From 7c507f3d5bd855aa30ed4c11a2c43c0e42350ae3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Peter=20M=C3=BCller?=
Date: Wed, 4 Nov 2020 22:28:50 +0100
Subject: [PATCH] Tor: allow enforcing distinct Guard relays or countries
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

In order to make deanonymisation harder, especially high-risk Tor users might want to use certain Guard relays only (for example operated by people they trust), enforce Tor to use Guard relays in certain countries only (for example countries with very strict data protection laws or poor diplomatic relations), or avoid Guard relays in certain countries entirely. Since Tor sticks to sampled Guards for a long time (usually within the range of months), restricting those is believed to cause less harm to a users' anonymity than restricting Exit relays, since their diversity of a generic Tor user is significantly higher. This patch extends the Tor CGI for restricting Guard nodes to certain countries or relays matching certain fingerprints.
Signed-off-by: Peter Müller
Signed-off-by: Michael Tremer
---
 html/cgi-bin/tor.cgi | 93 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 90 insertions(+), 3 deletions(-)

diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi
index 78b7333d92..fe91ed399b 100644
--- a/html/cgi-bin/tor.cgi
+++ b/html/cgi-bin/tor.cgi
@@ -96,6 +96,8 @@ $settings{'TOR_ENABLED'} = 'off';
 $settings{'TOR_SOCKS_PORT'} = 9050;
 $settings{'TOR_EXIT_COUNTRY'} = '';
 $settings{'TOR_USE_EXIT_NODES'} = '';
+$settings{'TOR_GUARD_COUNTRY'} = '';
+$settings{'TOR_USE_GUARD_NODES'} = '';
 $settings{'TOR_ALLOWED_SUBNETS'} = "$netsettings{'GREEN_NETADDRESS'}\/$netsettings{'GREEN_NETMASK'}";
 if (&Header::blue_used()) {
 $settings{'TOR_ALLOWED_SUBNETS'} .= ",$netsettings{'BLUE_NETADDRESS'}\/$netsettings{'BLUE_NETMASK'}";
@@ -178,6 +180,15 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 }
 }

+ @temp = split(/[\n,]/,$settings{'TOR_USE_GUARD_NODES'});
+ $settings{'TOR_USE_GUARD_NODES'} = "";
+ foreach (@temp) {
+ s/^\s+//g; s/\s+$//g;
+ if ($_) {
+ $settings{'TOR_USE_GUARD_NODES'} .= $_.",";
+ }
+ }
+
 # Burst bandwidth must be less or equal to bandwidth rate.
 if ($settings{'TOR_RELAY_BANDWIDTH_RATE'} == 0) {
 $settings{'TOR_RELAY_BANDWIDTH_BURST'} = 0;
@@ -281,6 +292,9 @@ END
 @temp = split(",", $settings{'TOR_USE_EXIT_NODES'});
 $settings{'TOR_USE_EXIT_NODES'} = join("\n", @temp);

+ @temp = split(",", $settings{'TOR_USE_GUARD_NODES'});
+ $settings{'TOR_USE_GUARD_NODES'} = join("\n", @temp);
+
 print <
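Review bot: The entries collected into `TOR_USE_GUARD_NODES` in the new `foreach` are trimmed and re-joined but never checked against the syntax Tor accepts in a node list (a 40-hex-digit relay fingerprint, optionally `$`-prefixed, or a relay nickname), so a typo is presumably only noticed when Tor rejects the generated torrc at start-up rather than at save time in the UI. A check inside the loop such as `if ($_ !~ /^\$?[0-9A-Fa-f]{40}$/ && $_ !~ /^[A-Za-z0-9]{1,19}$/) { ... }` that sets the page's error message and aborts the save would surface the problem where the user can fix it; I am going from Tor's documented routerset syntax here, not from code on the page. On a smaller point, the `/g` on `s/^\s+//g; s/\s+$//g;` is a no-op for anchored patterns, so `s/^\s+//; s/\s+$//;` reads the same. The enclosing `if ($settings{'ACTION'} eq $Lang::tr{'save'})` block starts and ends outside the hunk.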
@@ -303,8 +317,57 @@ END -
-
+
+
+ + + + + + + + + + + + + +
$Lang::tr{'tor guard nodes'}
$Lang::tr{'tor use guard nodes'}:
+ + +
+ +
+
@@ -321,7 +384,7 @@ END END my @country_codes = &Location::Functions::get_locations("no_special_locations"); - # Convert Exit/Guard country strings into lists to make comparison easier + # Convert Exit country strings into lists to make comparison easier my @exit_countries; if ($settings{'TOR_EXIT_COUNTRY'} ne '') { @exit_countries = split(/\|/, $settings{'TOR_EXIT_COUNTRY'}); @@ -680,6 +743,30 @@ sub BuildConfiguration() { } print FILE "SocksPolicy reject *\n" if (@subnets); + if ($settings{'TOR_GUARD_COUNTRY'} ne '') { + $strict_nodes = 1; + my $countrylist; + + for my $singlecountry (split(/\|/, $settings{'TOR_GUARD_COUNTRY'})) { + if ($countrylist eq '') { + $countrylist = "{" . lc $singlecountry . "}"; + } else { + $countrylist = $countrylist . "," . "{" . lc $singlecountry . "}"; + } + } + + print FILE "EntryNodes $countrylist\n"; + } + + if ($settings{'TOR_USE_GUARD_NODES'} ne '') { + $strict_nodes = 1; + + my @nodes = split(",", $settings{'TOR_USE_GUARD_NODES'}); + foreach (@nodes) { + print FILE "EntryNode $_\n"; + } + } + if ($settings{'TOR_EXIT_COUNTRY'} ne '') { $strict_nodes = 1; my $countrylist; -- 2.39.5
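Review bot: In the `TOR_USE_GUARD_NODES` branch of BuildConfiguration the loop writes one `EntryNode $_` line per fingerprint, but the documented torrc option is `EntryNodes` (plural) and takes a single comma-separated node list; as far as I recall, Tor only resolves the singular spelling through prefix matching and keeps just the last value of a non-list option, so with several fingerprints, or a country list followed by fingerprints, only the final line would take effect. Both guard branches would be more robust as one `EntryNodes` line built from the country set and the fingerprints together, since routerset syntax allows `{cc}` and `$FINGERPRINT` entries side by side; the rewrite is sketched below. Separately, `my $countrylist;` followed by `if ($countrylist eq '')` compares an undefined value, which warns if the file enables `use warnings` (not visible here); `join(",", map { "{" . lc($_) . "}" } split(/\|/, $settings{'TOR_GUARD_COUNTRY'}))` avoids both the warning and the loop. The Exit country branch that follows in the context lines starts the same way, so the same shape applies there; BuildConfiguration continues past the end of the hunk.
```perl
	print FILE "SocksPolicy reject *\n" if (@subnets);

	if ($settings{'TOR_GUARD_COUNTRY'} ne '' || $settings{'TOR_USE_GUARD_NODES'} ne '') {
		$strict_nodes = 1;

		# Emit a single EntryNodes line: Tor keeps only the last value of a
		# non-list option, and routerset syntax mixes {cc} and $FINGERPRINT.
		my @entry_nodes = map { "{" . lc($_) . "}" } split(/\|/, $settings{'TOR_GUARD_COUNTRY'});
		push @entry_nodes, grep { $_ ne '' } split(",", $settings{'TOR_USE_GUARD_NODES'});

		print FILE "EntryNodes " . join(",", @entry_nodes) . "\n";
	}

	# … unchanged: Exit country / Exit node handling …
```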