Ticket #26425: 0001-Implement-ClientSNI-option-to-set-SNI-for-client-TLS.patch

File 0001-Implement-ClientSNI-option-to-set-SNI-for-client-TLS.patch, 4.5 KB (added by twim, 10 months ago)
  • doc/tor.1.txt

    From 5afdc98ef4aa098e59c9a43f06734f94ed86f3a3 Mon Sep 17 00:00:00 2001
    From: Ivan Markin <sw@nogoegst.net>
    Date: Fri, 1 Jun 2018 19:36:34 +0000
    Subject: [PATCH] Implement ClientSNI option to set SNI for client TLS
     connections
    
    ---
     doc/tor.1.txt          | 5 +++++
     src/common/tortls.c    | 9 +++++++--
     src/common/tortls.h    | 2 +-
     src/or/config.c        | 1 +
     src/or/connection_or.c | 2 +-
     src/or/or.h            | 4 ++++
     6 files changed, 19 insertions(+), 4 deletions(-)
    
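diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index f42ad0dd3..f02025986 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -251,6 +251,11 @@ GENERAL OPTIONS
     field, Tor will use it for separate rate limiting for each connection
     from a non-relay. (Default: 0)
 
+[[ClientSNI]] **ClientSNI** __hostname__::
+    Set Server Name Indication (SNI) extension for all client TLS connections
+    to \'hostname' instead of generating a random one. This can help going around
+    the firewalls which block Tor based on the way it manipulates SNI.
+
 [[ClientTransportPlugin]] **ClientTransportPlugin** __transport__ socks4|socks5 __IP__:__PORT__::
 **ClientTransportPlugin** __transport__ exec __path-to-binary__ [options]::
     In its first form, when set along with a corresponding Bridge line, the Tor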
  • src/common/tortls.c

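diff --git a/src/common/tortls.c b/src/common/tortls.c
index 669742c9d..7d71bd599 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1672,7 +1672,7 @@ tor_tls_setup_session_secret_cb(tor_tls_t *tls)
  * determine whether it is functioning as a server.
  */
 tor_tls_t *
-tor_tls_new(int sock, int isServer)
+tor_tls_new(int sock, int isServer, char *client_sni)
 {
   BIO *bio = NULL;
   tor_tls_t *result = tor_malloc_zero(sizeof(tor_tls_t));
@@ -1691,7 +1691,12 @@ tor_tls_new(int sock, int isServer)
 #ifdef SSL_set_tlsext_host_name
   /* Browsers use the TLS hostname extension, so we should too. */
   if (!isServer) {
-    char *fake_hostname = crypto_random_hostname(4,25, "www.",".com");
+    char *fake_hostname;
+    if (client_sni != NULL) {
+       fake_hostname = tor_strdup(client_sni);
+    } else {
+       fake_hostname = crypto_random_hostname(4,25, "www.",".com");
+    }
     SSL_set_tlsext_host_name(result->ssl, fake_hostname);
     tor_free(fake_hostname);
   }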
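Review bot: The configured value is copied verbatim into the ClientHello with no validation, and the return value of `SSL_set_tlsext_host_name` is still discarded, so an empty `ClientSNI` or one longer than the 255-byte host_name limit (which, as far as I recall, makes OpenSSL refuse the call) would fail silently and the connection would go out with no SNI at all; at minimum log it: `if (!SSL_set_tlsext_host_name(result->ssl, fake_hostname))` / `  log_warn(LD_NET, "Unable to set SNI hostname on client TLS connection");`. The `tor_strdup`/`tor_free` round trip is unnecessary: the existing `tor_free(fake_hostname)` immediately after the call shows OpenSSL keeps its own copy, so `client_sni` can be passed directly, and the parameter should be `const char *` since it is only read. The doc comment above `tor_tls_new` (its head is outside the hunk) still describes only `sock` and `isServer`; add a line such as `client_sni, if non-NULL, is sent verbatim as the SNI hostname on client-side handshakes instead of a random www.*.com name`. The two assignment lines in the new if/else are indented 7 spaces instead of the file's 6, and the function body continues outside the hunk.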
  • src/common/tortls.h

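diff --git a/src/common/tortls.h b/src/common/tortls.h
index 7c867bfff..09a8da6b3 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -210,7 +210,7 @@ int tor_tls_context_init(unsigned flags,
                          crypto_pk_t *client_identity,
                          crypto_pk_t *server_identity,
                          unsigned int key_lifetime);
-tor_tls_t *tor_tls_new(int sock, int is_server);
+tor_tls_t *tor_tls_new(int sock, int is_server, char *client_sni);
 void tor_tls_set_logged_address(tor_tls_t *tls, const char *address);
 void tor_tls_set_renegotiate_callback(tor_tls_t *tls,
                                       void (*cb)(tor_tls_t *, void *arg),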
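Review bot: `client_sni` should be declared `const char *client_sni` here: the definition in tortls.c only reads it (it goes to `tor_strdup`), and the caller passes a config-owned string that must not be modified through this pointer, which the prototype currently permits. The new parameter also has no documentation at either the prototype or the definition; a one-line note such as `/* client_sni: if non-NULL, sent verbatim as the SNI hostname on client-side handshakes; NULL selects a random name. */` would tell callers what NULL means. The header already uses `is_server` where the definition uses `isServer`, which predates this patch, but the new parameter at least follows the header's snake_case.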
  • src/or/config.c

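diff --git a/src/or/config.c b/src/or/config.c
index 94a58f348..dac5415ab 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -297,6 +297,7 @@ static config_var_t option_vars_[] = {
   V(ClientTransportPlugin,       LINELIST, NULL),
   V(ClientUseIPv6,               BOOL,     "0"),
   V(ClientUseIPv4,               BOOL,     "1"),
+  V(ClientSNI,                   STRING,   NULL),
   V(ConsensusParams,             STRING,   NULL),
   V(ConnLimit,                   UINT,     "1000"),
   V(ConnDirectionStatistics,     BOOL,     "0"),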
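Review bot: This hunk only registers `ClientSNI` as a STRING, and the diffstat shows it is the single line added to config.c, so nothing rejects a value that cannot be a valid SNI hostname before tortls.c hands it to `SSL_set_tlsext_host_name`. `options_validate()` (outside this hunk) should refuse an empty string and anything over 255 bytes, and preferably IP literals, which RFC 6066 does not allow in the host_name field, e.g. `if (options->ClientSNI && (!*options->ClientSNI || strlen(options->ClientSNI) > 255))` / `  REJECT("ClientSNI must be a hostname of at most 255 bytes.");`. Whatever passes here is sent on the wire exactly as typed in the torrc, so a typo becomes a per-client fingerprint rather than a startup error.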
  • src/or/connection_or.c

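diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 7898fbd42..05e23cbfc 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -1599,7 +1599,7 @@ connection_tls_start_handshake,(or_connection_t *conn, int receiving))
 
   connection_or_change_state(conn, OR_CONN_STATE_TLS_HANDSHAKING);
   tor_assert(!conn->tls);
-  conn->tls = tor_tls_new(conn->base_.s, receiving);
+  conn->tls = tor_tls_new(conn->base_.s, receiving, get_options()->ClientSNI);
   if (!conn->tls) {
     log_warn(LD_BUG,"tor_tls_new failed. Closing.");
     return -1;
</log_warn>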
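Review bot: `get_options()->ClientSNI` is passed on every handshake, including incoming ones where `receiving` is true, and is then ignored because tor_tls_new only applies it when `!isServer`; that is harmless but invisible at this call site, and it presumably also means a relay's own outgoing OR connections carry the fixed name despite the option's `Client` prefix. A short comment would save the next reader the trip into tortls.c: `/* ClientSNI (may be NULL) is only consulted for outgoing handshakes. */`. The function's body continues outside the hunk.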
  • src/or/or.h

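diff --git a/src/or/or.h b/src/or/or.h
index 750c79fd4..9181bfd20 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -4294,6 +4294,10 @@ typedef struct {
    * accessing this value directly.  */
   int ClientPreferIPv6DirPort;
 
+  /** If set, the value will be set as Server Name Indication (SNI) for
+   * all client TLS connections instead of generating a random one. */
+  char *ClientSNI;
+
   /** The length of time that we think a consensus should be fresh. */
   int V3AuthVotingInterval;
   /** The length of time we think it will take to distribute votes. */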
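Review bot: The new field's comment should record the two properties an operator needs before setting it: the string is copied into the TLS ClientHello, so it travels unencrypted, and because the same value is used for every connection it is a stable identifier for this client, which the random per-connection name was not. Suggest extending the comment: `Sent in the clear in every client-side ClientHello; unlike the random default, a fixed value is identical across all of this client's connections. NULL means generate a random hostname.`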