Tor  0.4.7.0-alpha-dev
config.c
Go to the documentation of this file.
1 /* Copyright (c) 2001 Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
7 /**
8  * \file config.c
9  * \brief Code to interpret the user's configuration of Tor.
10  *
11  * This module handles torrc configuration file, including parsing it,
12  * combining it with torrc.defaults and the command line, allowing
13  * user changes to it (via editing and SIGHUP or via the control port),
14  * writing it back to disk (because of SAVECONF from the control port),
15  * and -- most importantly, acting on it.
16  *
17  * The module additionally has some tools for manipulating and
18  * inspecting values that are calculated as a result of the
19  * configured options.
20  *
21  * <h3>How to add new options</h3>
22  *
23  * To add new items to the torrc, there are a minimum of three places to edit:
24  * <ul>
25  * <li>The or_options_t structure in or_options_st.h, where the options are
26  * stored.
27  * <li>The option_vars_ array below in this module, which configures
28  * the names of the torrc options, their types, their multiplicities,
29  * and their mappings to fields in or_options_t.
30  * <li>The manual in doc/man/tor.1.txt, to document what the new option
31  * is, and how it works.
32  * </ul>
33  *
34  * Additionally, you might need to edit these places too:
35  * <ul>
36  * <li>options_validate_cb() below, in case you want to reject some possible
37  * values of the new configuration option.
38  * <li>options_transition_allowed() below, in case you need to
39  * forbid some or all changes in the option while Tor is
40  * running.
41  * <li>options_transition_affects_workers(), in case changes in the option
42  * might require Tor to relaunch or reconfigure its worker threads.
43  * (This function is now in the relay module.)
44  * <li>options_transition_affects_descriptor(), in case changes in the
45  * option might require a Tor relay to build and publish a new server
46  * descriptor.
47  * (This function is now in the relay module.)
48  * <li>options_act() and/or options_act_reversible(), in case there's some
49  * action that needs to be taken immediately based on the option's
50  * value.
51  * </ul>
52  *
53  * <h3>Changing the value of an option</h3>
54  *
55  * Because of the SAVECONF command from the control port, it's a bad
56  * idea to change the value of any user-configured option in the
57  * or_options_t. If you want to sometimes do this anyway, we recommend
58  * that you create a secondary field in or_options_t; that you have the
59  * user option linked only to the secondary field; that you use the
60  * secondary field to initialize the one that Tor actually looks at; and that
61  * you use the one Tor looks as the one that you modify.
62  **/
63 
64 #define CONFIG_PRIVATE
65 #include "core/or/or.h"
66 #include "app/config/config.h"
67 #include "lib/confmgt/confmgt.h"
68 #include "app/config/statefile.h"
69 #include "app/main/main.h"
70 #include "app/main/subsysmgr.h"
72 #include "core/mainloop/mainloop.h"
74 #include "core/or/channel.h"
75 #include "core/or/circuitlist.h"
76 #include "core/or/circuitmux.h"
78 #include "core/or/circuitstats.h"
80 #include "core/or/dos.h"
81 #include "core/or/policies.h"
82 #include "core/or/relay.h"
83 #include "core/or/scheduler.h"
85 #include "feature/client/bridges.h"
93 #include "feature/hs/hs_config.h"
101 #include "feature/relay/dns.h"
106 #include "lib/geoip/geoip.h"
108 #include "lib/compress/compress.h"
109 #include "lib/confmgt/structvar.h"
113 #include "lib/encoding/confline.h"
114 #include "lib/net/resolve.h"
115 #include "lib/sandbox/sandbox.h"
116 #include "lib/version/torversion.h"
117 
118 #ifdef ENABLE_NSS
120 #else
122 #endif
123 
124 #ifdef _WIN32
125 #include <shlobj.h>
126 #endif
127 #ifdef HAVE_FCNTL_H
128 #include <fcntl.h>
129 #endif
130 #ifdef HAVE_SYS_STAT_H
131 #include <sys/stat.h>
132 #endif
133 #ifdef HAVE_SYS_PARAM_H
134 #include <sys/param.h>
135 #endif
136 #ifdef HAVE_UNISTD_H
137 #include <unistd.h>
138 #endif
139 
140 #include "lib/meminfo/meminfo.h"
141 #include "lib/osinfo/uname.h"
142 #include "lib/osinfo/libc.h"
143 #include "lib/process/daemon.h"
144 #include "lib/process/pidfile.h"
145 #include "lib/process/restrict.h"
146 #include "lib/process/setuid.h"
147 #include "lib/process/process.h"
148 #include "lib/net/gethostname.h"
149 #include "lib/thread/numcpus.h"
150 
151 #include "lib/encoding/keyval.h"
152 #include "lib/fs/conffile.h"
153 #include "lib/evloop/procmon.h"
154 
157 
158 #include "core/or/connection_st.h"
159 #include "core/or/port_cfg_st.h"
160 
161 #ifdef HAVE_SYSTEMD
162 # if defined(__COVERITY__) && !defined(__INCLUDE_LEVEL__)
163 /* Systemd's use of gcc's __INCLUDE_LEVEL__ extension macro appears to confuse
164  * Coverity. Here's a kludge to unconfuse it.
165  */
166 # define __INCLUDE_LEVEL__ 2
167 #endif /* defined(__COVERITY__) && !defined(__INCLUDE_LEVEL__) */
168 #include <systemd/sd-daemon.h>
169 #endif /* defined(HAVE_SYSTEMD) */
170 
171 /* Prefix used to indicate a Unix socket in a FooPort configuration. */
172 static const char unix_socket_prefix[] = "unix:";
173 /* Prefix used to indicate a Unix socket with spaces in it, in a FooPort
174  * configuration. */
175 static const char unix_q_socket_prefix[] = "unix:\"";
176 
177 /* limits for TCP send and recv buffer size used for constrained sockets */
178 #define MIN_CONSTRAINED_TCP_BUFFER 2048
179 #define MAX_CONSTRAINED_TCP_BUFFER 262144 /* 256k */
180 
181 /** macro to help with the bulk rename of *DownloadSchedule to
182  * *DowloadInitialDelay . */
183 #ifndef COCCI
184 #define DOWNLOAD_SCHEDULE(name) \
185  { (#name "DownloadSchedule"), (#name "DownloadInitialDelay"), 0, 1 }
186 #else
187 #define DOWNLOAD_SCHEDULE(name) { NULL, NULL, 0, 1 }
188 #endif /* !defined(COCCI) */
189 
190 /** A list of abbreviations and aliases to map command-line options, obsolete
191  * option names, or alternative option names, to their current values. */
193  PLURAL(AuthDirBadDirCC),
194  PLURAL(AuthDirBadExitCC),
195  PLURAL(AuthDirInvalidCC),
196  PLURAL(AuthDirRejectCC),
197  PLURAL(EntryNode),
198  PLURAL(ExcludeNode),
199  PLURAL(FirewallPort),
200  PLURAL(LongLivedPort),
201  PLURAL(HiddenServiceNode),
202  PLURAL(HiddenServiceExcludeNode),
203  PLURAL(NumCPU),
204  PLURAL(RendNode),
205  PLURAL(RecommendedPackage),
206  PLURAL(RendExcludeNode),
207  PLURAL(StrictEntryNode),
208  PLURAL(StrictExitNode),
209  PLURAL(StrictNode),
210  { "l", "Log", 1, 0},
211  { "AllowUnverifiedNodes", "AllowInvalidNodes", 0, 0},
212  { "AutomapHostSuffixes", "AutomapHostsSuffixes", 0, 0},
213  { "AutomapHostOnResolve", "AutomapHostsOnResolve", 0, 0},
214  { "BandwidthRateBytes", "BandwidthRate", 0, 0},
215  { "BandwidthBurstBytes", "BandwidthBurst", 0, 0},
216  { "DirFetchPostPeriod", "StatusFetchPeriod", 0, 0},
217  { "DirServer", "DirAuthority", 0, 0}, /* XXXX later, make this warn? */
218  { "MaxConn", "ConnLimit", 0, 1},
219  { "MaxMemInCellQueues", "MaxMemInQueues", 0, 0},
220  { "ORBindAddress", "ORListenAddress", 0, 0},
221  { "DirBindAddress", "DirListenAddress", 0, 0},
222  { "SocksBindAddress", "SocksListenAddress", 0, 0},
223  { "UseHelperNodes", "UseEntryGuards", 0, 0},
224  { "NumHelperNodes", "NumEntryGuards", 0, 0},
225  { "UseEntryNodes", "UseEntryGuards", 0, 0},
226  { "NumEntryNodes", "NumEntryGuards", 0, 0},
227  { "ResolvConf", "ServerDNSResolvConfFile", 0, 1},
228  { "SearchDomains", "ServerDNSSearchDomains", 0, 1},
229  { "ServerDNSAllowBrokenResolvConf", "ServerDNSAllowBrokenConfig", 0, 0},
230  { "PreferTunnelledDirConns", "PreferTunneledDirConns", 0, 0},
231  { "BridgeAuthoritativeDirectory", "BridgeAuthoritativeDir", 0, 0},
232  { "HashedControlPassword", "__HashedControlSessionPassword", 1, 0},
233  { "VirtualAddrNetwork", "VirtualAddrNetworkIPv4", 0, 0},
234  { "SocksSocketsGroupWritable", "UnixSocksGroupWritable", 0, 1},
235  { "_HSLayer2Nodes", "HSLayer2Nodes", 0, 1 },
236  { "_HSLayer3Nodes", "HSLayer3Nodes", 0, 1 },
237 
238  DOWNLOAD_SCHEDULE(ClientBootstrapConsensusAuthority),
239  DOWNLOAD_SCHEDULE(ClientBootstrapConsensusAuthorityOnly),
240  DOWNLOAD_SCHEDULE(ClientBootstrapConsensusFallback),
241  DOWNLOAD_SCHEDULE(TestingBridge),
242  DOWNLOAD_SCHEDULE(TestingBridgeBootstrap),
243  DOWNLOAD_SCHEDULE(TestingClient),
244  DOWNLOAD_SCHEDULE(TestingClientConsensus),
245  DOWNLOAD_SCHEDULE(TestingServer),
246  DOWNLOAD_SCHEDULE(TestingServerConsensus),
247 
248  { NULL, NULL, 0, 0},
249 };
250 
251 /** dummy instance of or_options_t, used for type-checking its
252  * members with CONF_CHECK_VAR_TYPE. */
254 
255 /** An entry for config_vars: "The option <b>varname</b> has type
256  * CONFIG_TYPE_<b>conftype</b>, and corresponds to
257  * or_options_t.<b>member</b>"
258  */
259 #define VAR(varname,conftype,member,initvalue) \
260  CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, 0, initvalue)
261 
262 /* As VAR, but uses a type definition in addition to a type enum. */
263 #define VAR_D(varname,conftype,member,initvalue) \
264  CONFIG_VAR_DEFN(or_options_t, varname, conftype, member, 0, initvalue)
265 
266 #define VAR_NODUMP(varname,conftype,member,initvalue) \
267  CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
268  CFLG_NODUMP, initvalue)
269 #define VAR_NODUMP_IMMUTABLE(varname,conftype,member,initvalue) \
270  CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
271  CFLG_NODUMP | CFLG_IMMUTABLE, initvalue)
272 #define VAR_INVIS(varname,conftype,member,initvalue) \
273  CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
274  CFLG_NODUMP | CFLG_NOSET | CFLG_NOLIST, initvalue)
275 
276 #define V(member,conftype,initvalue) \
277  VAR(#member, conftype, member, initvalue)
278 
279 #define VAR_IMMUTABLE(varname, conftype, member, initvalue) \
280  CONFIG_VAR_ETYPE(or_options_t, varname, conftype, member, \
281  CFLG_IMMUTABLE, initvalue)
282 
283 #define V_IMMUTABLE(member,conftype,initvalue) \
284  VAR_IMMUTABLE(#member, conftype, member, initvalue)
285 
286 /** As V, but uses a type definition instead of a type enum */
287 #define V_D(member,type,initvalue) \
288  VAR_D(#member, type, member, initvalue)
289 
290 /** An entry for config_vars: "The option <b>varname</b> is obsolete." */
291 #define OBSOLETE(varname) CONFIG_VAR_OBSOLETE(varname)
292 
293 /**
294  * Macro to declare *Port options. Each one comes in three entries.
295  * For example, most users should use "SocksPort" to configure the
296  * socks port, but TorBrowser wants to use __SocksPort so that it
297  * isn't stored by SAVECONF. The SocksPortLines virtual option is
298  * used to query both options from the controller.
299  */
300 #define VPORT(member) \
301  VAR(#member "Lines", LINELIST_V, member ## _lines, NULL), \
302  VAR(#member, LINELIST_S, member ## _lines, NULL), \
303  VAR_NODUMP("__" #member, LINELIST_S, member ## _lines, NULL)
304 
305 /** UINT64_MAX as a decimal string */
306 #define UINT64_MAX_STRING "18446744073709551615"
307 
308 /** Array of configuration options. Until we disallow nonstandard
309  * abbreviations, order is significant, since the first matching option will
310  * be chosen first.
311  */
312 static const config_var_t option_vars_[] = {
313  V(AccountingMax, MEMUNIT, "0 bytes"),
314  VAR("AccountingRule", STRING, AccountingRule_option, "max"),
315  V(AccountingStart, STRING, NULL),
316  V(Address, LINELIST, NULL),
317  V(AddressDisableIPv6, BOOL, "0"),
318  OBSOLETE("AllowDotExit"),
319  OBSOLETE("AllowInvalidNodes"),
320  V(AllowNonRFC953Hostnames, BOOL, "0"),
321  OBSOLETE("AllowSingleHopCircuits"),
322  OBSOLETE("AllowSingleHopExits"),
323  V(AlternateBridgeAuthority, LINELIST, NULL),
324  V(AlternateDirAuthority, LINELIST, NULL),
325  OBSOLETE("AlternateHSAuthority"),
326  V(AssumeReachable, BOOL, "0"),
327  V(AssumeReachableIPv6, AUTOBOOL, "auto"),
328  OBSOLETE("AuthDirBadDir"),
329  OBSOLETE("AuthDirBadDirCCs"),
330  V(AuthDirBadExit, LINELIST, NULL),
331  V(AuthDirBadExitCCs, CSV, ""),
332  V(AuthDirInvalid, LINELIST, NULL),
333  V(AuthDirInvalidCCs, CSV, ""),
334  V(AuthDirReject, LINELIST, NULL),
335  V(AuthDirRejectCCs, CSV, ""),
336  OBSOLETE("AuthDirRejectUnlisted"),
337  OBSOLETE("AuthDirListBadDirs"),
338  OBSOLETE("AuthDirMaxServersPerAuthAddr"),
339  VAR("AuthoritativeDirectory", BOOL, AuthoritativeDir, "0"),
340  V(AutomapHostsOnResolve, BOOL, "0"),
341  V(AutomapHostsSuffixes, CSV, ".onion,.exit"),
342  V(AvoidDiskWrites, BOOL, "0"),
343  V(BandwidthBurst, MEMUNIT, "1 GB"),
344  V(BandwidthRate, MEMUNIT, "1 GB"),
345  V(BridgeAuthoritativeDir, BOOL, "0"),
346  VAR("Bridge", LINELIST, Bridges, NULL),
347  V(BridgePassword, STRING, NULL),
348  V(BridgeRecordUsageByCountry, BOOL, "1"),
349  V(BridgeRelay, BOOL, "0"),
350  V(BridgeDistribution, STRING, NULL),
351  VAR_IMMUTABLE("CacheDirectory",FILENAME, CacheDirectory_option, NULL),
352  V(CacheDirectoryGroupReadable, AUTOBOOL, "auto"),
353  V(CellStatistics, BOOL, "0"),
354  V(PaddingStatistics, BOOL, "1"),
355  V(OverloadStatistics, BOOL, "1"),
356  V(LearnCircuitBuildTimeout, BOOL, "1"),
357  V(CircuitBuildTimeout, INTERVAL, "0"),
358  OBSOLETE("CircuitIdleTimeout"),
359  V(CircuitsAvailableTimeout, INTERVAL, "0"),
360  V(CircuitStreamTimeout, INTERVAL, "0"),
361  V(CircuitPriorityHalflife, DOUBLE, "-1.0"), /*negative:'Use default'*/
362  V(ClientDNSRejectInternalAddresses, BOOL,"1"),
363 #if defined(HAVE_MODULE_RELAY) || defined(TOR_UNIT_TESTS)
364  /* The unit tests expect the ClientOnly default to be 0. */
365  V(ClientOnly, BOOL, "0"),
366 #else
367  /* We must be a Client if the relay module is disabled. */
368  V(ClientOnly, BOOL, "1"),
369 #endif /* defined(HAVE_MODULE_RELAY) || defined(TOR_UNIT_TESTS) */
370  V(ClientPreferIPv6ORPort, AUTOBOOL, "auto"),
371  V(ClientPreferIPv6DirPort, AUTOBOOL, "auto"),
372  OBSOLETE("ClientAutoIPv6ORPort"),
373  V(ClientRejectInternalAddresses, BOOL, "1"),
374  V(ClientTransportPlugin, LINELIST, NULL),
375  V(ClientUseIPv6, BOOL, "0"),
376  V(ClientUseIPv4, BOOL, "1"),
377  V(ConnLimit, POSINT, "1000"),
378  V(ConnDirectionStatistics, BOOL, "0"),
379  V(ConstrainedSockets, BOOL, "0"),
380  V(ConstrainedSockSize, MEMUNIT, "8192"),
381  V(ContactInfo, STRING, NULL),
382  OBSOLETE("ControlListenAddress"),
383  VPORT(ControlPort),
384  V(ControlPortFileGroupReadable,BOOL, "0"),
385  V(ControlPortWriteToFile, FILENAME, NULL),
386  V(ControlSocket, LINELIST, NULL),
387  V(ControlSocketsGroupWritable, BOOL, "0"),
388  V(UnixSocksGroupWritable, BOOL, "0"),
389  V(CookieAuthentication, BOOL, "0"),
390  V(CookieAuthFileGroupReadable, BOOL, "0"),
391  V(CookieAuthFile, FILENAME, NULL),
392  V(CountPrivateBandwidth, BOOL, "0"),
393  VAR_IMMUTABLE("DataDirectory", FILENAME, DataDirectory_option, NULL),
394  V(DataDirectoryGroupReadable, BOOL, "0"),
395  V(DisableOOSCheck, BOOL, "1"),
396  V(DisableNetwork, BOOL, "0"),
397  V(DirAllowPrivateAddresses, BOOL, "0"),
398  OBSOLETE("DirListenAddress"),
399  V(DirPolicy, LINELIST, NULL),
400  VPORT(DirPort),
401  V(DirPortFrontPage, FILENAME, NULL),
402  VAR("DirReqStatistics", BOOL, DirReqStatistics_option, "1"),
403  VAR("DirAuthority", LINELIST, DirAuthorities, NULL),
404 #if defined(HAVE_MODULE_RELAY) || defined(TOR_UNIT_TESTS)
405  /* The unit tests expect the DirCache default to be 1. */
406  V(DirCache, BOOL, "1"),
407 #else
408  /* We can't be a DirCache if the relay module is disabled. */
409  V(DirCache, BOOL, "0"),
410 #endif /* defined(HAVE_MODULE_RELAY) || defined(TOR_UNIT_TESTS) */
411  /* A DirAuthorityFallbackRate of 0.1 means that 0.5% of clients try an
412  * authority when all fallbacks are up, and 2% try an authority when 25% of
413  * fallbacks are down. (We rebuild the list when 25% of fallbacks are down).
414  *
415  * We want to reduce load on authorities, but keep these two figures within
416  * an order of magnitude, so there isn't too much load shifting to
417  * authorities when fallbacks go down. */
418  V(DirAuthorityFallbackRate, DOUBLE, "0.1"),
419  V_IMMUTABLE(DisableAllSwap, BOOL, "0"),
420  V_IMMUTABLE(DisableDebuggerAttachment, BOOL, "1"),
421  OBSOLETE("DisableIOCP"),
422  OBSOLETE("DisableV2DirectoryInfo_"),
423  OBSOLETE("DynamicDHGroups"),
424  VPORT(DNSPort),
425  OBSOLETE("DNSListenAddress"),
426  V(DormantClientTimeout, INTERVAL, "24 hours"),
427  V(DormantTimeoutEnabled, BOOL, "1"),
428  V(DormantTimeoutDisabledByIdleStreams, BOOL, "1"),
429  V(DormantOnFirstStartup, BOOL, "0"),
430  V(DormantCanceledByStartup, BOOL, "0"),
431  V(DownloadExtraInfo, BOOL, "0"),
432  V(TestingEnableConnBwEvent, BOOL, "0"),
433  V(TestingEnableCellStatsEvent, BOOL, "0"),
434  OBSOLETE("TestingEnableTbEmptyEvent"),
435  V(EnforceDistinctSubnets, BOOL, "1"),
436  V_D(EntryNodes, ROUTERSET, NULL),
437  V(EntryStatistics, BOOL, "0"),
438  OBSOLETE("TestingEstimatedDescriptorPropagationTime"),
439  V_D(ExcludeNodes, ROUTERSET, NULL),
440  V_D(ExcludeExitNodes, ROUTERSET, NULL),
441  OBSOLETE("ExcludeSingleHopRelays"),
442  V_D(ExitNodes, ROUTERSET, NULL),
443  /* Researchers need a way to tell their clients to use specific
444  * middles that they also control, to allow safe live-network
445  * experimentation with new padding machines. */
446  V_D(MiddleNodes, ROUTERSET, NULL),
447  V(ExitPolicy, LINELIST, NULL),
448  V(ExitPolicyRejectPrivate, BOOL, "1"),
449  V(ExitPolicyRejectLocalInterfaces, BOOL, "0"),
450  V(ExitPortStatistics, BOOL, "0"),
451  V(ExtendAllowPrivateAddresses, BOOL, "0"),
452  V(ExitRelay, AUTOBOOL, "auto"),
453  VPORT(ExtORPort),
454  V(ExtORPortCookieAuthFile, FILENAME, NULL),
455  V(ExtORPortCookieAuthFileGroupReadable, BOOL, "0"),
456  V(ExtraInfoStatistics, BOOL, "1"),
457  V(ExtendByEd25519ID, AUTOBOOL, "auto"),
458  V(FallbackDir, LINELIST, NULL),
459 
460  V(UseDefaultFallbackDirs, BOOL, "1"),
461 
462  OBSOLETE("FallbackNetworkstatusFile"),
463  V(FascistFirewall, BOOL, "0"),
464  V(FirewallPorts, CSV, ""),
465  OBSOLETE("FastFirstHopPK"),
466  V(FetchDirInfoEarly, BOOL, "0"),
467  V(FetchDirInfoExtraEarly, BOOL, "0"),
468  V(FetchServerDescriptors, BOOL, "1"),
469  V(FetchHidServDescriptors, BOOL, "1"),
470  V(FetchUselessDescriptors, BOOL, "0"),
471  OBSOLETE("FetchV2Networkstatus"),
472  V(GeoIPExcludeUnknown, AUTOBOOL, "auto"),
473 #ifdef _WIN32
474  V(GeoIPFile, FILENAME, "<default>"),
475  V(GeoIPv6File, FILENAME, "<default>"),
476 #else
477  V(GeoIPFile, FILENAME,
478  SHARE_DATADIR PATH_SEPARATOR "tor" PATH_SEPARATOR "geoip"),
479  V(GeoIPv6File, FILENAME,
480  SHARE_DATADIR PATH_SEPARATOR "tor" PATH_SEPARATOR "geoip6"),
481 #endif /* defined(_WIN32) */
482  OBSOLETE("Group"),
483  V(GuardLifetime, INTERVAL, "0 minutes"),
484  V(HeartbeatPeriod, INTERVAL, "6 hours"),
485  V(MainloopStats, BOOL, "0"),
486  V(HashedControlPassword, LINELIST, NULL),
487  OBSOLETE("HidServDirectoryV2"),
488  OBSOLETE("HiddenServiceAuthorizeClient"),
489  OBSOLETE("HidServAuth"),
490  VAR("HiddenServiceDir", LINELIST_S, RendConfigLines, NULL),
491  VAR("HiddenServiceDirGroupReadable", LINELIST_S, RendConfigLines, NULL),
492  VAR("HiddenServiceOptions",LINELIST_V, RendConfigLines, NULL),
493  VAR("HiddenServicePort", LINELIST_S, RendConfigLines, NULL),
494  VAR("HiddenServiceVersion",LINELIST_S, RendConfigLines, NULL),
495  VAR("HiddenServiceAllowUnknownPorts",LINELIST_S, RendConfigLines, NULL),
496  VAR("HiddenServiceMaxStreams",LINELIST_S, RendConfigLines, NULL),
497  VAR("HiddenServiceMaxStreamsCloseCircuit",LINELIST_S, RendConfigLines, NULL),
498  VAR("HiddenServiceNumIntroductionPoints", LINELIST_S, RendConfigLines, NULL),
499  VAR("HiddenServiceExportCircuitID", LINELIST_S, RendConfigLines, NULL),
500  VAR("HiddenServiceEnableIntroDoSDefense", LINELIST_S, RendConfigLines, NULL),
501  VAR("HiddenServiceEnableIntroDoSRatePerSec",
502  LINELIST_S, RendConfigLines, NULL),
503  VAR("HiddenServiceEnableIntroDoSBurstPerSec",
504  LINELIST_S, RendConfigLines, NULL),
505  VAR("HiddenServiceOnionBalanceInstance",
506  LINELIST_S, RendConfigLines, NULL),
507  VAR("HiddenServiceStatistics", BOOL, HiddenServiceStatistics_option, "1"),
508  V(ClientOnionAuthDir, FILENAME, NULL),
509  OBSOLETE("CloseHSClientCircuitsImmediatelyOnTimeout"),
510  OBSOLETE("CloseHSServiceRendCircuitsImmediatelyOnTimeout"),
511  V_IMMUTABLE(HiddenServiceSingleHopMode, BOOL, "0"),
512  V_IMMUTABLE(HiddenServiceNonAnonymousMode,BOOL, "0"),
513  V(HTTPProxy, STRING, NULL),
514  V(HTTPProxyAuthenticator, STRING, NULL),
515  V(HTTPSProxy, STRING, NULL),
516  V(HTTPSProxyAuthenticator, STRING, NULL),
517  VPORT(HTTPTunnelPort),
518  V(IPv6Exit, BOOL, "0"),
519  VAR("ServerTransportPlugin", LINELIST, ServerTransportPlugin, NULL),
520  V(ServerTransportListenAddr, LINELIST, NULL),
521  V(ServerTransportOptions, LINELIST, NULL),
522  V(SigningKeyLifetime, INTERVAL, "30 days"),
523  V(Socks4Proxy, STRING, NULL),
524  V(Socks5Proxy, STRING, NULL),
525  V(Socks5ProxyUsername, STRING, NULL),
526  V(Socks5ProxyPassword, STRING, NULL),
527  V(TCPProxy, STRING, NULL),
528  VAR_IMMUTABLE("KeyDirectory", FILENAME, KeyDirectory_option, NULL),
529  V(KeyDirectoryGroupReadable, AUTOBOOL, "auto"),
530  VAR_D("HSLayer2Nodes", ROUTERSET, HSLayer2Nodes, NULL),
531  VAR_D("HSLayer3Nodes", ROUTERSET, HSLayer3Nodes, NULL),
532  V(KeepalivePeriod, INTERVAL, "5 minutes"),
533  V_IMMUTABLE(KeepBindCapabilities, AUTOBOOL, "auto"),
534  VAR("Log", LINELIST, Logs, NULL),
535  V(LogMessageDomains, BOOL, "0"),
536  V(LogTimeGranularity, MSEC_INTERVAL, "1 second"),
537  V(TruncateLogFile, BOOL, "0"),
538  V_IMMUTABLE(SyslogIdentityTag, STRING, NULL),
539  OBSOLETE("AndroidIdentityTag"),
540  V(LongLivedPorts, CSV,
541  "21,22,706,1863,5050,5190,5222,5223,6523,6667,6697,8300"),
542  VAR("MapAddress", LINELIST, AddressMap, NULL),
543  V(MaxAdvertisedBandwidth, MEMUNIT, "1 GB"),
544  V(MaxCircuitDirtiness, INTERVAL, "10 minutes"),
545  V(MaxClientCircuitsPending, POSINT, "32"),
546  V(MaxConsensusAgeForDiffs, INTERVAL, "0 seconds"),
547  VAR("MaxMemInQueues", MEMUNIT, MaxMemInQueues_raw, "0"),
548  OBSOLETE("MaxOnionsPending"),
549  V(MaxOnionQueueDelay, MSEC_INTERVAL, "1750 msec"),
550  V(MaxUnparseableDescSizeToLog, MEMUNIT, "10 MB"),
551  VPORT(MetricsPort),
552  V(MetricsPortPolicy, LINELIST, NULL),
553  VAR("MyFamily", LINELIST, MyFamily_lines, NULL),
554  V(NewCircuitPeriod, INTERVAL, "30 seconds"),
555  OBSOLETE("NamingAuthoritativeDirectory"),
556  OBSOLETE("NATDListenAddress"),
557  VPORT(NATDPort),
558  V(Nickname, STRING, NULL),
559  OBSOLETE("PredictedPortsRelevanceTime"),
560  OBSOLETE("WarnUnsafeSocks"),
561  VAR("NodeFamily", LINELIST, NodeFamilies, NULL),
562  V_IMMUTABLE(NoExec, BOOL, "0"),
563  V(NumCPUs, POSINT, "0"),
564  V(NumDirectoryGuards, POSINT, "0"),
565  V(NumEntryGuards, POSINT, "0"),
566  V(NumPrimaryGuards, POSINT, "0"),
567  V(OfflineMasterKey, BOOL, "0"),
568  OBSOLETE("ORListenAddress"),
569  VPORT(ORPort),
570  V(OutboundBindAddress, LINELIST, NULL),
571  V(OutboundBindAddressOR, LINELIST, NULL),
572  V(OutboundBindAddressExit, LINELIST, NULL),
573  V(OutboundBindAddressPT, LINELIST, NULL),
574 
575  OBSOLETE("PathBiasDisableRate"),
576  V(PathBiasCircThreshold, INT, "-1"),
577  V(PathBiasNoticeRate, DOUBLE, "-1"),
578  V(PathBiasWarnRate, DOUBLE, "-1"),
579  V(PathBiasExtremeRate, DOUBLE, "-1"),
580  V(PathBiasScaleThreshold, INT, "-1"),
581  OBSOLETE("PathBiasScaleFactor"),
582  OBSOLETE("PathBiasMultFactor"),
583  V(PathBiasDropGuards, AUTOBOOL, "0"),
584  OBSOLETE("PathBiasUseCloseCounts"),
585 
586  V(PathBiasUseThreshold, INT, "-1"),
587  V(PathBiasNoticeUseRate, DOUBLE, "-1"),
588  V(PathBiasExtremeUseRate, DOUBLE, "-1"),
589  V(PathBiasScaleUseThreshold, INT, "-1"),
590 
591  V(PathsNeededToBuildCircuits, DOUBLE, "-1"),
592  V(PerConnBWBurst, MEMUNIT, "0"),
593  V(PerConnBWRate, MEMUNIT, "0"),
594  V_IMMUTABLE(PidFile, FILENAME, NULL),
595  V_IMMUTABLE(TestingTorNetwork, BOOL, "0"),
596 
597  V(TestingLinkCertLifetime, INTERVAL, "2 days"),
598  V(TestingAuthKeyLifetime, INTERVAL, "2 days"),
599  V(TestingLinkKeySlop, INTERVAL, "3 hours"),
600  V(TestingAuthKeySlop, INTERVAL, "3 hours"),
601  V(TestingSigningKeySlop, INTERVAL, "1 day"),
602 
603  OBSOLETE("OptimisticData"),
604  OBSOLETE("PortForwarding"),
605  OBSOLETE("PortForwardingHelper"),
606  OBSOLETE("PreferTunneledDirConns"),
607  V(ProtocolWarnings, BOOL, "0"),
608  V(PublishServerDescriptor, CSV, "1"),
609  V(PublishHidServDescriptors, BOOL, "1"),
610  V(ReachableAddresses, LINELIST, NULL),
611  V(ReachableDirAddresses, LINELIST, NULL),
612  V(ReachableORAddresses, LINELIST, NULL),
613  OBSOLETE("RecommendedPackages"),
614  V(ReducedConnectionPadding, BOOL, "0"),
615  V(ConnectionPadding, AUTOBOOL, "auto"),
616  V(RefuseUnknownExits, AUTOBOOL, "auto"),
617  V(CircuitPadding, BOOL, "1"),
618  V(ReducedCircuitPadding, BOOL, "0"),
619  V(RejectPlaintextPorts, CSV, ""),
620  V(RelayBandwidthBurst, MEMUNIT, "0"),
621  V(RelayBandwidthRate, MEMUNIT, "0"),
622  V(RendPostPeriod, INTERVAL, "1 hour"), /* Used internally. */
623  V(RephistTrackTime, INTERVAL, "24 hours"),
624  V_IMMUTABLE(RunAsDaemon, BOOL, "0"),
625  V(ReducedExitPolicy, BOOL, "0"),
626  OBSOLETE("RunTesting"), // currently unused
627  V_IMMUTABLE(Sandbox, BOOL, "0"),
628  V(SafeLogging, STRING, "1"),
629  V(SafeSocks, BOOL, "0"),
630  V(ServerDNSAllowBrokenConfig, BOOL, "1"),
631  V(ServerDNSAllowNonRFC953Hostnames, BOOL,"0"),
632  V(ServerDNSDetectHijacking, BOOL, "1"),
633  V(ServerDNSRandomizeCase, BOOL, "1"),
634  V(ServerDNSResolvConfFile, FILENAME, NULL),
635  V(ServerDNSSearchDomains, BOOL, "0"),
636  V(ServerDNSTestAddresses, CSV,
637  "www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org"),
638  OBSOLETE("SchedulerLowWaterMark__"),
639  OBSOLETE("SchedulerHighWaterMark__"),
640  OBSOLETE("SchedulerMaxFlushCells__"),
641  V(KISTSchedRunInterval, MSEC_INTERVAL, "0 msec"),
642  V(KISTSockBufSizeFactor, DOUBLE, "1.0"),
643  V(Schedulers, CSV, "KIST,KISTLite,Vanilla"),
644  V(ShutdownWaitLength, INTERVAL, "30 seconds"),
645  OBSOLETE("SocksListenAddress"),
646  V(SocksPolicy, LINELIST, NULL),
647  VPORT(SocksPort),
648  V(SocksTimeout, INTERVAL, "2 minutes"),
649  V(SSLKeyLifetime, INTERVAL, "0"),
650  OBSOLETE("StrictEntryNodes"),
651  OBSOLETE("StrictExitNodes"),
652  V(StrictNodes, BOOL, "0"),
653  OBSOLETE("Support022HiddenServices"),
654  V(TestSocks, BOOL, "0"),
655  V_IMMUTABLE(TokenBucketRefillInterval, MSEC_INTERVAL, "100 msec"),
656  OBSOLETE("Tor2webMode"),
657  OBSOLETE("Tor2webRendezvousPoints"),
658  OBSOLETE("TLSECGroup"),
659  V(TrackHostExits, CSV, NULL),
660  V(TrackHostExitsExpire, INTERVAL, "30 minutes"),
661  OBSOLETE("TransListenAddress"),
662  VPORT(TransPort),
663  V(TransProxyType, STRING, "default"),
664  OBSOLETE("TunnelDirConns"),
665  V(UpdateBridgesFromAuthority, BOOL, "0"),
666  V(UseBridges, BOOL, "0"),
667  VAR("UseEntryGuards", BOOL, UseEntryGuards_option, "1"),
668  OBSOLETE("UseEntryGuardsAsDirGuards"),
669  V(UseGuardFraction, AUTOBOOL, "auto"),
670  V(UseMicrodescriptors, AUTOBOOL, "auto"),
671  OBSOLETE("UseNTorHandshake"),
672  V_IMMUTABLE(User, STRING, NULL),
673  OBSOLETE("UserspaceIOCPBuffers"),
674  OBSOLETE("V1AuthoritativeDirectory"),
675  OBSOLETE("V2AuthoritativeDirectory"),
676  VAR("V3AuthoritativeDirectory",BOOL, V3AuthoritativeDir, "0"),
677  V(TestingV3AuthInitialVotingInterval, INTERVAL, "30 minutes"),
678  V(TestingV3AuthInitialVoteDelay, INTERVAL, "5 minutes"),
679  V(TestingV3AuthInitialDistDelay, INTERVAL, "5 minutes"),
680  V(TestingV3AuthVotingStartOffset, INTERVAL, "0"),
681  V(V3AuthVotingInterval, INTERVAL, "1 hour"),
682  V(V3AuthVoteDelay, INTERVAL, "5 minutes"),
683  V(V3AuthDistDelay, INTERVAL, "5 minutes"),
684  V(V3AuthNIntervalsValid, POSINT, "3"),
685  V(V3AuthUseLegacyKey, BOOL, "0"),
686  V(V3BandwidthsFile, FILENAME, NULL),
687  V(GuardfractionFile, FILENAME, NULL),
688  OBSOLETE("VoteOnHidServDirectoriesV2"),
689  V(VirtualAddrNetworkIPv4, STRING, "127.192.0.0/10"),
690  V(VirtualAddrNetworkIPv6, STRING, "[FE80::]/10"),
691  V(WarnPlaintextPorts, CSV, "23,109,110,143"),
692  OBSOLETE("UseFilteringSSLBufferevents"),
693  OBSOLETE("__UseFilteringSSLBufferevents"),
694  VAR_NODUMP("__ReloadTorrcOnSIGHUP", BOOL, ReloadTorrcOnSIGHUP, "1"),
695  VAR_NODUMP("__AllDirActionsPrivate", BOOL, AllDirActionsPrivate, "0"),
696  VAR_NODUMP("__DisablePredictedCircuits",BOOL,DisablePredictedCircuits, "0"),
697  VAR_NODUMP_IMMUTABLE("__DisableSignalHandlers", BOOL,
698  DisableSignalHandlers, "0"),
699  VAR_NODUMP("__LeaveStreamsUnattached",BOOL, LeaveStreamsUnattached, "0"),
700  VAR_NODUMP("__HashedControlSessionPassword", LINELIST,
701  HashedControlSessionPassword,
702  NULL),
703  VAR_NODUMP("__OwningControllerProcess",STRING,
704  OwningControllerProcess, NULL),
705  VAR_NODUMP_IMMUTABLE("__OwningControllerFD", UINT64, OwningControllerFD,
707  V(TestingServerDownloadInitialDelay, CSV_INTERVAL, "0"),
708  V(TestingClientDownloadInitialDelay, CSV_INTERVAL, "0"),
709  V(TestingServerConsensusDownloadInitialDelay, CSV_INTERVAL, "0"),
710  V(TestingClientConsensusDownloadInitialDelay, CSV_INTERVAL, "0"),
711  /* With the ClientBootstrapConsensus*Download* below:
712  * Clients with only authorities will try:
713  * - at least 3 authorities over 10 seconds, then exponentially backoff,
714  * with the next attempt 3-21 seconds later,
715  * Clients with authorities and fallbacks will try:
716  * - at least 2 authorities and 4 fallbacks over 21 seconds, then
717  * exponentially backoff, with the next attempts 4-33 seconds later,
718  * Clients will also retry when an application request arrives.
719  * After a number of failed requests, clients retry every 3 days + 1 hour.
720  *
721  * Clients used to try 2 authorities over 10 seconds, then wait for
722  * 60 minutes or an application request.
723  *
724  * When clients have authorities and fallbacks available, they use these
725  * schedules: (we stagger the times to avoid thundering herds) */
726  V(ClientBootstrapConsensusAuthorityDownloadInitialDelay, CSV_INTERVAL, "6"),
727  V(ClientBootstrapConsensusFallbackDownloadInitialDelay, CSV_INTERVAL, "0"),
728  /* When clients only have authorities available, they use this schedule: */
729  V(ClientBootstrapConsensusAuthorityOnlyDownloadInitialDelay, CSV_INTERVAL,
730  "0"),
731  /* We don't want to overwhelm slow networks (or mirrors whose replies are
732  * blocked), but we also don't want to fail if only some mirrors are
733  * blackholed. Clients will try 3 directories simultaneously.
734  * (Relays never use simultaneous connections.) */
735  V(ClientBootstrapConsensusMaxInProgressTries, POSINT, "3"),
736  /* When a client has any running bridges, check each bridge occasionally,
737  * whether or not that bridge is actually up. */
738  V(TestingBridgeDownloadInitialDelay, CSV_INTERVAL,"10800"),
739  /* When a client is just starting, or has no running bridges, check each
740  * bridge a few times quickly, and then try again later. These schedules
741  * are much longer than the other schedules, because we try each and every
742  * configured bridge with this schedule. */
743  V(TestingBridgeBootstrapDownloadInitialDelay, CSV_INTERVAL, "0"),
744  V(TestingClientMaxIntervalWithoutRequest, INTERVAL, "10 minutes"),
745  V(TestingDirConnectionMaxStall, INTERVAL, "5 minutes"),
746  OBSOLETE("TestingConsensusMaxDownloadTries"),
747  OBSOLETE("ClientBootstrapConsensusMaxDownloadTries"),
748  OBSOLETE("ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries"),
749  OBSOLETE("TestingDescriptorMaxDownloadTries"),
750  OBSOLETE("TestingMicrodescMaxDownloadTries"),
751  OBSOLETE("TestingCertMaxDownloadTries"),
752  VAR_INVIS("___UsingTestNetworkDefaults", BOOL, UsingTestNetworkDefaults_,
753  "0"),
754 
756 };
757 
758 /** List of default directory authorities */
759 static const char *default_authorities[] = {
760 #ifndef COCCI
761 #include "auth_dirs.inc"
762 #endif
763  NULL
764 };
765 
766 /** List of fallback directory authorities. The list is generated by opt-in of
767  * relays that meet certain stability criteria.
768  */
769 static const char *default_fallbacks[] = {
770 #ifndef COCCI
771 #include "fallback_dirs.inc"
772 #endif
773  NULL
774 };
775 
776 /** Override default values with these if the user sets the TestingTorNetwork
777  * option. */
778 static const struct {
779  const char *k;
780  const char *v;
782 #ifndef COCCI
783 #include "testnet.inc"
784 #endif
785  { NULL, NULL }
786 };
787 
788 #undef VAR
789 #undef V
790 #undef OBSOLETE
791 
792 static const config_deprecation_t option_deprecation_notes_[] = {
793  /* Deprecated since 0.3.2.0-alpha. */
794  { "HTTPProxy", "It only applies to direct unencrypted HTTP connections "
795  "to your directory server, which your Tor probably wasn't using." },
796  { "HTTPProxyAuthenticator", "HTTPProxy is deprecated in favor of HTTPSProxy "
797  "which should be used with HTTPSProxyAuthenticator." },
798  /* End of options deprecated since 0.3.2.1-alpha */
799 
800  /* Options deprecated since 0.3.2.2-alpha */
801  { "ReachableDirAddresses", "It has no effect on relays, and has had no "
802  "effect on clients since 0.2.8." },
803  { "ClientPreferIPv6DirPort", "It has no effect on relays, and has had no "
804  "effect on clients since 0.2.8." },
805  /* End of options deprecated since 0.3.2.2-alpha. */
806 
807  /* Options deprecated since 0.4.3.1-alpha. */
808  { "ClientAutoIPv6ORPort", "This option is unreliable if a connection isn't "
809  "reliably dual-stack."},
810  /* End of options deprecated since 0.4.3.1-alpha. */
811 
812  { NULL, NULL }
813 };
814 
815 #ifdef _WIN32
816 static char *get_windows_conf_root(void);
817 #endif
818 
819 static int options_check_transition_cb(const void *old,
820  const void *new,
821  char **msg);
822 static int validate_data_directories(or_options_t *options);
823 static int write_configuration_file(const char *fname,
824  const or_options_t *options);
825 
826 static void init_libevent(const or_options_t *options);
827 static int opt_streq(const char *s1, const char *s2);
828 static int parse_outbound_addresses(or_options_t *options, int validate_only,
829  char **msg);
830 static void config_maybe_load_geoip_files_(const or_options_t *options,
831  const or_options_t *old_options);
832 static int options_validate_cb(const void *old_options, void *options,
833  char **msg);
835 static void set_protocol_warning_severity_level(int warning_severity);
836 static void options_clear_cb(const config_mgr_t *mgr, void *opts);
837 static setopt_err_t options_validate_and_set(const or_options_t *old_options,
838  or_options_t *new_options,
839  char **msg_out);
842  struct listener_transaction_t *xn);
843 
844 /** Magic value for or_options_t. */
845 #define OR_OPTIONS_MAGIC 9090909
846 
847 /** Configuration format for or_options_t. */
849  .size = sizeof(or_options_t),
850  .magic = {
851  "or_options_t",
853  offsetof(or_options_t, magic_),
854  },
855  .abbrevs = option_abbrevs_,
856  .deprecations = option_deprecation_notes_,
857  .vars = option_vars_,
858  .legacy_validate_fn = options_validate_cb,
859  .check_transition_fn = options_check_transition_cb,
860  .clear_fn = options_clear_cb,
861  .has_config_suite = true,
862  .config_suite_offset = offsetof(or_options_t, subconfigs_),
863 };
864 
865 /*
866  * Functions to read and write the global options pointer.
867  */
868 
869 /** Command-line and config-file options. */
871 /** The fallback options_t object; this is where we look for options not
872  * in torrc before we fall back to Tor's defaults. */
874 /** Name of most recently read torrc file. */
875 static char *torrc_fname = NULL;
876 /** Name of the most recently read torrc-defaults file.*/
877 static char *torrc_defaults_fname = NULL;
878 /** Result of parsing the command line. */
880 /** List of port_cfg_t for all configured ports. */
882 /** True iff we're currently validating options, and any calls to
883  * get_options() are likely to be bugs. */
884 static int in_option_validation = 0;
885 /** True iff we have run options_act_once_on_startup() */
886 static bool have_set_startup_options = false;
887 
888 /* A global configuration manager to handle all configuration objects. */
889 static config_mgr_t *options_mgr = NULL;
890 
891 /** Return the global configuration manager object for torrc options. */
892 STATIC const config_mgr_t *
894 {
895  if (PREDICT_UNLIKELY(options_mgr == NULL)) {
896  options_mgr = config_mgr_new(&options_format);
897  int rv = subsystems_register_options_formats(options_mgr);
898  tor_assert(rv == 0);
899  config_mgr_freeze(options_mgr);
900  }
901  return options_mgr;
902 }
903 
904 #define CHECK_OPTIONS_MAGIC(opt) STMT_BEGIN \
905  config_check_toplevel_magic(get_options_mgr(), (opt)); \
906  STMT_END
907 
908 /** Returns the currently configured options. */
911 {
913  tor_assert_nonfatal(! in_option_validation);
914  return global_options;
915 }
916 
917 /** Returns the currently configured options */
918 MOCK_IMPL(const or_options_t *,
919 get_options,(void))
920 {
921  return get_options_mutable();
922 }
923 
924 /**
925  * True iff we have noticed that this is a testing tor network, and we
926  * should use the corresponding defaults.
927  **/
928 static bool testing_network_configured = false;
929 
930 /** Return a set of lines for any default options that we want to override
931  * from those set in our config_var_t values. */
932 static config_line_t *
934 {
935  int i;
936  config_line_t *result = NULL, **next = &result;
937 
939  for (i = 0; testing_tor_network_defaults[i].k; ++i) {
940  config_line_append(next,
943  next = &(*next)->next;
944  }
945  }
946 
947  return result;
948 }
949 
950 /** Change the current global options to contain <b>new_val</b> instead of
951  * their current value; take action based on the new value; free the old value
952  * as necessary. Returns 0 on success, -1 on failure.
953  */
954 int
955 set_options(or_options_t *new_val, char **msg)
956 {
957  or_options_t *old_options = global_options;
958  global_options = new_val;
959  /* Note that we pass the *old* options below, for comparison. It
960  * pulls the new options directly out of global_options. */
961  if (options_act_reversible(old_options, msg)<0) {
962  tor_assert(*msg);
963  global_options = old_options;
964  return -1;
965  }
966  if (subsystems_set_options(get_options_mgr(), new_val) < 0 ||
967  options_act(old_options) < 0) { /* acting on the options failed. die. */
969  log_err(LD_BUG,
970  "Acting on config options left us in a broken state. Dying.");
972  }
973  global_options = old_options;
974  return -1;
975  }
976  /* Issues a CONF_CHANGED event to notify controller of the change. If Tor is
977  * just starting up then the old_options will be undefined. */
978  if (old_options && old_options != global_options) {
979  config_line_t *changes =
980  config_get_changes(get_options_mgr(), old_options, new_val);
982  config_free_lines(changes);
983  }
984 
985  if (old_options != global_options) {
986  or_options_free(old_options);
987  /* If we are here it means we've successfully applied the new options and
988  * that the global options have been changed to the new values. We'll
989  * check if we need to remove or add periodic events. */
990  periodic_events_on_new_options(global_options);
991  }
992 
993  return 0;
994 }
995 
996 /** Release additional memory allocated in options
997  */
998 static void
999 options_clear_cb(const config_mgr_t *mgr, void *opts)
1000 {
1001  (void)mgr;
1002  CHECK_OPTIONS_MAGIC(opts);
1003  or_options_t *options = opts;
1004 
1005  routerset_free(options->ExcludeExitNodesUnion_);
1006  if (options->NodeFamilySets) {
1007  SMARTLIST_FOREACH(options->NodeFamilySets, routerset_t *,
1008  rs, routerset_free(rs));
1009  smartlist_free(options->NodeFamilySets);
1010  }
1011  if (options->SchedulerTypes_) {
1012  SMARTLIST_FOREACH(options->SchedulerTypes_, int *, i, tor_free(i));
1013  smartlist_free(options->SchedulerTypes_);
1014  }
1015  if (options->FilesOpenedByIncludes) {
1016  SMARTLIST_FOREACH(options->FilesOpenedByIncludes, char *, f, tor_free(f));
1017  smartlist_free(options->FilesOpenedByIncludes);
1018  }
1019  tor_free(options->DataDirectory);
1020  tor_free(options->CacheDirectory);
1021  tor_free(options->KeyDirectory);
1023  tor_free(options->command_arg);
1024  tor_free(options->master_key_fname);
1025  config_free_lines(options->MyFamily);
1026 }
1027 
1028 /** Release all memory allocated in options
1029  */
1030 STATIC void
1032 {
1033  config_free(get_options_mgr(), options);
1034 }
1035 
1036 /** Release all memory and resources held by global configuration structures.
1037  */
1038 void
1040 {
1041  or_options_free(global_options);
1042  global_options = NULL;
1043  or_options_free(global_default_options);
1044  global_default_options = NULL;
1045 
1046  parsed_cmdline_free(global_cmdline);
1047 
1048  if (configured_ports) {
1050  port_cfg_t *, p, port_cfg_free(p));
1051  smartlist_free(configured_ports);
1052  configured_ports = NULL;
1053  }
1054 
1057 
1059 
1060  have_set_startup_options = false;
1061 
1062  config_mgr_free(options_mgr);
1063 }
1064 
1065 /** Make <b>address</b> -- a piece of information related to our operation as
1066  * a client -- safe to log according to the settings in options->SafeLogging,
1067  * and return it.
1068  *
1069  * (We return "[scrubbed]" if SafeLogging is "1", and address otherwise.)
1070  */
1071 const char *
1072 safe_str_client_opts(const or_options_t *options, const char *address)
1073 {
1074  tor_assert(address);
1075  if (!options) {
1076  options = get_options();
1077  }
1078 
1079  if (options->SafeLogging_ == SAFELOG_SCRUB_ALL)
1080  return "[scrubbed]";
1081  else
1082  return address;
1083 }
1084 
1085 /** Make <b>address</b> -- a piece of information of unspecified sensitivity
1086  * -- safe to log according to the settings in options->SafeLogging, and
1087  * return it.
1088  *
1089  * (We return "[scrubbed]" if SafeLogging is anything besides "0", and address
1090  * otherwise.)
1091  */
1092 const char *
1093 safe_str_opts(const or_options_t *options, const char *address)
1094 {
1095  tor_assert(address);
1096  if (!options) {
1097  options = get_options();
1098  }
1099 
1100  if (options->SafeLogging_ != SAFELOG_SCRUB_NONE)
1101  return "[scrubbed]";
1102  else
1103  return address;
1104 }
1105 
1106 /** Equivalent to escaped(safe_str_client(address)). See reentrancy note on
1107  * escaped(): don't use this outside the main thread, or twice in the same
1108  * log statement. */
1109 const char *
1110 escaped_safe_str_client(const char *address)
1111 {
1112  if (get_options()->SafeLogging_ == SAFELOG_SCRUB_ALL)
1113  return "[scrubbed]";
1114  else
1115  return escaped(address);
1116 }
1117 
1118 /** Equivalent to escaped(safe_str(address)). See reentrancy note on
1119  * escaped(): don't use this outside the main thread, or twice in the same
1120  * log statement. */
1121 const char *
1122 escaped_safe_str(const char *address)
1123 {
1124  if (get_options()->SafeLogging_ != SAFELOG_SCRUB_NONE)
1125  return "[scrubbed]";
1126  else
1127  return escaped(address);
1128 }
1129 
1130 /**
1131  * The severity level that should be used for warnings of severity
1132  * LOG_PROTOCOL_WARN.
1133  *
1134  * We keep this outside the options, and we use an atomic_counter_t, in case
1135  * one thread needs to use LOG_PROTOCOL_WARN while an option transition is
1136  * happening in the main thread.
1137  */
1139 
1140 /** Return the severity level that should be used for warnings of severity
1141  * LOG_PROTOCOL_WARN. */
1142 int
1144 {
1146 }
1147 
1148 /** Set the protocol warning severity level to <b>severity</b>. */
1149 static void
1151 {
1153  warning_severity);
1154 }
1155 
1156 /**
1157  * Initialize the log warning severity level for protocol warnings. Call
1158  * only once at startup.
1159  */
1160 void
1162 {
1165 }
1166 
1167 /**
1168  * Tear down protocol_warning_severity_level.
1169  */
1170 static void
1172 {
1173  /* Destroying a locked mutex is undefined behaviour. This mutex may be
1174  * locked, because multiple threads can access it. But we need to destroy
1175  * it, otherwise re-initialisation will trigger undefined behaviour.
1176  * See #31735 for details. */
1178 }
1179 
1180 /** Add the default directory authorities directly into the trusted dir list,
1181  * but only add them insofar as they share bits with <b>type</b>.
1182  * Each authority's bits are restricted to the bits shared with <b>type</b>.
1183  * If <b>type</b> is ALL_DIRINFO or NO_DIRINFO (zero), add all authorities. */
1184 STATIC void
1186 {
1187  int i;
1188  for (i=0; default_authorities[i]; i++) {
1189  if (parse_dir_authority_line(default_authorities[i], type, 0)<0) {
1190  log_err(LD_BUG, "Couldn't parse internal DirAuthority line %s",
1191  default_authorities[i]);
1192  }
1193  }
1194 }
1195 
1196 /** Add the default fallback directory servers into the fallback directory
1197  * server list. */
1198 MOCK_IMPL(void,
1200 {
1201  int i;
1202  for (i=0; default_fallbacks[i]; i++) {
1204  log_err(LD_BUG, "Couldn't parse internal FallbackDir line %s",
1205  default_fallbacks[i]);
1206  }
1207  }
1208 }
1209 
1210 /** Look at all the config options for using alternate directory
1211  * authorities, and make sure none of them are broken. Also, warn the
1212  * user if we changed any dangerous ones.
1213  */
1214 static int
1216  const or_options_t *old_options)
1217 {
1218  config_line_t *cl;
1219 
1220  if (options->DirAuthorities &&
1221  (options->AlternateDirAuthority || options->AlternateBridgeAuthority)) {
1222  log_warn(LD_CONFIG,
1223  "You cannot set both DirAuthority and Alternate*Authority.");
1224  return -1;
1225  }
1226 
1227  /* do we want to complain to the user about being partitionable? */
1228  if ((options->DirAuthorities &&
1229  (!old_options ||
1230  !config_lines_eq(options->DirAuthorities,
1231  old_options->DirAuthorities))) ||
1232  (options->AlternateDirAuthority &&
1233  (!old_options ||
1235  old_options->AlternateDirAuthority)))) {
1236  log_warn(LD_CONFIG,
1237  "You have used DirAuthority or AlternateDirAuthority to "
1238  "specify alternate directory authorities in "
1239  "your configuration. This is potentially dangerous: it can "
1240  "make you look different from all other Tor users, and hurt "
1241  "your anonymity. Even if you've specified the same "
1242  "authorities as Tor uses by default, the defaults could "
1243  "change in the future. Be sure you know what you're doing.");
1244  }
1245 
1246  /* Now go through the four ways you can configure an alternate
1247  * set of directory authorities, and make sure none are broken. */
1248  for (cl = options->DirAuthorities; cl; cl = cl->next)
1249  if (parse_dir_authority_line(cl->value, NO_DIRINFO, 1)<0)
1250  return -1;
1251  for (cl = options->AlternateBridgeAuthority; cl; cl = cl->next)
1252  if (parse_dir_authority_line(cl->value, NO_DIRINFO, 1)<0)
1253  return -1;
1254  for (cl = options->AlternateDirAuthority; cl; cl = cl->next)
1255  if (parse_dir_authority_line(cl->value, NO_DIRINFO, 1)<0)
1256  return -1;
1257  for (cl = options->FallbackDir; cl; cl = cl->next)
1258  if (parse_dir_fallback_line(cl->value, 1)<0)
1259  return -1;
1260  return 0;
1261 }
1262 
1263 /** Look at all the config options and assign new dir authorities
1264  * as appropriate.
1265  */
1266 int
1268  const or_options_t *old_options)
1269 {
1270  config_line_t *cl;
1271  int need_to_update =
1272  !smartlist_len(router_get_trusted_dir_servers()) ||
1273  !smartlist_len(router_get_fallback_dir_servers()) || !old_options ||
1274  !config_lines_eq(options->DirAuthorities, old_options->DirAuthorities) ||
1275  !config_lines_eq(options->FallbackDir, old_options->FallbackDir) ||
1276  (options->UseDefaultFallbackDirs != old_options->UseDefaultFallbackDirs) ||
1278  old_options->AlternateBridgeAuthority) ||
1280  old_options->AlternateDirAuthority);
1281 
1282  if (!need_to_update)
1283  return 0; /* all done */
1284 
1285  /* "You cannot set both DirAuthority and Alternate*Authority."
1286  * Checking that this restriction holds allows us to simplify
1287  * the unit tests. */
1288  tor_assert(!(options->DirAuthorities &&
1289  (options->AlternateDirAuthority
1290  || options->AlternateBridgeAuthority)));
1291 
1292  /* Start from a clean slate. */
1294 
1295  if (!options->DirAuthorities) {
1296  /* then we may want some of the defaults */
1297  dirinfo_type_t type = NO_DIRINFO;
1298  if (!options->AlternateBridgeAuthority) {
1299  type |= BRIDGE_DIRINFO;
1300  }
1301  if (!options->AlternateDirAuthority) {
1303  /* Only add the default fallback directories when the DirAuthorities,
1304  * AlternateDirAuthority, and FallbackDir directory config options
1305  * are set to their defaults, and when UseDefaultFallbackDirs is 1. */
1306  if (!options->FallbackDir && options->UseDefaultFallbackDirs) {
1308  }
1309  }
1310  /* if type == NO_DIRINFO, we don't want to add any of the
1311  * default authorities, because we've replaced them all */
1312  if (type != NO_DIRINFO)
1314  }
1315 
1316  for (cl = options->DirAuthorities; cl; cl = cl->next)
1317  if (parse_dir_authority_line(cl->value, NO_DIRINFO, 0)<0)
1318  return -1;
1319  for (cl = options->AlternateBridgeAuthority; cl; cl = cl->next)
1320  if (parse_dir_authority_line(cl->value, NO_DIRINFO, 0)<0)
1321  return -1;
1322  for (cl = options->AlternateDirAuthority; cl; cl = cl->next)
1323  if (parse_dir_authority_line(cl->value, NO_DIRINFO, 0)<0)
1324  return -1;
1325  for (cl = options->FallbackDir; cl; cl = cl->next)
1326  if (parse_dir_fallback_line(cl->value, 0)<0)
1327  return -1;
1328  return 0;
1329 }
1330 
1331 /**
1332  * Make sure that <b>directory</b> exists, with appropriate ownership and
1333  * permissions (as modified by <b>group_readable</b>). If <b>create</b>,
1334  * create the directory if it is missing. Return 0 on success.
1335  * On failure, return -1 and set *<b>msg_out</b>.
1336  */
1337 static int
1339  const char *directory,
1340  int group_readable,
1341  const char *owner,
1342  char **msg_out)
1343 {
1344  cpd_check_t cpd_opts = create ? CPD_CREATE : CPD_CHECK;
1345  if (group_readable)
1346  cpd_opts |= CPD_GROUP_READ;
1347  if (check_private_dir(directory,
1348  cpd_opts,
1349  owner) < 0) {
1350  tor_asprintf(msg_out,
1351  "Couldn't %s private data directory \"%s\"",
1352  create ? "create" : "access",
1353  directory);
1354  return -1;
1355  }
1356 
1357 #ifndef _WIN32
1358  if (group_readable) {
1359  /* Only new dirs created get new opts, also enforce group read. */
1360  if (chmod(directory, 0750)) {
1361  log_warn(LD_FS,"Unable to make %s group-readable: %s",
1362  directory, strerror(errno));
1363  }
1364  }
1365 #endif /* !defined(_WIN32) */
1366 
1367  return 0;
1368 }
1369 
1370 /**
1371  * Ensure that our keys directory exists, with appropriate permissions.
1372  * Return 0 on success, -1 on failure.
1373  */
1374 int
1376 {
1377  /* Make sure DataDirectory exists, and is private. */
1378  cpd_check_t cpd_opts = CPD_CREATE;
1379  if (options->DataDirectoryGroupReadable)
1380  cpd_opts |= CPD_GROUP_READ;
1381  if (check_private_dir(options->DataDirectory, cpd_opts, options->User)) {
1382  log_err(LD_OR, "Can't create/check datadirectory %s",
1383  options->DataDirectory);
1384  return -1;
1385  }
1386 
1387  /* Check the key directory. */
1388  if (check_private_dir(options->KeyDirectory, CPD_CREATE, options->User)) {
1389  return -1;
1390  }
1391  return 0;
1392 }
1393 
1394 /* Helps determine flags to pass to switch_id. */
1395 static int have_low_ports = -1;
1396 
1397 /** Take case of initial startup tasks that must occur before any of the
1398  * transactional option-related changes are allowed. */
1399 static int
1401 {
1403  return 0;
1404 
1405  const or_options_t *options = get_options();
1406  const bool running_tor = options->command == CMD_RUN_TOR;
1407 
1408  if (!running_tor)
1409  return 0;
1410 
1411  /* Daemonize _first_, since we only want to open most of this stuff in
1412  * the subprocess. Libevent bases can't be reliably inherited across
1413  * processes. */
1414  if (options->RunAsDaemon) {
1417  /* No need to roll back, since you can't change the value. */
1418  if (start_daemon())
1420  }
1421 
1422 #ifdef HAVE_SYSTEMD
1423  /* Our PID may have changed, inform supervisor */
1424  sd_notifyf(0, "MAINPID=%ld\n", (long int)getpid());
1425 #endif
1426 
1427  /* Set up libevent. (We need to do this before we can register the
1428  * listeners as listeners.) */
1429  init_libevent(options);
1430 
1431  /* This has to come up after libevent is initialized. */
1432  control_initialize_event_queue();
1433 
1434  /*
1435  * Initialize the scheduler - this has to come after
1436  * options_init_from_torrc() sets up libevent - why yes, that seems
1437  * completely sensible to hide the libevent setup in the option parsing
1438  * code! It also needs to happen before init_keys(), so it needs to
1439  * happen here too. How yucky. */
1440  scheduler_init();
1441 
1442  /* Attempt to lock all current and future memory with mlockall() only once.
1443  * This must happen before setuid. */
1444  if (options->DisableAllSwap) {
1445  if (tor_mlockall() == -1) {
1446  *msg_out = tor_strdup("DisableAllSwap failure. Do you have proper "
1447  "permissions?");
1448  return -1;
1449  }
1450  }
1451 
1452  have_set_startup_options = true;
1453  return 0;
1454 }
1455 
1456 /**
1457  * Change our user ID if we're configured to do so.
1458  **/
1459 static int
1460 options_switch_id(char **msg_out)
1461 {
1462  const or_options_t *options = get_options();
1463 
1464  /* Setuid/setgid as appropriate */
1465  if (options->User) {
1466  tor_assert(have_low_ports != -1);
1467  unsigned switch_id_flags = 0;
1468  if (options->KeepBindCapabilities == 1) {
1469  switch_id_flags |= SWITCH_ID_KEEP_BINDLOW;
1470  switch_id_flags |= SWITCH_ID_WARN_IF_NO_CAPS;
1471  }
1472  if (options->KeepBindCapabilities == -1 && have_low_ports) {
1473  switch_id_flags |= SWITCH_ID_KEEP_BINDLOW;
1474  }
1475  if (switch_id(options->User, switch_id_flags) != 0) {
1476  /* No need to roll back, since you can't change the value. */
1477  *msg_out = tor_strdup("Problem with User value. See logs for details.");
1478  return -1;
1479  }
1480  }
1481 
1482  return 0;
1483 }
1484 
1485 /**
1486  * Helper. Given a data directory (<b>datadir</b>) and another directory
1487  * (<b>subdir</b>) with respective group-writable permissions
1488  * <b>datadir_gr</b> and <b>subdir_gr</b>, compute whether the subdir should
1489  * be group-writeable.
1490  **/
1491 static int
1492 compute_group_readable_flag(const char *datadir,
1493  const char *subdir,
1494  int datadir_gr,
1495  int subdir_gr)
1496 {
1497  if (subdir_gr != -1) {
1498  /* The user specified a default for "subdir", so we always obey it. */
1499  return subdir_gr;
1500  }
1501 
1502  /* The user left the subdir_gr option on "auto." */
1503  if (0 == strcmp(subdir, datadir)) {
1504  /* The directories are the same, so we use the group-readable flag from
1505  * the datadirectory */
1506  return datadir_gr;
1507  } else {
1508  /* The directories are different, so we default to "not group-readable" */
1509  return 0;
1510  }
1511 }
1512 
1513 /**
1514  * Create our DataDirectory, CacheDirectory, and KeyDirectory, and
1515  * set their permissions correctly.
1516  */
1517 STATIC int
1519 {
1520  const or_options_t *options = get_options();
1521  const bool running_tor = options->command == CMD_RUN_TOR;
1522 
1523  /* Ensure data directory is private; create if possible. */
1524  /* It's okay to do this in "options_act_reversible()" even though it isn't
1525  * actually reversible, since you can't change the DataDirectory while
1526  * Tor is running. */
1527  if (check_and_create_data_directory(running_tor /* create */,
1528  options->DataDirectory,
1529  options->DataDirectoryGroupReadable,
1530  options->User,
1531  msg_out) < 0) {
1532  return -1;
1533  }
1534 
1535  /* We need to handle the group-readable flag for the cache directory and key
1536  * directory specially, since they may be the same as the data directory */
1537  const int key_dir_group_readable = compute_group_readable_flag(
1538  options->DataDirectory,
1539  options->KeyDirectory,
1540  options->DataDirectoryGroupReadable,
1541  options->KeyDirectoryGroupReadable);
1542 
1543  if (check_and_create_data_directory(running_tor /* create */,
1544  options->KeyDirectory,
1545  key_dir_group_readable,
1546  options->User,
1547  msg_out) < 0) {
1548  return -1;
1549  }
1550 
1551  const int cache_dir_group_readable = compute_group_readable_flag(
1552  options->DataDirectory,
1553  options->CacheDirectory,
1554  options->DataDirectoryGroupReadable,
1555  options->CacheDirectoryGroupReadable);
1556 
1557  if (check_and_create_data_directory(running_tor /* create */,
1558  options->CacheDirectory,
1559  cache_dir_group_readable,
1560  options->User,
1561  msg_out) < 0) {
1562  return -1;
1563  }
1564 
1565  return 0;
1566 }
1567 
1568 /** Structure to represent an incomplete configuration of a set of
1569  * listeners.
1570  *
1571  * This structure is generated by options_start_listener_transaction(), and is
1572  * either committed by options_commit_listener_transaction() or rolled back by
1573  * options_rollback_listener_transaction(). */
1574 typedef struct listener_transaction_t {
1575  bool set_conn_limit; /**< True if we've set the connection limit */
1576  unsigned old_conn_limit; /**< If nonzero, previous connlimit value. */
1577  smartlist_t *new_listeners; /**< List of new listeners that we opened. */
1579 
1580 /**
1581  * Start configuring our listeners based on the current value of
1582  * get_options().
1583  *
1584  * The value <b>old_options</b> holds either the previous options object,
1585  * or NULL if we're starting for the first time.
1586  *
1587  * On success, return a listener_transaction_t that we can either roll back or
1588  * commit.
1589  *
1590  * On failure return NULL and write a message into a newly allocated string in
1591  * *<b>msg_out</b>.
1592  **/
1593 static listener_transaction_t *
1595  char **msg_out)
1596 {
1597  listener_transaction_t *xn = tor_malloc_zero(sizeof(listener_transaction_t));
1598  xn->new_listeners = smartlist_new();
1599  or_options_t *options = get_options_mutable();
1600  const bool running_tor = options->command == CMD_RUN_TOR;
1601 
1602  if (! running_tor) {
1603  return xn;
1604  }
1605 
1606  int n_ports=0;
1607  /* We need to set the connection limit before we can open the listeners. */
1608  if (! sandbox_is_active()) {
1609  if (set_max_file_descriptors((unsigned)options->ConnLimit,
1610  &options->ConnLimit_) < 0) {
1611  *msg_out = tor_strdup("Problem with ConnLimit value. "
1612  "See logs for details.");
1613  goto rollback;
1614  }
1615  xn->set_conn_limit = true;
1616  if (old_options)
1617  xn->old_conn_limit = (unsigned)old_options->ConnLimit;
1618  } else {
1619  tor_assert(old_options);
1620  options->ConnLimit_ = old_options->ConnLimit_;
1621  }
1622 
1623  /* Adjust the port configuration so we can launch listeners. */
1624  /* 31851: some ports are relay-only */
1625  if (parse_ports(options, 0, msg_out, &n_ports, NULL)) {
1626  if (!*msg_out)
1627  *msg_out = tor_strdup("Unexpected problem parsing port config");
1628  goto rollback;
1629  }
1630 
1631  /* Set the hibernation state appropriately.*/
1632  consider_hibernation(time(NULL));
1633 
1634  /* Launch the listeners. (We do this before we setuid, so we can bind to
1635  * ports under 1024.) We don't want to rebind if we're hibernating or
1636  * shutting down. If networking is disabled, this will close all but the
1637  * control listeners, but disable those. */
1638  /* 31851: some listeners are relay-only */
1639  if (!we_are_hibernating()) {
1641  options->DisableNetwork) < 0) {
1642  *msg_out = tor_strdup("Failed to bind one of the listener ports.");
1643  goto rollback;
1644  }
1645  }
1646  if (options->DisableNetwork) {
1647  /* Aggressively close non-controller stuff, NOW */
1648  log_notice(LD_NET, "DisableNetwork is set. Tor will not make or accept "
1649  "non-control network connections. Shutting down all existing "
1650  "connections.");
1652  /* We can't complete circuits until the network is re-enabled. */
1654  }
1655 
1656 #if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
1657  /* Open /dev/pf before (possibly) dropping privileges. */
1658  if (options->TransPort_set &&
1659  options->TransProxyType_parsed == TPT_DEFAULT) {
1660  if (get_pf_socket() < 0) {
1661  *msg_out = tor_strdup("Unable to open /dev/pf for transparent proxy.");
1662  goto rollback;
1663  }
1664  }
1665 #endif /* defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H) */
1666 
1667  return xn;
1668 
1669  rollback:
1671  return NULL;
1672 }
1673 
1674 /**
1675  * Finish configuring the listeners that started to get configured with
1676  * <b>xn</b>. Frees <b>xn</b>.
1677  **/
1678 static void
1680 {
1681  tor_assert(xn);
1682  if (xn->set_conn_limit) {
1683  or_options_t *options = get_options_mutable();
1684  /*
1685  * If we adjusted the conn limit, recompute the OOS threshold too
1686  *
1687  * How many possible sockets to keep in reserve? If we have lots of
1688  * possible sockets, keep this below a limit and set ConnLimit_high_thresh
1689  * very close to ConnLimit_, but if ConnLimit_ is low, shrink it in
1690  * proportion.
1691  *
1692  * Somewhat arbitrarily, set socks_in_reserve to 5% of ConnLimit_, but
1693  * cap it at 64.
1694  */
1695  int socks_in_reserve = options->ConnLimit_ / 20;
1696  if (socks_in_reserve > 64) socks_in_reserve = 64;
1697 
1698  options->ConnLimit_high_thresh = options->ConnLimit_ - socks_in_reserve;
1699  options->ConnLimit_low_thresh = (options->ConnLimit_ / 4) * 3;
1700  log_info(LD_GENERAL,
1701  "Recomputed OOS thresholds: ConnLimit %d, ConnLimit_ %d, "
1702  "ConnLimit_high_thresh %d, ConnLimit_low_thresh %d",
1703  options->ConnLimit, options->ConnLimit_,
1704  options->ConnLimit_high_thresh,
1705  options->ConnLimit_low_thresh);
1706 
1707  /* Give the OOS handler a chance with the new thresholds */
1709  }
1710 
1711  smartlist_free(xn->new_listeners);
1712  tor_free(xn);
1713 }
1714 
1715 /**
1716  * Revert the listener configuration changes that that started to get
1717  * configured with <b>xn</b>. Frees <b>xn</b>.
1718  **/
1719 static void
1721 {
1722  if (! xn)
1723  return;
1724 
1725  or_options_t *options = get_options_mutable();
1726 
1727  if (xn->set_conn_limit && xn->old_conn_limit)
1729 
1731  {
1732  log_notice(LD_NET, "Closing partially-constructed %s",
1733  connection_describe(conn));
1734  connection_close_immediate(conn);
1735  connection_mark_for_close(conn);
1736  });
1737 
1738  smartlist_free(xn->new_listeners);
1739  tor_free(xn);
1740 }
1741 
1742 /** Structure to represent an incomplete configuration of a set of logs.
1743  *
1744  * This structure is generated by options_start_log_transaction(), and is
1745  * either committed by options_commit_log_transaction() or rolled back by
1746  * options_rollback_log_transaction(). */
1747 typedef struct log_transaction_t {
1748  /** Previous lowest severity of any configured log. */
1750  /** True if we have marked the previous logs to be closed */
1752  /** True if we initialized the new set of logs */
1754  /** True if our safelogging configuration is different from what it was
1755  * previously (or if we are starting for the first time). */
1758 
1759 /**
1760  * Start configuring our logs based on the current value of get_options().
1761  *
1762  * The value <b>old_options</b> holds either the previous options object,
1763  * or NULL if we're starting for the first time.
1764  *
1765  * On success, return a log_transaction_t that we can either roll back or
1766  * commit.
1767  *
1768  * On failure return NULL and write a message into a newly allocated string in
1769  * *<b>msg_out</b>.
1770  **/
1773  char **msg_out)
1774 {
1775  const or_options_t *options = get_options();
1776  const bool running_tor = options->command == CMD_RUN_TOR;
1777 
1778  log_transaction_t *xn = tor_malloc_zero(sizeof(log_transaction_t));
1780  xn->safelogging_changed = !old_options ||
1781  old_options->SafeLogging_ != options->SafeLogging_;
1782 
1783  if (! running_tor)
1784  goto done;
1785 
1786  mark_logs_temp(); /* Close current logs once new logs are open. */
1787  xn->logs_marked = true;
1788  /* Configure the tor_log(s) */
1789  if (options_init_logs(old_options, options, 0)<0) {
1790  *msg_out = tor_strdup("Failed to init Log options. See logs for details.");
1792  xn = NULL;
1793  goto done;
1794  }
1795 
1796  xn->logs_initialized = true;
1797 
1798  done:
1799  return xn;
1800 }
1801 
1802 /**
1803  * Finish configuring the logs that started to get configured with <b>xn</b>.
1804  * Frees <b>xn</b>.
1805  **/
1806 STATIC void
1808 {
1809  const or_options_t *options = get_options();
1810  tor_assert(xn);
1811 
1812  if (xn->logs_marked) {
1813  log_severity_list_t *severity =
1814  tor_malloc_zero(sizeof(log_severity_list_t));
1815  close_temp_logs();
1819  tor_free(severity);
1821  }
1822 
1823  if (xn->logs_initialized) {
1825  }
1826 
1827  {
1828  const char *badness = NULL;
1829  int bad_safelog = 0, bad_severity = 0, new_badness = 0;
1830  if (options->SafeLogging_ != SAFELOG_SCRUB_ALL) {
1831  bad_safelog = 1;
1832  if (xn->safelogging_changed)
1833  new_badness = 1;
1834  }
1835  if (get_min_log_level() >= LOG_INFO) {
1836  bad_severity = 1;
1837  if (get_min_log_level() != xn->old_min_log_level)
1838  new_badness = 1;
1839  }
1840  if (bad_safelog && bad_severity)
1841  badness = "you disabled SafeLogging, and "
1842  "you're logging more than \"notice\"";
1843  else if (bad_safelog)
1844  badness = "you disabled SafeLogging";
1845  else
1846  badness = "you're logging more than \"notice\"";
1847  if (new_badness)
1848  log_warn(LD_GENERAL, "Your log may contain sensitive information - %s. "
1849  "Don't log unless it serves an important reason. "
1850  "Overwrite the log afterwards.", badness);
1851  }
1852 
1853  tor_free(xn);
1854 }
1855 
1856 /**
1857  * Revert the log configuration changes that that started to get configured
1858  * with <b>xn</b>. Frees <b>xn</b>.
1859  **/
1860 STATIC void
1862 {
1863  if (!xn)
1864  return;
1865 
1866  if (xn->logs_marked) {
1869  }
1870 
1871  tor_free(xn);
1872 }
1873 
1874 /**
1875  * Fetch the active option list, and take actions based on it. All of
1876  * the things we do in this function should survive being done
1877  * repeatedly, OR be done only once when starting Tor. If present,
1878  * <b>old_options</b> contains the previous value of the options.
1879  *
1880  * This function is only truly "reversible" _after_ the first time it
1881  * is run. The first time that it runs, it performs some irreversible
1882  * tasks in the correct sequence between the reversible option changes.
1883  *
1884  * Option changes should only be marked as "reversible" if they cannot
1885  * be validated before switching them, but they can be switched back if
1886  * some other validation fails.
1887  *
1888  * Return 0 if all goes well, return -1 if things went badly.
1889  */
1890 MOCK_IMPL(STATIC int,
1891 options_act_reversible,(const or_options_t *old_options, char **msg))
1892 {
1893  const bool first_time = ! have_set_startup_options;
1894  log_transaction_t *log_transaction = NULL;
1895  listener_transaction_t *listener_transaction = NULL;
1896  int r = -1;
1897 
1898  /* The ordering of actions in this function is not free, sadly.
1899  *
1900  * First of all, we _must_ daemonize before we take all kinds of
1901  * initialization actions, since they need to happen in the
1902  * subprocess.
1903  */
1904  if (options_act_once_on_startup(msg) < 0)
1905  goto rollback;
1906 
1907  /* Once we've handled most of once-off initialization, we need to
1908  * open our listeners before we switch IDs. (If we open listeners first,
1909  * we might not be able to bind to low ports.)
1910  */
1911  listener_transaction = options_start_listener_transaction(old_options, msg);
1912  if (listener_transaction == NULL)
1913  goto rollback;
1914 
1915  if (first_time) {
1916  if (options_switch_id(msg) < 0)
1917  goto rollback;
1918  }
1919 
1920  /* On the other hand, we need to touch the file system _after_ we
1921  * switch IDs: otherwise, we'll be making directories and opening files
1922  * with the wrong permissions.
1923  */
1924  if (first_time) {
1925  if (options_create_directories(msg) < 0)
1926  goto rollback;
1927  }
1928 
1929  /* Bail out at this point if we're not going to be a client or server:
1930  * we don't run Tor itself. */
1931  log_transaction = options_start_log_transaction(old_options, msg);
1932  if (log_transaction == NULL)
1933  goto rollback;
1934 
1935  // Commit!
1936  r = 0;
1937 
1938  options_commit_log_transaction(log_transaction);
1939 
1940  options_commit_listener_transaction(listener_transaction);
1941 
1942  goto done;
1943 
1944  rollback:
1945  r = -1;
1946  tor_assert(*msg);
1947 
1948  options_rollback_log_transaction(log_transaction);
1949  options_rollback_listener_transaction(listener_transaction);
1950 
1951  done:
1952  return r;
1953 }
1954 
1955 /** If we need to have a GEOIP ip-to-country map to run with our configured
1956  * options, return 1 and set *<b>reason_out</b> to a description of why. */
1957 int
1958 options_need_geoip_info(const or_options_t *options, const char **reason_out)
1959 {
1960  int bridge_usage = should_record_bridge_info(options);
1961  int routerset_usage =
1962  routerset_needs_geoip(options->EntryNodes) ||
1963  routerset_needs_geoip(options->ExitNodes) ||
1964  routerset_needs_geoip(options->MiddleNodes) ||
1966  routerset_needs_geoip(options->ExcludeNodes) ||
1969 
1970  if (routerset_usage && reason_out) {
1971  *reason_out = "We've been configured to use (or avoid) nodes in certain "
1972  "countries, and we need GEOIP information to figure out which ones they "
1973  "are.";
1974  } else if (bridge_usage && reason_out) {
1975  *reason_out = "We've been configured to see which countries can access "
1976  "us as a bridge, and we need GEOIP information to tell which countries "
1977  "clients are in.";
1978  }
1979  return bridge_usage || routerset_usage;
1980 }
1981 
1982 /* Used in the various options_transition_affects* functions. */
1983 #define YES_IF_CHANGED_BOOL(opt) \
1984  if (!CFG_EQ_BOOL(old_options, new_options, opt)) return 1;
1985 #define YES_IF_CHANGED_INT(opt) \
1986  if (!CFG_EQ_INT(old_options, new_options, opt)) return 1;
1987 #define YES_IF_CHANGED_STRING(opt) \
1988  if (!CFG_EQ_STRING(old_options, new_options, opt)) return 1;
1989 #define YES_IF_CHANGED_LINELIST(opt) \
1990  if (!CFG_EQ_LINELIST(old_options, new_options, opt)) return 1;
1991 #define YES_IF_CHANGED_SMARTLIST(opt) \
1992  if (!CFG_EQ_SMARTLIST(old_options, new_options, opt)) return 1;
1993 #define YES_IF_CHANGED_ROUTERSET(opt) \
1994  if (!CFG_EQ_ROUTERSET(old_options, new_options, opt)) return 1;
1995 
1996 /**
1997  * Return true if changing the configuration from <b>old</b> to <b>new</b>
1998  * affects the guard subsystem.
1999  */
2000 static int
2002  const or_options_t *new_options)
2003 {
2004  /* NOTE: Make sure this function stays in sync with
2005  * node_passes_guard_filter */
2006  tor_assert(old_options);
2007  tor_assert(new_options);
2008 
2009  YES_IF_CHANGED_BOOL(UseEntryGuards);
2010  YES_IF_CHANGED_BOOL(UseBridges);
2011  YES_IF_CHANGED_BOOL(ClientUseIPv4);
2012  YES_IF_CHANGED_BOOL(ClientUseIPv6);
2013  YES_IF_CHANGED_BOOL(FascistFirewall);
2014  YES_IF_CHANGED_ROUTERSET(ExcludeNodes);
2015  YES_IF_CHANGED_ROUTERSET(EntryNodes);
2016  YES_IF_CHANGED_SMARTLIST(FirewallPorts);
2017  YES_IF_CHANGED_LINELIST(Bridges);
2018  YES_IF_CHANGED_LINELIST(ReachableORAddresses);
2019  YES_IF_CHANGED_LINELIST(ReachableDirAddresses);
2020 
2021  return 0;
2022 }
2023 
2024 /** Fetch the active option list, and take actions based on it. All of the
2025  * things we do should survive being done repeatedly. If present,
2026  * <b>old_options</b> contains the previous value of the options.
2027  *
2028  * Return 0 if all goes well, return -1 if it's time to die.
2029  *
2030  * Note: We haven't moved all the "act on new configuration" logic
2031  * the options_act* functions yet. Some is still in do_hup() and other
2032  * places.
2033  */
2034 MOCK_IMPL(STATIC int,
2035 options_act,(const or_options_t *old_options))
2036 {
2037  config_line_t *cl;
2038  or_options_t *options = get_options_mutable();
2039  int running_tor = options->command == CMD_RUN_TOR;
2040  char *msg=NULL;
2041  const int transition_affects_guards =
2042  old_options && options_transition_affects_guards(old_options, options);
2043 
2044  if (options->NoExec || options->Sandbox) {
2046  }
2047 
2048  /* disable ptrace and later, other basic debugging techniques */
2049  {
2050  /* Remember if we already disabled debugger attachment */
2051  static int disabled_debugger_attach = 0;
2052  /* Remember if we already warned about being configured not to disable
2053  * debugger attachment */
2054  static int warned_debugger_attach = 0;
2055  /* Don't disable debugger attachment when we're running the unit tests. */
2056  if (options->DisableDebuggerAttachment && !disabled_debugger_attach &&
2057  running_tor) {
2058  int ok = tor_disable_debugger_attach();
2059  /* LCOV_EXCL_START the warned_debugger_attach is 0 can't reach inside. */
2060  if (warned_debugger_attach && ok == 1) {
2061  log_notice(LD_CONFIG, "Disabled attaching debuggers for unprivileged "
2062  "users.");
2063  }
2064  /* LCOV_EXCL_STOP */
2065  disabled_debugger_attach = (ok == 1);
2066  } else if (!options->DisableDebuggerAttachment &&
2067  !warned_debugger_attach) {
2068  log_notice(LD_CONFIG, "Not disabling debugger attaching for "
2069  "unprivileged users.");
2070  warned_debugger_attach = 1;
2071  }
2072  }
2073 
2074  /* Write control ports to disk as appropriate */
2076 
2077  if (running_tor && !have_lockfile()) {
2078  if (try_locking(options, 1) < 0)
2079  return -1;
2080  }
2081 
2082  {
2083  int warning_severity = options->ProtocolWarnings ? LOG_WARN : LOG_INFO;
2084  set_protocol_warning_severity_level(warning_severity);
2085  }
2086 
2087  if (consider_adding_dir_servers(options, old_options) < 0) {
2088  // XXXX This should get validated earlier, and committed here, to
2089  // XXXX lower opportunities for reaching an error case.
2090  return -1;
2091  }
2092 
2093  if (hs_service_non_anonymous_mode_enabled(options)) {
2094  log_warn(LD_GENERAL, "This copy of Tor was compiled or configured to run "
2095  "in a non-anonymous mode. It will provide NO ANONYMITY.");
2096  }
2097 
2098  /* 31851: OutboundBindAddressExit is relay-only */
2099  if (parse_outbound_addresses(options, 0, &msg) < 0) {
2100  // LCOV_EXCL_START
2101  log_warn(LD_BUG, "Failed parsing previously validated outbound "
2102  "bind addresses: %s", msg);
2103  tor_free(msg);
2104  return -1;
2105  // LCOV_EXCL_STOP
2106  }
2107 
2108  if (options->Bridges) {
2109  mark_bridge_list();
2110  for (cl = options->Bridges; cl; cl = cl->next) {
2111  bridge_line_t *bridge_line = parse_bridge_line(cl->value);
2112  if (!bridge_line) {
2113  // LCOV_EXCL_START
2114  log_warn(LD_BUG,
2115  "Previously validated Bridge line could not be added!");
2116  return -1;
2117  // LCOV_EXCL_STOP
2118  }
2119  bridge_add_from_config(bridge_line);
2120  }
2122  }
2123 
2124  if (running_tor && hs_config_service_all(options, 0)<0) {
2125  // LCOV_EXCL_START
2126  log_warn(LD_BUG,
2127  "Previously validated hidden services line could not be added!");
2128  return -1;
2129  // LCOV_EXCL_STOP
2130  }
2131 
2132  if (running_tor && hs_config_client_auth_all(options, 0) < 0) {
2133  // LCOV_EXCL_START
2134  log_warn(LD_BUG, "Previously validated client authorization for "
2135  "hidden services could not be added!");
2136  return -1;
2137  // LCOV_EXCL_STOP
2138  }
2139 
2140  if (running_tor && !old_options &&
2141  options->OwningControllerFD != UINT64_MAX) {
2142  const unsigned ctrl_flags =
2143  CC_LOCAL_FD_IS_OWNER |
2144  CC_LOCAL_FD_IS_AUTHENTICATED;
2145  tor_socket_t ctrl_sock = (tor_socket_t)options->OwningControllerFD;
2146  if (control_connection_add_local_fd(ctrl_sock, ctrl_flags) < 0) {
2147  log_warn(LD_CONFIG, "Could not add local controller connection with "
2148  "given FD.");
2149  return -1;
2150  }
2151  }
2152 
2153  /* Load state */
2154  if (! or_state_loaded() && running_tor) {
2155  if (or_state_load())
2156  return -1;
2157  if (options_act_dirauth_mtbf(options) < 0)
2158  return -1;
2159  }
2160 
2161  /* 31851: some of the code in these functions is relay-only */
2164  if (!options->DisableNetwork) {
2165  if (options->ClientTransportPlugin) {
2166  for (cl = options->ClientTransportPlugin; cl; cl = cl->next) {
2167  if (pt_parse_transport_line(options, cl->value, 0, 0) < 0) {
2168  // LCOV_EXCL_START
2169  log_warn(LD_BUG,
2170  "Previously validated ClientTransportPlugin line "
2171  "could not be added!");
2172  return -1;
2173  // LCOV_EXCL_STOP
2174  }
2175  }
2176  }
2177  }
2178 
2179  if (options_act_server_transport(old_options) < 0)
2180  return -1;
2181 
2183  sweep_proxy_list();
2184 
2185  /* Start the PT proxy configuration. By doing this configuration
2186  here, we also figure out which proxies need to be restarted and
2187  which not. */
2190 
2191  /* Bail out at this point if we're not going to be a client or server:
2192  * we want to not fork, and to log stuff to stderr. */
2193  if (!running_tor)
2194  return 0;
2195 
2196  /* Finish backgrounding the process */
2197  if (options->RunAsDaemon) {
2198  /* We may be calling this for the n'th time (on SIGHUP), but it's safe. */
2199  finish_daemon(options->DataDirectory);
2200  }
2201 
2202  if (options_act_relay(old_options) < 0)
2203  return -1;
2204 
2205  /* Write our PID to the PID file. If we do not have write permissions we
2206  * will log a warning and exit. */
2207  if (options->PidFile && !sandbox_is_active()) {
2208  if (write_pidfile(options->PidFile) < 0) {
2209  log_err(LD_CONFIG, "Unable to write PIDFile %s",
2210  escaped(options->PidFile));
2211  return -1;
2212  }
2213  }
2214 
2215  /* Register addressmap directives */
2216  config_register_addressmaps(options);
2217  parse_virtual_addr_network(options->VirtualAddrNetworkIPv4, AF_INET,0,NULL);
2218  parse_virtual_addr_network(options->VirtualAddrNetworkIPv6, AF_INET6,0,NULL);
2219 
2220  /* Update address policies. */
2221  if (policies_parse_from_options(options) < 0) {
2222  /* This should be impossible, but let's be sure. */
2223  log_warn(LD_BUG,"Error parsing already-validated policy options.");
2224  return -1;
2225  }
2226 
2227  if (init_control_cookie_authentication(options->CookieAuthentication) < 0) {
2228  log_warn(LD_CONFIG,"Error creating control cookie authentication file.");
2229  return -1;
2230  }
2231 
2233 
2234  /* reload keys as needed for rendezvous services. */
2235  if (hs_service_load_all_keys() < 0) {
2236  log_warn(LD_GENERAL,"Error loading rendezvous service keys");
2237  return -1;
2238  }
2239 
2240  /* Inform the scheduler subsystem that a configuration changed happened. It
2241  * might be a change of scheduler or parameter. */
2243 
2244  if (options_act_relay_accounting(old_options) < 0)
2245  return -1;
2246 
2247  /* Change the cell EWMA settings */
2249 
2250  /* Update the BridgePassword's hashed version as needed. We store this as a
2251  * digest so that we can do side-channel-proof comparisons on it.
2252  */
2253  if (options->BridgePassword) {
2254  char *http_authenticator;
2255  http_authenticator = alloc_http_authenticator(options->BridgePassword);
2256  if (!http_authenticator) {
2257  // XXXX This should get validated in options_validate().
2258  log_warn(LD_BUG, "Unable to allocate HTTP authenticator. Not setting "
2259  "BridgePassword.");
2260  return -1;
2261  }
2262  options->BridgePassword_AuthDigest_ = tor_malloc(DIGEST256_LEN);
2264  http_authenticator, strlen(http_authenticator),
2265  DIGEST_SHA256);
2266  tor_free(http_authenticator);
2267  }
2268 
2269  config_maybe_load_geoip_files_(options, old_options);
2270 
2271  if (geoip_is_loaded(AF_INET) && options->GeoIPExcludeUnknown) {
2272  /* ExcludeUnknown is true or "auto" */
2273  const int is_auto = options->GeoIPExcludeUnknown == -1;
2274  int changed;
2275 
2276  changed = routerset_add_unknown_ccs(&options->ExcludeNodes, is_auto);
2277  changed += routerset_add_unknown_ccs(&options->ExcludeExitNodes, is_auto);
2278 
2279  if (changed)
2281  }
2282 
2283  /* Check for transitions that need action. */
2284  if (old_options) {
2285  int revise_trackexithosts = 0;
2286  int revise_automap_entries = 0;
2287  int abandon_circuits = 0;
2288  if ((options->UseEntryGuards && !old_options->UseEntryGuards) ||
2289  options->UseBridges != old_options->UseBridges ||
2290  (options->UseBridges &&
2291  !config_lines_eq(options->Bridges, old_options->Bridges)) ||
2292  !routerset_equal(old_options->ExcludeNodes,options->ExcludeNodes) ||
2293  !routerset_equal(old_options->ExcludeExitNodes,
2294  options->ExcludeExitNodes) ||
2295  !routerset_equal(old_options->EntryNodes, options->EntryNodes) ||
2296  !routerset_equal(old_options->ExitNodes, options->ExitNodes) ||
2297  !routerset_equal(old_options->HSLayer2Nodes,
2298  options->HSLayer2Nodes) ||
2299  !routerset_equal(old_options->HSLayer3Nodes,
2300  options->HSLayer3Nodes) ||
2301  !routerset_equal(old_options->MiddleNodes, options->MiddleNodes) ||
2302  options->StrictNodes != old_options->StrictNodes) {
2303  log_info(LD_CIRC,
2304  "Changed to using entry guards or bridges, or changed "
2305  "preferred or excluded node lists. "
2306  "Abandoning previous circuits.");
2307  abandon_circuits = 1;
2308  }
2309 
2310  if (transition_affects_guards) {
2311  if (guards_update_all()) {
2312  abandon_circuits = 1;
2313  }
2314  }
2315 
2316  if (abandon_circuits) {
2319  revise_trackexithosts = 1;
2320  }
2321 
2322  if (!smartlist_strings_eq(old_options->TrackHostExits,
2323  options->TrackHostExits))
2324  revise_trackexithosts = 1;
2325 
2326  if (revise_trackexithosts)
2328 
2329  if (!options->AutomapHostsOnResolve &&
2330  old_options->AutomapHostsOnResolve) {
2331  revise_automap_entries = 1;
2332  } else {
2333  if (!smartlist_strings_eq(old_options->AutomapHostsSuffixes,
2334  options->AutomapHostsSuffixes))
2335  revise_automap_entries = 1;
2336  else if (!opt_streq(old_options->VirtualAddrNetworkIPv4,
2337  options->VirtualAddrNetworkIPv4) ||
2338  !opt_streq(old_options->VirtualAddrNetworkIPv6,
2339  options->VirtualAddrNetworkIPv6))
2340  revise_automap_entries = 1;
2341  }
2342 
2343  if (revise_automap_entries)
2345 
2346  if (options_act_bridge_stats(old_options) < 0)
2347  return -1;
2348 
2349  if (dns_reset())
2350  return -1;
2351 
2352  if (options_act_relay_bandwidth(old_options) < 0)
2353  return -1;
2354 
2355  if (options->BandwidthRate != old_options->BandwidthRate ||
2356  options->BandwidthBurst != old_options->BandwidthBurst)
2357  connection_bucket_adjust(options);
2358 
2359  if (options->MainloopStats != old_options->MainloopStats) {
2361  }
2362  }
2363 
2364  /* 31851: These options are relay-only, but we need to disable them if we
2365  * are in client mode. In 29211, we will disable all relay options in
2366  * client mode. */
2367  /* Only collect directory-request statistics on relays and bridges. */
2368  options->DirReqStatistics = options->DirReqStatistics_option &&
2369  server_mode(options);
2370  options->HiddenServiceStatistics =
2371  options->HiddenServiceStatistics_option && server_mode(options);
2372 
2373  /* Only collect other relay-only statistics on relays. */
2374  if (!public_server_mode(options)) {
2375  options->CellStatistics = 0;
2376  options->EntryStatistics = 0;
2377  options->ConnDirectionStatistics = 0;
2378  options->ExitPortStatistics = 0;
2379  }
2380 
2381  bool print_notice = 0;
2382  if (options_act_relay_stats(old_options, &print_notice) < 0)
2383  return -1;
2384  if (options_act_dirauth_stats(old_options, &print_notice) < 0)
2385  return -1;
2386  if (print_notice)
2388 
2389  if (options_act_relay_desc(old_options) < 0)
2390  return -1;
2391 
2392  if (options_act_dirauth(old_options) < 0)
2393  return -1;
2394 
2395  /* We may need to reschedule some directory stuff if our status changed. */
2396  if (old_options) {
2398  dirclient_fetches_dir_info_early(old_options)) ||
2400  dirclient_fetches_dir_info_later(old_options)) ||
2401  !config_lines_eq(old_options->Bridges, options->Bridges)) {
2402  /* Make sure update_router_have_minimum_dir_info() gets called. */
2404  /* We might need to download a new consensus status later or sooner than
2405  * we had expected. */
2407  }
2408  }
2409 
2410  if (options_act_relay_dos(old_options) < 0)
2411  return -1;
2412  if (options_act_relay_dir(old_options) < 0)
2413  return -1;
2414 
2415  return 0;
2416 }
2417 
2418 /**
2419  * Enumeration to describe the syntax for a command-line option.
2420  **/
2421 typedef enum {
2422  /** Describe an option that does not take an argument. */
2424  /** Describes an option that takes a single argument. */
2426  /** Describes an option that takes a single optional argument. */
2427  ARGUMENT_OPTIONAL = 2
2429 
2430 /** Table describing arguments that Tor accepts on the command line,
2431  * other than those that are the same as in torrc. */
2432 static const struct {
2433  /** The string that the user has to provide. */
2434  const char *name;
2435  /** Optional short name. */
2436  const char *short_name;
2437  /** Does this option accept an argument? */
2439  /** If not CMD_RUN_TOR, what should Tor do when it starts? */
2441  /** If nonzero, set the quiet level to this. 1 is "hush", 2 is "quiet" */
2442  int quiet;
2443 } CMDLINE_ONLY_OPTIONS[] = {
2444  { .name="--torrc-file",
2445  .short_name="-f",
2446  .takes_argument=ARGUMENT_NECESSARY },
2447  { .name="--allow-missing-torrc" },
2448  { .name="--defaults-torrc",
2449  .takes_argument=ARGUMENT_NECESSARY },
2450  { .name="--hash-password",
2451  .takes_argument=ARGUMENT_NECESSARY,
2452  .command=CMD_HASH_PASSWORD,
2453  .quiet=QUIET_HUSH },
2454  { .name="--dump-config",
2455  .takes_argument=ARGUMENT_OPTIONAL,
2456  .command=CMD_DUMP_CONFIG,
2457  .quiet=QUIET_SILENT },
2458  { .name="--list-fingerprint",
2459  .takes_argument=ARGUMENT_OPTIONAL,
2460  .command=CMD_LIST_FINGERPRINT },
2461  { .name="--keygen",
2462  .command=CMD_KEYGEN },
2463  { .name="--key-expiration",
2464  .takes_argument=ARGUMENT_OPTIONAL,
2465  .command=CMD_KEY_EXPIRATION },
2466  { .name="--format",
2467  .takes_argument=ARGUMENT_NECESSARY },
2468  { .name="--newpass" },
2469  { .name="--no-passphrase" },
2470  { .name="--passphrase-fd",
2471  .takes_argument=ARGUMENT_NECESSARY },
2472  { .name="--verify-config",
2473  .command=CMD_VERIFY_CONFIG },
2474  { .name="--ignore-missing-torrc" },
2475  { .name="--quiet",
2476  .quiet=QUIET_SILENT },
2477  { .name="--hush",
2478  .quiet=QUIET_HUSH },
2479  { .name="--version",
2480  .command=CMD_IMMEDIATE,
2481  .quiet=QUIET_HUSH },
2482  { .name="--list-modules",
2483  .command=CMD_IMMEDIATE,
2484  .quiet=QUIET_HUSH },
2485  { .name="--library-versions",
2486  .command=CMD_IMMEDIATE,
2487  .quiet=QUIET_HUSH },
2488  { .name="--help",
2489  .short_name="-h",
2490  .command=CMD_IMMEDIATE,
2491  .quiet=QUIET_HUSH },
2492  { .name="--list-torrc-options",
2493  .command=CMD_IMMEDIATE,
2494  .quiet=QUIET_HUSH },
2495  { .name="--list-deprecated-options",
2496  .command=CMD_IMMEDIATE },
2497  { .name="--nt-service" },
2498  { .name="-nt-service" },
2499  { .name="--dbg-dump-subsystem-list",
2500  .command=CMD_IMMEDIATE,
2501  .quiet=QUIET_HUSH },
2502  { .name=NULL },
2503 };
2504 
2505 /** Helper: Read a list of configuration options from the command line. If
2506  * successful, return a newly allocated parsed_cmdline_t; otherwise return
2507  * NULL.
2508  *
2509  * If <b>ignore_errors</b> is set, try to recover from all recoverable
2510  * errors and return the best command line we can.
2511  */
2513 config_parse_commandline(int argc, char **argv, int ignore_errors)
2514 {
2515  parsed_cmdline_t *result = tor_malloc_zero(sizeof(parsed_cmdline_t));
2516  result->command = CMD_RUN_TOR;
2517  config_line_t *param = NULL;
2518 
2519  config_line_t **new_cmdline = &result->cmdline_opts;
2520  config_line_t **new = &result->other_opts;
2521 
2522  char *s, *arg;
2523  int i = 1;
2524 
2525  while (i < argc) {
2526  unsigned command = CONFIG_LINE_NORMAL;
2528  int is_cmdline = 0;
2529  int j;
2530  bool is_a_command = false;
2531 
2532  for (j = 0; CMDLINE_ONLY_OPTIONS[j].name != NULL; ++j) {
2533  if (!strcmp(argv[i], CMDLINE_ONLY_OPTIONS[j].name) ||
2535  !strcmp(argv[i], CMDLINE_ONLY_OPTIONS[j].short_name))) {
2536  is_cmdline = 1;
2537  want_arg = CMDLINE_ONLY_OPTIONS[j].takes_argument;
2539  is_a_command = true;
2540  result->command = CMDLINE_ONLY_OPTIONS[j].command;
2541  }
2543  if (quiet > result->quiet_level)
2544  result->quiet_level = quiet;
2545  break;
2546  }
2547  }
2548 
2549  s = argv[i];
2550 
2551  /* Each keyword may be prefixed with one or two dashes. */
2552  if (*s == '-')
2553  s++;
2554  if (*s == '-')
2555  s++;
2556  /* Figure out the command, if any. */
2557  if (*s == '+') {
2558  s++;
2560  } else if (*s == '/') {
2561  s++;
2562  command = CONFIG_LINE_CLEAR;
2563  /* A 'clear' command has no argument. */
2564  want_arg = 0;
2565  }
2566 
2567  const int is_last = (i == argc-1);
2568 
2569  if (want_arg == ARGUMENT_NECESSARY && is_last) {
2570  if (ignore_errors) {
2571  arg = tor_strdup("");
2572  } else {
2573  log_warn(LD_CONFIG,"Command-line option '%s' with no value. Failing.",
2574  argv[i]);
2575  parsed_cmdline_free(result);
2576  return NULL;
2577  }
2578  } else if (want_arg == ARGUMENT_OPTIONAL &&
2579  /* optional arguments may never start with '-'. */
2580  (is_last || argv[i+1][0] == '-')) {
2581  arg = tor_strdup("");
2582  want_arg = ARGUMENT_NONE; // prevent skipping the next flag.
2583  } else {
2584  arg = (want_arg != ARGUMENT_NONE) ? tor_strdup(argv[i+1]) :
2585  tor_strdup("");
2586  }
2587 
2588  param = tor_malloc_zero(sizeof(config_line_t));
2589  param->key = is_cmdline ? tor_strdup(argv[i]) :
2590  tor_strdup(config_expand_abbrev(get_options_mgr(), s, 1, 1));
2591  param->value = arg;
2592  param->command = command;
2593  param->next = NULL;
2594  log_debug(LD_CONFIG, "command line: parsed keyword '%s', value '%s'",
2595  param->key, param->value);
2596 
2597  if (is_a_command) {
2598  result->command_arg = param->value;
2599  }
2600 
2601  if (is_cmdline) {
2602  *new_cmdline = param;
2603  new_cmdline = &((*new_cmdline)->next);
2604  } else {
2605  *new = param;
2606  new = &((*new)->next);
2607  }
2608 
2609  i += want_arg ? 2 : 1;
2610  }
2611 
2612  return result;
2613 }
2614 
2615 /** Release all storage held by <b>cmdline</b>. */
2616 void
2618 {
2619  if (!cmdline)
2620  return;
2621  config_free_lines(cmdline->cmdline_opts);
2622  config_free_lines(cmdline->other_opts);
2623  tor_free(cmdline);
2624 }
2625 
2626 /** Return true iff key is a valid configuration option. */
2627 int
2628 option_is_recognized(const char *key)
2629 {
2630  return config_find_option_name(get_options_mgr(), key) != NULL;
2631 }
2632 
2633 /** Return the canonical name of a configuration option, or NULL
2634  * if no such option exists. */
2635 const char *
2637 {
2639 }
2640 
2641 /** Return a canonical list of the options assigned for key.
2642  */
2643 config_line_t *
2644 option_get_assignment(const or_options_t *options, const char *key)
2645 {
2646  return config_get_assigned_option(get_options_mgr(), options, key, 1);
2647 }
2648 
2649 /** Try assigning <b>list</b> to the global options. You do this by duping
2650  * options, assigning list to the new one, then validating it. If it's
2651  * ok, then throw out the old one and stick with the new one. Else,
2652  * revert to old and return failure. Return SETOPT_OK on success, or
2653  * a setopt_err_t on failure.
2654  *
2655  * If not success, point *<b>msg</b> to a newly allocated string describing
2656  * what went wrong.
2657  */
2659 options_trial_assign(config_line_t *list, unsigned flags, char **msg)
2660 {
2661  int r;
2662  or_options_t *trial_options = config_dup(get_options_mgr(), get_options());
2663 
2664  if ((r=config_assign(get_options_mgr(), trial_options,
2665  list, flags, msg)) < 0) {
2666  or_options_free(trial_options);
2667  return r;
2668  }
2669  const or_options_t *cur_options = get_options();
2670 
2671  return options_validate_and_set(cur_options, trial_options, msg);
2672 }
2673 
2674 /** Print a usage message for tor. */
2675 static void
2677 {
2678  printf(
2679 "Copyright (c) 2001-2004, Roger Dingledine\n"
2680 "Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson\n"
2681 "Copyright (c) 2007-2021, The Tor Project, Inc.\n\n"
2682 "tor -f <torrc> [args]\n"
2683 "See man page for options, or https://www.torproject.org/ for "
2684 "documentation.\n");
2685 }
2686 
2687 /** Print all non-obsolete torrc options. */
2688 static void
2690 {
2692  SMARTLIST_FOREACH_BEGIN(vars, const config_var_t *, var) {
2693  /* Possibly this should check listable, rather than (or in addition to)
2694  * settable. See ticket 31654.
2695  */
2696  if (! config_var_is_settable(var)) {
2697  /* This variable cannot be set, or cannot be set by this name. */
2698  continue;
2699  }
2700  printf("%s\n", var->member.name);
2701  } SMARTLIST_FOREACH_END(var);
2702  smartlist_free(vars);
2703 }
2704 
2705 /** Print all deprecated but non-obsolete torrc options. */
2706 static void
2708 {
2710  /* Possibly this should check whether the variables are listable,
2711  * but currently it does not. See ticket 31654. */
2712  SMARTLIST_FOREACH(deps, const char *, name,
2713  printf("%s\n", name));
2714  smartlist_free(deps);
2715 }
2716 
2717 /** Print all compile-time modules and their enabled/disabled status. */
2718 static void
2720 {
2721  printf("%s: %s\n", "relay", have_module_relay() ? "yes" : "no");
2722  printf("%s: %s\n", "dirauth", have_module_dirauth() ? "yes" : "no");
2723  // We don't list dircache, because it cannot be enabled or disabled
2724  // independently from relay. Listing it here would proliferate
2725  // test variants in test_parseconf.sh to no useful purpose.
2726 }
2727 
2728 /** Prints compile-time and runtime library versions. */
2729 static void
2731 {
2732  printf("Tor version %s. \n", get_version());
2733  printf("Library versions\tCompiled\t\tRuntime\n");
2734  printf("Libevent\t\t%-15s\t\t%s\n",
2737 #ifdef ENABLE_OPENSSL
2738  printf("OpenSSL \t\t%-15s\t\t%s\n",
2739  crypto_openssl_get_header_version_str(),
2740  crypto_openssl_get_version_str());
2741 #endif
2742 #ifdef ENABLE_NSS
2743  printf("NSS \t\t%-15s\t\t%s\n",
2744  crypto_nss_get_header_version_str(),
2745  crypto_nss_get_version_str());
2746 #endif
2747  if (tor_compress_supports_method(ZLIB_METHOD)) {
2748  printf("Zlib \t\t%-15s\t\t%s\n",
2749  tor_compress_version_str(ZLIB_METHOD),
2750  tor_compress_header_version_str(ZLIB_METHOD));
2751  }
2752  if (tor_compress_supports_method(LZMA_METHOD)) {
2753  printf("Liblzma \t\t%-15s\t\t%s\n",
2754  tor_compress_version_str(LZMA_METHOD),
2755  tor_compress_header_version_str(LZMA_METHOD));
2756  }
2757  if (tor_compress_supports_method(ZSTD_METHOD)) {
2758  printf("Libzstd \t\t%-15s\t\t%s\n",
2759  tor_compress_version_str(ZSTD_METHOD),
2760  tor_compress_header_version_str(ZSTD_METHOD));
2761  }
2762  if (tor_libc_get_name()) {
2763  printf("%-7s \t\t%-15s\t\t%s\n",
2767  }
2768  //TODO: Hex versions?
2769 }
2770 
2771 /** Handles the --no-passphrase command line option. */
2772 static int
2774 {
2775  if (command == CMD_KEYGEN) {
2776  get_options_mutable()->keygen_force_passphrase = FORCE_PASSPHRASE_OFF;
2777  return 0;
2778  } else {
2779  log_err(LD_CONFIG, "--no-passphrase specified without --keygen!");
2780  return -1;
2781  }
2782 }
2783 
2784 /** Handles the --format command line option. */
2785 static int
2787 {
2788  if (command == CMD_KEY_EXPIRATION) {
2789  // keep the same order as enum key_expiration_format
2790  const char *formats[] = { "iso8601", "timestamp" };
2791  int format = -1;
2792  for (unsigned i = 0; i < ARRAY_LENGTH(formats); i++) {
2793  if (!strcmp(value, formats[i])) {
2794  format = i;
2795  break;
2796  }
2797  }
2798 
2799  if (format < 0) {
2800  log_err(LD_CONFIG, "Invalid --format value %s", escaped(value));
2801  return -1;
2802  } else {
2803  get_options_mutable()->key_expiration_format = format;
2804  }
2805  return 0;
2806  } else {
2807  log_err(LD_CONFIG, "--format specified without --key-expiration!");
2808  return -1;
2809  }
2810 }
2811 
2812 /** Handles the --newpass command line option. */
2813 static int
2815 {
2816  if (command == CMD_KEYGEN) {
2817  get_options_mutable()->change_key_passphrase = 1;
2818  return 0;
2819  } else {
2820  log_err(LD_CONFIG, "--newpass specified without --keygen!");
2821  return -1;
2822  }
2823 }
2824 
2825 /** Handles the --passphrase-fd command line option. */
2826 static int
2828 {
2829  if (get_options()->keygen_force_passphrase == FORCE_PASSPHRASE_OFF) {
2830  log_err(LD_CONFIG, "--no-passphrase specified with --passphrase-fd!");
2831  return -1;
2832  } else if (command != CMD_KEYGEN) {
2833  log_err(LD_CONFIG, "--passphrase-fd specified without --keygen!");
2834  return -1;
2835  } else {
2836  int ok = 1;
2837  long fd = tor_parse_long(value, 10, 0, INT_MAX, &ok, NULL);
2838  if (fd < 0 || ok == 0) {
2839  log_err(LD_CONFIG, "Invalid --passphrase-fd value %s", escaped(value));
2840  return -1;
2841  }
2842  get_options_mutable()->keygen_passphrase_fd = (int)fd;
2843  get_options_mutable()->use_keygen_passphrase_fd = 1;
2844  get_options_mutable()->keygen_force_passphrase = FORCE_PASSPHRASE_ON;
2845  return 0;
2846  }
2847 }
2848 
2849 /** Handles the --master-key command line option. */
2850 static int
2852 {
2853  if (command != CMD_KEYGEN) {
2854  log_err(LD_CONFIG, "--master-key without --keygen!");
2855  return -1;
2856  } else {
2857  get_options_mutable()->master_key_fname = tor_strdup(value);
2858  return 0;
2859  }
2860 }
2861 
2862 /* Return true if <b>options</b> is using the default authorities, and false
2863  * if any authority-related option has been overridden. */
2864 int
2865 using_default_dir_authorities(const or_options_t *options)
2866 {
2867  return (!options->DirAuthorities && !options->AlternateDirAuthority);
2868 }
2869 
2870 /** Return a new empty or_options_t. Used for testing. */
2871 or_options_t *
2873 {
2874  or_options_t *options = config_new(get_options_mgr());
2875  options->command = CMD_RUN_TOR;
2876  return options;
2877 }
2878 
2879 /** Set <b>options</b> to hold reasonable defaults for most options.
2880  * Each option defaults to zero. */
2881 void
2883 {
2884  config_init(get_options_mgr(), options);
2886  char *msg=NULL;
2887  if (config_assign(get_options_mgr(), options, dflts,
2888  CAL_WARN_DEPRECATIONS, &msg)<0) {
2889  log_err(LD_BUG, "Unable to set default options: %s", msg);
2890  tor_free(msg);
2891  tor_assert_unreached();
2892  }
2893  config_free_lines(dflts);
2894  tor_free(msg);
2895 }
2896 
2897 /** Return a string containing a possible configuration file that would give
2898  * the configuration in <b>options</b>. If <b>minimal</b> is true, do not
2899  * include options that are the same as Tor's defaults.
2900  */
2901 char *
2902 options_dump(const or_options_t *options, int how_to_dump)
2903 {
2904  const or_options_t *use_defaults;
2905  int minimal;
2906  switch (how_to_dump) {
2907  case OPTIONS_DUMP_MINIMAL:
2908  use_defaults = global_default_options;
2909  minimal = 1;
2910  break;
2911  case OPTIONS_DUMP_ALL:
2912  use_defaults = NULL;
2913  minimal = 0;
2914  break;
2915  default:
2916  log_warn(LD_BUG, "Bogus value for how_to_dump==%d", how_to_dump);
2917  return NULL;
2918  }
2919 
2920  return config_dump(get_options_mgr(), use_defaults, options, minimal, 0);
2921 }
2922 
2923 /** Return 0 if every element of sl is a string holding a decimal
2924  * representation of a port number, or if sl is NULL.
2925  * Otherwise set *msg and return -1. */
2926 static int
2927 validate_ports_csv(smartlist_t *sl, const char *name, char **msg)
2928 {
2929  int i;
2930  tor_assert(name);
2931 
2932  if (!sl)
2933  return 0;
2934 
2935  SMARTLIST_FOREACH(sl, const char *, cp,
2936  {
2937  i = atoi(cp);
2938  if (i < 1 || i > 65535) {
2939  tor_asprintf(msg, "Port '%s' out of range in %s", cp, name);
2940  return -1;
2941  }
2942  });
2943  return 0;
2944 }
2945 
2946 /** If <b>value</b> exceeds ROUTER_MAX_DECLARED_BANDWIDTH, write
2947  * a complaint into *<b>msg</b> using string <b>desc</b>, and return -1.
2948  * Else return 0.
2949  */
2950 int
2951 config_ensure_bandwidth_cap(uint64_t *value, const char *desc, char **msg)
2952 {
2953  if (*value > ROUTER_MAX_DECLARED_BANDWIDTH) {
2954  /* This handles an understandable special case where somebody says "2gb"
2955  * whereas our actual maximum is 2gb-1 (INT_MAX) */
2956  --*value;
2957  }
2958  if (*value > ROUTER_MAX_DECLARED_BANDWIDTH) {
2959  tor_asprintf(msg, "%s (%"PRIu64") must be at most %d",
2960  desc, (*value),
2961  ROUTER_MAX_DECLARED_BANDWIDTH);
2962  return -1;
2963  }
2964  return 0;
2965 }
2966 
2967 /** Lowest allowable value for RendPostPeriod; if this is too low, hidden
2968  * services can overload the directory system. */
2969 #define MIN_REND_POST_PERIOD (10*60)
2970 #define MIN_REND_POST_PERIOD_TESTING (5)
2971 
2972 /** Highest allowable value for CircuitsAvailableTimeout.
2973  * If this is too large, client connections will stay open for too long,
2974  * incurring extra padding overhead. */
2975 #define MAX_CIRCS_AVAILABLE_TIME (24*60*60)
2976 
2977 /** Highest allowable value for RendPostPeriod. */
2978 #define MAX_DIR_PERIOD ((7*24*60*60)/2)
2979 
2980 /** Lowest allowable value for MaxCircuitDirtiness; if this is too low, Tor
2981  * will generate too many circuits and potentially overload the network. */
2982 #define MIN_MAX_CIRCUIT_DIRTINESS 10
2983 
2984 /** Highest allowable value for MaxCircuitDirtiness: prevents time_t
2985  * overflows. */
2986 #define MAX_MAX_CIRCUIT_DIRTINESS (30*24*60*60)
2987 
2988 /** Lowest allowable value for CircuitStreamTimeout; if this is too low, Tor
2989  * will generate too many circuits and potentially overload the network. */
2990 #define MIN_CIRCUIT_STREAM_TIMEOUT 10
2991 
2992 /** Lowest recommended value for CircuitBuildTimeout; if it is set too low
2993  * and LearnCircuitBuildTimeout is off, the failure rate for circuit
2994  * construction may be very high. In that case, if it is set below this
2995  * threshold emit a warning.
2996  * */
2997 #define RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT (10)
2998 
2999 /**
3000  * Validate <b>new_options</b>. If it is valid, and it is a reasonable
3001  * replacement for <b>old_options</b>, replace the previous value of the
3002  * global options, and return return SETOPT_OK.
3003  *
3004  * If it is not valid, then free <b>new_options</b>, set *<b>msg_out</b> to a
3005  * newly allocated error message, and return an error code.
3006  */
3007 static setopt_err_t
3009  or_options_t *new_options,
3010  char **msg_out)
3011 {
3012  setopt_err_t rv;
3014 
3016  vs = config_validate(get_options_mgr(), old_options, new_options, msg_out);
3017 
3018  if (vs == VSTAT_TRANSITION_ERR) {
3019  rv = SETOPT_ERR_TRANSITION;
3020  goto err;
3021  } else if (vs < 0) {
3022  rv = SETOPT_ERR_PARSE;
3023  goto err;
3024  }
3026 
3027  if (set_options(new_options, msg_out)) {
3028  rv = SETOPT_ERR_SETTING;
3029  goto err;
3030  }
3031 
3032  rv = SETOPT_OK;
3033  new_options = NULL; /* prevent free */
3034  err:
3036  tor_assert(new_options == NULL || rv != SETOPT_OK);
3037  or_options_free(new_options);
3038  return rv;
3039 }
3040 
3041 #ifdef TOR_UNIT_TESTS
3042 /**
3043  * Return 0 if every setting in <b>options</b> is reasonable, is a
3044  * permissible transition from <b>old_options</b>, and none of the
3045  * testing-only settings differ from <b>default_options</b> unless in
3046  * testing mode. Else return -1. Should have no side effects, except for
3047  * normalizing the contents of <b>options</b>.
3048  *
3049  * On error, tor_strdup an error explanation into *<b>msg</b>.
3050  */
3051 int
3052 options_validate(const or_options_t *old_options, or_options_t *options,
3053  char **msg)
3054 {
3056  vs = config_validate(get_options_mgr(), old_options, options, msg);
3057  return vs < 0 ? -1 : 0;
3058 }
3059 #endif /* defined(TOR_UNIT_TESTS) */
3060 
3061 #define REJECT(arg) \
3062  STMT_BEGIN *msg = tor_strdup(arg); return -1; STMT_END
3063 #if defined(__GNUC__) && __GNUC__ <= 3
3064 #define COMPLAIN(args...) \
3065  STMT_BEGIN log_warn(LD_CONFIG, args); STMT_END
3066 #else
3067 #define COMPLAIN(args, ...) \
3068  STMT_BEGIN log_warn(LD_CONFIG, args, ##__VA_ARGS__); STMT_END
3069 #endif /* defined(__GNUC__) && __GNUC__ <= 3 */
3070 
3071 /** Log a warning message iff <b>filepath</b> is not absolute.
3072  * Warning message must contain option name <b>option</b> and
3073  * an absolute path that <b>filepath</b> will resolve to.
3074  *
3075  * In case <b>filepath</b> is absolute, do nothing.
3076  *
3077  * Return 1 if there were relative paths; 0 otherwise.
3078  */
3079 static int
3081  const char *filepath)
3082 {
3083  if (filepath && path_is_relative(filepath)) {
3084  char *abs_path = make_path_absolute(filepath);
3085  COMPLAIN("Path for %s (%s) is relative and will resolve to %s."
3086  " Is this what you wanted?", option, filepath, abs_path);
3087  tor_free(abs_path);
3088  return 1;
3089  }
3090  return 0;
3091 }
3092 
3093 /** Scan <b>options</b> for occurrences of relative file/directory
3094  * paths and log a warning whenever one is found.
3095  *
3096  * Return 1 if there were relative paths; 0 otherwise.
3097  */
3098 static int
3100 {
3101  tor_assert(options);
3102  int n = 0;
3103  const config_mgr_t *mgr = get_options_mgr();
3104 
3105  smartlist_t *vars = config_mgr_list_vars(mgr);
3106  SMARTLIST_FOREACH_BEGIN(vars, const config_var_t *, cv) {
3107  config_line_t *line;
3108  if (cv->member.type != CONFIG_TYPE_FILENAME)
3109  continue;
3110  const char *name = cv->member.name;
3111  line = config_get_assigned_option(mgr, options, name, 0);
3112  if (line)
3113  n += warn_if_option_path_is_relative(name, line->value);
3114  config_free_lines(line);
3115  } SMARTLIST_FOREACH_END(cv);
3116  smartlist_free(vars);
3117 
3118  for (config_line_t *hs_line = options->RendConfigLines; hs_line;
3119  hs_line = hs_line->next) {
3120  if (!strcasecmp(hs_line->key, "HiddenServiceDir"))
3121  n += warn_if_option_path_is_relative("HiddenServiceDir",hs_line->value);
3122  }
3123  return n != 0;
3124 }
3125 
3126 /* Validate options related to the scheduler. From the Schedulers list, the
3127  * SchedulerTypes_ list is created with int values so once we select the
3128  * scheduler, which can happen anytime at runtime, we don't have to parse
3129  * strings and thus be quick.
3130  *
3131  * Return 0 on success else -1 and msg is set with an error message. */
3132 static int
3133 options_validate_scheduler(or_options_t *options, char **msg)
3134 {
3135  tor_assert(options);
3136  tor_assert(msg);
3137 
3138  if (!options->Schedulers || smartlist_len(options->Schedulers) == 0) {
3139  REJECT("Empty Schedulers list. Either remove the option so the defaults "
3140  "can be used or set at least one value.");
3141  }
3142  /* Ok, we do have scheduler types, validate them. */
3143  if (options->SchedulerTypes_) {
3144  SMARTLIST_FOREACH(options->SchedulerTypes_, int *, iptr, tor_free(iptr));
3145  smartlist_free(options->SchedulerTypes_);
3146  }
3147  options->SchedulerTypes_ = smartlist_new();
3148  SMARTLIST_FOREACH_BEGIN(options->Schedulers, const char *, type) {
3149  int *sched_type;
3150  if (!strcasecmp("KISTLite", type)) {
3151  sched_type = tor_malloc_zero(sizeof(int));
3152  *sched_type = SCHEDULER_KIST_LITE;
3153  smartlist_add(options->SchedulerTypes_, sched_type);
3154  } else if (!strcasecmp("KIST", type)) {
3155  sched_type = tor_malloc_zero(sizeof(int));
3156  *sched_type = SCHEDULER_KIST;
3157  smartlist_add(options->SchedulerTypes_, sched_type);
3158  } else if (!strcasecmp("Vanilla", type)) {
3159  sched_type = tor_malloc_zero(sizeof(int));
3160  *sched_type = SCHEDULER_VANILLA;
3161  smartlist_add(options->SchedulerTypes_, sched_type);
3162  } else {
3163  tor_asprintf(msg, "Unknown type %s in option Schedulers. "
3164  "Possible values are KIST, KISTLite and Vanilla.",
3165  escaped(type));
3166  return -1;
3167  }
3168  } SMARTLIST_FOREACH_END(type);
3169 
3170  if (options->KISTSockBufSizeFactor < 0) {
3171  REJECT("KISTSockBufSizeFactor must be at least 0");
3172  }
3173 
3174  /* Don't need to validate that the Interval is less than anything because
3175  * zero is valid and all negative values are valid. */
3176  if (options->KISTSchedRunInterval > KIST_SCHED_RUN_INTERVAL_MAX) {
3177  tor_asprintf(msg, "KISTSchedRunInterval must not be more than %d (ms)",
3178  KIST_SCHED_RUN_INTERVAL_MAX);
3179  return -1;
3180  }
3181 
3182  return 0;
3183 }
3184 
3185 /* Validate options related to single onion services.
3186  * Modifies some options that are incompatible with single onion services.
3187  * On failure returns -1, and sets *msg to an error string.
3188  * Returns 0 on success. */
3189 STATIC int
3190 options_validate_single_onion(or_options_t *options, char **msg)
3191 {
3192  /* The two single onion service options must have matching values. */
3193  if (options->HiddenServiceSingleHopMode &&
3194  !options->HiddenServiceNonAnonymousMode) {
3195  REJECT("HiddenServiceSingleHopMode does not provide any server anonymity. "
3196  "It must be used with HiddenServiceNonAnonymousMode set to 1.");
3197  }
3198  if (options->HiddenServiceNonAnonymousMode &&
3199  !options->HiddenServiceSingleHopMode) {
3200  REJECT("HiddenServiceNonAnonymousMode does not provide any server "
3201  "anonymity. It must be used with HiddenServiceSingleHopMode set to "
3202  "1.");
3203  }
3204 
3205  /* Now that we've checked that the two options are consistent, we can safely
3206  * call the hs_service_* functions that abstract these options. */
3207 
3208  /* If you run an anonymous client with an active Single Onion service, the
3209  * client loses anonymity. */
3210  const int client_port_set = (options->SocksPort_set ||
3211  options->TransPort_set ||
3212  options->NATDPort_set ||
3213  options->DNSPort_set ||
3214  options->HTTPTunnelPort_set);
3215  if (hs_service_non_anonymous_mode_enabled(options) && client_port_set) {
3216  REJECT("HiddenServiceNonAnonymousMode is incompatible with using Tor as "
3217  "an anonymous client. Please set Socks/Trans/NATD/DNSPort to 0, or "
3218  "revert HiddenServiceNonAnonymousMode to 0.");
3219  }
3220 
3221  if (hs_service_allow_non_anonymous_connection(options)
3222  && options->UseEntryGuards) {
3223  /* Single Onion services only use entry guards when uploading descriptors;
3224  * all other connections are one-hop. Further, Single Onions causes the
3225  * hidden service code to do things which break the path bias
3226  * detector, and it's far easier to turn off entry guards (and
3227  * thus the path bias detector with it) than to figure out how to
3228  * make path bias compatible with single onions.
3229  */
3230  log_notice(LD_CONFIG,
3231  "HiddenServiceSingleHopMode is enabled; disabling "
3232  "UseEntryGuards.");
3233  options->UseEntryGuards = 0;
3234  }
3235 
3236  return 0;
3237 }
3238 
3239 /**
3240  * Legacy validation/normalization callback for or_options_t. See
3241  * legacy_validate_fn_t for more information.
3242  */
3243 static int
3244 options_validate_cb(const void *old_options_, void *options_, char **msg)
3245 {
3246  if (old_options_)
3247  CHECK_OPTIONS_MAGIC(old_options_);
3248  CHECK_OPTIONS_MAGIC(options_);
3249  const or_options_t *old_options = old_options_;
3250  or_options_t *options = options_;
3251 
3252  config_line_t *cl;
3253  int n_ports=0;
3254  int world_writable_control_socket=0;
3255 
3256  tor_assert(msg);
3257  *msg = NULL;
3258 
3259  if (parse_ports(options, 1, msg, &n_ports,
3260  &world_writable_control_socket) < 0)
3261  return -1;
3262 
3263 #ifndef HAVE_SYS_UN_H
3264  if (options->ControlSocket || options->ControlSocketsGroupWritable) {
3265  *msg = tor_strdup("Unix domain sockets (ControlSocket) not supported "
3266  "on this OS/with this build.");
3267  return -1;
3268  }
3269 #else /* defined(HAVE_SYS_UN_H) */
3270  if (options->ControlSocketsGroupWritable && !options->ControlSocket) {
3271  *msg = tor_strdup("Setting ControlSocketsGroupWritable without setting "
3272  "a ControlSocket makes no sense.");
3273  return -1;
3274  }
3275 #endif /* !defined(HAVE_SYS_UN_H) */
3276 
3277  /* Set UseEntryGuards from the configured value, before we check it below.
3278  * We change UseEntryGuards when it's incompatible with other options,
3279  * but leave UseEntryGuards_option with the original value.
3280  * Always use the value of UseEntryGuards, not UseEntryGuards_option. */
3281  options->UseEntryGuards = options->UseEntryGuards_option;
3282 
3283  if (options_validate_relay_os(old_options, options, msg) < 0)
3284  return -1;
3285 
3286  /* 31851: OutboundBindAddressExit is unused in client mode */
3287  if (parse_outbound_addresses(options, 1, msg) < 0)
3288  return -1;
3289 
3290  if (validate_data_directories(options)<0)
3291  REJECT("Invalid DataDirectory");
3292 
3293  /* need to check for relative paths after we populate
3294  * options->DataDirectory (just above). */
3295  if (warn_about_relative_paths(options) && options->RunAsDaemon) {
3296  REJECT("You have specified at least one relative path (see above) "
3297  "with the RunAsDaemon option. RunAsDaemon is not compatible "
3298  "with relative paths.");
3299  }
3300 
3301  if (options_validate_relay_info(old_options, options, msg) < 0)
3302  return -1;
3303 
3304  /* 31851: this function is currently a no-op in client mode */
3306 
3307  /* Validate the tor_log(s) */
3308  if (options_init_logs(old_options, options, 1)<0)
3309  REJECT("Failed to validate Log options. See logs for details.");
3310 
3311  /* XXXX require that the only port not be DirPort? */
3312  /* XXXX require that at least one port be listened-upon. */
3313  if (n_ports == 0 && !options->RendConfigLines)
3314  log_warn(LD_CONFIG,
3315  "SocksPort, TransPort, NATDPort, DNSPort, and ORPort are all "
3316  "undefined, and there aren't any hidden services configured. "
3317  "Tor will still run, but probably won't do anything.");
3318 
3319  options->TransProxyType_parsed = TPT_DEFAULT;
3320 #ifdef USE_TRANSPARENT
3321  if (options->TransProxyType) {
3322  if (!strcasecmp(options->TransProxyType, "default")) {
3323  options->TransProxyType_parsed = TPT_DEFAULT;
3324  } else if (!strcasecmp(options->TransProxyType, "pf-divert")) {
3325 #if !defined(OpenBSD) && !defined(DARWIN)
3326  /* Later versions of OS X have pf */
3327  REJECT("pf-divert is a OpenBSD-specific "
3328  "and OS X/Darwin-specific feature.");
3329 #else
3330  options->TransProxyType_parsed = TPT_PF_DIVERT;
3331 #endif /* !defined(OpenBSD) && !defined(DARWIN) */
3332  } else if (!strcasecmp(options->TransProxyType, "tproxy")) {
3333 #if !defined(__linux__)
3334  REJECT("TPROXY is a Linux-specific feature.");
3335 #else
3336  options->TransProxyType_parsed = TPT_TPROXY;
3337 #endif
3338  } else if (!strcasecmp(options->TransProxyType, "ipfw")) {
3339 #ifndef KERNEL_MAY_SUPPORT_IPFW
3340  /* Earlier versions of OS X have ipfw */
3341  REJECT("ipfw is a FreeBSD-specific "
3342  "and OS X/Darwin-specific feature.");
3343 #else
3344  options->TransProxyType_parsed = TPT_IPFW;
3345 #endif /* !defined(KERNEL_MAY_SUPPORT_IPFW) */
3346  } else {
3347  REJECT("Unrecognized value for TransProxyType");
3348  }
3349 
3350  if (strcasecmp(options->TransProxyType, "default") &&
3351  !options->TransPort_set) {
3352  REJECT("Cannot use TransProxyType without any valid TransPort.");
3353  }
3354  }
3355 #else /* !defined(USE_TRANSPARENT) */
3356  if (options->TransPort_set)
3357  REJECT("TransPort is disabled in this build.");
3358 #endif /* defined(USE_TRANSPARENT) */
3359 
3360  if (options->TokenBucketRefillInterval <= 0
3361  || options->TokenBucketRefillInterval > 1000) {
3362  REJECT("TokenBucketRefillInterval must be between 1 and 1000 inclusive.");
3363  }
3364 
3365  if (options->AssumeReachable && options->AssumeReachableIPv6 == 0) {
3366  REJECT("Cannot set AssumeReachable 1 and AssumeReachableIPv6 0.");
3367  }
3368 
3369  if (options->ExcludeExitNodes || options->ExcludeNodes) {
3373  }
3374 
3375  if (options->NodeFamilies) {
3376  options->NodeFamilySets = smartlist_new();
3377  for (cl = options->NodeFamilies; cl; cl = cl->next) {
3378  routerset_t *rs = routerset_new();
3379  if (routerset_parse(rs, cl->value, cl->key) == 0) {
3380  smartlist_add(options->NodeFamilySets, rs);
3381  } else {
3382  routerset_free(rs);
3383  }
3384  }
3385  }
3386 
3387  if (options->ExcludeNodes && options->StrictNodes) {
3388  COMPLAIN("You have asked to exclude certain relays from all positions "
3389  "in your circuits. Expect hidden services and other Tor "
3390  "features to be broken in unpredictable ways.");
3391  }
3392 
3393  if (options_validate_dirauth_mode(old_options, options, msg) < 0)
3394  return -1;
3395 
3396  if (options->FetchDirInfoExtraEarly && !options->FetchDirInfoEarly)
3397  REJECT("FetchDirInfoExtraEarly requires that you also set "
3398  "FetchDirInfoEarly");
3399 
3400  if (options->ConnLimit <= 0) {
3401  tor_asprintf(msg,
3402  "ConnLimit must be greater than 0, but was set to %d",
3403  options->ConnLimit);
3404  return -1;
3405  }
3406 
3407  if (options->PathsNeededToBuildCircuits >= 0.0) {
3408  if (options->PathsNeededToBuildCircuits < 0.25) {
3409  log_warn(LD_CONFIG, "PathsNeededToBuildCircuits is too low. Increasing "
3410  "to 0.25");
3411  options->PathsNeededToBuildCircuits = 0.25;
3412  } else if (options->PathsNeededToBuildCircuits > 0.95) {
3413  log_warn(LD_CONFIG, "PathsNeededToBuildCircuits is too high. Decreasing "
3414  "to 0.95");
3415  options->PathsNeededToBuildCircuits = 0.95;
3416  }
3417  }
3418 
3419  if (options->MaxClientCircuitsPending <= 0 ||
3420  options->MaxClientCircuitsPending > MAX_MAX_CLIENT_CIRCUITS_PENDING) {
3421  tor_asprintf(msg,
3422  "MaxClientCircuitsPending must be between 1 and %d, but "
3423  "was set to %d", MAX_MAX_CLIENT_CIRCUITS_PENDING,
3424  options->MaxClientCircuitsPending);
3425  return -1;
3426  }
3427 
3428  if (validate_ports_csv(options->FirewallPorts, "FirewallPorts", msg) < 0)
3429  return -1;
3430 
3431  if (validate_ports_csv(options->LongLivedPorts, "LongLivedPorts", msg) < 0)
3432  return -1;
3433 
3435  "RejectPlaintextPorts", msg) < 0)
3436  return -1;
3437 
3439  "WarnPlaintextPorts", msg) < 0)
3440  return -1;
3441 
3442  if (options->FascistFirewall && !options->ReachableAddresses) {
3443  if (options->FirewallPorts && smartlist_len(options->FirewallPorts)) {
3444  /* We already have firewall ports set, so migrate them to
3445  * ReachableAddresses, which will set ReachableORAddresses and
3446  * ReachableDirAddresses if they aren't set explicitly. */
3447  smartlist_t *instead = smartlist_new();
3448  config_line_t *new_line = tor_malloc_zero(sizeof(config_line_t));
3449  new_line->key = tor_strdup("ReachableAddresses");
3450  /* If we're configured with the old format, we need to prepend some
3451  * open ports. */
3452  SMARTLIST_FOREACH(options->FirewallPorts, const char *, portno,
3453  {
3454  int p = atoi(portno);
3455  if (p<0) continue;
3456  smartlist_add_asprintf(instead, "*:%d", p);
3457  });
3458  new_line->value = smartlist_join_strings(instead,",",0,NULL);
3459  /* These have been deprecated since 0.1.1.5-alpha-cvs */
3460  log_notice(LD_CONFIG,
3461  "Converting FascistFirewall and FirewallPorts "
3462  "config options to new format: \"ReachableAddresses %s\"",
3463  new_line->value);
3464  options->ReachableAddresses = new_line;
3465  SMARTLIST_FOREACH(instead, char *, cp, tor_free(cp));
3466  smartlist_free(instead);
3467  } else {
3468  /* We do not have FirewallPorts set, so add 80 to
3469  * ReachableDirAddresses, and 443 to ReachableORAddresses. */
3470  if (!options->ReachableDirAddresses) {
3471  config_line_t *new_line = tor_malloc_zero(sizeof(config_line_t));
3472  new_line->key = tor_strdup("ReachableDirAddresses");
3473  new_line->value = tor_strdup("*:80");
3474  options->ReachableDirAddresses = new_line;
3475  log_notice(LD_CONFIG, "Converting FascistFirewall config option "
3476  "to new format: \"ReachableDirAddresses *:80\"");
3477  }
3478  if (!options->ReachableORAddresses) {
3479  config_line_t *new_line = tor_malloc_zero(sizeof(config_line_t));
3480  new_line->key = tor_strdup("ReachableORAddresses");
3481  new_line->value = tor_strdup("*:443");
3482  options->ReachableORAddresses = new_line;
3483  log_notice(LD_CONFIG, "Converting FascistFirewall config option "
3484  "to new format: \"ReachableORAddresses *:443\"");
3485  }
3486  }
3487  }
3488 
3489  if ((options->ReachableAddresses ||
3490  options->ReachableORAddresses ||
3491  options->ReachableDirAddresses ||
3492  options->ClientUseIPv4 == 0) &&
3493  server_mode(options))
3494  REJECT("Servers must be able to freely connect to the rest "
3495  "of the Internet, so they must not set Reachable*Addresses "
3496  "or FascistFirewall or FirewallPorts or ClientUseIPv4 0.");
3497 
3498  if (options->UseBridges &&
3499  server_mode(options))
3500  REJECT("Servers must be able to freely connect to the rest "
3501  "of the Internet, so they must not set UseBridges.");
3502 
3503  /* If both of these are set, we'll end up with funny behavior where we
3504  * demand enough entrynodes be up and running else we won't build
3505  * circuits, yet we never actually use them. */
3506  if (options->UseBridges && options->EntryNodes)
3507  REJECT("You cannot set both UseBridges and EntryNodes.");
3508 
3509  /* If we have UseBridges as 1 and UseEntryGuards as 0, we end up bypassing
3510  * the use of bridges */
3511  if (options->UseBridges && !options->UseEntryGuards)
3512  REJECT("Setting UseBridges requires also setting UseEntryGuards.");
3513 
3514  options->MaxMemInQueues =
3515  compute_real_max_mem_in_queues(options->MaxMemInQueues_raw,
3516  server_mode(options));
3517  options->MaxMemInQueues_low_threshold = (options->MaxMemInQueues / 4) * 3;
3518 
3519  if (!options->SafeLogging ||
3520  !strcasecmp(options->SafeLogging, "0")) {
3521  options->SafeLogging_ = SAFELOG_SCRUB_NONE;
3522  } else if (!strcasecmp(options->SafeLogging, "relay")) {
3523  options->SafeLogging_ = SAFELOG_SCRUB_RELAY;
3524  } else if (!strcasecmp(options->SafeLogging, "1")) {
3525  options->SafeLogging_ = SAFELOG_SCRUB_ALL;
3526  } else {
3527  tor_asprintf(msg,
3528  "Unrecognized value '%s' in SafeLogging",
3529  escaped(options->SafeLogging));
3530  return -1;
3531  }
3532 
3533  if (options_validate_publish_server(old_options, options, msg) < 0)
3534  return -1;
3535 
3536  if (options_validate_relay_padding(old_options, options, msg) < 0)
3537  return -1;
3538 
3539  const int min_rendpostperiod =
3540  options->TestingTorNetwork ?
3541  MIN_REND_POST_PERIOD_TESTING : MIN_REND_POST_PERIOD;
3542  if (options->RendPostPeriod < min_rendpostperiod) {
3543  log_warn(LD_CONFIG, "RendPostPeriod option is too short; "
3544  "raising to %d seconds.", min_rendpostperiod);
3545  options->RendPostPeriod = min_rendpostperiod;
3546  }
3547 
3548  if (options->RendPostPeriod > MAX_DIR_PERIOD) {
3549  log_warn(LD_CONFIG, "RendPostPeriod is too large; clipping to %ds.",
3550  MAX_DIR_PERIOD);
3551  options->RendPostPeriod = MAX_DIR_PERIOD;
3552  }
3553 
3554  /* Check the Single Onion Service options */
3555  if (options_validate_single_onion(options, msg) < 0)
3556  return -1;
3557 
3559  // options_t is immutable for new code (the above code is older),
3560  // so just make the user fix the value themselves rather than
3561  // silently keep a shadow value lower than what they asked for.
3562  REJECT("CircuitsAvailableTimeout is too large. Max is 24 hours.");
3563  }
3564 
3565  if (options->EntryNodes && !options->UseEntryGuards) {
3566  REJECT("If EntryNodes is set, UseEntryGuards must be enabled.");
3567  }
3568 
3569  if (!(options->UseEntryGuards) &&
3570  (options->RendConfigLines != NULL) &&
3571  !hs_service_allow_non_anonymous_connection(options)) {
3572  log_warn(LD_CONFIG,
3573  "UseEntryGuards is disabled, but you have configured one or more "
3574  "hidden services on this Tor instance. Your hidden services "
3575  "will be very easy to locate using a well-known attack -- see "
3576  "https://freehaven.net/anonbib/#hs-attack06 for details.");
3577  }
3578 
3579  if (options->NumPrimaryGuards && options->NumEntryGuards &&
3580  options->NumEntryGuards > options->NumPrimaryGuards) {
3581  REJECT("NumEntryGuards must not be greater than NumPrimaryGuards.");
3582  }
3583 
3584  if (options->EntryNodes &&
3585  routerset_is_list(options->EntryNodes) &&
3586  (routerset_len(options->EntryNodes) == 1) &&
3587  (options->RendConfigLines != NULL)) {
3588  tor_asprintf(msg,
3589  "You have one single EntryNodes and at least one hidden service "
3590  "configured. This is bad because it's very easy to locate your "
3591  "entry guard which can then lead to the deanonymization of your "
3592  "hidden service -- for more details, see "
3593  "https://bugs.torproject.org/tpo/core/tor/14917. "
3594  "For this reason, the use of one EntryNodes with an hidden "
3595  "service is prohibited until a better solution is found.");
3596  return -1;
3597  }
3598 
3599  /* Inform the hidden service operator that pinning EntryNodes can possibly
3600  * be harmful for the service anonymity. */
3601  if (options->EntryNodes &&
3602  routerset_is_list(options->EntryNodes) &&
3603  (options->RendConfigLines != NULL)) {
3604  log_warn(LD_CONFIG,
3605  "EntryNodes is set with multiple entries and at least one "
3606  "hidden service is configured. Pinning entry nodes can possibly "
3607  "be harmful to the service anonymity. Because of this, we "
3608  "recommend you either don't do that or make sure you know what "
3609  "you are doing. For more details, please look at "
3610  "https://bugs.torproject.org/tpo/core/tor/21155.");
3611  }
3612 
3613  /* Single Onion Services: non-anonymous hidden services */
3614  if (hs_service_non_anonymous_mode_enabled(options)) {
3615  log_warn(LD_CONFIG,
3616  "HiddenServiceNonAnonymousMode is set. Every hidden service on "
3617  "this tor instance is NON-ANONYMOUS. If "
3618  "the HiddenServiceNonAnonymousMode option is changed, Tor will "
3619  "refuse to launch hidden services from the same directories, to "
3620  "protect your anonymity against config errors. This setting is "
3621  "for experimental use only.");
3622  }
3623 
3624  if (!options->LearnCircuitBuildTimeout && options->CircuitBuildTimeout &&
3626  log_warn(LD_CONFIG,
3627  "CircuitBuildTimeout is shorter (%d seconds) than the recommended "
3628  "minimum (%d seconds), and LearnCircuitBuildTimeout is disabled. "
3629  "If tor isn't working, raise this value or enable "
3630  "LearnCircuitBuildTimeout.",
3631  options->CircuitBuildTimeout,
3633  } else if (!options->LearnCircuitBuildTimeout &&
3634  !options->CircuitBuildTimeout) {
3635  int severity = LOG_NOTICE;
3636  /* Be a little quieter if we've deliberately disabled
3637  * LearnCircuitBuildTimeout. */
3638  if (circuit_build_times_disabled_(options, 1)) {
3639  severity = LOG_INFO;
3640  }
3641  log_fn(severity, LD_CONFIG, "You disabled LearnCircuitBuildTimeout, but "
3642  "didn't specify a CircuitBuildTimeout. I'll pick a plausible "
3643  "default.");
3644  }
3645 
3646  if (options->DormantClientTimeout < 10*60 && !options->TestingTorNetwork) {
3647  REJECT("DormantClientTimeout is too low. It must be at least 10 minutes.");
3648  }
3649 
3650  if (options->PathBiasNoticeRate > 1.0) {
3651  tor_asprintf(msg,
3652  "PathBiasNoticeRate is too high. "
3653  "It must be between 0 and 1.0");
3654  return -1;
3655  }
3656  if (options->PathBiasWarnRate > 1.0) {
3657  tor_asprintf(msg,
3658  "PathBiasWarnRate is too high. "
3659  "It must be between 0 and 1.0");
3660  return -1;
3661  }
3662  if (options->PathBiasExtremeRate > 1.0) {
3663  tor_asprintf(msg,
3664  "PathBiasExtremeRate is too high. "
3665  "It must be between 0 and 1.0");
3666  return -1;
3667  }
3668  if (options->PathBiasNoticeUseRate > 1.0) {
3669  tor_asprintf(msg,
3670  "PathBiasNoticeUseRate is too high. "
3671  "It must be between 0 and 1.0");
3672  return -1;
3673  }
3674  if (options->PathBiasExtremeUseRate > 1.0) {
3675  tor_asprintf(msg,
3676  "PathBiasExtremeUseRate is too high. "
3677  "It must be between 0 and 1.0");
3678  return -1;
3679  }
3680 
3682  log_warn(LD_CONFIG, "MaxCircuitDirtiness option is too short; "
3683  "raising to %d seconds.", MIN_MAX_CIRCUIT_DIRTINESS);
3685  }
3686 
3688  log_warn(LD_CONFIG, "MaxCircuitDirtiness option is too high; "
3689  "setting to %d days.", MAX_MAX_CIRCUIT_DIRTINESS/86400);
3691  }
3692 
3693  if (options->CircuitStreamTimeout &&
3695  log_warn(LD_CONFIG, "CircuitStreamTimeout option is too short; "
3696  "raising to %d seconds.", MIN_CIRCUIT_STREAM_TIMEOUT);
3698  }
3699 
3700  if (options->HeartbeatPeriod &&
3702  !options->TestingTorNetwork) {
3703  log_warn(LD_CONFIG, "HeartbeatPeriod option is too short; "
3704  "raising to %d seconds.", MIN_HEARTBEAT_PERIOD);
3706  }
3707 
3708  if (options->KeepalivePeriod < 1)
3709  REJECT("KeepalivePeriod option must be positive.");
3710 
3712  "BandwidthRate", msg) < 0)
3713  return -1;
3715  "BandwidthBurst", msg) < 0)
3716  return -1;
3717 
3718  if (options_validate_relay_bandwidth(old_options, options, msg) < 0)
3719  return -1;
3720 
3721  if (options->BandwidthRate > options->BandwidthBurst)
3722  REJECT("BandwidthBurst must be at least equal to BandwidthRate.");
3723 
3724  if (options_validate_relay_accounting(old_options, options, msg) < 0)
3725  return -1;
3726 
3727  if (options_validate_relay_mode(old_options, options, msg) < 0)
3728  return -1;
3729 
3730  if (options->HTTPProxy) { /* parse it now */
3731  if (tor_addr_port_lookup(options->HTTPProxy,
3732  &options->HTTPProxyAddr, &options->HTTPProxyPort) < 0)
3733  REJECT("HTTPProxy failed to parse or resolve. Please fix.");
3734  if (options->HTTPProxyPort == 0) { /* give it a default */
3735  options->HTTPProxyPort = 80;
3736  }
3737  }
3738 
3739  if (options->HTTPProxyAuthenticator) {
3740  if (strlen(options->HTTPProxyAuthenticator) >= 512)
3741  REJECT("HTTPProxyAuthenticator is too long (>= 512 chars).");
3742  }
3743 
3744  if (options->HTTPSProxy) { /* parse it now */
3745  if (tor_addr_port_lookup(options->HTTPSProxy,
3746  &options->HTTPSProxyAddr, &options->HTTPSProxyPort) <0)
3747  REJECT("HTTPSProxy failed to parse or resolve. Please fix.");
3748  if (options->HTTPSProxyPort == 0) { /* give it a default */
3749  options->HTTPSProxyPort = 443;
3750  }
3751  }
3752 
3753  if (options->HTTPSProxyAuthenticator) {
3754  if (strlen(options->HTTPSProxyAuthenticator) >= 512)
3755  REJECT("HTTPSProxyAuthenticator is too long (>= 512 chars).");
3756  }
3757 
3758  if (options->Socks4Proxy) { /* parse it now */
3759  if (tor_addr_port_lookup(options->Socks4Proxy,
3760  &options->Socks4ProxyAddr,
3761  &options->Socks4ProxyPort) <0)
3762  REJECT("Socks4Proxy failed to parse or resolve. Please fix.");
3763  if (options->Socks4ProxyPort == 0) { /* give it a default */
3764  options->Socks4ProxyPort = 1080;
3765  }
3766  }
3767 
3768  if (options->Socks5Proxy) { /* parse it now */
3769  if (tor_addr_port_lookup(options->Socks5Proxy,
3770  &options->Socks5ProxyAddr,
3771  &options->Socks5ProxyPort) <0)
3772  REJECT("Socks5Proxy failed to parse or resolve. Please fix.");
3773  if (options->Socks5ProxyPort == 0) { /* give it a default */
3774  options->Socks5ProxyPort = 1080;
3775  }
3776  }
3777 
3778  if (options->TCPProxy) {
3779  int res = parse_tcp_proxy_line(options->TCPProxy, options, msg);
3780  if (res < 0) {
3781  return res;
3782  }
3783  }
3784 
3785  /* Check if more than one exclusive proxy type has been enabled. */
3786  if (!!options->Socks4Proxy + !!options->Socks5Proxy +
3787  !!options->HTTPSProxy + !!options->TCPProxy > 1)
3788  REJECT("You have configured more than one proxy type. "
3789  "(Socks4Proxy|Socks5Proxy|HTTPSProxy|TCPProxy)");
3790 
3791  /* Check if the proxies will give surprising behavior. */
3792  if (options->HTTPProxy && !(options->Socks4Proxy ||
3793  options->Socks5Proxy ||
3794  options->HTTPSProxy ||
3795  options->TCPProxy)) {
3796  log_warn(LD_CONFIG, "HTTPProxy configured, but no SOCKS proxy, "
3797  "HTTPS proxy, or any other TCP proxy configured. Watch out: "
3798  "this configuration will proxy unencrypted directory "
3799  "connections only.");
3800  }
3801 
3802  if (options->Socks5ProxyUsername) {
3803  size_t len;
3804 
3805  len = strlen(options->Socks5ProxyUsername);
3806  if (len < 1 || len > MAX_SOCKS5_AUTH_FIELD_SIZE)
3807  REJECT("Socks5ProxyUsername must be between 1 and 255 characters.");
3808 
3809  if (!options->Socks5ProxyPassword)
3810  REJECT("Socks5ProxyPassword must be included with Socks5ProxyUsername.");
3811 
3812  len = strlen(options->Socks5ProxyPassword);
3813  if (len < 1 || len > MAX_SOCKS5_AUTH_FIELD_SIZE)
3814  REJECT("Socks5ProxyPassword must be between 1 and 255 characters.");
3815  } else if (options->Socks5ProxyPassword)
3816  REJECT("Socks5ProxyPassword must be included with Socks5ProxyUsername.");
3817 
3818  if (options->HashedControlPassword) {
3820  if (!sl) {
3821  REJECT("Bad HashedControlPassword: wrong length or bad encoding");
3822  } else {
3823  SMARTLIST_FOREACH(sl, char*, cp, tor_free(cp));
3824  smartlist_free(sl);
3825  }
3826  }
3827 
3828  if (options->HashedControlSessionPassword) {
3830  options->HashedControlSessionPassword);
3831  if (!sl) {
3832  REJECT("Bad HashedControlSessionPassword: wrong length or bad encoding");
3833  } else {
3834  SMARTLIST_FOREACH(sl, char*, cp, tor_free(cp));
3835  smartlist_free(sl);
3836  }
3837  }
3838 
3839  if (options->OwningControllerProcess) {
3840  const char *validate_pspec_msg = NULL;
3842  &validate_pspec_msg)) {
3843  tor_asprintf(msg, "Bad OwningControllerProcess: %s",
3844  validate_pspec_msg);
3845  return -1;
3846  }
3847  }
3848 
3849  if ((options->ControlPort_set || world_writable_control_socket) &&
3850  !options->HashedControlPassword &&
3851  !options->HashedControlSessionPassword &&
3852  !options->CookieAuthentication) {
3853  log_warn(LD_CONFIG, "Control%s is %s, but no authentication method "
3854  "has been configured. This means that any program on your "
3855  "computer can reconfigure your Tor. That's bad! You should "
3856  "upgrade your Tor controller as soon as possible.",
3857  options->ControlPort_set ? "Port" : "Socket",
3858  options->ControlPort_set ? "open" : "world writable");
3859  }
3860 
3861  if (options->CookieAuthFileGroupReadable && !options->CookieAuthFile) {
3862  log_warn(LD_CONFIG, "CookieAuthFileGroupReadable is set, but will have "
3863  "no effect: you must specify an explicit CookieAuthFile to "
3864  "have it group-readable.");
3865  }
3866 
3867  for (cl = options->NodeFamilies; cl; cl = cl->next) {
3868  routerset_t *rs = routerset_new();
3869  if (routerset_parse(rs, cl->value, cl->key)) {
3870  routerset_free(rs);
3871  return -1;
3872  }
3873  routerset_free(rs);
3874  }
3875 
3876  if (validate_addr_policies(options, msg) < 0)
3877  return -1;
3878 
3879  /* If FallbackDir is set, we don't UseDefaultFallbackDirs */
3880  if (options->UseDefaultFallbackDirs && options->FallbackDir) {
3881  log_info(LD_CONFIG, "You have set UseDefaultFallbackDirs 1 and "
3882  "FallbackDir(s). Ignoring UseDefaultFallbackDirs, and "
3883  "using the FallbackDir(s) you have set.");
3884  }
3885 
3886  if (validate_dir_servers(options, old_options) < 0)
3887  REJECT("Directory authority/fallback line did not parse. See logs "
3888  "for details.");
3889 
3890  if (options->UseBridges && !options->Bridges)
3891  REJECT("If you set UseBridges, you must specify at least one bridge.");
3892 
3893  for (cl = options->Bridges; cl; cl = cl->next) {
3894  bridge_line_t *bridge_line = parse_bridge_line(cl->value);
3895  if (!bridge_line)
3896  REJECT("Bridge line did not parse. See logs for details.");
3897  bridge_line_free(bridge_line);
3898  }
3899 
3900  for (cl = options->ClientTransportPlugin; cl; cl = cl->next) {
3901  if (pt_parse_transport_line(options, cl->value, 1, 0) < 0)
3902  REJECT("Invalid client transport line. See logs for details.");
3903  }
3904 
3905  if (options_validate_server_transport(old_options, options, msg) < 0)
3906  return -1;
3907 
3908  if (options->ConstrainedSockets) {
3909  /* If the user wants to constrain socket buffer use, make sure the desired
3910  * limit is between MIN|MAX_TCPSOCK_BUFFER in k increments. */
3911  if (options->ConstrainedSockSize < MIN_CONSTRAINED_TCP_BUFFER ||
3912  options->ConstrainedSockSize > MAX_CONSTRAINED_TCP_BUFFER ||
3913  options->ConstrainedSockSize % 1024) {
3914  tor_asprintf(msg,
3915  "ConstrainedSockSize is invalid. Must be a value between %d and %d "
3916  "in 1024 byte increments.",
3917  MIN_CONSTRAINED_TCP_BUFFER, MAX_CONSTRAINED_TCP_BUFFER);
3918  return -1;
3919  }
3920  }
3921 
3922  if (options_validate_dirauth_schedule(old_options, options, msg) < 0)
3923  return -1;
3924 
3925  if (hs_config_service_all(options, 1) < 0)
3926  REJECT("Failed to configure rendezvous options. See logs for details.");
3927 
3928  /* Parse client-side authorization for hidden services. */
3929  if (hs_config_client_auth_all(options, 1) < 0)
3930  REJECT("Failed to configure client authorization for hidden services. "
3931  "See logs for details.");
3932 
3934  AF_INET, 1, msg)<0)
3935  return -1;
3937  AF_INET6, 1, msg)<0)
3938  return -1;
3939 
3940  if (options->TestingTorNetwork &&
3941  !(options->DirAuthorities ||
3942  (options->AlternateDirAuthority &&
3943  options->AlternateBridgeAuthority))) {
3944  REJECT("TestingTorNetwork may only be configured in combination with "
3945  "a non-default set of DirAuthority or both of "
3946  "AlternateDirAuthority and AlternateBridgeAuthority configured.");
3947  }
3948 
3949 #define CHECK_DEFAULT(arg) \
3950  STMT_BEGIN \
3951  if (!config_is_same(get_options_mgr(),options, \
3952  dflt_options,#arg)) { \
3953  or_options_free(dflt_options); \
3954  REJECT(#arg " may only be changed in testing Tor " \
3955  "networks!"); \
3956  } \
3957  STMT_END
3958 
3959  /* Check for options that can only be changed from the defaults in testing
3960  networks. */
3961  if (! options->TestingTorNetwork && !options->UsingTestNetworkDefaults_) {
3962  or_options_t *dflt_options = options_new();
3963  options_init(dflt_options);
3964  /* 31851: some of these options are dirauth or relay only */
3965  CHECK_DEFAULT(TestingV3AuthInitialVotingInterval);
3966  CHECK_DEFAULT(TestingV3AuthInitialVoteDelay);
3967  CHECK_DEFAULT(TestingV3AuthInitialDistDelay);
3968  CHECK_DEFAULT(TestingV3AuthVotingStartOffset);
3969  CHECK_DEFAULT(TestingAuthDirTimeToLearnReachability);
3970  CHECK_DEFAULT(TestingServerDownloadInitialDelay);
3971  CHECK_DEFAULT(TestingClientDownloadInitialDelay);
3972  CHECK_DEFAULT(TestingServerConsensusDownloadInitialDelay);
3973  CHECK_DEFAULT(TestingClientConsensusDownloadInitialDelay);
3974  CHECK_DEFAULT(TestingBridgeDownloadInitialDelay);
3975  CHECK_DEFAULT(TestingBridgeBootstrapDownloadInitialDelay);
3976  CHECK_DEFAULT(TestingClientMaxIntervalWithoutRequest);
3977  CHECK_DEFAULT(TestingDirConnectionMaxStall);
3978  CHECK_DEFAULT(TestingAuthKeyLifetime);
3979  CHECK_DEFAULT(TestingLinkCertLifetime);
3980  CHECK_DEFAULT(TestingSigningKeySlop);
3981  CHECK_DEFAULT(TestingAuthKeySlop);
3982  CHECK_DEFAULT(TestingLinkKeySlop);
3983  or_options_free(dflt_options);
3984  }
3985 #undef CHECK_DEFAULT
3986 
3987  if (!options->ClientDNSRejectInternalAddresses &&
3988  !(options->DirAuthorities ||
3989  (options->AlternateDirAuthority && options->AlternateBridgeAuthority)))
3990  REJECT("ClientDNSRejectInternalAddresses used for default network.");
3991 
3992  if (options_validate_relay_testing(old_options, options, msg) < 0)
3993  return -1;
3994  if (options_validate_dirauth_testing(old_options, options, msg) < 0)
3995  return -1;
3996 
3997  if (options->TestingClientMaxIntervalWithoutRequest < 1) {
3998  REJECT("TestingClientMaxIntervalWithoutRequest is way too low.");
3999  } else if (options->TestingClientMaxIntervalWithoutRequest > 3600) {
4000  COMPLAIN("TestingClientMaxIntervalWithoutRequest is insanely high.");
4001  }
4002 
4003  if (options->TestingDirConnectionMaxStall < 5) {
4004  REJECT("TestingDirConnectionMaxStall is way too low.");
4005  } else if (options->TestingDirConnectionMaxStall > 3600) {
4006  COMPLAIN("TestingDirConnectionMaxStall is insanely high.");
4007  }
4008 
4009  if (options->ClientBootstrapConsensusMaxInProgressTries < 1) {
4010  REJECT("ClientBootstrapConsensusMaxInProgressTries must be greater "
4011  "than 0.");
4012  } else if (options->ClientBootstrapConsensusMaxInProgressTries
4013  > 100) {
4014  COMPLAIN("ClientBootstrapConsensusMaxInProgressTries is insanely "
4015  "high.");
4016  }
4017 
4018  if (options->TestingEnableConnBwEvent &&
4019  !options->TestingTorNetwork && !options->UsingTestNetworkDefaults_) {
4020  REJECT("TestingEnableConnBwEvent may only be changed in testing "
4021  "Tor networks!");
4022  }
4023 
4024  if (options->TestingEnableCellStatsEvent &&
4025  !options->TestingTorNetwork && !options->UsingTestNetworkDefaults_) {
4026  REJECT("TestingEnableCellStatsEvent may only be changed in testing "
4027  "Tor networks!");
4028  }
4029 
4030  if (options->TestingTorNetwork) {
4031  log_warn(LD_CONFIG, "TestingTorNetwork is set. This will make your node "
4032  "almost unusable in the public Tor network, and is "
4033  "therefore only advised if you are building a "
4034  "testing Tor network!");
4035  }
4036 
4037  if (options_validate_scheduler(options, msg) < 0) {
4038  return -1;
4039  }
4040 
4041  return 0;
4042 }
4043 
4044 #undef REJECT
4045 #undef COMPLAIN
4046 
4047 /* Given the value that the user has set for MaxMemInQueues, compute the
4048  * actual maximum value. We clip this value if it's too low, and autodetect
4049  * it if it's set to 0. */
4050 STATIC uint64_t
4051 compute_real_max_mem_in_queues(const uint64_t val, bool is_server)
4052 {
4053 #define MIN_SERVER_MB 64
4054 #define MIN_UNWARNED_SERVER_MB 256
4055 #define MIN_UNWARNED_CLIENT_MB 64
4056  uint64_t result;
4057 
4058  if (val == 0) {
4059 #define ONE_GIGABYTE (UINT64_C(1) << 30)
4060 #define ONE_MEGABYTE (UINT64_C(1) << 20)
4061  /* The user didn't pick a memory limit. Choose a very large one
4062  * that is still smaller than the system memory */
4063  static int notice_sent = 0;
4064  size_t ram = 0;
4065  if (get_total_system_memory(&ram) < 0) {
4066  /* We couldn't determine our total system memory! */
4067 #if SIZEOF_VOID_P >= 8
4068  /* 64-bit system. Let's hope for 8 GB. */
4069  result = 8 * ONE_GIGABYTE;
4070 #else
4071  /* (presumably) 32-bit system. Let's hope for 1 GB. */
4072  result = ONE_GIGABYTE;
4073 #endif /* SIZEOF_VOID_P >= 8 */
4074  } else {
4075  /* We detected the amount of memory available. */
4076  uint64_t avail = 0;
4077 
4078 #if SIZEOF_SIZE_T > 4
4079 /* On a 64-bit platform, we consider 8GB "very large". */
4080 #define RAM_IS_VERY_LARGE(x) ((x) >= (8 * ONE_GIGABYTE))
4081 #else
4082 /* On a 32-bit platform, we can't have 8GB of ram. */
4083 #define RAM_IS_VERY_LARGE(x) (0)
4084 #endif /* SIZEOF_SIZE_T > 4 */
4085 
4086  if (RAM_IS_VERY_LARGE(ram)) {
4087  /* If we have 8 GB, or more, RAM available, we set the MaxMemInQueues
4088  * to 0.4 * RAM. The idea behind this value is that the amount of RAM
4089  * is more than enough for a single relay and should allow the relay
4090  * operator to run two relays if they have additional bandwidth
4091  * available.
4092  */
4093  avail = (ram / 5) * 2;
4094  } else {
4095  /* If we have less than 8 GB of RAM available, we use the "old" default
4096  * for MaxMemInQueues of 0.75 * RAM.
4097  */
4098  avail = (ram / 4) * 3;
4099  }
4100 
4101  /* Make sure it's in range from 0.25 GB to 8 GB for 64-bit and 0.25 to 2
4102  * GB for 32-bit. */
4103  if (avail > MAX_DEFAULT_MEMORY_QUEUE_SIZE) {
4104  /* If you want to use more than this much RAM, you need to configure
4105  it yourself */
4107  } else if (avail < ONE_GIGABYTE / 4) {
4108  result = ONE_GIGABYTE / 4;
4109  } else {
4110  result = avail;
4111  }
4112  }
4113  if (is_server && ! notice_sent) {
4114  log_notice(LD_CONFIG, "%sMaxMemInQueues is set to %"PRIu64" MB. "
4115  "You can override this by setting MaxMemInQueues by hand.",
4116  ram ? "Based on detected system memory, " : "",
4117  (result / ONE_MEGABYTE));
4118  notice_sent = 1;
4119  }
4120  return result;
4121  } else if (is_server && val < ONE_MEGABYTE * MIN_SERVER_MB) {
4122  /* We can't configure less than this much on a server. */
4123  log_warn(LD_CONFIG, "MaxMemInQueues must be at least %d MB on servers "
4124  "for now. Ideally, have it as large as you can afford.",
4125  MIN_SERVER_MB);
4126  return MIN_SERVER_MB * ONE_MEGABYTE;
4127  } else if (is_server && val < ONE_MEGABYTE * MIN_UNWARNED_SERVER_MB) {
4128  /* On a server, if it's less than this much, we warn that things
4129  * may go badly. */
4130  log_warn(LD_CONFIG, "MaxMemInQueues is set to a low value; if your "
4131  "relay doesn't work, this may be the reason why.");
4132  return val;
4133  } else if (! is_server && val < ONE_MEGABYTE * MIN_UNWARNED_CLIENT_MB) {
4134  /* On a client, if it's less than this much, we warn that things
4135  * may go badly. */
4136  log_warn(LD_CONFIG, "MaxMemInQueues is set to a low value; if your "
4137  "client doesn't work, this may be the reason why.");
4138  return val;
4139  } else {
4140  /* The value was fine all along */
4141  return val;
4142  }
4143 }
4144 
4145 /** Helper: return true iff s1 and s2 are both NULL, or both non-NULL
4146  * equal strings. */
4147 static int
4148 opt_streq(const char *s1, const char *s2)
4149 {
4150  return 0 == strcmp_opt(s1, s2);
4151 }
4152 
4153 /** Check if any config options have changed but aren't allowed to. */
4154 static int
4156  const void *new_val_,
4157  char **msg)
4158 {
4159  CHECK_OPTIONS_MAGIC(old_);
4160  CHECK_OPTIONS_MAGIC(new_val_);
4161 
4162  const or_options_t *old = old_;
4163  const or_options_t *new_val = new_val_;
4164 
4165  if (BUG(!old))
4166  return 0;
4167 
4168 #define BAD_CHANGE_TO(opt, how) do { \
4169  *msg = tor_strdup("While Tor is running"how", changing " #opt \
4170  " is not allowed"); \
4171  return -1; \
4172  } while (0)
4173 
4174  if (sandbox_is_active()) {
4175 #define SB_NOCHANGE_STR(opt) \
4176  if (! CFG_EQ_STRING(old, new_val, opt)) \
4177  BAD_CHANGE_TO(opt," with Sandbox active")
4178 #define SB_NOCHANGE_LINELIST(opt) \
4179  if (! CFG_EQ_LINELIST(old, new_val, opt)) \
4180  BAD_CHANGE_TO(opt," with Sandbox active")
4181 #define SB_NOCHANGE_INT(opt) \
4182  if (! CFG_EQ_INT(old, new_val, opt)) \
4183  BAD_CHANGE_TO(opt," with Sandbox active")
4184 
4185  SB_NOCHANGE_LINELIST(Address);
4186  SB_NOCHANGE_STR(ServerDNSResolvConfFile);
4187  SB_NOCHANGE_STR(DirPortFrontPage);
4188  SB_NOCHANGE_STR(CookieAuthFile);
4189  SB_NOCHANGE_STR(ExtORPortCookieAuthFile);
4190  SB_NOCHANGE_LINELIST(Logs);
4191  SB_NOCHANGE_INT(ConnLimit);
4192 
4193  if (server_mode(old) != server_mode(new_val)) {
4194  *msg = tor_strdup("Can't start/stop being a server while "
4195  "Sandbox is active");
4196  return -1;
4197  }
4198  }
4199 
4200 #undef SB_NOCHANGE_LINELIST
4201 #undef SB_NOCHANGE_STR
4202 #undef SB_NOCHANGE_INT
4203 #undef BAD_CHANGE_TO
4204 #undef NO_CHANGE_BOOL
4205 #undef NO_CHANGE_INT
4206 #undef NO_CHANGE_STRING
4207  return 0;
4208 }
4209 
4210 #ifdef _WIN32
4211 /** Return the directory on windows where we expect to find our application
4212  * data. */
4213 static char *
4214 get_windows_conf_root(void)
4215 {
4216  static int is_set = 0;
4217  static char path[MAX_PATH*2+1];
4218  TCHAR tpath[MAX_PATH] = {0};
4219 
4220  LPITEMIDLIST idl;
4221  IMalloc *m;
4222  HRESULT result;
4223 
4224  if (is_set)
4225  return path;
4226 
4227  /* Find X:\documents and settings\username\application data\ .
4228  * We would use SHGetSpecialFolder path, but that wasn't added until IE4.
4229  */
4230 #ifdef ENABLE_LOCAL_APPDATA
4231 #define APPDATA_PATH CSIDL_LOCAL_APPDATA
4232 #else
4233 #define APPDATA_PATH CSIDL_APPDATA
4234 #endif
4235  if (!SUCCEEDED(SHGetSpecialFolderLocation(NULL, APPDATA_PATH, &idl))) {
4236  getcwd(path,MAX_PATH);
4237  is_set = 1;
4238  log_warn(LD_CONFIG,
4239  "I couldn't find your application data folder: are you "
4240  "running an ancient version of Windows 95? Defaulting to \"%s\"",
4241  path);
4242  return path;
4243  }
4244  /* Convert the path from an "ID List" (whatever that is!) to a path. */
4245  result = SHGetPathFromIDList(idl, tpath);
4246 #ifdef UNICODE
4247  wcstombs(path,tpath,sizeof(path));
4248  path[sizeof(path)-1] = '\0';
4249 #else
4250  strlcpy(path,tpath,sizeof(path));
4251 #endif /* defined(UNICODE) */
4252 
4253  /* Now we need to free the memory that the path-idl was stored in. In
4254  * typical Windows fashion, we can't just call 'free()' on it. */
4255  SHGetMalloc(&m);
4256  if (m) {
4257  m->lpVtbl->Free(m, idl);
4258  m->lpVtbl->Release(m);
4259  }
4260  if (!SUCCEEDED(result)) {
4261  return NULL;
4262  }
4263  strlcat(path,"\\tor",MAX_PATH);
4264  is_set = 1;
4265  return path;
4266 }
4267 #endif /* defined(_WIN32) */
4268 
4269 /** Return the default location for our torrc file (if <b>defaults_file</b> is
4270  * false), or for the torrc-defaults file (if <b>defaults_file</b> is true). */
4271 static const char *
4272 get_default_conf_file(int defaults_file)
4273 {
4274 #ifdef DISABLE_SYSTEM_TORRC
4275  (void) defaults_file;
4276  return NULL;
4277 #elif defined(_WIN32)
4278  if (defaults_file) {
4279  static char defaults_path[MAX_PATH+1];
4280  tor_snprintf(defaults_path, MAX_PATH, "%s\\torrc-defaults",
4281  get_windows_conf_root());
4282  return defaults_path;
4283  } else {
4284  static char path[MAX_PATH+1];
4285  tor_snprintf(path, MAX_PATH, "%s\\torrc",
4286  get_windows_conf_root());
4287  return path;
4288  }
4289 #else
4290  return defaults_file ? CONFDIR "/torrc-defaults" : CONFDIR "/torrc";
4291 #endif /* defined(DISABLE_SYSTEM_TORRC) || ... */
4292 }
4293 
4294 /** Learn config file name from command line arguments, or use the default.
4295  *
4296  * If <b>defaults_file</b> is true, we're looking for torrc-defaults;
4297  * otherwise, we're looking for the regular torrc_file.
4298  *
4299  * Set *<b>using_default_fname</b> to true if we're using the default
4300  * configuration file name; or false if we've set it from the command line.
4301  *
4302  * Set *<b>ignore_missing_torrc</b> to true if we should ignore the resulting
4303  * filename if it doesn't exist.
4304  */
4305 static char *
4307  int defaults_file,
4308  int *using_default_fname, int *ignore_missing_torrc)
4309 {
4310  char *fname=NULL;
4311  const config_line_t *p_index;
4312  const char *fname_opt = defaults_file ? "--defaults-torrc" : "-f";
4313  const char *fname_long_opt = defaults_file ? "--defaults-torrc" :
4314  "--torrc-file";
4315  const char *ignore_opt = defaults_file ? NULL : "--ignore-missing-torrc";
4316  const char *keygen_opt = "--keygen";
4317 
4318  if (defaults_file)
4319  *ignore_missing_torrc = 1;
4320 
4321  for (p_index = cmd_arg; p_index; p_index = p_index->next) {
4322  // options_init_from_torrc ensures only the short or long name is present
4323  if (!strcmp(p_index->key, fname_opt) ||
4324  !strcmp(p_index->key, fname_long_opt)) {
4325  if (fname) {
4326  log_warn(LD_CONFIG, "Duplicate %s options on command line.",
4327  p_index->key);
4328  tor_free(fname);
4329  }
4330  fname = expand_filename(p_index->value);
4331 
4332  {
4333  char *absfname;
4334  absfname = make_path_absolute(fname);
4335  tor_free(fname);
4336  fname = absfname;
4337  }
4338 
4339  *using_default_fname = 0;
4340  } else if ((ignore_opt && !strcmp(p_index->key, ignore_opt)) ||
4341  (keygen_opt && !strcmp(p_index->key, keygen_opt))) {
4342  *ignore_missing_torrc = 1;
4343  }
4344  }
4345 
4346  if (*using_default_fname) {
4347  /* didn't find one, try CONFDIR */
4348  const char *dflt = get_default_conf_file(defaults_file);
4349  file_status_t st = file_status(dflt);
4350  if (dflt && (st == FN_FILE || st == FN_EMPTY)) {
4351  fname = tor_strdup(dflt);
4352  } else {
4353 #ifndef _WIN32
4354  char *fn = NULL;
4355  if (!defaults_file) {
4356  fn = expand_filename("~/.torrc");
4357  }
4358  if (fn) {
4359  file_status_t hmst = file_status(fn);
4360  if (hmst == FN_FILE || hmst == FN_EMPTY || dflt == NULL) {
4361  fname = fn;
4362  } else {
4363  tor_free(fn);
4364  fname = tor_strdup(dflt);
4365  }
4366  } else {
4367  fname = dflt ? tor_strdup(dflt) : NULL;
4368  }
4369 #else /* defined(_WIN32) */
4370  fname = dflt ? tor_strdup(dflt) : NULL;
4371 #endif /* !defined(_WIN32) */
4372  }
4373  }
4374  return fname;
4375 }
4376 
4377 /** Read the torrc from standard input and return it as a string.
4378  * Upon failure, return NULL.
4379  */
4380 static char *
4382 {
4383  size_t sz_out;
4384 
4385  return read_file_to_str_until_eof(STDIN_FILENO,SIZE_MAX,&sz_out);
4386 }
4387 
4388 /** Load a configuration file from disk, setting torrc_fname or
4389  * torrc_defaults_fname if successful.
4390  *
4391  * If <b>defaults_file</b> is true, load torrc-defaults; otherwise load torrc.
4392  *
4393  * Return the contents of the file on success, and NULL on failure.
4394  */
4395 static char *
4396 load_torrc_from_disk(const config_line_t *cmd_arg, int defaults_file)
4397 {
4398  char *fname=NULL;
4399  char *cf = NULL;
4400  int using_default_torrc = 1;
4401  int ignore_missing_torrc = 0;
4402  char **fname_var = defaults_file ? &torrc_defaults_fname : &torrc_fname;
4403 
4404  if (*fname_var == NULL) {
4405  fname = find_torrc_filename(cmd_arg, defaults_file,
4406  &using_default_torrc, &ignore_missing_torrc);
4407  tor_free(*fname_var);
4408  *fname_var = fname;
4409  } else {
4410  fname = *fname_var;
4411  }
4412  log_debug(LD_CONFIG, "Opening config file \"%s\"", fname?fname:"<NULL>");
4413 
4414  /* Open config file */
4415  file_status_t st = fname ? file_status(fname) : FN_EMPTY;
4416  if (fname == NULL ||
4417  !(st == FN_FILE || st == FN_EMPTY) ||
4418  !(cf = read_file_to_str(fname,0,NULL))) {
4419  if (using_default_torrc == 1 || ignore_missing_torrc) {
4420  if (!defaults_file)
4421  log_notice(LD_CONFIG, "Configuration file \"%s\" not present, "
4422  "using reasonable defaults.", fname);
4423  tor_free(fname); /* sets fname to NULL */
4424  *fname_var = NULL;
4425  cf = tor_strdup("");
4426  } else {
4427  log_warn(LD_CONFIG,
4428  "Unable to open configuration file \"%s\".", fname);
4429  goto err;
4430  }
4431  } else {
4432  log_notice(LD_CONFIG, "Read configuration file \"%s\".", fname);
4433  }
4434 
4435  return cf;
4436  err:
4437  tor_free(fname);
4438  *fname_var = NULL;
4439  return NULL;
4440 }
4441 
4442 /** Read a configuration file into <b>options</b>, finding the configuration
4443  * file location based on the command line. After loading the file
4444  * call options_init_from_string() to load the config.
4445  * Return 0 if success, -1 if failure, and 1 if we succeeded but should exit
4446  * anyway. */
4447 int
4448 options_init_from_torrc(int argc, char **argv)
4449 {
4450  char *cf=NULL, *cf_defaults=NULL;
4451  int retval = -1;
4452  char *errmsg=NULL;
4453  const config_line_t *cmdline_only_options;
4454 
4455  /* Go through command-line variables */
4456  if (global_cmdline == NULL) {
4457  /* Or we could redo the list every time we pass this place.
4458  * It does not really matter */
4459  global_cmdline = config_parse_commandline(argc, argv, 0);
4460  if (global_cmdline == NULL) {
4461  goto err;
4462  }
4463  }
4464  cmdline_only_options = global_cmdline->cmdline_opts;
4465 
4466  if (config_line_find(cmdline_only_options, "-h") ||
4467  config_line_find(cmdline_only_options, "--help")) {
4468  print_usage();
4469  return 1;
4470  }
4471  if (config_line_find(cmdline_only_options, "--list-torrc-options")) {
4472  /* For validating whether we've documented everything. */
4474  return 1;
4475  }
4476  if (config_line_find(cmdline_only_options, "--list-deprecated-options")) {
4477  /* For validating whether what we have deprecated really exists. */
4479  return 1;
4480  }
4481  if (config_line_find(cmdline_only_options, "--dbg-dump-subsystem-list")) {
4483  return 1;
4484  }
4485 
4486  if (config_line_find(cmdline_only_options, "--version")) {
4487  printf("Tor version %s.\n",get_version());
4488  printf("Tor is running on %s with Libevent %s, "
4489  "%s %s, Zlib %s, Liblzma %s, Libzstd %s and %s %s as libc.\n",
4490  get_uname(),
4494  tor_compress_supports_method(ZLIB_METHOD) ?
4495  tor_compress_version_str(ZLIB_METHOD) : "N/A",
4496  tor_compress_supports_method(LZMA_METHOD) ?
4497  tor_compress_version_str(LZMA_METHOD) : "N/A",
4498  tor_compress_supports_method(ZSTD_METHOD) ?
4499  tor_compress_version_str(ZSTD_METHOD) : "N/A",
4500  tor_libc_get_name() ?
4501  tor_libc_get_name() : "Unknown",
4503  printf("Tor compiled with %s version %s\n",
4504  strcmp(COMPILER_VENDOR, "gnu") == 0?
4505  COMPILER:COMPILER_VENDOR, COMPILER_VERSION);
4506 
4507  return 1;
4508  }
4509 
4510  if (config_line_find(cmdline_only_options, "--list-modules")) {
4512  return 1;
4513  }
4514 
4515  if (config_line_find(cmdline_only_options, "--library-versions")) {
4517  return 1;
4518  }
4519 
4521  const char *command_arg = global_cmdline->command_arg;
4522  /* "immediate" has already been handled by this point. */
4524 
4525  if (command == CMD_HASH_PASSWORD) {
4526  cf_defaults = tor_strdup("");
4527  cf = tor_strdup("");
4528  } else {
4529  cf_defaults = load_torrc_from_disk(cmdline_only_options, 1);
4530  const config_line_t *f_line = config_line_find(cmdline_only_options, "-f");
4531  const config_line_t *f_line_long = config_line_find(cmdline_only_options,
4532  "--torrc-file");
4533  if (f_line && f_line_long) {
4534  log_err(LD_CONFIG, "-f and --torrc-file cannot be used together.");
4535  retval = -1;
4536  goto err;
4537  } else if (f_line_long) {
4538  f_line = f_line_long;
4539  }
4540 
4541  const int read_torrc_from_stdin =
4542  (f_line != NULL && strcmp(f_line->value, "-") == 0);
4543 
4544  if (read_torrc_from_stdin) {
4545  cf = load_torrc_from_stdin();
4546  } else {
4547  cf = load_torrc_from_disk(cmdline_only_options, 0);
4548  }
4549 
4550  if (!cf) {
4551  if (config_line_find(cmdline_only_options, "--allow-missing-torrc")) {
4552  cf = tor_strdup("");
4553  } else {
4554  goto err;
4555  }
4556  }
4557  }
4558 
4559  retval = options_init_from_string(cf_defaults, cf, command, command_arg,
4560  &errmsg);
4561  if (retval < 0)
4562  goto err;
4563 
4564  if (config_line_find(cmdline_only_options, "--no-passphrase")) {
4566  retval = -1;
4567  goto err;
4568  }
4569  }
4570 
4571  const config_line_t *format_line = config_line_find(cmdline_only_options,
4572  "--format");
4573  if (format_line) {
4574  if (handle_cmdline_format(command, format_line->value) < 0) {
4575  retval = -1;
4576  goto err;
4577  }
4578  } else {
4579  get_options_mutable()->key_expiration_format =
4580  KEY_EXPIRATION_FORMAT_ISO8601;
4581  }
4582 
4583  if (config_line_find(cmdline_only_options, "--newpass")) {
4584  if (handle_cmdline_newpass(command) < 0) {
4585  retval = -1;
4586  goto err;
4587  }
4588  }
4589 
4590  const config_line_t *fd_line = config_line_find(cmdline_only_options,
4591  "--passphrase-fd");
4592  if (fd_line) {
4593  if (handle_cmdline_passphrase_fd(command, fd_line->value) < 0) {
4594  retval = -1;
4595  goto err;
4596  }
4597  }
4598 
4599  const config_line_t *key_line = config_line_find(cmdline_only_options,
4600  "--master-key");
4601  if (key_line) {
4602  if (handle_cmdline_master_key(command, key_line->value) < 0) {
4603  retval = -1;
4604  goto err;
4605  }
4606  }
4607 
4608  err:
4609  tor_free(cf);
4610  tor_free(cf_defaults);
4611  if (errmsg) {
4612  log_warn(LD_CONFIG,"%s", errmsg);
4613  tor_free(errmsg);
4614  }
4615  return retval < 0 ? -1 : 0;
4616 }
4617 
4618 /** Load the options from the configuration in <b>cf</b>, validate
4619  * them for consistency and take actions based on them.
4620  *
4621  * Return 0 if success, negative on error:
4622  * * -1 for general errors.
4623  * * -2 for failure to parse/validate,
4624  * * -3 for transition not allowed
4625  * * -4 for error while setting the new options
4626  */
4628 options_init_from_string(const char *cf_defaults, const char *cf,
4629  int command, const char *command_arg,
4630  char **msg)
4631 {
4632  bool retry = false;
4633  or_options_t *oldoptions, *newoptions, *newdefaultoptions=NULL;
4634  config_line_t *cl;
4635  int retval;
4636  setopt_err_t err = SETOPT_ERR_MISC;
4637  int cf_has_include = 0;
4638  tor_assert(msg);
4639 
4640  oldoptions = global_options; /* get_options unfortunately asserts if
4641  this is the first time we run*/
4642 
4643  newoptions = options_new();
4644  options_init(newoptions);
4645  newoptions->command = command;
4646  newoptions->command_arg = command_arg ? tor_strdup(command_arg) : NULL;
4647 
4648  smartlist_t *opened_files = smartlist_new();
4649  for (int i = 0; i < 2; ++i) {
4650  const char *body = i==0 ? cf_defaults : cf;
4651  if (!body)
4652  continue;
4653 
4654  /* get config lines, assign them */
4655  retval = config_get_lines_include(body, &cl, 1,
4656  body == cf ? &cf_has_include : NULL,
4657  opened_files);
4658  if (retval < 0) {
4659  err = SETOPT_ERR_PARSE;
4660  goto err;
4661  }
4662  retval = config_assign(get_options_mgr(), newoptions, cl,
4663  CAL_WARN_DEPRECATIONS, msg);
4664  config_free_lines(cl);
4665  if (retval < 0) {
4666  err = SETOPT_ERR_PARSE;
4667  goto err;
4668  }
4669  if (i==0)
4670  newdefaultoptions = config_dup(get_options_mgr(), newoptions);
4671  }
4672 
4673  if (newdefaultoptions == NULL) {
4674  newdefaultoptions = config_dup(get_options_mgr(), global_default_options);
4675  }
4676 
4677  /* Go through command-line variables too */
4678  {
4679  config_line_t *other_opts = NULL;
4680  if (global_cmdline) {
4681  other_opts = global_cmdline->other_opts;
4682  }
4683  retval = config_assign(get_options_mgr(), newoptions,
4684  other_opts,
4685  CAL_WARN_DEPRECATIONS, msg);
4686  }
4687  if (retval < 0) {
4688  err = SETOPT_ERR_PARSE;
4689  goto err;
4690  }
4691 
4692  newoptions->IncludeUsed = cf_has_include;
4693  newoptions->FilesOpenedByIncludes = opened_files;
4694  opened_files = NULL; // prevent double-free.
4695 
4696  /* If this is a testing network configuration, change defaults
4697  * for a list of dependent config options, and try this function again. */
4698  if (newoptions->TestingTorNetwork && ! testing_network_configured) {
4699  // retry with the testing defaults.
4701  retry = true;
4702  goto err;
4703  }
4704 
4705  err = options_validate_and_set(oldoptions, newoptions, msg);
4706  if (err < 0) {
4707  newoptions = NULL; // This was already freed in options_validate_and_set.
4708  goto err;
4709  }
4710 
4711  or_options_free(global_default_options);
4712  global_default_options = newdefaultoptions;
4713 
4714  return SETOPT_OK;
4715 
4716  err:
4718  if (opened_files) {
4719  SMARTLIST_FOREACH(opened_files, char *, f, tor_free(f));
4720  smartlist_free(opened_files);
4721  }
4722  or_options_free(newdefaultoptions);
4723  or_options_free(newoptions);
4724  if (*msg) {
4725  char *old_msg = *msg;
4726  tor_asprintf(msg, "Failed to parse/validate config: %s", old_msg);
4727  tor_free(old_msg);
4728  }
4729  if (retry)
4730  return options_init_from_string(cf_defaults, cf, command, command_arg,
4731  msg);
4732  return err;
4733 }
4734 
4735 /** Return the location for our configuration file. May return NULL.
4736  */
4737 const char *
4738 get_torrc_fname(int defaults_fname)
4739 {
4740  const char *fname = defaults_fname ? torrc_defaults_fname : torrc_fname;
4741 
4742  if (fname)
4743  return fname;
4744  else
4745  return get_default_conf_file(defaults_fname);
4746 }
4747 
4748 /** Adjust the address map based on the MapAddress elements in the
4749  * configuration <b>options</b>
4750  */
4751 void
4753 {
4754  smartlist_t *elts;
4755  config_line_t *opt;
4756  const char *from, *to, *msg;
4757 
4759  elts = smartlist_new();
4760  for (opt = options->AddressMap; opt; opt = opt->next) {
4761  smartlist_split_string(elts, opt->value, NULL,
4762  SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 2);
4763  if (smartlist_len(elts) < 2) {
4764  log_warn(LD_CONFIG,"MapAddress '%s' has too few arguments. Ignoring.",
4765  opt->value);
4766  goto cleanup;
4767  }
4768 
4769  from = smartlist_get(elts,0);
4770  to = smartlist_get(elts,1);
4771 
4772  if (to[0] == '.' || from[0] == '.') {
4773  log_warn(LD_CONFIG,"MapAddress '%s' is ambiguous - address starts with a"
4774  "'.'. Ignoring.",opt->value);
4775  goto cleanup;
4776  }
4777 
4778  if (addressmap_register_auto(from, to, 0, ADDRMAPSRC_TORRC, &msg) < 0) {
4779  log_warn(LD_CONFIG,"MapAddress '%s' failed: %s. Ignoring.", opt->value,
4780  msg);
4781  goto cleanup;
4782  }
4783 
4784  if (smartlist_len(elts) > 2)
4785  log_warn(LD_CONFIG,"Ignoring extra arguments to MapAddress.");
4786 
4787  cleanup:
4788  SMARTLIST_FOREACH(elts, char*, cp, tor_free(cp));
4789  smartlist_clear(elts);
4790  }
4791  smartlist_free(elts);
4792 }
4793 
4794 /** As addressmap_register(), but detect the wildcarded status of "from" and
4795  * "to", and do not steal a reference to <b>to</b>. */
4796 /* XXXX move to connection_edge.c */
4797 int
4798 addressmap_register_auto(const char *from, const char *to,
4799  time_t expires,
4800  addressmap_entry_source_t addrmap_source,
4801  const char **msg)
4802 {
4803  int from_wildcard = 0, to_wildcard = 0;
4804 
4805  *msg = "whoops, forgot the error message";
4806 
4807  if (!strcmp(to, "*") || !strcmp(from, "*")) {
4808  *msg = "can't remap from or to *";
4809  return -1;
4810  }
4811  /* Detect asterisks in expressions of type: '*.example.com' */
4812  if (!strncmp(from,"*.",2)) {
4813  from += 2;
4814  from_wildcard = 1;
4815  }
4816  if (!strncmp(to,"*.",2)) {
4817  to += 2;
4818  to_wildcard = 1;
4819  }
4820 
4821  if (to_wildcard && !from_wildcard) {
4822  *msg = "can only use wildcard (i.e. '*.') if 'from' address "
4823  "uses wildcard also";
4824  return -1;
4825  }
4826 
4827  if (address_is_invalid_destination(to, 1)) {
4828  *msg = "destination is invalid";
4829  return -1;
4830  }
4831 
4832  addressmap_register(from, tor_strdup(to), expires, addrmap_source,
4833  from_wildcard, to_wildcard, 0);
4834 
4835  return 0;
4836 }
4837 
4838 /**
4839  * As add_file_log, but open the file as appropriate.
4840  */
4841 STATIC int
4843  const char *filename, int truncate_log)
4844 {
4845  int open_flags = O_WRONLY|O_CREAT;
4846  open_flags |= truncate_log ? O_TRUNC : O_APPEND;
4847 
4848  int fd = tor_open_cloexec(filename, open_flags, 0640);
4849  if (fd < 0)
4850  return -1;
4851 
4852  return add_file_log(severity, filename, fd);
4853 }
4854 
4855 /**
4856  * Try to set our global log granularity from `options->LogGranularity`,
4857  * adjusting it as needed so that we are an even divisor of a second, or an
4858  * even multiple of seconds. Return 0 on success, -1 on failure.
4859  **/
4860 static int
4862  int validate_only)
4863 {
4864  if (options->LogTimeGranularity <= 0) {
4865  log_warn(LD_CONFIG, "Log time granularity '%d' has to be positive.",
4866  options->LogTimeGranularity);
4867  return -1;
4868  } else if (1000 % options->LogTimeGranularity != 0 &&
4869  options->LogTimeGranularity % 1000 != 0) {
4870  int granularity = options->LogTimeGranularity;
4871  if (granularity < 40) {
4872  do granularity++;
4873  while (1000 % granularity != 0);
4874  } else if (granularity < 1000) {
4875  granularity = 1000 / granularity;
4876  while (1000 % granularity != 0)
4877  granularity--;
4878  granularity = 1000 / granularity;
4879  } else {
4880  granularity = 1000 * ((granularity / 1000) + 1);
4881  }
4882  log_warn(LD_CONFIG, "Log time granularity '%d' has to be either a "
4883  "divisor or a multiple of 1 second. Changing to "
4884  "'%d'.",
4885  options->LogTimeGranularity, granularity);
4886  if (!validate_only)
4887  set_log_time_granularity(granularity);
4888  } else {
4889  if (!validate_only)
4891  }
4892 
4893  return 0;
4894 }
4895 
4896 /**
4897  * Initialize the logs based on the configuration file.
4898  */
4899 STATIC int
4900 options_init_logs(const or_options_t *old_options, const or_options_t *options,
4901  int validate_only)
4902 {
4903  config_line_t *opt;
4904  int ok;
4905  smartlist_t *elts;
4906  int run_as_daemon =
4907 #ifdef _WIN32
4908  0;
4909 #else
4910  options->RunAsDaemon;
4911 #endif
4912 
4913  if (options_init_log_granularity(options, validate_only) < 0)
4914  return -1;
4915 
4916  ok = 1;
4917  elts = smartlist_new();
4918 
4919  if (options->Logs == NULL && !run_as_daemon && !validate_only) {
4920  /* When no logs are given, the default behavior is to log nothing (if
4921  RunAsDaemon is set) or to log based on the quiet level otherwise. */
4923  }
4924 
4925  for (opt = options->Logs; opt; opt = opt->next) {
4926  log_severity_list_t *severity;
4927  const char *cfg = opt->value;
4928  severity = tor_malloc_zero(sizeof(log_severity_list_t));
4929  if (parse_log_severity_config(&cfg, severity) < 0) {
4930  log_warn(LD_CONFIG, "Couldn't parse log levels in Log option 'Log %s'",
4931  opt->value);
4932  ok = 0; goto cleanup;
4933  }
4934 
4935  smartlist_split_string(elts, cfg, NULL,
4936  SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 2);
4937 
4938  if (smartlist_len(elts) == 0)
4939  smartlist_add_strdup(elts, "stdout");
4940 
4941  if (smartlist_len(elts) == 1 &&
4942  (!strcasecmp(smartlist_get(elts,0), "stdout") ||
4943  !strcasecmp(smartlist_get(elts,0), "stderr"))) {
4944  int err = smartlist_len(elts) &&
4945  !strcasecmp(smartlist_get(elts,0), "stderr");
4946  if (!validate_only) {
4947  if (run_as_daemon) {
4948  log_warn(LD_CONFIG,
4949  "Can't log to %s with RunAsDaemon set; skipping stdout",
4950  err?"stderr":"stdout");
4951  } else {
4952  add_stream_log(severity, err?"<stderr>":"<stdout>",
4953  fileno(err?stderr:stdout));
4954  }
4955  }
4956  goto cleanup;
4957  }
4958  if (smartlist_len(elts) == 1) {
4959  if (!strcasecmp(smartlist_get(elts,0), "syslog")) {
4960 #ifdef HAVE_SYSLOG_H
4961  if (!validate_only) {
4962  add_syslog_log(severity, options->SyslogIdentityTag);
4963  }
4964 #else
4965  log_warn(LD_CONFIG, "Syslog is not supported on this system. Sorry.");
4966 #endif /* defined(HAVE_SYSLOG_H) */
4967  goto cleanup;
4968  }
4969 
4970  /* We added this workaround in 0.4.5.x; we can remove it in 0.4.6 or
4971  * later */
4972  if (!strcasecmp(smartlist_get(elts, 0), "android")) {
4973 #ifdef HAVE_SYSLOG_H
4974  log_warn(LD_CONFIG, "The android logging API is no longer supported;"
4975  " adding a syslog instead. The 'android' logging "
4976  " type will no longer work in the future.");
4977  if (!validate_only) {
4978  add_syslog_log(severity, options->SyslogIdentityTag);
4979  }
4980 #else /* !defined(HAVE_SYSLOG_H) */
4981  log_warn(LD_CONFIG, "The android logging API is no longer supported.");
4982 #endif /* defined(HAVE_SYSLOG_H) */
4983  goto cleanup;
4984  }
4985  }
4986 
4987  if (smartlist_len(elts) == 2 &&
4988  !strcasecmp(smartlist_get(elts,0), "file")) {
4989  if (!validate_only) {
4990  char *fname = expand_filename(smartlist_get(elts, 1));
4991  /* Truncate if TruncateLogFile is set and we haven't seen this option
4992  line before. */
4993  int truncate_log = 0;
4994  if (options->TruncateLogFile) {
4995  truncate_log = 1;
4996  if (old_options) {
4997  config_line_t *opt2;
4998  for (opt2 = old_options->Logs; opt2; opt2 = opt2->next)
4999  if (!strcmp(opt->value, opt2->value)) {
5000  truncate_log = 0;
5001  break;
5002  }
5003  }
5004  }
5005  if (open_and_add_file_log(severity, fname, truncate_log) < 0) {
5006  log_warn(LD_CONFIG, "Couldn't open file for 'Log %s': %s",
5007  opt->value, strerror(errno));
5008  ok = 0;
5009  }
5010  tor_free(fname);
5011  }
5012  goto cleanup;
5013  }
5014 
5015  log_warn(LD_CONFIG, "Bad syntax on file Log option 'Log %s'",
5016  opt->value);
5017  ok = 0; goto cleanup;
5018 
5019  cleanup:
5020  SMARTLIST_FOREACH(elts, char*, cp, tor_free(cp));
5021  smartlist_clear(elts);
5022  tor_free(severity);
5023  }
5024  smartlist_free(elts);
5025 
5026  if (ok && !validate_only)
5028 
5029  return ok?0:-1;
5030 }
5031 
5032 /** Given a smartlist of SOCKS arguments to be passed to a transport
5033  * proxy in <b>args</b>, validate them and return -1 if they are
5034  * corrupted. Return 0 if they seem OK. */
5035 static int
5037 {
5038  char *socks_string = NULL;
5039  size_t socks_string_len;
5040 
5041  tor_assert(args);
5042  tor_assert(smartlist_len(args) > 0);
5043 
5044  SMARTLIST_FOREACH_BEGIN(args, const char *, s) {
5045  if (!string_is_key_value(LOG_WARN, s)) { /* items should be k=v items */
5046  log_warn(LD_CONFIG, "'%s' is not a k=v item.", s);
5047  return -1;
5048  }
5049  } SMARTLIST_FOREACH_END(s);
5050 
5051  socks_string = pt_stringify_socks_args(args);
5052  if (!socks_string)
5053  return -1;
5054 
5055  socks_string_len = strlen(socks_string);
5056  tor_free(socks_string);
5057 
5058  if (socks_string_len > MAX_SOCKS5_AUTH_SIZE_TOTAL) {
5059  log_warn(LD_CONFIG, "SOCKS arguments can't be more than %u bytes (%lu).",
5061  (unsigned long) socks_string_len);
5062  return -1;
5063  }
5064 
5065  return 0;
5066 }
5067 
5068 /** Deallocate a bridge_line_t structure. */
5069 /* private */ void
5071 {
5072  if (!bridge_line)
5073  return;
5074 
5075  if (bridge_line->socks_args) {
5076  SMARTLIST_FOREACH(bridge_line->socks_args, char*, s, tor_free(s));
5077  smartlist_free(bridge_line->socks_args);
5078  }
5079  tor_free(bridge_line->transport_name);
5080  tor_free(bridge_line);
5081 }
5082 
5083 /** Parse the contents of a string, <b>line</b>, containing a Bridge line,
5084  * into a bridge_line_t.
5085  *
5086  * Validates that the IP:PORT, fingerprint, and SOCKS arguments (given to the
5087  * Pluggable Transport, if a one was specified) are well-formed.
5088  *
5089  * Returns NULL If the Bridge line could not be validated, and returns a
5090  * bridge_line_t containing the parsed information otherwise.
5091  *
5092  * Bridge line format:
5093  * Bridge [transport] IP:PORT [id-fingerprint] [k=v] [k=v] ...
5094  */
5095 /* private */ bridge_line_t *
5096 parse_bridge_line(const char *line)
5097 {
5098  smartlist_t *items = NULL;
5099  char *addrport=NULL, *fingerprint=NULL;
5100  char *field=NULL;
5101  bridge_line_t *bridge_line = tor_malloc_zero(sizeof(bridge_line_t));
5102 
5103  items = smartlist_new();
5104  smartlist_split_string(items, line, NULL,
5105  SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
5106  if (smartlist_len(items) < 1) {
5107  log_warn(LD_CONFIG, "Too few arguments to Bridge line.");
5108  goto err;
5109  }
5110 
5111  /* first field is either a transport name or addrport */
5112  field = smartlist_get(items, 0);
5113  smartlist_del_keeporder(items, 0);
5114 
5115  if (string_is_C_identifier(field)) {
5116  /* It's a transport name. */
5117  bridge_line->transport_name = field;
5118  if (smartlist_len(items) < 1) {
5119  log_warn(LD_CONFIG, "Too few items to Bridge line.");
5120  goto err;
5121  }
5122  addrport = smartlist_get(items, 0); /* Next field is addrport then. */
5123  smartlist_del_keeporder(items, 0);
5124  } else {
5125  addrport = field;
5126  }
5127 
5128  if (tor_addr_port_parse(LOG_INFO, addrport,
5129  &bridge_line->addr, &bridge_line->port, 443)<0) {
5130  log_warn(LD_CONFIG, "Error parsing Bridge address '%s'", addrport);
5131  goto err;
5132  }
5133 
5134  /* If transports are enabled, next field could be a fingerprint or a
5135  socks argument. If transports are disabled, next field must be
5136  a fingerprint. */
5137  if (smartlist_len(items)) {
5138  if (bridge_line->transport_name) { /* transports enabled: */
5139  field = smartlist_get(items, 0);
5140  smartlist_del_keeporder(items, 0);
5141 
5142  /* If it's a key=value pair, then it's a SOCKS argument for the
5143  transport proxy... */
5144  if (string_is_key_value(LOG_DEBUG, field)) {
5145  bridge_line->socks_args = smartlist_new();
5146  smartlist_add(bridge_line->socks_args, field);
5147  } else { /* ...otherwise, it's the bridge fingerprint. */
5148  fingerprint = field;
5149  }
5150 
5151  } else { /* transports disabled: */
5152  fingerprint = smartlist_join_strings(items, "", 0, NULL);
5153  }
5154  }
5155 
5156  /* Handle fingerprint, if it was provided. */
5157  if (fingerprint) {
5158  if (strlen(fingerprint) != HEX_DIGEST_LEN) {
5159  log_warn(LD_CONFIG, "Key digest for Bridge is wrong length.");
5160  goto err;
5161  }
5162  if (base16_decode(bridge_line->digest, DIGEST_LEN,
5163  fingerprint, HEX_DIGEST_LEN) != DIGEST_LEN) {
5164  log_warn(LD_CONFIG, "Unable to decode Bridge key digest.");
5165  goto err;
5166  }
5167  }
5168 
5169  /* If we are using transports, any remaining items in the smartlist
5170  should be k=v values. */
5171  if (bridge_line->transport_name && smartlist_len(items)) {
5172  if (!bridge_line->socks_args)
5173  bridge_line->socks_args = smartlist_new();
5174 
5175  /* append remaining items of 'items' to 'socks_args' */
5176  smartlist_add_all(bridge_line->socks_args, items);
5177  smartlist_clear(items);
5178 
5179  tor_assert(smartlist_len(bridge_line->socks_args) > 0);
5180  }
5181 
5182  if (bridge_line->socks_args) {
5183  if (validate_transport_socks_arguments(bridge_line->socks_args) < 0)
5184  goto err;
5185  }
5186 
5187  goto done;
5188 
5189  err:
5190  bridge_line_free(bridge_line);
5191  bridge_line = NULL;
5192 
5193  done:
5194  SMARTLIST_FOREACH(items, char*, s, tor_free(s));
5195  smartlist_free(items);
5196  tor_free(addrport);
5197  tor_free(fingerprint);
5198 
5199  return bridge_line;
5200 }
5201 
5202 /** Parse the contents of a TCPProxy line from <b>line</b> and put it
5203  * in <b>options</b>. Return 0 if the line is well-formed, and -1 if it
5204  * isn't.
5205  *
5206  * This will mutate only options->TCPProxyProtocol, options->TCPProxyAddr,
5207  * and options->TCPProxyPort.
5208  *
5209  * On error, tor_strdup an error explanation into *<b>msg</b>.
5210  */
5211 STATIC int
5212 parse_tcp_proxy_line(const char *line, or_options_t *options, char **msg)
5213 {
5214  int ret = 0;
5215  tor_assert(line);
5216  tor_assert(options);
5217  tor_assert(msg);
5218 
5219  smartlist_t *sl = smartlist_new();
5220  /* Split between the protocol and the address/port. */
5221  smartlist_split_string(sl, line, " ",
5222  SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 2);
5223 
5224  /* The address/port is not specified. */
5225  if (smartlist_len(sl) < 2) {
5226  *msg = tor_strdup("TCPProxy has no address/port. Please fix.");
5227  goto err;
5228  }
5229 
5230  char *protocol_string = smartlist_get(sl, 0);
5231  char *addrport_string = smartlist_get(sl, 1);
5232 
5233  /* The only currently supported protocol is 'haproxy'. */
5234  if (strcasecmp(protocol_string, "haproxy")) {
5235  *msg = tor_strdup("TCPProxy protocol is not supported. Currently "
5236  "the only supported protocol is 'haproxy'. "
5237  "Please fix.");
5238  goto err;
5239  } else {
5240  /* Otherwise, set the correct protocol. */
5242  }
5243 
5244  /* Parse the address/port. */
5245  if (tor_addr_port_lookup(addrport_string, &options->TCPProxyAddr,
5246  &options->TCPProxyPort) < 0) {
5247  *msg = tor_strdup("TCPProxy address/port failed to parse or resolve. "
5248  "Please fix.");
5249  goto err;
5250  }
5251 
5252  /* Success. */
5253  ret = 0;
5254  goto end;
5255 
5256  err:
5257  ret = -1;
5258  end:
5259  SMARTLIST_FOREACH(sl, char *, cp, tor_free(cp));
5260  smartlist_free(sl);
5261  return ret;
5262 }
5263 
5264 /** Read the contents of a ClientTransportPlugin or ServerTransportPlugin
5265  * line from <b>line</b>, depending on the value of <b>server</b>. Return 0
5266  * if the line is well-formed, and -1 if it isn't.
5267  *
5268  * If <b>validate_only</b> is 0, the line is well-formed, and the transport is
5269  * needed by some bridge:
5270  * - If it's an external proxy line, add the transport described in the line to
5271  * our internal transport list.
5272  * - If it's a managed proxy line, launch the managed proxy.
5273  */
5274 int
5276  const char *line, int validate_only,
5277  int server)
5278 {
5279 
5280  smartlist_t *items = NULL;
5281  int r;
5282  const char *transports = NULL;
5283  smartlist_t *transport_list = NULL;
5284  char *type = NULL;
5285  char *addrport = NULL;
5286  tor_addr_t addr;
5287  uint16_t port = 0;
5288  int socks_ver = PROXY_NONE;
5289 
5290  /* managed proxy options */
5291  int is_managed = 0;
5292  char **proxy_argv = NULL;
5293  char **tmp = NULL;
5294  int proxy_argc, i;
5295  int is_useless_proxy = 1;
5296 
5297  int line_length;
5298 
5299  /* Split the line into space-separated tokens */
5300  items = smartlist_new();
5301  smartlist_split_string(items, line, NULL,
5302  SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
5303  line_length = smartlist_len(items);
5304 
5305  if (line_length < 3) {
5306  log_warn(LD_CONFIG,
5307  "Too few arguments on %sTransportPlugin line.",
5308  server ? "Server" : "Client");
5309  goto err;
5310  }
5311 
5312  /* Get the first line element, split it to commas into
5313  transport_list (in case it's multiple transports) and validate
5314  the transport names. */
5315  transports = smartlist_get(items, 0);
5317  smartlist_split_string(transport_list, transports, ",",
5318  SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
5319  SMARTLIST_FOREACH_BEGIN(transport_list, const char *, transport_name) {
5320  /* validate transport names */
5321  if (!string_is_C_identifier(transport_name)) {
5322  log_warn(LD_CONFIG, "Transport name is not a C identifier (%s).",
5323  transport_name);
5324  goto err;
5325  }
5326 
5327  /* see if we actually need the transports provided by this proxy */
5328  if (!validate_only && transport_is_needed(transport_name))
5329  is_useless_proxy = 0;
5330  } SMARTLIST_FOREACH_END(transport_name);
5331 
5332  type = smartlist_get(items, 1);
5333  if (!strcmp(type, "exec")) {
5334  is_managed = 1;
5335  } else if (server && !strcmp(type, "proxy")) {
5336  /* 'proxy' syntax only with ServerTransportPlugin */
5337  is_managed = 0;
5338  } else if (!server && !strcmp(type, "socks4")) {
5339  /* 'socks4' syntax only with ClientTransportPlugin */
5340  is_managed = 0;
5341  socks_ver = PROXY_SOCKS4;
5342  } else if (!server && !strcmp(type, "socks5")) {
5343  /* 'socks5' syntax only with ClientTransportPlugin */
5344  is_managed = 0;
5345  socks_ver = PROXY_SOCKS5;
5346  } else {
5347  log_warn(LD_CONFIG,
5348  "Strange %sTransportPlugin type '%s'",
5349  server ? "Server" : "Client", type);
5350  goto err;
5351  }
5352 
5353  if (is_managed && options->Sandbox) {
5354  log_warn(LD_CONFIG,
5355  "Managed proxies are not compatible with Sandbox mode."
5356  "(%sTransportPlugin line was %s)",
5357  server ? "Server" : "Client", escaped(line));
5358  goto err;
5359  }
5360 
5361  if (is_managed && options->NoExec) {
5362  log_warn(LD_CONFIG,
5363  "Managed proxies are not compatible with NoExec mode; ignoring."
5364  "(%sTransportPlugin line was %s)",
5365  server ? "Server" : "Client", escaped(line));
5366  r = 0;
5367  goto done;
5368  }
5369 
5370  if (is_managed) {
5371  /* managed */
5372 
5373  if (!server && !validate_only && is_useless_proxy) {
5374  log_info(LD_GENERAL,
5375  "Pluggable transport proxy (%s) does not provide "
5376  "any needed transports and will not be launched.",
5377  line);
5378  }
5379 
5380  /*
5381  * If we are not just validating, use the rest of the line as the
5382  * argv of the proxy to be launched. Also, make sure that we are
5383  * only launching proxies that contribute useful transports.
5384  */
5385 
5386  if (!validate_only && (server || !is_useless_proxy)) {
5387  proxy_argc = line_length - 2;
5388  tor_assert(proxy_argc > 0);
5389  proxy_argv = tor_calloc((proxy_argc + 1), sizeof(char *));
5390  tmp = proxy_argv;
5391 
5392  for (i = 0; i < proxy_argc; i++) {
5393  /* store arguments */
5394  *tmp++ = smartlist_get(items, 2);
5395  smartlist_del_keeporder(items, 2);
5396  }
5397  *tmp = NULL; /* terminated with NULL, just like execve() likes it */
5398 
5399  /* kickstart the thing */
5400  if (server) {
5401  pt_kickstart_server_proxy(transport_list, proxy_argv);
5402  } else {
5403  pt_kickstart_client_proxy(transport_list, proxy_argv);
5404  }
5405  }
5406  } else {
5407  /* external */
5408 
5409  /* ClientTransportPlugins connecting through a proxy is managed only. */
5410  if (!server && (options->Socks4Proxy || options->Socks5Proxy ||
5411  options->HTTPSProxy || options->TCPProxy)) {
5412  log_warn(LD_CONFIG, "You have configured an external proxy with another "
5413  "proxy type. (Socks4Proxy|Socks5Proxy|HTTPSProxy|"
5414  "TCPProxy)");
5415  goto err;
5416  }
5417 
5418  if (smartlist_len(transport_list) != 1) {
5419  log_warn(LD_CONFIG,
5420  "You can't have an external proxy with more than "
5421  "one transport.");
5422  goto err;
5423  }
5424 
5425  addrport = smartlist_get(items, 2);
5426 
5427  if (tor_addr_port_lookup(addrport, &addr, &port) < 0) {
5428  log_warn(LD_CONFIG,
5429  "Error parsing transport address '%s'", addrport);
5430  goto err;
5431  }
5432 
5433  if (!port) {
5434  log_warn(LD_CONFIG,
5435  "Transport address '%s' has no port.", addrport);
5436  goto err;
5437  }
5438 
5439  if (!validate_only) {
5440  log_info(LD_DIR, "%s '%s' at %s.",
5441  server ? "Server transport" : "Transport",
5442  transports, fmt_addrport(&addr, port));
5443 
5444  if (!server) {
5445  transport_add_from_config(&addr, port,
5446  smartlist_get(transport_list, 0),
5447  socks_ver);
5448  }
5449  }
5450  }
5451 
5452  r = 0;
5453  goto done;
5454 
5455  err:
5456  r = -1;
5457 
5458  done:
5459  SMARTLIST_FOREACH(items, char*, s, tor_free(s));
5460  smartlist_free(items);
5461  if (transport_list) {
5462  SMARTLIST_FOREACH(transport_list, char*, s, tor_free(s));
5463  smartlist_free(transport_list);
5464  }
5465 
5466  return r;
5467 }
5468 
5469 /**
5470  * Parse a flag describing an extra dirport for a directory authority.
5471  *
5472  * Right now, the supported format is exactly:
5473  * `{upload,download,voting}=http://[IP:PORT]/`.
5474  * Other URL schemes, and other suffixes, might be supported in the future.
5475  *
5476  * Only call this function if `flag` starts with one of the above strings.
5477  *
5478  * Return 0 on success, and -1 on failure.
5479  *
5480  * If `ds` is provided, then add any parsed dirport to `ds`. If `ds` is NULL,
5481  * take no action other than parsing.
5482  **/
5483 static int
5484 parse_dirauth_dirport(dir_server_t *ds, const char *flag)
5485 {
5486  tor_assert(flag);
5487 
5488  auth_dirport_usage_t usage;
5489 
5490  if (!strcasecmpstart(flag, "upload=")) {
5491  usage = AUTH_USAGE_UPLOAD;
5492  } else if (!strcasecmpstart(flag, "download=")) {
5493  usage = AUTH_USAGE_DOWNLOAD;
5494  } else if (!strcasecmpstart(flag, "vote=")) {
5495  usage = AUTH_USAGE_VOTING;
5496  } else {
5497  // We shouldn't get called with a flag that we don't recognize.
5499  return -1;
5500  }
5501 
5502  const char *eq = strchr(flag, '=');
5503  tor_assert(eq);
5504  const char *target = eq + 1;
5505 
5506  // Find the part inside the http://{....}/
5507  if (strcmpstart(target, "http://")) {
5508  log_warn(LD_CONFIG, "Unsupported URL scheme in authority flag %s", flag);
5509  return -1;
5510  }
5511  const char *addr = target + strlen("http://");
5512 
5513  const char *eos = strchr(addr, '/');
5514  size_t addr_len;
5515  if (eos && strcmp(eos, "/")) {
5516  log_warn(LD_CONFIG, "Unsupported URL prefix in authority flag %s", flag);
5517  return -1;
5518  } else if (eos) {
5519  addr_len = eos - addr;
5520  } else {
5521  addr_len = strlen(addr);
5522  }
5523 
5524  // Finally, parse the addr:port part.
5525  char *addr_string = tor_strndup(addr, addr_len);
5526  tor_addr_port_t dirport;
5527  memset(&dirport, 0, sizeof(dirport));
5528  int rv = tor_addr_port_parse(LOG_WARN, addr_string,
5529  &dirport.addr, &dirport.port, -1);
5530  if (ds != NULL && rv == 0) {
5531  trusted_dir_server_add_dirport(ds, usage, &dirport);
5532  } else if (rv == -1) {
5533  log_warn(LD_CONFIG, "Unable to parse address in authority flag %s",flag);
5534  }
5535 
5536  tor_free(addr_string);
5537  return rv;
5538 }
5539 
5540 /** Read the contents of a DirAuthority line from <b>line</b>. If
5541  * <b>validate_only</b> is 0, and the line is well-formed, and it
5542  * shares any bits with <b>required_type</b> or <b>required_type</b>
5543  * is NO_DIRINFO (zero), then add the dirserver described in the line
5544  * (minus whatever bits it's missing) as a valid authority.
5545  * Return 0 on success or filtering out by type,
5546  * or -1 if the line isn't well-formed or if we can't add it. */
5547 STATIC int
5548 parse_dir_authority_line(const char *line, dirinfo_type_t required_type,
5549  int validate_only)
5550 {
5551  smartlist_t *items = NULL;
5552  int r;
5553  char *addrport=NULL, *address=NULL, *nickname=NULL, *fingerprint=NULL;
5554  tor_addr_port_t ipv6_addrport, *ipv6_addrport_ptr = NULL;
5555  uint16_t dir_port = 0, or_port = 0;
5556  char digest[DIGEST_LEN];
5557  char v3_digest[DIGEST_LEN];
5558  dirinfo_type_t type = 0;
5559  double weight = 1.0;
5560  smartlist_t *extra_dirports = smartlist_new();
5561 
5562  memset(v3_digest, 0, sizeof(v3_digest));
5563 
5564  items = smartlist_new();
5565  smartlist_split_string(items, line, NULL,
5566  SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
5567  if (smartlist_len(items) < 1) {
5568  log_warn(LD_CONFIG, "No arguments on DirAuthority line.");
5569  goto err;
5570  }
5571 
5572  if (is_legal_nickname(smartlist_get(items, 0))) {
5573  nickname = smartlist_get(items, 0);
5574  smartlist_del_keeporder(items, 0);
5575  }
5576 
5577  while (smartlist_len(items)) {
5578  char *flag = smartlist_get(items, 0);
5579  if (TOR_ISDIGIT(flag[0]))
5580  break;
5581  if (!strcasecmp(flag, "hs") ||
5582  !strcasecmp(flag, "no-hs")) {
5583  log_warn(LD_CONFIG, "The DirAuthority options 'hs' and 'no-hs' are "
5584  "obsolete; you don't need them any more.");
5585  } else if (!strcasecmp(flag, "bridge")) {
5586  type |= BRIDGE_DIRINFO;
5587  } else if (!strcasecmp(flag, "no-v2")) {
5588  /* obsolete, but may still be contained in DirAuthority lines generated
5589  by various tools */;
5590  } else if (!strcasecmpstart(flag, "orport=")) {
5591  int ok;
5592  char *portstring = flag + strlen("orport=");
5593  or_port = (uint16_t) tor_parse_long(portstring, 10, 1, 65535, &ok, NULL);
5594  if (!ok)
5595  log_warn(LD_CONFIG, "Invalid orport '%s' on DirAuthority line.",
5596  portstring);
5597  } else if (!strcmpstart(flag, "weight=")) {
5598  int ok;
5599  const char *wstring = flag + strlen("weight=");
5600  weight = tor_parse_double(wstring, 0, (double)UINT64_MAX, &ok, NULL);
5601  if (!ok) {
5602  log_warn(LD_CONFIG, "Invalid weight '%s' on DirAuthority line.",flag);
5603  weight=1.0;
5604  }
5605  } else if (!strcasecmpstart(flag, "v3ident=")) {
5606  char *idstr = flag + strlen("v3ident=");
5607  if (strlen(idstr) != HEX_DIGEST_LEN ||
5608  base16_decode(v3_digest, DIGEST_LEN,
5609  idstr, HEX_DIGEST_LEN) != DIGEST_LEN) {
5610  log_warn(LD_CONFIG, "Bad v3 identity digest '%s' on DirAuthority line",
5611  flag);
5612  } else {
5614  }
5615  } else if (!strcasecmpstart(flag, "ipv6=")) {
5616  if (ipv6_addrport_ptr) {
5617  log_warn(LD_CONFIG, "Redundant ipv6 addr/port on DirAuthority line");
5618  } else {
5619  if (tor_addr_port_parse(LOG_WARN, flag+strlen("ipv6="),
5620  &ipv6_addrport.addr, &ipv6_addrport.port,
5621  -1) < 0
5622  || tor_addr_family(&ipv6_addrport.addr) != AF_INET6) {
5623  log_warn(LD_CONFIG, "Bad ipv6 addr/port %s on DirAuthority line",
5624  escaped(flag));
5625  goto err;
5626  }
5627  ipv6_addrport_ptr = &ipv6_addrport;
5628  }
5629  } else if (!strcasecmpstart(flag, "upload=") ||
5630  !strcasecmpstart(flag, "download=") ||
5631  !strcasecmpstart(flag, "vote=")) {
5632  // We'll handle these after creating the authority object.
5633  smartlist_add(extra_dirports, flag);
5634  flag = NULL; // prevent double-free.
5635  } else {
5636  log_warn(LD_CONFIG, "Unrecognized flag '%s' on DirAuthority line",
5637  flag);
5638  }
5639  tor_free(flag);
5640  smartlist_del_keeporder(items, 0);
5641  }
5642 
5643  if (smartlist_len(items) < 2) {
5644  log_warn(LD_CONFIG, "Too few arguments to DirAuthority line.");
5645  goto err;
5646  }
5647  addrport = smartlist_get(items, 0);
5648  smartlist_del_keeporder(items, 0);
5649 
5650  if (tor_addr_port_split(LOG_WARN, addrport, &address, &dir_port) < 0) {
5651  log_warn(LD_CONFIG, "Error parsing DirAuthority address '%s'.", addrport);
5652  goto err;
5653  }
5654 
5655  if (!string_is_valid_ipv4_address(address)) {
5656  log_warn(LD_CONFIG, "Error parsing DirAuthority address '%s' "
5657  "(invalid IPv4 address)", address);
5658  goto err;
5659  }
5660 
5661  if (!dir_port) {
5662  log_warn(LD_CONFIG, "Missing port in DirAuthority address '%s'",addrport);
5663  goto err;
5664  }
5665 
5666  fingerprint = smartlist_join_strings(items, "", 0, NULL);
5667  if (strlen(fingerprint) != HEX_DIGEST_LEN) {
5668  log_warn(LD_CONFIG, "Key digest '%s' for DirAuthority is wrong length %d.",
5669  fingerprint, (int)strlen(fingerprint));
5670  goto err;
5671  }
5672  if (base16_decode(digest, DIGEST_LEN,
5673  fingerprint, HEX_DIGEST_LEN) != DIGEST_LEN) {
5674  log_warn(LD_CONFIG, "Unable to decode DirAuthority key digest.");
5675  goto err;
5676  }
5677 
5678  if (validate_only) {
5679  SMARTLIST_FOREACH_BEGIN(extra_dirports, const char *, cp) {
5680  if (parse_dirauth_dirport(NULL, cp) < 0)
5681  goto err;
5682  } SMARTLIST_FOREACH_END(cp);
5683  }
5684 
5685  if (!validate_only && (!required_type || required_type & type)) {
5686  dir_server_t *ds;
5687  if (required_type)
5688  type &= required_type; /* pare down what we think of them as an
5689  * authority for. */
5690  log_debug(LD_DIR, "Trusted %d dirserver at %s:%d (%s)", (int)type,
5691  address, (int)dir_port, (char*)smartlist_get(items,0));
5692  if (!(ds = trusted_dir_server_new(nickname, address, dir_port, or_port,
5693  ipv6_addrport_ptr,
5694  digest, v3_digest, type, weight)))
5695  goto err;
5696 
5697  SMARTLIST_FOREACH_BEGIN(extra_dirports, const char *, cp) {
5698  if (parse_dirauth_dirport(ds, cp) < 0)
5699  goto err;
5700  } SMARTLIST_FOREACH_END(cp);
5701  dir_server_add(ds);
5702  }
5703 
5704  r = 0;
5705  goto done;
5706 
5707  err:
5708  r = -1;
5709 
5710  done:
5711  SMARTLIST_FOREACH(extra_dirports, char*, s, tor_free(s));
5712  smartlist_free(extra_dirports);
5713  SMARTLIST_FOREACH(items, char*, s, tor_free(s));
5714  smartlist_free(items);
5715  tor_free(addrport);
5716  tor_free(address);
5717  tor_free(nickname);
5718  tor_free(fingerprint);
5719  return r;
5720 }
5721 
5722 /** Read the contents of a FallbackDir line from <b>line</b>. If
5723  * <b>validate_only</b> is 0, and the line is well-formed, then add the
5724  * dirserver described in the line as a fallback directory. Return 0 on
5725  * success, or -1 if the line isn't well-formed or if we can't add it. */
5726 int
5727 parse_dir_fallback_line(const char *line,
5728  int validate_only)
5729 {
5730  int r = -1;
5731  smartlist_t *items = smartlist_new(), *positional = smartlist_new();
5732  int orport = -1;
5733  uint16_t dirport;
5734  tor_addr_t addr;
5735  int ok;
5736  char id[DIGEST_LEN];
5737  char *address=NULL;
5738  tor_addr_port_t ipv6_addrport, *ipv6_addrport_ptr = NULL;
5739  double weight=1.0;
5740 
5741  memset(id, 0, sizeof(id));
5742  smartlist_split_string(items, line, NULL,
5743  SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, -1);
5744  SMARTLIST_FOREACH_BEGIN(items, const char *, cp) {
5745  const char *eq = strchr(cp, '=');
5746  ok = 1;
5747  if (! eq) {
5748  smartlist_add(positional, (char*)cp);
5749  continue;
5750  }
5751  if (!strcmpstart(cp, "orport=")) {
5752  orport = (int)tor_parse_long(cp+strlen("orport="), 10,
5753  1, 65535, &ok, NULL);
5754  } else if (!strcmpstart(cp, "id=")) {
5755  ok = base16_decode(id, DIGEST_LEN, cp+strlen("id="),
5756  strlen(cp)-strlen("id=")) == DIGEST_LEN;
5757  } else if (!strcasecmpstart(cp, "ipv6=")) {
5758  if (ipv6_addrport_ptr) {
5759  log_warn(LD_CONFIG, "Redundant ipv6 addr/port on FallbackDir line");
5760  } else {
5761  if (tor_addr_port_parse(LOG_WARN, cp+strlen("ipv6="),
5762  &ipv6_addrport.addr, &ipv6_addrport.port,
5763  -1) < 0
5764  || tor_addr_family(&ipv6_addrport.addr) != AF_INET6) {
5765  log_warn(LD_CONFIG, "Bad ipv6 addr/port %s on FallbackDir line",
5766  escaped(cp));
5767  goto end;
5768  }
5769  ipv6_addrport_ptr = &ipv6_addrport;
5770  }
5771  } else if (!strcmpstart(cp, "weight=")) {
5772  int num_ok;
5773  const char *wstring = cp + strlen("weight=");
5774  weight = tor_parse_double(wstring, 0, (double)UINT64_MAX, &num_ok, NULL);
5775  if (!num_ok) {
5776  log_warn(LD_CONFIG, "Invalid weight '%s' on FallbackDir line.", cp);
5777  weight=1.0;
5778  }
5779  }
5780 
5781  if (!ok) {
5782  log_warn(LD_CONFIG, "Bad FallbackDir option %s", escaped(cp));
5783  goto end;
5784  }
5785  } SMARTLIST_FOREACH_END(cp);
5786 
5787  if (smartlist_len(positional) != 1) {
5788  log_warn(LD_CONFIG, "Couldn't parse FallbackDir line %s", escaped(line));
5789  goto end;
5790  }
5791 
5792  if (tor_digest_is_zero(id)) {
5793  log_warn(LD_CONFIG, "Missing identity on FallbackDir line");
5794  goto end;
5795  }
5796 
5797  if (orport <= 0) {
5798  log_warn(LD_CONFIG, "Missing orport on FallbackDir line");
5799  goto end;
5800  }
5801 
5802  if (tor_addr_port_split(LOG_INFO, smartlist_get(positional, 0),
5803  &address, &dirport) < 0 ||
5804  tor_addr_parse(&addr, address)<0) {
5805  log_warn(LD_CONFIG, "Couldn't parse address:port %s on FallbackDir line",
5806  (const char*)smartlist_get(positional, 0));
5807  goto end;
5808  }
5809 
5810  if (!validate_only) {
5811  dir_server_t *ds;
5812  ds = fallback_dir_server_new(&addr, dirport, orport, ipv6_addrport_ptr,
5813  id, weight);
5814  if (!ds) {
5815  log_warn(LD_CONFIG, "Couldn't create FallbackDir %s", escaped(line));
5816  goto end;
5817  }
5818  dir_server_add(ds);
5819  }
5820 
5821  r = 0;
5822 
5823  end:
5824  SMARTLIST_FOREACH(items, char *, cp, tor_free(cp));
5825  smartlist_free(items);
5826  smartlist_free(positional);
5827  tor_free(address);
5828  return r;
5829 }
5830 
5831 /** Allocate and return a new port_cfg_t with reasonable defaults.
5832  *
5833  * <b>namelen</b> is the length of the unix socket name
5834  * (typically the filesystem path), not including the trailing NUL.
5835  * It should be 0 for ports that are not zunix sockets. */
5836 port_cfg_t *
5837 port_cfg_new(size_t namelen)
5838 {
5839  tor_assert(namelen <= SIZE_T_CEILING - sizeof(port_cfg_t) - 1);
5840  port_cfg_t *cfg = tor_malloc_zero(sizeof(port_cfg_t) + namelen + 1);
5841 
5842  /* entry_cfg flags */
5843  cfg->entry_cfg.ipv4_traffic = 1;
5844  cfg->entry_cfg.ipv6_traffic = 1;
5845  cfg->entry_cfg.prefer_ipv6 = 0;
5846  cfg->entry_cfg.dns_request = 1;
5847  cfg->entry_cfg.onion_traffic = 1;
5851 
5852  /* Other flags default to 0 due to tor_malloc_zero */
5853  return cfg;
5854 }
5855 
5856 /** Free all storage held in <b>port</b> */
5857 void
5859 {
5860  tor_free(port);
5861 }
5862 
5863 /** Warn for every port in <b>ports</b> of type <b>listener_type</b> that is
5864  * on a publicly routable address. */
5865 static void
5867  const char *portname,
5868  const int listener_type)
5869 {
5870  SMARTLIST_FOREACH_BEGIN(ports, const port_cfg_t *, port) {
5871  if (port->type != listener_type)
5872  continue;
5873  if (port->is_unix_addr) {
5874  /* Unix sockets aren't accessible over a network. */
5875  } else if (!tor_addr_is_internal(&port->addr, 1)) {
5876  log_warn(LD_CONFIG, "You specified a public address '%s' for %sPort. "
5877  "Other people on the Internet might find your computer and "
5878  "use it as an open proxy. Please don't allow this unless you "
5879  "have a good reason.",
5880  fmt_addrport(&port->addr, port->port), portname);
5881  } else if (!tor_addr_is_loopback(&port->addr)) {
5882  log_notice(LD_CONFIG, "You configured a non-loopback address '%s' "
5883  "for %sPort. This allows everybody on your local network to "
5884  "use your machine as a proxy. Make sure this is what you "
5885  "wanted.",
5886  fmt_addrport(&port->addr, port->port), portname);
5887  }
5888  } SMARTLIST_FOREACH_END(port);
5889 }
5890 
5891 /** Given a list of port_cfg_t in <b>ports</b>, warn if any controller port
5892  * there is listening on any non-loopback address. If <b>forbid_nonlocal</b>
5893  * is true, then emit a stronger warning and remove the port from the list.
5894  */
5895 static void
5896 warn_nonlocal_controller_ports(smartlist_t *ports, unsigned forbid_nonlocal)
5897 {
5898  int warned = 0;
5899  SMARTLIST_FOREACH_BEGIN(ports, port_cfg_t *, port) {
5900  if (port->type != CONN_TYPE_CONTROL_LISTENER)
5901  continue;
5902  if (port->is_unix_addr)
5903  continue;
5904  if (!tor_addr_is_loopback(&port->addr)) {
5905  if (forbid_nonlocal) {
5906  if (!warned)
5907  log_warn(LD_CONFIG,
5908  "You have a ControlPort set to accept "
5909  "unauthenticated connections from a non-local address. "
5910  "This means that programs not running on your computer "
5911  "can reconfigure your Tor, without even having to guess a "
5912  "password. That's so bad that I'm closing your ControlPort "
5913  "for you. If you need to control your Tor remotely, try "
5914  "enabling authentication and using a tool like stunnel or "
5915  "ssh to encrypt remote access.");
5916  warned = 1;
5917  port_cfg_free(port);
5918  SMARTLIST_DEL_CURRENT(ports, port);
5919  } else {
5920  log_warn(LD_CONFIG, "You have a ControlPort set to accept "
5921  "connections from a non-local address. This means that "
5922  "programs not running on your computer can reconfigure your "
5923  "Tor. That's pretty bad, since the controller "
5924  "protocol isn't encrypted! Maybe you should just listen on "
5925  "127.0.0.1 and use a tool like stunnel or ssh to encrypt "
5926  "remote connections to your control port.");
5927  return; /* No point in checking the rest */
5928  }
5929  }
5930  } SMARTLIST_FOREACH_END(port);
5931 }
5932 
5933 /**
5934  * Take a string (<b>line</b>) that begins with either an address:port, a
5935  * port, or an AF_UNIX address, optionally quoted, prefixed with
5936  * "unix:". Parse that line, and on success, set <b>addrport_out</b> to a new
5937  * string containing the beginning portion (without prefix). Iff there was a
5938  * unix: prefix, set <b>is_unix_out</b> to true. On success, also set
5939  * <b>rest_out</b> to point to the part of the line after the address portion.
5940  *
5941  * Return 0 on success, -1 on failure.
5942  */
5943 int
5945  char **addrport_out,
5946  int *is_unix_out,
5947  const char **rest_out)
5948 {
5949  tor_assert(line);
5950  tor_assert(addrport_out);
5951  tor_assert(is_unix_out);
5952  tor_assert(rest_out);
5953 
5954  line = eat_whitespace(line);
5955 
5956  if (!strcmpstart(line, unix_q_socket_prefix)) {
5957  // It starts with unix:"
5958  size_t sz;
5959  *is_unix_out = 1;
5960  *addrport_out = NULL;
5961  line += strlen(unix_socket_prefix); /* No 'unix:', but keep the quote */
5962  *rest_out = unescape_string(line, addrport_out, &sz);
5963  if (!*rest_out || (*addrport_out && sz != strlen(*addrport_out))) {
5964  tor_free(*addrport_out);
5965  return -1;
5966  }