64 #define CONFIG_PRIVATE
80 #include "core/or/dos.h"
130 #ifdef HAVE_SYS_STAT_H
131 #include <sys/stat.h>
133 #ifdef HAVE_SYS_PARAM_H
134 #include <sys/param.h>
162 # if defined(__COVERITY__) && !defined(__INCLUDE_LEVEL__)
166 # define __INCLUDE_LEVEL__ 2
168 #include <systemd/sd-daemon.h>
172 static const char unix_socket_prefix[] =
"unix:";
175 static const char unix_q_socket_prefix[] =
"unix:\"";
178 #define MIN_CONSTRAINED_TCP_BUFFER 2048
179 #define MAX_CONSTRAINED_TCP_BUFFER 262144
184 #define DOWNLOAD_SCHEDULE(name) \
185 { (#name "DownloadSchedule"), (#name "DownloadInitialDelay"), 0, 1 }
187 #define DOWNLOAD_SCHEDULE(name) { NULL, NULL, 0, 1 }
196 PLURAL(AuthDirMiddleOnlyCC),
202 PLURAL(HiddenServiceNode),
203 PLURAL(HiddenServiceExcludeNode),
206 PLURAL(RecommendedPackage),
212 {
"AllowUnverifiedNodes",
"AllowInvalidNodes", 0, 0},
213 {
"AutomapHostSuffixes",
"AutomapHostsSuffixes", 0, 0},
214 {
"AutomapHostOnResolve",
"AutomapHostsOnResolve", 0, 0},
215 {
"BandwidthRateBytes",
"BandwidthRate", 0, 0},
216 {
"BandwidthBurstBytes",
"BandwidthBurst", 0, 0},
217 {
"DirFetchPostPeriod",
"StatusFetchPeriod", 0, 0},
218 {
"DirServer",
"DirAuthority", 0, 0},
219 {
"MaxConn",
"ConnLimit", 0, 1},
220 {
"MaxMemInCellQueues",
"MaxMemInQueues", 0, 0},
221 {
"ORBindAddress",
"ORListenAddress", 0, 0},
222 {
"DirBindAddress",
"DirListenAddress", 0, 0},
223 {
"SocksBindAddress",
"SocksListenAddress", 0, 0},
224 {
"UseHelperNodes",
"UseEntryGuards", 0, 0},
225 {
"NumHelperNodes",
"NumEntryGuards", 0, 0},
226 {
"UseEntryNodes",
"UseEntryGuards", 0, 0},
227 {
"NumEntryNodes",
"NumEntryGuards", 0, 0},
228 {
"ResolvConf",
"ServerDNSResolvConfFile", 0, 1},
229 {
"SearchDomains",
"ServerDNSSearchDomains", 0, 1},
230 {
"ServerDNSAllowBrokenResolvConf",
"ServerDNSAllowBrokenConfig", 0, 0},
231 {
"PreferTunnelledDirConns",
"PreferTunneledDirConns", 0, 0},
232 {
"BridgeAuthoritativeDirectory",
"BridgeAuthoritativeDir", 0, 0},
233 {
"HashedControlPassword",
"__HashedControlSessionPassword", 1, 0},
234 {
"VirtualAddrNetwork",
"VirtualAddrNetworkIPv4", 0, 0},
235 {
"SocksSocketsGroupWritable",
"UnixSocksGroupWritable", 0, 1},
236 {
"_HSLayer2Nodes",
"HSLayer2Nodes", 0, 1 },
237 {
"_HSLayer3Nodes",
"HSLayer3Nodes", 0, 1 },
260 #define VAR(varname,conftype,member,initvalue) \
261 CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, 0, initvalue)
264 #define VAR_D(varname,conftype,member,initvalue) \
265 CONFIG_VAR_DEFN(or_options_t, varname, conftype, member, 0, initvalue)
267 #define VAR_NODUMP(varname,conftype,member,initvalue) \
268 CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
269 CFLG_NODUMP, initvalue)
270 #define VAR_NODUMP_IMMUTABLE(varname,conftype,member,initvalue) \
271 CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
272 CFLG_NODUMP | CFLG_IMMUTABLE, initvalue)
273 #define VAR_INVIS(varname,conftype,member,initvalue) \
274 CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
275 CFLG_NODUMP | CFLG_NOSET | CFLG_NOLIST, initvalue)
277 #define V(member,conftype,initvalue) \
278 VAR(#member, conftype, member, initvalue)
280 #define VAR_IMMUTABLE(varname, conftype, member, initvalue) \
281 CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
282 CFLG_IMMUTABLE, initvalue)
284 #define V_IMMUTABLE(member,conftype,initvalue) \
285 VAR_IMMUTABLE(#member, conftype, member, initvalue)
288 #define V_D(member,type,initvalue) \
289 VAR_D(#member, type, member, initvalue)
292 #define OBSOLETE(varname) CONFIG_VAR_OBSOLETE(varname)
301 #define VPORT(member) \
302 VAR(#member "Lines", LINELIST_V, member ## _lines, NULL), \
303 VAR(#member, LINELIST_S, member ## _lines, NULL), \
304 VAR_NODUMP("__" #member, LINELIST_S, member ## _lines, NULL)
307 #define UINT64_MAX_STRING "18446744073709551615"
314 V(AccountingMax, MEMUNIT,
"0 bytes"),
315 VAR(
"AccountingRule", STRING, AccountingRule_option,
"max"),
316 V(AccountingStart, STRING, NULL),
317 V(Address, LINELIST, NULL),
318 V(AddressDisableIPv6, BOOL,
"0"),
321 V(AllowNonRFC953Hostnames, BOOL,
"0"),
324 V(AlternateBridgeAuthority, LINELIST, NULL),
325 V(AlternateDirAuthority, LINELIST, NULL),
327 V(AssumeReachable, BOOL,
"0"),
328 V(AssumeReachableIPv6, AUTOBOOL,
"auto"),
331 V(AuthDirBadExit, LINELIST, NULL),
332 V(AuthDirBadExitCCs, CSV,
""),
333 V(AuthDirInvalid, LINELIST, NULL),
334 V(AuthDirInvalidCCs, CSV,
""),
335 V(AuthDirMiddleOnly, LINELIST, NULL),
336 V(AuthDirMiddleOnlyCCs, CSV,
""),
337 V(AuthDirReject, LINELIST, NULL),
338 V(AuthDirRejectCCs, CSV,
""),
341 OBSOLETE(
"AuthDirMaxServersPerAuthAddr"),
342 VAR(
"AuthoritativeDirectory", BOOL, AuthoritativeDir,
"0"),
343 V(AutomapHostsOnResolve, BOOL,
"0"),
344 V(AutomapHostsSuffixes, CSV,
".onion,.exit"),
345 V(AvoidDiskWrites, BOOL,
"0"),
346 V(BandwidthBurst, MEMUNIT,
"1 GB"),
347 V(BandwidthRate, MEMUNIT,
"1 GB"),
348 V(BridgeAuthoritativeDir, BOOL,
"0"),
349 VAR(
"Bridge", LINELIST, Bridges, NULL),
350 V(BridgePassword, STRING, NULL),
351 V(BridgeRecordUsageByCountry, BOOL,
"1"),
352 V(BridgeRelay, BOOL,
"0"),
353 V(BridgeDistribution, STRING, NULL),
354 VAR_IMMUTABLE(
"CacheDirectory",FILENAME, CacheDirectory_option, NULL),
355 V(CacheDirectoryGroupReadable, AUTOBOOL,
"auto"),
356 V(CellStatistics, BOOL,
"0"),
357 V(PaddingStatistics, BOOL,
"1"),
358 V(OverloadStatistics, BOOL,
"1"),
359 V(LearnCircuitBuildTimeout, BOOL,
"1"),
360 V(CircuitBuildTimeout, INTERVAL,
"0"),
362 V(CircuitsAvailableTimeout, INTERVAL,
"0"),
363 V(CircuitStreamTimeout, INTERVAL,
"0"),
364 V(CircuitPriorityHalflife, DOUBLE,
"-1.0"),
365 V(ClientDNSRejectInternalAddresses, BOOL,
"1"),
366 #if defined(HAVE_MODULE_RELAY) || defined(TOR_UNIT_TESTS)
368 V(ClientOnly, BOOL,
"0"),
371 V(ClientOnly, BOOL,
"1"),
373 V(ClientPreferIPv6ORPort, AUTOBOOL,
"auto"),
374 V(ClientPreferIPv6DirPort, AUTOBOOL,
"auto"),
376 V(ClientRejectInternalAddresses, BOOL,
"1"),
377 V(ClientTransportPlugin, LINELIST, NULL),
378 V(ClientUseIPv6, BOOL,
"0"),
379 V(ClientUseIPv4, BOOL,
"1"),
380 V(ConnLimit, POSINT,
"1000"),
381 V(ConnDirectionStatistics, BOOL,
"0"),
382 V(ConstrainedSockets, BOOL,
"0"),
383 V(ConstrainedSockSize, MEMUNIT,
"8192"),
384 V(ContactInfo, STRING, NULL),
387 V(ControlPortFileGroupReadable,BOOL,
"0"),
388 V(ControlPortWriteToFile, FILENAME, NULL),
389 V(ControlSocket, LINELIST, NULL),
390 V(ControlSocketsGroupWritable, BOOL,
"0"),
391 V(UnixSocksGroupWritable, BOOL,
"0"),
392 V(CookieAuthentication, BOOL,
"0"),
393 V(CookieAuthFileGroupReadable, BOOL,
"0"),
394 V(CookieAuthFile, FILENAME, NULL),
395 V(CountPrivateBandwidth, BOOL,
"0"),
396 VAR_IMMUTABLE(
"DataDirectory", FILENAME, DataDirectory_option, NULL),
397 V(DataDirectoryGroupReadable, BOOL,
"0"),
398 V(DisableOOSCheck, BOOL,
"1"),
399 V(DisableNetwork, BOOL,
"0"),
400 V(DirAllowPrivateAddresses, BOOL,
"0"),
402 V(DirPolicy, LINELIST, NULL),
404 V(DirPortFrontPage, FILENAME, NULL),
405 VAR(
"DirReqStatistics", BOOL, DirReqStatistics_option,
"1"),
406 VAR(
"DirAuthority", LINELIST, DirAuthorities, NULL),
407 #if defined(HAVE_MODULE_RELAY) || defined(TOR_UNIT_TESTS)
409 V(DirCache, BOOL,
"1"),
412 V(DirCache, BOOL,
"0"),
421 V(DirAuthorityFallbackRate, DOUBLE,
"0.1"),
422 V_IMMUTABLE(DisableAllSwap, BOOL,
"0"),
423 V_IMMUTABLE(DisableDebuggerAttachment, BOOL,
"1"),
425 OBSOLETE(
"DisableV2DirectoryInfo_"),
429 V(DormantClientTimeout, INTERVAL,
"24 hours"),
430 V(DormantTimeoutEnabled, BOOL,
"1"),
431 V(DormantTimeoutDisabledByIdleStreams, BOOL,
"1"),
432 V(DormantOnFirstStartup, BOOL,
"0"),
433 V(DormantCanceledByStartup, BOOL,
"0"),
434 V(DownloadExtraInfo, BOOL,
"0"),
435 V(TestingEnableConnBwEvent, BOOL,
"0"),
436 V(TestingEnableCellStatsEvent, BOOL,
"0"),
437 OBSOLETE(
"TestingEnableTbEmptyEvent"),
438 V(EnforceDistinctSubnets, BOOL,
"1"),
439 V_D(EntryNodes, ROUTERSET, NULL),
440 V(EntryStatistics, BOOL,
"0"),
441 OBSOLETE(
"TestingEstimatedDescriptorPropagationTime"),
442 V_D(ExcludeNodes, ROUTERSET, NULL),
443 V_D(ExcludeExitNodes, ROUTERSET, NULL),
445 V_D(ExitNodes, ROUTERSET, NULL),
449 V_D(MiddleNodes, ROUTERSET, NULL),
450 V(ExitPolicy, LINELIST, NULL),
451 V(ExitPolicyRejectPrivate, BOOL,
"1"),
452 V(ExitPolicyRejectLocalInterfaces, BOOL,
"0"),
453 V(ExitPortStatistics, BOOL,
"0"),
454 V(ExtendAllowPrivateAddresses, BOOL,
"0"),
455 V(ExitRelay, AUTOBOOL,
"auto"),
457 V(ExtORPortCookieAuthFile, FILENAME, NULL),
458 V(ExtORPortCookieAuthFileGroupReadable, BOOL,
"0"),
459 V(ExtraInfoStatistics, BOOL,
"1"),
460 V(ExtendByEd25519ID, AUTOBOOL,
"auto"),
461 V(FallbackDir, LINELIST, NULL),
463 V(UseDefaultFallbackDirs, BOOL,
"1"),
465 OBSOLETE(
"FallbackNetworkstatusFile"),
466 V(FascistFirewall, BOOL,
"0"),
467 V(FirewallPorts, CSV,
""),
469 V(FetchDirInfoEarly, BOOL,
"0"),
470 V(FetchDirInfoExtraEarly, BOOL,
"0"),
471 V(FetchServerDescriptors, BOOL,
"1"),
472 V(FetchHidServDescriptors, BOOL,
"1"),
473 V(FetchUselessDescriptors, BOOL,
"0"),
475 V(GeoIPExcludeUnknown, AUTOBOOL,
"auto"),
477 V(GeoIPFile, FILENAME,
"<default>"),
478 V(GeoIPv6File, FILENAME,
"<default>"),
480 V(GeoIPFile, FILENAME,
481 SHARE_DATADIR PATH_SEPARATOR
"tor" PATH_SEPARATOR
"geoip"),
482 V(GeoIPv6File, FILENAME,
483 SHARE_DATADIR PATH_SEPARATOR
"tor" PATH_SEPARATOR
"geoip6"),
486 V(GuardLifetime, INTERVAL,
"0 minutes"),
487 V(HeartbeatPeriod, INTERVAL,
"6 hours"),
488 V(MainloopStats, BOOL,
"0"),
489 V(HashedControlPassword, LINELIST, NULL),
491 OBSOLETE(
"HiddenServiceAuthorizeClient"),
493 VAR(
"HiddenServiceDir", LINELIST_S, RendConfigLines, NULL),
494 VAR(
"HiddenServiceDirGroupReadable", LINELIST_S, RendConfigLines, NULL),
495 VAR(
"HiddenServiceOptions",LINELIST_V, RendConfigLines, NULL),
496 VAR(
"HiddenServicePort", LINELIST_S, RendConfigLines, NULL),
497 VAR(
"HiddenServiceVersion",LINELIST_S, RendConfigLines, NULL),
498 VAR(
"HiddenServiceAllowUnknownPorts",LINELIST_S, RendConfigLines, NULL),
499 VAR(
"HiddenServiceMaxStreams",LINELIST_S, RendConfigLines, NULL),
500 VAR(
"HiddenServiceMaxStreamsCloseCircuit",LINELIST_S, RendConfigLines, NULL),
501 VAR(
"HiddenServiceNumIntroductionPoints", LINELIST_S, RendConfigLines, NULL),
502 VAR(
"HiddenServiceExportCircuitID", LINELIST_S, RendConfigLines, NULL),
503 VAR(
"HiddenServiceEnableIntroDoSDefense", LINELIST_S, RendConfigLines, NULL),
504 VAR(
"HiddenServiceEnableIntroDoSRatePerSec",
505 LINELIST_S, RendConfigLines, NULL),
506 VAR(
"HiddenServiceEnableIntroDoSBurstPerSec",
507 LINELIST_S, RendConfigLines, NULL),
508 VAR(
"HiddenServiceOnionBalanceInstance",
509 LINELIST_S, RendConfigLines, NULL),
510 VAR(
"HiddenServiceStatistics", BOOL, HiddenServiceStatistics_option,
"1"),
511 V(ClientOnionAuthDir, FILENAME, NULL),
512 OBSOLETE(
"CloseHSClientCircuitsImmediatelyOnTimeout"),
513 OBSOLETE(
"CloseHSServiceRendCircuitsImmediatelyOnTimeout"),
514 V_IMMUTABLE(HiddenServiceSingleHopMode, BOOL,
"0"),
515 V_IMMUTABLE(HiddenServiceNonAnonymousMode,BOOL,
"0"),
516 V(HTTPProxy, STRING, NULL),
517 V(HTTPProxyAuthenticator, STRING, NULL),
518 V(HTTPSProxy, STRING, NULL),
519 V(HTTPSProxyAuthenticator, STRING, NULL),
520 VPORT(HTTPTunnelPort),
521 V(IPv6Exit, BOOL,
"0"),
522 VAR(
"ServerTransportPlugin", LINELIST, ServerTransportPlugin, NULL),
523 V(ServerTransportListenAddr, LINELIST, NULL),
524 V(ServerTransportOptions, LINELIST, NULL),
525 V(SigningKeyLifetime, INTERVAL,
"30 days"),
526 V(Socks4Proxy, STRING, NULL),
527 V(Socks5Proxy, STRING, NULL),
528 V(Socks5ProxyUsername, STRING, NULL),
529 V(Socks5ProxyPassword, STRING, NULL),
530 V(TCPProxy, STRING, NULL),
531 VAR_IMMUTABLE(
"KeyDirectory", FILENAME, KeyDirectory_option, NULL),
532 V(KeyDirectoryGroupReadable, AUTOBOOL,
"auto"),
533 VAR_D(
"HSLayer2Nodes", ROUTERSET, HSLayer2Nodes, NULL),
534 VAR_D(
"HSLayer3Nodes", ROUTERSET, HSLayer3Nodes, NULL),
535 V(KeepalivePeriod, INTERVAL,
"5 minutes"),
536 V_IMMUTABLE(KeepBindCapabilities, AUTOBOOL,
"auto"),
537 VAR(
"Log", LINELIST, Logs, NULL),
538 V(LogMessageDomains, BOOL,
"0"),
539 V(LogTimeGranularity, MSEC_INTERVAL,
"1 second"),
540 V(TruncateLogFile, BOOL,
"0"),
541 V_IMMUTABLE(SyslogIdentityTag, STRING, NULL),
543 V(LongLivedPorts, CSV,
544 "21,22,706,1863,5050,5190,5222,5223,6523,6667,6697,8300"),
545 VAR(
"MapAddress", LINELIST, AddressMap, NULL),
546 V(MaxAdvertisedBandwidth, MEMUNIT,
"1 GB"),
547 V(MaxCircuitDirtiness, INTERVAL,
"10 minutes"),
548 V(MaxClientCircuitsPending, POSINT,
"32"),
549 V(MaxConsensusAgeForDiffs, INTERVAL,
"0 seconds"),
550 VAR(
"MaxMemInQueues", MEMUNIT, MaxMemInQueues_raw,
"0"),
552 V(MaxOnionQueueDelay, MSEC_INTERVAL,
"0"),
553 V(MaxUnparseableDescSizeToLog, MEMUNIT,
"10 MB"),
555 V(MetricsPortPolicy, LINELIST, NULL),
556 V(TestingMinTimeToReportBandwidth, INTERVAL,
"1 day"),
557 VAR(
"MyFamily", LINELIST, MyFamily_lines, NULL),
558 V(NewCircuitPeriod, INTERVAL,
"30 seconds"),
559 OBSOLETE(
"NamingAuthoritativeDirectory"),
562 V(Nickname, STRING, NULL),
563 OBSOLETE(
"PredictedPortsRelevanceTime"),
565 VAR(
"NodeFamily", LINELIST, NodeFamilies, NULL),
566 V_IMMUTABLE(NoExec, BOOL,
"0"),
567 V(NumCPUs, POSINT,
"0"),
568 V(NumDirectoryGuards, POSINT,
"0"),
569 V(NumEntryGuards, POSINT,
"0"),
570 V(NumPrimaryGuards, POSINT,
"0"),
571 V(OfflineMasterKey, BOOL,
"0"),
574 V(OutboundBindAddress, LINELIST, NULL),
575 V(OutboundBindAddressOR, LINELIST, NULL),
576 V(OutboundBindAddressExit, LINELIST, NULL),
577 V(OutboundBindAddressPT, LINELIST, NULL),
580 V(PathBiasCircThreshold, INT,
"-1"),
581 V(PathBiasNoticeRate, DOUBLE,
"-1"),
582 V(PathBiasWarnRate, DOUBLE,
"-1"),
583 V(PathBiasExtremeRate, DOUBLE,
"-1"),
584 V(PathBiasScaleThreshold, INT,
"-1"),
587 V(PathBiasDropGuards, AUTOBOOL,
"0"),
590 V(PathBiasUseThreshold, INT,
"-1"),
591 V(PathBiasNoticeUseRate, DOUBLE,
"-1"),
592 V(PathBiasExtremeUseRate, DOUBLE,
"-1"),
593 V(PathBiasScaleUseThreshold, INT,
"-1"),
595 V(PathsNeededToBuildCircuits, DOUBLE,
"-1"),
596 V(PerConnBWBurst, MEMUNIT,
"0"),
597 V(PerConnBWRate, MEMUNIT,
"0"),
598 V_IMMUTABLE(PidFile, FILENAME, NULL),
599 V_IMMUTABLE(TestingTorNetwork, BOOL,
"0"),
601 V(TestingLinkCertLifetime, INTERVAL,
"2 days"),
602 V(TestingAuthKeyLifetime, INTERVAL,
"2 days"),
603 V(TestingLinkKeySlop, INTERVAL,
"3 hours"),
604 V(TestingAuthKeySlop, INTERVAL,
"3 hours"),
605 V(TestingSigningKeySlop, INTERVAL,
"1 day"),
611 V(ProtocolWarnings, BOOL,
"0"),
612 V(PublishServerDescriptor, CSV,
"1"),
613 V(PublishHidServDescriptors, BOOL,
"1"),
614 V(ReachableAddresses, LINELIST, NULL),
615 V(ReachableDirAddresses, LINELIST, NULL),
616 V(ReachableORAddresses, LINELIST, NULL),
618 V(ReducedConnectionPadding, BOOL,
"0"),
619 V(ConnectionPadding, AUTOBOOL,
"auto"),
620 V(RefuseUnknownExits, AUTOBOOL,
"auto"),
621 V(CircuitPadding, BOOL,
"1"),
622 V(ReconfigDropsBridgeDescs, BOOL,
"0"),
623 V(ReducedCircuitPadding, BOOL,
"0"),
624 V(RejectPlaintextPorts, CSV,
""),
625 V(RelayBandwidthBurst, MEMUNIT,
"0"),
626 V(RelayBandwidthRate, MEMUNIT,
"0"),
627 V(RephistTrackTime, INTERVAL,
"24 hours"),
628 V_IMMUTABLE(RunAsDaemon, BOOL,
"0"),
629 V(ReducedExitPolicy, BOOL,
"0"),
631 V_IMMUTABLE(Sandbox, BOOL,
"0"),
632 V(SafeLogging, STRING,
"1"),
633 V(SafeSocks, BOOL,
"0"),
634 V(ServerDNSAllowBrokenConfig, BOOL,
"1"),
635 V(ServerDNSAllowNonRFC953Hostnames, BOOL,
"0"),
636 V(ServerDNSDetectHijacking, BOOL,
"1"),
637 V(ServerDNSRandomizeCase, BOOL,
"1"),
638 V(ServerDNSResolvConfFile, FILENAME, NULL),
639 V(ServerDNSSearchDomains, BOOL,
"0"),
640 V(ServerDNSTestAddresses, CSV,
641 "www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org"),
642 OBSOLETE(
"SchedulerLowWaterMark__"),
643 OBSOLETE(
"SchedulerHighWaterMark__"),
644 OBSOLETE(
"SchedulerMaxFlushCells__"),
645 V(KISTSchedRunInterval, MSEC_INTERVAL,
"0 msec"),
646 V(KISTSockBufSizeFactor, DOUBLE,
"1.0"),
647 V(Schedulers, CSV,
"KIST,KISTLite,Vanilla"),
648 V(ShutdownWaitLength, INTERVAL,
"30 seconds"),
650 V(SocksPolicy, LINELIST, NULL),
652 V(SocksTimeout, INTERVAL,
"2 minutes"),
653 V(SSLKeyLifetime, INTERVAL,
"0"),
656 V(StrictNodes, BOOL,
"0"),
657 OBSOLETE(
"Support022HiddenServices"),
658 V(TestSocks, BOOL,
"0"),
659 V_IMMUTABLE(TokenBucketRefillInterval, MSEC_INTERVAL,
"100 msec"),
661 OBSOLETE(
"Tor2webRendezvousPoints"),
663 V(TrackHostExits, CSV, NULL),
664 V(TrackHostExitsExpire, INTERVAL,
"30 minutes"),
667 V(TransProxyType, STRING,
"default"),
669 V(UpdateBridgesFromAuthority, BOOL,
"0"),
670 V(UseBridges, BOOL,
"0"),
671 VAR(
"UseEntryGuards", BOOL, UseEntryGuards_option,
"1"),
672 OBSOLETE(
"UseEntryGuardsAsDirGuards"),
673 V(UseGuardFraction, AUTOBOOL,
"auto"),
674 V(VanguardsLiteEnabled, AUTOBOOL,
"auto"),
675 V(UseMicrodescriptors, AUTOBOOL,
"auto"),
677 VAR(
"__AlwaysCongestionControl", BOOL, AlwaysCongestionControl,
"0"),
678 VAR(
"__SbwsExit", BOOL, SbwsExit,
"0"),
679 V_IMMUTABLE(User, STRING, NULL),
681 OBSOLETE(
"V1AuthoritativeDirectory"),
682 OBSOLETE(
"V2AuthoritativeDirectory"),
683 VAR(
"V3AuthoritativeDirectory",BOOL, V3AuthoritativeDir,
"0"),
684 V(TestingV3AuthInitialVotingInterval, INTERVAL,
"30 minutes"),
685 V(TestingV3AuthInitialVoteDelay, INTERVAL,
"5 minutes"),
686 V(TestingV3AuthInitialDistDelay, INTERVAL,
"5 minutes"),
687 V(TestingV3AuthVotingStartOffset, INTERVAL,
"0"),
688 V(V3AuthVotingInterval, INTERVAL,
"1 hour"),
689 V(V3AuthVoteDelay, INTERVAL,
"5 minutes"),
690 V(V3AuthDistDelay, INTERVAL,
"5 minutes"),
691 V(V3AuthNIntervalsValid, POSINT,
"3"),
692 V(V3AuthUseLegacyKey, BOOL,
"0"),
693 V(V3BandwidthsFile, FILENAME, NULL),
694 V(GuardfractionFile, FILENAME, NULL),
695 OBSOLETE(
"VoteOnHidServDirectoriesV2"),
696 V(VirtualAddrNetworkIPv4, STRING,
"127.192.0.0/10"),
697 V(VirtualAddrNetworkIPv6, STRING,
"[FE80::]/10"),
698 V(WarnPlaintextPorts, CSV,
"23,109,110,143"),
699 OBSOLETE(
"UseFilteringSSLBufferevents"),
700 OBSOLETE(
"__UseFilteringSSLBufferevents"),
701 VAR_NODUMP(
"__ReloadTorrcOnSIGHUP", BOOL, ReloadTorrcOnSIGHUP,
"1"),
702 VAR_NODUMP(
"__AllDirActionsPrivate", BOOL, AllDirActionsPrivate,
"0"),
703 VAR_NODUMP(
"__DisablePredictedCircuits",BOOL,DisablePredictedCircuits,
"0"),
704 VAR_NODUMP_IMMUTABLE(
"__DisableSignalHandlers", BOOL,
705 DisableSignalHandlers,
"0"),
706 VAR_NODUMP(
"__LeaveStreamsUnattached",BOOL, LeaveStreamsUnattached,
"0"),
707 VAR_NODUMP(
"__HashedControlSessionPassword", LINELIST,
708 HashedControlSessionPassword,
710 VAR_NODUMP(
"__OwningControllerProcess",STRING,
711 OwningControllerProcess, NULL),
712 VAR_NODUMP_IMMUTABLE(
"__OwningControllerFD", UINT64, OwningControllerFD,
714 V(TestingServerDownloadInitialDelay, CSV_INTERVAL,
"0"),
715 V(TestingClientDownloadInitialDelay, CSV_INTERVAL,
"0"),
716 V(TestingServerConsensusDownloadInitialDelay, CSV_INTERVAL,
"0"),
717 V(TestingClientConsensusDownloadInitialDelay, CSV_INTERVAL,
"0"),
733 V(ClientBootstrapConsensusAuthorityDownloadInitialDelay, CSV_INTERVAL,
"6"),
734 V(ClientBootstrapConsensusFallbackDownloadInitialDelay, CSV_INTERVAL,
"0"),
736 V(ClientBootstrapConsensusAuthorityOnlyDownloadInitialDelay, CSV_INTERVAL,
742 V(ClientBootstrapConsensusMaxInProgressTries, POSINT,
"3"),
745 V(TestingBridgeDownloadInitialDelay, CSV_INTERVAL,
"10800"),
750 V(TestingBridgeBootstrapDownloadInitialDelay, CSV_INTERVAL,
"0"),
751 V(TestingClientMaxIntervalWithoutRequest, INTERVAL,
"10 minutes"),
752 V(TestingDirConnectionMaxStall, INTERVAL,
"5 minutes"),
753 OBSOLETE(
"TestingConsensusMaxDownloadTries"),
754 OBSOLETE(
"ClientBootstrapConsensusMaxDownloadTries"),
755 OBSOLETE(
"ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries"),
756 OBSOLETE(
"TestingDescriptorMaxDownloadTries"),
757 OBSOLETE(
"TestingMicrodescMaxDownloadTries"),
758 OBSOLETE(
"TestingCertMaxDownloadTries"),
759 VAR_INVIS(
"___UsingTestNetworkDefaults", BOOL, UsingTestNetworkDefaults_,
768 #include "auth_dirs.inc"
778 #include "fallback_dirs.inc"
785 static const struct {
790 #include "testnet.inc"
801 {
"HTTPProxy",
"It only applies to direct unencrypted HTTP connections "
802 "to your directory server, which your Tor probably wasn't using." },
803 {
"HTTPProxyAuthenticator",
"HTTPProxy is deprecated in favor of HTTPSProxy "
804 "which should be used with HTTPSProxyAuthenticator." },
808 {
"ReachableDirAddresses",
"It has no effect on relays, and has had no "
809 "effect on clients since 0.2.8." },
810 {
"ClientPreferIPv6DirPort",
"It has no effect on relays, and has had no "
811 "effect on clients since 0.2.8." },
815 {
"ClientAutoIPv6ORPort",
"This option is unreliable if a connection isn't "
816 "reliably dual-stack."},
823 static char *get_windows_conf_root(
void);
834 static int opt_streq(
const char *s1,
const char *s2);
852 #define OR_OPTIONS_MAGIC 9090909
863 .deprecations = option_deprecation_notes_,
868 .has_config_suite =
true,
869 .config_suite_offset = offsetof(
or_options_t, subconfigs_),
902 if (PREDICT_UNLIKELY(options_mgr == NULL)) {
911 #define CHECK_OPTIONS_MAGIC(opt) STMT_BEGIN \
912 config_check_toplevel_magic(get_options_mgr(), (opt)); \
950 next = &(*next)->next;
977 "Acting on config options left us in a broken state. Dying.");
989 config_free_lines(changes);
993 or_options_free(old_options);
1009 CHECK_OPTIONS_MAGIC(opts);
1015 rs, routerset_free(rs));
1031 tor_free(options->master_key_fname);
1032 config_free_lines(options->
MyFamily);
1069 config_mgr_free(options_mgr);
1086 if (options->SafeLogging_ == SAFELOG_SCRUB_ALL)
1087 return "[scrubbed]";
1107 if (options->SafeLogging_ != SAFELOG_SCRUB_NONE)
1108 return "[scrubbed]";
1119 if (
get_options()->SafeLogging_ == SAFELOG_SCRUB_ALL)
1120 return "[scrubbed]";
1131 if (
get_options()->SafeLogging_ != SAFELOG_SCRUB_NONE)
1132 return "[scrubbed]";
1197 log_err(
LD_BUG,
"Couldn't parse internal DirAuthority line %s",
1211 log_err(
LD_BUG,
"Couldn't parse internal FallbackDir line %s",
1230 "You cannot set both DirAuthority and Alternate*Authority.");
1244 "You have used DirAuthority or AlternateDirAuthority to "
1245 "specify alternate directory authorities in "
1246 "your configuration. This is potentially dangerous: it can "
1247 "make you look different from all other Tor users, and hurt "
1248 "your anonymity. Even if you've specified the same "
1249 "authorities as Tor uses by default, the defaults could "
1250 "change in the future. Be sure you know what you're doing.");
1264 for (cl = options->
FallbackDir; cl; cl = cl->next)
1278 int need_to_update =
1279 !smartlist_len(router_get_trusted_dir_servers()) ||
1280 !smartlist_len(router_get_fallback_dir_servers()) || !old_options ||
1289 if (!need_to_update)
1319 if (type != NO_DIRINFO)
1332 for (cl = options->
FallbackDir; cl; cl = cl->next)
1346 const char *directory,
1351 cpd_check_t cpd_opts = create ? CPD_CREATE : CPD_CHECK;
1353 cpd_opts |= CPD_GROUP_READ;
1358 "Couldn't %s private data directory \"%s\"",
1359 create ?
"create" :
"access",
1365 if (group_readable) {
1367 if (chmod(directory, 0750)) {
1368 log_warn(
LD_FS,
"Unable to make %s group-readable: %s",
1369 directory, strerror(errno));
1387 cpd_opts |= CPD_GROUP_READ;
1389 log_err(
LD_OR,
"Can't create/check datadirectory %s",
1402 static int have_low_ports = -1;
1431 sd_notifyf(0,
"MAINPID=%ld\n", (
long int)getpid());
1439 control_initialize_event_queue();
1453 *msg_out = tor_strdup(
"DisableAllSwap failure. Do you have proper "
1472 if (options->
User) {
1474 unsigned switch_id_flags = 0;
1484 *msg_out = tor_strdup(
"Problem with User value. See logs for details.");
1504 if (subdir_gr != -1) {
1510 if (0 == strcmp(subdir, datadir)) {
1552 key_dir_group_readable,
1566 cache_dir_group_readable,
1609 if (! running_tor) {
1618 *msg_out = tor_strdup(
"Problem with ConnLimit value. "
1619 "See logs for details.");
1632 if (
parse_ports(options, 0, msg_out, &n_ports, NULL)) {
1634 *msg_out = tor_strdup(
"Unexpected problem parsing port config");
1649 *msg_out = tor_strdup(
"Failed to bind one of the listener ports.");
1655 log_notice(
LD_NET,
"DisableNetwork is set. Tor will not make or accept "
1656 "non-control network connections. Shutting down all existing "
1663 #if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
1665 if (options->TransPort_set &&
1667 if (get_pf_socket() < 0) {
1668 *msg_out = tor_strdup(
"Unable to open /dev/pf for transparent proxy.");
1702 int socks_in_reserve = options->
ConnLimit_ / 20;
1703 if (socks_in_reserve > 64) socks_in_reserve = 64;
1708 "Recomputed OOS thresholds: ConnLimit %d, ConnLimit_ %d, "
1709 "ConnLimit_high_thresh %d, ConnLimit_low_thresh %d",
1739 log_notice(LD_NET,
"Closing partially-constructed %s",
1740 connection_describe(conn));
1741 connection_close_immediate(conn);
1742 connection_mark_for_close(conn);
1788 old_options->SafeLogging_ != options->SafeLogging_;
1797 *msg_out = tor_strdup(
"Failed to init Log options. See logs for details.");
1835 const char *badness = NULL;
1836 int bad_safelog = 0, bad_severity = 0, new_badness = 0;
1837 if (options->SafeLogging_ != SAFELOG_SCRUB_ALL) {
1847 if (bad_safelog && bad_severity)
1848 badness =
"you disabled SafeLogging, and "
1849 "you're logging more than \"notice\"";
1850 else if (bad_safelog)
1851 badness =
"you disabled SafeLogging";
1853 badness =
"you're logging more than \"notice\"";
1855 log_warn(
LD_GENERAL,
"Your log may contain sensitive information - %s. "
1856 "Don't log unless it serves an important reason. "
1857 "Overwrite the log afterwards.", badness);
1919 if (listener_transaction == NULL)
1939 if (log_transaction == NULL)
1968 int routerset_usage =
1977 if (routerset_usage && reason_out) {
1978 *reason_out =
"We've been configured to use (or avoid) nodes in certain "
1979 "countries, and we need GEOIP information to figure out which ones they "
1981 }
else if (bridge_usage && reason_out) {
1982 *reason_out =
"We've been configured to see which countries can access "
1983 "us as a bridge, and we need GEOIP information to tell which countries "
1986 return bridge_usage || routerset_usage;
1990 #define YES_IF_CHANGED_BOOL(opt) \
1991 if (!CFG_EQ_BOOL(old_options, new_options, opt)) return 1;
1992 #define YES_IF_CHANGED_INT(opt) \
1993 if (!CFG_EQ_INT(old_options, new_options, opt)) return 1;
1994 #define YES_IF_CHANGED_STRING(opt) \
1995 if (!CFG_EQ_STRING(old_options, new_options, opt)) return 1;
1996 #define YES_IF_CHANGED_LINELIST(opt) \
1997 if (!CFG_EQ_LINELIST(old_options, new_options, opt)) return 1;
1998 #define YES_IF_CHANGED_SMARTLIST(opt) \
1999 if (!CFG_EQ_SMARTLIST(old_options, new_options, opt)) return 1;
2000 #define YES_IF_CHANGED_ROUTERSET(opt) \
2001 if (!CFG_EQ_ROUTERSET(old_options, new_options, opt)) return 1;
2016 YES_IF_CHANGED_BOOL(UseEntryGuards);
2017 YES_IF_CHANGED_BOOL(UseBridges);
2018 YES_IF_CHANGED_BOOL(ClientUseIPv4);
2019 YES_IF_CHANGED_BOOL(ClientUseIPv6);
2020 YES_IF_CHANGED_BOOL(FascistFirewall);
2021 YES_IF_CHANGED_ROUTERSET(ExcludeNodes);
2022 YES_IF_CHANGED_ROUTERSET(EntryNodes);
2023 YES_IF_CHANGED_SMARTLIST(FirewallPorts);
2024 YES_IF_CHANGED_LINELIST(Bridges);
2025 YES_IF_CHANGED_LINELIST(ReachableORAddresses);
2026 YES_IF_CHANGED_LINELIST(ReachableDirAddresses);
2048 const int transition_affects_guards =
2058 static int disabled_debugger_attach = 0;
2061 static int warned_debugger_attach = 0;
2067 if (warned_debugger_attach && ok == 1) {
2068 log_notice(
LD_CONFIG,
"Disabled attaching debuggers for unprivileged "
2072 disabled_debugger_attach = (ok == 1);
2074 !warned_debugger_attach) {
2075 log_notice(
LD_CONFIG,
"Not disabling debugger attaching for "
2076 "unprivileged users.");
2077 warned_debugger_attach = 1;
2100 if (hs_service_non_anonymous_mode_enabled(options)) {
2101 log_warn(
LD_GENERAL,
"This copy of Tor was compiled or configured to run "
2102 "in a non-anonymous mode. It will provide NO ANONYMITY.");
2108 log_warn(
LD_BUG,
"Failed parsing previously validated outbound "
2109 "bind addresses: %s", msg);
2117 for (cl = options->
Bridges; cl; cl = cl->next) {
2122 "Previously validated Bridge line could not be added!");
2134 "Previously validated hidden services line could not be added!");
2141 log_warn(
LD_BUG,
"Previously validated client authorization for "
2142 "hidden services could not be added!");
2147 if (running_tor && !old_options &&
2149 const unsigned ctrl_flags =
2150 CC_LOCAL_FD_IS_OWNER |
2151 CC_LOCAL_FD_IS_AUTHENTICATED;
2154 log_warn(
LD_CONFIG,
"Could not add local controller connection with "
2177 "Previously validated ClientTransportPlugin line "
2178 "could not be added!");
2216 log_err(
LD_CONFIG,
"Unable to write PIDFile %s",
2230 log_warn(
LD_BUG,
"Error parsing already-validated policy options.");
2235 log_warn(
LD_CONFIG,
"Error creating control cookie authentication file.");
2243 log_warn(
LD_GENERAL,
"Error loading rendezvous service keys");
2261 char *http_authenticator;
2263 if (!http_authenticator) {
2265 log_warn(
LD_BUG,
"Unable to allocate HTTP authenticator. Not setting "
2271 http_authenticator, strlen(http_authenticator),
2292 int revise_trackexithosts = 0;
2293 int revise_automap_entries = 0;
2294 int abandon_circuits = 0;
2311 "Changed to using entry guards or bridges, or changed "
2312 "preferred or excluded node lists. "
2313 "Abandoning previous circuits.");
2314 abandon_circuits = 1;
2317 if (transition_affects_guards) {
2319 routerlist_drop_bridge_descriptors();
2321 abandon_circuits = 1;
2325 if (abandon_circuits) {
2328 revise_trackexithosts = 1;
2333 revise_trackexithosts = 1;
2335 if (revise_trackexithosts)
2340 revise_automap_entries = 1;
2344 revise_automap_entries = 1;
2349 revise_automap_entries = 1;
2352 if (revise_automap_entries)
2390 bool print_notice = 0;
2441 static const struct {
2453 { .name=
"--torrc-file",
2456 { .name=
"--allow-missing-torrc" },
2457 { .name=
"--defaults-torrc",
2459 { .name=
"--hash-password",
2463 { .name=
"--dump-config",
2467 { .name=
"--list-fingerprint",
2472 { .name=
"--key-expiration",
2477 { .name=
"--newpass" },
2478 { .name=
"--no-passphrase" },
2479 { .name=
"--passphrase-fd",
2481 { .name=
"--verify-config",
2483 { .name=
"--ignore-missing-torrc" },
2488 { .name=
"--version",
2491 { .name=
"--list-modules",
2494 { .name=
"--library-versions",
2501 { .name=
"--list-torrc-options",
2504 { .name=
"--list-deprecated-options",
2506 { .name=
"--nt-service" },
2507 { .name=
"-nt-service" },
2508 { .name=
"--dbg-dump-subsystem-list",
2539 bool is_a_command =
false;
2548 is_a_command =
true;
2569 }
else if (*s ==
'/') {
2576 const int is_last = (i == argc-1);
2579 if (ignore_errors) {
2580 arg = tor_strdup(
"");
2582 log_warn(
LD_CONFIG,
"Command-line option '%s' with no value. Failing.",
2584 parsed_cmdline_free(result);
2589 (is_last || argv[i+1][0] ==
'-')) {
2590 arg = tor_strdup(
"");
2598 param->key = is_cmdline ? tor_strdup(argv[i]) :
2603 log_debug(
LD_CONFIG,
"command line: parsed keyword '%s', value '%s'",
2604 param->key, param->value);
2611 *new_cmdline = param;
2612 new_cmdline = &((*new_cmdline)->next);
2615 new = &((*new)->next);
2618 i += want_arg ? 2 : 1;
2674 list, flags, msg)) < 0) {
2675 or_options_free(trial_options);
2688 "Copyright (c) 2001-2004, Roger Dingledine\n"
2689 "Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson\n"
2690 "Copyright (c) 2007-2021, The Tor Project, Inc.\n\n"
2691 "tor -f <torrc> [args]\n"
2692 "See man page for options, or https://www.torproject.org/ for "
2693 "documentation.\n");
2709 printf(
"%s\n", var->member.name);
2710 } SMARTLIST_FOREACH_END(var);
2711 smartlist_free(vars);
2722 printf(
"%s\n",
name));
2723 smartlist_free(deps);
2730 printf(
"%s: %s\n",
"relay", have_module_relay() ?
"yes" :
"no");
2731 printf(
"%s: %s\n",
"dirauth", have_module_dirauth() ?
"yes" :
"no");
2742 printf(
"Library versions\tCompiled\t\tRuntime\n");
2743 printf(
"Libevent\t\t%-15s\t\t%s\n",
2746 #ifdef ENABLE_OPENSSL
2747 printf(
"OpenSSL \t\t%-15s\t\t%s\n",
2748 crypto_openssl_get_header_version_str(),
2749 crypto_openssl_get_version_str());
2752 printf(
"NSS \t\t%-15s\t\t%s\n",
2753 crypto_nss_get_header_version_str(),
2754 crypto_nss_get_version_str());
2757 printf(
"Zlib \t\t%-15s\t\t%s\n",
2762 printf(
"Liblzma \t\t%-15s\t\t%s\n",
2767 printf(
"Libzstd \t\t%-15s\t\t%s\n",
2772 printf(
"%-7s \t\t%-15s\t\t%s\n",
2788 log_err(
LD_CONFIG,
"--no-passphrase specified without --keygen!");
2799 const char *formats[] = {
"iso8601",
"timestamp" };
2802 if (!strcmp(value, formats[i])) {
2816 log_err(
LD_CONFIG,
"--format specified without --key-expiration!");
2829 log_err(
LD_CONFIG,
"--newpass specified without --keygen!");
2838 if (
get_options()->keygen_force_passphrase == FORCE_PASSPHRASE_OFF) {
2839 log_err(
LD_CONFIG,
"--no-passphrase specified with --passphrase-fd!");
2842 log_err(
LD_CONFIG,
"--passphrase-fd specified without --keygen!");
2847 if (fd < 0 || ok == 0) {
2863 log_err(
LD_CONFIG,
"--master-key without --keygen!");
2874 using_default_dir_authorities(
const or_options_t *options)
2898 log_err(
LD_BUG,
"Unable to set default options: %s", msg);
2900 tor_assert_unreached();
2902 config_free_lines(dflts);
2915 switch (how_to_dump) {
2916 case OPTIONS_DUMP_MINIMAL:
2920 case OPTIONS_DUMP_ALL:
2921 use_defaults = NULL;
2925 log_warn(
LD_BUG,
"Bogus value for how_to_dump==%d", how_to_dump);
2947 if (i < 1 || i > 65535) {
2962 if (*value > ROUTER_MAX_DECLARED_BANDWIDTH) {
2967 if (*value > ROUTER_MAX_DECLARED_BANDWIDTH) {
2970 ROUTER_MAX_DECLARED_BANDWIDTH);
2979 #define MAX_CIRCS_AVAILABLE_TIME (24*60*60)
2983 #define MIN_MAX_CIRCUIT_DIRTINESS 10
2987 #define MAX_MAX_CIRCUIT_DIRTINESS (30*24*60*60)
2991 #define MIN_CIRCUIT_STREAM_TIMEOUT 10
2998 #define RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT (10)
3019 if (vs == VSTAT_TRANSITION_ERR) {
3020 rv = SETOPT_ERR_TRANSITION;
3022 }
else if (vs < 0) {
3023 rv = SETOPT_ERR_PARSE;
3029 rv = SETOPT_ERR_SETTING;
3037 tor_assert(new_options == NULL || rv != SETOPT_OK);
3038 or_options_free(new_options);
3042 #ifdef TOR_UNIT_TESTS
3058 return vs < 0 ? -1 : 0;
3062 #define REJECT(arg) \
3063 STMT_BEGIN *msg = tor_strdup(arg); return -1; STMT_END
3064 #if defined(__GNUC__) && __GNUC__ <= 3
3065 #define COMPLAIN(args...) \
3066 STMT_BEGIN log_warn(LD_CONFIG, args); STMT_END
3068 #define COMPLAIN(args, ...) \
3069 STMT_BEGIN log_warn(LD_CONFIG, args, ##__VA_ARGS__); STMT_END
3082 const char *filepath)
3086 COMPLAIN(
"Path for %s (%s) is relative and will resolve to %s."
3087 " Is this what you wanted?", option, filepath, abs_path);
3111 const char *
name = cv->member.name;
3115 config_free_lines(line);
3116 } SMARTLIST_FOREACH_END(cv);
3117 smartlist_free(vars);
3120 hs_line = hs_line->next) {
3121 if (!strcasecmp(hs_line->key,
"HiddenServiceDir"))
3134 options_validate_scheduler(
or_options_t *options,
char **msg)
3140 REJECT(
"Empty Schedulers list. Either remove the option so the defaults "
3141 "can be used or set at least one value.");
3151 if (!strcasecmp(
"KISTLite", type)) {
3152 sched_type = tor_malloc_zero(
sizeof(
int));
3153 *sched_type = SCHEDULER_KIST_LITE;
3155 }
else if (!strcasecmp(
"KIST", type)) {
3156 sched_type = tor_malloc_zero(
sizeof(
int));
3157 *sched_type = SCHEDULER_KIST;
3159 }
else if (!strcasecmp(
"Vanilla", type)) {
3160 sched_type = tor_malloc_zero(
sizeof(
int));
3161 *sched_type = SCHEDULER_VANILLA;
3164 tor_asprintf(msg,
"Unknown type %s in option Schedulers. "
3165 "Possible values are KIST, KISTLite and Vanilla.",
3169 } SMARTLIST_FOREACH_END(type);
3172 REJECT(
"KISTSockBufSizeFactor must be at least 0");
3178 tor_asprintf(msg,
"KISTSchedRunInterval must not be more than %d (ms)",
3179 KIST_SCHED_RUN_INTERVAL_MAX);
3191 options_validate_single_onion(
or_options_t *options,
char **msg)
3195 !options->HiddenServiceNonAnonymousMode) {
3196 REJECT(
"HiddenServiceSingleHopMode does not provide any server anonymity. "
3197 "It must be used with HiddenServiceNonAnonymousMode set to 1.");
3199 if (options->HiddenServiceNonAnonymousMode &&
3201 REJECT(
"HiddenServiceNonAnonymousMode does not provide any server "
3202 "anonymity. It must be used with HiddenServiceSingleHopMode set to "
3211 const int client_port_set = (options->SocksPort_set ||
3212 options->TransPort_set ||
3213 options->NATDPort_set ||
3214 options->DNSPort_set ||
3215 options->HTTPTunnelPort_set);
3216 if (hs_service_non_anonymous_mode_enabled(options) && client_port_set) {
3217 REJECT(
"HiddenServiceNonAnonymousMode is incompatible with using Tor as "
3218 "an anonymous client. Please set Socks/Trans/NATD/DNSPort to 0, or "
3219 "revert HiddenServiceNonAnonymousMode to 0.");
3222 if (hs_service_allow_non_anonymous_connection(options)
3232 "HiddenServiceSingleHopMode is enabled; disabling "
3248 CHECK_OPTIONS_MAGIC(old_options_);
3249 CHECK_OPTIONS_MAGIC(options_);
3255 int world_writable_control_socket=0;
3261 &world_writable_control_socket) < 0)
3264 #ifndef HAVE_SYS_UN_H
3266 *msg = tor_strdup(
"Unix domain sockets (ControlSocket) not supported "
3267 "on this OS/with this build.");
3272 *msg = tor_strdup(
"Setting ControlSocketsGroupWritable without setting "
3273 "a ControlSocket makes no sense.");
3292 REJECT(
"Invalid DataDirectory");
3297 REJECT(
"You have specified at least one relative path (see above) "
3298 "with the RunAsDaemon option. RunAsDaemon is not compatible "
3299 "with relative paths.");
3310 REJECT(
"Failed to validate Log options. See logs for details.");
3316 "SocksPort, TransPort, NATDPort, DNSPort, and ORPort are all "
3317 "undefined, and there aren't any hidden services configured. "
3318 "Tor will still run, but probably won't do anything.");
3321 #ifdef USE_TRANSPARENT
3326 #if !defined(OpenBSD) && !defined(DARWIN)
3328 REJECT(
"pf-divert is a OpenBSD-specific "
3329 "and OS X/Darwin-specific feature.");
3334 #if !defined(__linux__)
3335 REJECT(
"TPROXY is a Linux-specific feature.");
3340 #ifndef KERNEL_MAY_SUPPORT_IPFW
3342 REJECT(
"ipfw is a FreeBSD-specific "
3343 "and OS X/Darwin-specific feature.");
3348 REJECT(
"Unrecognized value for TransProxyType");
3352 !options->TransPort_set) {
3353 REJECT(
"Cannot use TransProxyType without any valid TransPort.");
3357 if (options->TransPort_set)
3358 REJECT(
"TransPort is disabled in this build.");
3363 REJECT(
"TokenBucketRefillInterval must be between 1 and 1000 inclusive.");
3367 REJECT(
"Cannot set AssumeReachable 1 and AssumeReachableIPv6 0.");
3389 COMPLAIN(
"You have asked to exclude certain relays from all positions "
3390 "in your circuits. Expect hidden services and other Tor "
3391 "features to be broken in unpredictable ways.");
3398 REJECT(
"FetchDirInfoExtraEarly requires that you also set "
3399 "FetchDirInfoEarly");
3403 "ConnLimit must be greater than 0, but was set to %d",
3410 log_warn(
LD_CONFIG,
"PathsNeededToBuildCircuits is too low. Increasing "
3414 log_warn(
LD_CONFIG,
"PathsNeededToBuildCircuits is too high. Decreasing "
3423 "MaxClientCircuitsPending must be between 1 and %d, but "
3424 "was set to %d", MAX_MAX_CLIENT_CIRCUITS_PENDING,
3436 "RejectPlaintextPorts", msg) < 0)
3440 "WarnPlaintextPorts", msg) < 0)
3450 new_line->key = tor_strdup(
"ReachableAddresses");
3455 int p = atoi(portno);
3457 smartlist_add_asprintf(instead,
"*:%d", p);
3462 "Converting FascistFirewall and FirewallPorts "
3463 "config options to new format: \"ReachableAddresses %s\"",
3467 smartlist_free(instead);
3473 new_line->key = tor_strdup(
"ReachableDirAddresses");
3474 new_line->value = tor_strdup(
"*:80");
3476 log_notice(
LD_CONFIG,
"Converting FascistFirewall config option "
3477 "to new format: \"ReachableDirAddresses *:80\"");
3481 new_line->key = tor_strdup(
"ReachableORAddresses");
3482 new_line->value = tor_strdup(
"*:443");
3484 log_notice(
LD_CONFIG,
"Converting FascistFirewall config option "
3485 "to new format: \"ReachableORAddresses *:443\"");
3495 REJECT(
"Servers must be able to freely connect to the rest "
3496 "of the Internet, so they must not set Reachable*Addresses "
3497 "or FascistFirewall or FirewallPorts or ClientUseIPv4 0.");
3501 REJECT(
"Servers must be able to freely connect to the rest "
3502 "of the Internet, so they must not set UseBridges.");
3508 REJECT(
"You cannot set both UseBridges and EntryNodes.");
3513 REJECT(
"Setting UseBridges requires also setting UseEntryGuards.");
3516 compute_real_max_mem_in_queues(options->MaxMemInQueues_raw,
3522 options->SafeLogging_ = SAFELOG_SCRUB_NONE;
3523 }
else if (!strcasecmp(options->
SafeLogging,
"relay")) {
3524 options->SafeLogging_ = SAFELOG_SCRUB_RELAY;
3525 }
else if (!strcasecmp(options->
SafeLogging,
"1")) {
3526 options->SafeLogging_ = SAFELOG_SCRUB_ALL;
3529 "Unrecognized value '%s' in SafeLogging",
3541 if (options_validate_single_onion(options, msg) < 0)
3548 REJECT(
"CircuitsAvailableTimeout is too large. Max is 24 hours.");
3552 REJECT(
"If EntryNodes is set, UseEntryGuards must be enabled.");
3557 !hs_service_allow_non_anonymous_connection(options)) {
3559 "UseEntryGuards is disabled, but you have configured one or more "
3560 "hidden services on this Tor instance. Your hidden services "
3561 "will be very easy to locate using a well-known attack -- see "
3562 "https://freehaven.net/anonbib/#hs-attack06 for details.");
3567 REJECT(
"NumEntryGuards must not be greater than NumPrimaryGuards.");
3575 "You have one single EntryNodes and at least one hidden service "
3576 "configured. This is bad because it's very easy to locate your "
3577 "entry guard which can then lead to the deanonymization of your "
3578 "hidden service -- for more details, see "
3579 "https://bugs.torproject.org/tpo/core/tor/14917. "
3580 "For this reason, the use of one EntryNodes with an hidden "
3581 "service is prohibited until a better solution is found.");
3591 "EntryNodes is set with multiple entries and at least one "
3592 "hidden service is configured. Pinning entry nodes can possibly "
3593 "be harmful to the service anonymity. Because of this, we "
3594 "recommend you either don't do that or make sure you know what "
3595 "you are doing. For more details, please look at "
3596 "https://bugs.torproject.org/tpo/core/tor/21155.");
3600 if (hs_service_non_anonymous_mode_enabled(options)) {
3602 "HiddenServiceNonAnonymousMode is set. Every hidden service on "
3603 "this tor instance is NON-ANONYMOUS. If "
3604 "the HiddenServiceNonAnonymousMode option is changed, Tor will "
3605 "refuse to launch hidden services from the same directories, to "
3606 "protect your anonymity against config errors. This setting is "
3607 "for experimental use only.");
3613 "CircuitBuildTimeout is shorter (%d seconds) than the recommended "
3614 "minimum (%d seconds), and LearnCircuitBuildTimeout is disabled. "
3615 "If tor isn't working, raise this value or enable "
3616 "LearnCircuitBuildTimeout.",
3627 log_fn(severity,
LD_CONFIG,
"You disabled LearnCircuitBuildTimeout, but "
3628 "didn't specify a CircuitBuildTimeout. I'll pick a plausible "
3633 REJECT(
"DormantClientTimeout is too low. It must be at least 10 minutes.");
3636 if (options->PathBiasNoticeRate > 1.0) {
3638 "PathBiasNoticeRate is too high. "
3639 "It must be between 0 and 1.0");
3642 if (options->PathBiasWarnRate > 1.0) {
3644 "PathBiasWarnRate is too high. "
3645 "It must be between 0 and 1.0");
3648 if (options->PathBiasExtremeRate > 1.0) {
3650 "PathBiasExtremeRate is too high. "
3651 "It must be between 0 and 1.0");
3654 if (options->PathBiasNoticeUseRate > 1.0) {
3656 "PathBiasNoticeUseRate is too high. "
3657 "It must be between 0 and 1.0");
3660 if (options->PathBiasExtremeUseRate > 1.0) {
3662 "PathBiasExtremeUseRate is too high. "
3663 "It must be between 0 and 1.0");
3668 log_warn(
LD_CONFIG,
"MaxCircuitDirtiness option is too short; "
3674 log_warn(
LD_CONFIG,
"MaxCircuitDirtiness option is too high; "
3681 log_warn(
LD_CONFIG,
"CircuitStreamTimeout option is too short; "
3689 log_warn(
LD_CONFIG,
"HeartbeatPeriod option is too short; "
3695 REJECT(
"KeepalivePeriod option must be positive.");
3698 "BandwidthRate", msg) < 0)
3701 "BandwidthBurst", msg) < 0)
3708 REJECT(
"BandwidthBurst must be at least equal to BandwidthRate.");
3719 REJECT(
"HTTPProxy failed to parse or resolve. Please fix.");
3727 REJECT(
"HTTPProxyAuthenticator is too long (>= 512 chars).");
3733 REJECT(
"HTTPSProxy failed to parse or resolve. Please fix.");
3741 REJECT(
"HTTPSProxyAuthenticator is too long (>= 512 chars).");
3748 REJECT(
"Socks4Proxy failed to parse or resolve. Please fix.");
3758 REJECT(
"Socks5Proxy failed to parse or resolve. Please fix.");
3774 REJECT(
"You have configured more than one proxy type. "
3775 "(Socks4Proxy|Socks5Proxy|HTTPSProxy|TCPProxy)");
3782 log_warn(
LD_CONFIG,
"HTTPProxy configured, but no SOCKS proxy, "
3783 "HTTPS proxy, or any other TCP proxy configured. Watch out: "
3784 "this configuration will proxy unencrypted directory "
3785 "connections only.");
3793 REJECT(
"Socks5ProxyUsername must be between 1 and 255 characters.");
3796 REJECT(
"Socks5ProxyPassword must be included with Socks5ProxyUsername.");
3800 REJECT(
"Socks5ProxyPassword must be between 1 and 255 characters.");
3802 REJECT(
"Socks5ProxyPassword must be included with Socks5ProxyUsername.");
3807 REJECT(
"Bad HashedControlPassword: wrong length or bad encoding");
3818 REJECT(
"Bad HashedControlSessionPassword: wrong length or bad encoding");
3826 const char *validate_pspec_msg = NULL;
3828 &validate_pspec_msg)) {
3830 validate_pspec_msg);
3835 if ((options->ControlPort_set || world_writable_control_socket) &&
3839 log_warn(
LD_CONFIG,
"Control%s is %s, but no authentication method "
3840 "has been configured. This means that any program on your "
3841 "computer can reconfigure your Tor. That's bad! You should "
3842 "upgrade your Tor controller as soon as possible.",
3843 options->ControlPort_set ?
"Port" :
"Socket",
3844 options->ControlPort_set ?
"open" :
"world writable");
3848 log_warn(
LD_CONFIG,
"CookieAuthFileGroupReadable is set, but will have "
3849 "no effect: you must specify an explicit CookieAuthFile to "
3850 "have it group-readable.");
3867 log_info(
LD_CONFIG,
"You have set UseDefaultFallbackDirs 1 and "
3868 "FallbackDir(s). Ignoring UseDefaultFallbackDirs, and "
3869 "using the FallbackDir(s) you have set.");
3873 REJECT(
"Directory authority/fallback line did not parse. See logs "
3877 REJECT(
"If you set UseBridges, you must specify at least one bridge.");
3879 for (cl = options->
Bridges; cl; cl = cl->next) {
3882 REJECT(
"Bridge line did not parse. See logs for details.");
3883 bridge_line_free(bridge_line);
3888 REJECT(
"Invalid client transport line. See logs for details.");
3901 "ConstrainedSockSize is invalid. Must be a value between %d and %d "
3902 "in 1024 byte increments.",
3903 MIN_CONSTRAINED_TCP_BUFFER, MAX_CONSTRAINED_TCP_BUFFER);
3912 REJECT(
"Failed to configure rendezvous options. See logs for details.");
3916 REJECT(
"Failed to configure client authorization for hidden services. "
3917 "See logs for details.");
3923 AF_INET6, 1, msg)<0)
3930 REJECT(
"TestingTorNetwork may only be configured in combination with "
3931 "a non-default set of DirAuthority or both of "
3932 "AlternateDirAuthority and AlternateBridgeAuthority configured.");
3935 #define CHECK_DEFAULT(arg) \
3937 if (!config_is_same(get_options_mgr(),options, \
3938 dflt_options,#arg)) { \
3939 or_options_free(dflt_options); \
3940 REJECT(#arg " may only be changed in testing Tor " \
3951 CHECK_DEFAULT(TestingV3AuthInitialVotingInterval);
3952 CHECK_DEFAULT(TestingV3AuthInitialVoteDelay);
3953 CHECK_DEFAULT(TestingV3AuthInitialDistDelay);
3954 CHECK_DEFAULT(TestingV3AuthVotingStartOffset);
3955 CHECK_DEFAULT(TestingAuthDirTimeToLearnReachability);
3956 CHECK_DEFAULT(TestingServerDownloadInitialDelay);
3957 CHECK_DEFAULT(TestingClientDownloadInitialDelay);
3958 CHECK_DEFAULT(TestingServerConsensusDownloadInitialDelay);
3959 CHECK_DEFAULT(TestingClientConsensusDownloadInitialDelay);
3960 CHECK_DEFAULT(TestingBridgeDownloadInitialDelay);
3961 CHECK_DEFAULT(TestingBridgeBootstrapDownloadInitialDelay);
3962 CHECK_DEFAULT(TestingClientMaxIntervalWithoutRequest);
3963 CHECK_DEFAULT(TestingDirConnectionMaxStall);
3964 CHECK_DEFAULT(TestingAuthKeyLifetime);
3965 CHECK_DEFAULT(TestingLinkCertLifetime);
3966 CHECK_DEFAULT(TestingSigningKeySlop);
3967 CHECK_DEFAULT(TestingAuthKeySlop);
3968 CHECK_DEFAULT(TestingLinkKeySlop);
3969 CHECK_DEFAULT(TestingMinTimeToReportBandwidth);
3970 or_options_free(dflt_options);
3972 #undef CHECK_DEFAULT
3977 REJECT(
"ClientDNSRejectInternalAddresses used for default network.");
3985 REJECT(
"TestingClientMaxIntervalWithoutRequest is way too low.");
3987 COMPLAIN(
"TestingClientMaxIntervalWithoutRequest is insanely high.");
3991 REJECT(
"TestingDirConnectionMaxStall is way too low.");
3993 COMPLAIN(
"TestingDirConnectionMaxStall is insanely high.");
3997 REJECT(
"ClientBootstrapConsensusMaxInProgressTries must be greater "
4001 COMPLAIN(
"ClientBootstrapConsensusMaxInProgressTries is insanely "
4007 REJECT(
"TestingEnableConnBwEvent may only be changed in testing "
4013 REJECT(
"TestingEnableCellStatsEvent may only be changed in testing "
4018 log_warn(
LD_CONFIG,
"TestingTorNetwork is set. This will make your node "
4019 "almost unusable in the public Tor network, and is "
4020 "therefore only advised if you are building a "
4021 "testing Tor network!");
4024 if (options_validate_scheduler(options, msg) < 0) {
4038 compute_real_max_mem_in_queues(
const uint64_t val,
bool is_server)
4040 #define MIN_SERVER_MB 64
4041 #define MIN_UNWARNED_SERVER_MB 256
4042 #define MIN_UNWARNED_CLIENT_MB 64
4046 #define ONE_GIGABYTE (UINT64_C(1) << 30)
4047 #define ONE_MEGABYTE (UINT64_C(1) << 20)
4050 static int notice_sent = 0;
4054 #if SIZEOF_VOID_P >= 8
4056 result = 8 * ONE_GIGABYTE;
4059 result = ONE_GIGABYTE;
4065 #if SIZEOF_SIZE_T > 4
4067 #define RAM_IS_VERY_LARGE(x) ((x) >= (8 * ONE_GIGABYTE))
4070 #define RAM_IS_VERY_LARGE(x) (0)
4073 if (RAM_IS_VERY_LARGE(ram)) {
4080 avail = (ram / 5) * 2;
4085 avail = (ram / 4) * 3;
4094 }
else if (avail < ONE_GIGABYTE / 4) {
4095 result = ONE_GIGABYTE / 4;
4100 if (is_server && ! notice_sent) {
4101 log_notice(
LD_CONFIG,
"%sMaxMemInQueues is set to %"PRIu64
" MB. "
4102 "You can override this by setting MaxMemInQueues by hand.",
4103 ram ?
"Based on detected system memory, " :
"",
4104 (result / ONE_MEGABYTE));
4108 }
else if (is_server && val < ONE_MEGABYTE * MIN_SERVER_MB) {
4110 log_warn(
LD_CONFIG,
"MaxMemInQueues must be at least %d MB on servers "
4111 "for now. Ideally, have it as large as you can afford.",
4113 return MIN_SERVER_MB * ONE_MEGABYTE;
4114 }
else if (is_server && val < ONE_MEGABYTE * MIN_UNWARNED_SERVER_MB) {
4117 log_warn(
LD_CONFIG,
"MaxMemInQueues is set to a low value; if your "
4118 "relay doesn't work, this may be the reason why.");
4120 }
else if (! is_server && val < ONE_MEGABYTE * MIN_UNWARNED_CLIENT_MB) {
4123 log_warn(
LD_CONFIG,
"MaxMemInQueues is set to a low value; if your "
4124 "client doesn't work, this may be the reason why.");
4143 const void *new_val_,
4146 CHECK_OPTIONS_MAGIC(old_);
4147 CHECK_OPTIONS_MAGIC(new_val_);
4155 #define BAD_CHANGE_TO(opt, how) do { \
4156 *msg = tor_strdup("While Tor is running"how", changing " #opt \
4157 " is not allowed"); \
4162 #define SB_NOCHANGE_STR(opt) \
4163 if (! CFG_EQ_STRING(old, new_val, opt)) \
4164 BAD_CHANGE_TO(opt," with Sandbox active")
4165 #define SB_NOCHANGE_LINELIST(opt) \
4166 if (! CFG_EQ_LINELIST(old, new_val, opt)) \
4167 BAD_CHANGE_TO(opt," with Sandbox active")
4168 #define SB_NOCHANGE_INT(opt) \
4169 if (! CFG_EQ_INT(old, new_val, opt)) \
4170 BAD_CHANGE_TO(opt," with Sandbox active")
4172 SB_NOCHANGE_LINELIST(Address);
4173 SB_NOCHANGE_STR(ServerDNSResolvConfFile);
4174 SB_NOCHANGE_STR(DirPortFrontPage);
4175 SB_NOCHANGE_STR(CookieAuthFile);
4176 SB_NOCHANGE_STR(ExtORPortCookieAuthFile);
4177 SB_NOCHANGE_LINELIST(Logs);
4178 SB_NOCHANGE_INT(ConnLimit);
4181 *msg = tor_strdup(
"Can't start/stop being a server while "
4182 "Sandbox is active");
4187 #undef SB_NOCHANGE_LINELIST
4188 #undef SB_NOCHANGE_STR
4189 #undef SB_NOCHANGE_INT
4190 #undef BAD_CHANGE_TO
4191 #undef NO_CHANGE_BOOL
4192 #undef NO_CHANGE_INT
4193 #undef NO_CHANGE_STRING
4201 get_windows_conf_root(
void)
4203 static int is_set = 0;
4204 static char path[MAX_PATH*2+1];
4205 TCHAR tpath[MAX_PATH] = {0};
4217 #ifdef ENABLE_LOCAL_APPDATA
4218 #define APPDATA_PATH CSIDL_LOCAL_APPDATA
4220 #define APPDATA_PATH CSIDL_APPDATA
4222 if (!SUCCEEDED(SHGetSpecialFolderLocation(NULL, APPDATA_PATH, &idl))) {
4223 getcwd(path,MAX_PATH);
4226 "I couldn't find your application data folder: are you "
4227 "running an ancient version of Windows 95? Defaulting to \"%s\"",
4232 result = SHGetPathFromIDList(idl, tpath);
4234 wcstombs(path,tpath,
sizeof(path));
4235 path[
sizeof(path)-1] =
'\0';
4237 strlcpy(path,tpath,
sizeof(path));
4244 m->lpVtbl->Free(m, idl);
4245 m->lpVtbl->Release(m);
4247 if (!SUCCEEDED(result)) {
4250 strlcat(path,
"\\tor",MAX_PATH);
4261 #ifdef DISABLE_SYSTEM_TORRC
4262 (void) defaults_file;
4264 #elif defined(_WIN32)
4265 if (defaults_file) {
4266 static char defaults_path[MAX_PATH+1];
4267 tor_snprintf(defaults_path, MAX_PATH,
"%s\\torrc-defaults",
4268 get_windows_conf_root());
4269 return defaults_path;
4271 static char path[MAX_PATH+1];
4273 get_windows_conf_root());
4277 return defaults_file ? CONFDIR
"/torrc-defaults" : CONFDIR
"/torrc";
4295 int *using_default_fname,
int *ignore_missing_torrc)
4299 const char *fname_opt = defaults_file ?
"--defaults-torrc" :
"-f";
4300 const char *fname_long_opt = defaults_file ?
"--defaults-torrc" :
4302 const char *ignore_opt = defaults_file ? NULL :
"--ignore-missing-torrc";
4303 const char *keygen_opt =
"--keygen";
4306 *ignore_missing_torrc = 1;
4308 for (p_index = cmd_arg; p_index; p_index = p_index->next) {
4310 if (!strcmp(p_index->key, fname_opt) ||
4311 !strcmp(p_index->key, fname_long_opt)) {
4313 log_warn(
LD_CONFIG,
"Duplicate %s options on command line.",
4326 *using_default_fname = 0;
4327 }
else if ((ignore_opt && !strcmp(p_index->key, ignore_opt)) ||
4328 (keygen_opt && !strcmp(p_index->key, keygen_opt))) {
4329 *ignore_missing_torrc = 1;
4333 if (*using_default_fname) {
4337 if (dflt && (st == FN_FILE || st == FN_EMPTY)) {
4338 fname = tor_strdup(dflt);
4342 if (!defaults_file) {
4347 if (hmst == FN_FILE || hmst == FN_EMPTY || dflt == NULL) {
4351 fname = tor_strdup(dflt);
4354 fname = dflt ? tor_strdup(dflt) : NULL;
4357 fname = dflt ? tor_strdup(dflt) : NULL;
4387 int using_default_torrc = 1;
4388 int ignore_missing_torrc = 0;
4391 if (*fname_var == NULL) {
4393 &using_default_torrc, &ignore_missing_torrc);
4399 log_debug(
LD_CONFIG,
"Opening config file \"%s\"", fname?fname:
"<NULL>");
4403 if (fname == NULL ||
4404 !(st == FN_FILE || st == FN_EMPTY) ||
4405 !(cf = read_file_to_str(fname,0,NULL))) {
4406 if (using_default_torrc == 1 || ignore_missing_torrc) {
4408 log_notice(
LD_CONFIG,
"Configuration file \"%s\" not present, "
4409 "using reasonable defaults.", fname);
4412 cf = tor_strdup(
"");
4415 "Unable to open configuration file \"%s\".", fname);
4419 log_notice(
LD_CONFIG,
"Read configuration file \"%s\".", fname);
4437 char *cf=NULL, *cf_defaults=NULL;
4475 printf(
"Tor is running on %s with Libevent %s, "
4476 "%s %s, Zlib %s, Liblzma %s, Libzstd %s and %s %s as libc.\n",
4490 printf(
"Tor compiled with %s version %s\n",
4491 strcmp(COMPILER_VENDOR,
"gnu") == 0?
4492 COMPILER:COMPILER_VENDOR, COMPILER_VERSION);
4513 cf_defaults = tor_strdup(
"");
4514 cf = tor_strdup(
"");
4520 if (f_line && f_line_long) {
4521 log_err(
LD_CONFIG,
"-f and --torrc-file cannot be used together.");
4524 }
else if (f_line_long) {
4525 f_line = f_line_long;
4528 const int read_torrc_from_stdin =
4529 (f_line != NULL && strcmp(f_line->value,
"-") == 0);
4531 if (read_torrc_from_stdin) {
4539 cf = tor_strdup(
"");
4567 KEY_EXPIRATION_FORMAT_ISO8601;
4602 return retval < 0 ? -1 : 0;
4616 int command,
const char *command_arg,
4620 or_options_t *oldoptions, *newoptions, *newdefaultoptions=NULL;
4624 int cf_has_include = 0;
4633 newoptions->
command_arg = command_arg ? tor_strdup(command_arg) : NULL;
4636 for (
int i = 0; i < 2; ++i) {
4637 const char *body = i==0 ? cf_defaults : cf;
4643 body == cf ? &cf_has_include : NULL,
4646 err = SETOPT_ERR_PARSE;
4651 config_free_lines(cl);
4653 err = SETOPT_ERR_PARSE;
4660 if (newdefaultoptions == NULL) {
4675 err = SETOPT_ERR_PARSE;
4681 opened_files = NULL;
4707 smartlist_free(opened_files);
4709 or_options_free(newdefaultoptions);
4710 or_options_free(newoptions);
4712 char *old_msg = *msg;
4713 tor_asprintf(msg,
"Failed to parse/validate config: %s", old_msg);
4743 const char *from, *to, *msg;
4747 for (opt = options->
AddressMap; opt; opt = opt->next) {
4749 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 2);
4750 if (smartlist_len(elts) < 2) {
4751 log_warn(
LD_CONFIG,
"MapAddress '%s' has too few arguments. Ignoring.",
4756 from = smartlist_get(elts,0);
4757 to = smartlist_get(elts,1);
4759 if (to[0] ==
'.' || from[0] ==
'.') {
4760 log_warn(
LD_CONFIG,
"MapAddress '%s' is ambiguous - address starts with a"
4761 "'.'. Ignoring.",opt->value);
4766 log_warn(
LD_CONFIG,
"MapAddress '%s' failed: %s. Ignoring.", opt->value,
4771 if (smartlist_len(elts) > 2)
4772 log_warn(
LD_CONFIG,
"Ignoring extra arguments to MapAddress.");
4778 smartlist_free(elts);
4790 int from_wildcard = 0, to_wildcard = 0;
4792 *msg =
"whoops, forgot the error message";
4794 if (!strcmp(to,
"*") || !strcmp(from,
"*")) {
4795 *msg =
"can't remap from or to *";
4799 if (!strncmp(from,
"*.",2)) {
4803 if (!strncmp(to,
"*.",2)) {
4808 if (to_wildcard && !from_wildcard) {
4809 *msg =
"can only use wildcard (i.e. '*.') if 'from' address "
4810 "uses wildcard also";
4815 *msg =
"destination is invalid";
4820 from_wildcard, to_wildcard, 0);
4830 const char *filename,
int truncate_log)
4832 int open_flags = O_WRONLY|O_CREAT;
4833 open_flags |= truncate_log ? O_TRUNC : O_APPEND;
4852 log_warn(
LD_CONFIG,
"Log time granularity '%d' has to be positive.",
4858 if (granularity < 40) {
4860 while (1000 % granularity != 0);
4861 }
else if (granularity < 1000) {
4862 granularity = 1000 / granularity;
4863 while (1000 % granularity != 0)
4865 granularity = 1000 / granularity;
4867 granularity = 1000 * ((granularity / 1000) + 1);
4869 log_warn(
LD_CONFIG,
"Log time granularity '%d' has to be either a "
4870 "divisor or a multiple of 1 second. Changing to "
4906 if (options->
Logs == NULL && !run_as_daemon && !validate_only) {
4912 for (opt = options->
Logs; opt; opt = opt->next) {
4914 const char *cfg = opt->value;
4917 log_warn(
LD_CONFIG,
"Couldn't parse log levels in Log option 'Log %s'",
4919 ok = 0;
goto cleanup;
4923 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 2);
4925 if (smartlist_len(elts) == 0)
4928 if (smartlist_len(elts) == 1 &&
4929 (!strcasecmp(smartlist_get(elts,0),
"stdout") ||
4930 !strcasecmp(smartlist_get(elts,0),
"stderr"))) {
4931 int err = smartlist_len(elts) &&
4932 !strcasecmp(smartlist_get(elts,0),
"stderr");
4933 if (!validate_only) {
4934 if (run_as_daemon) {
4936 "Can't log to %s with RunAsDaemon set; skipping stdout",
4937 err?
"stderr":
"stdout");
4940 fileno(err?stderr:stdout));
4945 if (smartlist_len(elts) == 1) {
4946 if (!strcasecmp(smartlist_get(elts,0),
"syslog")) {
4947 #ifdef HAVE_SYSLOG_H
4948 if (!validate_only) {
4952 log_warn(
LD_CONFIG,
"Syslog is not supported on this system. Sorry.");
4959 if (!strcasecmp(smartlist_get(elts, 0),
"android")) {
4960 #ifdef HAVE_SYSLOG_H
4961 log_warn(
LD_CONFIG,
"The android logging API is no longer supported;"
4962 " adding a syslog instead. The 'android' logging "
4963 " type will no longer work in the future.");
4964 if (!validate_only) {
4968 log_warn(
LD_CONFIG,
"The android logging API is no longer supported.");
4974 if (smartlist_len(elts) == 2 &&
4975 !strcasecmp(smartlist_get(elts,0),
"file")) {
4976 if (!validate_only) {
4980 int truncate_log = 0;
4985 for (opt2 = old_options->
Logs; opt2; opt2 = opt2->next)
4986 if (!strcmp(opt->value, opt2->value)) {
4993 log_warn(
LD_CONFIG,
"Couldn't open file for 'Log %s': %s",
4994 opt->value, strerror(errno));
5002 log_warn(
LD_CONFIG,
"Bad syntax on file Log option 'Log %s'",
5004 ok = 0;
goto cleanup;
5011 smartlist_free(elts);
5013 if (ok && !validate_only)
5025 char *socks_string = NULL;
5026 size_t socks_string_len;
5033 log_warn(
LD_CONFIG,
"'%s' is not a k=v item.", s);
5036 } SMARTLIST_FOREACH_END(s);
5042 socks_string_len = strlen(socks_string);
5046 log_warn(
LD_CONFIG,
"SOCKS arguments can't be more than %u bytes (%lu).",
5048 (
unsigned long) socks_string_len);
5062 if (bridge_line->socks_args) {
5064 smartlist_free(bridge_line->socks_args);
5066 tor_free(bridge_line->transport_name);
5086 char *addrport=NULL, *fingerprint=NULL;
5092 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
5093 if (smartlist_len(items) < 1) {
5094 log_warn(
LD_CONFIG,
"Too few arguments to Bridge line.");
5099 field = smartlist_get(items, 0);
5104 bridge_line->transport_name = field;
5105 if (smartlist_len(items) < 1) {
5106 log_warn(
LD_CONFIG,
"Too few items to Bridge line.");
5109 addrport = smartlist_get(items, 0);
5116 &bridge_line->addr, &bridge_line->port, 443)<0) {
5117 log_warn(
LD_CONFIG,
"Error parsing Bridge address '%s'", addrport);
5124 if (smartlist_len(items)) {
5125 if (bridge_line->transport_name) {
5126 field = smartlist_get(items, 0);
5135 fingerprint = field;
5146 log_warn(
LD_CONFIG,
"Key digest for Bridge is wrong length.");
5151 log_warn(
LD_CONFIG,
"Unable to decode Bridge key digest.");
5158 if (bridge_line->transport_name && smartlist_len(items)) {
5159 if (!bridge_line->socks_args)
5166 tor_assert(smartlist_len(bridge_line->socks_args) > 0);
5169 if (bridge_line->socks_args) {
5177 bridge_line_free(bridge_line);
5182 smartlist_free(items);
5209 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 2);
5212 if (smartlist_len(sl) < 2) {
5213 *msg = tor_strdup(
"TCPProxy has no address/port. Please fix.");
5217 char *protocol_string = smartlist_get(sl, 0);
5218 char *addrport_string = smartlist_get(sl, 1);
5221 if (strcasecmp(protocol_string,
"haproxy")) {
5222 *msg = tor_strdup(
"TCPProxy protocol is not supported. Currently "
5223 "the only supported protocol is 'haproxy'. "
5234 *msg = tor_strdup(
"TCPProxy address/port failed to parse or resolve. "
5263 const char *line,
int validate_only,
5269 const char *transports = NULL;
5272 char *addrport = NULL;
5275 int socks_ver = PROXY_NONE;
5279 char **proxy_argv = NULL;
5282 int is_useless_proxy = 1;
5289 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
5290 line_length = smartlist_len(items);
5292 if (line_length < 3) {
5294 "Too few arguments on %sTransportPlugin line.",
5295 server ?
"Server" :
"Client");
5302 transports = smartlist_get(items, 0);
5305 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
5309 log_warn(
LD_CONFIG,
"Transport name is not a C identifier (%s).",
5316 is_useless_proxy = 0;
5317 } SMARTLIST_FOREACH_END(transport_name);
5319 type = smartlist_get(items, 1);
5320 if (!strcmp(type,
"exec")) {
5322 }
else if (server && !strcmp(type,
"proxy")) {
5325 }
else if (!server && !strcmp(type,
"socks4")) {
5328 socks_ver = PROXY_SOCKS4;
5329 }
else if (!server && !strcmp(type,
"socks5")) {
5332 socks_ver = PROXY_SOCKS5;
5335 "Strange %sTransportPlugin type '%s'",
5336 server ?
"Server" :
"Client", type);
5340 if (is_managed && options->
Sandbox) {
5342 "Managed proxies are not compatible with Sandbox mode."
5343 "(%sTransportPlugin line was %s)",
5344 server ?
"Server" :
"Client",
escaped(line));
5348 if (is_managed && options->
NoExec) {
5350 "Managed proxies are not compatible with NoExec mode; ignoring."
5351 "(%sTransportPlugin line was %s)",
5352 server ?
"Server" :
"Client",
escaped(line));
5360 if (!server && !validate_only && is_useless_proxy) {
5362 "Pluggable transport proxy (%s) does not provide "
5363 "any needed transports and will not be launched.",
5373 if (!validate_only && (server || !is_useless_proxy)) {
5374 proxy_argc = line_length - 2;
5376 proxy_argv = tor_calloc((proxy_argc + 1),
sizeof(
char *));
5379 for (i = 0; i < proxy_argc; i++) {
5381 *tmp++ = smartlist_get(items, 2);
5399 log_warn(
LD_CONFIG,
"You have configured an external proxy with another "
5400 "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|"
5407 "You can't have an external proxy with more than "
5412 addrport = smartlist_get(items, 2);
5416 "Error parsing transport address '%s'", addrport);
5422 "Transport address '%s' has no port.", addrport);
5426 if (!validate_only) {
5427 log_info(
LD_DIR,
"%s '%s' at %s.",
5428 server ?
"Server transport" :
"Transport",
5447 smartlist_free(items);
5489 const char *eq = strchr(flag,
'=');
5491 const char *target = eq + 1;
5495 log_warn(
LD_CONFIG,
"Unsupported URL scheme in authority flag %s", flag);
5498 const char *addr = target + strlen(
"http://");
5500 const char *eos = strchr(addr,
'/');
5502 if (eos && strcmp(eos,
"/")) {
5503 log_warn(
LD_CONFIG,
"Unsupported URL prefix in authority flag %s", flag);
5506 addr_len = eos - addr;
5508 addr_len = strlen(addr);
5512 char *addr_string = tor_strndup(addr, addr_len);
5514 memset(&dirport, 0,
sizeof(dirport));
5516 &dirport.addr, &dirport.port, -1);
5517 if (ds != NULL && rv == 0) {
5519 }
else if (rv == -1) {
5520 log_warn(
LD_CONFIG,
"Unable to parse address in authority flag %s",flag);
5540 char *addrport=NULL, *address=NULL, *nickname=NULL, *fingerprint=NULL;
5542 uint16_t dir_port = 0, or_port = 0;
5546 double weight = 1.0;
5549 memset(v3_digest, 0,
sizeof(v3_digest));
5553 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
5554 if (smartlist_len(items) < 1) {
5555 log_warn(
LD_CONFIG,
"No arguments on DirAuthority line.");
5560 nickname = smartlist_get(items, 0);
5564 while (smartlist_len(items)) {
5565 char *flag = smartlist_get(items, 0);
5566 if (TOR_ISDIGIT(flag[0]))
5568 if (!strcasecmp(flag,
"hs") ||
5569 !strcasecmp(flag,
"no-hs")) {
5570 log_warn(
LD_CONFIG,
"The DirAuthority options 'hs' and 'no-hs' are "
5571 "obsolete; you don't need them any more.");
5572 }
else if (!strcasecmp(flag,
"bridge")) {
5574 }
else if (!strcasecmp(flag,
"no-v2")) {
5579 char *portstring = flag + strlen(
"orport=");
5580 or_port = (uint16_t)
tor_parse_long(portstring, 10, 1, 65535, &ok, NULL);
5582 log_warn(
LD_CONFIG,
"Invalid orport '%s' on DirAuthority line.",
5586 const char *wstring = flag + strlen(
"weight=");
5589 log_warn(
LD_CONFIG,
"Invalid weight '%s' on DirAuthority line.",flag);
5593 char *idstr = flag + strlen(
"v3ident=");
5597 log_warn(
LD_CONFIG,
"Bad v3 identity digest '%s' on DirAuthority line",
5603 if (ipv6_addrport_ptr) {
5604 log_warn(
LD_CONFIG,
"Redundant ipv6 addr/port on DirAuthority line");
5607 &ipv6_addrport.addr, &ipv6_addrport.port,
5610 log_warn(
LD_CONFIG,
"Bad ipv6 addr/port %s on DirAuthority line",
5614 ipv6_addrport_ptr = &ipv6_addrport;
5623 log_warn(
LD_CONFIG,
"Unrecognized flag '%s' on DirAuthority line",
5630 if (smartlist_len(items) < 2) {
5631 log_warn(
LD_CONFIG,
"Too few arguments to DirAuthority line.");
5634 addrport = smartlist_get(items, 0);
5638 log_warn(
LD_CONFIG,
"Error parsing DirAuthority address '%s'.", addrport);
5643 log_warn(
LD_CONFIG,
"Error parsing DirAuthority address '%s' "
5644 "(invalid IPv4 address)", address);
5649 log_warn(
LD_CONFIG,
"Missing port in DirAuthority address '%s'",addrport);
5655 log_warn(
LD_CONFIG,
"Key digest '%s' for DirAuthority is wrong length %d.",
5656 fingerprint, (
int)strlen(fingerprint));
5661 log_warn(
LD_CONFIG,
"Unable to decode DirAuthority key digest.");
5665 if (validate_only) {
5669 } SMARTLIST_FOREACH_END(cp);
5672 if (!validate_only && (!required_type || required_type & type)) {
5675 type &= required_type;
5677 log_debug(
LD_DIR,
"Trusted %d dirserver at %s:%d (%s)", (
int)type,
5678 address, (
int)dir_port, (
char*)smartlist_get(items,0));
5681 digest, v3_digest, type, weight)))
5687 } SMARTLIST_FOREACH_END(cp);
5699 smartlist_free(extra_dirports);
5701 smartlist_free(items);
5728 memset(
id, 0,
sizeof(
id));
5730 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
5732 const char *eq = strchr(cp,
'=');
5740 1, 65535, &ok, NULL);
5745 if (ipv6_addrport_ptr) {
5746 log_warn(
LD_CONFIG,
"Redundant ipv6 addr/port on FallbackDir line");
5749 &ipv6_addrport.addr, &ipv6_addrport.port,
5752 log_warn(
LD_CONFIG,
"Bad ipv6 addr/port %s on FallbackDir line",
5756 ipv6_addrport_ptr = &ipv6_addrport;
5760 const char *wstring = cp + strlen(
"weight=");
5763 log_warn(
LD_CONFIG,
"Invalid weight '%s' on FallbackDir line.", cp);
5772 } SMARTLIST_FOREACH_END(cp);
5774 if (smartlist_len(positional) != 1) {
5780 log_warn(
LD_CONFIG,
"Missing identity on FallbackDir line");
5785 log_warn(
LD_CONFIG,
"Missing orport on FallbackDir line");
5790 &address, &dirport) < 0 ||
5792 log_warn(
LD_CONFIG,
"Couldn't parse address:port %s on FallbackDir line",
5793 (
const char*)smartlist_get(positional, 0));
5797 if (!validate_only) {
5812 smartlist_free(items);
5813 smartlist_free(positional);
5854 const char *portname,
5855 const int listener_type)
5858 if (port->type != listener_type)
5860 if (port->is_unix_addr) {
5862 }
else if (!tor_addr_is_internal(&port->addr, 1)) {
5863 log_warn(
LD_CONFIG,
"You specified a public address '%s' for %sPort. "
5864 "Other people on the Internet might find your computer and "
5865 "use it as an open proxy. Please don't allow this unless you "
5866 "have a good reason.",
5869 log_notice(
LD_CONFIG,
"You configured a non-loopback address '%s' "
5870 "for %sPort. This allows everybody on your local network to "
5871 "use your machine as a proxy. Make sure this is what you "
5875 } SMARTLIST_FOREACH_END(port);
5889 if (port->is_unix_addr)
5892 if (forbid_nonlocal) {
5895 "You have a ControlPort set to accept "
5896 "unauthenticated connections from a non-local address. "
5897 "This means that programs not running on your computer "
5898 "can reconfigure your Tor, without even having to guess a "
5899 "password. That's so bad that I'm closing your ControlPort "
5900 "for you. If you need to control your Tor remotely, try "
5901 "enabling authentication and using a tool like stunnel or "
5902 "ssh to encrypt remote access.");
5904 port_cfg_free(port);
5907 log_warn(
LD_CONFIG,
"You have a ControlPort set to accept "
5908 "connections from a non-local address. This means that "
5909 "programs not running on your computer can reconfigure your "
5910 "Tor. That's pretty bad, since the controller "
5911 "protocol isn't encrypted! Maybe you should just listen on "
5912 "127.0.0.1 and use a tool like stunnel or ssh to encrypt "
5913 "remote connections to your control port.");
5917 } SMARTLIST_FOREACH_END(port);
5932 char **addrport_out,
5934 const char **rest_out)
5947 *addrport_out = NULL;
5948 line += strlen(unix_socket_prefix);
5950 if (!*rest_out || (*addrport_out && sz != strlen(*addrport_out))) {
5959 line += strlen(unix_socket_prefix);
5967 end = strchr(line,
'\0');