nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-10 21:23:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bug1751_enabling' into maint-0.2.2

Browse Source
This commit is contained in:
Nick Mathewson 2010-09-27 17:08:03 -04:00
commit c97072ef34
6 changed files with 69 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/or/config.c
View File

@ -327,7 +327,7 @@ static config_var_t _option_vars[] = {
V(RecommendedClientVersions, LINELIST, NULL), V(RecommendedClientVersions, LINELIST, NULL),
V(RecommendedServerVersions, LINELIST, NULL), V(RecommendedServerVersions, LINELIST, NULL),
OBSOLETE("RedirectExit"), OBSOLETE("RedirectExit"),
V(RefuseUnknownExits, BOOL, "0"), V(RefuseUnknownExits, STRING, "auto"),
V(RejectPlaintextPorts, CSV, ""), V(RejectPlaintextPorts, CSV, ""),
V(RelayBandwidthBurst, MEMUNIT, "0"), V(RelayBandwidthBurst, MEMUNIT, "0"),
V(RelayBandwidthRate, MEMUNIT, "0"), V(RelayBandwidthRate, MEMUNIT, "0"),
@ -1231,6 +1231,18 @@ options_act(or_options_t *old_options)
if (accounting_is_enabled(options)) if (accounting_is_enabled(options))
configure_accounting(time(NULL)); configure_accounting(time(NULL));
/* parse RefuseUnknownExits tristate */
if (!strcmp(options->RefuseUnknownExits, "0"))
options->RefuseUnknownExits_ = 0;
else if (!strcmp(options->RefuseUnknownExits, "1"))
options->RefuseUnknownExits_ = 1;
else if (!strcmp(options->RefuseUnknownExits, "auto"))
options->RefuseUnknownExits_ = -1;
else {
/* Should have caught this in options_validate */
return -1;
}
/* Change the cell EWMA settings */ /* Change the cell EWMA settings */
cell_ewma_set_scale_factor(options, networkstatus_get_latest_consensus()); cell_ewma_set_scale_factor(options, networkstatus_get_latest_consensus());
@ -2997,6 +3009,12 @@ options_validate(or_options_t *old_options, or_options_t *options,
REJECT("Failed to resolve/guess local address. See logs for details."); REJECT("Failed to resolve/guess local address. See logs for details.");
} }
if (strcmp(options->RefuseUnknownExits, "0") &&
strcmp(options->RefuseUnknownExits, "1") &&
strcmp(options->RefuseUnknownExits, "auto")) {
REJECT("RefuseUnknownExits must be 0, 1, or auto");
}
#ifndef MS_WINDOWS #ifndef MS_WINDOWS
if (options->RunAsDaemon && torrc_fname && path_is_relative(torrc_fname)) if (options->RunAsDaemon && torrc_fname && path_is_relative(torrc_fname))
REJECT("Can't use a relative path to torrc when RunAsDaemon is set."); REJECT("Can't use a relative path to torrc when RunAsDaemon is set.");

11
src/or/connection_edge.c
View File

@ -2488,6 +2488,7 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
char *address=NULL; char *address=NULL;
uint16_t port; uint16_t port;
or_circuit_t *or_circ = NULL; or_circuit_t *or_circ = NULL;
or_options_t *options = get_options();
assert_circuit_ok(circ); assert_circuit_ok(circ);
if (!CIRCUIT_IS_ORIGIN(circ)) if (!CIRCUIT_IS_ORIGIN(circ))
@ -2500,7 +2501,7 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
* that we have a stream connected to a circuit, and we don't connect to a * that we have a stream connected to a circuit, and we don't connect to a
* circuit until we have a pending/successful resolve. */ * circuit until we have a pending/successful resolve. */
if (!server_mode(get_options()) && if (!server_mode(options) &&
circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) { circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) {
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
"Relay begin cell at non-server. Closing."); "Relay begin cell at non-server. Closing.");
@ -2533,13 +2534,11 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
tor_free(address); tor_free(address);
return 0; return 0;
} }
if (or_circ && or_circ->p_conn && !get_options()->AllowSingleHopExits && if (or_circ && or_circ->p_conn && !options->AllowSingleHopExits &&
(or_circ->is_first_hop || (or_circ->is_first_hop ||
(!connection_or_digest_is_known_relay( (!connection_or_digest_is_known_relay(
or_circ->p_conn->identity_digest) && or_circ->p_conn->identity_digest) &&
// XXX022 commented out so we can test it first in 0.2.2.11 -RD should_refuse_unknown_exits(options)))) {
// networkstatus_get_param(NULL, "refuseunknownexits", 1)))) {
get_options()->RefuseUnknownExits))) {
/* Don't let clients use us as a single-hop proxy, unless the user /* Don't let clients use us as a single-hop proxy, unless the user
* has explicitly allowed that in the config. It attracts attackers * has explicitly allowed that in the config. It attracts attackers
* and users who'd be better off with, well, single-hop proxies. * and users who'd be better off with, well, single-hop proxies.
@ -2559,7 +2558,7 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
return 0; return 0;
} }
} else if (rh.command == RELAY_COMMAND_BEGIN_DIR) { } else if (rh.command == RELAY_COMMAND_BEGIN_DIR) {
if (!directory_permits_begindir_requests(get_options()) || if (!directory_permits_begindir_requests(options) ||
circ->purpose != CIRCUIT_PURPOSE_OR) { circ->purpose != CIRCUIT_PURPOSE_OR) {
relay_send_end_cell_from_edge(rh.stream_id, circ, relay_send_end_cell_from_edge(rh.stream_id, circ,
END_STREAM_REASON_NOTDIRECTORY, NULL); END_STREAM_REASON_NOTDIRECTORY, NULL);

12
src/or/dirserv.c
View File

@ -1153,18 +1153,21 @@ directory_fetches_from_authorities(or_options_t *options)
{ {
routerinfo_t *me; routerinfo_t *me;
uint32_t addr; uint32_t addr;
int refuseunknown;
if (options->FetchDirInfoEarly) if (options->FetchDirInfoEarly)
return 1; return 1;
if (options->BridgeRelay == 1) if (options->BridgeRelay == 1)
return 0; return 0;
if (server_mode(options) && router_pick_published_address(options, &addr)<0) if (server_mode(options) && router_pick_published_address(options, &addr)<0)
return 1; /* we don't know our IP address; ask an authority. */ return 1; /* we don't know our IP address; ask an authority. */
if (options->DirPort == 0 && !options->RefuseUnknownExits) refuseunknown = router_my_exit_policy_is_reject_star() &&
should_refuse_unknown_exits(options);
if (options->DirPort == 0 && !refuseunknown)
return 0; return 0;
if (!server_mode(options) || !advertised_server_mode()) if (!server_mode(options) || !advertised_server_mode())
return 0; return 0;
me = router_get_my_routerinfo(); me = router_get_my_routerinfo();
if (!me || (!me->dir_port && !options->RefuseUnknownExits)) if (!me || (!me->dir_port && !refuseunknown))
return 0; /* if dirport not advertised, return 0 too */ return 0; /* if dirport not advertised, return 0 too */
return 1; return 1;
} }
@ -1208,7 +1211,10 @@ directory_caches_dir_info(or_options_t *options)
return 1; return 1;
if (!server_mode(options) || !advertised_server_mode()) if (!server_mode(options) || !advertised_server_mode())
return 0; return 0;
return options->RefuseUnknownExits; /* We need an up-to-date view of network info if we're going to try to
* block exit attempts from unknown relays. */
return router_my_exit_policy_is_reject_star() &&
should_refuse_unknown_exits(options);
} }
/** Return 1 if we want to allow remote people to ask us directory /** Return 1 if we want to allow remote people to ask us directory

11
src/or/or.h
View File

@ -2468,10 +2468,13 @@ typedef struct {
int ConstrainedSockets; /**< Shrink xmit and recv socket buffers. */ int ConstrainedSockets; /**< Shrink xmit and recv socket buffers. */
uint64_t ConstrainedSockSize; /**< Size of constrained buffers. */ uint64_t ConstrainedSockSize; /**< Size of constrained buffers. */
/** Whether we should drop exit streams from Tors that we don't know /** Whether we should drop exit streams from Tors that we don't know are
* are relays. XXX022 In here for 0.2.2.11 as a temporary test before * relays. One of "0" (never refuse), "1" (always refuse), or "auto" (do
* we switch over to putting it in consensusparams. -RD */ * what the consensus says, defaulting to 'refuse' if the consensus says
int RefuseUnknownExits; * nothing). */
char *RefuseUnknownExits;
/** Parsed version of RefuseUnknownExits. -1 for auto. */
int RefuseUnknownExits_;
/** Application ports that require all nodes in circ to have sufficient /** Application ports that require all nodes in circ to have sufficient
* uptime. */ * uptime. */

27
src/or/router.c
View File

@ -18,6 +18,7 @@
#include "geoip.h" #include "geoip.h"
#include "hibernate.h" #include "hibernate.h"
#include "main.h" #include "main.h"
#include "networkstatus.h"
#include "policies.h" #include "policies.h"
#include "relay.h" #include "relay.h"
#include "rephist.h" #include "rephist.h"
@ -975,6 +976,19 @@ server_mode(or_options_t *options)
return (options->ORPort != 0 || options->ORListenAddress); return (options->ORPort != 0 || options->ORListenAddress);
} }
/** Return true iff the combination of options in <b>options</b> and parameters
* in <b>consensus</b> mean that we don't want to allow exits from circuits
* we got from addresses not known to be servers. */
int
should_refuse_unknown_exits(or_options_t *options)
{
if (options->RefuseUnknownExits_ != -1) {
return options->RefuseUnknownExits_;
} else {
return networkstatus_get_param(NULL, "refuseunknownexits", 1);
}
}
/** Remember if we've advertised ourselves to the dirservers. */ /** Remember if we've advertised ourselves to the dirservers. */
static int server_is_advertised=0; static int server_is_advertised=0;
@ -1137,6 +1151,17 @@ router_compare_to_my_exit_policy(edge_connection_t *conn)
desc_routerinfo->exit_policy) != ADDR_POLICY_ACCEPTED; desc_routerinfo->exit_policy) != ADDR_POLICY_ACCEPTED;
} }
/** Return true iff my exit policy is reject *:*. Return -1 if we don't
* have a descriptor */
int
router_my_exit_policy_is_reject_star(void)
{
if (!router_get_my_routerinfo()) /* make sure desc_routerinfo exists */
return -1;
return desc_routerinfo->policy_is_reject_star;
}
/** Return true iff I'm a server and <b>digest</b> is equal to /** Return true iff I'm a server and <b>digest</b> is equal to
* my identity digest. */ * my identity digest. */
int int
@ -1300,6 +1325,8 @@ router_rebuild_descriptor(int force)
policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy, policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy,
options->ExitPolicyRejectPrivate, options->ExitPolicyRejectPrivate,
ri->address, !options->BridgeRelay); ri->address, !options->BridgeRelay);
ri->policy_is_reject_star =
policy_is_reject_star(ri->exit_policy);
if (desc_routerinfo) { /* inherit values */ if (desc_routerinfo) { /* inherit values */
ri->is_valid = desc_routerinfo->is_valid; ri->is_valid = desc_routerinfo->is_valid;

2
src/or/router.h
View File

@ -51,6 +51,7 @@ int server_mode(or_options_t *options);
int advertised_server_mode(void); int advertised_server_mode(void);
int proxy_mode(or_options_t *options); int proxy_mode(or_options_t *options);
void consider_publishable_server(int force); void consider_publishable_server(int force);
int should_refuse_unknown_exits(or_options_t *options);
void router_upload_dir_desc_to_dirservers(int force); void router_upload_dir_desc_to_dirservers(int force);
void mark_my_descriptor_dirty_if_older_than(time_t when); void mark_my_descriptor_dirty_if_older_than(time_t when);
@ -60,6 +61,7 @@ void check_descriptor_ipaddress_changed(time_t now);
void router_new_address_suggestion(const char *suggestion, void router_new_address_suggestion(const char *suggestion,
const dir_connection_t *d_conn); const dir_connection_t *d_conn);
int router_compare_to_my_exit_policy(edge_connection_t *conn); int router_compare_to_my_exit_policy(edge_connection_t *conn);
int router_my_exit_policy_is_reject_star(void);
routerinfo_t *router_get_my_routerinfo(void); routerinfo_t *router_get_my_routerinfo(void);
extrainfo_t *router_get_my_extrainfo(void); extrainfo_t *router_get_my_extrainfo(void);
const char *router_get_my_descriptor(void); const char *router_get_my_descriptor(void);