Tor  0.4.4.0-alpha-dev
process_descs.c
Go to the documentation of this file.
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3  * Copyright (c) 2007-2020, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5 
6 /**
7  * \file process_descs.c
8  * \brief Make decisions about uploaded descriptors
9  *
10  * Authorities use the code in this module to decide what to do with just-
11  * uploaded descriptors, and to manage the fingerprint file that helps
12  * them make those decisions.
13  **/
14 
15 #define PROCESS_DESCS_PRIVATE
16 
17 #include "core/or/or.h"
19 
20 #include "app/config/config.h"
21 #include "core/or/policies.h"
22 #include "core/or/versions.h"
24 #include "feature/dirauth/keypin.h"
36 #include "feature/relay/router.h"
37 
38 #include "core/or/tor_version_st.h"
46 
47 #include "lib/encoding/confline.h"
49 
50 /** How far in the future do we allow a router to get? (seconds) */
51 #define ROUTER_ALLOW_SKEW (60*60*12)
52 
53 static void directory_remove_invalid(void);
55  const char **msg);
56 static uint32_t
57 dirserv_get_status_impl(const char *id_digest,
58  const ed25519_public_key_t *ed25519_public_key,
59  const char *nickname, uint32_t addr, uint16_t or_port,
60  const char *platform, const char **msg, int severity);
61 
62 /** Should be static; exposed for testing. */
64 
65 /** Allocate and return a new, empty, authdir_config_t. */
66 static authdir_config_t *
68 {
69  authdir_config_t *list = tor_malloc_zero(sizeof(authdir_config_t));
70  list->fp_by_name = strmap_new();
71  list->status_by_digest = digestmap_new();
72  list->status_by_digest256 = digest256map_new();
73  return list;
74 }
75 
76 #ifdef TOR_UNIT_TESTS
77 
78 /** Initialize fingerprint_list to a new authdir_config_t. Used for tests. */
79 void
80 authdir_init_fingerprint_list(void)
81 {
83 }
84 
85 /* Return the current fingerprint_list. Used for tests. */
87 authdir_return_fingerprint_list(void)
88 {
89  return fingerprint_list;
90 }
91 
92 #endif /* defined(TOR_UNIT_TESTS) */
93 
94 /** Add the fingerprint <b>fp</b> to the smartlist of fingerprint_entry_t's
95  * <b>list</b>, or-ing the currently set status flags with
96  * <b>add_status</b>.
97  */
98 int
100  rtr_flags_t add_status)
101 {
102  char *fingerprint;
103  char d[DIGEST_LEN];
104  rtr_flags_t *status;
105  tor_assert(fp);
106  tor_assert(list);
107 
108  fingerprint = tor_strdup(fp);
109  tor_strstrip(fingerprint, " ");
110  if (base16_decode(d, DIGEST_LEN,
111  fingerprint, strlen(fingerprint)) != DIGEST_LEN) {
112  log_warn(LD_DIRSERV, "Couldn't decode fingerprint \"%s\"",
113  escaped(fp));
114  tor_free(fingerprint);
115  return -1;
116  }
117 
118  status = digestmap_get(list->status_by_digest, d);
119  if (!status) {
120  status = tor_malloc_zero(sizeof(rtr_flags_t));
121  digestmap_set(list->status_by_digest, d, status);
122  }
123 
124  tor_free(fingerprint);
125  *status |= add_status;
126  return 0;
127 }
128 
129 /** Add the ed25519 key <b>edkey</b> to the smartlist of fingerprint_entry_t's
130  * <b>list</b>, or-ing the currently set status flags with <b>add_status</b>.
131  * Return -1 if we were unable to decode the key, else return 0.
132  */
133 int
135  rtr_flags_t add_status)
136 {
137  rtr_flags_t *status;
138 
139  tor_assert(edkey);
140  tor_assert(list);
141 
142  if (ed25519_validate_pubkey(edkey) < 0) {
143  log_warn(LD_DIRSERV, "Invalid ed25519 key \"%s\"", ed25519_fmt(edkey));
144  return -1;
145  }
146 
147  status = digest256map_get(list->status_by_digest256, edkey->pubkey);
148  if (!status) {
149  status = tor_malloc_zero(sizeof(rtr_flags_t));
150  digest256map_set(list->status_by_digest256, edkey->pubkey, status);
151  }
152 
153  *status |= add_status;
154  return 0;
155 }
156 
157 /** Add the fingerprint for this OR to the global list of recognized
158  * identity key fingerprints. */
159 int
161 {
162  char fp[FINGERPRINT_LEN+1];
163  if (crypto_pk_get_fingerprint(pk, fp, 0)<0) {
164  log_err(LD_BUG, "Error computing fingerprint");
165  return -1;
166  }
167  if (!fingerprint_list)
170  log_err(LD_BUG, "Error adding RSA fingerprint");
171  return -1;
172  }
173  if (add_ed25519_to_dir(edkey, fingerprint_list, 0) < 0) {
174  log_err(LD_BUG, "Error adding ed25519 key");
175  return -1;
176  }
177  return 0;
178 }
179 
180 /** Load the nickname->fingerprint mappings stored in the approved-routers
181  * file. The file format is line-based, with each non-blank holding one
182  * nickname, some space, and a fingerprint for that nickname. On success,
183  * replace the current fingerprint list with the new list and return 0. On
184  * failure, leave the current fingerprint list untouched, and return -1. */
185 int
187 {
188  char *fname;
189  char *cf;
190  char *nickname, *fingerprint;
191  authdir_config_t *fingerprint_list_new;
192  int result;
193  config_line_t *front=NULL, *list;
194 
195  fname = get_datadir_fname("approved-routers");
196  log_info(LD_GENERAL,
197  "Reloading approved fingerprints from \"%s\"...", fname);
198 
199  cf = read_file_to_str(fname, RFTS_IGNORE_MISSING, NULL);
200  if (!cf) {
201  log_warn(LD_FS, "Cannot open fingerprint file '%s'. That's ok.", fname);
202  tor_free(fname);
203  return 0;
204  }
205  tor_free(fname);
206 
207  result = config_get_lines(cf, &front, 0);
208  tor_free(cf);
209  if (result < 0) {
210  log_warn(LD_CONFIG, "Error reading from fingerprint file");
211  return -1;
212  }
213 
214  fingerprint_list_new = authdir_config_new();
215 
216  for (list=front; list; list=list->next) {
217  rtr_flags_t add_status = 0;
218  nickname = list->key; fingerprint = list->value;
219  tor_strstrip(fingerprint, " "); /* remove spaces */
220 
221  /* Determine what we should do with the relay with the nickname field. */
222  if (!strcasecmp(nickname, "!reject")) {
223  add_status = RTR_REJECT;
224  } else if (!strcasecmp(nickname, "!badexit")) {
225  add_status = RTR_BADEXIT;
226  } else if (!strcasecmp(nickname, "!invalid")) {
227  add_status = RTR_INVALID;
228  }
229 
230  /* Check if fingerprint is RSA or ed25519 by verifying it. */
231  int ed25519_not_ok = -1, rsa_not_ok = -1;
232 
233  /* Attempt to add the RSA key. */
234  if (strlen(fingerprint) == HEX_DIGEST_LEN) {
235  rsa_not_ok = add_rsa_fingerprint_to_dir(fingerprint,
236  fingerprint_list_new,
237  add_status);
238  }
239 
240  /* Check ed25519 key. We check the size to prevent buffer overflows.
241  * If valid, attempt to add it, */
242  ed25519_public_key_t ed25519_pubkey_tmp;
243  if (strlen(fingerprint) == BASE64_DIGEST256_LEN) {
244  if (!digest256_from_base64((char *) ed25519_pubkey_tmp.pubkey,
245  fingerprint)) {
246  ed25519_not_ok = add_ed25519_to_dir(&ed25519_pubkey_tmp,
247  fingerprint_list_new, add_status);
248  }
249  }
250 
251  /* If both keys are invalid (or missing), log and skip. */
252  if (ed25519_not_ok && rsa_not_ok) {
253  log_warn(LD_CONFIG, "Invalid fingerprint (nickname '%s', "
254  "fingerprint %s). Skipping.", nickname, fingerprint);
255  continue;
256  }
257  }
258 
259  config_free_lines(front);
261  fingerprint_list = fingerprint_list_new;
262  /* Delete any routers whose fingerprints we no longer recognize */
264  return 0;
265 }
266 
267 /* If this is set, then we don't allow routers that have advertised an Ed25519
268  * identity to stop doing so. This is going to be essential for good identity
269  * security: otherwise anybody who can attack RSA-1024 but not Ed25519 could
270  * just sign fake descriptors missing the Ed25519 key. But we won't actually
271  * be able to prevent that kind of thing until we're confident that there isn't
272  * actually a legit reason to downgrade to 0.2.5. Now we are not recommending
273  * 0.2.5 anymore so there is no reason to keep the #undef.
274  */
275 
276 #define DISABLE_DISABLING_ED25519
277 
278 /** Check whether <b>router</b> has:
279  * - a nickname/identity key combination that we recognize from the fingerprint
280  * list,
281  * - an IP we automatically act on according to our configuration,
282  * - an appropriate version, and
283  * - matching pinned keys.
284  *
285  * Return the appropriate router status.
286  *
287  * If the status is 'RTR_REJECT' and <b>msg</b> is provided, set
288  * *<b>msg</b> to a string constant explaining why. */
289 uint32_t
290 dirserv_router_get_status(const routerinfo_t *router, const char **msg,
291  int severity)
292 {
293  char d[DIGEST_LEN];
294  const int key_pinning = dirauth_get_options()->AuthDirPinKeys;
295  uint32_t r;
296  ed25519_public_key_t *signing_key = NULL;
297 
298  if (crypto_pk_get_digest(router->identity_pkey, d)) {
299  log_warn(LD_BUG,"Error computing fingerprint");
300  if (msg)
301  *msg = "Bug: Error computing fingerprint";
302  return RTR_REJECT;
303  }
304 
305  /* First, check for the more common reasons to reject a router. */
306  if (router->cache_info.signing_key_cert) {
307  /* This has an ed25519 identity key. */
308  signing_key = &router->cache_info.signing_key_cert->signing_key;
309  }
310  r = dirserv_get_status_impl(d, signing_key, router->nickname, router->addr,
311  router->or_port, router->platform, msg,
312  severity);
313 
314  if (r)
315  return r;
316 
317  /* dirserv_get_status_impl already rejects versions older than 0.2.4.18-rc,
318  * and onion_curve25519_pkey was introduced in 0.2.4.8-alpha.
319  * But just in case a relay doesn't provide or lies about its version, or
320  * doesn't include an ntor key in its descriptor, check that it exists,
321  * and is non-zero (clients check that it's non-zero before using it). */
322  if (!routerinfo_has_curve25519_onion_key(router)) {
323  log_fn(severity, LD_DIR,
324  "Descriptor from router %s is missing an ntor curve25519 onion "
325  "key.", router_describe(router));
326  if (msg)
327  *msg = "Missing ntor curve25519 onion key. Please upgrade!";
328  return RTR_REJECT;
329  }
330 
331  if (router->cache_info.signing_key_cert) {
332  /* This has an ed25519 identity key. */
333  if (KEYPIN_MISMATCH ==
334  keypin_check((const uint8_t*)router->cache_info.identity_digest,
335  router->cache_info.signing_key_cert->signing_key.pubkey)) {
336  log_fn(severity, LD_DIR,
337  "Descriptor from router %s has an Ed25519 key, "
338  "but the <rsa,ed25519> keys don't match what they were before.",
339  router_describe(router));
340  if (key_pinning) {
341  if (msg) {
342  *msg = "Ed25519 identity key or RSA identity key has changed.";
343  }
344  return RTR_REJECT;
345  }
346  }
347  } else {
348  /* No ed25519 key */
349  if (KEYPIN_MISMATCH == keypin_check_lone_rsa(
350  (const uint8_t*)router->cache_info.identity_digest)) {
351  log_fn(severity, LD_DIR,
352  "Descriptor from router %s has no Ed25519 key, "
353  "when we previously knew an Ed25519 for it. Ignoring for now, "
354  "since Ed25519 keys are fairly new.",
355  router_describe(router));
356 #ifdef DISABLE_DISABLING_ED25519
357  if (key_pinning) {
358  if (msg) {
359  *msg = "Ed25519 identity key has disappeared.";
360  }
361  return RTR_REJECT;
362  }
363 #endif /* defined(DISABLE_DISABLING_ED25519) */
364  }
365  }
366 
367  return 0;
368 }
369 
370 /** Return true if there is no point in downloading the router described by
371  * <b>rs</b> because this directory would reject it. */
372 int
374  const vote_routerstatus_t *vrs)
375 {
376  uint32_t res;
377  struct ed25519_public_key_t pk;
378  memcpy(&pk.pubkey, vrs->ed25519_id, ED25519_PUBKEY_LEN);
379 
381  rs->addr, rs->or_port, NULL, NULL, LOG_DEBUG);
382 
383  return (res & RTR_REJECT) != 0;
384 }
385 
386 /**
387  * Check whether the platform string in <b>platform</b> describes a platform
388  * that, as a directory authority, we want to reject. If it does, return
389  * true, and set *<b>msg</b> (if present) to a rejection message. Otherwise
390  * return false.
391  */
392 STATIC bool
393 dirserv_rejects_tor_version(const char *platform,
394  const char **msg)
395 {
396  if (!platform)
397  return false;
398 
399  static const char please_upgrade_string[] =
400  "Tor version is insecure or unsupported. Please upgrade!";
401 
402  /* Versions before Tor 0.3.5 are unsupported.
403  *
404  * Also, reject unstable versions of 0.3.5, since (as of this writing)
405  * they are almost none of the network. */
406  if (!tor_version_as_new_as(platform,"0.3.5.7")) {
407  if (msg)
408  *msg = please_upgrade_string;
409  return true;
410  }
411 
412  /* Series between Tor 0.3.6 and 0.4.1.4-rc inclusive are unsupported.
413  * Reject them. 0.3.6.0-alpha-dev only existed for a short time, before
414  * it was renamed to 0.4.0.0-alpha-dev. */
415  if (tor_version_as_new_as(platform,"0.3.6.0-alpha-dev") &&
416  !tor_version_as_new_as(platform,"0.4.1.5")) {
417  if (msg) {
418  *msg = please_upgrade_string;
419  }
420  return true;
421  }
422 
423  return false;
424 }
425 
426 /** Helper: As dirserv_router_get_status, but takes the router fingerprint
427  * (hex, no spaces), ed25519 key, nickname, address (used for logging only),
428  * IP address, OR port and platform (logging only) as arguments.
429  *
430  * Log messages at 'severity'. (There's not much point in
431  * logging that we're rejecting servers we'll not download.)
432  */
433 static uint32_t
434 dirserv_get_status_impl(const char *id_digest,
435  const ed25519_public_key_t *ed25519_public_key,
436  const char *nickname, uint32_t addr, uint16_t or_port,
437  const char *platform, const char **msg, int severity)
438 {
439  uint32_t result = 0;
440  rtr_flags_t *status_by_digest;
441 
442  if (!fingerprint_list)
444 
445  log_debug(LD_DIRSERV, "%d fingerprints, %d digests known.",
446  strmap_size(fingerprint_list->fp_by_name),
447  digestmap_size(fingerprint_list->status_by_digest));
448 
449  if (platform) {
450  tor_version_t ver_tmp;
451  if (tor_version_parse_platform(platform, &ver_tmp, 1) < 0) {
452  if (msg) {
453  *msg = "Malformed platform string.";
454  }
455  return RTR_REJECT;
456  }
457  }
458 
459  /* Check whether the version is obsolete, broken, insecure, etc... */
460  if (platform && dirserv_rejects_tor_version(platform, msg)) {
461  return RTR_REJECT;
462  }
463 
464  status_by_digest = digestmap_get(fingerprint_list->status_by_digest,
465  id_digest);
466  if (status_by_digest)
467  result |= *status_by_digest;
468 
469  if (ed25519_public_key) {
470  status_by_digest = digest256map_get(fingerprint_list->status_by_digest256,
471  ed25519_public_key->pubkey);
472  if (status_by_digest)
473  result |= *status_by_digest;
474  }
475 
476  if (result & RTR_REJECT) {
477  if (msg)
478  *msg = "Fingerprint and/or ed25519 identity is marked rejected -- if "
479  "you think this is a mistake please set a valid email address "
480  "in ContactInfo and send an email to "
481  "bad-relays@lists.torproject.org mentioning your fingerprint(s)?";
482  return RTR_REJECT;
483  } else if (result & RTR_INVALID) {
484  if (msg)
485  *msg = "Fingerprint and/or ed25519 identity is marked invalid";
486  }
487 
488  if (authdir_policy_badexit_address(addr, or_port)) {
489  log_fn(severity, LD_DIRSERV,
490  "Marking '%s' as bad exit because of address '%s'",
491  nickname, fmt_addr32(addr));
492  result |= RTR_BADEXIT;
493  }
494 
495  if (!authdir_policy_permits_address(addr, or_port)) {
496  log_fn(severity, LD_DIRSERV, "Rejecting '%s' because of address '%s'",
497  nickname, fmt_addr32(addr));
498  if (msg)
499  *msg = "Suspicious relay address range -- if you think this is a "
500  "mistake please set a valid email address in ContactInfo and "
501  "send an email to bad-relays@lists.torproject.org mentioning "
502  "your address(es) and fingerprint(s)?";
503  return RTR_REJECT;
504  }
505  if (!authdir_policy_valid_address(addr, or_port)) {
506  log_fn(severity, LD_DIRSERV,
507  "Not marking '%s' valid because of address '%s'",
508  nickname, fmt_addr32(addr));
509  result |= RTR_INVALID;
510  }
511 
512  return result;
513 }
514 
515 /** Clear the current fingerprint list. */
516 void
518 {
519  if (!fingerprint_list)
520  return;
521 
522  strmap_free(fingerprint_list->fp_by_name, tor_free_);
523  digestmap_free(fingerprint_list->status_by_digest, tor_free_);
524  digest256map_free(fingerprint_list->status_by_digest256, tor_free_);
526 }
527 
528 /*
529  * Descriptor list
530  */
531 
532 /** Return -1 if <b>ri</b> has a private or otherwise bad address,
533  * unless we're configured to not care. Return 0 if all ok. */
534 STATIC int
536 {
537  tor_addr_t addr;
538 
539  if (get_options()->DirAllowPrivateAddresses)
540  return 0; /* whatever it is, we're fine with it */
541 
542  tor_addr_from_ipv4h(&addr, ri->addr);
543  if (tor_addr_is_null(&addr) || tor_addr_is_internal(&addr, 0)) {
544  log_info(LD_DIRSERV,
545  "Router %s published internal IPv4 address. Refusing.",
546  router_describe(ri));
547  return -1; /* it's a private IP, we should reject it */
548  }
549 
550  /* We only check internal v6 on non-null addresses because we do not require
551  * IPv6 and null IPv6 is normal. */
552  if (!tor_addr_is_null(&ri->ipv6_addr) &&
553  tor_addr_is_internal(&ri->ipv6_addr, 0)) {
554  log_info(LD_DIRSERV,
555  "Router %s published internal IPv6 address. Refusing.",
556  router_describe(ri));
557  return -1; /* it's a private IP, we should reject it */
558  }
559 
560  return 0;
561 }
562 
563 /** Check whether we, as a directory server, want to accept <b>ri</b>. If so,
564  * set its is_valid,running fields and return 0. Otherwise, return -1.
565  *
566  * If the router is rejected, set *<b>msg</b> to a string constant explining
567  * why.
568  *
569  * If <b>complain</b> then explain at log-level 'notice' why we refused
570  * a descriptor; else explain at log-level 'info'.
571  */
572 int
574  int complain, int *valid_out)
575 {
576  /* Okay. Now check whether the fingerprint is recognized. */
577  time_t now;
578  int severity = (complain && ri->contact_info) ? LOG_NOTICE : LOG_INFO;
579  uint32_t status = dirserv_router_get_status(ri, msg, severity);
580  tor_assert(msg);
581  if (status & RTR_REJECT)
582  return -1; /* msg is already set. */
583 
584  /* Is there too much clock skew? */
585  now = time(NULL);
586  if (ri->cache_info.published_on > now+ROUTER_ALLOW_SKEW) {
587  log_fn(severity, LD_DIRSERV, "Publication time for %s is too "
588  "far (%d minutes) in the future; possible clock skew. Not adding "
589  "(%s)",
590  router_describe(ri),
591  (int)((ri->cache_info.published_on-now)/60),
592  esc_router_info(ri));
593  *msg = "Rejected: Your clock is set too far in the future, or your "
594  "timezone is not correct.";
595  return -1;
596  }
597  if (ri->cache_info.published_on < now-ROUTER_MAX_AGE_TO_PUBLISH) {
598  log_fn(severity, LD_DIRSERV,
599  "Publication time for %s is too far "
600  "(%d minutes) in the past. Not adding (%s)",
601  router_describe(ri),
602  (int)((now-ri->cache_info.published_on)/60),
603  esc_router_info(ri));
604  *msg = "Rejected: Server is expired, or your clock is too far in the past,"
605  " or your timezone is not correct.";
606  return -1;
607  }
608  if (dirserv_router_has_valid_address(ri) < 0) {
609  log_fn(severity, LD_DIRSERV,
610  "Router %s has invalid address. Not adding (%s).",
611  router_describe(ri),
612  esc_router_info(ri));
613  *msg = "Rejected: Address is a private address.";
614  return -1;
615  }
616 
617  *valid_out = ! (status & RTR_INVALID);
618 
619  return 0;
620 }
621 
622 /** Update the relevant flags of <b>node</b> based on our opinion as a
623  * directory authority in <b>authstatus</b>, as returned by
624  * dirserv_router_get_status or equivalent. */
625 void
627  uint32_t authstatus)
628 {
629  node->is_valid = (authstatus & RTR_INVALID) ? 0 : 1;
630  node->is_bad_exit = (authstatus & RTR_BADEXIT) ? 1 : 0;
631 }
632 
633 /** True iff <b>a</b> is more severe than <b>b</b>. */
634 static int
636 {
637  return a < b;
638 }
639 
640 /** As for dirserv_add_descriptor(), but accepts multiple documents, and
641  * returns the most severe error that occurred for any one of them. */
643 dirserv_add_multiple_descriptors(const char *desc, size_t desclen,
644  uint8_t purpose,
645  const char *source,
646  const char **msg)
647 {
648  was_router_added_t r, r_tmp;
649  const char *msg_out;
650  smartlist_t *list;
651  const char *s;
652  int n_parsed = 0;
653  time_t now = time(NULL);
654  char annotation_buf[ROUTER_ANNOTATION_BUF_LEN];
655  char time_buf[ISO_TIME_LEN+1];
656  int general = purpose == ROUTER_PURPOSE_GENERAL;
657  tor_assert(msg);
658 
659  r=ROUTER_ADDED_SUCCESSFULLY; /* Least severe return value. */
660 
661  if (!string_is_utf8_no_bom(desc, desclen)) {
662  *msg = "descriptor(s) or extrainfo(s) not valid UTF-8 or had BOM.";
663  return ROUTER_AUTHDIR_REJECTS;
664  }
665 
666  format_iso_time(time_buf, now);
667  if (tor_snprintf(annotation_buf, sizeof(annotation_buf),
668  "@uploaded-at %s\n"
669  "@source %s\n"
670  "%s%s%s", time_buf, escaped(source),
671  !general ? "@purpose " : "",
672  !general ? router_purpose_to_string(purpose) : "",
673  !general ? "\n" : "")<0) {
674  *msg = "Couldn't format annotations";
675  return ROUTER_AUTHDIR_BUG_ANNOTATIONS;
676  }
677 
678  s = desc;
679  list = smartlist_new();
680  if (!router_parse_list_from_string(&s, s+desclen, list, SAVED_NOWHERE, 0, 0,
681  annotation_buf, NULL)) {
682  SMARTLIST_FOREACH(list, routerinfo_t *, ri, {
683  msg_out = NULL;
684  tor_assert(ri->purpose == purpose);
685  r_tmp = dirserv_add_descriptor(ri, &msg_out, source);
686  if (WRA_MORE_SEVERE(r_tmp, r)) {
687  r = r_tmp;
688  *msg = msg_out;
689  }
690  });
691  }
692  n_parsed += smartlist_len(list);
693  smartlist_clear(list);
694 
695  s = desc;
696  if (!router_parse_list_from_string(&s, s+desclen, list, SAVED_NOWHERE, 1, 0,
697  NULL, NULL)) {
698  SMARTLIST_FOREACH(list, extrainfo_t *, ei, {
699  msg_out = NULL;
700 
701  r_tmp = dirserv_add_extrainfo(ei, &msg_out);
702  if (WRA_MORE_SEVERE(r_tmp, r)) {
703  r = r_tmp;
704  *msg = msg_out;
705  }
706  });
707  }
708  n_parsed += smartlist_len(list);
709  smartlist_free(list);
710 
711  if (! *msg) {
712  if (!n_parsed) {
713  *msg = "No descriptors found in your POST.";
714  if (WRA_WAS_ADDED(r))
715  r = ROUTER_IS_ALREADY_KNOWN;
716  } else {
717  *msg = "(no message)";
718  }
719  }
720 
721  return r;
722 }
723 
724 /** Examine the parsed server descriptor in <b>ri</b> and maybe insert it into
725  * the list of server descriptors. Set *<b>msg</b> to a message that should be
726  * passed back to the origin of this descriptor, or NULL if there is no such
727  * message. Use <b>source</b> to produce better log messages.
728  *
729  * If <b>ri</b> is not added to the list of server descriptors, free it.
730  * That means the caller must not access <b>ri</b> after this function
731  * returns, since it might have been freed.
732  *
733  * Return the status of the operation, and set *<b>msg</b> to a string
734  * constant describing the status.
735  *
736  * This function is only called when fresh descriptors are posted, not when
737  * we re-load the cache.
738  */
740 dirserv_add_descriptor(routerinfo_t *ri, const char **msg, const char *source)
741 {
743  routerinfo_t *ri_old;
744  char *desc, *nickname;
745  const size_t desclen = ri->cache_info.signed_descriptor_len +
746  ri->cache_info.annotations_len;
747  const int key_pinning = dirauth_get_options()->AuthDirPinKeys;
748  *msg = NULL;
749 
750  /* If it's too big, refuse it now. Otherwise we'll cache it all over the
751  * network and it'll clog everything up. */
752  if (ri->cache_info.signed_descriptor_len > MAX_DESCRIPTOR_UPLOAD_SIZE) {
753  log_notice(LD_DIR, "Somebody attempted to publish a router descriptor '%s'"
754  " (source: %s) with size %d. Either this is an attack, or the "
755  "MAX_DESCRIPTOR_UPLOAD_SIZE (%d) constant is too low.",
756  ri->nickname, source, (int)ri->cache_info.signed_descriptor_len,
758  *msg = "Router descriptor was too large.";
759  r = ROUTER_AUTHDIR_REJECTS;
760  goto fail;
761  }
762 
763  /* Check whether this descriptor is semantically identical to the last one
764  * from this server. (We do this here and not in router_add_to_routerlist
765  * because we want to be able to accept the newest router descriptor that
766  * another authority has, so we all converge on the same one.) */
767  ri_old = router_get_mutable_by_digest(ri->cache_info.identity_digest);
768  if (ri_old && ri_old->cache_info.published_on < ri->cache_info.published_on
769  && router_differences_are_cosmetic(ri_old, ri)
770  && !router_is_me(ri)) {
771  log_info(LD_DIRSERV,
772  "Not replacing descriptor from %s (source: %s); "
773  "differences are cosmetic.",
774  router_describe(ri), source);
775  *msg = "Not replacing router descriptor; no information has changed since "
776  "the last one with this identity.";
777  r = ROUTER_IS_ALREADY_KNOWN;
778  goto fail;
779  }
780 
781  /* Do keypinning again ... this time, to add the pin if appropriate */
782  int keypin_status;
783  if (ri->cache_info.signing_key_cert) {
784  ed25519_public_key_t *pkey = &ri->cache_info.signing_key_cert->signing_key;
785  /* First let's validate this pubkey before pinning it */
786  if (ed25519_validate_pubkey(pkey) < 0) {
787  log_warn(LD_DIRSERV, "Received bad key from %s (source %s)",
788  router_describe(ri), source);
789  routerinfo_free(ri);
790  return ROUTER_AUTHDIR_REJECTS;
791  }
792 
793  /* Now pin it! */
794  keypin_status = keypin_check_and_add(
795  (const uint8_t*)ri->cache_info.identity_digest,
796  pkey->pubkey, ! key_pinning);
797  } else {
798  keypin_status = keypin_check_lone_rsa(
799  (const uint8_t*)ri->cache_info.identity_digest);
800 #ifndef DISABLE_DISABLING_ED25519
801  if (keypin_status == KEYPIN_MISMATCH)
802  keypin_status = KEYPIN_NOT_FOUND;
803 #endif
804  }
805  if (keypin_status == KEYPIN_MISMATCH && key_pinning) {
806  log_info(LD_DIRSERV, "Dropping descriptor from %s (source: %s) because "
807  "its key did not match an older RSA/Ed25519 keypair",
808  router_describe(ri), source);
809  *msg = "Looks like your keypair has changed? This authority previously "
810  "recorded a different RSA identity for this Ed25519 identity (or vice "
811  "versa.) Did you replace or copy some of your key files, but not "
812  "the others? You should either restore the expected keypair, or "
813  "delete your keys and restart Tor to start your relay with a new "
814  "identity.";
815  r = ROUTER_AUTHDIR_REJECTS;
816  goto fail;
817  }
818 
819  /* Make a copy of desc, since router_add_to_routerlist might free
820  * ri and its associated signed_descriptor_t. */
821  desc = tor_strndup(ri->cache_info.signed_descriptor_body, desclen);
822  nickname = tor_strdup(ri->nickname);
823 
824  /* Tell if we're about to need to launch a test if we add this. */
827 
828  r = router_add_to_routerlist(ri, msg, 0, 0);
829  if (!WRA_WAS_ADDED(r)) {
830  /* unless the routerinfo was fine, just out-of-date */
831  log_info(LD_DIRSERV,
832  "Did not add descriptor from '%s' (source: %s): %s.",
833  nickname, source, *msg ? *msg : "(no message)");
834  } else {
835  smartlist_t *changed;
836 
837  changed = smartlist_new();
838  smartlist_add(changed, ri);
839  routerlist_descriptors_added(changed, 0);
840  smartlist_free(changed);
841  if (!*msg) {
842  *msg = "Descriptor accepted";
843  }
844  log_info(LD_DIRSERV,
845  "Added descriptor from '%s' (source: %s): %s.",
846  nickname, source, *msg);
847  }
848  tor_free(desc);
849  tor_free(nickname);
850  return r;
851  fail:
852  {
853  const char *desc_digest = ri->cache_info.signed_descriptor_digest;
854  download_status_t *dls =
856  if (dls) {
857  log_info(LD_GENERAL, "Marking router with descriptor %s as rejected, "
858  "and therefore undownloadable",
859  hex_str(desc_digest, DIGEST_LEN));
861  }
862  routerinfo_free(ri);
863  }
864  return r;
865 }
866 
867 /** As dirserv_add_descriptor, but for an extrainfo_t <b>ei</b>. */
868 static was_router_added_t
869 dirserv_add_extrainfo(extrainfo_t *ei, const char **msg)
870 {
871  routerinfo_t *ri;
872  int r;
874  tor_assert(msg);
875  *msg = NULL;
876 
877  /* Needs to be mutable so routerinfo_incompatible_with_extrainfo
878  * can mess with some of the flags in ri->cache_info. */
879  ri = router_get_mutable_by_digest(ei->cache_info.identity_digest);
880  if (!ri) {
881  *msg = "No corresponding router descriptor for extra-info descriptor";
882  rv = ROUTER_BAD_EI;
883  goto fail;
884  }
885 
886  /* If it's too big, refuse it now. Otherwise we'll cache it all over the
887  * network and it'll clog everything up. */
888  if (ei->cache_info.signed_descriptor_len > MAX_EXTRAINFO_UPLOAD_SIZE) {
889  log_notice(LD_DIR, "Somebody attempted to publish an extrainfo "
890  "with size %d. Either this is an attack, or the "
891  "MAX_EXTRAINFO_UPLOAD_SIZE (%d) constant is too low.",
892  (int)ei->cache_info.signed_descriptor_len,
894  *msg = "Extrainfo document was too large";
895  rv = ROUTER_BAD_EI;
896  goto fail;
897  }
898 
900  &ri->cache_info, msg))) {
901  if (r<0) {
902  extrainfo_free(ei);
903  return ROUTER_IS_ALREADY_KNOWN;
904  }
905  rv = ROUTER_BAD_EI;
906  goto fail;
907  }
908  router_add_extrainfo_to_routerlist(ei, msg, 0, 0);
909  return ROUTER_ADDED_SUCCESSFULLY;
910  fail:
911  {
912  const char *d = ei->cache_info.signed_descriptor_digest;
914  if (sd) {
915  log_info(LD_GENERAL, "Marking extrainfo with descriptor %s as "
916  "rejected, and therefore undownloadable",
917  hex_str((char*)d,DIGEST_LEN));
919  }
920  extrainfo_free(ei);
921  }
922  return rv;
923 }
924 
925 /** Remove all descriptors whose nicknames or fingerprints no longer
926  * are allowed by our fingerprint list. (Descriptors that used to be
927  * good can become bad when we reload the fingerprint list.)
928  */
929 static void
931 {
933  smartlist_t *nodes = smartlist_new();
935 
936  SMARTLIST_FOREACH_BEGIN(nodes, node_t *, node) {
937  const char *msg = NULL;
938  const char *description;
939  routerinfo_t *ent = node->ri;
940  uint32_t r;
941  if (!ent)
942  continue;
943  r = dirserv_router_get_status(ent, &msg, LOG_INFO);
944  description = router_describe(ent);
945  if (r & RTR_REJECT) {
946  log_info(LD_DIRSERV, "Router %s is now rejected: %s",
947  description, msg?msg:"");
948  routerlist_remove(rl, ent, 0, time(NULL));
949  continue;
950  }
951  if (bool_neq((r & RTR_INVALID), !node->is_valid)) {
952  log_info(LD_DIRSERV, "Router '%s' is now %svalid.", description,
953  (r&RTR_INVALID) ? "in" : "");
954  node->is_valid = (r&RTR_INVALID)?0:1;
955  }
956  if (bool_neq((r & RTR_BADEXIT), node->is_bad_exit)) {
957  log_info(LD_DIRSERV, "Router '%s' is now a %s exit", description,
958  (r & RTR_BADEXIT) ? "bad" : "good");
959  node->is_bad_exit = (r&RTR_BADEXIT) ? 1: 0;
960  }
961  } SMARTLIST_FOREACH_END(node);
962 
964  smartlist_free(nodes);
965 }
static authdir_config_t * authdir_config_new(void)
Definition: process_descs.c:67
#define MAX_DESCRIPTOR_UPLOAD_SIZE
Definition: or.h:127
void dirserv_free_fingerprint_list(void)
crypto_pk_t * identity_pkey
Definition: routerinfo_st.h:43
A relay's extra-info structure.
Structure dirauth_options_t to hold directory authority options.
Header for confline.c.
Router descriptor structure.
char * contact_info
Definition: routerinfo_st.h:69
unsigned int is_bad_exit
Definition: node_st.h:71
unsigned int is_valid
Definition: node_st.h:65
Definition: node_st.h:34
STATIC bool dirserv_rejects_tor_version(const char *platform, const char **msg)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
int router_is_me(const routerinfo_t *router)
Definition: router.c:1660
int router_differences_are_cosmetic(const routerinfo_t *r1, const routerinfo_t *r2)
Definition: routerlist.c:2867
was_router_added_t
Definition: routerlist.h:17
Header for dirauth_sys.c.
int keypin_check_and_add(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key, const int replace_existing_entry)
Definition: keypin.c:142
int authdir_policy_valid_address(uint32_t addr, uint16_t port)
Definition: policies.c:1157
#define LD_GENERAL
Definition: log.h:62
int dirserv_should_launch_reachability_test(const routerinfo_t *ri, const routerinfo_t *ri_old)
Definition: reachability.c:103
Parsed Tor version structure.
int tor_version_as_new_as(const char *platform, const char *cutoff)
Definition: versions.c:171
int authdir_policy_permits_address(uint32_t addr, uint16_t port)
Definition: policies.c:1146
#define LOG_INFO
Definition: log.h:45
Header file for describe.c.
Header file for nodelist.c.
uint32_t dirserv_router_get_status(const routerinfo_t *router, const char **msg, int severity)
Header file for directory.c.
Microdescriptor structure.
void smartlist_add(smartlist_t *sl, void *element)
char nickname[MAX_NICKNAME_LEN+1]
static int WRA_WAS_ADDED(was_router_added_t s)
Definition: routerlist.h:104
void tor_strstrip(char *s, const char *strip)
Definition: util_string.c:111
#define bool_neq(a, b)
Definition: logic.h:18
Node information structure.
int digest256_from_base64(char *digest, const char *d64)
int add_ed25519_to_dir(const ed25519_public_key_t *edkey, authdir_config_t *list, rtr_flags_t add_status)
Header file for config.c.
char identity_digest[DIGEST_LEN]
const or_options_t * get_options(void)
Definition: config.c:925
#define tor_assert(expr)
Definition: util_bug.h:102
Header file for microdesc.c.
routerinfo_t * router_get_mutable_by_digest(const char *digest)
Definition: routerlist.c:677
static authdir_config_t * fingerprint_list
Definition: process_descs.c:63
Header for keypin.c.
download_status_t * router_get_dl_status_by_descriptor_digest(const char *d)
Header file for reachability.c.
char * nickname
Definition: routerinfo_st.h:22
#define tor_free(p)
Definition: malloc.h:52
#define ED25519_PUBKEY_LEN
Definition: x25519_sizes.h:27
#define LOG_NOTICE
Definition: log.h:50
int authdir_policy_badexit_address(uint32_t addr, uint16_t port)
Definition: policies.c:1168
smartlist_t * smartlist_new(void)
int keypin_check(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key)
Definition: keypin.c:155
Header file for versions.c.
uint32_t rtr_flags_t
Definition: process_descs.h:20
int config_get_lines(const char *string, config_line_t **result, int extended)
Definition: confline.c:201
#define STATIC
Definition: testsupport.h:32
void routerlist_assert_ok(const routerlist_t *rl)
Definition: routerlist.c:3100
Routerstatus (consensus entry) structure.
Header file for policies.c.
char signed_descriptor_digest[DIGEST_LEN]
int dirserv_load_fingerprint_file(void)
const char * ed25519_fmt(const ed25519_public_key_t *pkey)
int add_rsa_fingerprint_to_dir(const char *fp, authdir_config_t *list, rtr_flags_t add_status)
Definition: process_descs.c:99
#define tor_addr_from_ipv4h(dest, v4addr)
Definition: address.h:299
int router_parse_list_from_string(const char **s, const char *eos, smartlist_t *dest, saved_location_t saved_location, int want_extrainfo, int allow_annotations, const char *prepend_annotations, smartlist_t *invalid_digests_out)
Definition: routerparse.c:249
Header for crypto_format.c.
was_router_added_t dirserv_add_descriptor(routerinfo_t *ri, const char **msg, const char *source)
static int WRA_MORE_SEVERE(was_router_added_t a, was_router_added_t b)
digest256map_t * status_by_digest256
Definition: process_descs.h:37
static uint32_t dirserv_get_status_impl(const char *id_digest, const ed25519_public_key_t *ed25519_public_key, const char *nickname, uint32_t addr, uint16_t or_port, const char *platform, const char **msg, int severity)
#define DIGEST_LEN
Definition: digest_sizes.h:20
Master header file for Tor-specific functionality.
signed_descriptor_t * router_get_by_extrainfo_digest(const char *digest)
Definition: routerlist.c:712
const char * hex_str(const char *from, size_t fromlen)
Definition: binascii.c:34
#define LD_DIRSERV
Definition: log.h:90
download_status_t ei_dl_status
int dirserv_would_reject_router(const routerstatus_t *rs, const vote_routerstatus_t *vrs)
void routerlist_descriptors_added(smartlist_t *sl, int from_cache)
Definition: routerlist.c:1929
int dirserv_add_own_fingerprint(crypto_pk_t *pk, const ed25519_public_key_t *edkey)
void dirserv_set_node_flags_from_authoritative_status(node_t *node, uint32_t authstatus)
const char * fmt_addr32(uint32_t addr)
Definition: address.c:1186
#define ROUTER_PURPOSE_GENERAL
int tor_addr_is_null(const tor_addr_t *addr)
Definition: address.c:770
int string_is_utf8_no_bom(const char *str, size_t len)
Definition: util_string.c:548
void tor_free_(void *mem)
Definition: malloc.c:227
#define RFTS_IGNORE_MISSING
Definition: files.h:97
Header file for process_descs.c.
unsigned int needs_retest_if_added
Definition: routerinfo_st.h:83
#define LD_FS
Definition: log.h:70
const char * esc_router_info(const routerinfo_t *router)
Definition: routerlist.c:3188
#define HEX_DIGEST_LEN
Definition: crypto_digest.h:35
char * platform
Definition: routerinfo_st.h:50
#define LD_DIR
Definition: log.h:88
const smartlist_t * nodelist_get_list(void)
Definition: nodelist.c:975
digestmap_t * status_by_digest
Definition: process_descs.h:36
int crypto_pk_get_fingerprint(crypto_pk_t *pk, char *fp_out, int add_space)
Definition: crypto_rsa.c:229
int tor_snprintf(char *str, size_t size, const char *format,...)
Definition: printf.c:27
#define ROUTER_MAX_AGE_TO_PUBLISH
Definition: or.h:161
void format_iso_time(char *buf, time_t t)
Definition: time_fmt.c:295
int keypin_check_lone_rsa(const uint8_t *rsa_id_digest)
Definition: keypin.c:282
int crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
Definition: crypto_rsa.c:356
strmap_t * fp_by_name
Definition: process_descs.h:35
int authdir_wants_to_reject_router(routerinfo_t *ri, const char **msg, int complain, int *valid_out)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
#define MAX_EXTRAINFO_UPLOAD_SIZE
Definition: or.h:130
Header file for router.c.
const char * escaped(const char *s)
Definition: escape.c:126
#define FINGERPRINT_LEN
Definition: crypto_rsa.h:34
void routerlist_remove(routerlist_t *rl, routerinfo_t *ri, int make_old, time_t now)
Definition: routerlist.c:1186
char identity_digest[DIGEST_LEN]
Header file for dlstatus.c.
const char * router_purpose_to_string(uint8_t p)
Definition: routerinfo.c:59
#define log_fn(severity, domain, args,...)
Definition: log.h:287
void smartlist_add_all(smartlist_t *s1, const smartlist_t *s2)
tor_addr_t ipv6_addr
Definition: routerinfo_st.h:32
#define LOG_DEBUG
Definition: log.h:42
uint16_t or_port
Definition: routerinfo_st.h:25
#define BASE64_DIGEST256_LEN
Definition: crypto_digest.h:29
#define ROUTER_ALLOW_SKEW
Definition: process_descs.c:51
Header for torcert.c.
struct tor_cert_st * signing_key_cert
was_router_added_t router_add_to_routerlist(routerinfo_t *router, const char **msg, int from_cache, int from_fetch)
Definition: routerlist.c:1484
int base16_decode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:506
uint32_t addr
Definition: routerinfo_st.h:24
#define ROUTER_ANNOTATION_BUF_LEN
Definition: or.h:803
STATIC int dirserv_router_has_valid_address(routerinfo_t *ri)
uint8_t ed25519_id[ED25519_PUBKEY_LEN]
void download_status_mark_impossible(download_status_t *dl)
Definition: dlstatus.c:393
int routerinfo_incompatible_with_extrainfo(const crypto_pk_t *identity_pkey, extrainfo_t *ei, signed_descriptor_t *sd, const char **msg)
Definition: routerlist.c:2963
was_router_added_t dirserv_add_multiple_descriptors(const char *desc, size_t desclen, uint8_t purpose, const char *source, const char **msg)
Header file for routerinfo.c.
void smartlist_clear(smartlist_t *sl)
const char * router_describe(const routerinfo_t *ri)
Definition: describe.c:123
routerlist_t * router_get_routerlist(void)
Definition: routerlist.c:810
was_router_added_t router_add_extrainfo_to_routerlist(extrainfo_t *ei, const char **msg, int from_cache, int from_fetch)
Definition: routerlist.c:1660
static void directory_remove_invalid(void)
Header file for networkstatus.c.
#define LD_BUG
Definition: log.h:86
static was_router_added_t dirserv_add_extrainfo(extrainfo_t *ei, const char **msg)
#define LD_CONFIG
Definition: log.h:68
Header file for routerlist.c.
Routerstatus (vote entry) structure.
int ed25519_validate_pubkey(const ed25519_public_key_t *pubkey)
Header file for routerparse.c.
int tor_version_parse_platform(const char *platform, tor_version_t *router_version, int strict)
Definition: versions.c:127