15 #define PROCESS_DESCS_PRIVATE
51 #define ROUTER_ALLOW_SKEW (60*60*12)
59 const char *nickname,
const tor_addr_t *ipv4_addr,
60 uint16_t ipv4_orport,
const char *platform,
61 const char **msg,
int severity);
81 authdir_init_fingerprint_list(
void)
88 authdir_return_fingerprint_list(
void)
109 fingerprint = tor_strdup(fp);
112 fingerprint, strlen(fingerprint)) !=
DIGEST_LEN) {
113 log_warn(
LD_DIRSERV,
"Couldn't decode fingerprint \"%s\"",
126 *status |= add_status;
154 *status |= add_status;
165 log_err(
LD_BUG,
"Error computing fingerprint");
171 log_err(
LD_BUG,
"Error adding RSA fingerprint");
175 log_err(
LD_BUG,
"Error adding ed25519 key");
191 char *nickname, *fingerprint;
196 fname = get_datadir_fname(
"approved-routers");
198 "Reloading approved fingerprints from \"%s\"...", fname);
202 log_warn(
LD_FS,
"Cannot open fingerprint file '%s'. That's ok.", fname);
211 log_warn(
LD_CONFIG,
"Error reading from fingerprint file");
217 for (list=front; list; list=list->next) {
219 nickname = list->key; fingerprint = list->value;
223 if (!strcasecmp(nickname,
"!reject")) {
224 add_status = RTR_REJECT;
225 }
else if (!strcasecmp(nickname,
"!badexit")) {
226 add_status = RTR_BADEXIT;
227 }
else if (!strcasecmp(nickname,
"!invalid")) {
228 add_status = RTR_INVALID;
232 int ed25519_not_ok = -1, rsa_not_ok = -1;
237 fingerprint_list_new,
248 fingerprint_list_new, add_status);
253 if (ed25519_not_ok && rsa_not_ok) {
254 log_warn(
LD_CONFIG,
"Invalid fingerprint (nickname '%s', "
255 "fingerprint %s). Skipping.", nickname, fingerprint);
260 config_free_lines(front);
277 #define DISABLE_DISABLING_ED25519
300 log_warn(
LD_BUG,
"Error computing fingerprint");
302 *msg =
"Bug: Error computing fingerprint";
323 if (!routerinfo_has_curve25519_onion_key(router)) {
325 "Descriptor from router %s (platform %s) "
326 "is missing an ntor curve25519 onion key.",
329 *msg =
"Missing ntor curve25519 onion key. Please upgrade!";
335 if (KEYPIN_MISMATCH ==
339 "Descriptor from router %s has an Ed25519 key, "
340 "but the <rsa,ed25519> keys don't match what they were before.",
344 *msg =
"Ed25519 identity key or RSA identity key has changed.";
354 "Descriptor from router %s has no Ed25519 key, "
355 "when we previously knew an Ed25519 for it. Ignoring for now, "
356 "since Ed25519 keys are fairly new.",
358 #ifdef DISABLE_DISABLING_ED25519
361 *msg =
"Ed25519 identity key has disappeared.";
386 return (res & RTR_REJECT) != 0;
402 static const char please_upgrade_string[] =
403 "Tor version is insecure or unsupported. Please upgrade!";
411 *msg = please_upgrade_string;
421 *msg = please_upgrade_string;
439 const char *nickname,
const tor_addr_t *ipv4_addr,
440 uint16_t ipv4_orport,
const char *platform,
441 const char **msg,
int severity)
449 log_debug(
LD_DIRSERV,
"%d fingerprints, %d digests known.",
457 *msg =
"Malformed platform string.";
470 if (status_by_digest)
471 result |= *status_by_digest;
473 if (ed25519_public_key) {
475 ed25519_public_key->pubkey);
476 if (status_by_digest)
477 result |= *status_by_digest;
480 if (result & RTR_REJECT) {
482 *msg =
"Fingerprint and/or ed25519 identity is marked rejected -- if "
483 "you think this is a mistake please set a valid email address "
484 "in ContactInfo and send an email to "
485 "bad-relays@lists.torproject.org mentioning your fingerprint(s)?";
487 }
else if (result & RTR_INVALID) {
489 *msg =
"Fingerprint and/or ed25519 identity is marked invalid";
494 "Marking '%s' as bad exit because of address '%s'",
496 result |= RTR_BADEXIT;
503 *msg =
"Suspicious relay address range -- if you think this is a "
504 "mistake please set a valid email address in ContactInfo and "
505 "send an email to bad-relays@lists.torproject.org mentioning "
506 "your address(es) and fingerprint(s)?";
511 "Not marking '%s' valid because of address '%s'",
513 result |= RTR_INVALID;
545 tor_addr_is_internal(&ri->
ipv4_addr, 0)) {
547 "Router %s published internal IPv4 address. Refusing.",
555 tor_addr_is_internal(&ri->
ipv6_addr, 0)) {
557 "Router %s published internal IPv6 address. Refusing.",
576 int complain,
int *valid_out)
583 if (status & RTR_REJECT)
590 "far (%d minutes) in the future; possible clock skew. Not adding "
595 *msg =
"Rejected: Your clock is set too far in the future, or your "
596 "timezone is not correct.";
601 "Publication time for %s is too far "
602 "(%d minutes) in the past. Not adding (%s)",
606 *msg =
"Rejected: Server is expired, or your clock is too far in the past,"
607 " or your timezone is not correct.";
612 "Router %s has invalid address. Not adding (%s).",
615 *msg =
"Rejected: Address is a private address.";
619 *valid_out = ! (status & RTR_INVALID);
631 node->
is_valid = (authstatus & RTR_INVALID) ? 0 : 1;
632 node->
is_bad_exit = (authstatus & RTR_BADEXIT) ? 1 : 0;
655 time_t now = time(NULL);
657 char time_buf[ISO_TIME_LEN+1];
661 r=ROUTER_ADDED_SUCCESSFULLY;
664 *msg =
"descriptor(s) or extrainfo(s) not valid UTF-8 or had BOM.";
665 return ROUTER_AUTHDIR_REJECTS;
669 if (
tor_snprintf(annotation_buf,
sizeof(annotation_buf),
672 "%s%s%s", time_buf,
escaped(source),
673 !general ?
"@purpose " :
"",
675 !general ?
"\n" :
"")<0) {
676 *msg =
"Couldn't format annotations";
677 return ROUTER_AUTHDIR_BUG_ANNOTATIONS;
683 annotation_buf, NULL)) {
694 n_parsed += smartlist_len(list);
710 n_parsed += smartlist_len(list);
711 smartlist_free(list);
715 *msg =
"No descriptors found in your POST.";
717 r = ROUTER_IS_ALREADY_KNOWN;
719 *msg =
"(no message)";
746 char *desc, *nickname;
755 log_notice(
LD_DIR,
"Somebody attempted to publish a router descriptor '%s'"
756 " (source: %s) with size %d. Either this is an attack, or the "
757 "MAX_DESCRIPTOR_UPLOAD_SIZE (%d) constant is too low.",
760 *msg =
"Router descriptor was too large.";
761 r = ROUTER_AUTHDIR_REJECTS;
765 log_info(
LD_DIR,
"Assessing new descriptor: %s: %s",
777 "Not replacing descriptor from %s (source: %s); "
778 "differences are cosmetic.",
780 *msg =
"Not replacing router descriptor; no information has changed since "
781 "the last one with this identity.";
782 r = ROUTER_IS_ALREADY_KNOWN;
792 log_warn(
LD_DIRSERV,
"Received bad key from %s (source %s)",
795 return ROUTER_AUTHDIR_REJECTS;
801 pkey->pubkey, ! key_pinning);
805 #ifndef DISABLE_DISABLING_ED25519
806 if (keypin_status == KEYPIN_MISMATCH)
807 keypin_status = KEYPIN_NOT_FOUND;
810 if (keypin_status == KEYPIN_MISMATCH && key_pinning) {
811 log_info(
LD_DIRSERV,
"Dropping descriptor from %s (source: %s) because "
812 "its key did not match an older RSA/Ed25519 keypair",
814 *msg =
"Looks like your keypair has changed? This authority previously "
815 "recorded a different RSA identity for this Ed25519 identity (or vice "
816 "versa.) Did you replace or copy some of your key files, but not "
817 "the others? You should either restore the expected keypair, or "
818 "delete your keys and restart Tor to start your relay with a new "
820 r = ROUTER_AUTHDIR_REJECTS;
827 nickname = tor_strdup(ri->
nickname);
837 "Did not add descriptor from '%s' (source: %s): %s.",
838 nickname, source, *msg ? *msg :
"(no message)");
845 smartlist_free(changed);
847 *msg =
"Descriptor accepted";
850 "Added descriptor from '%s' (source: %s): %s.",
851 nickname, source, *msg);
862 log_info(
LD_GENERAL,
"Marking router with descriptor %s as rejected, "
863 "and therefore undownloadable",
886 *msg =
"No corresponding router descriptor for extra-info descriptor";
894 log_notice(
LD_DIR,
"Somebody attempted to publish an extrainfo "
895 "with size %d. Either this is an attack, or the "
896 "MAX_EXTRAINFO_UPLOAD_SIZE (%d) constant is too low.",
899 *msg =
"Extrainfo document was too large";
905 &ri->cache_info, msg))) {
908 return ROUTER_IS_ALREADY_KNOWN;
914 return ROUTER_ADDED_SUCCESSFULLY;
920 log_info(
LD_GENERAL,
"Marking extrainfo with descriptor %s as "
921 "rejected, and therefore undownloadable",
942 const char *msg = NULL;
943 const char *description;
950 if (r & RTR_REJECT) {
951 log_info(
LD_DIRSERV,
"Router %s is now rejected: %s",
952 description, msg?msg:
"");
956 if (
bool_neq((r & RTR_INVALID), !node->is_valid)) {
957 log_info(
LD_DIRSERV,
"Router '%s' is now %svalid.", description,
958 (r&RTR_INVALID) ?
"in" :
"");
959 node->is_valid = (r&RTR_INVALID)?0:1;
961 if (
bool_neq((r & RTR_BADEXIT), node->is_bad_exit)) {
962 log_info(
LD_DIRSERV,
"Router '%s' is now a %s exit", description,
963 (r & RTR_BADEXIT) ?
"bad" :
"good");
964 node->is_bad_exit = (r&RTR_BADEXIT) ? 1: 0;
966 } SMARTLIST_FOREACH_END(node);
969 smartlist_free(nodes);
int tor_addr_is_null(const tor_addr_t *addr)
const char * hex_str(const char *from, size_t fromlen)
int base16_decode(char *dest, size_t destlen, const char *src, size_t srclen)
const or_options_t * get_options(void)
Header file for config.c.
int config_get_lines(const char *string, config_line_t **result, int extended)
#define BASE64_DIGEST256_LEN
int ed25519_validate_pubkey(const ed25519_public_key_t *pubkey)
int crypto_pk_get_fingerprint(crypto_pk_t *pk, char *fp_out, int add_space)
int crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
const char * router_describe(const routerinfo_t *ri)
Header file for describe.c.
Structure dirauth_options_t to hold directory authority options.
Header for dirauth_sys.c.
Header file for directory.c.
void download_status_mark_impossible(download_status_t *dl)
Header file for dlstatus.c.
const char * escaped(const char *s)
#define RFTS_IGNORE_MISSING
int keypin_check_lone_rsa(const uint8_t *rsa_id_digest)
int keypin_check(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key)
int keypin_check_and_add(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key, const int replace_existing_entry)
#define log_fn(severity, domain, args,...)
void tor_free_(void *mem)
Header file for microdesc.c.
Microdescriptor structure.
download_status_t * router_get_dl_status_by_descriptor_digest(const char *d)
Header file for networkstatus.c.
Node information structure.
const smartlist_t * nodelist_get_list(void)
Header file for nodelist.c.
Master header file for Tor-specific functionality.
#define MAX_EXTRAINFO_UPLOAD_SIZE
#define ROUTER_ANNOTATION_BUF_LEN
#define MAX_DESCRIPTOR_UPLOAD_SIZE
#define ROUTER_MAX_AGE_TO_PUBLISH
int authdir_policy_badexit_address(const tor_addr_t *addr, uint16_t port)
int authdir_policy_permits_address(const tor_addr_t *addr, uint16_t port)
int authdir_policy_valid_address(const tor_addr_t *addr, uint16_t port)
Header file for policies.c.
int tor_snprintf(char *str, size_t size, const char *format,...)
int dirserv_would_reject_router(const routerstatus_t *rs, const vote_routerstatus_t *vrs)
int dirserv_load_fingerprint_file(void)
STATIC bool dirserv_rejects_tor_version(const char *platform, const char **msg)
static was_router_added_t dirserv_add_extrainfo(extrainfo_t *ei, const char **msg)
#define ROUTER_ALLOW_SKEW
was_router_added_t dirserv_add_descriptor(routerinfo_t *ri, const char **msg, const char *source)
void dirserv_set_node_flags_from_authoritative_status(node_t *node, uint32_t authstatus)
int dirserv_add_own_fingerprint(crypto_pk_t *pk, const ed25519_public_key_t *edkey)
was_router_added_t dirserv_add_multiple_descriptors(const char *desc, size_t desclen, uint8_t purpose, const char *source, const char **msg)
static authdir_config_t * fingerprint_list
void dirserv_free_fingerprint_list(void)
uint32_t dirserv_router_get_status(const routerinfo_t *router, const char **msg, int severity)
STATIC int dirserv_router_has_valid_address(routerinfo_t *ri)
static int WRA_MORE_SEVERE(was_router_added_t a, was_router_added_t b)
static uint32_t dirserv_get_status_impl(const char *id_digest, const ed25519_public_key_t *ed25519_public_key, const char *nickname, const tor_addr_t *ipv4_addr, uint16_t ipv4_orport, const char *platform, const char **msg, int severity)
static authdir_config_t * authdir_config_new(void)
int authdir_wants_to_reject_router(routerinfo_t *ri, const char **msg, int complain, int *valid_out)
static void directory_remove_invalid(void)
int add_ed25519_to_dir(const ed25519_public_key_t *edkey, authdir_config_t *list, rtr_flags_t add_status)
int add_rsa_fingerprint_to_dir(const char *fp, authdir_config_t *list, rtr_flags_t add_status)
Header file for process_descs.c.
int dirserv_should_launch_reachability_test(const routerinfo_t *ri, const routerinfo_t *ri_old)
Header file for reachability.c.
int router_is_me(const routerinfo_t *router)
Header file for router.c.
const char * router_purpose_to_string(uint8_t p)
Header file for routerinfo.c.
Router descriptor structure.
#define ROUTER_PURPOSE_GENERAL
void routerlist_assert_ok(const routerlist_t *rl)
routerinfo_t * router_get_mutable_by_digest(const char *digest)
int routerinfo_incompatible_with_extrainfo(const crypto_pk_t *identity_pkey, extrainfo_t *ei, signed_descriptor_t *sd, const char **msg)
void routerlist_remove(routerlist_t *rl, routerinfo_t *ri, int make_old, time_t now)
routerlist_t * router_get_routerlist(void)
was_router_added_t router_add_extrainfo_to_routerlist(extrainfo_t *ei, const char **msg, int from_cache, int from_fetch)
was_router_added_t router_add_to_routerlist(routerinfo_t *router, const char **msg, int from_cache, int from_fetch)
int router_differences_are_cosmetic(const routerinfo_t *r1, const routerinfo_t *r2)
void routerlist_descriptors_added(smartlist_t *sl, int from_cache)
signed_descriptor_t * router_get_by_extrainfo_digest(const char *digest)
const char * esc_router_info(const routerinfo_t *router)
Header file for routerlist.c.
static int WRA_WAS_ADDED(was_router_added_t s)
int router_parse_list_from_string(const char **s, const char *eos, smartlist_t *dest, saved_location_t saved_location, int want_extrainfo, int allow_annotations, const char *prepend_annotations, smartlist_t *invalid_digests_out)
Header file for routerparse.c.
Routerstatus (consensus entry) structure.
void smartlist_add_all(smartlist_t *s1, const smartlist_t *s2)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
digest256map_t * status_by_digest256
digestmap_t * status_by_digest
crypto_pk_t * identity_pkey
unsigned int needs_retest_if_added
char identity_digest[DIGEST_LEN]
char nickname[MAX_NICKNAME_LEN+1]
char signed_descriptor_digest[DIGEST_LEN]
char identity_digest[DIGEST_LEN]
download_status_t ei_dl_status
struct tor_cert_st * signing_key_cert
char * signed_descriptor_body
size_t signed_descriptor_len
uint8_t ed25519_id[ED25519_PUBKEY_LEN]
void format_iso_time(char *buf, time_t t)
Parsed Tor version structure.
int string_is_utf8_no_bom(const char *str, size_t len)
void tor_strstrip(char *s, const char *strip)
int tor_version_as_new_as(const char *platform, const char *cutoff)
int tor_version_parse_platform(const char *platform, tor_version_t *router_version, int strict)
Header file for versions.c.
Routerstatus (vote entry) structure.
#define ED25519_PUBKEY_LEN