mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 20:33:31 +01:00
new config option DirAllowPrivateAddresses for authdirservers.
now by default they refuse router descriptors that have non-IP or private-IP addresses. svn:r3321
This commit is contained in:
parent
91bafc476e
commit
cd1f50d2f0
@ -103,6 +103,7 @@ static config_var_t config_vars[] = {
|
|||||||
VAR("CookieAuthentication",BOOL, CookieAuthentication, "0"),
|
VAR("CookieAuthentication",BOOL, CookieAuthentication, "0"),
|
||||||
VAR("DebugLogFile", STRING, DebugLogFile, NULL),
|
VAR("DebugLogFile", STRING, DebugLogFile, NULL),
|
||||||
VAR("DataDirectory", STRING, DataDirectory, NULL),
|
VAR("DataDirectory", STRING, DataDirectory, NULL),
|
||||||
|
VAR("DirAllowPrivateAddresses",BOOL, DirAllowPrivateAddresses, NULL),
|
||||||
VAR("DirPort", UINT, DirPort, "0"),
|
VAR("DirPort", UINT, DirPort, "0"),
|
||||||
VAR("DirBindAddress", LINELIST, DirBindAddress, NULL),
|
VAR("DirBindAddress", LINELIST, DirBindAddress, NULL),
|
||||||
/* XXX we'd like dirfetchperiod to be higher for people with dirport not
|
/* XXX we'd like dirfetchperiod to be higher for people with dirport not
|
||||||
|
@ -653,7 +653,7 @@ connection_dir_client_reached_eof(connection_t *conn)
|
|||||||
log_fn(LOG_WARN,"http status 400 (bad request) response from dirserver '%s'. Malformed server descriptor?", conn->address);
|
log_fn(LOG_WARN,"http status 400 (bad request) response from dirserver '%s'. Malformed server descriptor?", conn->address);
|
||||||
break;
|
break;
|
||||||
case 403:
|
case 403:
|
||||||
log_fn(LOG_WARN,"http status 403 (unapproved server) response from dirserver '%s'. Is your clock skewed? Have you mailed us your key fingerprint? Are you using the right key? See http://tor.eff.org/doc/tor-doc.html#server.", conn->address);
|
log_fn(LOG_WARN,"http status 403 (unapproved server) response from dirserver '%s'. Is your clock skewed? Have you mailed us your key fingerprint? Are you using the right key? Are you using a private IP address? See http://tor.eff.org/doc/tor-doc.html#server.", conn->address);
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
log_fn(LOG_WARN,"http status %d response unrecognized (server '%s').", status_code, conn->address);
|
log_fn(LOG_WARN,"http status %d response unrecognized (server '%s').", status_code, conn->address);
|
||||||
|
@ -284,6 +284,27 @@ dirserv_free_descriptors()
|
|||||||
smartlist_clear(descriptor_list);
|
smartlist_clear(descriptor_list);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Return -1 if <b>ri</b> has a private or otherwise bad address,
|
||||||
|
* unless we're configured to not care. Return 0 if all ok. */
|
||||||
|
static int
|
||||||
|
dirserv_router_has_valid_address(routerinfo_t *ri)
|
||||||
|
{
|
||||||
|
struct in_addr iaddr;
|
||||||
|
if (get_options()->DirAllowPrivateAddresses)
|
||||||
|
return 0; /* whatever it is, we're fine with it */
|
||||||
|
if (!tor_inet_aton(ri->address, &iaddr)) {
|
||||||
|
log_fn(LOG_INFO,"Router '%s' published non-IP address '%s'. Refusing.",
|
||||||
|
ri->nickname, ri->address);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
if (is_internal_IP(ntohl(iaddr.s_addr))) {
|
||||||
|
log_fn(LOG_INFO,"Router '%s' published internal IP address '%s'. Refusing.",
|
||||||
|
ri->nickname, ri->address);
|
||||||
|
return -1; /* it's a private IP, we should reject it */
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/** Parse the server descriptor at *desc and maybe insert it into the
|
/** Parse the server descriptor at *desc and maybe insert it into the
|
||||||
* list of server descriptors, and (if the descriptor is well-formed)
|
* list of server descriptors, and (if the descriptor is well-formed)
|
||||||
* advance *desc immediately past the descriptor's end.
|
* advance *desc immediately past the descriptor's end.
|
||||||
@ -340,7 +361,7 @@ dirserv_add_descriptor(const char **desc)
|
|||||||
}
|
}
|
||||||
if (r==0) {
|
if (r==0) {
|
||||||
char fp[FINGERPRINT_LEN+1];
|
char fp[FINGERPRINT_LEN+1];
|
||||||
log_fn(LOG_INFO, "Unknown nickname '%s' (%s:%d). Adding.",
|
log_fn(LOG_INFO, "Unknown nickname '%s' (%s:%d). Will try to add.",
|
||||||
ri->nickname, ri->address, ri->or_port);
|
ri->nickname, ri->address, ri->or_port);
|
||||||
if (crypto_pk_get_fingerprint(ri->identity_pkey, fp, 1) < 0) {
|
if (crypto_pk_get_fingerprint(ri->identity_pkey, fp, 1) < 0) {
|
||||||
log_fn(LOG_WARN, "Error computing fingerprint for '%s'", ri->nickname);
|
log_fn(LOG_WARN, "Error computing fingerprint for '%s'", ri->nickname);
|
||||||
@ -363,6 +384,12 @@ dirserv_add_descriptor(const char **desc)
|
|||||||
*desc = end;
|
*desc = end;
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
if (dirserv_router_has_valid_address(ri) < 0) {
|
||||||
|
log_fn(LOG_NOTICE, "Router with nickname '%s' has invalid address '%s'. Not adding.", ri->nickname, ri->address);
|
||||||
|
routerinfo_free(ri);
|
||||||
|
*desc = end;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
/* Do we already have an entry for this router? */
|
/* Do we already have an entry for this router? */
|
||||||
for (i = 0; i < smartlist_len(descriptor_list); ++i) {
|
for (i = 0; i < smartlist_len(descriptor_list); ++i) {
|
||||||
|
@ -910,9 +910,11 @@ typedef struct {
|
|||||||
struct config_line_t *DirBindAddress;
|
struct config_line_t *DirBindAddress;
|
||||||
/** Local address to bind outbound sockets */
|
/** Local address to bind outbound sockets */
|
||||||
char *OutboundBindAddress;
|
char *OutboundBindAddress;
|
||||||
|
/** Directory server only: which versions of
|
||||||
|
* Tor should we tell users to run? */
|
||||||
struct config_line_t *RecommendedVersions;
|
struct config_line_t *RecommendedVersions;
|
||||||
/**< Directory server only: which versions of
|
/** Whether dirservers refuse router descriptors with private IPs. */
|
||||||
* Tor should we tell users to run? */
|
int DirAllowPrivateAddresses;
|
||||||
char *User; /**< Name of user to run Tor as. */
|
char *User; /**< Name of user to run Tor as. */
|
||||||
char *Group; /**< Name of group to run Tor as. */
|
char *Group; /**< Name of group to run Tor as. */
|
||||||
double PathlenCoinWeight; /**< Parameter used to configure average path
|
double PathlenCoinWeight; /**< Parameter used to configure average path
|
||||||
|
Loading…
Reference in New Issue
Block a user