nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-10 13:13:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote branch 'origin/maint-0.2.2'

Browse Source 
Conflicts:
	src/or/config.c
	src/or/cpuworker.c
This commit is contained in:
Nick Mathewson 2010-11-15 14:14:13 -05:00
commit 8c2affe637
14 changed files with 111 additions and 635 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
changes/HTTP Normal file
View File

@ -0,0 +1,4 @@
o Code simplifications and refactoring:
- Some options used different conventions for uppercasing of acronyms
when comparing manpage and source. Fix those in favor of the
manpage, as it makes sense to capitalize acronyms.

3
changes/minuptimehs Normal file
View File

@ -0,0 +1,3 @@
o Minor features:
- Make hidden services work better in private networks by not requiring
any uptime to join the dht. Implements ticket 2088.

4
changes/torrc.complete Normal file
View File

@ -0,0 +1,4 @@
o Code simplifications and refactorings:
- Remove the torrc.complete file. It hasn't been kept up to date
and users will have better luck checking out the manpage.

14
contrib/checkOptionDocs.pl
View File

@ -4,17 +4,14 @@ use strict;
my %options = ();
my %descOptions = ();
my %torrcSampleOptions = ();
my %torrcCompleteOptions = ();
my %manPageOptions = ();
# Load the canonical list as actually accepted by Tor.
my $mostRecentOption;
open(F, "./src/or/tor --list-torrc-options |") or die;
while (<F>) {
next if m!\[notice\] Tor v0\.!;
if (m!^([A-Za-z0-9_]+)!) {
$mostRecentOption = lc $1;
$options{$mostRecentOption} = 1;
$options{$1} = 1;
} else {
print "Unrecognized output> ";
print;
@ -22,7 +19,7 @@ while (<F>) {
}
close F;
# Load the contents of torrc.sample and torrc.complete
# Load the contents of torrc.sample
sub loadTorrc {
my ($fname, $options) = @_;
local *F;
@ -30,7 +27,7 @@ sub loadTorrc {
while (<F>) {
next if (m!##+!);
if (m!#([A-Za-z0-9_]+)!) {
$options->{lc $1} = 1;
$options->{$1} = 1;
}
}
close F;
@ -38,7 +35,6 @@ sub loadTorrc {
}
loadTorrc("./src/config/torrc.sample.in", \%torrcSampleOptions);
loadTorrc("./src/config/torrc.complete.in", \%torrcCompleteOptions);
# Try to figure out what's in the man page.
@ -46,7 +42,7 @@ my $considerNextLine = 0;
open(F, "./doc/tor.1.txt") or die;
while (<F>) {
if (m!^\*\*([A-Za-z0-9_]+)\*\*!) {
$manPageOptions{lc $1} = 1;
$manPageOptions{$1} = 1;
}
}
close F;
@ -66,8 +62,6 @@ sub subtractHashes {
# subtractHashes("No online docs", \%options, \%descOptions);
# subtractHashes("Orphaned online docs", \%descOptions, \%options);
subtractHashes("Not in torrc.complete.in", \%options, \%torrcCompleteOptions);
subtractHashes("Orphaned in torrc.complete.in", \%torrcCompleteOptions, \%options);
subtractHashes("Orphaned in torrc.sample.in", \%torrcSampleOptions, \%options);
subtractHashes("Not in man page", \%options, \%manPageOptions);

2
doc/spec/address-spec.txt
View File

@ -12,7 +12,7 @@
These hostnames can be passed to Tor as the address part of a SOCKS4a or
SOCKS5 request. If the application is connected to Tor using an IP-only
method (such as SOCKS4, TransPort, or NatdPort), these hostnames can be
method (such as SOCKS4, TransPort, or NATDPort), these hostnames can be
substituted for certain IP addresses using the MapAddress configuration
option or the MAPADDRESS control command.

27
doc/tor.1.txt
View File

@ -89,14 +89,14 @@ Other options can be specified either on the command-line (--option
without impacting network performance.
**RelayBandwidthRate** __N__ **bytes**|**KB**|**MB**|**GB**::
If defined, a separate token bucket limits the average incoming bandwidth
If not 0, a separate token bucket limits the average incoming bandwidth
usage for \_relayed traffic_ on this node to the specified number of bytes
per second, and the average outgoing bandwidth usage to that same value.
Relayed traffic currently is calculated to include answers to directory
requests, but that may change in future versions. (Default: 0)
**RelayBandwidthBurst** __N__ **bytes**|**KB**|**MB**|**GB**::
Limit the maximum token bucket size (also known as the burst) for
If not 0, limit the maximum token bucket size (also known as the burst) for
\_relayed traffic_ to the given number of bytes in each direction.
(Default: 0)
@ -110,7 +110,7 @@ Other options can be specified either on the command-line (--option
You should never need to change this value, since a network-wide value is
published in the consensus and your relay will use that value. (Default: 0)
**ConLimit** __NUM__::
**ConnLimit** __NUM__::
The minimum number of file descriptors that must be available to the Tor
process before it will start. Tor will ask the OS for as many file
descriptors as the OS will allow (you can find this by "ulimit -H -n").
@ -426,7 +426,9 @@ The following options are useful only for clients (that is, if
This option controls whether circuits built by Tor will include relays with
the AllowSingleHopExits flag set to true. If ExcludeSingleHopRelays is set
to 0, these relays will be included. Note that these relays might be at
higher risk of being seized or observed, so they are not normally included.
higher risk of being seized or observed, so they are not normally
included. Also note that relatively few clients turn off this option,
so using these relays might make your client stand out.
(Default: 1)
**Bridge** __IP__:__ORPort__ [fingerprint]::
@ -683,7 +685,7 @@ The following options are useful only for clients (that is, if
**AllowDotExit** **0**|**1**::
If enabled, we convert "www.google.com.foo.exit" addresses on the
SocksPort/TransPort/NatdPort into "www.google.com" addresses that exit from
SocksPort/TransPort/NATDPort into "www.google.com" addresses that exit from
the node "foo". Disabled by default since attacking websites and exit
relays can use it to manipulate your path selection. (Default: 0)
@ -764,6 +766,11 @@ The following options are useful only for clients (that is, if
Like WarnPlaintextPorts, but instead of warning about risky port uses, Tor
will instead refuse to make the connection. (Default: None).
**AllowSingleHopCircuits** **0**|**1**::
When this option is set, the attached Tor controller can use relays
that have the **AllowSingleHopExits** option turned on to build
one-hop Tor connections. (Default: 0)
SERVER OPTIONS
--------------
@ -781,7 +788,9 @@ is non-zero):
**AllowSingleHopExits** **0**|**1**::
This option controls whether clients can use this server as a single hop
proxy. If set to 1, clients can use this server as an exit even if it is
the only hop in the circuit. (Default: 0)
the only hop in the circuit. Note that most clients will refuse to use
servers that set this option, since most clients have
ExcludeSingleHopRelays set. (Default: 0)
**AssumeReachable** **0**|**1**::
This option is used when bootstrapping a new Tor network. If set to 1,
@ -1216,6 +1225,11 @@ DIRECTORY AUTHORITY SERVER OPTIONS
server's preferred number, but the consensus of all preferences. Must be at
least 2. (Default: 3.)
**V3BandwidthsFile** __FILENAME__::
V3 authoritative directories only. Configures the location of the
bandiwdth-authority generated file storing information on relays' measured
bandwidth capacities. (Default: unset.)
HIDDEN SERVICE OPTIONS
----------------------
@ -1284,6 +1298,7 @@ The following options are used for running a testing Tor network.
V3AuthVotingInterval 5 minutes
V3AuthVoteDelay 20 seconds
V3AuthDistDelay 20 seconds
MinUptimeHidServDirectoryV2 0 seconds
TestingV3AuthInitialVotingInterval 5 minutes
TestingV3AuthInitialVoteDelay 20 seconds
TestingV3AuthInitialDistDelay 20 seconds

534
src/config/torrc.complete.in
View File

@ -1,534 +0,0 @@
####################################################################
## This config file is divided into four sections. They are:
## 1. Global Options (clients and servers)
## 2. Client Options Only
## 3. Server Options Only
## 4. Directory Server Options (for running your own Tor network)
## 5. Hidden Service Options (clients and servers)
##
## The conventions used are:
## double hash (##) is for summary text about the config option;
## single hash (#) is for the config option; and,
## the config option is always after the text.
####################################################################
## Section 1: Global Options (clients and servers)
## A token bucket limits the average incoming bandwidth on this node
## to the specified number of bytes per second. (Default: 2MB)
#BandwidthRate N bytes|KB|MB|GB|TB
## Limit the maximum token bucket size (also known as the burst) to
## the given number of bytes. (Default: 5 MB)
#BandwidthBurst N bytes|KB|MB|GB|TB
## If set, we will not advertise more than this amount of bandwidth
## for our BandwidthRate. Server operators who want to reduce the
## number of clients who ask to build circuits through them (since
## this is proportional to advertised bandwidth rate) can thus
## reduce the CPU demands on their server without impacting
## network performance.
#MaxAdvertisedBandwidth N bytes|KB|MB|GB|TB
## If set, Tor will accept connections from the same machine
## (localhost only) on this port, and allow those connections to
## control the Tor process using the Tor Control Protocol
## (described in control-spec.txt). Note: unless you also specify
## one of HashedControlPassword or CookieAuthentication, setting
## this option will cause Tor to allow any process on the local
## host to control it.
#ControlPort Port
## Dont allow any connections on the control port except when the
## other process knows the password whose one-way hash is
## hashed_password. You can compute the hash of a password by
## running "tor --hash-password password".
#HashedControlPassword hashed_password
## If this option is set to 1, dont allow any connections on the
## control port except when the connecting process knows the
## contents of a file named "control_auth_cookie", which Tor will
## create in its data directory. This authentication method
## should only be used on systems with good filesystem security.
## (Default: 0)
#CookieAuthentication 0|1
## Store working data in DIR (Default: /usr/local/var/lib/tor)
#DataDirectory DIR
## Every time the specified period elapses, Tor downloads a direc-
## tory. A directory contains a signed list of all known servers
## as well as their current liveness status. A value of "0 sec-
## onds" tells Tor to choose an appropriate default.
## (Default: 1 hour for clients, 20 minutes for servers)
#DirFetchPeriod N seconds|minutes|hours|days|weeks
## Tor only trusts directories signed with one of these keys, and
## uses the given addresses to connect to the trusted directory
## servers. If no DirServer lines are specified, Tor uses the built-in
## defaults (moria1, moria2, tor26), so you can leave this alone unless
## you need to change it.
##
## WARNING! Changing these options will make your Tor behave
## differently from everyone else's, and hurt your anonymity. Even
## uncommenting these lines is a bad idea. They are the defaults now,
## but the defaults may change in the future, leaving you behind.
##
#DirServer moria1 v1 18.244.0.188:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441
#DirServer moria2 v1 18.244.0.114:80 719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF
#DirServer tor26 v1 86.59.21.38:80 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D
## Attempt to lock current and future memory pages and effectively disable swap
# DisableAllSwap 0|1
## On startup, setgid to this user.
#Group GID
## Tor will make all its directory requests through this host:port
## (or host:80 if port is not specified), rather than connecting
## directly to any directory servers.
#HttpProxy host[:port]
## If defined, Tor will use this username:password for Basic Http
## proxy authentication, as in RFC 2617. This is currently the
## only form of Http proxy authentication that Tor supports; feel
## free to submit a patch if you want it to support others.
#HttpProxyAuthenticator username:password
## Tor will make all its OR (SSL) connections through this
## host:port (or host:443 if port is not specified), via HTTP CON-
## NECT rather than connecting directly to servers. You may want
## to set FascistFirewall to restrict the set of ports you might
## try to connect to, if your Https proxy only allows connecting
## to certain ports.
#HttpsProxy host[:port]
## If defined, Tor will use this username:password for Basic Https
## proxy authentication, as in RFC 2617. This is currently the
## only form of Https proxy authentication that Tor supports; feel
## free to submit a patch if you want it to support others.
#HttpsProxyAuthenticator username:password
## To keep firewalls from expiring connections, send a padding
## keepalive cell every NUM seconds on open connections that are
## in use. If the connection has no open circuits, it will instead
## be closed after NUM seconds of idleness. (Default: 5 minutes)
#KeepalivePeriod NUM
## Send all messages between minSeverity and maxSeverity to the
## standard output stream, the standard error stream, or to the
## system log. (The "syslog" value is only supported on Unix.)
## Recognized severity levels are debug, info, notice, warn, and
## err. If only one severity level is given, all messages of that
## level or higher will be sent to the listed destination.
#Log minSeverity[-maxSeverity] stderr|stdout|syslog
## As above, but send log messages to the listed filename. The
## "Log" option may appear more than once in a configuration file.
## Messages are sent to all the logs that match their severity
## level.
#Log minSeverity[-maxSeverity] file FILENAME
## Maximum number of simultaneous sockets allowed. You probably
## dont need to adjust this. (Default: 1024)
#MaxConn NUM
## Make all outbound connections originate from the IP address
## specified. This is only useful when you have multiple network
## interfaces, and you want all of Tors outgoing connections to
## use a single one.
#OutboundBindAddress IP
## On startup, write our PID to FILE. On clean shutdown, remove
## FILE.
#PIDFile FILE
## If 1, Tor forks and daemonizes to the background. (Default: 0)
#RunAsDaemon 0|1
## If 1, Tor replaces potentially sensitive strings in the logs
## (e.g. addresses) with the string [scrubbed]. This way logs can
## still be useful, but they dont leave behind personally identi-
## fying information about what sites a user might have visited.
## (Default: 1)
#SafeLogging 0|1
## Every time the specified period elapses, Tor downloads signed
## status information about the current state of known servers. A
## value of "0 seconds" tells Tor to choose an appropriate
## default. (Default: 30 minutes for clients, 15 minutes for
## servers)
#StatusFetchPeriod N seconds|minutes|hours|days|weeks
## On startup, setuid to this user.
#User UID
## If non-zero, try to use crypto hardware acceleration when
## available. (Default: 1)
#HardwareAccel 0|1
## Section 2: Client Options Only
## Where on our circuits should we allow Tor servers that the
## directory servers havent authenticated as "verified"?
## (Default: middle,rendezvous)
#AllowUnverifiedNodes entry|exit|middle|introduction|rendezvous|...
## If set to 1, Tor will under no circumstances run as a server.
## The default is to run as a client unless ORPort is configured.
## (Usually, you dont need to set this; Tor is pretty smart at
## figuring out whether you are reliable and high-bandwidth enough
## to be a useful server.)
## This option will likely be deprecated in the future; see the
## NoPublish option below. (Default: 0)
#ClientOnly 0|1
## A list of preferred nodes to use for the first hop in the
## circuit, if possible.
#EntryNodes nickname,nickname,...
## A list of preferred nodes to use for the last hop in the
## circuit, if possible.
#ExitNodes nickname,nickname,...
## A list of nodes to never use when building a circuit.
#ExcludeNodes nickname,nickname,...
## If 1, Tor will never use any nodes besides those listed in
## "exitnodes" for the last hop of a circuit.
#StrictExitNodes 0|1
## If 1, Tor will never use any nodes besides those listed in
## "entrynodes" for the first hop of a circuit.
#StrictEntryNodes 0|1
## If 1, Tor will only create outgoing connections to ORs running
## on ports that your firewall allows (defaults to 80 and 443; see
## FirewallPorts). This will allow you to run Tor as a client
## behind a firewall with restrictive policies, but will not allow
## you to run as a server behind such a firewall.
#FascistFirewall 0|1
## A list of ports that your firewall allows you to connect to.
## Only used when FascistFirewall is set. (Default: 80, 443)
#FirewallPorts PORTS
## A comma-separated list of IPs that your firewall allows you to
## connect to. Only used when FascistFirewall is set. The format
## is as for the addresses in ExitPolicy.
## For example, FirewallIPs 99.0.0.0/8, *:80 means that your
## firewall allows connections to everything inside net 99, and
## to port 80 outside.
#FirewallIPs ADDR[/MASK][:PORT]...
## A list of ports for services that tend to have long-running
## connections (e.g. chat and interactive shells). Circuits for
## streams that use these ports will contain only high-uptime
## nodes, to reduce the chance that a node will go down before the
## stream is finished. (Default: 21, 22, 706, 1863, 5050, 5190,
## 5222, 5223, 6667, 8300, 8888)
#LongLivedPorts PORTS
## When a request for address arrives to Tor, it will rewrite it
## to newaddress before processing it. For example, if you always
## want connections to www.indymedia.org to exit via torserver
## (where torserver is the nickname of the server),
## use "MapAddress www.indymedia.org www.indymedia.org.torserver.exit".
#MapAddress address newaddress
## Every NUM seconds consider whether to build a new circuit.
## (Default: 30 seconds)
#NewCircuitPeriod NUM
## Feel free to reuse a circuit that was first used at most NUM
## seconds ago, but never attach a new stream to a circuit that is
## too old. (Default: 10 minutes)
#MaxCircuitDirtiness NUM
## The named Tor servers constitute a "family" of similar or co-
## administered servers, so never use any two of them in the same
## circuit. Defining a NodeFamily is only needed when a server
## doesnt list the family itself (with MyFamily). This option can
## be used multiple times.
#NodeFamily nickname,nickname,...
## A list of preferred nodes to use for the rendezvous point, if
## possible.
#RendNodes nickname,nickname,...
## A list of nodes to never use when choosing a rendezvous point.
#RendExcludeNodes nickname,nickname,...
## Advertise this port to listen for connections from SOCKS-speak-
## ing applications. Set this to 0 if you dont want to allow
## application connections. (Default: 9050)
#SOCKSPort PORT
## Bind to this address to listen for connections from SOCKS-
## speaking applications. (Default: 127.0.0.1) You can also spec-
## ify a port (e.g. 192.168.0.1:9100). This directive can be spec-
## ified multiple times to bind to multiple addresses/ports.
#SOCKSBindAddress IP[:PORT]
## Set an entrance policy for this server, to limit who can con-
## nect to the SOCKS ports. The policies have the same form as
## exit policies below.
#SOCKSPolicy policy,policy,...
## For each value in the comma separated list, Tor will track
## recent connections to hosts that match this value and attempt
## to reuse the same exit node for each. If the value is prepended
## with a ., it is treated as matching an entire domain. If one
## of the values is just a ., it means match everything. This
## option is useful if you frequently connect to sites that will
## expire all your authentication cookies (ie log you out) if your
## IP address changes. Note that this option does have the disad-
## vantage of making it more clear that a given history is associ-
## ated with a single user. However, most people who would wish to
## observe this will observe it through cookies or other protocol-
## specific means anyhow.
#TrackHostExits host,.domain,...
## Since exit servers go up and down, it is desirable to expire
## the association between host and exit server after NUM seconds.
## The default is 1800 seconds (30 minutes).
#TrackHostExitsExpire NUM
## If this option is set to 1, we pick a few entry servers as our
## "helpers", and try to use only those fixed entry servers. This
## is desirable, because constantly changing servers increases the
## odds that an adversary who owns some servers will observe a
## fraction of your paths. (Defaults to 0; will eventually
## default to 1.)
#UseHelperNodes 0|1
## If UseHelperNodes is set to 1, we will try to pick a total of
## NUM helper nodes as entries for our circuits. (Defaults to 3.)
#NumHelperNodes NUM
## Section 3: Server Options Only
## The IP or fqdn of this server (e.g. moria.mit.edu). You can
## leave this unset, and Tor will guess your IP.
#Address address
## Administrative contact information for server.
#ContactInfo email_address
## Set an exit policy for this server. Each policy is of the form
## "accept|reject ADDR[/MASK][:PORT]". If /MASK is omitted then
## this policy just applies to the host given. Instead of giving
## a host or network you can also use "*" to denote the universe
## (0.0.0.0/0). PORT can be a single port number, an interval of
## ports "FROM_PORT-TO_PORT", or "*". If PORT is omitted, that
## means "*".
##
## For example, "reject 127.0.0.1:*,reject 192.168.1.0/24:*,accept
## *:*" would reject any traffic destined for localhost and any
## 192.168.1.* address, but accept anything else.
##
## This directive can be specified multiple times so you dont
## have to put it all on one line.
##
## See RFC 3330 for more details about internal and reserved IP
## address space. Policies are considered first to last, and the
## first match wins. If you want to _replace_ the default exit
## policy, end your exit policy with either a reject *:* or an
## accept *:*. Otherwise, youre _augmenting_ (prepending to) the
## default exit policy. The default exit policy is:
## reject 0.0.0.0/8
## reject 169.254.0.0/16
## reject 127.0.0.0/8
## reject 192.168.0.0/16
## reject 10.0.0.0/8
## reject 172.16.0.0/12
## reject *:25
## reject *:119
## reject *:135-139
## reject *:445
## reject *:1214
## reject *:4661-4666
## reject *:6346-6429
## reject *:6699
## reject *:6881-6999
## accept *:*
#ExitPolicy policy,policy,...
## If you have more than this number of onionskins queued for
## decrypt, reject new ones. (Default: 100)
#MaxOnionsPending NUM
## Declare that this Tor server is controlled or administered by a
## group or organization identical or similar to that of the other
## named servers. When two servers both declare that they are in
## the same family, Tor clients will not use them in the same
## circuit. (Each server only needs to list the other servers in
## its family; it doesnt need to list itself, but it wont hurt.)
#MyFamily nickname,nickname,...
## Set the servers nickname to name.
#Nickname name
## If you set NoPublish 1, Tor will act as a server if you have an
## ORPort defined, but it will not publish its descriptor to the
## dirservers. This option is useful if you're testing out your
## server, or if you're using alternate dirservers (e.g. for other
## Tor networks such as Blossom). (Default: 0)
#NoPublish 0|1
## How many processes to use at once for decrypting onionskins.
## (Default: 1)
#NumCPUs num
## Advertise this port to listen for connections from Tor clients
## and servers.
#ORPort PORT
## Bind to this IP address to listen for connections from Tor
## clients and servers. If you specify a port, bind to this port
## rather than the one specified in ORPort. (Default: 0.0.0.0)
#ORBindAddress IP[:PORT]
## Whenever an outgoing connection tries to connect to one of a
## given set of addresses, connect to target (an address:port
## pair) instead. The address pattern is given in the same format
## as for an exit policy. The address translation applies after
## exit policies are applied. Multiple RedirectExit options can
## be used: once any one has matched successfully, no subsequent
## rules are considered. You can specify that no redirection is
## to be performed on a given set of addresses by using the spe-
## cial target string "pass", which prevents subsequent rules from
## being considered.
#RedirectExit pattern target
## When we get a SIGINT and we're a server, we begin shutting
## down: we close listeners and start refusing new circuits. After
## NUM seconds, we exit. If we get a second SIGINT, we exit imme-
## diately. (Default: 30 seconds)
#ShutdownWaitLengthNUM
## Every time the specified period elapses, Tor uploads its server
## descriptors to the directory servers. This information is also
## uploaded whenever it changes. (Default: 20 minutes)
#DirPostPeriod N seconds|minutes|hours|days|weeks
## A token bucket limits the average relayed bandwidth (server
## traffic only, not client traffic) on this node to the specified
## number of bytes per second.
#RelayBandwidthRate N bytes|KB|MB|GB|TB
## Limit the maximum token bucket size (also known as the burst) for
## relayed traffic (server traffic only, not client traffic) to the
## given number of bytes.
#RelayBandwidthBurst N bytes|KB|MB|GB|TB
## Never send more than the specified number of bytes in a given
## accounting period, or receive more than that number in the
## period. For example, with AccountingMax set to 1 GB, a server
## could send 900 MB and receive 800 MB and continue running. It
## will only hibernate once one of the two reaches 1 GB. When the
## number of bytes is exhausted, Tor will hibernate until some
## time in the next accounting period. To prevent all servers
## from waking at the same time, Tor will also wait until a random
## point in each period before waking up. If you have bandwidth
## cost issues, enabling hibernation is preferable to setting a
## low bandwidth, since it provides users with a collection of
## fast servers that are up some of the time, which is more useful
## than a set of slow servers that are always "available".
#AccountingMax N bytes|KB|MB|GB|TB
## Specify how long accounting periods last. If month is given,
## each accounting period runs from the time HH:MM on the dayth
## day of one month to the same day and time of the next. (The
## day must be between 1 and 28.) If week is given, each account-
## ing period runs from the time HH:MM of the dayth day of one
## week to the same day and time of the next week, with Monday as
## day 1 and Sunday as day 7. If day is given, each accounting
## period runs from the time HH:MM each day to the same time on
## the next day. All times are local, and given in 24-hour time.
## (Defaults to "month 1 0:00".)
#AccountingStart day|week|month [day] HH:MM
## Section 4: Directory Server Options (for running your own Tor
## network)
## When this option is set to 1, Tor operates as an authoritative
## directory server. Instead of caching the directory, it gener-
## ates its own list of good servers, signs it, and sends that to
## the clients. Unless the clients already have you listed as a
## trusted directory, you probably do not want to set this option.
## Please coordinate with the other admins at
## tor-ops@freehaven.net if you think you should be a directory.
#AuthoritativeDirectory 0|1
## Advertise the directory service on this port.
#DirPort PORT
## Bind the directory service to this address. If you specify a
## port, bind to this port rather than the one specified in DirPort.
## (Default: 0.0.0.0)
#DirBindAddress IP[:PORT]
## Set an entrance policy for this server, to limit who can con-
## nect to the directory ports. The policies have the same form
## as exit policies above.
#DirPolicy policy,policy,...
## STRING is a command-separated list of Tor versions currently
## believed to be safe. The list is included in each directory,
## and nodes which pull down the directory learn whether they need
## to upgrade. This option can appear multiple times: the values
## from multiple lines are spliced together.
#RecommendedVersions STRING
## If set to 1, Tor will accept router descriptors with arbitrary
## "Address" elements. Otherwise, if the address is not an IP or
## is a private IP, it will reject the router descriptor. Defaults
## to 0.
#DirAllowPrivateAddresses 0|1
## If set to 1, Tor tries to build circuits through all of the
## servers it knows about, so it can tell which are up and which
## are down. This option is only useful for authoritative direc-
## tories, so you probably don't want to use it.
#RunTesting 0|1
## Section 5: Hidden Service Options (clients and servers)
## Store data files for a hidden service in DIRECTORY. Every hid-
## den service must have a separate directory. You may use this
## option multiple times to specify multiple services.
#HiddenServiceDir DIRECTORY
## Configure a virtual port VIRTPORT for a hidden service. You
## may use this option multiple times; each time applies to the
## service using the most recent hiddenservicedir. By default,
## this option maps the virtual port to the same port on
## 127.0.0.1. You may override the target port, address, or both
## by specifying a target of addr, port, or addr:port.
#HiddenServicePort VIRTPORT [TARGET]
## If possible, use the specified nodes as introduction points for
## the hidden service. If this is left unset, Tor will be smart
## and pick some reasonable ones; most people can leave this unset.
#HiddenServiceNodes nickname,nickname,...
## Do not use the specified nodes as introduction points for the
## hidden service. In normal use there is no reason to set this.
#HiddenServiceExcludeNodes nickname,nickname,...
## Publish the given rendezvous service descriptor versions for the
## hidden service.
#HiddenServiceVersion 0,2
## Every time the specified period elapses, Tor uploads any ren-
## dezvous service descriptors to the directory servers. This
## information is also uploaded whenever it changes.
## (Default: 1 hour)
#RendPostPeriod N seconds|minutes|hours|days|weeks
#

92
src/or/config.c
View File

@ -85,7 +85,7 @@ static config_abbrev_t _option_abbrevs[] = {
PLURAL(LongLivedPort),
PLURAL(HiddenServiceNode),
PLURAL(HiddenServiceExcludeNode),
PLURAL(NumCpu),
PLURAL(NumCPU),
PLURAL(RendNode),
PLURAL(RendExcludeNode),
PLURAL(StrictEntryNode),
@ -279,10 +279,10 @@ static config_var_t _option_vars[] = {
V(HidServAuth, LINELIST, NULL),
V(HSAuthoritativeDir, BOOL, "0"),
OBSOLETE("HSAuthorityRecordStats"),
V(HttpProxy, STRING, NULL),
V(HttpProxyAuthenticator, STRING, NULL),
V(HttpsProxy, STRING, NULL),
V(HttpsProxyAuthenticator, STRING, NULL),
V(HTTPProxy, STRING, NULL),
V(HTTPProxyAuthenticator, STRING, NULL),
V(HTTPSProxy, STRING, NULL),
V(HTTPSProxyAuthenticator, STRING, NULL),
V(Socks4Proxy, STRING, NULL),
V(Socks5Proxy, STRING, NULL),
V(Socks5ProxyUsername, STRING, NULL),
@ -304,13 +304,13 @@ static config_var_t _option_vars[] = {
V(MyFamily, STRING, NULL),
V(NewCircuitPeriod, INTERVAL, "30 seconds"),
VAR("NamingAuthoritativeDirectory",BOOL, NamingAuthoritativeDir, "0"),
V(NatdListenAddress, LINELIST, NULL),
V(NatdPort, UINT, "0"),
V(NATDListenAddress, LINELIST, NULL),
V(NATDPort, UINT, "0"),
V(Nickname, STRING, NULL),
V(WarnUnsafeSocks, BOOL, "1"),
V(NoPublish, BOOL, "0"),
OBSOLETE("NoPublish"),
VAR("NodeFamily", LINELIST, NodeFamilies, NULL),
V(NumCpus, UINT, "0"),
V(NumCPUs, UINT, "0"),
V(NumEntryGuards, UINT, "3"),
V(ORListenAddress, LINELIST, NULL),
V(ORPort, UINT, "0"),
@ -343,7 +343,8 @@ static config_var_t _option_vars[] = {
V(RephistTrackTime, INTERVAL, "24 hours"),
OBSOLETE("RouterFile"),
V(RunAsDaemon, BOOL, "0"),
V(RunTesting, BOOL, "0"),
// V(RunTesting, BOOL, "0"),
OBSOLETE("RunTesting"), // currently unused
V(SafeLogging, STRING, "1"),
V(SafeSocks, BOOL, "0"),
V(ServerDNSAllowBrokenConfig, BOOL, "1"),
@ -2952,8 +2953,8 @@ options_validate(or_options_t *old_options, or_options_t *options,
if (options->TransPort == 0 && options->TransListenAddress != NULL)
REJECT("TransPort must be defined if TransListenAddress is defined.");
if (options->NatdPort == 0 && options->NatdListenAddress != NULL)
REJECT("NatdPort must be defined if NatdListenAddress is defined.");
if (options->NATDPort == 0 && options->NATDListenAddress != NULL)
REJECT("NATDPort must be defined if NATDListenAddress is defined.");
/* Don't gripe about SocksPort 0 with SocksListenAddress set; a standard
* configuration does this. */
@ -2972,8 +2973,8 @@ options_validate(or_options_t *old_options, or_options_t *options,
old = old_options ? old_options->TransListenAddress : NULL;
tp = "transparent proxy";
} else {
opt = options->NatdListenAddress;
old = old_options ? old_options->NatdListenAddress : NULL;
opt = options->NATDListenAddress;
old = old_options ? old_options->NATDListenAddress : NULL;
tp = "natd proxy";
}
@ -3030,14 +3031,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
if (options_init_logs(options, 1)<0) /* Validate the log(s) */
REJECT("Failed to validate Log options. See logs for details.");
if (options->NoPublish) {
log(LOG_WARN, LD_CONFIG,
"NoPublish is obsolete. Use PublishServerDescriptor instead.");
SMARTLIST_FOREACH(options->PublishServerDescriptor, char *, s,
tor_free(s));
smartlist_clear(options->PublishServerDescriptor);
}
if (authdir_mode(options)) {
/* confirm that our address isn't broken, so we can complain now */
uint32_t tmp;
@ -3065,14 +3058,14 @@ options_validate(or_options_t *old_options, or_options_t *options,
if (options->TransPort < 0 || options->TransPort > 65535)
REJECT("TransPort option out of bounds.");
if (options->NatdPort < 0 || options->NatdPort > 65535)
REJECT("NatdPort option out of bounds.");
if (options->NATDPort < 0 || options->NATDPort > 65535)
REJECT("NATDPort option out of bounds.");
if (options->SocksPort == 0 && options->TransPort == 0 &&
options->NatdPort == 0 && options->ORPort == 0 &&
options->NATDPort == 0 && options->ORPort == 0 &&
options->DNSPort == 0 && !options->RendConfigLines)
log(LOG_WARN, LD_CONFIG,
"SocksPort, TransPort, NatdPort, DNSPort, and ORPort are all "
"SocksPort, TransPort, NATDPort, DNSPort, and ORPort are all "
"undefined, and there aren't any hidden services configured. "
"Tor will still run, but probably won't do anything.");
@ -3435,32 +3428,32 @@ options_validate(or_options_t *old_options, or_options_t *options,
if (accounting_parse_options(options, 1)<0)
REJECT("Failed to parse accounting options. See logs for details.");
if (options->HttpProxy) { /* parse it now */
if (tor_addr_port_parse(options->HttpProxy,
&options->HttpProxyAddr, &options->HttpProxyPort) < 0)
REJECT("HttpProxy failed to parse or resolve. Please fix.");
if (options->HttpProxyPort == 0) { /* give it a default */
options->HttpProxyPort = 80;
if (options->HTTPProxy) { /* parse it now */
if (tor_addr_port_parse(options->HTTPProxy,
&options->HTTPProxyAddr, &options->HTTPProxyPort) < 0)
REJECT("HTTPProxy failed to parse or resolve. Please fix.");
if (options->HTTPProxyPort == 0) { /* give it a default */
options->HTTPProxyPort = 80;
}
}
if (options->HttpProxyAuthenticator) {
if (strlen(options->HttpProxyAuthenticator) >= 48)
REJECT("HttpProxyAuthenticator is too long (>= 48 chars).");
if (options->HTTPProxyAuthenticator) {
if (strlen(options->HTTPProxyAuthenticator) >= 48)
REJECT("HTTPProxyAuthenticator is too long (>= 48 chars).");
}
if (options->HttpsProxy) { /* parse it now */
if (tor_addr_port_parse(options->HttpsProxy,
&options->HttpsProxyAddr, &options->HttpsProxyPort) <0)
REJECT("HttpsProxy failed to parse or resolve. Please fix.");
if (options->HttpsProxyPort == 0) { /* give it a default */
options->HttpsProxyPort = 443;
if (options->HTTPSProxy) { /* parse it now */
if (tor_addr_port_parse(options->HTTPSProxy,
&options->HTTPSProxyAddr, &options->HTTPSProxyPort) <0)
REJECT("HTTPSProxy failed to parse or resolve. Please fix.");
if (options->HTTPSProxyPort == 0) { /* give it a default */
options->HTTPSProxyPort = 443;
}
}
if (options->HttpsProxyAuthenticator) {
if (strlen(options->HttpsProxyAuthenticator) >= 48)
REJECT("HttpsProxyAuthenticator is too long (>= 48 chars).");
if (options->HTTPSProxyAuthenticator) {
if (strlen(options->HTTPSProxyAuthenticator) >= 48)
REJECT("HTTPSProxyAuthenticator is too long (>= 48 chars).");
}
if (options->Socks4Proxy) { /* parse it now */
@ -3661,10 +3654,10 @@ options_validate(or_options_t *old_options, or_options_t *options,
REJECT("Must set TunnelDirConns if PreferTunneledDirConns is set.");
if ((options->Socks4Proxy || options->Socks5Proxy) &&
!options->HttpProxy && !options->PreferTunneledDirConns)
!options->HTTPProxy && !options->PreferTunneledDirConns)
REJECT("When Socks4Proxy or Socks5Proxy is configured, "
"PreferTunneledDirConns and TunnelDirConns must both be "
"set to 1, or HttpProxy must be configured.");
"set to 1, or HTTPProxy must be configured.");
if (options->AutomapHostsSuffixes) {
SMARTLIST_FOREACH(options->AutomapHostsSuffixes, char *, suf,
@ -3845,7 +3838,7 @@ options_transition_affects_workers(or_options_t *old_options,
or_options_t *new_options)
{
if (!opt_streq(old_options->DataDirectory, new_options->DataDirectory) ||
old_options->NumCpus != new_options->NumCpus ||
old_options->NumCPUs != new_options->NumCPUs ||
old_options->ORPort != new_options->ORPort ||
old_options->ServerDNSSearchDomains !=
new_options->ServerDNSSearchDomains ||
@ -3877,7 +3870,6 @@ options_transition_affects_descriptor(or_options_t *old_options,
old_options->ORPort != new_options->ORPort ||
old_options->DirPort != new_options->DirPort ||
old_options->ClientOnly != new_options->ClientOnly ||
old_options->NoPublish != new_options->NoPublish ||
old_options->_PublishServerDescriptor !=
new_options->_PublishServerDescriptor ||
get_effective_bwrate(old_options) != get_effective_bwrate(new_options) ||
@ -5000,11 +4992,11 @@ config_parse_interval(const char *s, int *ok)
int
get_num_cpus(const or_options_t *options)
{
if (options->NumCpus == 0) {
if (options->NumCPUs == 0) {
int n = compute_num_cpus();
return (n >= 1) ? n : 1;
} else {
return options->NumCpus;
return options->NumCPUs;
}
}

8
src/or/connection.c
View File

@ -623,7 +623,7 @@ connection_about_to_close_connection(connection_t *conn)
or_options_t *options = get_options();
rep_hist_note_connect_failed(or_conn->identity_digest, now);
entry_guard_register_connect_status(or_conn->identity_digest,0,
!options->HttpsProxy, now);
!options->HTTPSProxy, now);
if (conn->state >= OR_CONN_STATE_TLS_HANDSHAKING) {
int reason = tls_error_to_orconn_end_reason(or_conn->tls_error);
control_event_or_conn_status(or_conn, OR_CONN_EVENT_FAILED,
@ -1413,7 +1413,7 @@ connection_proxy_connect(connection_t *conn, int type)
case PROXY_CONNECT: {
char buf[1024];
char *base64_authenticator=NULL;
const char *authenticator = options->HttpsProxyAuthenticator;
const char *authenticator = options->HTTPSProxyAuthenticator;
/* Send HTTP CONNECT and authentication (if available) in
* one request */
@ -1918,8 +1918,8 @@ retry_all_listeners(smartlist_t *replaced_conns,
replaced_conns, new_conns, 0,
AF_INET)<0)
return -1;
if (retry_listeners(CONN_TYPE_AP_NATD_LISTENER, options->NatdListenAddress,
options->NatdPort, "127.0.0.1",
if (retry_listeners(CONN_TYPE_AP_NATD_LISTENER, options->NATDListenAddress,
options->NATDPort, "127.0.0.1",
replaced_conns, new_conns, 0,
AF_INET)<0)
return -1;

8
src/or/connection_edge.c
View File

@ -2004,13 +2004,13 @@ connection_ap_process_natd(edge_connection_t *conn)
if (err == 0)
return 0;
if (err < 0) {
log_warn(LD_APP,"Natd handshake failed (DEST too long). Closing");
log_warn(LD_APP,"NATD handshake failed (DEST too long). Closing");
connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
return -1;
}
if (strcmpstart(tmp_buf, "[DEST ")) {
log_warn(LD_APP,"Natd handshake was ill-formed; closing. The client "
log_warn(LD_APP,"NATD handshake was ill-formed; closing. The client "
"said: %s",
escaped(tmp_buf));
connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
@ -2019,7 +2019,7 @@ connection_ap_process_natd(edge_connection_t *conn)
daddr = tbuf = &tmp_buf[0] + 6; /* after end of "[DEST " */
if (!(tbuf = strchr(tbuf, ' '))) {
log_warn(LD_APP,"Natd handshake was ill-formed; closing. The client "
log_warn(LD_APP,"NATD handshake was ill-formed; closing. The client "
"said: %s",
escaped(tmp_buf));
connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
@ -2033,7 +2033,7 @@ connection_ap_process_natd(edge_connection_t *conn)
socks->port = (uint16_t)
tor_parse_long(tbuf, 10, 1, 65535, &port_ok, &daddr);
if (!port_ok) {
log_warn(LD_APP,"Natd handshake failed; port %s is ill-formed or out "
log_warn(LD_APP,"NATD handshake failed; port %s is ill-formed or out "
"of range.", escaped(tbuf));
connection_mark_unattached_ap(conn, END_STREAM_REASON_INVALID_NATD_DEST);
return -1;

8
src/or/connection_or.c
View File

@ -326,7 +326,7 @@ connection_or_finished_connecting(or_connection_t *or_conn)
proxy_type = PROXY_NONE;
if (get_options()->HttpsProxy)
if (get_options()->HTTPSProxy)
proxy_type = PROXY_CONNECT;
else if (get_options()->Socks4Proxy)
proxy_type = PROXY_SOCKS4;
@ -842,10 +842,10 @@ connection_or_connect(const tor_addr_t *_addr, uint16_t port,
control_event_or_conn_status(conn, OR_CONN_EVENT_LAUNCHED, 0);
/* use a proxy server if available */
if (options->HttpsProxy) {
if (options->HTTPSProxy) {
using_proxy = 1;
tor_addr_copy(&addr, &options->HttpsProxyAddr);
port = options->HttpsProxyPort;
tor_addr_copy(&addr, &options->HTTPSProxyAddr);
port = options->HTTPSProxyPort;
} else if (options->Socks4Proxy) {
using_proxy = 1;
tor_addr_copy(&addr, &options->Socks4ProxyAddr);

12
src/or/directory.c
View File

@ -860,7 +860,7 @@ directory_initiate_command_rend(const char *address, const tor_addr_t *_addr,
/* ensure that we don't make direct connections when a SOCKS server is
* configured. */
if (!anonymized_connection && !use_begindir && !options->HttpProxy &&
if (!anonymized_connection && !use_begindir && !options->HTTPProxy &&
(options->Socks4Proxy || options->Socks5Proxy)) {
log_warn(LD_DIR, "Cannot connect to a directory server through a "
"SOCKS proxy!");
@ -891,9 +891,9 @@ directory_initiate_command_rend(const char *address, const tor_addr_t *_addr,
if (!anonymized_connection && !use_begindir) {
/* then we want to connect to dirport directly */
if (options->HttpProxy) {
tor_addr_copy(&addr, &options->HttpProxyAddr);
dir_port = options->HttpProxyPort;
if (options->HTTPProxy) {
tor_addr_copy(&addr, &options->HTTPProxyAddr);
dir_port = options->HTTPProxyPort;
}
switch (connection_connect(TO_CONN(conn), conn->_base.address, &addr,
@ -1084,9 +1084,9 @@ directory_send_command(dir_connection_t *conn,
}
/* come up with some proxy lines, if we're using one. */
if (direct && get_options()->HttpProxy) {
if (direct && get_options()->HTTPProxy) {
char *base64_authenticator=NULL;
const char *authenticator = get_options()->HttpProxyAuthenticator;
const char *authenticator = get_options()->HTTPProxyAuthenticator;
tor_snprintf(proxystring, sizeof(proxystring),"http://%s", hoststring);
if (authenticator) {

28
src/or/or.h
View File

@ -2535,7 +2535,7 @@ typedef struct {
* connections. */
config_line_t *TransListenAddress;
/** Addresses to bind for listening for transparent natd connections */
config_line_t *NatdListenAddress;
config_line_t *NATDListenAddress;
/** Addresses to bind for listening for SOCKS connections. */
config_line_t *DNSListenAddress;
/** Addresses to bind for listening for OR connections. */
@ -2559,7 +2559,7 @@ typedef struct {
int SocksPort; /**< Port to listen on for SOCKS connections. */
/** Port to listen on for transparent pf/netfilter connections. */
int TransPort;
int NatdPort; /**< Port to listen on for transparent natd connections. */
int NATDPort; /**< Port to listen on for transparent natd connections. */
int ControlPort; /**< Port to listen on for control connections. */
config_line_t *ControlSocket; /**< List of Unix Domain Sockets to listen on
* for control connections. */
@ -2603,8 +2603,6 @@ typedef struct {
int AvoidDiskWrites; /**< Boolean: should we never cache things to disk?
* Not used yet. */
int ClientOnly; /**< Boolean: should we never evolve into a server role? */
/** Boolean: should we never publish a descriptor? Deprecated. */
int NoPublish;
/** To what authority types do we publish our descriptor? Choices are
* "v1", "v2", "v3", "bridge", or "". */
smartlist_t *PublishServerDescriptor;
@ -2703,24 +2701,24 @@ typedef struct {
* use in a second for all relayed conns? */
uint64_t PerConnBWRate; /**< Long-term bw on a single TLS conn, if set. */
uint64_t PerConnBWBurst; /**< Allowed burst on a single TLS conn, if set. */
int NumCpus; /**< How many CPUs should we try to use? */
int RunTesting; /**< If true, create testing circuits to measure how well the
* other ORs are running. */
int NumCPUs; /**< How many CPUs should we try to use? */
//int RunTesting; /**< If true, create testing circuits to measure how well the
// * other ORs are running. */
config_line_t *RendConfigLines; /**< List of configuration lines
* for rendezvous services. */
config_line_t *HidServAuth; /**< List of configuration lines for client-side
* authorizations for hidden services */
char *ContactInfo; /**< Contact info to be published in the directory. */
char *HttpProxy; /**< hostname[:port] to use as http proxy, if any. */
tor_addr_t HttpProxyAddr; /**< Parsed IPv4 addr for http proxy, if any. */
uint16_t HttpProxyPort; /**< Parsed port for http proxy, if any. */
char *HttpProxyAuthenticator; /**< username:password string, if any. */
char *HTTPProxy; /**< hostname[:port] to use as http proxy, if any. */
tor_addr_t HTTPProxyAddr; /**< Parsed IPv4 addr for http proxy, if any. */
uint16_t HTTPProxyPort; /**< Parsed port for http proxy, if any. */
char *HTTPProxyAuthenticator; /**< username:password string, if any. */
char *HttpsProxy; /**< hostname[:port] to use as https proxy, if any. */
tor_addr_t HttpsProxyAddr; /**< Parsed addr for https proxy, if any. */
uint16_t HttpsProxyPort; /**< Parsed port for https proxy, if any. */
char *HttpsProxyAuthenticator; /**< username:password string, if any. */
char *HTTPSProxy; /**< hostname[:port] to use as https proxy, if any. */
tor_addr_t HTTPSProxyAddr; /**< Parsed addr for https proxy, if any. */
uint16_t HTTPSProxyPort; /**< Parsed port for https proxy, if any. */
char *HTTPSProxyAuthenticator; /**< username:password string, if any. */
char *Socks4Proxy; /**< hostname:port to use as a SOCKS4 proxy, if any. */
tor_addr_t Socks4ProxyAddr; /**< Derived from Socks4Proxy. */

2
src/or/router.c
View File

@ -1104,7 +1104,7 @@ proxy_mode(or_options_t *options)
{
return (options->SocksPort != 0 || options->SocksListenAddress ||
options->TransPort != 0 || options->TransListenAddress ||
options->NatdPort != 0 || options->NatdListenAddress ||
options->NATDPort != 0 || options->NATDListenAddress ||
options->DNSPort != 0 || options->DNSListenAddress);
}