Tor  0.4.7.0-alpha-dev
bridges.c
Go to the documentation of this file.
1 /* Copyright (c) 2001 Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
7 /**
8  * \file bridges.c
9  * \brief Code to manage bridges and bridge selection.
10  *
11  * Bridges are fixed entry nodes, used for censorship circumvention.
12  **/
13 
14 #define TOR_BRIDGES_PRIVATE
15 
16 #include "core/or/or.h"
17 #include "app/config/config.h"
19 #include "core/or/circuitbuild.h"
20 #include "core/or/policies.h"
21 #include "feature/client/bridges.h"
33 
34 #include "core/or/extend_info_st.h"
39 
40 /** Information about a configured bridge. Currently this just matches the
41  * ones in the torrc file, but one day we may be able to learn about new
42  * bridges on our own, and remember them in the state file. */
43 struct bridge_info_t {
44  /** Address and port of the bridge, as configured by the user.*/
46  /** Address of the bridge. */
48  /** TLS port for the bridge. */
49  uint16_t port;
50  /** Boolean: We are re-parsing our bridge list, and we are going to remove
51  * this one if we don't find it in the list of configured bridges. */
52  unsigned marked_for_removal : 1;
53  /** Expected identity digest, or all zero bytes if we don't know what the
54  * digest should be. */
56 
57  /** Name of pluggable transport protocol taken from its config line. */
59 
60  /** When should we next try to fetch a descriptor for this bridge? */
62 
63  /** A smartlist of k=v values to be passed to the SOCKS proxy, if
64  transports are used for this bridge. */
66 };
67 
68 #define bridge_free(bridge) \
69  FREE_AND_NULL(bridge_info_t, bridge_free_, (bridge))
70 
71 static void bridge_free_(bridge_info_t *bridge);
72 static void rewrite_node_address_for_bridge(const bridge_info_t *bridge,
73  node_t *node);
74 
75 /** A list of configured bridges. Whenever we actually get a descriptor
76  * for one, we add it as an entry guard. Note that the order of bridges
77  * in this list does not necessarily correspond to the order of bridges
78  * in the torrc. */
79 static smartlist_t *bridge_list = NULL;
80 
81 /** Mark every entry of the bridge list to be removed on our next call to
82  * sweep_bridge_list unless it has first been un-marked. */
83 void
85 {
86  if (!bridge_list)
89  b->marked_for_removal = 1);
90 }
91 
92 /** Remove every entry of the bridge list that was marked with
93  * mark_bridge_list if it has not subsequently been un-marked. */
94 void
96 {
97  if (!bridge_list)
100  if (b->marked_for_removal) {
102  bridge_free(b);
103  }
104  } SMARTLIST_FOREACH_END(b);
105 }
106 
107 /** Initialize the bridge list to empty, creating it if needed. */
108 STATIC void
110 {
111  if (!bridge_list)
113  SMARTLIST_FOREACH(bridge_list, bridge_info_t *, b, bridge_free(b));
115 }
116 
117 /** Free the bridge <b>bridge</b>. */
118 static void
120 {
121  if (!bridge)
122  return;
123 
124  tor_free(bridge->transport_name);
125  if (bridge->socks_args) {
126  SMARTLIST_FOREACH(bridge->socks_args, char*, s, tor_free(s));
127  smartlist_free(bridge->socks_args);
128  }
129 
130  tor_free(bridge);
131 }
132 
133 /** Return a list of all the configured bridges, as bridge_info_t pointers. */
134 const smartlist_t *
136 {
137  if (!bridge_list)
139  return bridge_list;
140 }
141 
142 /**
143  * Given a <b>bridge</b>, return a pointer to its RSA identity digest, or
144  * NULL if we don't know one for it.
145  */
146 const uint8_t *
148 {
149  tor_assert(bridge);
150  if (tor_digest_is_zero(bridge->identity))
151  return NULL;
152  else
153  return (const uint8_t *) bridge->identity;
154 }
155 
156 /**
157  * Given a <b>bridge</b>, return a pointer to its configured addr:port
158  * combination.
159  */
160 const tor_addr_port_t *
162 {
163  tor_assert(bridge);
164  return &bridge->addrport_configured;
165 }
166 
167 /**
168  * Given a <b>bridge</b>, return the transport name. If none were configured,
169  * NULL is returned.
170  */
171 const char *
173 {
174  tor_assert(bridge);
175  return bridge->transport_name;
176 }
177 
178 /**
179  * Return true if @a bridge has a transport name for which we don't actually
180  * know a transport.
181  */
182 bool
184 {
185  const char *tname = bridget_get_transport_name(bridge);
186  return tname && transport_get_by_name(tname) == NULL;
187 }
188 
189 /** If we have a bridge configured whose digest matches <b>digest</b>, or a
190  * bridge with no known digest whose address matches any of the
191  * tor_addr_port_t's in <b>orports</b>, return that bridge. Else return
192  * NULL. */
195  const smartlist_t *orports)
196 {
197  if (!bridge_list)
198  return NULL;
200  {
201  if (tor_digest_is_zero(bridge->identity)) {
203  {
204  if (tor_addr_compare(&bridge->addr, &ap->addr, CMP_EXACT) == 0 &&
205  bridge->port == ap->port)
206  return bridge;
207  }
208  SMARTLIST_FOREACH_END(ap);
209  }
210  if (digest && tor_memeq(bridge->identity, digest, DIGEST_LEN))
211  return bridge;
212  }
213  SMARTLIST_FOREACH_END(bridge);
214  return NULL;
215 }
216 
217 /** If we have a bridge configured whose digest matches <b>digest</b>, or a
218  * bridge with no known digest whose address matches <b>addr</b>:<b>port</b>,
219  * return that bridge. Else return NULL. If <b>digest</b> is NULL, check for
220  * address/port matches only. */
223  uint16_t port,
224  const char *digest)
225 {
226  if (!bridge_list)
227  return NULL;
229  {
230  if ((tor_digest_is_zero(bridge->identity) || digest == NULL) &&
231  !tor_addr_compare(&bridge->addr, addr, CMP_EXACT) &&
232  bridge->port == port)
233  return bridge;
234  if (digest && tor_memeq(bridge->identity, digest, DIGEST_LEN))
235  return bridge;
236  }
237  SMARTLIST_FOREACH_END(bridge);
238  return NULL;
239 }
240 
241 /**
242  * As get_configured_bridge_by_addr_port, but require that the
243  * address match <b>addr</b>:<b>port</b>, and that the ID digest match
244  * <b>digest</b>. (The other function will ignore the address if the
245  * digest matches.)
246  */
249  uint16_t port,
250  const char *digest)
251 {
252  if (!bridge_list)
253  return NULL;
255  if (!tor_addr_compare(&bridge->addr, addr, CMP_EXACT) &&
256  bridge->port == port) {
257 
258  if (digest && tor_memeq(bridge->identity, digest, DIGEST_LEN))
259  return bridge;
260  else if (!digest || tor_digest_is_zero(bridge->identity))
261  return bridge;
262  }
263 
264  } SMARTLIST_FOREACH_END(bridge);
265  return NULL;
266 }
267 
268 /** If we have a bridge configured whose digest matches <b>digest</b>, or a
269  * bridge with no known digest whose address matches <b>addr</b>:<b>port</b>,
270  * return 1. Else return 0. If <b>digest</b> is NULL, check for
271  * address/port matches only. */
272 int
274  uint16_t port,
275  const char *digest)
276 {
277  tor_assert(addr);
278  return get_configured_bridge_by_addr_port_digest(addr, port, digest) ? 1 : 0;
279 }
280 
281 /** If we have a bridge configured whose digest matches
282  * <b>ei->identity_digest</b>, or a bridge with no known digest whose address
283  * matches <b>ei->addr</b>:<b>ei->port</b>, return 1. Else return 0.
284  * If <b>ei->onion_key</b> is NULL, check for address/port matches only.
285  *
286  * Note that if the extend_info_t contains multiple addresses, we return true
287  * only if _every_ address is a bridge.
288  */
289 int
291 {
292  const char *digest = ei->onion_key ? ei->identity_digest : NULL;
293  const tor_addr_port_t *ap1 = NULL, *ap2 = NULL;
294  if (! tor_addr_is_null(&ei->orports[0].addr))
295  ap1 = &ei->orports[0];
296  if (! tor_addr_is_null(&ei->orports[1].addr))
297  ap2 = &ei->orports[1];
298  IF_BUG_ONCE(ap1 == NULL) {
299  return 0;
300  }
301  return addr_is_a_configured_bridge(&ap1->addr, ap1->port, digest) &&
302  (ap2 == NULL ||
303  addr_is_a_configured_bridge(&ap2->addr, ap2->port, digest));
304 }
305 
306 /** Wrapper around get_configured_bridge_by_addr_port_digest() to look
307  * it up via router descriptor <b>ri</b>. */
308 static bridge_info_t *
310 {
311  bridge_info_t *bi = NULL;
312  smartlist_t *orports = router_get_all_orports(ri);
314  orports);
315  SMARTLIST_FOREACH(orports, tor_addr_port_t *, p, tor_free(p));
316  smartlist_free(orports);
317  return bi;
318 }
319 
320 /** Return 1 if <b>ri</b> is one of our known bridges, else 0. */
321 int
323 {
324  return get_configured_bridge_by_routerinfo(ri) ? 1 : 0;
325 }
326 
327 /**
328  * Return 1 iff <b>bridge_list</b> contains entry matching given
329  * <b>addr</b> and <b>port</b> (and no identity digest) OR
330  * it contains an entry whose identity matches <b>digest</b>.
331  * Otherwise, return 0.
332  */
333 static int
335  const uint16_t port,
336  const char *digest)
337 {
338  if (!tor_addr_port_is_valid(addr, port, 0))
339  return 0;
340 
341  bridge_info_t *bridge =
342  get_configured_bridge_by_addr_port_digest(addr, port, digest);
343 
344  return (bridge != NULL);
345 }
346 
347 /** Return 1 if <b>node</b> is one of our configured bridges, else 0.
348  * More specifically, return 1 iff: a bridge_info_t object exists in
349  * <b>bridge_list</b> such that: 1) It's identity is equal to node
350  * identity OR 2) It's identity digest is zero, but it matches
351  * address and port of any ORPort in the node.
352  */
353 int
355 {
356  /* First, let's try searching for a bridge with matching identity. */
357  if (BUG(fast_mem_is_zero(node->identity, DIGEST_LEN)))
358  return 0;
359 
360  if (find_bridge_by_digest(node->identity) != NULL)
361  return 1;
362 
363  /* At this point, we have established that no bridge exists with
364  * matching identity digest. However, we still pass it into
365  * bridge_exists_* functions because we want further code to
366  * check for absence of identity digest in a bridge.
367  */
368  if (node->ri) {
370  node->ri->ipv4_orport,
371  node->identity))
372  return 1;
373 
375  node->ri->ipv6_orport,
376  node->identity))
377  return 1;
378  } else if (node->rs) {
379  if (bridge_exists_with_addr_and_port(&node->rs->ipv4_addr,
380  node->rs->ipv4_orport,
381  node->identity))
382  return 1;
383 
385  node->rs->ipv6_orport,
386  node->identity))
387  return 1;
388  } else if (node->md) {
390  node->md->ipv6_orport,
391  node->identity))
392  return 1;
393  }
394 
395  return 0;
396 }
397 
398 /** We made a connection to a router at <b>addr</b>:<b>port</b>
399  * without knowing its digest. Its digest turned out to be <b>digest</b>.
400  * If it was a bridge, and we still don't know its digest, record it.
401  */
402 void
403 learned_router_identity(const tor_addr_t *addr, uint16_t port,
404  const char *digest,
405  const ed25519_public_key_t *ed_id)
406 {
407  // XXXX prop220 use ed_id here, once there is some way to specify
408  (void)ed_id;
409  int learned = 0;
410  bridge_info_t *bridge =
412  if (bridge && tor_digest_is_zero(bridge->identity)) {
413  memcpy(bridge->identity, digest, DIGEST_LEN);
414  learned = 1;
415  }
416  /* XXXX prop220 remember bridge ed25519 identities -- add a field */
417 #if 0
418  if (bridge && ed_id &&
419  ed25519_public_key_is_zero(&bridge->ed25519_identity) &&
420  !ed25519_public_key_is_zero(ed_id)) {
421  memcpy(&bridge->ed25519_identity, ed_id, sizeof(*ed_id));
422  learned = 1;
423  }
424 #endif /* 0 */
425  if (learned) {
426  char *transport_info = NULL;
427  const char *transport_name =
429  if (transport_name)
430  tor_asprintf(&transport_info, " (with transport '%s')", transport_name);
431 
432  // XXXX prop220 log both fingerprints.
433  log_notice(LD_DIR, "Learned fingerprint %s for bridge %s%s.",
434  hex_str(digest, DIGEST_LEN), fmt_addrport(addr, port),
435  transport_info ? transport_info : "");
436  tor_free(transport_info);
438  (const uint8_t *)digest);
439  }
440 }
441 
442 /** Return true if <b>bridge</b> has the same identity digest as
443  * <b>digest</b>. If <b>digest</b> is NULL, it matches
444  * bridges with unspecified identity digests. */
445 static int
446 bridge_has_digest(const bridge_info_t *bridge, const char *digest)
447 {
448  if (digest)
449  return tor_memeq(digest, bridge->identity, DIGEST_LEN);
450  else
451  return tor_digest_is_zero(bridge->identity);
452 }
453 
454 /** We are about to add a new bridge at <b>addr</b>:<b>port</b>, with optional
455  * <b>digest</b> and <b>transport_name</b>. Mark for removal any previously
456  * existing bridge with the same address and port, and warn the user as
457  * appropriate.
458  */
459 STATIC void
460 bridge_resolve_conflicts(const tor_addr_t *addr, uint16_t port,
461  const char *digest, const char *transport_name)
462 {
463  /* Iterate the already-registered bridge list:
464 
465  If you find a bridge with the same address and port, mark it for
466  removal. It doesn't make sense to have two active bridges with
467  the same IP:PORT. If the bridge in question has a different
468  digest or transport than <b>digest</b>/<b>transport_name</b>,
469  it's probably a misconfiguration and we should warn the user.
470  */
472  if (bridge->marked_for_removal)
473  continue;
474 
475  if (tor_addr_eq(&bridge->addr, addr) && (bridge->port == port)) {
476 
477  bridge->marked_for_removal = 1;
478 
479  if (!bridge_has_digest(bridge, digest) ||
480  strcmp_opt(bridge->transport_name, transport_name)) {
481  /* warn the user */
482  char *bridge_description_new, *bridge_description_old;
483  tor_asprintf(&bridge_description_new, "%s:%s:%s",
484  fmt_addrport(addr, port),
485  digest ? hex_str(digest, DIGEST_LEN) : "",
486  transport_name ? transport_name : "");
487  tor_asprintf(&bridge_description_old, "%s:%s:%s",
488  fmt_addrport(&bridge->addr, bridge->port),
489  tor_digest_is_zero(bridge->identity) ?
490  "" : hex_str(bridge->identity,DIGEST_LEN),
491  bridge->transport_name ? bridge->transport_name : "");
492 
493  log_warn(LD_GENERAL,"Tried to add bridge '%s', but we found a conflict"
494  " with the already registered bridge '%s'. We will discard"
495  " the old bridge and keep '%s'. If this is not what you"
496  " wanted, please change your configuration file accordingly.",
497  bridge_description_new, bridge_description_old,
498  bridge_description_new);
499 
500  tor_free(bridge_description_new);
501  tor_free(bridge_description_old);
502  }
503  }
504  } SMARTLIST_FOREACH_END(bridge);
505 }
506 
507 /** Return True if we have a bridge that uses a transport with name
508  * <b>transport_name</b>. */
509 MOCK_IMPL(int,
510 transport_is_needed, (const char *transport_name))
511 {
512  if (!bridge_list)
513  return 0;
514 
516  if (bridge->transport_name &&
517  !strcmp(bridge->transport_name, transport_name))
518  return 1;
519  } SMARTLIST_FOREACH_END(bridge);
520 
521  return 0;
522 }
523 
524 /** Register the bridge information in <b>bridge_line</b> to the
525  * bridge subsystem. Steals reference of <b>bridge_line</b>. */
526 void
528 {
529  bridge_info_t *b;
530 
531  // XXXX prop220 add a way to specify ed25519 ID to bridge_line_t.
532 
533  { /* Log the bridge we are about to register: */
534  log_debug(LD_GENERAL, "Registering bridge at %s (transport: %s) (%s)",
535  fmt_addrport(&bridge_line->addr, bridge_line->port),
536  bridge_line->transport_name ?
537  bridge_line->transport_name : "no transport",
538  tor_digest_is_zero(bridge_line->digest) ?
539  "no key listed" : hex_str(bridge_line->digest, DIGEST_LEN));
540 
541  if (bridge_line->socks_args) { /* print socks arguments */
542  int i = 0;
543 
544  tor_assert(smartlist_len(bridge_line->socks_args) > 0);
545 
546  log_debug(LD_GENERAL, "Bridge uses %d SOCKS arguments:",
547  smartlist_len(bridge_line->socks_args));
548  SMARTLIST_FOREACH(bridge_line->socks_args, const char *, arg,
549  log_debug(LD_CONFIG, "%d: %s", ++i, arg));
550  }
551  }
552 
553  bridge_resolve_conflicts(&bridge_line->addr,
554  bridge_line->port,
555  bridge_line->digest,
556  bridge_line->transport_name);
557 
558  b = tor_malloc_zero(sizeof(bridge_info_t));
559  tor_addr_copy(&b->addrport_configured.addr, &bridge_line->addr);
560  b->addrport_configured.port = bridge_line->port;
561  tor_addr_copy(&b->addr, &bridge_line->addr);
562  b->port = bridge_line->port;
563  memcpy(b->identity, bridge_line->digest, DIGEST_LEN);
564  if (bridge_line->transport_name)
565  b->transport_name = bridge_line->transport_name;
566  b->fetch_status.schedule = DL_SCHED_BRIDGE;
567  b->fetch_status.increment_on = DL_SCHED_INCREMENT_ATTEMPT;
568  /* We can't reset the bridge's download status here, because UseBridges
569  * might be 0 now, and it might be changed to 1 much later. */
570  b->socks_args = bridge_line->socks_args;
571  if (!bridge_list)
573 
574  tor_free(bridge_line); /* Deallocate bridge_line now. */
575 
577 }
578 
579 /** If <b>digest</b> is one of our known bridges, return it. */
581 find_bridge_by_digest(const char *digest)
582 {
583  if (! bridge_list)
584  return NULL;
586  {
587  if (tor_memeq(bridge->identity, digest, DIGEST_LEN))
588  return bridge;
589  });
590  return NULL;
591 }
592 
593 /** Given the <b>addr</b> and <b>port</b> of a bridge, if that bridge
594  * supports a pluggable transport, return its name. Otherwise, return
595  * NULL. */
596 const char *
598 {
599  if (!bridge_list)
600  return NULL;
601 
603  if (tor_addr_eq(&bridge->addr, addr) &&
604  (bridge->port == port))
605  return bridge->transport_name;
606  } SMARTLIST_FOREACH_END(bridge);
607 
608  return NULL;
609 }
610 
611 /** If <b>addr</b> and <b>port</b> match the address and port of a
612  * bridge of ours that uses pluggable transports, place its transport
613  * in <b>transport</b>.
614  *
615  * Return 0 on success (found a transport, or found a bridge with no
616  * transport, or found no bridge); return -1 if we should be using a
617  * transport, but the transport could not be found.
618  */
619 int
620 get_transport_by_bridge_addrport(const tor_addr_t *addr, uint16_t port,
621  const transport_t **transport)
622 {
623  *transport = NULL;
624  if (!bridge_list)
625  return 0;
626 
628  if (tor_addr_eq(&bridge->addr, addr) &&
629  (bridge->port == port)) { /* bridge matched */
630  if (bridge->transport_name) { /* it also uses pluggable transports */
631  *transport = transport_get_by_name(bridge->transport_name);
632  if (*transport == NULL) { /* it uses pluggable transports, but
633  the transport could not be found! */
634  return -1;
635  }
636  return 0;
637  } else { /* bridge matched, but it doesn't use transports. */
638  break;
639  }
640  }
641  } SMARTLIST_FOREACH_END(bridge);
642 
643  *transport = NULL;
644  return 0;
645 }
646 
647 /** Return a smartlist containing all the SOCKS arguments that we
648  * should pass to the SOCKS proxy. */
649 const smartlist_t *
651 {
653  port,
654  NULL);
655  return bridge ? bridge->socks_args : NULL;
656 }
657 
658 /** We need to ask <b>bridge</b> for its server descriptor. */
659 static void
661 {
662  const or_options_t *options = get_options();
663  circuit_guard_state_t *guard_state = NULL;
664 
666  CONN_TYPE_DIR, &bridge->addr, bridge->port,
668  return; /* it's already on the way */
669 
670  if (bridge_has_invalid_transport(bridge)) {
672  log_warn(LD_CONFIG, "Can't use bridge at %s: there is no configured "
673  "transport called \"%s\".",
674  safe_str_client(fmt_and_decorate_addr(&bridge->addr)),
676  return; /* Can't use this bridge; it has not */
677  }
678 
679  if (routerset_contains_bridge(options->ExcludeNodes, bridge)) {
681  log_warn(LD_APP, "Not using bridge at %s: it is in ExcludeNodes.",
682  safe_str_client(fmt_and_decorate_addr(&bridge->addr)));
683  return;
684  }
685 
686  /* Until we get a descriptor for the bridge, we only know one address for
687  * it. */
688  if (!reachable_addr_allows_addr(&bridge->addr, bridge->port,
689  FIREWALL_OR_CONNECTION, 0, 0)) {
690  log_notice(LD_CONFIG, "Tried to fetch a descriptor directly from a "
691  "bridge, but that bridge is not reachable through our "
692  "firewall.");
693  return;
694  }
695 
696  /* If we already have a node_t for this bridge, rewrite its address now. */
697  node_t *node = node_get_mutable_by_id(bridge->identity);
698  if (node) {
699  rewrite_node_address_for_bridge(bridge, node);
700  }
701 
702  tor_addr_port_t bridge_addrport;
703  memcpy(&bridge_addrport.addr, &bridge->addr, sizeof(tor_addr_t));
704  bridge_addrport.port = bridge->port;
705 
706  guard_state = get_guard_state_for_bridge_desc_fetch(bridge->identity);
707 
708  directory_request_t *req =
710  directory_request_set_or_addr_port(req, &bridge_addrport);
713  directory_request_set_resource(req, "authority.z");
714  if (guard_state) {
715  directory_request_set_guard_state(req, guard_state);
716  }
718  directory_request_free(req);
719 }
720 
721 /** Fetching the bridge descriptor from the bridge authority returned a
722  * "not found". Fall back to trying a direct fetch. */
723 void
725 {
726  bridge_info_t *bridge = find_bridge_by_digest(digest);
727  if (!bridge)
728  return; /* not found? oh well. */
729 
731 }
732 
733 /** For each bridge in our list for which we don't currently have a
734  * descriptor, fetch a new copy of its descriptor -- either directly
735  * from the bridge or via a bridge authority. */
736 void
737 fetch_bridge_descriptors(const or_options_t *options, time_t now)
738 {
739  int num_bridge_auths = get_n_authorities(BRIDGE_DIRINFO);
740  int ask_bridge_directly;
741  int can_use_bridge_authority;
742 
743  if (!bridge_list)
744  return;
745 
746  /* If we still have unconfigured managed proxies, don't go and
747  connect to a bridge. */
749  return;
750 
752  {
753  /* This resets the download status on first use */
754  if (!download_status_is_ready(&bridge->fetch_status, now))
755  continue; /* don't bother, no need to retry yet */
756  if (routerset_contains_bridge(options->ExcludeNodes, bridge)) {
757  download_status_mark_impossible(&bridge->fetch_status);
758  log_warn(LD_APP, "Not using bridge at %s: it is in ExcludeNodes.",
759  safe_str_client(fmt_and_decorate_addr(&bridge->addr)));
760  continue;
761  }
762 
763  /* schedule the next attempt
764  * we can't increment after a failure, because sometimes we use the
765  * bridge authority, and sometimes we use the bridge direct */
767  &bridge->fetch_status,
768  safe_str_client(fmt_and_decorate_addr(&bridge->addr)),
769  now);
770 
771  can_use_bridge_authority = !tor_digest_is_zero(bridge->identity) &&
772  num_bridge_auths;
773  ask_bridge_directly = !can_use_bridge_authority ||
774  !options->UpdateBridgesFromAuthority;
775  log_debug(LD_DIR, "ask_bridge_directly=%d (%d, %d, %d)",
776  ask_bridge_directly, tor_digest_is_zero(bridge->identity),
777  !options->UpdateBridgesFromAuthority, !num_bridge_auths);
778 
779  if (ask_bridge_directly &&
780  !reachable_addr_allows_addr(&bridge->addr, bridge->port,
781  FIREWALL_OR_CONNECTION, 0,
782  0)) {
783  log_notice(LD_DIR, "Bridge at '%s' isn't reachable by our "
784  "firewall policy. %s.",
785  fmt_addrport(&bridge->addr, bridge->port),
786  can_use_bridge_authority ?
787  "Asking bridge authority instead" : "Skipping");
788  if (can_use_bridge_authority)
789  ask_bridge_directly = 0;
790  else
791  continue;
792  }
793 
794  if (ask_bridge_directly) {
795  /* we need to ask the bridge itself for its descriptor. */
797  } else {
798  /* We have a digest and we want to ask an authority. We could
799  * combine all the requests into one, but that may give more
800  * hints to the bridge authority than we want to give. */
801  char resource[10 + HEX_DIGEST_LEN];
802  memcpy(resource, "fp/", 3);
803  base16_encode(resource+3, HEX_DIGEST_LEN+1,
804  bridge->identity, DIGEST_LEN);
805  memcpy(resource+3+HEX_DIGEST_LEN, ".z", 3);
806  log_info(LD_DIR, "Fetching bridge info '%s' from bridge authority.",
807  resource);
809  ROUTER_PURPOSE_BRIDGE, resource, 0, DL_WANT_AUTHORITY);
810  }
811  }
812  SMARTLIST_FOREACH_END(bridge);
813 }
814 
815 /** If our <b>bridge</b> is configured to be a different address than
816  * the bridge gives in <b>node</b>, rewrite the routerinfo
817  * we received to use the address we meant to use. Now we handle
818  * multihomed bridges better.
819  */
820 static void
822 {
823  /* XXXX move this function. */
824  /* XXXX overridden addresses should really live in the node_t, so that the
825  * routerinfo_t and the microdesc_t can be immutable. But we can only
826  * do that safely if we know that no function that connects to an OR
827  * does so through an address from any source other than node_get_addr().
828  */
829  const or_options_t *options = get_options();
830 
831  if (node->ri) {
832  routerinfo_t *ri = node->ri;
833  if ((!tor_addr_compare(&bridge->addr, &ri->ipv4_addr, CMP_EXACT) &&
834  bridge->port == ri->ipv4_orport) ||
835  (!tor_addr_compare(&bridge->addr, &ri->ipv6_addr, CMP_EXACT) &&
836  bridge->port == ri->ipv6_orport)) {
837  /* they match, so no need to do anything */
838  } else {
839  if (tor_addr_family(&bridge->addr) == AF_INET) {
840  tor_addr_copy(&ri->ipv4_addr, &bridge->addr);
841  ri->ipv4_orport = bridge->port;
842  log_info(LD_DIR,
843  "Adjusted bridge routerinfo for '%s' to match configured "
844  "address %s:%d.",
845  ri->nickname, fmt_addr(&ri->ipv4_addr), ri->ipv4_orport);
846  } else if (tor_addr_family(&bridge->addr) == AF_INET6) {
847  tor_addr_copy(&ri->ipv6_addr, &bridge->addr);
848  ri->ipv6_orport = bridge->port;
849  log_info(LD_DIR,
850  "Adjusted bridge routerinfo for '%s' to match configured "
851  "address %s.",
852  ri->nickname, fmt_addrport(&ri->ipv6_addr, ri->ipv6_orport));
853  } else {
854  log_err(LD_BUG, "Address family not supported: %d.",
855  tor_addr_family(&bridge->addr));
856  return;
857  }
858  }
859 
860  if (options->ClientPreferIPv6ORPort == -1) {
861  /* Mark which address to use based on which bridge_t we got. */
862  node->ipv6_preferred = (tor_addr_family(&bridge->addr) == AF_INET6 &&
863  !tor_addr_is_null(&node->ri->ipv6_addr));
864  } else {
865  /* Mark which address to use based on user preference */
867  !tor_addr_is_null(&node->ri->ipv6_addr));
868  }
869 
870  /* XXXipv6 we lack support for falling back to another address for
871  the same relay, warn the user */
872  if (!tor_addr_is_null(&ri->ipv6_addr)) {
873  tor_addr_port_t ap;
874  node_get_pref_orport(node, &ap);
875  log_notice(LD_CONFIG,
876  "Bridge '%s' has both an IPv4 and an IPv6 address. "
877  "Will prefer using its %s address (%s) based on %s.",
878  ri->nickname,
879  node->ipv6_preferred ? "IPv6" : "IPv4",
880  fmt_addrport(&ap.addr, ap.port),
881  options->ClientPreferIPv6ORPort == -1 ?
882  "the configured Bridge address" :
883  "ClientPreferIPv6ORPort");
884  }
885  }
886  if (node->rs) {
887  routerstatus_t *rs = node->rs;
888 
889  if ((!tor_addr_compare(&bridge->addr, &rs->ipv4_addr, CMP_EXACT) &&
890  bridge->port == rs->ipv4_orport) ||
891  (!tor_addr_compare(&bridge->addr, &rs->ipv6_addr, CMP_EXACT) &&
892  bridge->port == rs->ipv6_orport)) {
893  /* they match, so no need to do anything */
894  } else {
895  if (tor_addr_family(&bridge->addr) == AF_INET) {
896  tor_addr_copy(&rs->ipv4_addr, &bridge->addr);
897  rs->ipv4_orport = bridge->port;
898  log_info(LD_DIR,
899  "Adjusted bridge routerstatus for '%s' to match "
900  "configured address %s.",
901  rs->nickname, fmt_addrport(&bridge->addr, rs->ipv4_orport));
902  /* set IPv6 preferences even if there is no ri */
903  } else if (tor_addr_family(&bridge->addr) == AF_INET6) {
904  tor_addr_copy(&rs->ipv6_addr, &bridge->addr);
905  rs->ipv6_orport = bridge->port;
906  log_info(LD_DIR,
907  "Adjusted bridge routerstatus for '%s' to match configured"
908  " address %s.",
909  rs->nickname, fmt_addrport(&rs->ipv6_addr, rs->ipv6_orport));
910  } else {
911  log_err(LD_BUG, "Address family not supported: %d.",
912  tor_addr_family(&bridge->addr));
913  return;
914  }
915  }
916 
917  if (options->ClientPreferIPv6ORPort == -1) {
918  /* Mark which address to use based on which bridge_t we got. */
919  node->ipv6_preferred = (tor_addr_family(&bridge->addr) == AF_INET6 &&
920  !tor_addr_is_null(&node->rs->ipv6_addr));
921  } else {
922  /* Mark which address to use based on user preference */
924  !tor_addr_is_null(&node->rs->ipv6_addr));
925  }
926 
927  /* XXXipv6 we lack support for falling back to another address for
928  the same relay, warn the user */
929  if (!tor_addr_is_null(&rs->ipv6_addr)) {
930  tor_addr_port_t ap;
931  node_get_pref_orport(node, &ap);
932  log_notice(LD_CONFIG,
933  "Bridge '%s' has both an IPv4 and an IPv6 address. "
934  "Will prefer using its %s address (%s) based on %s.",
935  rs->nickname,
936  node->ipv6_preferred ? "IPv6" : "IPv4",
937  fmt_addrport(&ap.addr, ap.port),
938  options->ClientPreferIPv6ORPort == -1 ?
939  "the configured Bridge address" :
940  "ClientPreferIPv6ORPort");
941  }
942  }
943 }
944 
945 /** We just learned a descriptor for a bridge. See if that
946  * digest is in our entry guard list, and add it if not. */
947 void
949 {
950  tor_assert(ri);
952  if (get_options()->UseBridges) {
953  /* Retry directory downloads whenever we get a bridge descriptor:
954  * - when bootstrapping, and
955  * - when we aren't sure if any of our bridges are reachable.
956  * Keep on retrying until we have at least one reachable bridge. */
957  int first = num_bridges_usable(0) < 1;
959  time_t now = time(NULL);
960  router_set_status(ri->cache_info.identity_digest, 1);
961 
962  if (bridge) { /* if we actually want to use this one */
963  node_t *node;
964  /* it's here; schedule its re-fetch for a long time from now. */
965  if (!from_cache) {
966  /* This schedules the re-fetch at a constant interval, which produces
967  * a pattern of bridge traffic. But it's better than trying all
968  * configured bridges several times in the first few minutes. */
970  }
971 
972  node = node_get_mutable_by_id(ri->cache_info.identity_digest);
973  tor_assert(node);
974  rewrite_node_address_for_bridge(bridge, node);
975  if (tor_digest_is_zero(bridge->identity)) {
976  memcpy(bridge->identity,ri->cache_info.identity_digest, DIGEST_LEN);
977  log_notice(LD_DIR, "Learned identity %s for bridge at %s:%d",
978  hex_str(bridge->identity, DIGEST_LEN),
979  fmt_and_decorate_addr(&bridge->addr),
980  (int) bridge->port);
981  }
983  (const uint8_t*)ri->cache_info.identity_digest);
984 
985  log_notice(LD_DIR, "new bridge descriptor '%s' (%s): %s", ri->nickname,
986  from_cache ? "cached" : "fresh", router_describe(ri));
987  /* If we didn't have a reachable bridge before this one, try directory
988  * documents again. */
989  if (first) {
991  }
992  }
993  }
994 }
995 
996 /** Return a smartlist containing all bridge identity digests */
999 {
1000  smartlist_t *result = NULL;
1001  char *digest_tmp;
1002 
1003  if (get_options()->UseBridges && bridge_list) {
1004  result = smartlist_new();
1005 
1007  digest_tmp = tor_malloc(DIGEST_LEN);
1008  memcpy(digest_tmp, b->identity, DIGEST_LEN);
1009  smartlist_add(result, digest_tmp);
1010  } SMARTLIST_FOREACH_END(b);
1011  }
1012 
1013  return result;
1014 }
1015 
1016 /** Get the download status for a bridge descriptor given its identity */
1018 get_bridge_dl_status_by_id, (const char *digest))
1019 {
1020  download_status_t *dl = NULL;
1021 
1022  if (digest && get_options()->UseBridges && bridge_list) {
1024  if (tor_memeq(digest, b->identity, DIGEST_LEN)) {
1025  dl = &(b->fetch_status);
1026  break;
1027  }
1028  } SMARTLIST_FOREACH_END(b);
1029  }
1030 
1031  return dl;
1032 }
1033 
1034 /** Release all storage held in bridges.c */
1035 void
1037 {
1039  smartlist_free(bridge_list);
1040  bridge_list = NULL;
1041 }
void tor_addr_copy(tor_addr_t *dest, const tor_addr_t *src)
Definition: address.c:933
const char * fmt_addrport(const tor_addr_t *addr, uint16_t port)
Definition: address.c:1199
int tor_addr_compare(const tor_addr_t *addr1, const tor_addr_t *addr2, tor_addr_comparison_t how)
Definition: address.c:984
int tor_addr_is_null(const tor_addr_t *addr)
Definition: address.c:780
#define fmt_and_decorate_addr(a)
Definition: address.h:243
static sa_family_t tor_addr_family(const tor_addr_t *a)
Definition: address.h:187
#define fmt_addr(a)
Definition: address.h:239
#define tor_addr_eq(a, b)
Definition: address.h:280
const char * hex_str(const char *from, size_t fromlen)
Definition: binascii.c:34
void base16_encode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:478
const char * find_transport_name_by_bridge_addrport(const tor_addr_t *addr, uint16_t port)
Definition: bridges.c:597
static void rewrite_node_address_for_bridge(const bridge_info_t *bridge, node_t *node)
Definition: bridges.c:821
void mark_bridge_list(void)
Definition: bridges.c:84
int routerinfo_is_a_configured_bridge(const routerinfo_t *ri)
Definition: bridges.c:322
STATIC void bridge_resolve_conflicts(const tor_addr_t *addr, uint16_t port, const char *digest, const char *transport_name)
Definition: bridges.c:460
int addr_is_a_configured_bridge(const tor_addr_t *addr, uint16_t port, const char *digest)
Definition: bridges.c:273
static void bridge_free_(bridge_info_t *bridge)
Definition: bridges.c:119
void learned_router_identity(const tor_addr_t *addr, uint16_t port, const char *digest, const ed25519_public_key_t *ed_id)
Definition: bridges.c:403
void sweep_bridge_list(void)
Definition: bridges.c:95
STATIC void clear_bridge_list(void)
Definition: bridges.c:109
int transport_is_needed(const char *transport_name)
Definition: bridges.c:510
void bridge_add_from_config(bridge_line_t *bridge_line)
Definition: bridges.c:527
static void launch_direct_bridge_descriptor_fetch(bridge_info_t *bridge)
Definition: bridges.c:660
const smartlist_t * get_socks_args_by_bridge_addrport(const tor_addr_t *addr, uint16_t port)
Definition: bridges.c:650
const char * bridget_get_transport_name(const bridge_info_t *bridge)
Definition: bridges.c:172
STATIC bridge_info_t * get_configured_bridge_by_orports_digest(const char *digest, const smartlist_t *orports)
Definition: bridges.c:194
int extend_info_is_a_configured_bridge(const extend_info_t *ei)
Definition: bridges.c:290
STATIC bridge_info_t * find_bridge_by_digest(const char *digest)
Definition: bridges.c:581
bridge_info_t * get_configured_bridge_by_exact_addr_port_digest(const tor_addr_t *addr, uint16_t port, const char *digest)
Definition: bridges.c:248
int node_is_a_configured_bridge(const node_t *node)
Definition: bridges.c:354
const tor_addr_port_t * bridge_get_addr_port(const bridge_info_t *bridge)
Definition: bridges.c:161
void fetch_bridge_descriptors(const or_options_t *options, time_t now)
Definition: bridges.c:737
smartlist_t * list_bridge_identities(void)
Definition: bridges.c:998
static bridge_info_t * get_configured_bridge_by_routerinfo(const routerinfo_t *ri)
Definition: bridges.c:309
const uint8_t * bridge_get_rsa_id_digest(const bridge_info_t *bridge)
Definition: bridges.c:147
download_status_t * get_bridge_dl_status_by_id(const char *digest)
Definition: bridges.c:1018
void bridges_free_all(void)
Definition: bridges.c:1036
int get_transport_by_bridge_addrport(const tor_addr_t *addr, uint16_t port, const transport_t **transport)
Definition: bridges.c:620
bridge_info_t * get_configured_bridge_by_addr_port_digest(const tor_addr_t *addr, uint16_t port, const char *digest)
Definition: bridges.c:222
static int bridge_exists_with_addr_and_port(const tor_addr_t *addr, const uint16_t port, const char *digest)
Definition: bridges.c:334
static smartlist_t * bridge_list
Definition: bridges.c:79
const smartlist_t * bridge_list_get(void)
Definition: bridges.c:135
void retry_bridge_descriptor_fetch_directly(const char *digest)
Definition: bridges.c:724
static int bridge_has_digest(const bridge_info_t *bridge, const char *digest)
Definition: bridges.c:446
void learned_bridge_descriptor(routerinfo_t *ri, int from_cache)
Definition: bridges.c:948
bool bridge_has_invalid_transport(const bridge_info_t *bridge)
Definition: bridges.c:183
Header file for circuitbuild.c.
Header file for circuitbuild.c.
const or_options_t * get_options(void)
Definition: config.c:919
Header file for config.c.
connection_t * connection_get_by_type_addr_port_purpose(int type, const tor_addr_t *addr, uint16_t port, int purpose)
Definition: connection.c:4797
Header file for connection.c.
#define CONN_TYPE_DIR
Definition: connection.h:55
#define HEX_DIGEST_LEN
Definition: crypto_digest.h:35
int ed25519_public_key_is_zero(const ed25519_public_key_t *pubkey)
const char * router_describe(const routerinfo_t *ri)
Definition: describe.c:137
Header file for describe.c.
int tor_memeq(const void *a, const void *b, size_t sz)
Definition: di_ops.c:107
#define DIGEST_LEN
Definition: digest_sizes.h:20
void directory_request_set_resource(directory_request_t *req, const char *resource)
Definition: dirclient.c:1015
void directory_request_set_or_addr_port(directory_request_t *req, const tor_addr_port_t *p)
Definition: dirclient.c:953
void directory_request_set_guard_state(directory_request_t *req, circuit_guard_state_t *state)
Definition: dirclient.c:1092
directory_request_t * directory_request_new(uint8_t dir_purpose)
Definition: dirclient.c:919
void directory_request_set_router_purpose(directory_request_t *req, uint8_t router_purpose)
Definition: dirclient.c:986
void directory_get_from_dirserver(uint8_t dir_purpose, uint8_t router_purpose, const char *resource, int pds_flags, download_want_authority_t want_authority)
Definition: dirclient.c:448
void directory_request_set_directory_id_digest(directory_request_t *req, const char *digest)
Definition: dirclient.c:974
void directory_initiate_request(directory_request_t *request)
Definition: dirclient.c:1222
Header file for dirclient.c.
struct directory_request_t directory_request_t
Definition: dirclient.h:52
Header file for directory.c.
#define DIR_PURPOSE_FETCH_SERVERDESC
Definition: directory.h:36
int get_n_authorities(dirinfo_type_t type)
Definition: dirlist.c:103
Header file for dirlist.c.
int download_status_is_ready(download_status_t *dls, time_t now)
Definition: dlstatus.c:381
time_t download_status_increment_attempt(download_status_t *dls, const char *item, time_t now)
Definition: dlstatus.c:309
void download_status_mark_impossible(download_status_t *dl)
Definition: dlstatus.c:393
void download_status_reset(download_status_t *dls)
Definition: dlstatus.c:364
Header file for dlstatus.c.
void entry_guard_learned_bridge_identity(const tor_addr_port_t *addrport, const uint8_t *rsa_id_digest)
Definition: entrynodes.c:960
int num_bridges_usable(int use_maybe_reachable)
Definition: entrynodes.c:3412
circuit_guard_state_t * get_guard_state_for_bridge_desc_fetch(const char *digest)
Definition: entrynodes.c:3350
Header file for circuitbuild.c.
Extend-info structure.
#define LD_APP
Definition: log.h:78
#define LD_BUG
Definition: log.h:86
#define LD_GENERAL
Definition: log.h:62
#define LD_DIR
Definition: log.h:88
#define LD_CONFIG
Definition: log.h:68
#define tor_free(p)
Definition: malloc.h:52
Microdescriptor structure.
Node information structure.
void node_get_pref_orport(const node_t *node, tor_addr_port_t *ap_out)
Definition: nodelist.c:1842
node_t * node_get_mutable_by_id(const char *identity_digest)
Definition: nodelist.c:197
void router_set_status(const char *digest, int up)
Definition: nodelist.c:2371
Header file for nodelist.c.
Master header file for Tor-specific functionality.
@ BRIDGE_DIRINFO
Definition: or.h:790
int reachable_addr_prefer_ipv6_orport(const or_options_t *options)
Definition: policies.c:487
int reachable_addr_allows_addr(const tor_addr_t *addr, uint16_t port, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:533
Header file for policies.c.
int tor_asprintf(char **strp, const char *fmt,...)
Definition: printf.c:75
smartlist_t * router_get_all_orports(const routerinfo_t *ri)
Definition: routerinfo.c:68
Header file for routerinfo.c.
Router descriptor structure.
#define ROUTER_PURPOSE_BRIDGE
void routerlist_retry_directory_downloads(time_t now)
Definition: routerlist.c:2315
Header file for routerlist.c.
int routerset_contains_bridge(const routerset_t *set, const bridge_info_t *bridge)
Definition: routerset.c:365
Header file for routerset.c.
Routerstatus (consensus entry) structure.
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
#define SMARTLIST_DEL_CURRENT(sl, var)
tor_addr_port_t addrport_configured
Definition: bridges.c:45
char * transport_name
Definition: bridges.c:58
uint16_t port
Definition: bridges.c:49
char identity[DIGEST_LEN]
Definition: bridges.c:55
unsigned marked_for_removal
Definition: bridges.c:52
download_status_t fetch_status
Definition: bridges.c:61
smartlist_t * socks_args
Definition: bridges.c:65
tor_addr_t addr
Definition: bridges.c:47
download_schedule_increment_bitfield_t increment_on
download_schedule_bitfield_t schedule
tor_addr_port_t orports[EXTEND_INFO_MAX_ADDRS]
char identity_digest[DIGEST_LEN]
crypto_pk_t * onion_key
uint16_t ipv6_orport
Definition: microdesc_st.h:81
tor_addr_t ipv6_addr
Definition: microdesc_st.h:79
Definition: node_st.h:34
char identity[DIGEST_LEN]
Definition: node_st.h:46
unsigned int ipv6_preferred
Definition: node_st.h:88
int UpdateBridgesFromAuthority
int ClientPreferIPv6ORPort
struct routerset_t * ExcludeNodes
tor_addr_t ipv6_addr
Definition: routerinfo_st.h:30
tor_addr_t ipv4_addr
Definition: routerinfo_st.h:25
uint8_t purpose
char * nickname
Definition: routerinfo_st.h:22
uint16_t ipv6_orport
tor_addr_t ipv6_addr
char nickname[MAX_NICKNAME_LEN+1]
uint16_t ipv4_orport
char identity_digest[DIGEST_LEN]
#define STATIC
Definition: testsupport.h:32
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
int pt_proxies_configuration_pending(void)
Definition: transports.c:396
transport_t * transport_get_by_name(const char *name)
Definition: transports.c:236
Headers for transports.c.
#define tor_assert(expr)
Definition: util_bug.h:102
#define IF_BUG_ONCE(cond)
Definition: util_bug.h:246
int strcmp_opt(const char *s1, const char *s2)
Definition: util_string.c:197
int fast_mem_is_zero(const char *mem, size_t len)
Definition: util_string.c:74
int tor_digest_is_zero(const char *digest)
Definition: util_string.c:96