);
return rst;
}
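Review bot: The new `memcpy(rst->exclude_id, exit_id, DIGEST_LEN)` reads DIGEST_LEN bytes from `exit_id` without checking it, and the function is STATIC, so it may be reachable from unit tests as well as from the guarded call in guards_choose_guard(). Adding `tor_assert(exit_id);` before the copy would make the non-NULL contract explicit. The header comment still describes only the conflux guard list; it should also say that `exit_id` is a DIGEST_LEN-byte identity digest stored in `exclude_id` so that the exit and its family are excluded too.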
@@ -1653,7 +1655,8 @@ static int
guard_obeys_exit_restriction(const entry_guard_t *guard,
const entry_guard_restriction_t *rst)
{
- tor_assert(rst->type == RST_EXIT_NODE);
+ tor_assert(rst->type == RST_EXIT_NODE ||
+ rst->type == RST_EXCL_LIST);
// Exclude the exit ID and all of its family.
const node_t *node = node_get_by_id((const char*)rst->exclude_id);
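Review bot: Widening the assert means every `RST_EXCL_LIST` restriction must now carry a valid exit digest in `exclude_id`, and nothing in this function or in the `RST_EXCL_LIST` branch of entry_guard_obeys_restriction() states that invariant. A restriction of that type allocated with `tor_malloc_zero()` and never given an exit would pass an all-zero digest to `node_get_by_id()`; how the remainder of the function treats a missing node is outside the hunk, so that case should be confirmed. I would add a comment above the assert such as `/* RST_EXCL_LIST restrictions also store the exit in exclude_id; see guard_create_conflux_restriction(). */` and update the function's doc comment, since its name no longer covers both restriction types it serves.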
@@ -1709,7 +1712,8 @@ entry_guard_obeys_restriction(const entry_guard_t *guard,
} else if (rst->type == RST_OUTDATED_MD_DIRSERVER) {
return guard_obeys_md_dirserver_restriction(guard);
} else if (rst->type == RST_EXCL_LIST) {
- return !smartlist_contains_digest(rst->excluded, guard->identity);
+ return guard_obeys_exit_restriction(guard, rst) &&
+ !smartlist_contains_digest(rst->excluded, guard->identity);
}
tor_assert_nonfatal_unreached();
@@ -3875,8 +3879,9 @@ guards_choose_guard(const origin_circuit_t *circ,
entry_guard_restriction_t *rst = NULL;
/* If we this is a conflux circuit, build an exclusion list for it. */
- if (CIRCUIT_IS_CONFLUX(TO_CIRCUIT(circ))) {
- rst = guard_create_conflux_restriction(circ);
+ if (CIRCUIT_IS_CONFLUX(TO_CIRCUIT(circ)) && state
+ && (exit_id = build_state_get_exit_rsa_id(state))) {
+ rst = guard_create_conflux_restriction(circ, exit_id);
/* Don't allow connecting back to the exit if there is one */
if (state && (exit_id = build_state_get_exit_rsa_id(state))) {
/* add the exit_id to the excluded list */
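Review bot: A conflux circuit whose `state` is NULL or whose build state has no exit RSA id now skips `guard_create_conflux_restriction()` altogether, so the exclusion of current and pending conflux guards is dropped together with the exit check; before this change the list was built unconditionally. If a conflux circuit always has an exit at this point, that assumption should be stated in the comment and made checkable, for example with a `tor_assert_nonfatal_unreached();` on the conflux-without-exit path; otherwise the exclusion list should still be built when no exit is known. The nested `if (state && (exit_id = build_state_get_exit_rsa_id(state)))` on the context line below repeats the outer condition and is always true once inside the block. The rest of the block lies outside the hunk, so whether a later branch covers the missing-exit case cannot be seen from here.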
diff --git a/src/feature/client/entrynodes.h b/src/feature/client/entrynodes.h
@@ -605,7 +605,7 @@ STATIC entry_guard_restriction_t *guard_create_exit_restriction(
STATIC entry_guard_restriction_t *guard_create_dirserver_md_restriction(void);
STATIC entry_guard_restriction_t * guard_create_conflux_restriction(
- const origin_circuit_t *circ);
+ const origin_circuit_t *circ, const uint8_t *exit_id);
STATIC void entry_guard_restriction_free_(entry_guard_restriction_t *rst);
#define entry_guard_restriction_free(rst) \