Merge remote-tracking branch 'public/bug10849_025'

Conflicts:
	src/or/config.c

changes/bug10849_025

@@ -0,0 +1,6 @@
+  o Removed code:
+    - The TunnelDirConns and PreferTunnelledDirConns options no longer
+      exist; tunneled directory connections have been available since
+      0.1.2.5-alpha, and turning them off is not a good idea. This is a
+      brute-force fix for 10849, where "TunnelDirConns 0" would break
+      hidden services.

doc/tor.1.txt

@@ -593,15 +593,6 @@ GENERAL OPTIONS
     This is useful when running on flash memory or other media that support
     only a limited number of writes. (Default: 0)
 
-[[TunnelDirConns]] **TunnelDirConns** **0**|**1**::
-    If non-zero, when a directory server we contact supports it, we will build
-    a one-hop circuit and make an encrypted connection via its ORPort.
-    (Default: 1)
-
-[[PreferTunneledDirConns]] **PreferTunneledDirConns** **0**|**1**::
-    If non-zero, we will avoid directory servers that don't support tunneled
-    directory connections, when possible. (Default: 1)
-
 [[CircuitPriorityHalflife]] **CircuitPriorityHalflife** __NUM1__::
     If this value is set, we override the default algorithm for choosing which
     circuit's cell to deliver or relay next. When the value is 0, we

src/or/config.c

@@ -357,7 +357,7 @@ static config_var_t option_vars_[] = {
   V(OptimisticData,              AUTOBOOL, "auto"),
   V(PortForwarding,              BOOL,     "0"),
   V(PortForwardingHelper,        FILENAME, "tor-fw-helper"),
-  V(PreferTunneledDirConns,      BOOL,     "1"),
+  OBSOLETE("PreferTunneledDirConns"),
   V(ProtocolWarnings,            BOOL,     "0"),
   V(PublishServerDescriptor,     CSV,      "1"),
   V(PublishHidServDescriptors,   BOOL,     "1"),
@@ -412,7 +412,7 @@ static config_var_t option_vars_[] = {
   V(TransListenAddress,          LINELIST, NULL),
   VPORT(TransPort,                   LINELIST, NULL),
   V(TransProxyType,              STRING,   "default"),
-  V(TunnelDirConns,              BOOL,     "1"),
+  OBSOLETE("TunnelDirConns"),
   V(UpdateBridgesFromAuthority,  BOOL,     "0"),
   V(UseBridges,                  BOOL,     "0"),
   V(UseEntryGuards,              BOOL,     "1"),
@@ -3275,12 +3275,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
 
   if (options->UseBridges && !options->Bridges)
     REJECT("If you set UseBridges, you must specify at least one bridge.");
-  if (options->UseBridges && !options->TunnelDirConns)
-    REJECT("If you set UseBridges, you must set TunnelDirConns.");
-  if (options->RendConfigLines &&
-      (!options->TunnelDirConns || !options->PreferTunneledDirConns))
-    REJECT("If you are running a hidden service, you must set TunnelDirConns "
-           "and PreferTunneledDirConns");
 
   for (cl = options->Bridges; cl; cl = cl->next) {
       bridge_line_t *bridge_line = parse_bridge_line(cl->value);
@@ -3393,15 +3387,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
                                  AF_INET6, 1, msg)<0)
     return -1;
 
-  if (options->PreferTunneledDirConns && !options->TunnelDirConns)
-    REJECT("Must set TunnelDirConns if PreferTunneledDirConns is set.");
-
-  if ((options->Socks4Proxy || options->Socks5Proxy) &&
-      !options->HTTPProxy && !options->PreferTunneledDirConns)
-    REJECT("When Socks4Proxy or Socks5Proxy is configured, "
-           "PreferTunneledDirConns and TunnelDirConns must both be "
-           "set to 1, or HTTPProxy must be configured.");
-
   if (options->AutomapHostsSuffixes) {
     SMARTLIST_FOREACH(options->AutomapHostsSuffixes, char *, suf,
     {

src/or/directory.c

@@ -338,8 +338,6 @@ should_use_directory_guards(const or_options_t *options)
   if (options->DownloadExtraInfo || options->FetchDirInfoEarly ||
       options->FetchDirInfoExtraEarly || options->FetchUselessDescriptors)
     return 0;
-  if (! options->PreferTunneledDirConns)
-    return 0;
   return 1;
 }
 
@@ -834,6 +832,7 @@ directory_command_should_use_begindir(const or_options_t *options,
                                       int or_port, uint8_t router_purpose,
                                       dir_indirection_t indirection)
 {
+  (void) router_purpose;
   if (!or_port)
     return 0; /* We don't know an ORPort -- no chance. */
   if (indirection == DIRIND_DIRECT_CONN || indirection == DIRIND_ANON_DIRPORT)
@@ -842,9 +841,6 @@ directory_command_should_use_begindir(const or_options_t *options,
     if (!fascist_firewall_allows_address_or(addr, or_port) ||
         directory_fetches_from_authorities(options))
       return 0; /* We're firewalled or are acting like a relay -- also no. */
-  if (!options->TunnelDirConns &&
-      router_purpose != ROUTER_PURPOSE_BRIDGE)
-    return 0; /* We prefer to avoid using begindir conns. Fine. */
   return 1;
 }
 

src/or/entrynodes.c

@@ -378,7 +378,7 @@ add_an_entry_guard(const node_t *chosen, int reset_status, int prepend,
   } else {
     const routerstatus_t *rs;
     rs = router_pick_directory_server(MICRODESC_DIRINFO|V3_DIRINFO,
-                              PDS_PREFER_TUNNELED_DIR_CONNS_|PDS_FOR_GUARD);
+                                      PDS_FOR_GUARD);
     if (!rs)
       return NULL;
     node = node_get_by_id(rs->identity_digest);

src/or/or.h

@@ -3886,10 +3886,6 @@ typedef struct {
                                         * testing our DNS server. */
   int EnforceDistinctSubnets; /**< If true, don't allow multiple routers in the
                                * same network zone in the same circuit. */
-  int TunnelDirConns; /**< If true, use BEGIN_DIR rather than BEGIN when
-                       * possible. */
-  int PreferTunneledDirConns; /**< If true, avoid dirservers that don't
-                               * support BEGIN_DIR, when possible. */
   int PortForwarding; /**< If true, use NAT-PMP or UPnP to automatically
                        * forward the DirPort and ORPort on the NAT device */
   char *PortForwardingHelper; /** < Filename or full path of the port
@@ -4974,8 +4970,6 @@ typedef struct dir_server_t {
  * node that's currently a guard. */
 #define PDS_FOR_GUARD (1<<5)
 
-#define PDS_PREFER_TUNNELED_DIR_CONNS_ (1<<16)
-
 /** Possible ways to weight routers when choosing one randomly.  See
  * routerlist_sl_choose_by_bandwidth() for more information.*/
 typedef enum bandwidth_weight_rule_t {

src/or/routerlist.c

@@ -1282,8 +1282,6 @@ const routerstatus_t *
 router_pick_directory_server(dirinfo_type_t type, int flags)
 {
   const routerstatus_t *choice;
-  if (get_options()->PreferTunneledDirConns)
-    flags |= PDS_PREFER_TUNNELED_DIR_CONNS_;
 
   if (!routerlist)
     return NULL;
@@ -1385,8 +1383,6 @@ router_pick_dirserver_generic(smartlist_t *sourcelist,
 {
   const routerstatus_t *choice;
   int busy = 0;
-  if (get_options()->PreferTunneledDirConns)
-    flags |= PDS_PREFER_TUNNELED_DIR_CONNS_;
 
   choice = router_pick_trusteddirserver_impl(sourcelist, type, flags, &busy);
   if (choice || !(flags & PDS_RETRY_IF_NO_SERVERS))
@@ -1411,10 +1407,7 @@ router_pick_dirserver_generic(smartlist_t *sourcelist,
 
 /** Pick a random running valid directory server/mirror from our
  * routerlist.  Arguments are as for router_pick_directory_server(), except
- * that RETRY_IF_NO_SERVERS is ignored, and:
+ * that RETRY_IF_NO_SERVERS is ignored.
- *
- * If the PDS_PREFER_TUNNELED_DIR_CONNS_ flag is set, prefer directory servers
- * that we can use with BEGINDIR.
  */
 static const routerstatus_t *
 router_pick_directory_server_impl(dirinfo_type_t type, int flags)
@@ -1428,7 +1421,6 @@ router_pick_directory_server_impl(dirinfo_type_t type, int flags)
   const networkstatus_t *consensus = networkstatus_get_latest_consensus();
   int requireother = ! (flags & PDS_ALLOW_SELF);
   int fascistfirewall = ! (flags & PDS_IGNORE_FASCISTFIREWALL);
-  int prefer_tunnel = (flags & PDS_PREFER_TUNNELED_DIR_CONNS_);
   int for_guard = (flags & PDS_FOR_GUARD);
   int try_excluding = 1, n_excluded = 0;
 
@@ -1481,8 +1473,7 @@ router_pick_directory_server_impl(dirinfo_type_t type, int flags)
 
     is_overloaded = status->last_dir_503_at + DIR_503_TIMEOUT > now;
 
-    if (prefer_tunnel &&
+    if ((!fascistfirewall ||
-        (!fascistfirewall ||
          fascist_firewall_allows_address_or(&addr, status->or_port)))
       smartlist_add(is_trusted ? trusted_tunnel :
                     is_overloaded ? overloaded_tunnel : tunnel, (void*)node);
@@ -1569,7 +1560,6 @@ router_pick_trusteddirserver_impl(const smartlist_t *sourcelist,
   time_t now = time(NULL);
   const int requireother = ! (flags & PDS_ALLOW_SELF);
   const int fascistfirewall = ! (flags & PDS_IGNORE_FASCISTFIREWALL);
-  const int prefer_tunnel = (flags & PDS_PREFER_TUNNELED_DIR_CONNS_);
   const int no_serverdesc_fetching =(flags & PDS_NO_EXISTING_SERVERDESC_FETCH);
   const int no_microdesc_fetching =(flags & PDS_NO_EXISTING_MICRODESC_FETCH);
   const double auth_weight = (sourcelist == fallback_dir_servers) ?
@@ -1630,8 +1620,7 @@ router_pick_trusteddirserver_impl(const smartlist_t *sourcelist,
         }
       }
 
-      if (prefer_tunnel &&
+      if (d->or_port &&
-          d->or_port &&
           (!fascistfirewall ||
            fascist_firewall_allows_address_or(&addr, d->or_port)))
         smartlist_add(is_overloaded ? overloaded_tunnel : tunnel, (void*)d);