Opened 11 years ago

Last modified 7 years ago

#752 closed defect (Fixed)

Unable to Specify Exit without Exit-flag in Domain Name

Reported by: BarkerJr
Owned by:
Priority: Low
Milestone: 0.2.1.x-final
Component: Core Tor/Tor
Version: 0.2.1.2-alpha
Severity:
Keywords:
Cc: BarkerJr, nickm, arma, rovv
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When attempting to access http://barkerjr.net.barkerjrhttp.exit , because:
[warn] Requested exit point 'barkerjrhttp' would refuse request. Closing.

This is in error, because the router's exit policy explicitly allows exiting to that hostname's IP. However, because it
doesn't allow exits on *:80, it's rejected. Considering that the user thinks that exit will accept it, we should give
it a try even though it returns ADDR_POLICY_PROBABLY_REJECTED.

[Automatically added by flyspray2trac: Operating System: All]
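
A simplified model of the behaviour reported above and of the condition changed by the patch in comment:1, added here as an illustration; it is not Tor's code. The `rule_t` struct, the function names, the use of address 0 for "hostname not yet resolved" and the sample policy are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdict names follow the ticket; this is a model, not Tor's source. */
typedef enum { ACCEPTED, REJECTED, PROBABLY_ACCEPTED, PROBABLY_REJECTED } verdict_t;

/* One policy rule (hypothetical struct): accept/reject addr/mask:pmin-pmax. */
typedef struct { int accept; uint32_t addr, mask; uint16_t pmin, pmax; } rule_t;

/* First matching rule wins. addr == 0 is assumed to mean "hostname not yet
 * resolved by the client", so address-specific rules can only "maybe" match. */
static verdict_t policy_check(const rule_t *p, int n, uint32_t addr, uint16_t port) {
  int maybe_accept = 0, maybe_reject = 0;
  for (int i = 0; i < n; i++) {
    if (port < p[i].pmin || port > p[i].pmax) continue;
    if (addr == 0 && p[i].mask != 0) {   /* might match once resolved */
      if (p[i].accept) maybe_accept = 1; else maybe_reject = 1;
      continue;
    }
    if ((addr & p[i].mask) != (p[i].addr & p[i].mask)) continue;
    if (p[i].accept) return maybe_reject ? PROBABLY_ACCEPTED : ACCEPTED;
    return maybe_accept ? PROBABLY_REJECTED : REJECTED;
  }
  return maybe_reject ? PROBABLY_ACCEPTED : ACCEPTED; /* model default: accept */
}

/* Client-side decision before the comment:1 patch. */
static int can_use_exit_before(verdict_t r) {
  return !(r == REJECTED || r == PROBABLY_REJECTED);
}

/* After the patch: a probable rejection is tolerated for a user-chosen exit. */
static int can_use_exit_after(verdict_t r, int user_chose_exit) {
  return !(r == REJECTED || (r == PROBABLY_REJECTED && !user_chose_exit));
}

/* Constructed policy: accept 192.0.2.10:80, then reject *:* */
static const rule_t POLICY[] = {
  { 1, 0xC000020Au, 0xFFFFFFFFu, 80, 80 },
  { 0, 0, 0, 1, 65535 },
};

int main(void) {
  verdict_t v = policy_check(POLICY, 2, 0, 80);  /* http to an unresolved name */
  printf("verdict=%d before=%d after(.exit)=%d\n", v,
         can_use_exit_before(v), can_use_exit_after(v, 1));
  return 0;
}
```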

Attachments (1)

torfix.patch (3.1 KB) - added by BarkerJr 11 years ago.
A Potential Fix


Change History (10)

Changed 11 years ago by BarkerJr

Attachment: torfix.patch added

A Potential Fix

comment:1 Changed 11 years ago by arma

You're right. Here's a patch that should work:

Index: connection_edge.c
===================================================================
--- connection_edge.c (revision 16933)
+++ connection_edge.c (working copy)
@@ -2857,7 +2857,8 @@

addr = ntohl(in.s_addr);

r = compare_addr_to_addr_policy(addr, conn->socks_request->port,

exit->exit_policy);

if (r == ADDR_POLICY_REJECTED + if (r == ADDR_POLICY_REJECTED
r == ADDR_POLICY_PROBABLY_REJECTED)

+ (r == ADDR_POLICY_PROBABLY_REJECTED && !conn->chosen_exit_name))

return 0;

} else if (SOCKS_COMMAND_IS_RESOLVE(conn->socks_request->command)) {

/* Can't support reverse lookups without eventdns. */
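
Review bot: the added `!conn->chosen_exit_name` test on the `ADDR_POLICY_PROBABLY_REJECTED` branch checks only that some exit name is set on the connection, not that `exit` is the router that name refers to, so a caller that passes a different router while a name is set would get the relaxed treatment too. Consider comparing `exit` against the chosen name here, or documenting that callers only pass the named router in that case. A short comment on the condition saying why a probable rejection is tolerated when the user explicitly asked for this exit would also help the next reader.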

comment:2 Changed 11 years ago by nickm

Applied; thanks!

comment:3 Changed 11 years ago by nickm

Reopened by request from rovv.

comment:4 Changed 11 years ago by rovv

Tor shouldn't call router_exit_policy_all_routers_reject() for chosen .exit, comparisons for policies can return ADDR_POLICY_REJECTED or ADDR_POLICY_PROBABLY_REJECTED for all servers as for chosen .exit
if policy for some router even '_ACCEPTED', that's policy exactly not for chosen .exit

--- circuituse.original.c Mon Jun 30 23:26:38 2008
+++ circuituse.c Thu Oct 16 11:15:24 2008
@@ -1014,7 +1014,7 @@

}


/* Do we need to check exit policy? */

  • if (check_exit_policy) {

+ if (check_exit_policy && !conn->chosen_exit_name) {

struct in_addr in;
uint32_t addr = 0;
if (tor_inet_aton(conn->socks_request->address, &in))
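
Review bot: the comment `/* Do we need to check exit policy? */` above the changed condition no longer describes it, because the block is now skipped whenever `conn->chosen_exit_name` is set even when `check_exit_policy` is true. Update the comment to say this branch covers only streams without a requested exit, and consider keeping a single `if (check_exit_policy)` with the `chosen_exit_name` test nested inside, so the flag is not tested again in the `else if` added further down.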

@@ -1027,6 +1027,21 @@

conn->socks_request->port);

return -1;

}

+ } else if (check_exit_policy && conn->chosen_exit_name) {
+ /* duplicate of current checks for .exit/enclave */
+ routerinfo_t *router = router_get_by_nickname(conn->chosen_exit_name, 1);
+ int opt = conn->_base.chosen_exit_optional;
+ if (router && !connection_ap_can_use_exit(conn, router)) {
+ log_fn(opt ? LOG_INFO : LOG_WARN, LD_APP,
+ "Requested exit point '%s' would refuse request. %s.",
+ conn->chosen_exit_name, opt ? "Trying others" : "Closing");
+ if (opt) {
+ conn->_base.chosen_exit_optional = 0;
+ tor_free(conn->chosen_exit_name);
+ return 0;
+ }
+ return -1;
+ }

}


/* is one already on the way? */
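
Review bot: in the added `else if` branch, the `if (opt)` path clears `chosen_exit_optional`, frees `chosen_exit_name` and then does `return 0;` although nothing in the visible lines launches or attaches a circuit; if 0 is this function's "circuit launched" result, that is misleading, and the path should either retry the lookup without the exit name or return a distinct value. Two smaller points: when `router_get_by_nickname()` returns NULL the branch falls through with no log message, and the comment `/* duplicate of current checks for .exit/enclave */` says the logic is copied, so a shared helper would keep the two copies from drifting apart.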

comment:5 Changed 11 years ago by nickm

Is the "return 0" there correct? That function is supposed to return 0 only when it's launched a circuit for the
stream in question, but the code there doesn't launch the stream.

I'm checking in a version of the code that replaces return 0 with a new call to the function.

comment:6 Changed 11 years ago by rovv

No, "return 0" there is incorrect. You are right.

Also, circuit_get_open_circ_or_launch() contains yet one incorrect "return 0"

--- circuituse.original.c Wed Oct 22 05:00:52 2008
+++ circuituse.c Wed Oct 22 08:05:50 2008
@@ -1176,6 +1176,7 @@

if (opt) {

conn->_base.chosen_exit_optional = 0;
tor_free(conn->chosen_exit_name);

+ /* we should try again */

return 0;

}
return -1;
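
Review bot: the only added line is the comment `/* we should try again */` before `return 0;`, so behaviour is unchanged and the comment states an intent the code does not carry out. Either replace the `return 0;` with the actual retry once `chosen_exit_name` has been freed, or word the comment as a TODO that says what the caller is expected to do with this return value.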

But I am still confused with needs sure checking of requested exit
point in circuit_get_open_circ_or_launch(), not adds a hard-to-enforce
requirement checking it before. If duplicates will be removed from
connection_ap_handshake_attach_circuit(), then (as example)
circuit_get_best() will be called surely without result for two times
if requested exit point is not known; and one time because its policy.
However this has nothing to do with the ongoing task.

comment:7 Changed 10 years ago by nickm

Remaining case (maybe unreachable) fixed in r18451.

comment:8 Changed 10 years ago by nickm

flyspray2trac: bug closed.

comment:9 Changed 7 years ago by nickm

Component: Tor Client → Tor