15 #define PROCESS_DESCS_PRIVATE
51 #define ROUTER_ALLOW_SKEW (60*60*12)
59 const char *nickname,
const tor_addr_t *ipv4_addr,
60 uint16_t ipv4_orport,
const char *platform,
61 const char **msg,
int severity);
81 authdir_init_fingerprint_list(
void)
88 authdir_return_fingerprint_list(
void)
109 fingerprint = tor_strdup(fp);
112 fingerprint, strlen(fingerprint)) !=
DIGEST_LEN) {
113 log_warn(
LD_DIRSERV,
"Couldn't decode fingerprint %s",
126 *status |= add_status;
154 *status |= add_status;
165 log_err(
LD_BUG,
"Error computing fingerprint");
171 log_err(
LD_BUG,
"Error adding RSA fingerprint");
175 log_err(
LD_BUG,
"Error adding ed25519 key");
191 char *nickname, *fingerprint;
196 fname = get_datadir_fname(
"approved-routers");
198 "Reloading approved fingerprints from \"%s\"...", fname);
202 log_warn(
LD_FS,
"Cannot open fingerprint file '%s'. That's ok.", fname);
211 log_warn(
LD_CONFIG,
"Error reading from fingerprint file");
217 for (list=front; list; list=list->next) {
219 nickname = list->key; fingerprint = list->value;
223 if (!strcasecmp(nickname,
"!reject")) {
224 add_status = RTR_REJECT;
225 }
else if (!strcasecmp(nickname,
"!badexit")) {
226 add_status = RTR_BADEXIT;
227 }
else if (!strcasecmp(nickname,
"!invalid")) {
228 add_status = RTR_INVALID;
229 }
else if (!strcasecmp(nickname,
"!middleonly")) {
230 add_status = RTR_MIDDLEONLY;
234 int ed25519_not_ok = -1, rsa_not_ok = -1;
239 fingerprint_list_new,
250 fingerprint_list_new, add_status);
255 if (ed25519_not_ok && rsa_not_ok) {
256 log_warn(
LD_CONFIG,
"Invalid fingerprint (nickname '%s', "
257 "fingerprint %s). Skipping.", nickname, fingerprint);
262 config_free_lines(front);
279 #define DISABLE_DISABLING_ED25519
302 log_warn(
LD_BUG,
"Error computing fingerprint");
304 *msg =
"Bug: Error computing fingerprint";
325 if (!routerinfo_has_curve25519_onion_key(router)) {
327 "Descriptor from router %s (platform %s) "
328 "is missing an ntor curve25519 onion key.",
331 *msg =
"Missing ntor curve25519 onion key. Please upgrade!";
337 if (KEYPIN_MISMATCH ==
341 "Descriptor from router %s has an Ed25519 key, "
342 "but the <rsa,ed25519> keys don't match what they were before.",
346 *msg =
"Ed25519 identity key or RSA identity key has changed.";
356 "Descriptor from router %s has no Ed25519 key, "
357 "when we previously knew an Ed25519 for it. Ignoring for now, "
358 "since Ed25519 keys are fairly new.",
360 #ifdef DISABLE_DISABLING_ED25519
363 *msg =
"Ed25519 identity key has disappeared.";
388 return (res & RTR_REJECT) != 0;
404 static const char please_upgrade_string[] =
405 "Tor version is insecure or unsupported. Please upgrade!";
410 *msg = please_upgrade_string;
428 const char *nickname,
const tor_addr_t *ipv4_addr,
429 uint16_t ipv4_orport,
const char *platform,
430 const char **msg,
int severity)
438 log_debug(
LD_DIRSERV,
"%d fingerprints, %d digests known.",
446 *msg =
"Malformed platform string.";
459 if (status_by_digest)
460 result |= *status_by_digest;
462 if (ed25519_public_key) {
464 ed25519_public_key->pubkey);
465 if (status_by_digest)
466 result |= *status_by_digest;
469 if (result & RTR_REJECT) {
471 *msg =
"Fingerprint and/or ed25519 identity is marked rejected -- if "
472 "you think this is a mistake please set a valid email address "
473 "in ContactInfo and send an email to "
474 "bad-relays@lists.torproject.org mentioning your fingerprint(s)?";
476 }
else if (result & RTR_INVALID) {
478 *msg =
"Fingerprint and/or ed25519 identity is marked invalid";
483 "Marking '%s' as bad exit because of address '%s'",
485 result |= RTR_BADEXIT;
490 "Marking '%s' as middle-only because of address '%s'",
492 result |= RTR_MIDDLEONLY;
499 *msg =
"Suspicious relay address range -- if you think this is a "
500 "mistake please set a valid email address in ContactInfo and "
501 "send an email to bad-relays@lists.torproject.org mentioning "
502 "your address(es) and fingerprint(s)?";
507 "Not marking '%s' valid because of address '%s'",
509 result |= RTR_INVALID;
541 tor_addr_is_internal(&ri->
ipv4_addr, 0)) {
543 "Router %s published internal IPv4 address. Refusing.",
551 tor_addr_is_internal(&ri->
ipv6_addr, 0)) {
553 "Router %s published internal IPv6 address. Refusing.",
572 int complain,
int *valid_out)
579 if (status & RTR_REJECT)
586 "far (%d minutes) in the future; possible clock skew. Not adding "
591 *msg =
"Rejected: Your clock is set too far in the future, or your "
592 "timezone is not correct.";
597 "Publication time for %s is too far "
598 "(%d minutes) in the past. Not adding (%s)",
602 *msg =
"Rejected: Server is expired, or your clock is too far in the past,"
603 " or your timezone is not correct.";
608 "Router %s has invalid address. Not adding (%s).",
611 *msg =
"Rejected: Address is a private address.";
615 *valid_out = ! (status & RTR_INVALID);
627 node->
is_valid = (authstatus & RTR_INVALID) ? 0 : 1;
628 node->
is_bad_exit = (authstatus & RTR_BADEXIT) ? 1 : 0;
652 time_t now = time(NULL);
654 char time_buf[ISO_TIME_LEN+1];
658 r=ROUTER_ADDED_SUCCESSFULLY;
661 *msg =
"descriptor(s) or extrainfo(s) not valid UTF-8 or had BOM.";
662 return ROUTER_AUTHDIR_REJECTS;
666 if (
tor_snprintf(annotation_buf,
sizeof(annotation_buf),
669 "%s%s%s", time_buf,
escaped(source),
670 !general ?
"@purpose " :
"",
672 !general ?
"\n" :
"")<0) {
673 *msg =
"Couldn't format annotations";
674 return ROUTER_AUTHDIR_BUG_ANNOTATIONS;
680 annotation_buf, NULL)) {
691 n_parsed += smartlist_len(list);
707 n_parsed += smartlist_len(list);
708 smartlist_free(list);
712 *msg =
"No descriptors found in your POST.";
714 r = ROUTER_IS_ALREADY_KNOWN;
716 *msg =
"(no message)";
743 char *desc, *nickname;
752 log_notice(
LD_DIR,
"Somebody attempted to publish a router descriptor '%s'"
753 " (source: %s) with size %d. Either this is an attack, or the "
754 "MAX_DESCRIPTOR_UPLOAD_SIZE (%d) constant is too low.",
757 *msg =
"Router descriptor was too large.";
758 r = ROUTER_AUTHDIR_REJECTS;
762 log_info(
LD_DIR,
"Assessing new descriptor: %s: %s",
774 "Not replacing descriptor from %s (source: %s); "
775 "differences are cosmetic.",
777 *msg =
"Not replacing router descriptor; no information has changed since "
778 "the last one with this identity.";
779 r = ROUTER_IS_ALREADY_KNOWN;
789 log_warn(
LD_DIRSERV,
"Received bad key from %s (source %s)",
792 return ROUTER_AUTHDIR_REJECTS;
798 pkey->pubkey, ! key_pinning);
802 #ifndef DISABLE_DISABLING_ED25519
803 if (keypin_status == KEYPIN_MISMATCH)
804 keypin_status = KEYPIN_NOT_FOUND;
807 if (keypin_status == KEYPIN_MISMATCH && key_pinning) {
808 log_info(
LD_DIRSERV,
"Dropping descriptor from %s (source: %s) because "
809 "its key did not match an older RSA/Ed25519 keypair",
811 *msg =
"Looks like your keypair has changed? This authority previously "
812 "recorded a different RSA identity for this Ed25519 identity (or vice "
813 "versa.) Did you replace or copy some of your key files, but not "
814 "the others? You should either restore the expected keypair, or "
815 "delete your keys and restart Tor to start your relay with a new "
817 r = ROUTER_AUTHDIR_REJECTS;
824 nickname = tor_strdup(ri->
nickname);
834 "Did not add descriptor from '%s' (source: %s): %s.",
835 nickname, source, *msg ? *msg :
"(no message)");
842 smartlist_free(changed);
844 *msg =
"Descriptor accepted";
847 "Added descriptor from '%s' (source: %s): %s.",
848 nickname, source, *msg);
859 log_info(
LD_GENERAL,
"Marking router with descriptor %s as rejected, "
860 "and therefore undownloadable",
883 *msg =
"No corresponding router descriptor for extra-info descriptor";
891 log_notice(
LD_DIR,
"Somebody attempted to publish an extrainfo "
892 "with size %d. Either this is an attack, or the "
893 "MAX_EXTRAINFO_UPLOAD_SIZE (%d) constant is too low.",
896 *msg =
"Extrainfo document was too large";
902 &ri->cache_info, msg))) {
905 return ROUTER_IS_ALREADY_KNOWN;
911 return ROUTER_ADDED_SUCCESSFULLY;
917 log_info(
LD_GENERAL,
"Marking extrainfo with descriptor %s as "
918 "rejected, and therefore undownloadable",
939 const char *msg = NULL;
940 const char *description;
947 if (r & RTR_REJECT) {
948 log_info(
LD_DIRSERV,
"Router %s is now rejected: %s",
949 description, msg?msg:
"");
953 if (
bool_neq((r & RTR_INVALID), !node->is_valid)) {
954 log_info(
LD_DIRSERV,
"Router '%s' is now %svalid.", description,
955 (r&RTR_INVALID) ?
"in" :
"");
956 node->is_valid = (r&RTR_INVALID)?0:1;
958 if (
bool_neq((r & RTR_BADEXIT), node->is_bad_exit)) {
959 log_info(
LD_DIRSERV,
"Router '%s' is now a %s exit", description,
960 (r & RTR_BADEXIT) ?
"bad" :
"good");
961 node->is_bad_exit = (r&RTR_BADEXIT) ? 1: 0;
963 if (
bool_neq((r & RTR_MIDDLEONLY), node->is_middle_only)) {
964 log_info(
LD_DIRSERV,
"Router '%s' is now %smiddle-only", description,
965 (r & RTR_MIDDLEONLY) ?
"" :
"not");
966 node->is_middle_only = (r&RTR_MIDDLEONLY) ? 1: 0;
968 } SMARTLIST_FOREACH_END(node);
971 smartlist_free(nodes);
int tor_addr_is_null(const tor_addr_t *addr)
const char * hex_str(const char *from, size_t fromlen)
int base16_decode(char *dest, size_t destlen, const char *src, size_t srclen)
const or_options_t * get_options(void)
Header file for config.c.
int config_get_lines(const char *string, config_line_t **result, int extended)
#define BASE64_DIGEST256_LEN
int ed25519_validate_pubkey(const ed25519_public_key_t *pubkey)
int crypto_pk_get_fingerprint(crypto_pk_t *pk, char *fp_out, int add_space)
int crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
const char * router_describe(const routerinfo_t *ri)
Header file for describe.c.
Structure dirauth_options_t to hold directory authority options.
Header for dirauth_sys.c.
Header file for directory.c.
void download_status_mark_impossible(download_status_t *dl)
Header file for dlstatus.c.
const char * escaped(const char *s)
#define RFTS_IGNORE_MISSING
int keypin_check_lone_rsa(const uint8_t *rsa_id_digest)
int keypin_check(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key)
int keypin_check_and_add(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key, const int replace_existing_entry)
#define log_fn(severity, domain, args,...)
void tor_free_(void *mem)
Header file for microdesc.c.
Microdescriptor structure.
download_status_t * router_get_dl_status_by_descriptor_digest(const char *d)
Header file for networkstatus.c.
Node information structure.
const smartlist_t * nodelist_get_list(void)
Header file for nodelist.c.
Master header file for Tor-specific functionality.
#define MAX_EXTRAINFO_UPLOAD_SIZE
#define ROUTER_ANNOTATION_BUF_LEN
#define MAX_DESCRIPTOR_UPLOAD_SIZE
#define ROUTER_MAX_AGE_TO_PUBLISH
int authdir_policy_badexit_address(const tor_addr_t *addr, uint16_t port)
int authdir_policy_permits_address(const tor_addr_t *addr, uint16_t port)
int authdir_policy_middleonly_address(const tor_addr_t *addr, uint16_t port)
int authdir_policy_valid_address(const tor_addr_t *addr, uint16_t port)
Header file for policies.c.
int tor_snprintf(char *str, size_t size, const char *format,...)
int dirserv_would_reject_router(const routerstatus_t *rs, const vote_routerstatus_t *vrs)
int dirserv_load_fingerprint_file(void)
STATIC bool dirserv_rejects_tor_version(const char *platform, const char **msg)
static was_router_added_t dirserv_add_extrainfo(extrainfo_t *ei, const char **msg)
#define ROUTER_ALLOW_SKEW
was_router_added_t dirserv_add_descriptor(routerinfo_t *ri, const char **msg, const char *source)
void dirserv_set_node_flags_from_authoritative_status(node_t *node, uint32_t authstatus)
int dirserv_add_own_fingerprint(crypto_pk_t *pk, const ed25519_public_key_t *edkey)
was_router_added_t dirserv_add_multiple_descriptors(const char *desc, size_t desclen, uint8_t purpose, const char *source, const char **msg)
static authdir_config_t * fingerprint_list
void dirserv_free_fingerprint_list(void)
uint32_t dirserv_router_get_status(const routerinfo_t *router, const char **msg, int severity)
STATIC int dirserv_router_has_valid_address(routerinfo_t *ri)
static int WRA_MORE_SEVERE(was_router_added_t a, was_router_added_t b)
static uint32_t dirserv_get_status_impl(const char *id_digest, const ed25519_public_key_t *ed25519_public_key, const char *nickname, const tor_addr_t *ipv4_addr, uint16_t ipv4_orport, const char *platform, const char **msg, int severity)
static authdir_config_t * authdir_config_new(void)
int authdir_wants_to_reject_router(routerinfo_t *ri, const char **msg, int complain, int *valid_out)
static void directory_remove_invalid(void)
int add_ed25519_to_dir(const ed25519_public_key_t *edkey, authdir_config_t *list, rtr_flags_t add_status)
int add_rsa_fingerprint_to_dir(const char *fp, authdir_config_t *list, rtr_flags_t add_status)
Header file for process_descs.c.
int dirserv_should_launch_reachability_test(const routerinfo_t *ri, const routerinfo_t *ri_old)
Header file for reachability.c.
int router_is_me(const routerinfo_t *router)
Header file for router.c.
const char * router_purpose_to_string(uint8_t p)
Header file for routerinfo.c.
Router descriptor structure.
#define ROUTER_PURPOSE_GENERAL
void routerlist_assert_ok(const routerlist_t *rl)
routerinfo_t * router_get_mutable_by_digest(const char *digest)
int routerinfo_incompatible_with_extrainfo(const crypto_pk_t *identity_pkey, extrainfo_t *ei, signed_descriptor_t *sd, const char **msg)
void routerlist_remove(routerlist_t *rl, routerinfo_t *ri, int make_old, time_t now)
routerlist_t * router_get_routerlist(void)
was_router_added_t router_add_extrainfo_to_routerlist(extrainfo_t *ei, const char **msg, int from_cache, int from_fetch)
was_router_added_t router_add_to_routerlist(routerinfo_t *router, const char **msg, int from_cache, int from_fetch)
int router_differences_are_cosmetic(const routerinfo_t *r1, const routerinfo_t *r2)
void routerlist_descriptors_added(smartlist_t *sl, int from_cache)
signed_descriptor_t * router_get_by_extrainfo_digest(const char *digest)
const char * esc_router_info(const routerinfo_t *router)
Header file for routerlist.c.
static int WRA_WAS_ADDED(was_router_added_t s)
int router_parse_list_from_string(const char **s, const char *eos, smartlist_t *dest, saved_location_t saved_location, int want_extrainfo, int allow_annotations, const char *prepend_annotations, smartlist_t *invalid_digests_out)
Header file for routerparse.c.
Routerstatus (consensus entry) structure.
void smartlist_add_all(smartlist_t *s1, const smartlist_t *s2)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
digest256map_t * status_by_digest256
digestmap_t * status_by_digest
unsigned int is_middle_only
crypto_pk_t * identity_pkey
unsigned int needs_retest_if_added
char identity_digest[DIGEST_LEN]
char nickname[MAX_NICKNAME_LEN+1]
char signed_descriptor_digest[DIGEST_LEN]
char identity_digest[DIGEST_LEN]
download_status_t ei_dl_status
struct tor_cert_st * signing_key_cert
char * signed_descriptor_body
size_t signed_descriptor_len
uint8_t ed25519_id[ED25519_PUBKEY_LEN]
void format_iso_time(char *buf, time_t t)
Parsed Tor version structure.
int string_is_utf8_no_bom(const char *str, size_t len)
void tor_strstrip(char *s, const char *strip)
int tor_version_as_new_as(const char *platform, const char *cutoff)
int tor_version_parse_platform(const char *platform, tor_version_t *router_version, int strict)
Header file for versions.c.
Routerstatus (vote entry) structure.
#define ED25519_PUBKEY_LEN