
Make ClientDNSRejectInternalAddresses testing-only.

Undeprecate it;
rename it to TestingClientDNSRejectInternalAddresses;
add the old name as an alias;
reject configurations where it is set but TestingTorNetwork is not;
change the documentation accordingly.

Closes tickets 21031 and 21522.
Nick Mathewson 6 years ago
parent
commit
27fa4a98d2
7 changed files with 25 additions and 18 deletions
  1. 5 0
      changes/ticket21031
  2. 8 7
      doc/tor.1.txt
  3. 5 4
      src/or/config.c
  4. 1 1
      src/or/connection_edge.c
  5. 1 1
      src/or/or.h
  6. 3 3
      src/or/relay.c
  7. 2 2
      src/test/test_relaycell.c

+ 5 - 0
changes/ticket21031

@@ -0,0 +1,5 @@
+  o Removed features:
+    - The ClientDNSRejectInternalAddresses flag can no longer be set on
+      non-testing networks. It has been deprecated since 0.2.9.2-alpha.
+      Closes ticket 21031.
+

+ 8 - 7
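--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1408,12 +1408,6 @@ The following options are useful only for clients (that is, if
     addresses/ports. See SocksPort for an explanation of isolation
     flags. (Default: 0)
 
-[[ClientDNSRejectInternalAddresses]] **ClientDNSRejectInternalAddresses** **0**|**1**::
-    If true, Tor does not believe any anonymously retrieved DNS answer that
-    tells it that an address resolves to an internal address (like 127.0.0.1 or
-    192.168.0.1). This option prevents certain browser-based attacks; don't
-    turn it off unless you know what you're doing. (Default: 1)
-
 [[ClientRejectInternalAddresses]] **ClientRejectInternalAddresses** **0**|**1**::
     If true, Tor does not try to fulfill requests to connect to an internal
     address (like 127.0.0.1 or 192.168.0.1) __unless a exit node is
@@ -2468,7 +2462,7 @@ The following options are used for running a testing Tor network.
           4 (for 40 seconds), 8, 16, 32, 60
        ClientBootstrapConsensusMaxDownloadTries 80
        ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries 80
-       ClientDNSRejectInternalAddresses 0
+       TestingClientDNSRejectInternalAddresses 0
        ClientRejectInternalAddresses 0
        CountPrivateBandwidth 1
        ExitPolicyRejectPrivate 0
@@ -2670,6 +2664,13 @@ The following options are used for running a testing Tor network.
     we replace it and issue a new key?
     (Default: 3 hours for link and auth; 1 day for signing.)
 
+[[ClientDNSRejectInternalAddresses]] [[TestingClientDNSRejectInternalAddresses]] **TestingClientDNSRejectInternalAddresses** **0**|**1**::
+    If true, Tor does not believe any anonymously retrieved DNS answer that
+    tells it that an address resolves to an internal address (like 127.0.0.1 or
+    192.168.0.1). This option prevents certain browser-based attacks; don't
+    turn it off unless you know what you're doing. (Default: 1)
+
+
 NON-PERSISTENT OPTIONS
 ----------------------
 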

+ 5 - 4
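--- a/src/or/config.c
+++ b/src/or/config.c
@@ -169,6 +169,8 @@ static config_abbrev_t option_abbrevs_[] = {
   { "BridgeAuthoritativeDirectory", "BridgeAuthoritativeDir", 0, 0},
   { "HashedControlPassword", "__HashedControlSessionPassword", 1, 0},
   { "VirtualAddrNetwork", "VirtualAddrNetworkIPv4", 0, 0},
+  { "ClientDNSRejectInternalAddresses",
+    "TestingClientDNSRejectInternalAddresses", 0, 1, },
   { NULL, NULL, 0, 0},
 };
 
@@ -251,7 +253,7 @@ static config_var_t option_vars_[] = {
   V(CircuitsAvailableTimeout,    INTERVAL, "0"),
   V(CircuitStreamTimeout,        INTERVAL, "0"),
   V(CircuitPriorityHalflife,     DOUBLE,  "-100.0"), /*negative:'Use default'*/
-  V(ClientDNSRejectInternalAddresses, BOOL,"1"),
+  V(TestingClientDNSRejectInternalAddresses, BOOL,"1"),
   V(ClientOnly,                  BOOL,     "0"),
   V(ClientPreferIPv6ORPort,      AUTOBOOL, "auto"),
   V(ClientPreferIPv6DirPort,     AUTOBOOL, "auto"),
@@ -626,7 +628,7 @@ static const config_var_t testing_tor_network_defaults[] = {
     "0, 1, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 8, 16, 32, 60"),
   V(ClientBootstrapConsensusMaxDownloadTries, UINT, "80"),
   V(ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries, UINT, "80"),
-  V(ClientDNSRejectInternalAddresses, BOOL,"0"), // deprecated in 0.2.9.2-alpha
+  V(TestingClientDNSRejectInternalAddresses, BOOL,"0"),
   V(ClientRejectInternalAddresses, BOOL,   "0"),
   V(CountPrivateBandwidth,       BOOL,     "1"),
   V(ExitPolicyRejectPrivate,     BOOL,     "0"),
@@ -673,8 +675,6 @@ static const config_deprecation_t option_deprecation_notes_[] = {
   /* Deprecated since 0.2.9.2-alpha... */
   { "AllowDotExit", "Unrestricted use of the .exit notation can be used for "
     "a wide variety of application-level attacks." },
-  { "ClientDNSRejectInternalAddresses", "Turning this on makes your client "
-    "easier to fingerprint, and may open you to esoteric attacks." },
   /* End of options deprecated since 0.2.9.2-alpha. */
 
   /* Deprecated since 0.3.2.0-alpha. */
@@ -4074,6 +4074,7 @@ options_validate(or_options_t *old_options, or_options_t *options,
   CHECK_DEFAULT(TestingSigningKeySlop);
   CHECK_DEFAULT(TestingAuthKeySlop);
   CHECK_DEFAULT(TestingLinkKeySlop);
+  CHECK_DEFAULT(TestingClientDNSRejectInternalAddresses);
 #undef CHECK_DEFAULT
 
   if (options->SigningKeyLifetime < options->TestingSigningKeySlop*2)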
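Review bot: The added `CHECK_DEFAULT(TestingClientDNSRejectInternalAddresses);` in options_validate is the only gate that keeps this DNS-answer filter from being switched off outside a testing network, yet none of the seven changed files adds a test that such a configuration is rejected; the test_relaycell.c change only follows the rename. An options-validation test covering both the new name and the `ClientDNSRejectInternalAddresses` alias from the new `option_abbrevs_` entry would pin that behaviour. The macro's definition and its enclosing guard are outside the hunk, so the exact condition it enforces is presumed from the commit message. A short comment above the new abbrev entry, e.g. `/* Pre-rename name, kept as an alias. */`, would explain why a non-Testing name maps to a Testing option, and its `0, 1, },` layout differs from the neighbouring `0, 0},` rows.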

+ 1 - 1
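--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1343,7 +1343,7 @@ connection_ap_handshake_rewrite(entry_connection_t *conn,
     /* Hang on, did we find an answer saying that this is a reverse lookup for
      * an internal address?  If so, we should reject it if we're configured to
      * do so. */
-    if (options->ClientDNSRejectInternalAddresses) {
+    if (options->TestingClientDNSRejectInternalAddresses) {
       /* Don't let clients try to do a reverse lookup on 10.0.0.1. */
       tor_addr_t addr;
       int ok;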

+ 1 - 1
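--- a/src/or/or.h
+++ b/src/or/or.h
@@ -4203,7 +4203,7 @@ typedef struct {
   /** If true, do not believe anybody who tells us that a domain resolves
    * to an internal address, or that an internal address has a PTR mapping.
    * Helps avoid some cross-site attacks. */
-  int ClientDNSRejectInternalAddresses;
+  int TestingClientDNSRejectInternalAddresses;
 
   /** If true, do not accept any requests to connect to internal addresses
    * over randomly chosen exits. */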
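Review bot: The doc comment above `TestingClientDNSRejectInternalAddresses` still describes only the filtering behaviour and does not say that the field may now differ from its default only on a testing network. Adding a line such as ` * Can only be changed from its default when TestingTorNetwork is set.` would keep the struct documentation in step with the validation this commit adds in config.c. The enclosing struct starts and ends outside the hunk.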

+ 3 - 3
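--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -930,7 +930,7 @@ connection_ap_process_end_not_open(
             connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
             return 0;
           }
-          if (get_options()->ClientDNSRejectInternalAddresses &&
+          if (get_options()->TestingClientDNSRejectInternalAddresses &&
               tor_addr_is_internal(&addr, 0)) {
             log_info(LD_APP,"Address '%s' resolved to internal. Closing,",
                      safe_str(conn->socks_request->address));
@@ -1347,7 +1347,7 @@ connection_edge_process_resolved_cell(edge_connection_t *conn,
     goto done;
   }
 
-  if (get_options()->ClientDNSRejectInternalAddresses) {
+  if (get_options()->TestingClientDNSRejectInternalAddresses) {
     int orig_len = smartlist_len(resolved_addresses);
     SMARTLIST_FOREACH_BEGIN(resolved_addresses, address_ttl_t *, addr) {
       if (addr->hostname == NULL && tor_addr_is_internal(&addr->addr, 0)) {
@@ -1440,7 +1440,7 @@ connection_edge_process_relay_cell_not_open(
     if (tor_addr_family(&addr) != AF_UNSPEC) {
       const sa_family_t family = tor_addr_family(&addr);
       if (tor_addr_is_null(&addr) ||
-          (get_options()->ClientDNSRejectInternalAddresses &&
+          (get_options()->TestingClientDNSRejectInternalAddresses &&
            tor_addr_is_internal(&addr, 0))) {
         log_info(LD_APP, "...but it claims the IP address was %s. Closing.",
                  fmt_addr(&addr));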

+ 2 - 2
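--- a/src/test/test_relaycell.c
+++ b/src/test/test_relaycell.c
@@ -112,7 +112,7 @@ test_relaycell_resolved(void *arg)
   MOCK(connection_mark_unattached_ap_, mark_unattached_mock);
   MOCK(connection_ap_handshake_socks_resolved, socks_resolved_mock);
 
-  options->ClientDNSRejectInternalAddresses = 0;
+  options->TestingClientDNSRejectInternalAddresses = 0;
 
   SET_CELL(/* IPv4: 127.0.1.2, ttl 256 */
            "\x04\x04\x7f\x00\x01\x02\x00\x00\x01\x00"
@@ -151,7 +151,7 @@ test_relaycell_resolved(void *arg)
 
   /* But we may be discarding private answers. */
   MOCK_RESET();
-  options->ClientDNSRejectInternalAddresses = 1;
+  options->TestingClientDNSRejectInternalAddresses = 1;
   r = connection_edge_process_resolved_cell(edgeconn, &cell, &rh);
   tt_int_op(r, OP_EQ, 0);
   ASSERT_MARK_CALLED(END_STREAM_REASON_DONE|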