Verified Commit b18a9431 authored by shelikhoo's avatar shelikhoo

Add Broker Allowed Relay Pattern Indication Rejection for Proxy

parent 2ebdc89c
......@@ -20,6 +20,7 @@ import (
"syscall"
"time"
"git.torproject.org/pluggable-transports/snowflake.git/v2/common/namematcher"
"git.torproject.org/pluggable-transports/snowflake.git/v2/common/safelog"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promhttp"
......@@ -38,8 +39,9 @@ type BrokerContext struct {
proxyPolls chan *ProxyPoll
metrics *Metrics
bridgeList BridgeListHolderFileBased
allowedRelayPattern string
bridgeList BridgeListHolderFileBased
allowedRelayPattern string
presumedPatternForLegacyClient string
}
func (ctx *BrokerContext) GetBridgeInfo(fingerprint [20]byte) (BridgeInfo, error) {
......@@ -154,14 +156,24 @@ func (ctx *BrokerContext) AddSnowflake(id string, proxyType string, natType stri
return snowflake
}
func (ctx *BrokerContext) InstallBridgeListProfile(reader io.Reader, relayPattern string) error {
func (ctx *BrokerContext) InstallBridgeListProfile(reader io.Reader, relayPattern, presumedPatternForLegacyClient string) error {
if err := ctx.bridgeList.LoadBridgeInfo(reader); err != nil {
return err
}
ctx.allowedRelayPattern = relayPattern
ctx.presumedPatternForLegacyClient = presumedPatternForLegacyClient
return nil
}
func (ctx *BrokerContext) CheckProxyRelayPattern(pattern string, nonSupported bool) bool {
if nonSupported {
pattern = ctx.presumedPatternForLegacyClient
}
proxyPattern := namematcher.NewNameMatcher(pattern)
brokerPattern := namematcher.NewNameMatcher(ctx.allowedRelayPattern)
return proxyPattern.IsSupersetOf(brokerPattern)
}
// Client offer contains an SDP, bridge fingerprint and the NAT type of the client
type ClientOffer struct {
natType string
......@@ -176,7 +188,7 @@ func main() {
var addr string
var geoipDatabase string
var geoip6Database string
var bridgeListFilePath, allowedRelayPattern string
var bridgeListFilePath, allowedRelayPattern, presumedPatternForLegacyClient string
var disableTLS bool
var certFilename, keyFilename string
var disableGeoip bool
......@@ -193,6 +205,7 @@ func main() {
flag.StringVar(&geoip6Database, "geoip6db", "/usr/share/tor/geoip6", "path to correctly formatted geoip database mapping IPv6 address ranges to country codes")
flag.StringVar(&bridgeListFilePath, "bridge-list-path", "", "file path for bridgeListFile")
flag.StringVar(&allowedRelayPattern, "allowed-relay-pattern", "", "allowed pattern for relay host name")
flag.StringVar(&presumedPatternForLegacyClient, "default-relay-pattern", "", "presumed pattern for legacy client")
flag.BoolVar(&disableTLS, "disable-tls", false, "don't use HTTPS")
flag.BoolVar(&disableGeoip, "disable-geoip", false, "don't use geoip for stats collection")
flag.StringVar(&metricsFilename, "metrics-log", "", "path to metrics logging output")
......@@ -230,7 +243,7 @@ func main() {
if err != nil {
log.Fatal(err.Error())
}
err = ctx.InstallBridgeListProfile(bridgeListFile, allowedRelayPattern)
err = ctx.InstallBridgeListProfile(bridgeListFile, allowedRelayPattern, presumedPatternForLegacyClient)
if err != nil {
log.Fatal(err.Error())
}
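Review bot: CheckProxyRelayPattern, added in the hunk at `@@ -154,14 +156,24 @@`, is exported but carries no doc comment, and its contract is easy to read backwards — it is the proxy's advertised pattern that must be a superset of the broker's allowed pattern, not the reverse. Propose `// CheckProxyRelayPattern reports whether a polling proxy may be served: the relay pattern it advertises (or presumedPatternForLegacyClient when nonSupported is set, i.e. the proxy sent none) must accept at least every relay host matched by allowedRelayPattern.` The `nonSupported` parameter is a negated flag that the only caller in this commit passes as `!relayPatternSupported`; a positively named `patternSupported bool` would remove the double negation. Both fields it reads are assigned only in InstallBridgeListProfile, so a broker started without a bridge list compares two empty patterns — how namematcher treats `""` is not visible here and deserves a sentence in that comment. Neither method is cut by the hunk, but main, where the flags feeding these fields are declared, is.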
......
......@@ -67,12 +67,14 @@ func (i *IPC) Debug(_ interface{}, response *string) error {
func (i *IPC) ProxyPolls(arg messages.Arg, response *[]byte) error {
sid, proxyType, natType, clients, relayPattern, relayPatternSupported, err := messages.DecodeProxyPollRequestWithRelayPrefix(arg.Body)
_ = relayPattern
_ = relayPatternSupported
if err != nil {
return messages.ErrBadRequest
}
if !i.ctx.CheckProxyRelayPattern(relayPattern, !relayPatternSupported) {
return fmt.Errorf("bad request: rejected relay pattern from proxy = %v", messages.ErrBadRequest)
}
// Log geoip stats
remoteIP, _, err := net.SplitHostPort(arg.RemoteAddr)
if err != nil {
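Review bot: The new rejection branch builds its error with `%v`, so `messages.ErrBadRequest` is formatted into the message rather than wrapped, while the decode-failure branch a few lines above returns the sentinel itself; any caller that maps that sentinel to a 400 via `errors.Is` or `==` will treat this new error differently, which cannot be confirmed from the hunk. Use `%w` so the sentinel stays in the chain: `return fmt.Errorf("bad request: rejected relay pattern from proxy: %w", messages.ErrBadRequest)`. A rejected proxy is also neither logged nor counted, so a population of legacy or misconfigured proxies being turned away would be invisible in the broker's metrics; a counter on the existing Metrics type would help if it has a natural place for one. ProxyPolls continues past the hunk, and whether `fmt` is already imported in this file is not shown.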
......