Actually check for missing protocols and exit as appropriate.

2024-11-24 12:23:32 +01:00 · 2016-08-19 17:45:08 -04:00 · 2016-08-19 17:45:08 -04:00 · 7f718c46f3
commit 7f718c46f3
parent cca1e0acff
1 changed files with 40 additions and 0 deletions
--- a/src/or/networkstatus.c
+++ b/src/or/networkstatus.c
@ -1552,6 +1552,31 @@ networkstatus_set_current_consensus_from_ns(networkstatus_t *c,
 }
 #endif //TOR_UNIT_TESTS

+/** Called when we have received a networkstatus <b>c</b>. If there are
+ * any _required_ protocols we are missing, log an error and exit
+ * immediately. If there are any _recommended_ protocols we are missing,
+ * warn. */
+static void
+handle_missing_protocol_warning(const networkstatus_t *c,
+                                const or_options_t *options)
+{
+  char *protocol_warning = NULL;
+  int should_exit = networkstatus_check_required_protocols(c,
+                                                   !server_mode(options),
+                                                   &protocol_warning);
+  if (protocol_warning) {
+    tor_log(should_exit ? LOG_ERR : LOG_WARN,
+            LD_GENERAL,
+            "%s", protocol_warning);
+  }
+  if (should_exit) {
+    tor_assert_nonfatal(protocol_warning);
+  }
+  tor_free(protocol_warning);
+  if (should_exit)
+    exit(1);
+}
+
 /** Try to replace the current cached v3 networkstatus with the one in
 * <b>consensus</b>.  If we don't have enough certificates to validate it,
 * store it in consensus_waiting_for_certs and launch a certificate fetch.
@ -1595,6 +1620,7 @@ networkstatus_set_current_consensus(const char *consensus,
  time_t current_valid_after = 0;
  int free_consensus = 1; /* Free 'c' at the end of the function */
  int old_ewma_enabled;
+  int checked_protocols_already = 0;

  if (flav < 0) {
    /* XXXX we don't handle unrecognized flavors yet. */
@ -1610,6 +1636,16 @@ networkstatus_set_current_consensus(const char *consensus,
    goto done;
  }

+  if (from_cache && !was_waiting_for_certs) {
+    /* We previously stored this; check _now_ to make sure that version-kills
+     * really work.  This happens even before we check signatures: we did so
+     * before when we stored this to disk. This does mean an attacker who can
+     * write to the datadir can make us not start: such an attacker could
+     * already harm us by replacing our guards, which would be worse. */
+    checked_protocols_already = 1;
+    handle_missing_protocol_warning(c, options);
+  }
+
  if ((int)c->flavor != flav) {
    /* This wasn't the flavor we thought we were getting. */
    if (require_flavor) {
@ -1735,6 +1771,10 @@ networkstatus_set_current_consensus(const char *consensus,
  if (!from_cache && flav == usable_consensus_flavor())
    control_event_client_status(LOG_NOTICE, "CONSENSUS_ARRIVED");

+  if (!checked_protocols_already) {
+    handle_missing_protocol_warning(c, options);
+  }
+
  /* Are we missing any certificates at all? */
  if (r != 1 && dl_certs)
    authority_certs_fetch_missing(c, now, source_dir);