15#define PROCESS_DESCS_PRIVATE
51#define ROUTER_ALLOW_SKEW (60*60*12)
59 const char *nickname,
const tor_addr_t *ipv4_addr,
60 uint16_t ipv4_orport,
const char *platform,
61 const char **msg,
int severity);
81authdir_init_fingerprint_list(
void)
88authdir_return_fingerprint_list(
void)
109 fingerprint = tor_strdup(fp);
112 fingerprint, strlen(fingerprint)) !=
DIGEST_LEN) {
113 log_warn(
LD_DIRSERV,
"Couldn't decode fingerprint %s",
126 *status |= add_status;
154 *status |= add_status;
165 log_err(
LD_BUG,
"Error computing fingerprint");
171 log_err(
LD_BUG,
"Error adding RSA fingerprint");
175 log_err(
LD_BUG,
"Error adding ed25519 key");
/* Fragment of the approved-routers loader. Only some numbered source lines
 * survive on this page; the statements between them are not shown. */
191 char *nickname, *fingerprint;
/* The list is read from a file named "approved-routers"; its path comes from
 * get_datadir_fname(). */
196 fname = get_datadir_fname(
"approved-routers");
198 "Reloading approved fingerprints from \"%s\"...", fname);
/* A file that cannot be opened is only warned about ("That's ok."); the value
 * returned on this path is not visible here. */
202 log_warn(
LD_FS,
"Cannot open fingerprint file '%s'. That's ok.", fname);
211 log_warn(
LD_CONFIG,
"Error reading from fingerprint file");
/* Walk the parsed lines: each line's key is used as the nickname and its
 * value as the fingerprint. */
217 for (list=front; list; list=list->next) {
219 nickname = list->key; fingerprint = list->value;
/* A key that equals one of the "!..." directives (compared case-insensitively
 * with strcasecmp) selects the status flag stored in add_status. */
223 if (!strcasecmp(nickname,
"!reject")) {
224 add_status = RTR_REJECT;
225 }
else if (!strcasecmp(nickname,
"!badexit")) {
226 add_status = RTR_BADEXIT;
227 }
else if (!strcasecmp(nickname,
"!invalid")) {
228 add_status = RTR_INVALID;
229 }
else if (!strcasecmp(nickname,
"!middleonly")) {
230 add_status = RTR_MIDDLEONLY;
231 }
else if (!strcasecmp(nickname,
"!stripguard")) {
232 add_status = RTR_STRIPGUARD;
233 }
else if (!strcasecmp(nickname,
"!striphsdir")) {
234 add_status = RTR_STRIPHSDIR;
235 }
else if (!strcasecmp(nickname,
"!stripv2dir")) {
236 add_status = RTR_STRIPV2DIR;
/* Both results start as -1 (failure).
 * NOTE(review): presumably overwritten by the ed25519 and RSA fingerprint
 * parsers on the elided lines -- confirm. */
240 int ed25519_not_ok = -1, rsa_not_ok = -1;
245 fingerprint_list_new,
256 fingerprint_list_new, add_status);
/* When both results are nonzero the entry is warned about and, per the
 * message, skipped. A mistyped fingerprint on a "!reject" line therefore
 * surfaces only as this LD_CONFIG warning, so it is worth checking the log
 * for it after editing the file. */
261 if (ed25519_not_ok && rsa_not_ok) {
262 log_warn(
LD_CONFIG,
"Invalid fingerprint (nickname '%s', "
263 "fingerprint %s). Skipping.", nickname, fingerprint);
/* Release the parsed line list. */
268 config_free_lines(front);
285#define DISABLE_DISABLING_ED25519
308 log_warn(
LD_BUG,
"Error computing fingerprint");
310 *msg =
"Bug: Error computing fingerprint";
/* Fragment of the per-descriptor status checks; intermediate lines are not
 * shown on this page. */
/* A descriptor without a curve25519 (ntor) onion key gets the message below;
 * the status returned on this path is on lines not visible here. */
331 if (!routerinfo_has_curve25519_onion_key(router)) {
333 "Descriptor from router %s (platform %s) "
334 "is missing an ntor curve25519 onion key.",
337 *msg =
"Missing ntor curve25519 onion key. Please upgrade!";
/* Key-pinning check: a KEYPIN_MISMATCH result is reported as a change in the
 * previously recorded <rsa,ed25519> pair. */
343 if (KEYPIN_MISMATCH ==
347 "Descriptor from router %s has an Ed25519 key, "
348 "but the <rsa,ed25519> keys don't match what they were before.",
352 *msg =
"Ed25519 identity key or RSA identity key has changed.";
/* NOTE(review): this log text says a vanished Ed25519 key is ignored "for
 * now", yet the DISABLE_DISABLING_ED25519 branch below sets a "has
 * disappeared" message. The log wording and the handling look out of step;
 * confirm against the elided lines what is returned here. */
362 "Descriptor from router %s has no Ed25519 key, "
363 "when we previously knew an Ed25519 for it. Ignoring for now, "
364 "since Ed25519 keys are fairly new.",
366#ifdef DISABLE_DISABLING_ED25519
369 *msg =
"Ed25519 identity key has disappeared.";
394 return (res & RTR_REJECT) != 0;
410 static const char please_upgrade_string[] =
411 "Tor version is insecure or unsupported. Please upgrade!";
414 dirauth_get_options()->MinimalAcceptedServerVersion)) {
416 *msg = please_upgrade_string;
434 const char *nickname,
const tor_addr_t *ipv4_addr,
435 uint16_t ipv4_orport,
const char *platform,
436 const char **msg,
int severity)
/* Fragment of the status computation; intermediate lines are not shown on
 * this page. */
444 log_debug(
LD_DIRSERV,
"%d fingerprints, %d digests known.",
452 *msg =
"Malformed platform string.";
/* Flags from a lookup result are OR-ed into result here and again inside the
 * ed25519_public_key branch, so flags found by either lookup accumulate.
 * NOTE(review): the lookups themselves are on elided lines; presumably the
 * first is keyed by the RSA identity digest -- confirm. */
465 if (status_by_digest)
466 result |= *status_by_digest;
468 if (ed25519_public_key) {
470 ed25519_public_key->pubkey);
471 if (status_by_digest)
472 result |= *status_by_digest;
/* RTR_REJECT is tested before RTR_INVALID; each sets its own message for the
 * uploader. */
475 if (result & RTR_REJECT) {
477 *msg =
"Fingerprint and/or ed25519 identity is marked rejected -- if "
478 "you think this is a mistake please set a valid email address "
479 "in ContactInfo and send an email to "
480 "bad-relays@lists.torproject.org mentioning your fingerprint(s)?";
482 }
else if (result & RTR_INVALID) {
484 *msg =
"Fingerprint and/or ed25519 identity is marked invalid";
/* Address-based flags: per the log text, these bits are added because of the
 * relay's address. The policy checks that decide this are on elided lines. */
489 "Marking '%s' as bad exit because of address '%s'",
491 result |= RTR_BADEXIT;
496 "Marking '%s' as middle-only because of address '%s'",
498 result |= RTR_MIDDLEONLY;
505 *msg =
"Suspicious relay address range -- if you think this is a "
506 "mistake please set a valid email address in ContactInfo and "
507 "send an email to bad-relays@lists.torproject.org mentioning "
508 "your address(es) and fingerprint(s)?";
513 "Not marking '%s' valid because of address '%s'",
515 result |= RTR_INVALID;
547 tor_addr_is_internal(&ri->
ipv4_addr, 0)) {
549 "Router %s published internal IPv4 address. Refusing.",
557 tor_addr_is_internal(&ri->
ipv6_addr, 0)) {
559 "Router %s published internal IPv6 address. Refusing.",
578 int complain,
int *valid_out)
585 if (status & RTR_REJECT)
592 "far (%d minutes) in the future; possible clock skew. Not adding "
597 *msg =
"Rejected: Your clock is set too far in the future, or your "
598 "timezone is not correct.";
603 "Publication time for %s is too far "
604 "(%d minutes) in the past. Not adding (%s)",
608 *msg =
"Rejected: Server is expired, or your clock is too far in the past,"
609 " or your timezone is not correct.";
614 "Router %s has invalid address. Not adding (%s).",
617 *msg =
"Rejected: Address is a private address.";
621 *valid_out = ! (status & RTR_INVALID);
633 node->
is_valid = (authstatus & RTR_INVALID) ? 0 : 1;
634 node->
is_bad_exit = (authstatus & RTR_BADEXIT) ? 1 : 0;
636 node->
strip_guard = (authstatus & RTR_STRIPGUARD) ? 1 : 0;
637 node->
strip_hsdir = (authstatus & RTR_STRIPHSDIR) ? 1 : 0;
638 node->
strip_v2dir = (authstatus & RTR_STRIPV2DIR) ? 1 : 0;
/* Fragment of the multi-descriptor upload path; intermediate lines are not
 * shown on this page. */
661 time_t now = time(NULL);
663 char time_buf[ISO_TIME_LEN+1];
667 r=ROUTER_ADDED_SUCCESSFULLY;
/* Per the message, input that is not valid UTF-8 or that carries a BOM is
 * refused with ROUTER_AUTHDIR_REJECTS (the test itself is on an elided
 * line). */
670 *msg =
"descriptor(s) or extrainfo(s) not valid UTF-8 or had BOM.";
671 return ROUTER_AUTHDIR_REJECTS;
/* The annotation text is built with tor_snprintf bounded by
 * sizeof(annotation_buf), and the source string is passed through escaped()
 * before being embedded. A negative result is treated as a formatting
 * failure and returns ROUTER_AUTHDIR_BUG_ANNOTATIONS. */
675 if (
tor_snprintf(annotation_buf,
sizeof(annotation_buf),
678 "%s%s%s", time_buf,
escaped(source),
679 !general ?
"@purpose " :
"",
681 !general ?
"\n" :
"")<0) {
682 *msg =
"Couldn't format annotations";
683 return ROUTER_AUTHDIR_BUG_ANNOTATIONS;
/* NOTE(review): tail of a call that receives annotation_buf; presumably the
 * descriptor-list parser -- confirm. */
689 annotation_buf, NULL)) {
/* n_parsed accumulates the length of each parsed list. */
700 n_parsed += smartlist_len(list);
716 n_parsed += smartlist_len(list);
717 smartlist_free(list);
721 *msg =
"No descriptors found in your POST.";
723 r = ROUTER_IS_ALREADY_KNOWN;
725 *msg =
"(no message)";
/* Fragment of the single-descriptor acceptance path; intermediate lines are
 * not shown on this page. */
752 char *desc, *nickname;
/* Oversized upload: logged at notice level as either an attack or a too-low
 * MAX_DESCRIPTOR_UPLOAD_SIZE, then refused with ROUTER_AUTHDIR_REJECTS. */
761 log_notice(
LD_DIR,
"Somebody attempted to publish a router descriptor '%s'"
762 " (source: %s) with size %d. Either this is an attack, or the "
763 "MAX_DESCRIPTOR_UPLOAD_SIZE (%d) constant is too low.",
766 *msg =
"Router descriptor was too large.";
767 r = ROUTER_AUTHDIR_REJECTS;
771 log_info(
LD_DIR,
"Assessing new descriptor: %s: %s",
/* A descriptor without a TAP key is refused. */
776 log_info(
LD_DIRSERV,
"Rejecting descriptor from %s (source: %s); "
777 "it has no TAP key.",
779 *msg =
"Missing TAP key in descriptor.";
780 r = ROUTER_AUTHDIR_REJECTS;
/* A descriptor that differs only cosmetically from the stored one is not
 * replaced; the result is ROUTER_IS_ALREADY_KNOWN rather than a rejection. */
793 "Not replacing descriptor from %s (source: %s); "
794 "differences are cosmetic.",
796 *msg =
"Not replacing router descriptor; no information has changed since "
797 "the last one with this identity.";
798 r = ROUTER_IS_ALREADY_KNOWN;
808 log_warn(
LD_DIRSERV,
"Received bad key from %s (source %s)",
811 return ROUTER_AUTHDIR_REJECTS;
/* NOTE(review): tail of a call whose last argument is !key_pinning;
 * presumably the keypin check-and-add, where that argument would allow an
 * existing pin to be replaced when key pinning is off -- confirm. */
817 pkey->pubkey, ! key_pinning);
/* This downgrade of MISMATCH to NOT_FOUND is compiled only when
 * DISABLE_DISABLING_ED25519 is not defined. The listing shows that macro
 * defined at source line 285, so here a mismatch stays a mismatch. */
821#ifndef DISABLE_DISABLING_ED25519
822 if (keypin_status == KEYPIN_MISMATCH)
823 keypin_status = KEYPIN_NOT_FOUND;
/* Enforcement point: a pin mismatch leads to rejection only when key_pinning
 * is set. */
826 if (keypin_status == KEYPIN_MISMATCH && key_pinning) {
827 log_info(
LD_DIRSERV,
"Dropping descriptor from %s (source: %s) because "
828 "its key did not match an older RSA/Ed25519 keypair",
830 *msg =
"Looks like your keypair has changed? This authority previously "
831 "recorded a different RSA identity for this Ed25519 identity (or vice "
832 "versa.) Did you replace or copy some of your key files, but not "
833 "the others? You should either restore the expected keypair, or "
834 "delete your keys and restart Tor to start your relay with a new "
836 r = ROUTER_AUTHDIR_REJECTS;
843 nickname = tor_strdup(ri->
nickname);
853 "Did not add descriptor from '%s' (source: %s): %s.",
854 nickname, source, *msg ? *msg :
"(no message)");
861 smartlist_free(changed);
863 *msg =
"Descriptor accepted";
866 "Added descriptor from '%s' (source: %s): %s.",
867 nickname, source, *msg);
878 log_info(
LD_GENERAL,
"Marking router with descriptor %s as rejected, "
879 "and therefore undownloadable",
902 *msg =
"No corresponding router descriptor for extra-info descriptor";
910 log_notice(
LD_DIR,
"Somebody attempted to publish an extrainfo "
911 "with size %d. Either this is an attack, or the "
912 "MAX_EXTRAINFO_UPLOAD_SIZE (%d) constant is too low.",
915 *msg =
"Extrainfo document was too large";
921 &ri->cache_info, msg))) {
924 return ROUTER_IS_ALREADY_KNOWN;
930 return ROUTER_ADDED_SUCCESSFULLY;
936 log_info(
LD_GENERAL,
"Marking extrainfo with descriptor %s as "
937 "rejected, and therefore undownloadable",
/* Fragment of the loop that re-checks each node's status bits in r and
 * syncs the node's flags to them; intermediate lines are not shown on this
 * page. */
958 const char *msg = NULL;
959 const char *description;
/* A node whose status now carries RTR_REJECT is logged; what is done with it
 * afterwards is on elided lines. */
966 if (r & RTR_REJECT) {
967 log_info(
LD_DIRSERV,
"Router %s is now rejected: %s",
968 description, msg?msg:
"");
/* Each block below compares a status bit with the node's stored flag via
 * bool_neq() and, when they differ, logs the transition and updates the
 * flag. is_valid is the inverse of RTR_INVALID, hence the negation. */
972 if (
bool_neq((r & RTR_INVALID), !node->is_valid)) {
973 log_info(
LD_DIRSERV,
"Router '%s' is now %svalid.", description,
974 (r&RTR_INVALID) ?
"in" :
"");
975 node->is_valid = (r&RTR_INVALID)?0:1;
977 if (
bool_neq((r & RTR_BADEXIT), node->is_bad_exit)) {
978 log_info(
LD_DIRSERV,
"Router '%s' is now a %s exit", description,
979 (r & RTR_BADEXIT) ?
"bad" :
"good");
980 node->is_bad_exit = (r&RTR_BADEXIT) ? 1: 0;
/* NOTE(review): the "%s" is placed directly before "middle-only" and the
 * negative case substitutes "not" without a trailing space, so the message
 * reads "notmiddle-only". Log searches for this transition need to match
 * that spelling. */
982 if (
bool_neq((r & RTR_MIDDLEONLY), node->is_middle_only)) {
983 log_info(
LD_DIRSERV,
"Router '%s' is now %smiddle-only", description,
984 (r & RTR_MIDDLEONLY) ?
"" :
"not");
985 node->is_middle_only = (r&RTR_MIDDLEONLY) ? 1: 0;
987 if (
bool_neq((r & RTR_STRIPGUARD), node->strip_guard)) {
988 log_info(
LD_DIRSERV,
"Router '%s' is now %s guard", description,
989 (r & RTR_STRIPGUARD) ?
"stripped of" :
"not");
990 node->strip_guard = (r&RTR_STRIPGUARD) ? 1: 0;
992 if (
bool_neq((r & RTR_STRIPHSDIR), node->strip_hsdir)) {
993 log_info(
LD_DIRSERV,
"Router '%s' is now %s hidden service directory",
994 description, (r & RTR_STRIPHSDIR) ?
"stripped of" :
"not");
995 node->strip_hsdir = (r&RTR_STRIPHSDIR) ? 1: 0;
997 if (
bool_neq((r & RTR_STRIPV2DIR), node->strip_v2dir)) {
998 log_info(
LD_DIRSERV,
"Router '%s' is now %s v2 directory",
999 description, (r & RTR_STRIPV2DIR) ?
"stripped of" :
"not");
1000 node->strip_v2dir = (r&RTR_STRIPV2DIR) ? 1: 0;
1002 } SMARTLIST_FOREACH_END(node);
/* Free the list container used for the walk. */
1005 smartlist_free(nodes);
int tor_addr_is_null(const tor_addr_t *addr)
const char * hex_str(const char *from, size_t fromlen)
int base16_decode(char *dest, size_t destlen, const char *src, size_t srclen)
const or_options_t * get_options(void)
Header file for config.c.
int config_get_lines(const char *string, config_line_t **result, int extended)
#define BASE64_DIGEST256_LEN
int ed25519_validate_pubkey(const ed25519_public_key_t *pubkey)
int crypto_pk_get_fingerprint(crypto_pk_t *pk, char *fp_out, int add_space)
int crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
const char * router_describe(const routerinfo_t *ri)
Header file for describe.c.
Structure dirauth_options_t to hold directory authority options.
Header for dirauth_sys.c.
Header file for directory.c.
void download_status_mark_impossible(download_status_t *dl)
Header file for dlstatus.c.
const char * escaped(const char *s)
#define RFTS_IGNORE_MISSING
int keypin_check_lone_rsa(const uint8_t *rsa_id_digest)
int keypin_check(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key)
int keypin_check_and_add(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key, const int replace_existing_entry)
#define log_fn(severity, domain, args,...)
void tor_free_(void *mem)
Header file for microdesc.c.
Microdescriptor structure.
download_status_t * router_get_dl_status_by_descriptor_digest(const char *d)
Header file for networkstatus.c.
Node information structure.
const smartlist_t * nodelist_get_list(void)
Header file for nodelist.c.
Master header file for Tor-specific functionality.
#define MAX_EXTRAINFO_UPLOAD_SIZE
#define ROUTER_ANNOTATION_BUF_LEN
#define MAX_DESCRIPTOR_UPLOAD_SIZE
#define ROUTER_MAX_AGE_TO_PUBLISH
int authdir_policy_badexit_address(const tor_addr_t *addr, uint16_t port)
int authdir_policy_permits_address(const tor_addr_t *addr, uint16_t port)
int authdir_policy_middleonly_address(const tor_addr_t *addr, uint16_t port)
int authdir_policy_valid_address(const tor_addr_t *addr, uint16_t port)
Header file for policies.c.
int tor_snprintf(char *str, size_t size, const char *format,...)
int dirserv_would_reject_router(const routerstatus_t *rs, const vote_routerstatus_t *vrs)
int dirserv_load_fingerprint_file(void)
STATIC bool dirserv_rejects_tor_version(const char *platform, const char **msg)
static was_router_added_t dirserv_add_extrainfo(extrainfo_t *ei, const char **msg)
#define ROUTER_ALLOW_SKEW
was_router_added_t dirserv_add_descriptor(routerinfo_t *ri, const char **msg, const char *source)
void dirserv_set_node_flags_from_authoritative_status(node_t *node, uint32_t authstatus)
int dirserv_add_own_fingerprint(crypto_pk_t *pk, const ed25519_public_key_t *edkey)
static authdir_config_t * authdir_config_new(void)
was_router_added_t dirserv_add_multiple_descriptors(const char *desc, size_t desclen, uint8_t purpose, const char *source, const char **msg)
static authdir_config_t * fingerprint_list
void dirserv_free_fingerprint_list(void)
uint32_t dirserv_router_get_status(const routerinfo_t *router, const char **msg, int severity)
STATIC int dirserv_router_has_valid_address(routerinfo_t *ri)
static int WRA_MORE_SEVERE(was_router_added_t a, was_router_added_t b)
static uint32_t dirserv_get_status_impl(const char *id_digest, const ed25519_public_key_t *ed25519_public_key, const char *nickname, const tor_addr_t *ipv4_addr, uint16_t ipv4_orport, const char *platform, const char **msg, int severity)
int authdir_wants_to_reject_router(routerinfo_t *ri, const char **msg, int complain, int *valid_out)
static void directory_remove_invalid(void)
int add_ed25519_to_dir(const ed25519_public_key_t *edkey, authdir_config_t *list, rtr_flags_t add_status)
int add_rsa_fingerprint_to_dir(const char *fp, authdir_config_t *list, rtr_flags_t add_status)
Header file for process_descs.c.
int dirserv_should_launch_reachability_test(const routerinfo_t *ri, const routerinfo_t *ri_old)
Header file for reachability.c.
int router_is_me(const routerinfo_t *router)
Header file for router.c.
const char * router_purpose_to_string(uint8_t p)
Header file for routerinfo.c.
Router descriptor structure.
#define ROUTER_PURPOSE_GENERAL
const char * esc_router_info(const routerinfo_t *router)
routerlist_t * router_get_routerlist(void)
signed_descriptor_t * router_get_by_extrainfo_digest(const char *digest)
void routerlist_assert_ok(const routerlist_t *rl)
int routerinfo_incompatible_with_extrainfo(const crypto_pk_t *identity_pkey, extrainfo_t *ei, signed_descriptor_t *sd, const char **msg)
void routerlist_remove(routerlist_t *rl, routerinfo_t *ri, int make_old, time_t now)
was_router_added_t router_add_extrainfo_to_routerlist(extrainfo_t *ei, const char **msg, int from_cache, int from_fetch)
was_router_added_t router_add_to_routerlist(routerinfo_t *router, const char **msg, int from_cache, int from_fetch)
int router_differences_are_cosmetic(const routerinfo_t *r1, const routerinfo_t *r2)
void routerlist_descriptors_added(smartlist_t *sl, int from_cache)
routerinfo_t * router_get_mutable_by_digest(const char *digest)
Header file for routerlist.c.
static int WRA_WAS_ADDED(was_router_added_t s)
int router_parse_list_from_string(const char **s, const char *eos, smartlist_t *dest, saved_location_t saved_location, int want_extrainfo, int allow_annotations, const char *prepend_annotations, smartlist_t *invalid_digests_out)
Header file for routerparse.c.
Routerstatus (consensus entry) structure.
void smartlist_add_all(smartlist_t *s1, const smartlist_t *s2)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
digest256map_t * status_by_digest256
digestmap_t * status_by_digest
unsigned int is_middle_only
crypto_pk_t * identity_pkey
unsigned int needs_retest_if_added
char identity_digest[DIGEST_LEN]
char nickname[MAX_NICKNAME_LEN+1]
char signed_descriptor_digest[DIGEST_LEN]
char identity_digest[DIGEST_LEN]
download_status_t ei_dl_status
struct tor_cert_st * signing_key_cert
char * signed_descriptor_body
size_t signed_descriptor_len
uint8_t ed25519_id[ED25519_PUBKEY_LEN]
void format_iso_time(char *buf, time_t t)
Parsed Tor version structure.
int string_is_utf8_no_bom(const char *str, size_t len)
void tor_strstrip(char *s, const char *strip)
int tor_version_as_new_as(const char *platform, const char *cutoff)
int tor_version_parse_platform(const char *platform, tor_version_t *router_version, int strict)
Header file for versions.c.
Routerstatus (vote entry) structure.
#define ED25519_PUBKEY_LEN