From 7e82d036c3b56f70855caf8656dd05c31ba3f018 Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 4 Nov 2022 16:01:47 +0100 Subject: [PATCH] Add safe fallbacks for untrusted home nodes --- firewall/tunnel.go | 17 ++++++++++++++--- profile/config.go | 6 +++--- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/firewall/tunnel.go b/firewall/tunnel.go index e062512c..ccaf81ff 100644 --- a/firewall/tunnel.go +++ b/firewall/tunnel.go @@ -137,12 +137,23 @@ func requestTunneling(ctx context.Context, conn *network.Connection) error { conn.TunnelOpts.RequireVerifiedOwners = captain.NonCommunityVerifiedOwners } - // If we have any exit hub policies, we need to raise the routing algorithm at least to single-hop. - if conn.TunnelOpts.RoutingProfile == navigator.RoutingProfileHomeID && - conn.TunnelOpts.HubPoliciesAreSet() { + // Get routing profile for checking for upgrades. + routingProfile := navigator.GetRoutingProfile(conn.TunnelOpts.RoutingProfile) + + // If we have any exit hub policies, we must be able to hop in order to follow the policy. + // Switch to single-hop routing to allow for routing with hub selection. + if routingProfile.MaxHops <= 1 && conn.TunnelOpts.HubPoliciesAreSet() { conn.TunnelOpts.RoutingProfile = navigator.RoutingProfileSingleHopID } + // If the current home node is not trusted, then upgrade at least to two hops. + if routingProfile.MinHops < 2 { + homeNode, _ := navigator.Main.GetHome() + if homeNode != nil && !homeNode.State.Has(navigator.StateTrusted) { + conn.TunnelOpts.RoutingProfile = navigator.RoutingProfileDoubleHopID + } + } + // Special handling for the internal DNS resolver. if conn.Process().Pid == ownPID && resolver.IsResolverAddress(conn.Entity.IP, conn.Entity.Port) { dnsExitHubPolicy, err := captain.GetDNSExitHubPolicy() diff --git a/profile/config.go b/profile/config.go index 9ca174ed..f71495b7 100644 --- a/profile/config.go +++ b/profile/config.go @@ -6,6 +6,7 @@ import ( "github.com/safing/portbase/config" "github.com/safing/portmaster/profile/endpoints" "github.com/safing/portmaster/status" + "github.com/safing/spn/navigator" ) // Configuration Keys. @@ -680,13 +681,12 @@ By default, the Portmaster tries to choose the node closest to the destination a cfgStringArrayOptions[CfgOptionExitHubPolicyKey] = cfgOptionExitHubPolicy // Select SPN Routing Algorithm - defaultRoutingAlg := "double-hop" err = config.Register(&config.Option{ Name: "Select SPN Routing Algorithm", Key: CfgOptionRoutingAlgorithmKey, Description: "Select the routing algorithm for your connections through the SPN. Configure your preferred balance between speed and privacy.", OptType: config.OptTypeString, - DefaultValue: defaultRoutingAlg, + DefaultValue: navigator.DefaultRoutingProfileID, Annotations: config.Annotations{ config.DisplayHintAnnotation: config.DisplayHintOneOf, config.DisplayOrderAnnotation: cfgOptionRoutingAlgorithmOrder, @@ -718,7 +718,7 @@ By default, the Portmaster tries to choose the node closest to the destination a if err != nil { return err } - cfgOptionRoutingAlgorithm = config.Concurrent.GetAsString(CfgOptionRoutingAlgorithmKey, defaultRoutingAlg) + cfgOptionRoutingAlgorithm = config.Concurrent.GetAsString(CfgOptionRoutingAlgorithmKey, navigator.DefaultRoutingProfileID) cfgStringOptions[CfgOptionRoutingAlgorithmKey] = cfgOptionRoutingAlgorithm return nil