80#include "trunnel/conflux.h"
81#include "core/or/dos.h"
133#ifdef HAVE_SYS_STAT_H
136#ifdef HAVE_SYS_PARAM_H
137#include <sys/param.h>
165# if defined(__COVERITY__) && !defined(__INCLUDE_LEVEL__)
169# define __INCLUDE_LEVEL__ 2
171#include <systemd/sd-daemon.h>
175static const char unix_socket_prefix[] =
"unix:";
178static const char unix_q_socket_prefix[] =
"unix:\"";
181#define MIN_CONSTRAINED_TCP_BUFFER 2048
182#define MAX_CONSTRAINED_TCP_BUFFER 262144
187#define DOWNLOAD_SCHEDULE(name) \
188 { (#name "DownloadSchedule"), (#name "DownloadInitialDelay"), 0, 1 }
190#define DOWNLOAD_SCHEDULE(name) { NULL, NULL, 0, 1 }
199 PLURAL(AuthDirMiddleOnlyCC),
205 PLURAL(HiddenServiceNode),
206 PLURAL(HiddenServiceExcludeNode),
209 PLURAL(RecommendedPackage),
215 {
"AllowUnverifiedNodes",
"AllowInvalidNodes", 0, 0},
216 {
"AutomapHostSuffixes",
"AutomapHostsSuffixes", 0, 0},
217 {
"AutomapHostOnResolve",
"AutomapHostsOnResolve", 0, 0},
218 {
"BandwidthRateBytes",
"BandwidthRate", 0, 0},
219 {
"BandwidthBurstBytes",
"BandwidthBurst", 0, 0},
220 {
"DirFetchPostPeriod",
"StatusFetchPeriod", 0, 0},
221 {
"DirServer",
"DirAuthority", 0, 0},
222 {
"MaxConn",
"ConnLimit", 0, 1},
223 {
"MaxMemInCellQueues",
"MaxMemInQueues", 0, 0},
224 {
"ORBindAddress",
"ORListenAddress", 0, 0},
225 {
"DirBindAddress",
"DirListenAddress", 0, 0},
226 {
"SocksBindAddress",
"SocksListenAddress", 0, 0},
227 {
"UseHelperNodes",
"UseEntryGuards", 0, 0},
228 {
"NumHelperNodes",
"NumEntryGuards", 0, 0},
229 {
"UseEntryNodes",
"UseEntryGuards", 0, 0},
230 {
"NumEntryNodes",
"NumEntryGuards", 0, 0},
231 {
"ResolvConf",
"ServerDNSResolvConfFile", 0, 1},
232 {
"SearchDomains",
"ServerDNSSearchDomains", 0, 1},
233 {
"ServerDNSAllowBrokenResolvConf",
"ServerDNSAllowBrokenConfig", 0, 0},
234 {
"PreferTunnelledDirConns",
"PreferTunneledDirConns", 0, 0},
235 {
"BridgeAuthoritativeDirectory",
"BridgeAuthoritativeDir", 0, 0},
236 {
"HashedControlPassword",
"__HashedControlSessionPassword", 1, 0},
237 {
"VirtualAddrNetwork",
"VirtualAddrNetworkIPv4", 0, 0},
238 {
"SocksSocketsGroupWritable",
"UnixSocksGroupWritable", 0, 1},
239 {
"_HSLayer2Nodes",
"HSLayer2Nodes", 0, 1 },
240 {
"_HSLayer3Nodes",
"HSLayer3Nodes", 0, 1 },
263#define VAR(varname,conftype,member,initvalue) \
264 CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, 0, initvalue)
267#define VAR_D(varname,conftype,member,initvalue) \
268 CONFIG_VAR_DEFN(or_options_t, varname, conftype, member, 0, initvalue)
270#define VAR_NODUMP(varname,conftype,member,initvalue) \
271 CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
272 CFLG_NODUMP, initvalue)
273#define VAR_NODUMP_IMMUTABLE(varname,conftype,member,initvalue) \
274 CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
275 CFLG_NODUMP | CFLG_IMMUTABLE, initvalue)
276#define VAR_INVIS(varname,conftype,member,initvalue) \
277 CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
278 CFLG_NODUMP | CFLG_NOSET | CFLG_NOLIST, initvalue)
280#define V(member,conftype,initvalue) \
281 VAR(#member, conftype, member, initvalue)
283#define VAR_IMMUTABLE(varname, conftype, member, initvalue) \
284 CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
285 CFLG_IMMUTABLE, initvalue)
287#define V_IMMUTABLE(member,conftype,initvalue) \
288 VAR_IMMUTABLE(#member, conftype, member, initvalue)
291#define V_D(member,type,initvalue) \
292 VAR_D(#member, type, member, initvalue)
295#define OBSOLETE(varname) CONFIG_VAR_OBSOLETE(varname)
304#define VPORT(member) \
305 VAR(#member "Lines", LINELIST_V, member ## _lines, NULL), \
306 VAR(#member, LINELIST_S, member ## _lines, NULL), \
307 VAR_NODUMP("__" #member, LINELIST_S, member ## _lines, NULL)
310#define UINT64_MAX_STRING "18446744073709551615"
317 V(AccountingMax, MEMUNIT,
"0 bytes"),
318 VAR(
"AccountingRule", STRING, AccountingRule_option,
"max"),
319 V(AccountingStart, STRING, NULL),
320 V(Address, LINELIST, NULL),
321 V(AddressDisableIPv6, BOOL,
"0"),
324 V(AllowNonRFC953Hostnames, BOOL,
"0"),
327 V(AlternateBridgeAuthority, LINELIST, NULL),
328 V(AlternateDirAuthority, LINELIST, NULL),
330 V(AssumeReachable, BOOL,
"0"),
331 V(AssumeReachableIPv6, AUTOBOOL,
"auto"),
334 V(AuthDirBadExit, LINELIST, NULL),
335 V(AuthDirBadExitCCs, CSV,
""),
336 V(AuthDirInvalid, LINELIST, NULL),
337 V(AuthDirInvalidCCs, CSV,
""),
338 V(AuthDirMiddleOnly, LINELIST, NULL),
339 V(AuthDirMiddleOnlyCCs, CSV,
""),
340 V(AuthDirReject, LINELIST, NULL),
341 V(AuthDirRejectCCs, CSV,
""),
344 OBSOLETE(
"AuthDirMaxServersPerAuthAddr"),
345 VAR(
"AuthoritativeDirectory", BOOL, AuthoritativeDir,
"0"),
346 V(AutomapHostsOnResolve, BOOL,
"0"),
347 V(AutomapHostsSuffixes, CSV,
".onion,.exit"),
348 V(AvoidDiskWrites, BOOL,
"0"),
349 V(BandwidthBurst, MEMUNIT,
"1 GB"),
350 V(BandwidthRate, MEMUNIT,
"1 GB"),
351 V(BridgeAuthoritativeDir, BOOL,
"0"),
352 VAR(
"Bridge", LINELIST, Bridges, NULL),
353 V(BridgePassword, STRING, NULL),
354 V(BridgeRecordUsageByCountry, BOOL,
"1"),
355 V(BridgeRelay, BOOL,
"0"),
356 V(BridgeDistribution, STRING, NULL),
357 VAR_IMMUTABLE(
"CacheDirectory",FILENAME, CacheDirectory_option, NULL),
358 V(CacheDirectoryGroupReadable, AUTOBOOL,
"auto"),
359 V(CellStatistics, BOOL,
"0"),
360 V(PaddingStatistics, BOOL,
"1"),
361 V(OverloadStatistics, BOOL,
"1"),
362 V(LearnCircuitBuildTimeout, BOOL,
"1"),
363 V(CircuitBuildTimeout, INTERVAL,
"0"),
365 V(CircuitsAvailableTimeout, INTERVAL,
"0"),
366 V(CircuitStreamTimeout, INTERVAL,
"0"),
367 V(CircuitPriorityHalflife, DOUBLE,
"-1.0"),
368 V(ClientDNSRejectInternalAddresses, BOOL,
"1"),
369#if defined(HAVE_MODULE_RELAY) || defined(TOR_UNIT_TESTS)
371 V(ClientOnly, BOOL,
"0"),
374 V(ClientOnly, BOOL,
"1"),
376 V(ClientPreferIPv6ORPort, AUTOBOOL,
"auto"),
377 V(ClientPreferIPv6DirPort, AUTOBOOL,
"auto"),
379 V(ClientRejectInternalAddresses, BOOL,
"1"),
380 V(ClientTransportPlugin, LINELIST, NULL),
381 V(ClientUseIPv6, BOOL,
"1"),
382 V(ClientUseIPv4, BOOL,
"1"),
383 V(CompiledProofOfWorkHash, AUTOBOOL,
"auto"),
384 V(ConfluxEnabled, AUTOBOOL,
"auto"),
385 VAR(
"ConfluxClientUX", STRING, ConfluxClientUX_option,
387 V(ConnLimit, POSINT,
"1000"),
388 V(ConnDirectionStatistics, BOOL,
"0"),
389 V(ConstrainedSockets, BOOL,
"0"),
390 V(ConstrainedSockSize, MEMUNIT,
"8192"),
391 V(ContactInfo, STRING, NULL),
394 V(ControlPortFileGroupReadable,BOOL,
"0"),
395 V(ControlPortWriteToFile, FILENAME, NULL),
396 V(ControlSocket, LINELIST, NULL),
397 V(ControlSocketsGroupWritable, BOOL,
"0"),
398 V(UnixSocksGroupWritable, BOOL,
"0"),
399 V(CookieAuthentication, BOOL,
"0"),
400 V(CookieAuthFileGroupReadable, BOOL,
"0"),
401 V(CookieAuthFile, FILENAME, NULL),
402 V(CountPrivateBandwidth, BOOL,
"0"),
403 VAR_IMMUTABLE(
"DataDirectory", FILENAME, DataDirectory_option, NULL),
404 V(DataDirectoryGroupReadable, BOOL,
"0"),
405 V(DisableOOSCheck, BOOL,
"1"),
406 V(DisableNetwork, BOOL,
"0"),
407 V(DirAllowPrivateAddresses, BOOL,
"0"),
409 V(DirPolicy, LINELIST, NULL),
411 V(DirPortFrontPage, FILENAME, NULL),
412 VAR(
"DirReqStatistics", BOOL, DirReqStatistics_option,
"1"),
413 VAR(
"DirAuthority", LINELIST, DirAuthorities, NULL),
414#if defined(HAVE_MODULE_RELAY) || defined(TOR_UNIT_TESTS)
416 V(DirCache, BOOL,
"1"),
419 V(DirCache, BOOL,
"0"),
428 V(DirAuthorityFallbackRate, DOUBLE,
"0.1"),
429 V_IMMUTABLE(DisableAllSwap, BOOL,
"0"),
430 V_IMMUTABLE(DisableDebuggerAttachment, BOOL,
"1"),
432 OBSOLETE(
"DisableV2DirectoryInfo_"),
436 V(DormantClientTimeout, INTERVAL,
"24 hours"),
437 V(DormantTimeoutEnabled, BOOL,
"1"),
438 V(DormantTimeoutDisabledByIdleStreams, BOOL,
"1"),
439 V(DormantOnFirstStartup, BOOL,
"0"),
440 V(DormantCanceledByStartup, BOOL,
"0"),
441 V(DownloadExtraInfo, BOOL,
"0"),
442 V(TestingEnableConnBwEvent, BOOL,
"0"),
443 V(TestingEnableCellStatsEvent, BOOL,
"0"),
444 OBSOLETE(
"TestingEnableTbEmptyEvent"),
445 V(EnforceDistinctSubnets, BOOL,
"1"),
446 V_D(EntryNodes, ROUTERSET, NULL),
447 V(EntryStatistics, BOOL,
"0"),
448 OBSOLETE(
"TestingEstimatedDescriptorPropagationTime"),
449 V_D(ExcludeNodes, ROUTERSET, NULL),
450 V_D(ExcludeExitNodes, ROUTERSET, NULL),
452 V_D(ExitNodes, ROUTERSET, NULL),
456 V_D(MiddleNodes, ROUTERSET, NULL),
457 V(ExitPolicy, LINELIST, NULL),
458 V(ExitPolicyRejectPrivate, BOOL,
"1"),
459 V(ExitPolicyRejectLocalInterfaces, BOOL,
"0"),
460 V(ExitPortStatistics, BOOL,
"0"),
461 V(ExtendAllowPrivateAddresses, BOOL,
"0"),
462 V(ExitRelay, AUTOBOOL,
"auto"),
464 V(ExtORPortCookieAuthFile, FILENAME, NULL),
465 V(ExtORPortCookieAuthFileGroupReadable, BOOL,
"0"),
466 V(ExtraInfoStatistics, BOOL,
"1"),
467 V(ExtendByEd25519ID, AUTOBOOL,
"auto"),
468 V(FallbackDir, LINELIST, NULL),
470 V(UseDefaultFallbackDirs, BOOL,
"1"),
472 OBSOLETE(
"FallbackNetworkstatusFile"),
473 V(FascistFirewall, BOOL,
"0"),
474 V(FirewallPorts, CSV,
""),
476 V(FetchDirInfoEarly, BOOL,
"0"),
477 V(FetchDirInfoExtraEarly, BOOL,
"0"),
478 V(FetchServerDescriptors, BOOL,
"1"),
479 V(FetchHidServDescriptors, BOOL,
"1"),
480 V(FetchUselessDescriptors, BOOL,
"0"),
482 V(GeoIPExcludeUnknown, AUTOBOOL,
"auto"),
484 V(GeoIPFile, FILENAME,
"<default>"),
485 V(GeoIPv6File, FILENAME,
"<default>"),
486#elif defined(__ANDROID__)
491 V(GeoIPFile, FILENAME,
"/data/local/tmp/geoip"),
492 V(GeoIPv6File, FILENAME,
"/data/local/tmp/geoip6"),
494 V(GeoIPFile, FILENAME,
495 SHARE_DATADIR PATH_SEPARATOR
"tor" PATH_SEPARATOR
"geoip"),
496 V(GeoIPv6File, FILENAME,
497 SHARE_DATADIR PATH_SEPARATOR
"tor" PATH_SEPARATOR
"geoip6"),
500 V(GuardLifetime, INTERVAL,
"0 minutes"),
501 V(HeartbeatPeriod, INTERVAL,
"6 hours"),
502 V(MainloopStats, BOOL,
"0"),
503 V(HashedControlPassword, LINELIST, NULL),
505 OBSOLETE(
"HiddenServiceAuthorizeClient"),
507 VAR(
"HiddenServiceDir", LINELIST_S, RendConfigLines, NULL),
508 VAR(
"HiddenServiceDirGroupReadable", LINELIST_S, RendConfigLines, NULL),
509 VAR(
"HiddenServiceOptions",LINELIST_V, RendConfigLines, NULL),
510 VAR(
"HiddenServicePort", LINELIST_S, RendConfigLines, NULL),
511 VAR(
"HiddenServiceVersion",LINELIST_S, RendConfigLines, NULL),
512 VAR(
"HiddenServiceAllowUnknownPorts",LINELIST_S, RendConfigLines, NULL),
513 VAR(
"HiddenServiceMaxStreams",LINELIST_S, RendConfigLines, NULL),
514 VAR(
"HiddenServiceMaxStreamsCloseCircuit",LINELIST_S, RendConfigLines, NULL),
515 VAR(
"HiddenServiceNumIntroductionPoints", LINELIST_S, RendConfigLines, NULL),
516 VAR(
"HiddenServiceExportCircuitID", LINELIST_S, RendConfigLines, NULL),
517 VAR(
"HiddenServiceEnableIntroDoSDefense", LINELIST_S, RendConfigLines, NULL),
518 VAR(
"HiddenServiceEnableIntroDoSRatePerSec",
519 LINELIST_S, RendConfigLines, NULL),
520 VAR(
"HiddenServiceEnableIntroDoSBurstPerSec",
521 LINELIST_S, RendConfigLines, NULL),
522 VAR(
"HiddenServiceOnionBalanceInstance",
523 LINELIST_S, RendConfigLines, NULL),
524 VAR(
"HiddenServicePoWDefensesEnabled", LINELIST_S, RendConfigLines, NULL),
525 VAR(
"HiddenServicePoWQueueRate", LINELIST_S, RendConfigLines, NULL),
526 VAR(
"HiddenServicePoWQueueBurst", LINELIST_S, RendConfigLines, NULL),
527 VAR(
"HiddenServiceStatistics", BOOL, HiddenServiceStatistics_option,
"1"),
528 V(ClientOnionAuthDir, FILENAME, NULL),
529 OBSOLETE(
"CloseHSClientCircuitsImmediatelyOnTimeout"),
530 OBSOLETE(
"CloseHSServiceRendCircuitsImmediatelyOnTimeout"),
531 V_IMMUTABLE(HiddenServiceSingleHopMode, BOOL,
"0"),
532 V_IMMUTABLE(HiddenServiceNonAnonymousMode,BOOL,
"0"),
533 V(HTTPProxy, STRING, NULL),
534 V(HTTPProxyAuthenticator, STRING, NULL),
535 V(HTTPSProxy, STRING, NULL),
536 V(HTTPSProxyAuthenticator, STRING, NULL),
537 VPORT(HTTPTunnelPort),
538 V(IPv6Exit, BOOL,
"0"),
539 VAR(
"ServerTransportPlugin", LINELIST, ServerTransportPlugin, NULL),
540 V(ServerTransportListenAddr, LINELIST, NULL),
541 V(ServerTransportOptions, LINELIST, NULL),
542 V(SigningKeyLifetime, INTERVAL,
"30 days"),
543 V(Socks4Proxy, STRING, NULL),
544 V(Socks5Proxy, STRING, NULL),
545 V(Socks5ProxyUsername, STRING, NULL),
546 V(Socks5ProxyPassword, STRING, NULL),
547 V(TCPProxy, STRING, NULL),
548 VAR_IMMUTABLE(
"KeyDirectory", FILENAME, KeyDirectory_option, NULL),
549 V(KeyDirectoryGroupReadable, AUTOBOOL,
"auto"),
550 VAR_D(
"HSLayer2Nodes", ROUTERSET, HSLayer2Nodes, NULL),
551 VAR_D(
"HSLayer3Nodes", ROUTERSET, HSLayer3Nodes, NULL),
552 V(KeepalivePeriod, INTERVAL,
"5 minutes"),
553 V_IMMUTABLE(KeepBindCapabilities, AUTOBOOL,
"auto"),
554 VAR(
"Log", LINELIST, Logs, NULL),
555 V(LogMessageDomains, BOOL,
"0"),
556 V(LogTimeGranularity, MSEC_INTERVAL,
"1 second"),
557 V(TruncateLogFile, BOOL,
"0"),
558 V_IMMUTABLE(SyslogIdentityTag, STRING, NULL),
560 V(LongLivedPorts, CSV,
561 "21,22,706,1863,5050,5190,5222,5223,6523,6667,6697,8300"),
562 VAR(
"MapAddress", LINELIST, AddressMap, NULL),
563 V(MaxAdvertisedBandwidth, MEMUNIT,
"1 GB"),
564 V(MaxCircuitDirtiness, INTERVAL,
"10 minutes"),
565 V(MaxClientCircuitsPending, POSINT,
"32"),
566 V(MaxConsensusAgeForDiffs, INTERVAL,
"0 seconds"),
567 VAR(
"MaxMemInQueues", MEMUNIT, MaxMemInQueues_raw,
"0"),
569 V(MaxOnionQueueDelay, MSEC_INTERVAL,
"0"),
570 V(MaxUnparseableDescSizeToLog, MEMUNIT,
"10 MB"),
572 V(MetricsPortPolicy, LINELIST, NULL),
573 V(TestingMinTimeToReportBandwidth, INTERVAL,
"1 day"),
574 VAR(
"MyFamily", LINELIST, MyFamily_lines, NULL),
575 V(NewCircuitPeriod, INTERVAL,
"30 seconds"),
576 OBSOLETE(
"NamingAuthoritativeDirectory"),
579 V(Nickname, STRING, NULL),
580 OBSOLETE(
"PredictedPortsRelevanceTime"),
582 VAR(
"NodeFamily", LINELIST, NodeFamilies, NULL),
583 V_IMMUTABLE(NoExec, BOOL,
"0"),
584 V(NumCPUs, POSINT,
"0"),
585 V(NumDirectoryGuards, POSINT,
"0"),
586 V(NumEntryGuards, POSINT,
"0"),
587 V(NumPrimaryGuards, POSINT,
"0"),
588 V(OfflineMasterKey, BOOL,
"0"),
591 V(OutboundBindAddress, LINELIST, NULL),
592 V(OutboundBindAddressOR, LINELIST, NULL),
593 V(OutboundBindAddressExit, LINELIST, NULL),
594 V(OutboundBindAddressPT, LINELIST, NULL),
597 V(PathBiasCircThreshold, INT,
"-1"),
598 V(PathBiasNoticeRate, DOUBLE,
"-1"),
599 V(PathBiasWarnRate, DOUBLE,
"-1"),
600 V(PathBiasExtremeRate, DOUBLE,
"-1"),
601 V(PathBiasScaleThreshold, INT,
"-1"),
604 V(PathBiasDropGuards, AUTOBOOL,
"0"),
607 V(PathBiasUseThreshold, INT,
"-1"),
608 V(PathBiasNoticeUseRate, DOUBLE,
"-1"),
609 V(PathBiasExtremeUseRate, DOUBLE,
"-1"),
610 V(PathBiasScaleUseThreshold, INT,
"-1"),
612 V(PathsNeededToBuildCircuits, DOUBLE,
"-1"),
613 V(PerConnBWBurst, MEMUNIT,
"0"),
614 V(PerConnBWRate, MEMUNIT,
"0"),
615 V_IMMUTABLE(PidFile, FILENAME, NULL),
616 V_IMMUTABLE(TestingTorNetwork, BOOL,
"0"),
618 V(TestingLinkCertLifetime, INTERVAL,
"2 days"),
619 V(TestingAuthKeyLifetime, INTERVAL,
"2 days"),
620 V(TestingLinkKeySlop, INTERVAL,
"3 hours"),
621 V(TestingAuthKeySlop, INTERVAL,
"3 hours"),
622 V(TestingSigningKeySlop, INTERVAL,
"1 day"),
628 V(ProtocolWarnings, BOOL,
"0"),
629 V(PublishServerDescriptor, CSV,
"1"),
630 V(PublishHidServDescriptors, BOOL,
"1"),
631 V(ReachableAddresses, LINELIST, NULL),
632 V(ReachableDirAddresses, LINELIST, NULL),
633 V(ReachableORAddresses, LINELIST, NULL),
635 V(ReducedConnectionPadding, BOOL,
"0"),
636 V(ConnectionPadding, AUTOBOOL,
"auto"),
637 V(RefuseUnknownExits, AUTOBOOL,
"auto"),
638 V(CircuitPadding, BOOL,
"1"),
639 V(ReconfigDropsBridgeDescs, BOOL,
"0"),
640 V(ReducedCircuitPadding, BOOL,
"0"),
641 V(RejectPlaintextPorts, CSV,
""),
642 V(RelayBandwidthBurst, MEMUNIT,
"0"),
643 V(RelayBandwidthRate, MEMUNIT,
"0"),
644 V(RephistTrackTime, INTERVAL,
"24 hours"),
645 V_IMMUTABLE(RunAsDaemon, BOOL,
"0"),
646 V(ReducedExitPolicy, BOOL,
"0"),
647 V(ReevaluateExitPolicy, BOOL,
"0"),
649 V_IMMUTABLE(Sandbox, BOOL,
"0"),
650 V(SafeLogging, STRING,
"1"),
651 V(SafeSocks, BOOL,
"0"),
652 V(ServerDNSAllowBrokenConfig, BOOL,
"1"),
653 V(ServerDNSAllowNonRFC953Hostnames, BOOL,
"0"),
654 V(ServerDNSDetectHijacking, BOOL,
"1"),
655 V(ServerDNSRandomizeCase, BOOL,
"1"),
656 V(ServerDNSResolvConfFile, FILENAME, NULL),
657 V(ServerDNSSearchDomains, BOOL,
"0"),
658 V(ServerDNSTestAddresses, CSV,
659 "www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org"),
660 OBSOLETE(
"SchedulerLowWaterMark__"),
661 OBSOLETE(
"SchedulerHighWaterMark__"),
662 OBSOLETE(
"SchedulerMaxFlushCells__"),
663 V(KISTSchedRunInterval, MSEC_INTERVAL,
"0 msec"),
664 V(KISTSockBufSizeFactor, DOUBLE,
"1.0"),
665 V(Schedulers, CSV,
"KIST,KISTLite,Vanilla"),
666 V(ShutdownWaitLength, INTERVAL,
"30 seconds"),
668 V(SocksPolicy, LINELIST, NULL),
670 V(SocksTimeout, INTERVAL,
"2 minutes"),
671 V(SSLKeyLifetime, INTERVAL,
"0"),
674 V(StrictNodes, BOOL,
"0"),
675 OBSOLETE(
"Support022HiddenServices"),
676 V(TestSocks, BOOL,
"0"),
677 V_IMMUTABLE(TokenBucketRefillInterval, MSEC_INTERVAL,
"100 msec"),
679 OBSOLETE(
"Tor2webRendezvousPoints"),
681 V(TrackHostExits, CSV, NULL),
682 V(TrackHostExitsExpire, INTERVAL,
"30 minutes"),
685 V(TransProxyType, STRING,
"default"),
687 V(UpdateBridgesFromAuthority, BOOL,
"0"),
688 V(UseBridges, BOOL,
"0"),
689 VAR(
"UseEntryGuards", BOOL, UseEntryGuards_option,
"1"),
690 OBSOLETE(
"UseEntryGuardsAsDirGuards"),
691 V(UseGuardFraction, AUTOBOOL,
"auto"),
692 V(VanguardsLiteEnabled, AUTOBOOL,
"auto"),
693 V(UseMicrodescriptors, AUTOBOOL,
"auto"),
695 VAR(
"__AlwaysCongestionControl", BOOL, AlwaysCongestionControl,
"0"),
696 VAR(
"__SbwsExit", BOOL, SbwsExit,
"0"),
697 V_IMMUTABLE(User, STRING, NULL),
699 OBSOLETE(
"V1AuthoritativeDirectory"),
700 OBSOLETE(
"V2AuthoritativeDirectory"),
701 VAR(
"V3AuthoritativeDirectory",BOOL, V3AuthoritativeDir,
"0"),
702 V(TestingV3AuthInitialVotingInterval, INTERVAL,
"30 minutes"),
703 V(TestingV3AuthInitialVoteDelay, INTERVAL,
"5 minutes"),
704 V(TestingV3AuthInitialDistDelay, INTERVAL,
"5 minutes"),
705 V(TestingV3AuthVotingStartOffset, INTERVAL,
"0"),
706 V(V3AuthVotingInterval, INTERVAL,
"1 hour"),
707 V(V3AuthVoteDelay, INTERVAL,
"5 minutes"),
708 V(V3AuthDistDelay, INTERVAL,
"5 minutes"),
709 V(V3AuthNIntervalsValid, POSINT,
"3"),
710 V(V3AuthUseLegacyKey, BOOL,
"0"),
711 V(V3BandwidthsFile, FILENAME, NULL),
712 V(GuardfractionFile, FILENAME, NULL),
713 OBSOLETE(
"VoteOnHidServDirectoriesV2"),
714 V(VirtualAddrNetworkIPv4, STRING,
"127.192.0.0/10"),
715 V(VirtualAddrNetworkIPv6, STRING,
"[FE80::]/10"),
716 V(WarnPlaintextPorts, CSV,
"23,109,110,143"),
717 OBSOLETE(
"UseFilteringSSLBufferevents"),
718 OBSOLETE(
"__UseFilteringSSLBufferevents"),
719 VAR_NODUMP(
"__ReloadTorrcOnSIGHUP", BOOL, ReloadTorrcOnSIGHUP,
"1"),
720 VAR_NODUMP(
"__AllDirActionsPrivate", BOOL, AllDirActionsPrivate,
"0"),
721 VAR_NODUMP(
"__DisablePredictedCircuits",BOOL,DisablePredictedCircuits,
"0"),
722 VAR_NODUMP_IMMUTABLE(
"__DisableSignalHandlers", BOOL,
723 DisableSignalHandlers,
"0"),
724 VAR_NODUMP(
"__LeaveStreamsUnattached",BOOL, LeaveStreamsUnattached,
"0"),
725 VAR_NODUMP(
"__HashedControlSessionPassword", LINELIST,
726 HashedControlSessionPassword,
728 VAR_NODUMP(
"__OwningControllerProcess",STRING,
729 OwningControllerProcess, NULL),
730 VAR_NODUMP_IMMUTABLE(
"__OwningControllerFD", UINT64, OwningControllerFD,
732 V(TestingServerDownloadInitialDelay, CSV_INTERVAL,
"0"),
733 V(TestingClientDownloadInitialDelay, CSV_INTERVAL,
"0"),
734 V(TestingServerConsensusDownloadInitialDelay, CSV_INTERVAL,
"0"),
735 V(TestingClientConsensusDownloadInitialDelay, CSV_INTERVAL,
"0"),
751 V(ClientBootstrapConsensusAuthorityDownloadInitialDelay, CSV_INTERVAL,
"6"),
752 V(ClientBootstrapConsensusFallbackDownloadInitialDelay, CSV_INTERVAL,
"0"),
754 V(ClientBootstrapConsensusAuthorityOnlyDownloadInitialDelay, CSV_INTERVAL,
760 V(ClientBootstrapConsensusMaxInProgressTries, POSINT,
"3"),
763 V(TestingBridgeDownloadInitialDelay, CSV_INTERVAL,
"10800"),
768 V(TestingBridgeBootstrapDownloadInitialDelay, CSV_INTERVAL,
"0"),
769 V(TestingClientMaxIntervalWithoutRequest, INTERVAL,
"10 minutes"),
770 V(TestingDirConnectionMaxStall, INTERVAL,
"5 minutes"),
771 OBSOLETE(
"TestingConsensusMaxDownloadTries"),
772 OBSOLETE(
"ClientBootstrapConsensusMaxDownloadTries"),
773 OBSOLETE(
"ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries"),
774 OBSOLETE(
"TestingDescriptorMaxDownloadTries"),
775 OBSOLETE(
"TestingMicrodescMaxDownloadTries"),
776 OBSOLETE(
"TestingCertMaxDownloadTries"),
777 VAR_INVIS(
"___UsingTestNetworkDefaults", BOOL, UsingTestNetworkDefaults_,
786#include "auth_dirs.inc"
796#include "fallback_dirs.inc"
808#include "testnet.inc"
819 {
"HTTPProxy",
"It only applies to direct unencrypted HTTP connections "
820 "to your directory server, which your Tor probably wasn't using." },
821 {
"HTTPProxyAuthenticator",
"HTTPProxy is deprecated in favor of HTTPSProxy "
822 "which should be used with HTTPSProxyAuthenticator." },
826 {
"ReachableDirAddresses",
"It has no effect on relays, and has had no "
827 "effect on clients since 0.2.8." },
828 {
"ClientPreferIPv6DirPort",
"It has no effect on relays, and has had no "
829 "effect on clients since 0.2.8." },
833 {
"ClientAutoIPv6ORPort",
"This option is unreliable if a connection isn't "
834 "reliably dual-stack."},
841static char *get_windows_conf_root(
void);
852static int opt_streq(
const char *s1,
const char *s2);
870#define OR_OPTIONS_MAGIC 9090909
881 .deprecations = option_deprecation_notes_,
886 .has_config_suite =
true,
887 .config_suite_offset = offsetof(
or_options_t, subconfigs_),
920 if (PREDICT_UNLIKELY(options_mgr == NULL)) {
929#define CHECK_OPTIONS_MAGIC(opt) STMT_BEGIN \
930 config_check_toplevel_magic(get_options_mgr(), (opt)); \
968 next = &(*next)->next;
995 "Acting on config options left us in a broken state. Dying.");
1007 connection_reapply_exit_policy(changes);
1008 config_free_lines(changes);
1012 or_options_free(old_options);
1028 CHECK_OPTIONS_MAGIC(opts);
1034 rs, routerset_free(rs));
1050 tor_free(options->master_key_fname);
1051 config_free_lines(options->
MyFamily);
1088 config_mgr_free(options_mgr);
1105 if (options->SafeLogging_ == SAFELOG_SCRUB_ALL)
1106 return "[scrubbed]";
1126 if (options->SafeLogging_ != SAFELOG_SCRUB_NONE)
1127 return "[scrubbed]";
1138 if (
get_options()->SafeLogging_ == SAFELOG_SCRUB_ALL)
1139 return "[scrubbed]";
1150 if (
get_options()->SafeLogging_ != SAFELOG_SCRUB_NONE)
1151 return "[scrubbed]";
1216 log_err(
LD_BUG,
"Couldn't parse internal DirAuthority line %s",
1230 log_err(
LD_BUG,
"Couldn't parse internal FallbackDir line %s",
1249 "You cannot set both DirAuthority and Alternate*Authority.");
1263 "You have used DirAuthority or AlternateDirAuthority to "
1264 "specify alternate directory authorities in "
1265 "your configuration. This is potentially dangerous: it can "
1266 "make you look different from all other Tor users, and hurt "
1267 "your anonymity. Even if you've specified the same "
1268 "authorities as Tor uses by default, the defaults could "
1269 "change in the future. Be sure you know what you're doing.");
1283 for (cl = options->
FallbackDir; cl; cl = cl->next)
1297 int need_to_update =
1298 !smartlist_len(router_get_trusted_dir_servers()) ||
1299 !smartlist_len(router_get_fallback_dir_servers()) || !old_options ||
1308 if (!need_to_update)
1338 if (type != NO_DIRINFO)
1351 for (cl = options->
FallbackDir; cl; cl = cl->next)
1365 const char *directory,
1370 cpd_check_t cpd_opts = create ? CPD_CREATE : CPD_CHECK;
1372 cpd_opts |= CPD_GROUP_READ;
1377 "Couldn't %s private data directory \"%s\"",
1378 create ?
"create" :
"access",
1384 if (group_readable) {
1386 if (chmod(directory, 0750)) {
1387 log_warn(
LD_FS,
"Unable to make %s group-readable: %s",
1388 directory, strerror(errno));
1406 cpd_opts |= CPD_GROUP_READ;
1408 log_err(
LD_OR,
"Can't create/check datadirectory %s",
1421static int have_low_ports = -1;
1450 sd_notifyf(0,
"MAINPID=%ld\n", (
long int)getpid());
1458 control_initialize_event_queue();
1472 *msg_out = tor_strdup(
"DisableAllSwap failure. Do you have proper "
1491 if (options->
User) {
1493 unsigned switch_id_flags = 0;
1503 *msg_out = tor_strdup(
"Problem with User value. See logs for details.");
1523 if (subdir_gr != -1) {
1529 if (0 == strcmp(subdir, datadir)) {
1571 key_dir_group_readable,
1585 cache_dir_group_readable,
1628 if (! running_tor) {
1637 *msg_out = tor_strdup(
"Problem with ConnLimit value. "
1638 "See logs for details.");
1651 if (
parse_ports(options, 0, msg_out, &n_ports, NULL)) {
1653 *msg_out = tor_strdup(
"Unexpected problem parsing port config");
1668 *msg_out = tor_strdup(
"Failed to bind one of the listener ports.");
1674 log_notice(
LD_NET,
"DisableNetwork is set. Tor will not make or accept "
1675 "non-control network connections. Shutting down all existing "
1682#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
1684 if (options->TransPort_set &&
1686 if (get_pf_socket() < 0) {
1687 *msg_out = tor_strdup(
"Unable to open /dev/pf for transparent proxy.");
1721 int socks_in_reserve = options->
ConnLimit_ / 20;
1722 if (socks_in_reserve > 64) socks_in_reserve = 64;
1727 "Recomputed OOS thresholds: ConnLimit %d, ConnLimit_ %d, "
1728 "ConnLimit_high_thresh %d, ConnLimit_low_thresh %d",
1758 log_notice(LD_NET,
"Closing partially-constructed %s",
1759 connection_describe(conn));
1760 connection_close_immediate(conn);
1761 connection_mark_for_close(conn);
1807 old_options->SafeLogging_ != options->SafeLogging_;
1816 *msg_out = tor_strdup(
"Failed to init Log options. See logs for details.");
1854 const char *badness = NULL;
1855 int bad_safelog = 0, bad_severity = 0, new_badness = 0;
1856 if (options->SafeLogging_ != SAFELOG_SCRUB_ALL) {
1866 if (bad_safelog && bad_severity)
1867 badness =
"you disabled SafeLogging, and "
1868 "you're logging more than \"notice\"";
1869 else if (bad_safelog)
1870 badness =
"you disabled SafeLogging";
1872 badness =
"you're logging more than \"notice\"";
1874 log_warn(
LD_GENERAL,
"Your log may contain sensitive information - %s. "
1875 "Don't log unless it serves an important reason. "
1876 "Overwrite the log afterwards.", badness);
1938 if (listener_transaction == NULL)
1958 if (log_transaction == NULL)
1987 int routerset_usage =
1996 if (routerset_usage && reason_out) {
1997 *reason_out =
"We've been configured to use (or avoid) nodes in certain "
1998 "countries, and we need GEOIP information to figure out which ones they "
2000 }
else if (bridge_usage && reason_out) {
2001 *reason_out =
"We've been configured to see which countries can access "
2002 "us as a bridge, and we need GEOIP information to tell which countries "
2005 return bridge_usage || routerset_usage;
2009#define YES_IF_CHANGED_BOOL(opt) \
2010 if (!CFG_EQ_BOOL(old_options, new_options, opt)) return 1;
2011#define YES_IF_CHANGED_INT(opt) \
2012 if (!CFG_EQ_INT(old_options, new_options, opt)) return 1;
2013#define YES_IF_CHANGED_STRING(opt) \
2014 if (!CFG_EQ_STRING(old_options, new_options, opt)) return 1;
2015#define YES_IF_CHANGED_LINELIST(opt) \
2016 if (!CFG_EQ_LINELIST(old_options, new_options, opt)) return 1;
2017#define YES_IF_CHANGED_SMARTLIST(opt) \
2018 if (!CFG_EQ_SMARTLIST(old_options, new_options, opt)) return 1;
2019#define YES_IF_CHANGED_ROUTERSET(opt) \
2020 if (!CFG_EQ_ROUTERSET(old_options, new_options, opt)) return 1;
2035 YES_IF_CHANGED_BOOL(UseEntryGuards);
2036 YES_IF_CHANGED_BOOL(UseBridges);
2037 YES_IF_CHANGED_BOOL(ClientUseIPv4);
2038 YES_IF_CHANGED_BOOL(ClientUseIPv6);
2039 YES_IF_CHANGED_BOOL(FascistFirewall);
2040 YES_IF_CHANGED_ROUTERSET(ExcludeNodes);
2041 YES_IF_CHANGED_ROUTERSET(EntryNodes);
2042 YES_IF_CHANGED_SMARTLIST(FirewallPorts);
2043 YES_IF_CHANGED_LINELIST(Bridges);
2044 YES_IF_CHANGED_LINELIST(ReachableORAddresses);
2045 YES_IF_CHANGED_LINELIST(ReachableDirAddresses);
2067 const int transition_affects_guards =
2077 static int disabled_debugger_attach = 0;
2080 static int warned_debugger_attach = 0;
2086 if (warned_debugger_attach && ok == 1) {
2087 log_notice(
LD_CONFIG,
"Disabled attaching debuggers for unprivileged "
2091 disabled_debugger_attach = (ok == 1);
2093 !warned_debugger_attach) {
2094 log_notice(
LD_CONFIG,
"Not disabling debugger attaching for "
2095 "unprivileged users.");
2096 warned_debugger_attach = 1;
2119 if (hs_service_non_anonymous_mode_enabled(options)) {
2120 log_warn(
LD_GENERAL,
"This copy of Tor was compiled or configured to run "
2121 "in a non-anonymous mode. It will provide NO ANONYMITY.");
2127 log_warn(
LD_BUG,
"Failed parsing previously validated outbound "
2128 "bind addresses: %s", msg);
2136 for (cl = options->
Bridges; cl; cl = cl->next) {
2141 "Previously validated Bridge line could not be added!");
2153 "Previously validated hidden services line could not be added!");
2160 log_warn(
LD_BUG,
"Previously validated client authorization for "
2161 "hidden services could not be added!");
2166 if (running_tor && !old_options &&
2168 const unsigned ctrl_flags =
2169 CC_LOCAL_FD_IS_OWNER |
2170 CC_LOCAL_FD_IS_AUTHENTICATED;
2173 log_warn(
LD_CONFIG,
"Could not add local controller connection with "
2196 "Previously validated ClientTransportPlugin line "
2197 "could not be added!");
2235 log_err(
LD_CONFIG,
"Unable to write PIDFile %s",
2249 log_warn(
LD_BUG,
"Error parsing already-validated policy options.");
2254 log_warn(
LD_CONFIG,
"Error creating control cookie authentication file.");
2262 log_warn(
LD_GENERAL,
"Error loading rendezvous service keys");
2280 char *http_authenticator;
2282 if (!http_authenticator) {
2284 log_warn(
LD_BUG,
"Unable to allocate HTTP authenticator. Not setting "
2290 http_authenticator, strlen(http_authenticator),
2311 int revise_trackexithosts = 0;
2312 int revise_automap_entries = 0;
2313 int abandon_circuits = 0;
2330 "Changed to using entry guards or bridges, or changed "
2331 "preferred or excluded node lists. "
2332 "Abandoning previous circuits.");
2333 abandon_circuits = 1;
2336 if (transition_affects_guards) {
2338 routerlist_drop_bridge_descriptors();
2340 abandon_circuits = 1;
2344 if (abandon_circuits) {
2347 revise_trackexithosts = 1;
2352 revise_trackexithosts = 1;
2354 if (revise_trackexithosts)
2359 revise_automap_entries = 1;
2363 revise_automap_entries = 1;
2368 revise_automap_entries = 1;
2371 if (revise_automap_entries)
2409 bool print_notice = 0;
2460static const struct {
2472 { .name=
"--torrc-file",
2475 { .name=
"--allow-missing-torrc" },
2476 { .name=
"--defaults-torrc",
2478 { .name=
"--hash-password",
2482 { .name=
"--dump-config",
2486 { .name=
"--list-fingerprint",
2491 { .name=
"--key-expiration",
2496 { .name=
"--newpass" },
2497 { .name=
"--no-passphrase" },
2498 { .name=
"--passphrase-fd",
2500 { .name=
"--verify-config",
2502 { .name=
"--ignore-missing-torrc" },
2507 { .name=
"--version",
2510 { .name=
"--list-modules",
2513 { .name=
"--library-versions",
2520 { .name=
"--list-torrc-options",
2523 { .name=
"--list-deprecated-options",
2525 { .name=
"--nt-service" },
2526 { .name=
"-nt-service" },
2527 { .name=
"--dbg-dump-subsystem-list",
2558 bool is_a_command =
false;
2567 is_a_command =
true;
2588 }
else if (*s ==
'/') {
2595 const int is_last = (i == argc-1);
2598 if (ignore_errors) {
2599 arg = tor_strdup(
"");
2601 log_warn(
LD_CONFIG,
"Command-line option '%s' with no value. Failing.",
2603 parsed_cmdline_free(result);
2608 (is_last || argv[i+1][0] ==
'-')) {
2609 arg = tor_strdup(
"");
2617 param->key = is_cmdline ? tor_strdup(argv[i]) :
2622 log_debug(
LD_CONFIG,
"command line: parsed keyword '%s', value '%s'",
2623 param->key, param->value);
2630 *new_cmdline = param;
2631 new_cmdline = &((*new_cmdline)->next);
2634 new = &((*new)->next);
2637 i += want_arg ? 2 : 1;
2693 list, flags, msg)) < 0) {
2694 or_options_free(trial_options);
2707"Copyright (c) 2001-2004, Roger Dingledine\n"
2708"Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson\n"
2709"Copyright (c) 2007-2021, The Tor Project, Inc.\n\n"
2710"tor -f <torrc> [args]\n"
2711"See man page for options, or https://www.torproject.org/ for "
2728 printf(
"%s\n", var->member.name);
2729 } SMARTLIST_FOREACH_END(var);
2730 smartlist_free(vars);
2741 printf(
"%s\n",
name));
2742 smartlist_free(deps);
2749 static const struct {
2753 {
"relay", have_module_relay() },
2754 {
"dirauth", have_module_dirauth() },
2755 {
"dircache", have_module_dircache() },
2756 {
"pow", have_module_pow() }
2759 for (
unsigned i = 0; i <
sizeof list /
sizeof list[0]; i++) {
2760 printf(
"%s: %s\n", list[i].
name, list[i].have ?
"yes" :
"no");
2769 printf(
"Library versions\tCompiled\t\tRuntime\n");
2770 printf(
"Libevent\t\t%-15s\t\t%s\n",
2773#ifdef ENABLE_OPENSSL
2774 printf(
"OpenSSL \t\t%-15s\t\t%s\n",
2775 crypto_openssl_get_header_version_str(),
2776 crypto_openssl_get_version_str());
2779 printf(
"NSS \t\t%-15s\t\t%s\n",
2780 crypto_nss_get_header_version_str(),
2781 crypto_nss_get_version_str());
2784 printf(
"Zlib \t\t%-15s\t\t%s\n",
2789 printf(
"Liblzma \t\t%-15s\t\t%s\n",
2794 printf(
"Libzstd \t\t%-15s\t\t%s\n",
2799 printf(
"%-7s \t\t%-15s\t\t%s\n",
2815 log_err(
LD_CONFIG,
"--no-passphrase specified without --keygen!");
2826 const char *formats[] = {
"iso8601",
"timestamp" };
2829 if (!strcmp(value, formats[i])) {
2843 log_err(
LD_CONFIG,
"--format specified without --key-expiration!");
2856 log_err(
LD_CONFIG,
"--newpass specified without --keygen!");
2865 if (
get_options()->keygen_force_passphrase == FORCE_PASSPHRASE_OFF) {
2866 log_err(
LD_CONFIG,
"--no-passphrase specified with --passphrase-fd!");
2869 log_err(
LD_CONFIG,
"--passphrase-fd specified without --keygen!");
2874 if (fd < 0 || ok == 0) {
2890 log_err(
LD_CONFIG,
"--master-key without --keygen!");
2901using_default_dir_authorities(
const or_options_t *options)
2925 log_err(
LD_BUG,
"Unable to set default options: %s", msg);
2927 tor_assert_unreached();
2929 config_free_lines(dflts);
2942 switch (how_to_dump) {
2943 case OPTIONS_DUMP_MINIMAL:
2947 case OPTIONS_DUMP_ALL:
2948 use_defaults = NULL;
2952 log_warn(
LD_BUG,
"Bogus value for how_to_dump==%d", how_to_dump);
2974 if (i < 1 || i > 65535) {
2989 if (*value > ROUTER_MAX_DECLARED_BANDWIDTH) {
2994 if (*value > ROUTER_MAX_DECLARED_BANDWIDTH) {
2997 ROUTER_MAX_DECLARED_BANDWIDTH);
3006#define MAX_CIRCS_AVAILABLE_TIME (24*60*60)
3010#define MIN_MAX_CIRCUIT_DIRTINESS 10
3014#define MAX_MAX_CIRCUIT_DIRTINESS (30*24*60*60)
3018#define MIN_CIRCUIT_STREAM_TIMEOUT 10
3025#define RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT (10)
3046 if (vs == VSTAT_TRANSITION_ERR) {
3047 rv = SETOPT_ERR_TRANSITION;
3049 }
else if (vs < 0) {
3050 rv = SETOPT_ERR_PARSE;
3056 rv = SETOPT_ERR_SETTING;
3064 tor_assert(new_options == NULL || rv != SETOPT_OK);
3065 or_options_free(new_options);
3069#ifdef TOR_UNIT_TESTS
3085 return vs < 0 ? -1 : 0;
3089#define REJECT(arg) \
3090 STMT_BEGIN *msg = tor_strdup(arg); return -1; STMT_END
3091#if defined(__GNUC__) && __GNUC__ <= 3
3092#define COMPLAIN(args...) \
3093 STMT_BEGIN log_warn(LD_CONFIG, args); STMT_END
3095#define COMPLAIN(args, ...) \
3096 STMT_BEGIN log_warn(LD_CONFIG, args, ##__VA_ARGS__); STMT_END
3109 const char *filepath)
3113 COMPLAIN(
"Path for %s (%s) is relative and will resolve to %s."
3114 " Is this what you wanted?", option, filepath, abs_path);
3138 const char *
name = cv->member.name;
3142 config_free_lines(line);
3143 } SMARTLIST_FOREACH_END(cv);
3144 smartlist_free(vars);
3147 hs_line = hs_line->next) {
3148 if (!strcasecmp(hs_line->key,
"HiddenServiceDir"))
3161options_validate_scheduler(
or_options_t *options,
char **msg)
3167 REJECT(
"Empty Schedulers list. Either remove the option so the defaults "
3168 "can be used or set at least one value.");
3178 if (!strcasecmp(
"KISTLite", type)) {
3179 sched_type = tor_malloc_zero(
sizeof(
int));
3180 *sched_type = SCHEDULER_KIST_LITE;
3182 }
else if (!strcasecmp(
"KIST", type)) {
3183 sched_type = tor_malloc_zero(
sizeof(
int));
3184 *sched_type = SCHEDULER_KIST;
3186 }
else if (!strcasecmp(
"Vanilla", type)) {
3187 sched_type = tor_malloc_zero(
sizeof(
int));
3188 *sched_type = SCHEDULER_VANILLA;
3191 tor_asprintf(msg,
"Unknown type %s in option Schedulers. "
3192 "Possible values are KIST, KISTLite and Vanilla.",
3196 } SMARTLIST_FOREACH_END(type);
3199 REJECT(
"KISTSockBufSizeFactor must be at least 0");
3205 tor_asprintf(msg,
"KISTSchedRunInterval must not be more than %d (ms)",
3206 KIST_SCHED_RUN_INTERVAL_MAX);
3218options_validate_single_onion(
or_options_t *options,
char **msg)
3222 !options->HiddenServiceNonAnonymousMode) {
3223 REJECT(
"HiddenServiceSingleHopMode does not provide any server anonymity. "
3224 "It must be used with HiddenServiceNonAnonymousMode set to 1.");
3226 if (options->HiddenServiceNonAnonymousMode &&
3228 REJECT(
"HiddenServiceNonAnonymousMode does not provide any server "
3229 "anonymity. It must be used with HiddenServiceSingleHopMode set to "
3238 const int client_port_set = (options->SocksPort_set ||
3239 options->TransPort_set ||
3240 options->NATDPort_set ||
3241 options->DNSPort_set ||
3242 options->HTTPTunnelPort_set);
3243 if (hs_service_non_anonymous_mode_enabled(options) && client_port_set) {
3244 REJECT(
"HiddenServiceNonAnonymousMode is incompatible with using Tor as "
3245 "an anonymous client. Please set Socks/Trans/NATD/DNSPort to 0, or "
3246 "revert HiddenServiceNonAnonymousMode to 0.");
3249 if (hs_service_allow_non_anonymous_connection(options)
3259 "HiddenServiceSingleHopMode is enabled; disabling "
3275 CHECK_OPTIONS_MAGIC(old_options_);
3276 CHECK_OPTIONS_MAGIC(options_);
3282 int world_writable_control_socket=0;
3288 &world_writable_control_socket) < 0)
3291#ifndef HAVE_SYS_UN_H
3293 *msg = tor_strdup(
"Unix domain sockets (ControlSocket) not supported "
3294 "on this OS/with this build.");
3299 *msg = tor_strdup(
"Setting ControlSocketsGroupWritable without setting "
3300 "a ControlSocket makes no sense.");
3319 REJECT(
"Invalid DataDirectory");
3324 REJECT(
"You have specified at least one relative path (see above) "
3325 "with the RunAsDaemon option. RunAsDaemon is not compatible "
3326 "with relative paths.");
3337 REJECT(
"Failed to validate Log options. See logs for details.");
3343 "SocksPort, TransPort, NATDPort, DNSPort, and ORPort are all "
3344 "undefined, and there aren't any hidden services configured. "
3345 "Tor will still run, but probably won't do anything.");
3348#ifdef USE_TRANSPARENT
3353#if !defined(OpenBSD) && !defined(DARWIN)
3355 REJECT(
"pf-divert is a OpenBSD-specific "
3356 "and OS X/Darwin-specific feature.");
3361#if !defined(__linux__)
3362 REJECT(
"TPROXY is a Linux-specific feature.");
3367#ifndef KERNEL_MAY_SUPPORT_IPFW
3369 REJECT(
"ipfw is a FreeBSD-specific "
3370 "and OS X/Darwin-specific feature.");
3375 REJECT(
"Unrecognized value for TransProxyType");
3379 !options->TransPort_set) {
3380 REJECT(
"Cannot use TransProxyType without any valid TransPort.");
3384 if (options->TransPort_set)
3385 REJECT(
"TransPort is disabled in this build.");
3390 REJECT(
"TokenBucketRefillInterval must be between 1 and 1000 inclusive.");
3394 REJECT(
"Cannot set AssumeReachable 1 and AssumeReachableIPv6 0.");
3416 COMPLAIN(
"You have asked to exclude certain relays from all positions "
3417 "in your circuits. Expect hidden services and other Tor "
3418 "features to be broken in unpredictable ways.");
3425 REJECT(
"FetchDirInfoExtraEarly requires that you also set "
3426 "FetchDirInfoEarly");
3430 "ConnLimit must be greater than 0, but was set to %d",
3437 log_warn(
LD_CONFIG,
"PathsNeededToBuildCircuits is too low. Increasing "
3441 log_warn(
LD_CONFIG,
"PathsNeededToBuildCircuits is too high. Decreasing "
3450 "MaxClientCircuitsPending must be between 1 and %d, but "
3451 "was set to %d", MAX_MAX_CLIENT_CIRCUITS_PENDING,
3463 "RejectPlaintextPorts", msg) < 0)
3467 "WarnPlaintextPorts", msg) < 0)
3477 new_line->key = tor_strdup(
"ReachableAddresses");
3482 int p = atoi(portno);
3484 smartlist_add_asprintf(instead,
"*:%d", p);
3489 "Converting FascistFirewall and FirewallPorts "
3490 "config options to new format: \"ReachableAddresses %s\"",
3494 smartlist_free(instead);
3500 new_line->key = tor_strdup(
"ReachableDirAddresses");
3501 new_line->value = tor_strdup(
"*:80");
3503 log_notice(
LD_CONFIG,
"Converting FascistFirewall config option "
3504 "to new format: \"ReachableDirAddresses *:80\"");
3508 new_line->key = tor_strdup(
"ReachableORAddresses");
3509 new_line->value = tor_strdup(
"*:443");
3511 log_notice(
LD_CONFIG,
"Converting FascistFirewall config option "
3512 "to new format: \"ReachableORAddresses *:443\"");
3522 REJECT(
"Servers must be able to freely connect to the rest "
3523 "of the Internet, so they must not set Reachable*Addresses "
3524 "or FascistFirewall or FirewallPorts or ClientUseIPv4 0.");
3528 REJECT(
"Servers must be able to freely connect to the rest "
3529 "of the Internet, so they must not set UseBridges.");
3535 REJECT(
"You cannot set both UseBridges and EntryNodes.");
3540 REJECT(
"Setting UseBridges requires also setting UseEntryGuards.");
3543 compute_real_max_mem_in_queues(options->MaxMemInQueues_raw,
3549 options->SafeLogging_ = SAFELOG_SCRUB_NONE;
3550 }
else if (!strcasecmp(options->
SafeLogging,
"relay")) {
3551 options->SafeLogging_ = SAFELOG_SCRUB_RELAY;
3552 }
else if (!strcasecmp(options->
SafeLogging,
"1")) {
3553 options->SafeLogging_ = SAFELOG_SCRUB_ALL;
3556 "Unrecognized value '%s' in SafeLogging",
3561 options->ConfluxClientUX = CONFLUX_UX_HIGH_THROUGHPUT;
3564 options->ConfluxClientUX = CONFLUX_UX_MIN_LATENCY;
3566 options->ConfluxClientUX = CONFLUX_UX_HIGH_THROUGHPUT;
3568 options->ConfluxClientUX = CONFLUX_UX_LOW_MEM_LATENCY;
3570 options->ConfluxClientUX = CONFLUX_UX_LOW_MEM_THROUGHPUT;
3572 REJECT(
"ConfluxClientUX must be 'latency', 'throughput, "
3573 "'latency_lowmem', or 'throughput_lowmem'");
3583 if (options_validate_single_onion(options, msg) < 0)
3590 REJECT(
"CircuitsAvailableTimeout is too large. Max is 24 hours.");
3594 REJECT(
"If EntryNodes is set, UseEntryGuards must be enabled.");
3599 !hs_service_allow_non_anonymous_connection(options)) {
3601 "UseEntryGuards is disabled, but you have configured one or more "
3602 "hidden services on this Tor instance. Your hidden services "
3603 "will be very easy to locate using a well-known attack -- see "
3604 "https://freehaven.net/anonbib/#hs-attack06 for details.");
3609 REJECT(
"NumEntryGuards must not be greater than NumPrimaryGuards.");
3617 "You have one single EntryNodes and at least one hidden service "
3618 "configured. This is bad because it's very easy to locate your "
3619 "entry guard which can then lead to the deanonymization of your "
3620 "hidden service -- for more details, see "
3621 "https://bugs.torproject.org/tpo/core/tor/14917. "
3622 "For this reason, the use of one EntryNodes with an hidden "
3623 "service is prohibited until a better solution is found.");
3633 "EntryNodes is set with multiple entries and at least one "
3634 "hidden service is configured. Pinning entry nodes can possibly "
3635 "be harmful to the service anonymity. Because of this, we "
3636 "recommend you either don't do that or make sure you know what "
3637 "you are doing. For more details, please look at "
3638 "https://bugs.torproject.org/tpo/core/tor/21155.");
3642 if (hs_service_non_anonymous_mode_enabled(options)) {
3644 "HiddenServiceNonAnonymousMode is set. Every hidden service on "
3645 "this tor instance is NON-ANONYMOUS. If "
3646 "the HiddenServiceNonAnonymousMode option is changed, Tor will "
3647 "refuse to launch hidden services from the same directories, to "
3648 "protect your anonymity against config errors. This setting is "
3649 "for experimental use only.");
3655 "CircuitBuildTimeout is shorter (%d seconds) than the recommended "
3656 "minimum (%d seconds), and LearnCircuitBuildTimeout is disabled. "
3657 "If tor isn't working, raise this value or enable "
3658 "LearnCircuitBuildTimeout.",
3669 log_fn(severity,
LD_CONFIG,
"You disabled LearnCircuitBuildTimeout, but "
3670 "didn't specify a CircuitBuildTimeout. I'll pick a plausible "
3675 REJECT(
"DormantClientTimeout is too low. It must be at least 10 minutes.");
3678 if (options->PathBiasNoticeRate > 1.0) {
3680 "PathBiasNoticeRate is too high. "
3681 "It must be between 0 and 1.0");
3684 if (options->PathBiasWarnRate > 1.0) {
3686 "PathBiasWarnRate is too high. "
3687 "It must be between 0 and 1.0");
3690 if (options->PathBiasExtremeRate > 1.0) {
3692 "PathBiasExtremeRate is too high. "
3693 "It must be between 0 and 1.0");
3696 if (options->PathBiasNoticeUseRate > 1.0) {
3698 "PathBiasNoticeUseRate is too high. "
3699 "It must be between 0 and 1.0");
3702 if (options->PathBiasExtremeUseRate > 1.0) {
3704 "PathBiasExtremeUseRate is too high. "
3705 "It must be between 0 and 1.0");
3710 log_warn(
LD_CONFIG,
"MaxCircuitDirtiness option is too short; "
3716 log_warn(
LD_CONFIG,
"MaxCircuitDirtiness option is too high; "
3723 log_warn(
LD_CONFIG,
"CircuitStreamTimeout option is too short; "
3731 log_warn(
LD_CONFIG,
"HeartbeatPeriod option is too short; "
3737 REJECT(
"KeepalivePeriod option must be positive.");
3740 "BandwidthRate", msg) < 0)
3743 "BandwidthBurst", msg) < 0)
3750 REJECT(
"BandwidthBurst must be at least equal to BandwidthRate.");
3761 REJECT(
"HTTPProxy failed to parse or resolve. Please fix.");
3769 REJECT(
"HTTPProxyAuthenticator is too long (>= 512 chars).");
3775 REJECT(
"HTTPSProxy failed to parse or resolve. Please fix.");
3783 REJECT(
"HTTPSProxyAuthenticator is too long (>= 512 chars).");
3790 REJECT(
"Socks4Proxy failed to parse or resolve. Please fix.");
3800 REJECT(
"Socks5Proxy failed to parse or resolve. Please fix.");
3816 REJECT(
"You have configured more than one proxy type. "
3817 "(Socks4Proxy|Socks5Proxy|HTTPSProxy|TCPProxy)");
3824 log_warn(
LD_CONFIG,
"HTTPProxy configured, but no SOCKS proxy, "
3825 "HTTPS proxy, or any other TCP proxy configured. Watch out: "
3826 "this configuration will proxy unencrypted directory "
3827 "connections only.");
3835 REJECT(
"Socks5ProxyUsername must be between 1 and 255 characters.");
3838 REJECT(
"Socks5ProxyPassword must be included with Socks5ProxyUsername.");
3842 REJECT(
"Socks5ProxyPassword must be between 1 and 255 characters.");
3844 REJECT(
"Socks5ProxyPassword must be included with Socks5ProxyUsername.");
3849 REJECT(
"Bad HashedControlPassword: wrong length or bad encoding");
3860 REJECT(
"Bad HashedControlSessionPassword: wrong length or bad encoding");
3868 const char *validate_pspec_msg = NULL;
3870 &validate_pspec_msg)) {
3872 validate_pspec_msg);
3877 if ((options->ControlPort_set || world_writable_control_socket) &&
3881 log_warn(
LD_CONFIG,
"Control%s is %s, but no authentication method "
3882 "has been configured. This means that any program on your "
3883 "computer can reconfigure your Tor. That's bad! You should "
3884 "upgrade your Tor controller as soon as possible.",
3885 options->ControlPort_set ?
"Port" :
"Socket",
3886 options->ControlPort_set ?
"open" :
"world writable");
3890 log_warn(
LD_CONFIG,
"CookieAuthFileGroupReadable is set, but will have "
3891 "no effect: you must specify an explicit CookieAuthFile to "
3892 "have it group-readable.");
3909 log_info(
LD_CONFIG,
"You have set UseDefaultFallbackDirs 1 and "
3910 "FallbackDir(s). Ignoring UseDefaultFallbackDirs, and "
3911 "using the FallbackDir(s) you have set.");
3915 REJECT(
"Directory authority/fallback line did not parse. See logs "
3919 REJECT(
"If you set UseBridges, you must specify at least one bridge.");
3921 for (cl = options->
Bridges; cl; cl = cl->next) {
3924 REJECT(
"Bridge line did not parse. See logs for details.");
3925 bridge_line_free(bridge_line);
3930 REJECT(
"Invalid client transport line. See logs for details.");
3943 "ConstrainedSockSize is invalid. Must be a value between %d and %d "
3944 "in 1024 byte increments.",
3945 MIN_CONSTRAINED_TCP_BUFFER, MAX_CONSTRAINED_TCP_BUFFER);
3954 REJECT(
"Failed to configure rendezvous options. See logs for details.");
3958 REJECT(
"Failed to configure client authorization for hidden services. "
3959 "See logs for details.");
3965 AF_INET6, 1, msg)<0)
3972 REJECT(
"TestingTorNetwork may only be configured in combination with "
3973 "a non-default set of DirAuthority or both of "
3974 "AlternateDirAuthority and AlternateBridgeAuthority configured.");
3977#define CHECK_DEFAULT(arg) \
3979 if (!config_is_same(get_options_mgr(),options, \
3980 dflt_options,#arg)) { \
3981 or_options_free(dflt_options); \
3982 REJECT(#arg " may only be changed in testing Tor " \
3993 CHECK_DEFAULT(TestingV3AuthInitialVotingInterval);
3994 CHECK_DEFAULT(TestingV3AuthInitialVoteDelay);
3995 CHECK_DEFAULT(TestingV3AuthInitialDistDelay);
3996 CHECK_DEFAULT(TestingV3AuthVotingStartOffset);
3997 CHECK_DEFAULT(TestingAuthDirTimeToLearnReachability);
3998 CHECK_DEFAULT(TestingServerDownloadInitialDelay);
3999 CHECK_DEFAULT(TestingClientDownloadInitialDelay);
4000 CHECK_DEFAULT(TestingServerConsensusDownloadInitialDelay);
4001 CHECK_DEFAULT(TestingClientConsensusDownloadInitialDelay);
4002 CHECK_DEFAULT(TestingBridgeDownloadInitialDelay);
4003 CHECK_DEFAULT(TestingBridgeBootstrapDownloadInitialDelay);
4004 CHECK_DEFAULT(TestingClientMaxIntervalWithoutRequest);
4005 CHECK_DEFAULT(TestingDirConnectionMaxStall);
4006 CHECK_DEFAULT(TestingAuthKeyLifetime);
4007 CHECK_DEFAULT(TestingLinkCertLifetime);
4008 CHECK_DEFAULT(TestingSigningKeySlop);
4009 CHECK_DEFAULT(TestingAuthKeySlop);
4010 CHECK_DEFAULT(TestingLinkKeySlop);
4011 CHECK_DEFAULT(TestingMinTimeToReportBandwidth);
4012 or_options_free(dflt_options);
4019 REJECT(
"ClientDNSRejectInternalAddresses used for default network.");
4027 REJECT(
"TestingClientMaxIntervalWithoutRequest is way too low.");
4029 COMPLAIN(
"TestingClientMaxIntervalWithoutRequest is insanely high.");
4033 REJECT(
"TestingDirConnectionMaxStall is way too low.");
4035 COMPLAIN(
"TestingDirConnectionMaxStall is insanely high.");
4039 REJECT(
"ClientBootstrapConsensusMaxInProgressTries must be greater "
4043 COMPLAIN(
"ClientBootstrapConsensusMaxInProgressTries is insanely "
4049 REJECT(
"TestingEnableConnBwEvent may only be changed in testing "
4055 REJECT(
"TestingEnableCellStatsEvent may only be changed in testing "
4060 log_warn(
LD_CONFIG,
"TestingTorNetwork is set. This will make your node "
4061 "almost unusable in the public Tor network, and is "
4062 "therefore only advised if you are building a "
4063 "testing Tor network!");
4066 if (options_validate_scheduler(options, msg) < 0) {
4080compute_real_max_mem_in_queues(
const uint64_t val,
bool is_server)
4082#define MIN_SERVER_MB 64
4083#define MIN_UNWARNED_SERVER_MB 256
4084#define MIN_UNWARNED_CLIENT_MB 64
4088#define ONE_GIGABYTE (UINT64_C(1) << 30)
4089#define ONE_MEGABYTE (UINT64_C(1) << 20)
4092 static int notice_sent = 0;
4096#if SIZEOF_VOID_P >= 8
4098 result = 8 * ONE_GIGABYTE;
4101 result = ONE_GIGABYTE;
4107#if SIZEOF_SIZE_T > 4
4109#define RAM_IS_VERY_LARGE(x) ((x) >= (8 * ONE_GIGABYTE))
4112#define RAM_IS_VERY_LARGE(x) (0)
4115 if (RAM_IS_VERY_LARGE(ram)) {
4122 avail = (ram / 5) * 2;
4127 avail = (ram / 4) * 3;
4136 }
else if (avail < ONE_GIGABYTE / 4) {
4137 result = ONE_GIGABYTE / 4;
4142 if (is_server && ! notice_sent) {
4143 log_notice(
LD_CONFIG,
"%sMaxMemInQueues is set to %"PRIu64
" MB. "
4144 "You can override this by setting MaxMemInQueues by hand.",
4145 ram ?
"Based on detected system memory, " :
"",
4146 (result / ONE_MEGABYTE));
4150 }
else if (is_server && val < ONE_MEGABYTE * MIN_SERVER_MB) {
4152 log_warn(
LD_CONFIG,
"MaxMemInQueues must be at least %d MB on servers "
4153 "for now. Ideally, have it as large as you can afford.",
4155 return MIN_SERVER_MB * ONE_MEGABYTE;
4156 }
else if (is_server && val < ONE_MEGABYTE * MIN_UNWARNED_SERVER_MB) {
4159 log_warn(
LD_CONFIG,
"MaxMemInQueues is set to a low value; if your "
4160 "relay doesn't work, this may be the reason why.");
4162 }
else if (! is_server && val < ONE_MEGABYTE * MIN_UNWARNED_CLIENT_MB) {
4165 log_warn(
LD_CONFIG,
"MaxMemInQueues is set to a low value; if your "
4166 "client doesn't work, this may be the reason why.");
4185 const void *new_val_,
4188 CHECK_OPTIONS_MAGIC(old_);
4189 CHECK_OPTIONS_MAGIC(new_val_);
4197#define BAD_CHANGE_TO(opt, how) do { \
4198 *msg = tor_strdup("While Tor is running"how", changing " #opt \
4199 " is not allowed"); \
4204#define SB_NOCHANGE_STR(opt) \
4205 if (! CFG_EQ_STRING(old, new_val, opt)) \
4206 BAD_CHANGE_TO(opt," with Sandbox active")
4207#define SB_NOCHANGE_LINELIST(opt) \
4208 if (! CFG_EQ_LINELIST(old, new_val, opt)) \
4209 BAD_CHANGE_TO(opt," with Sandbox active")
4210#define SB_NOCHANGE_INT(opt) \
4211 if (! CFG_EQ_INT(old, new_val, opt)) \
4212 BAD_CHANGE_TO(opt," with Sandbox active")
4214 SB_NOCHANGE_LINELIST(Address);
4215 SB_NOCHANGE_STR(ServerDNSResolvConfFile);
4216 SB_NOCHANGE_STR(DirPortFrontPage);
4217 SB_NOCHANGE_STR(CookieAuthFile);
4218 SB_NOCHANGE_STR(ExtORPortCookieAuthFile);
4219 SB_NOCHANGE_LINELIST(Logs);
4220 SB_NOCHANGE_INT(ConnLimit);
4223 *msg = tor_strdup(
"Can't start/stop being a server while "
4224 "Sandbox is active");
4229#undef SB_NOCHANGE_LINELIST
4230#undef SB_NOCHANGE_STR
4231#undef SB_NOCHANGE_INT
4233#undef NO_CHANGE_BOOL
4235#undef NO_CHANGE_STRING
4243get_windows_conf_root(
void)
4245 static int is_set = 0;
4246 static char path[MAX_PATH*2+1];
4247 TCHAR tpath[MAX_PATH] = {0};
4259#ifdef ENABLE_LOCAL_APPDATA
4260#define APPDATA_PATH CSIDL_LOCAL_APPDATA
4262#define APPDATA_PATH CSIDL_APPDATA
4264 if (!SUCCEEDED(SHGetSpecialFolderLocation(NULL, APPDATA_PATH, &idl))) {
4265 getcwd(path,MAX_PATH);
4268 "I couldn't find your application data folder: are you "
4269 "running an ancient version of Windows 95? Defaulting to \"%s\"",
4274 result = SHGetPathFromIDList(idl, tpath);
4276 wcstombs(path,tpath,
sizeof(path));
4277 path[
sizeof(path)-1] =
'\0';
4279 strlcpy(path,tpath,
sizeof(path));
4286 m->lpVtbl->Free(m, idl);
4287 m->lpVtbl->Release(m);
4289 if (!SUCCEEDED(result)) {
4292 strlcat(path,
"\\tor",MAX_PATH);
4303#ifdef DISABLE_SYSTEM_TORRC
4304 (void) defaults_file;
4306#elif defined(_WIN32)
4307 if (defaults_file) {
4308 static char defaults_path[MAX_PATH+1];
4309 tor_snprintf(defaults_path, MAX_PATH,
"%s\\torrc-defaults",
4310 get_windows_conf_root());
4311 return defaults_path;
4313 static char path[MAX_PATH+1];
4315 get_windows_conf_root());
4319 return defaults_file ? CONFDIR
"/torrc-defaults" : CONFDIR
"/torrc";
4337 int *using_default_fname,
int *ignore_missing_torrc)
4341 const char *fname_opt = defaults_file ?
"--defaults-torrc" :
"-f";
4342 const char *fname_long_opt = defaults_file ?
"--defaults-torrc" :
4344 const char *ignore_opt = defaults_file ? NULL :
"--ignore-missing-torrc";
4345 const char *keygen_opt =
"--keygen";
4348 *ignore_missing_torrc = 1;
4350 for (p_index = cmd_arg; p_index; p_index = p_index->next) {
4352 if (!strcmp(p_index->key, fname_opt) ||
4353 !strcmp(p_index->key, fname_long_opt)) {
4355 log_warn(
LD_CONFIG,
"Duplicate %s options on command line.",
4368 *using_default_fname = 0;
4369 }
else if ((ignore_opt && !strcmp(p_index->key, ignore_opt)) ||
4370 (keygen_opt && !strcmp(p_index->key, keygen_opt))) {
4371 *ignore_missing_torrc = 1;
4375 if (*using_default_fname) {
4379 if (dflt && (st == FN_FILE || st == FN_EMPTY)) {
4380 fname = tor_strdup(dflt);
4384 if (!defaults_file) {
4389 if (hmst == FN_FILE || hmst == FN_EMPTY || dflt == NULL) {
4393 fname = tor_strdup(dflt);
4396 fname = dflt ? tor_strdup(dflt) : NULL;
4399 fname = dflt ? tor_strdup(dflt) : NULL;
4429 int using_default_torrc = 1;
4430 int ignore_missing_torrc = 0;
4433 if (*fname_var == NULL) {
4435 &using_default_torrc, &ignore_missing_torrc);
4441 log_debug(
LD_CONFIG,
"Opening config file \"%s\"", fname?fname:
"<NULL>");
4445 if (fname == NULL ||
4446 !(st == FN_FILE || st == FN_EMPTY) ||
4447 !(cf = read_file_to_str(fname,0,NULL))) {
4448 if (using_default_torrc == 1 || ignore_missing_torrc) {
4450 log_notice(
LD_CONFIG,
"Configuration file \"%s\" not present, "
4451 "using reasonable defaults.", fname);
4454 cf = tor_strdup(
"");
4457 "Unable to open configuration file \"%s\".", fname);
4461 log_notice(
LD_CONFIG,
"Read configuration file \"%s\".", fname);
4479 char *cf=NULL, *cf_defaults=NULL;
4518 printf(
"This build of Tor is covered by the GNU General Public License "
4519 "(https://www.gnu.org/licenses/gpl-3.0.en.html)\n");
4521 printf(
"Tor is running on %s with Libevent %s, "
4522 "%s %s, Zlib %s, Liblzma %s, Libzstd %s and %s %s as libc.\n",
4536 printf(
"Tor compiled with %s version %s\n",
4537 strcmp(COMPILER_VENDOR,
"gnu") == 0?
4538 COMPILER:COMPILER_VENDOR, COMPILER_VERSION);
4559 cf_defaults = tor_strdup(
"");
4560 cf = tor_strdup(
"");
4566 if (f_line && f_line_long) {
4567 log_err(
LD_CONFIG,
"-f and --torrc-file cannot be used together.");
4570 }
else if (f_line_long) {
4571 f_line = f_line_long;
4574 const int read_torrc_from_stdin =
4575 (f_line != NULL && strcmp(f_line->value,
"-") == 0);
4577 if (read_torrc_from_stdin) {
4585 cf = tor_strdup(
"");
4613 KEY_EXPIRATION_FORMAT_ISO8601;
4648 return retval < 0 ? -1 : 0;
4662 int command,
const char *command_arg,
4666 or_options_t *oldoptions, *newoptions, *newdefaultoptions=NULL;
4670 int cf_has_include = 0;
4679 newoptions->
command_arg = command_arg ? tor_strdup(command_arg) : NULL;
4682 for (
int i = 0; i < 2; ++i) {
4683 const char *body = i==0 ? cf_defaults : cf;
4689 body == cf ? &cf_has_include : NULL,
4692 err = SETOPT_ERR_PARSE;
4697 config_free_lines(cl);
4699 err = SETOPT_ERR_PARSE;
4706 if (newdefaultoptions == NULL) {
4721 err = SETOPT_ERR_PARSE;
4727 opened_files = NULL;
4753 smartlist_free(opened_files);
4755 or_options_free(newdefaultoptions);
4756 or_options_free(newoptions);
4758 char *old_msg = *msg;
4759 tor_asprintf(msg,
"Failed to parse/validate config: %s", old_msg);
4789 const char *from, *to, *msg;
4793 for (opt = options->
AddressMap; opt; opt = opt->next) {
4795 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 2);
4796 if (smartlist_len(elts) < 2) {
4797 log_warn(
LD_CONFIG,
"MapAddress '%s' has too few arguments. Ignoring.",
4802 from = smartlist_get(elts,0);
4803 to = smartlist_get(elts,1);
4805 if (to[0] ==
'.' || from[0] ==
'.') {
4806 log_warn(
LD_CONFIG,
"MapAddress '%s' is ambiguous - address starts with a"
4807 "'.'. Ignoring.",opt->value);
4812 log_warn(
LD_CONFIG,
"MapAddress '%s' failed: %s. Ignoring.", opt->value,
4817 if (smartlist_len(elts) > 2)
4818 log_warn(
LD_CONFIG,
"Ignoring extra arguments to MapAddress.");
4824 smartlist_free(elts);
4836 int from_wildcard = 0, to_wildcard = 0;
4838 *msg =
"whoops, forgot the error message";
4840 if (!strcmp(to,
"*") || !strcmp(from,
"*")) {
4841 *msg =
"can't remap from or to *";
4845 if (!strncmp(from,
"*.",2)) {
4849 if (!strncmp(to,
"*.",2)) {
4854 if (to_wildcard && !from_wildcard) {
4855 *msg =
"can only use wildcard (i.e. '*.') if 'from' address "
4856 "uses wildcard also";
4861 *msg =
"destination is invalid";
4866 from_wildcard, to_wildcard, 0);
4876 const char *filename,
int truncate_log)
4878 int open_flags = O_WRONLY|O_CREAT;
4879 open_flags |= truncate_log ? O_TRUNC : O_APPEND;
4898 log_warn(
LD_CONFIG,
"Log time granularity '%d' has to be positive.",
4904 if (granularity < 40) {
4906 while (1000 % granularity != 0);
4907 }
else if (granularity < 1000) {
4908 granularity = 1000 / granularity;
4909 while (1000 % granularity != 0)
4911 granularity = 1000 / granularity;
4913 granularity = 1000 * ((granularity / 1000) + 1);
4915 log_warn(
LD_CONFIG,
"Log time granularity '%d' has to be either a "
4916 "divisor or a multiple of 1 second. Changing to "
4952 if (options->
Logs == NULL && !run_as_daemon && !validate_only) {
4958 for (opt = options->
Logs; opt; opt = opt->next) {
4960 const char *cfg = opt->value;
4963 log_warn(
LD_CONFIG,
"Couldn't parse log levels in Log option 'Log %s'",
4965 ok = 0;
goto cleanup;
4969 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 2);
4971 if (smartlist_len(elts) == 0)
4974 if (smartlist_len(elts) == 1 &&
4975 (!strcasecmp(smartlist_get(elts,0),
"stdout") ||
4976 !strcasecmp(smartlist_get(elts,0),
"stderr"))) {
4977 int err = smartlist_len(elts) &&
4978 !strcasecmp(smartlist_get(elts,0),
"stderr");
4979 if (!validate_only) {
4980 if (run_as_daemon) {
4982 "Can't log to %s with RunAsDaemon set; skipping stdout",
4983 err?
"stderr":
"stdout");
4986 fileno(err?stderr:stdout));
4991 if (smartlist_len(elts) == 1) {
4992 if (!strcasecmp(smartlist_get(elts,0),
"syslog")) {
4994 if (!validate_only) {
4998 log_warn(
LD_CONFIG,
"Syslog is not supported on this system. Sorry.");
5005 if (!strcasecmp(smartlist_get(elts, 0),
"android")) {
5007 log_warn(
LD_CONFIG,
"The android logging API is no longer supported;"
5008 " adding a syslog instead. The 'android' logging "
5009 " type will no longer work in the future.");
5010 if (!validate_only) {
5014 log_warn(
LD_CONFIG,
"The android logging API is no longer supported.");
5020 if (smartlist_len(elts) == 2 &&
5021 !strcasecmp(smartlist_get(elts,0),
"file")) {
5022 if (!validate_only) {
5026 int truncate_log = 0;
5031 for (opt2 = old_options->
Logs; opt2; opt2 = opt2->next)
5032 if (!strcmp(opt->value, opt2->value)) {
5039 log_warn(
LD_CONFIG,
"Couldn't open file for 'Log %s': %s",
5040 opt->value, strerror(errno));
5048 log_warn(
LD_CONFIG,
"Bad syntax on file Log option 'Log %s'",
5050 ok = 0;
goto cleanup;
5057 smartlist_free(elts);
5059 if (ok && !validate_only)
5071 char *socks_string = NULL;
5072 size_t socks_string_len;
5079 log_warn(
LD_CONFIG,
"'%s' is not a k=v item.", s);
5082 } SMARTLIST_FOREACH_END(s);
5088 socks_string_len = strlen(socks_string);
5092 log_warn(
LD_CONFIG,
"SOCKS arguments can't be more than %u bytes (%lu).",
5094 (
unsigned long) socks_string_len);
5108 if (bridge_line->socks_args) {
5110 smartlist_free(bridge_line->socks_args);
5112 tor_free(bridge_line->transport_name);
5132 char *addrport=NULL, *fingerprint=NULL;
5138 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
5139 if (smartlist_len(items) < 1) {
5140 log_warn(
LD_CONFIG,
"Too few arguments to Bridge line.");
5145 field = smartlist_get(items, 0);
5150 bridge_line->transport_name = field;
5151 if (smartlist_len(items) < 1) {
5152 log_warn(
LD_CONFIG,
"Too few items to Bridge line.");
5155 addrport = smartlist_get(items, 0);
5162 &bridge_line->addr, &bridge_line->port, 443)<0) {
5163 log_warn(
LD_CONFIG,
"Error parsing Bridge address '%s'", addrport);
5170 if (smartlist_len(items)) {
5171 if (bridge_line->transport_name) {
5172 field = smartlist_get(items, 0);
5181 fingerprint = field;
5192 log_warn(
LD_CONFIG,
"Key digest for Bridge is wrong length.");
5197 log_warn(
LD_CONFIG,
"Unable to decode Bridge key digest.");
5204 if (bridge_line->transport_name && smartlist_len(items)) {
5205 if (!bridge_line->socks_args)
5212 tor_assert(smartlist_len(bridge_line->socks_args) > 0);
5215 if (bridge_line->socks_args) {
5223 bridge_line_free(bridge_line);
5228 smartlist_free(items);
5255 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 2);
5258 if (smartlist_len(sl) < 2) {
5259 *msg = tor_strdup(
"TCPProxy has no address/port. Please fix.");
5263 char *protocol_string = smartlist_get(sl, 0);
5264 char *addrport_string = smartlist_get(sl, 1);
5267 if (strcasecmp(protocol_string,
"haproxy")) {
5268 *msg = tor_strdup(
"TCPProxy protocol is not supported. Currently "
5269 "the only supported protocol is 'haproxy'. "
5280 *msg = tor_strdup(
"TCPProxy address/port failed to parse or resolve. "
5309 const char *line,
int validate_only,
5315 const char *transports = NULL;
5318 char *addrport = NULL;
5321 int socks_ver = PROXY_NONE;
5325 char **proxy_argv = NULL;
5328 int is_useless_proxy = 1;
5335 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
5336 line_length = smartlist_len(items);
5338 if (line_length < 3) {
5340 "Too few arguments on %sTransportPlugin line.",
5341 server ?
"Server" :
"Client");
5348 transports = smartlist_get(items, 0);
5351 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
5355 log_warn(
LD_CONFIG,
"Transport name is not a C identifier (%s).",
5362 is_useless_proxy = 0;
5363 } SMARTLIST_FOREACH_END(transport_name);
5365 type = smartlist_get(items, 1);
5366 if (!strcmp(type,
"exec")) {
5368 }
else if (server && !strcmp(type,
"proxy")) {
5371 }
else if (!server && !strcmp(type,
"socks4")) {
5374 socks_ver = PROXY_SOCKS4;
5375 }
else if (!server && !strcmp(type,
"socks5")) {
5378 socks_ver = PROXY_SOCKS5;
5381 "Strange %sTransportPlugin type '%s'",
5382 server ?
"Server" :
"Client", type);
5386 if (is_managed && options->
Sandbox) {
5388 "Managed proxies are not compatible with Sandbox mode."
5389 "(%sTransportPlugin line was %s)",
5390 server ?
"Server" :
"Client",
escaped(line));
5394 if (is_managed && options->
NoExec) {
5396 "Managed proxies are not compatible with NoExec mode; ignoring."
5397 "(%sTransportPlugin line was %s)",
5398 server ?
"Server" :
"Client",
escaped(line));
5406 if (!server && !validate_only && is_useless_proxy) {
5408 "Pluggable transport proxy (%s) does not provide "
5409 "any needed transports and will not be launched.",
5419 if (!validate_only && (server || !is_useless_proxy)) {
5420 proxy_argc = line_length - 2;
5422 proxy_argv = tor_calloc((proxy_argc + 1),
sizeof(
char *));
5425 for (i = 0; i < proxy_argc; i++) {
5427 *tmp++ = smartlist_get(items, 2);
5445 log_warn(
LD_CONFIG,
"You have configured an external proxy with another "
5446 "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|"
5453 "You can't have an external proxy with more than "
5458 addrport = smartlist_get(items, 2);
5462 "Error parsing transport address '%s'", addrport);
5468 "Transport address '%s' has no port.", addrport);
5472 if (!validate_only) {
5473 log_info(
LD_DIR,
"%s '%s' at %s.",
5474 server ?
"Server transport" :
"Transport",
5493 smartlist_free(items);
5535 const char *eq = strchr(flag,
'=');
5537 const char *target = eq + 1;
5541 log_warn(
LD_CONFIG,
"Unsupported URL scheme in authority flag %s", flag);
5544 const char *addr = target + strlen(
"http://");
5546 const char *eos = strchr(addr,
'/');
5548 if (eos && strcmp(eos,
"/")) {
5549 log_warn(
LD_CONFIG,
"Unsupported URL prefix in authority flag %s", flag);
5552 addr_len = eos - addr;
5554 addr_len = strlen(addr);
5558 char *addr_string = tor_strndup(addr, addr_len);
5560 memset(&dirport, 0,
sizeof(dirport));
5562 &dirport.addr, &dirport.port, -1);
5563 if (ds != NULL && rv == 0) {
5565 }
else if (rv == -1) {
5566 log_warn(
LD_CONFIG,
"Unable to parse address in authority flag %s",flag);
5586 char *addrport=NULL, *address=NULL, *nickname=NULL, *fingerprint=NULL;
5588 uint16_t dir_port = 0, or_port = 0;
5592 double weight = 1.0;
5595 memset(v3_digest, 0,
sizeof(v3_digest));
5599 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
5600 if (smartlist_len(items) < 1) {
5601 log_warn(
LD_CONFIG,
"No arguments on DirAuthority line.");
5606 nickname = smartlist_get(items, 0);
5610 while (smartlist_len(items)) {
5611 char *flag = smartlist_get(items, 0);
5612 if (TOR_ISDIGIT(flag[0]))
5614 if (!strcasecmp(flag,
"hs") ||
5615 !strcasecmp(flag,
"no-hs")) {
5616 log_warn(
LD_CONFIG,
"The DirAuthority options 'hs' and 'no-hs' are "
5617 "obsolete; you don't need them any more.");
5618 }
else if (!strcasecmp(flag,
"bridge")) {
5620 }
else if (!strcasecmp(flag,
"no-v2")) {
5625 char *portstring = flag + strlen(
"orport=");
5626 or_port = (uint16_t)
tor_parse_long(portstring, 10, 1, 65535, &ok, NULL);
5628 log_warn(
LD_CONFIG,
"Invalid orport '%s' on DirAuthority line.",
5632 const char *wstring = flag + strlen(
"weight=");
5635 log_warn(
LD_CONFIG,
"Invalid weight '%s' on DirAuthority line.",flag);
5639 char *idstr = flag + strlen(
"v3ident=");
5643 log_warn(
LD_CONFIG,
"Bad v3 identity digest '%s' on DirAuthority line",