Tor  0.4.7.0-alpha-dev
process_descs.c
Go to the documentation of this file.
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3  * Copyright (c) 2007-2021, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5 
6 /**
7  * \file process_descs.c
8  * \brief Make decisions about uploaded descriptors
9  *
10  * Authorities use the code in this module to decide what to do with just-
11  * uploaded descriptors, and to manage the fingerprint file that helps
12  * them make those decisions.
13  **/
14 
15 #define PROCESS_DESCS_PRIVATE
16 
17 #include "core/or/or.h"
19 
20 #include "app/config/config.h"
21 #include "core/or/policies.h"
22 #include "core/or/versions.h"
24 #include "feature/dirauth/keypin.h"
36 #include "feature/relay/router.h"
37 
38 #include "core/or/tor_version_st.h"
46 
47 #include "lib/encoding/confline.h"
49 
50 /** How far in the future do we allow a router to get? (seconds) */
51 #define ROUTER_ALLOW_SKEW (60*60*12)
52 
53 static void directory_remove_invalid(void);
55  const char **msg);
56 static uint32_t
57 dirserv_get_status_impl(const char *id_digest,
58  const ed25519_public_key_t *ed25519_public_key,
59  const char *nickname, const tor_addr_t *ipv4_addr,
60  uint16_t ipv4_orport, const char *platform,
61  const char **msg, int severity);
62 
63 /** Should be static; exposed for testing. */
65 
66 /** Allocate and return a new, empty, authdir_config_t. */
67 static authdir_config_t *
69 {
70  authdir_config_t *list = tor_malloc_zero(sizeof(authdir_config_t));
71  list->fp_by_name = strmap_new();
72  list->status_by_digest = digestmap_new();
73  list->status_by_digest256 = digest256map_new();
74  return list;
75 }
76 
77 #ifdef TOR_UNIT_TESTS
78 
79 /** Initialize fingerprint_list to a new authdir_config_t. Used for tests. */
80 void
81 authdir_init_fingerprint_list(void)
82 {
84 }
85 
86 /* Return the current fingerprint_list. Used for tests. */
88 authdir_return_fingerprint_list(void)
89 {
90  return fingerprint_list;
91 }
92 
93 #endif /* defined(TOR_UNIT_TESTS) */
94 
95 /** Add the fingerprint <b>fp</b> to the smartlist of fingerprint_entry_t's
96  * <b>list</b>, or-ing the currently set status flags with
97  * <b>add_status</b>.
98  */
99 int
101  rtr_flags_t add_status)
102 {
103  char *fingerprint;
104  char d[DIGEST_LEN];
105  rtr_flags_t *status;
106  tor_assert(fp);
107  tor_assert(list);
108 
109  fingerprint = tor_strdup(fp);
110  tor_strstrip(fingerprint, " ");
111  if (base16_decode(d, DIGEST_LEN,
112  fingerprint, strlen(fingerprint)) != DIGEST_LEN) {
113  log_warn(LD_DIRSERV, "Couldn't decode fingerprint \"%s\"",
114  escaped(fp));
115  tor_free(fingerprint);
116  return -1;
117  }
118 
119  status = digestmap_get(list->status_by_digest, d);
120  if (!status) {
121  status = tor_malloc_zero(sizeof(rtr_flags_t));
122  digestmap_set(list->status_by_digest, d, status);
123  }
124 
125  tor_free(fingerprint);
126  *status |= add_status;
127  return 0;
128 }
129 
130 /** Add the ed25519 key <b>edkey</b> to the smartlist of fingerprint_entry_t's
131  * <b>list</b>, or-ing the currently set status flags with <b>add_status</b>.
132  * Return -1 if we were unable to decode the key, else return 0.
133  */
134 int
136  rtr_flags_t add_status)
137 {
138  rtr_flags_t *status;
139 
140  tor_assert(edkey);
141  tor_assert(list);
142 
143  if (ed25519_validate_pubkey(edkey) < 0) {
144  log_warn(LD_DIRSERV, "Invalid ed25519 key \"%s\"", ed25519_fmt(edkey));
145  return -1;
146  }
147 
148  status = digest256map_get(list->status_by_digest256, edkey->pubkey);
149  if (!status) {
150  status = tor_malloc_zero(sizeof(rtr_flags_t));
151  digest256map_set(list->status_by_digest256, edkey->pubkey, status);
152  }
153 
154  *status |= add_status;
155  return 0;
156 }
157 
158 /** Add the fingerprint for this OR to the global list of recognized
159  * identity key fingerprints. */
160 int
162 {
163  char fp[FINGERPRINT_LEN+1];
164  if (crypto_pk_get_fingerprint(pk, fp, 0)<0) {
165  log_err(LD_BUG, "Error computing fingerprint");
166  return -1;
167  }
168  if (!fingerprint_list)
171  log_err(LD_BUG, "Error adding RSA fingerprint");
172  return -1;
173  }
174  if (add_ed25519_to_dir(edkey, fingerprint_list, 0) < 0) {
175  log_err(LD_BUG, "Error adding ed25519 key");
176  return -1;
177  }
178  return 0;
179 }
180 
181 /** Load the nickname->fingerprint mappings stored in the approved-routers
182  * file. The file format is line-based, with each non-blank holding one
183  * nickname, some space, and a fingerprint for that nickname. On success,
184  * replace the current fingerprint list with the new list and return 0. On
185  * failure, leave the current fingerprint list untouched, and return -1. */
186 int
188 {
189  char *fname;
190  char *cf;
191  char *nickname, *fingerprint;
192  authdir_config_t *fingerprint_list_new;
193  int result;
194  config_line_t *front=NULL, *list;
195 
196  fname = get_datadir_fname("approved-routers");
197  log_info(LD_GENERAL,
198  "Reloading approved fingerprints from \"%s\"...", fname);
199 
200  cf = read_file_to_str(fname, RFTS_IGNORE_MISSING, NULL);
201  if (!cf) {
202  log_warn(LD_FS, "Cannot open fingerprint file '%s'. That's ok.", fname);
203  tor_free(fname);
204  return 0;
205  }
206  tor_free(fname);
207 
208  result = config_get_lines(cf, &front, 0);
209  tor_free(cf);
210  if (result < 0) {
211  log_warn(LD_CONFIG, "Error reading from fingerprint file");
212  return -1;
213  }
214 
215  fingerprint_list_new = authdir_config_new();
216 
217  for (list=front; list; list=list->next) {
218  rtr_flags_t add_status = 0;
219  nickname = list->key; fingerprint = list->value;
220  tor_strstrip(fingerprint, " "); /* remove spaces */
221 
222  /* Determine what we should do with the relay with the nickname field. */
223  if (!strcasecmp(nickname, "!reject")) {
224  add_status = RTR_REJECT;
225  } else if (!strcasecmp(nickname, "!badexit")) {
226  add_status = RTR_BADEXIT;
227  } else if (!strcasecmp(nickname, "!invalid")) {
228  add_status = RTR_INVALID;
229  }
230 
231  /* Check if fingerprint is RSA or ed25519 by verifying it. */
232  int ed25519_not_ok = -1, rsa_not_ok = -1;
233 
234  /* Attempt to add the RSA key. */
235  if (strlen(fingerprint) == HEX_DIGEST_LEN) {
236  rsa_not_ok = add_rsa_fingerprint_to_dir(fingerprint,
237  fingerprint_list_new,
238  add_status);
239  }
240 
241  /* Check ed25519 key. We check the size to prevent buffer overflows.
242  * If valid, attempt to add it, */
243  ed25519_public_key_t ed25519_pubkey_tmp;
244  if (strlen(fingerprint) == BASE64_DIGEST256_LEN) {
245  if (!digest256_from_base64((char *) ed25519_pubkey_tmp.pubkey,
246  fingerprint)) {
247  ed25519_not_ok = add_ed25519_to_dir(&ed25519_pubkey_tmp,
248  fingerprint_list_new, add_status);
249  }
250  }
251 
252  /* If both keys are invalid (or missing), log and skip. */
253  if (ed25519_not_ok && rsa_not_ok) {
254  log_warn(LD_CONFIG, "Invalid fingerprint (nickname '%s', "
255  "fingerprint %s). Skipping.", nickname, fingerprint);
256  continue;
257  }
258  }
259 
260  config_free_lines(front);
262  fingerprint_list = fingerprint_list_new;
263  /* Delete any routers whose fingerprints we no longer recognize */
265  return 0;
266 }
267 
268 /* If this is set, then we don't allow routers that have advertised an Ed25519
269  * identity to stop doing so. This is going to be essential for good identity
270  * security: otherwise anybody who can attack RSA-1024 but not Ed25519 could
271  * just sign fake descriptors missing the Ed25519 key. But we won't actually
272  * be able to prevent that kind of thing until we're confident that there isn't
273  * actually a legit reason to downgrade to 0.2.5. Now we are not recommending
274  * 0.2.5 anymore so there is no reason to keep the #undef.
275  */
276 
277 #define DISABLE_DISABLING_ED25519
278 
279 /** Check whether <b>router</b> has:
280  * - a nickname/identity key combination that we recognize from the fingerprint
281  * list,
282  * - an IP we automatically act on according to our configuration,
283  * - an appropriate version, and
284  * - matching pinned keys.
285  *
286  * Return the appropriate router status.
287  *
288  * If the status is 'RTR_REJECT' and <b>msg</b> is provided, set
289  * *<b>msg</b> to a string constant explaining why. */
290 uint32_t
291 dirserv_router_get_status(const routerinfo_t *router, const char **msg,
292  int severity)
293 {
294  char d[DIGEST_LEN];
295  const int key_pinning = dirauth_get_options()->AuthDirPinKeys;
296  uint32_t r;
297  ed25519_public_key_t *signing_key = NULL;
298 
299  if (crypto_pk_get_digest(router->identity_pkey, d)) {
300  log_warn(LD_BUG,"Error computing fingerprint");
301  if (msg)
302  *msg = "Bug: Error computing fingerprint";
303  return RTR_REJECT;
304  }
305 
306  /* First, check for the more common reasons to reject a router. */
307  if (router->cache_info.signing_key_cert) {
308  /* This has an ed25519 identity key. */
309  signing_key = &router->cache_info.signing_key_cert->signing_key;
310  }
311  r = dirserv_get_status_impl(d, signing_key, router->nickname,
312  &router->ipv4_addr, router->ipv4_orport,
313  router->platform, msg, severity);
314 
315  if (r)
316  return r;
317 
318  /* dirserv_get_status_impl already rejects versions older than 0.2.4.18-rc,
319  * and onion_curve25519_pkey was introduced in 0.2.4.8-alpha.
320  * But just in case a relay doesn't provide or lies about its version, or
321  * doesn't include an ntor key in its descriptor, check that it exists,
322  * and is non-zero (clients check that it's non-zero before using it). */
323  if (!routerinfo_has_curve25519_onion_key(router)) {
324  log_fn(severity, LD_DIR,
325  "Descriptor from router %s (platform %s) "
326  "is missing an ntor curve25519 onion key.",
327  router_describe(router), router->platform);
328  if (msg)
329  *msg = "Missing ntor curve25519 onion key. Please upgrade!";
330  return RTR_REJECT;
331  }
332 
333  if (router->cache_info.signing_key_cert) {
334  /* This has an ed25519 identity key. */
335  if (KEYPIN_MISMATCH ==
336  keypin_check((const uint8_t*)router->cache_info.identity_digest,
337  router->cache_info.signing_key_cert->signing_key.pubkey)) {
338  log_fn(severity, LD_DIR,
339  "Descriptor from router %s has an Ed25519 key, "
340  "but the <rsa,ed25519> keys don't match what they were before.",
341  router_describe(router));
342  if (key_pinning) {
343  if (msg) {
344  *msg = "Ed25519 identity key or RSA identity key has changed.";
345  }
346  return RTR_REJECT;
347  }
348  }
349  } else {
350  /* No ed25519 key */
351  if (KEYPIN_MISMATCH == keypin_check_lone_rsa(
352  (const uint8_t*)router->cache_info.identity_digest)) {
353  log_fn(severity, LD_DIR,
354  "Descriptor from router %s has no Ed25519 key, "
355  "when we previously knew an Ed25519 for it. Ignoring for now, "
356  "since Ed25519 keys are fairly new.",
357  router_describe(router));
358 #ifdef DISABLE_DISABLING_ED25519
359  if (key_pinning) {
360  if (msg) {
361  *msg = "Ed25519 identity key has disappeared.";
362  }
363  return RTR_REJECT;
364  }
365 #endif /* defined(DISABLE_DISABLING_ED25519) */
366  }
367  }
368 
369  return 0;
370 }
371 
372 /** Return true if there is no point in downloading the router described by
373  * <b>rs</b> because this directory would reject it. */
374 int
376  const vote_routerstatus_t *vrs)
377 {
378  uint32_t res;
379  struct ed25519_public_key_t pk;
380  memcpy(&pk.pubkey, vrs->ed25519_id, ED25519_PUBKEY_LEN);
381 
383  &rs->ipv4_addr, rs->ipv4_orport, NULL, NULL,
384  LOG_DEBUG);
385 
386  return (res & RTR_REJECT) != 0;
387 }
388 
389 /**
390  * Check whether the platform string in <b>platform</b> describes a platform
391  * that, as a directory authority, we want to reject. If it does, return
392  * true, and set *<b>msg</b> (if present) to a rejection message. Otherwise
393  * return false.
394  */
395 STATIC bool
396 dirserv_rejects_tor_version(const char *platform,
397  const char **msg)
398 {
399  if (!platform)
400  return false;
401 
402  static const char please_upgrade_string[] =
403  "Tor version is insecure or unsupported. Please upgrade!";
404 
405  /* Versions before Tor 0.3.5 are unsupported.
406  *
407  * Also, reject unstable versions of 0.3.5, since (as of this writing)
408  * they are almost none of the network. */
409  if (!tor_version_as_new_as(platform,"0.3.5.7")) {
410  if (msg)
411  *msg = please_upgrade_string;
412  return true;
413  }
414 
415  /* Series between Tor 0.3.6 and 0.4.1 inclusive are unsupported. Reject
416  * them. 0.3.6.0-alpha-dev only existed for a short time, before it was
417  * renamed to 0.4.0.0-alpha-dev. */
418  if (tor_version_as_new_as(platform,"0.3.6.0-alpha-dev") &&
419  !tor_version_as_new_as(platform,"0.4.2.1-alpha")) {
420  if (msg) {
421  *msg = please_upgrade_string;
422  }
423  return true;
424  }
425 
426  return false;
427 }
428 
429 /** Helper: As dirserv_router_get_status, but takes the router fingerprint
430  * (hex, no spaces), ed25519 key, nickname, address (used for logging only),
431  * IP address, OR port and platform (logging only) as arguments.
432  *
433  * Log messages at 'severity'. (There's not much point in
434  * logging that we're rejecting servers we'll not download.)
435  */
436 static uint32_t
437 dirserv_get_status_impl(const char *id_digest,
438  const ed25519_public_key_t *ed25519_public_key,
439  const char *nickname, const tor_addr_t *ipv4_addr,
440  uint16_t ipv4_orport, const char *platform,
441  const char **msg, int severity)
442 {
443  uint32_t result = 0;
444  rtr_flags_t *status_by_digest;
445 
446  if (!fingerprint_list)
448 
449  log_debug(LD_DIRSERV, "%d fingerprints, %d digests known.",
450  strmap_size(fingerprint_list->fp_by_name),
451  digestmap_size(fingerprint_list->status_by_digest));
452 
453  if (platform) {
454  tor_version_t ver_tmp;
455  if (tor_version_parse_platform(platform, &ver_tmp, 1) < 0) {
456  if (msg) {
457  *msg = "Malformed platform string.";
458  }
459  return RTR_REJECT;
460  }
461  }
462 
463  /* Check whether the version is obsolete, broken, insecure, etc... */
464  if (platform && dirserv_rejects_tor_version(platform, msg)) {
465  return RTR_REJECT;
466  }
467 
468  status_by_digest = digestmap_get(fingerprint_list->status_by_digest,
469  id_digest);
470  if (status_by_digest)
471  result |= *status_by_digest;
472 
473  if (ed25519_public_key) {
474  status_by_digest = digest256map_get(fingerprint_list->status_by_digest256,
475  ed25519_public_key->pubkey);
476  if (status_by_digest)
477  result |= *status_by_digest;
478  }
479 
480  if (result & RTR_REJECT) {
481  if (msg)
482  *msg = "Fingerprint and/or ed25519 identity is marked rejected -- if "
483  "you think this is a mistake please set a valid email address "
484  "in ContactInfo and send an email to "
485  "bad-relays@lists.torproject.org mentioning your fingerprint(s)?";
486  return RTR_REJECT;
487  } else if (result & RTR_INVALID) {
488  if (msg)
489  *msg = "Fingerprint and/or ed25519 identity is marked invalid";
490  }
491 
492  if (authdir_policy_badexit_address(ipv4_addr, ipv4_orport)) {
493  log_fn(severity, LD_DIRSERV,
494  "Marking '%s' as bad exit because of address '%s'",
495  nickname, fmt_addr(ipv4_addr));
496  result |= RTR_BADEXIT;
497  }
498 
499  if (!authdir_policy_permits_address(ipv4_addr, ipv4_orport)) {
500  log_fn(severity, LD_DIRSERV, "Rejecting '%s' because of address '%s'",
501  nickname, fmt_addr(ipv4_addr));
502  if (msg)
503  *msg = "Suspicious relay address range -- if you think this is a "
504  "mistake please set a valid email address in ContactInfo and "
505  "send an email to bad-relays@lists.torproject.org mentioning "
506  "your address(es) and fingerprint(s)?";
507  return RTR_REJECT;
508  }
509  if (!authdir_policy_valid_address(ipv4_addr, ipv4_orport)) {
510  log_fn(severity, LD_DIRSERV,
511  "Not marking '%s' valid because of address '%s'",
512  nickname, fmt_addr(ipv4_addr));
513  result |= RTR_INVALID;
514  }
515 
516  return result;
517 }
518 
519 /** Clear the current fingerprint list. */
520 void
522 {
523  if (!fingerprint_list)
524  return;
525 
526  strmap_free(fingerprint_list->fp_by_name, tor_free_);
527  digestmap_free(fingerprint_list->status_by_digest, tor_free_);
528  digest256map_free(fingerprint_list->status_by_digest256, tor_free_);
530 }
531 
532 /*
533  * Descriptor list
534  */
535 
536 /** Return -1 if <b>ri</b> has a private or otherwise bad address,
537  * unless we're configured to not care. Return 0 if all ok. */
538 STATIC int
540 {
541  if (get_options()->DirAllowPrivateAddresses)
542  return 0; /* whatever it is, we're fine with it */
543 
544  if (tor_addr_is_null(&ri->ipv4_addr) ||
545  tor_addr_is_internal(&ri->ipv4_addr, 0)) {
546  log_info(LD_DIRSERV,
547  "Router %s published internal IPv4 address. Refusing.",
548  router_describe(ri));
549  return -1; /* it's a private IP, we should reject it */
550  }
551 
552  /* We only check internal v6 on non-null addresses because we do not require
553  * IPv6 and null IPv6 is normal. */
554  if (!tor_addr_is_null(&ri->ipv6_addr) &&
555  tor_addr_is_internal(&ri->ipv6_addr, 0)) {
556  log_info(LD_DIRSERV,
557  "Router %s published internal IPv6 address. Refusing.",
558  router_describe(ri));
559  return -1; /* it's a private IP, we should reject it */
560  }
561 
562  return 0;
563 }
564 
565 /** Check whether we, as a directory server, want to accept <b>ri</b>. If so,
566  * set its is_valid,running fields and return 0. Otherwise, return -1.
567  *
568  * If the router is rejected, set *<b>msg</b> to a string constant explining
569  * why.
570  *
571  * If <b>complain</b> then explain at log-level 'notice' why we refused
572  * a descriptor; else explain at log-level 'info'.
573  */
574 int
576  int complain, int *valid_out)
577 {
578  /* Okay. Now check whether the fingerprint is recognized. */
579  time_t now;
580  int severity = (complain && ri->contact_info) ? LOG_NOTICE : LOG_INFO;
581  uint32_t status = dirserv_router_get_status(ri, msg, severity);
582  tor_assert(msg);
583  if (status & RTR_REJECT)
584  return -1; /* msg is already set. */
585 
586  /* Is there too much clock skew? */
587  now = time(NULL);
588  if (ri->cache_info.published_on > now+ROUTER_ALLOW_SKEW) {
589  log_fn(severity, LD_DIRSERV, "Publication time for %s is too "
590  "far (%d minutes) in the future; possible clock skew. Not adding "
591  "(%s)",
592  router_describe(ri),
593  (int)((ri->cache_info.published_on-now)/60),
594  esc_router_info(ri));
595  *msg = "Rejected: Your clock is set too far in the future, or your "
596  "timezone is not correct.";
597  return -1;
598  }
599  if (ri->cache_info.published_on < now-ROUTER_MAX_AGE_TO_PUBLISH) {
600  log_fn(severity, LD_DIRSERV,
601  "Publication time for %s is too far "
602  "(%d minutes) in the past. Not adding (%s)",
603  router_describe(ri),
604  (int)((now-ri->cache_info.published_on)/60),
605  esc_router_info(ri));
606  *msg = "Rejected: Server is expired, or your clock is too far in the past,"
607  " or your timezone is not correct.";
608  return -1;
609  }
610  if (dirserv_router_has_valid_address(ri) < 0) {
611  log_fn(severity, LD_DIRSERV,
612  "Router %s has invalid address. Not adding (%s).",
613  router_describe(ri),
614  esc_router_info(ri));
615  *msg = "Rejected: Address is a private address.";
616  return -1;
617  }
618 
619  *valid_out = ! (status & RTR_INVALID);
620 
621  return 0;
622 }
623 
624 /** Update the relevant flags of <b>node</b> based on our opinion as a
625  * directory authority in <b>authstatus</b>, as returned by
626  * dirserv_router_get_status or equivalent. */
627 void
629  uint32_t authstatus)
630 {
631  node->is_valid = (authstatus & RTR_INVALID) ? 0 : 1;
632  node->is_bad_exit = (authstatus & RTR_BADEXIT) ? 1 : 0;
633 }
634 
635 /** True iff <b>a</b> is more severe than <b>b</b>. */
636 static int
638 {
639  return a < b;
640 }
641 
642 /** As for dirserv_add_descriptor(), but accepts multiple documents, and
643  * returns the most severe error that occurred for any one of them. */
645 dirserv_add_multiple_descriptors(const char *desc, size_t desclen,
646  uint8_t purpose,
647  const char *source,
648  const char **msg)
649 {
650  was_router_added_t r, r_tmp;
651  const char *msg_out;
652  smartlist_t *list;
653  const char *s;
654  int n_parsed = 0;
655  time_t now = time(NULL);
656  char annotation_buf[ROUTER_ANNOTATION_BUF_LEN];
657  char time_buf[ISO_TIME_LEN+1];
658  int general = purpose == ROUTER_PURPOSE_GENERAL;
659  tor_assert(msg);
660 
661  r=ROUTER_ADDED_SUCCESSFULLY; /* Least severe return value. */
662 
663  if (!string_is_utf8_no_bom(desc, desclen)) {
664  *msg = "descriptor(s) or extrainfo(s) not valid UTF-8 or had BOM.";
665  return ROUTER_AUTHDIR_REJECTS;
666  }
667 
668  format_iso_time(time_buf, now);
669  if (tor_snprintf(annotation_buf, sizeof(annotation_buf),
670  "@uploaded-at %s\n"
671  "@source %s\n"
672  "%s%s%s", time_buf, escaped(source),
673  !general ? "@purpose " : "",
674  !general ? router_purpose_to_string(purpose) : "",
675  !general ? "\n" : "")<0) {
676  *msg = "Couldn't format annotations";
677  return ROUTER_AUTHDIR_BUG_ANNOTATIONS;
678  }
679 
680  s = desc;
681  list = smartlist_new();
682  if (!router_parse_list_from_string(&s, s+desclen, list, SAVED_NOWHERE, 0, 0,
683  annotation_buf, NULL)) {
684  SMARTLIST_FOREACH(list, routerinfo_t *, ri, {
685  msg_out = NULL;
686  tor_assert(ri->purpose == purpose);
687  r_tmp = dirserv_add_descriptor(ri, &msg_out, source);
688  if (WRA_MORE_SEVERE(r_tmp, r)) {
689  r = r_tmp;
690  *msg = msg_out;
691  }
692  });
693  }
694  n_parsed += smartlist_len(list);
695  smartlist_clear(list);
696 
697  s = desc;
698  if (!router_parse_list_from_string(&s, s+desclen, list, SAVED_NOWHERE, 1, 0,
699  NULL, NULL)) {
700  SMARTLIST_FOREACH(list, extrainfo_t *, ei, {
701  msg_out = NULL;
702 
703  r_tmp = dirserv_add_extrainfo(ei, &msg_out);
704  if (WRA_MORE_SEVERE(r_tmp, r)) {
705  r = r_tmp;
706  *msg = msg_out;
707  }
708  });
709  }
710  n_parsed += smartlist_len(list);
711  smartlist_free(list);
712 
713  if (! *msg) {
714  if (!n_parsed) {
715  *msg = "No descriptors found in your POST.";
716  if (WRA_WAS_ADDED(r))
717  r = ROUTER_IS_ALREADY_KNOWN;
718  } else {
719  *msg = "(no message)";
720  }
721  }
722 
723  return r;
724 }
725 
726 /** Examine the parsed server descriptor in <b>ri</b> and maybe insert it into
727  * the list of server descriptors. Set *<b>msg</b> to a message that should be
728  * passed back to the origin of this descriptor, or NULL if there is no such
729  * message. Use <b>source</b> to produce better log messages.
730  *
731  * If <b>ri</b> is not added to the list of server descriptors, free it.
732  * That means the caller must not access <b>ri</b> after this function
733  * returns, since it might have been freed.
734  *
735  * Return the status of the operation, and set *<b>msg</b> to a string
736  * constant describing the status.
737  *
738  * This function is only called when fresh descriptors are posted, not when
739  * we re-load the cache.
740  */
742 dirserv_add_descriptor(routerinfo_t *ri, const char **msg, const char *source)
743 {
745  routerinfo_t *ri_old;
746  char *desc, *nickname;
747  const size_t desclen = ri->cache_info.signed_descriptor_len +
748  ri->cache_info.annotations_len;
749  const int key_pinning = dirauth_get_options()->AuthDirPinKeys;
750  *msg = NULL;
751 
752  /* If it's too big, refuse it now. Otherwise we'll cache it all over the
753  * network and it'll clog everything up. */
754  if (ri->cache_info.signed_descriptor_len > MAX_DESCRIPTOR_UPLOAD_SIZE) {
755  log_notice(LD_DIR, "Somebody attempted to publish a router descriptor '%s'"
756  " (source: %s) with size %d. Either this is an attack, or the "
757  "MAX_DESCRIPTOR_UPLOAD_SIZE (%d) constant is too low.",
758  ri->nickname, source, (int)ri->cache_info.signed_descriptor_len,
760  *msg = "Router descriptor was too large.";
761  r = ROUTER_AUTHDIR_REJECTS;
762  goto fail;
763  }
764 
765  log_info(LD_DIR, "Assessing new descriptor: %s: %s",
766  ri->nickname, ri->platform);
767 
768  /* Check whether this descriptor is semantically identical to the last one
769  * from this server. (We do this here and not in router_add_to_routerlist
770  * because we want to be able to accept the newest router descriptor that
771  * another authority has, so we all converge on the same one.) */
772  ri_old = router_get_mutable_by_digest(ri->cache_info.identity_digest);
773  if (ri_old && ri_old->cache_info.published_on < ri->cache_info.published_on
774  && router_differences_are_cosmetic(ri_old, ri)
775  && !router_is_me(ri)) {
776  log_info(LD_DIRSERV,
777  "Not replacing descriptor from %s (source: %s); "
778  "differences are cosmetic.",
779  router_describe(ri), source);
780  *msg = "Not replacing router descriptor; no information has changed since "
781  "the last one with this identity.";
782  r = ROUTER_IS_ALREADY_KNOWN;
783  goto fail;
784  }
785 
786  /* Do keypinning again ... this time, to add the pin if appropriate */
787  int keypin_status;
788  if (ri->cache_info.signing_key_cert) {
789  ed25519_public_key_t *pkey = &ri->cache_info.signing_key_cert->signing_key;
790  /* First let's validate this pubkey before pinning it */
791  if (ed25519_validate_pubkey(pkey) < 0) {
792  log_warn(LD_DIRSERV, "Received bad key from %s (source %s)",
793  router_describe(ri), source);
794  routerinfo_free(ri);
795  return ROUTER_AUTHDIR_REJECTS;
796  }
797 
798  /* Now pin it! */
799  keypin_status = keypin_check_and_add(
800  (const uint8_t*)ri->cache_info.identity_digest,
801  pkey->pubkey, ! key_pinning);
802  } else {
803  keypin_status = keypin_check_lone_rsa(
804  (const uint8_t*)ri->cache_info.identity_digest);
805 #ifndef DISABLE_DISABLING_ED25519
806  if (keypin_status == KEYPIN_MISMATCH)
807  keypin_status = KEYPIN_NOT_FOUND;
808 #endif
809  }
810  if (keypin_status == KEYPIN_MISMATCH && key_pinning) {
811  log_info(LD_DIRSERV, "Dropping descriptor from %s (source: %s) because "
812  "its key did not match an older RSA/Ed25519 keypair",
813  router_describe(ri), source);
814  *msg = "Looks like your keypair has changed? This authority previously "
815  "recorded a different RSA identity for this Ed25519 identity (or vice "
816  "versa.) Did you replace or copy some of your key files, but not "
817  "the others? You should either restore the expected keypair, or "
818  "delete your keys and restart Tor to start your relay with a new "
819  "identity.";
820  r = ROUTER_AUTHDIR_REJECTS;
821  goto fail;
822  }
823 
824  /* Make a copy of desc, since router_add_to_routerlist might free
825  * ri and its associated signed_descriptor_t. */
826  desc = tor_strndup(ri->cache_info.signed_descriptor_body, desclen);
827  nickname = tor_strdup(ri->nickname);
828 
829  /* Tell if we're about to need to launch a test if we add this. */
832 
833  r = router_add_to_routerlist(ri, msg, 0, 0);
834  if (!WRA_WAS_ADDED(r)) {
835  /* unless the routerinfo was fine, just out-of-date */
836  log_info(LD_DIRSERV,
837  "Did not add descriptor from '%s' (source: %s): %s.",
838  nickname, source, *msg ? *msg : "(no message)");
839  } else {
840  smartlist_t *changed;
841 
842  changed = smartlist_new();
843  smartlist_add(changed, ri);
844  routerlist_descriptors_added(changed, 0);
845  smartlist_free(changed);
846  if (!*msg) {
847  *msg = "Descriptor accepted";
848  }
849  log_info(LD_DIRSERV,
850  "Added descriptor from '%s' (source: %s): %s.",
851  nickname, source, *msg);
852  }
853  tor_free(desc);
854  tor_free(nickname);
855  return r;
856  fail:
857  {
858  const char *desc_digest = ri->cache_info.signed_descriptor_digest;
859  download_status_t *dls =
861  if (dls) {
862  log_info(LD_GENERAL, "Marking router with descriptor %s as rejected, "
863  "and therefore undownloadable",
864  hex_str(desc_digest, DIGEST_LEN));
866  }
867  routerinfo_free(ri);
868  }
869  return r;
870 }
871 
872 /** As dirserv_add_descriptor, but for an extrainfo_t <b>ei</b>. */
873 static was_router_added_t
874 dirserv_add_extrainfo(extrainfo_t *ei, const char **msg)
875 {
876  routerinfo_t *ri;
877  int r;
879  tor_assert(msg);
880  *msg = NULL;
881 
882  /* Needs to be mutable so routerinfo_incompatible_with_extrainfo
883  * can mess with some of the flags in ri->cache_info. */
884  ri = router_get_mutable_by_digest(ei->cache_info.identity_digest);
885  if (!ri) {
886  *msg = "No corresponding router descriptor for extra-info descriptor";
887  rv = ROUTER_BAD_EI;
888  goto fail;
889  }
890 
891  /* If it's too big, refuse it now. Otherwise we'll cache it all over the
892  * network and it'll clog everything up. */
893  if (ei->cache_info.signed_descriptor_len > MAX_EXTRAINFO_UPLOAD_SIZE) {
894  log_notice(LD_DIR, "Somebody attempted to publish an extrainfo "
895  "with size %d. Either this is an attack, or the "
896  "MAX_EXTRAINFO_UPLOAD_SIZE (%d) constant is too low.",
897  (int)ei->cache_info.signed_descriptor_len,
899  *msg = "Extrainfo document was too large";
900  rv = ROUTER_BAD_EI;
901  goto fail;
902  }
903 
905  &ri->cache_info, msg))) {
906  if (r<0) {
907  extrainfo_free(ei);
908  return ROUTER_IS_ALREADY_KNOWN;
909  }
910  rv = ROUTER_BAD_EI;
911  goto fail;
912  }
913  router_add_extrainfo_to_routerlist(ei, msg, 0, 0);
914  return ROUTER_ADDED_SUCCESSFULLY;
915  fail:
916  {
917  const char *d = ei->cache_info.signed_descriptor_digest;
919  if (sd) {
920  log_info(LD_GENERAL, "Marking extrainfo with descriptor %s as "
921  "rejected, and therefore undownloadable",
922  hex_str((char*)d,DIGEST_LEN));
924  }
925  extrainfo_free(ei);
926  }
927  return rv;
928 }
929 
930 /** Remove all descriptors whose nicknames or fingerprints no longer
931  * are allowed by our fingerprint list. (Descriptors that used to be
932  * good can become bad when we reload the fingerprint list.)
933  */
934 static void
936 {
938  smartlist_t *nodes = smartlist_new();
940 
941  SMARTLIST_FOREACH_BEGIN(nodes, node_t *, node) {
942  const char *msg = NULL;
943  const char *description;
944  routerinfo_t *ent = node->ri;
945  uint32_t r;
946  if (!ent)
947  continue;
948  r = dirserv_router_get_status(ent, &msg, LOG_INFO);
949  description = router_describe(ent);
950  if (r & RTR_REJECT) {
951  log_info(LD_DIRSERV, "Router %s is now rejected: %s",
952  description, msg?msg:"");
953  routerlist_remove(rl, ent, 0, time(NULL));
954  continue;
955  }
956  if (bool_neq((r & RTR_INVALID), !node->is_valid)) {
957  log_info(LD_DIRSERV, "Router '%s' is now %svalid.", description,
958  (r&RTR_INVALID) ? "in" : "");
959  node->is_valid = (r&RTR_INVALID)?0:1;
960  }
961  if (bool_neq((r & RTR_BADEXIT), node->is_bad_exit)) {
962  log_info(LD_DIRSERV, "Router '%s' is now a %s exit", description,
963  (r & RTR_BADEXIT) ? "bad" : "good");
964  node->is_bad_exit = (r&RTR_BADEXIT) ? 1: 0;
965  }
966  } SMARTLIST_FOREACH_END(node);
967 
969  smartlist_free(nodes);
970 }
int tor_addr_is_null(const tor_addr_t *addr)
Definition: address.c:780
#define fmt_addr(a)
Definition: address.h:239
const char * hex_str(const char *from, size_t fromlen)
Definition: binascii.c:34
int base16_decode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:506
const or_options_t * get_options(void)
Definition: config.c:919
Header file for config.c.
int config_get_lines(const char *string, config_line_t **result, int extended)
Definition: confline.c:200
Header for confline.c.
#define BASE64_DIGEST256_LEN
Definition: crypto_digest.h:29
#define HEX_DIGEST_LEN
Definition: crypto_digest.h:35
int ed25519_validate_pubkey(const ed25519_public_key_t *pubkey)
const char * ed25519_fmt(const ed25519_public_key_t *pkey)
int digest256_from_base64(char *digest, const char *d64)
Header for crypto_format.c.
int crypto_pk_get_fingerprint(crypto_pk_t *pk, char *fp_out, int add_space)
Definition: crypto_rsa.c:229
int crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
Definition: crypto_rsa.c:356
#define FINGERPRINT_LEN
Definition: crypto_rsa.h:34
const char * router_describe(const routerinfo_t *ri)
Definition: describe.c:137
Header file for describe.c.
#define DIGEST_LEN
Definition: digest_sizes.h:20
Structure dirauth_options_t to hold directory authority options.
Header for dirauth_sys.c.
Header file for directory.c.
void download_status_mark_impossible(download_status_t *dl)
Definition: dlstatus.c:393
Header file for dlstatus.c.
const char * escaped(const char *s)
Definition: escape.c:126
A relay's extra-info structure.
#define RFTS_IGNORE_MISSING
Definition: files.h:101
int keypin_check_lone_rsa(const uint8_t *rsa_id_digest)
Definition: keypin.c:280
int keypin_check(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key)
Definition: keypin.c:153
int keypin_check_and_add(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key, const int replace_existing_entry)
Definition: keypin.c:140
Header for keypin.c.
#define log_fn(severity, domain, args,...)
Definition: log.h:283
#define LD_DIRSERV
Definition: log.h:90
#define LOG_DEBUG
Definition: log.h:42
#define LD_FS
Definition: log.h:70
#define LD_BUG
Definition: log.h:86
#define LD_GENERAL
Definition: log.h:62
#define LD_DIR
Definition: log.h:88
#define LOG_NOTICE
Definition: log.h:50
#define LD_CONFIG
Definition: log.h:68
#define LOG_INFO
Definition: log.h:45
#define bool_neq(a, b)
Definition: logic.h:18
void tor_free_(void *mem)
Definition: malloc.c:227
#define tor_free(p)
Definition: malloc.h:52
Header file for microdesc.c.
Microdescriptor structure.
download_status_t * router_get_dl_status_by_descriptor_digest(const char *d)
Header file for networkstatus.c.
Node information structure.
const smartlist_t * nodelist_get_list(void)
Definition: nodelist.c:1047
Header file for nodelist.c.
Master header file for Tor-specific functionality.
@ SAVED_NOWHERE
Definition: or.h:630
#define MAX_EXTRAINFO_UPLOAD_SIZE
Definition: or.h:130
#define ROUTER_ANNOTATION_BUF_LEN
Definition: or.h:684
#define MAX_DESCRIPTOR_UPLOAD_SIZE
Definition: or.h:127
#define ROUTER_MAX_AGE_TO_PUBLISH
Definition: or.h:161
int authdir_policy_badexit_address(const tor_addr_t *addr, uint16_t port)
Definition: policies.c:1115
int authdir_policy_permits_address(const tor_addr_t *addr, uint16_t port)
Definition: policies.c:1093
int authdir_policy_valid_address(const tor_addr_t *addr, uint16_t port)
Definition: policies.c:1104
Header file for policies.c.
int tor_snprintf(char *str, size_t size, const char *format,...)
Definition: printf.c:27
int dirserv_would_reject_router(const routerstatus_t *rs, const vote_routerstatus_t *vrs)
int dirserv_load_fingerprint_file(void)
STATIC bool dirserv_rejects_tor_version(const char *platform, const char **msg)
static was_router_added_t dirserv_add_extrainfo(extrainfo_t *ei, const char **msg)
#define ROUTER_ALLOW_SKEW
Definition: process_descs.c:51
was_router_added_t dirserv_add_descriptor(routerinfo_t *ri, const char **msg, const char *source)
void dirserv_set_node_flags_from_authoritative_status(node_t *node, uint32_t authstatus)
int dirserv_add_own_fingerprint(crypto_pk_t *pk, const ed25519_public_key_t *edkey)
was_router_added_t dirserv_add_multiple_descriptors(const char *desc, size_t desclen, uint8_t purpose, const char *source, const char **msg)
static authdir_config_t * fingerprint_list
Definition: process_descs.c:64
void dirserv_free_fingerprint_list(void)
uint32_t dirserv_router_get_status(const routerinfo_t *router, const char **msg, int severity)
STATIC int dirserv_router_has_valid_address(routerinfo_t *ri)
static int WRA_MORE_SEVERE(was_router_added_t a, was_router_added_t b)
static uint32_t dirserv_get_status_impl(const char *id_digest, const ed25519_public_key_t *ed25519_public_key, const char *nickname, const tor_addr_t *ipv4_addr, uint16_t ipv4_orport, const char *platform, const char **msg, int severity)
static authdir_config_t * authdir_config_new(void)
Definition: process_descs.c:68
int authdir_wants_to_reject_router(routerinfo_t *ri, const char **msg, int complain, int *valid_out)
static void directory_remove_invalid(void)
int add_ed25519_to_dir(const ed25519_public_key_t *edkey, authdir_config_t *list, rtr_flags_t add_status)
int add_rsa_fingerprint_to_dir(const char *fp, authdir_config_t *list, rtr_flags_t add_status)
Header file for process_descs.c.
uint32_t rtr_flags_t
Definition: process_descs.h:20
int dirserv_should_launch_reachability_test(const routerinfo_t *ri, const routerinfo_t *ri_old)
Definition: reachability.c:103
Header file for reachability.c.
int router_is_me(const routerinfo_t *router)
Definition: router.c:1768
Header file for router.c.
const char * router_purpose_to_string(uint8_t p)
Definition: routerinfo.c:98
Header file for routerinfo.c.
Router descriptor structure.
#define ROUTER_PURPOSE_GENERAL
Definition: routerinfo_st.h:98
void routerlist_assert_ok(const routerlist_t *rl)
Definition: routerlist.c:3155
routerinfo_t * router_get_mutable_by_digest(const char *digest)
Definition: routerlist.c:762
int routerinfo_incompatible_with_extrainfo(const crypto_pk_t *identity_pkey, extrainfo_t *ei, signed_descriptor_t *sd, const char **msg)
Definition: routerlist.c:3018
void routerlist_remove(routerlist_t *rl, routerinfo_t *ri, int make_old, time_t now)
Definition: routerlist.c:1275
routerlist_t * router_get_routerlist(void)
Definition: routerlist.c:895
was_router_added_t router_add_extrainfo_to_routerlist(extrainfo_t *ei, const char **msg, int from_cache, int from_fetch)
Definition: routerlist.c:1749
was_router_added_t router_add_to_routerlist(routerinfo_t *router, const char **msg, int from_cache, int from_fetch)
Definition: routerlist.c:1573
int router_differences_are_cosmetic(const routerinfo_t *r1, const routerinfo_t *r2)
Definition: routerlist.c:2922
void routerlist_descriptors_added(smartlist_t *sl, int from_cache)
Definition: routerlist.c:2018
signed_descriptor_t * router_get_by_extrainfo_digest(const char *digest)
Definition: routerlist.c:797
const char * esc_router_info(const routerinfo_t *router)
Definition: routerlist.c:3243
Header file for routerlist.c.
static int WRA_WAS_ADDED(was_router_added_t s)
Definition: routerlist.h:106
was_router_added_t
Definition: routerlist.h:17
int router_parse_list_from_string(const char **s, const char *eos, smartlist_t *dest, saved_location_t saved_location, int want_extrainfo, int allow_annotations, const char *prepend_annotations, smartlist_t *invalid_digests_out)
Definition: routerparse.c:249
Header file for routerparse.c.
Routerstatus (consensus entry) structure.
void smartlist_add_all(smartlist_t *s1, const smartlist_t *s2)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
digest256map_t * status_by_digest256
Definition: process_descs.h:37
strmap_t * fp_by_name
Definition: process_descs.h:35
digestmap_t * status_by_digest
Definition: process_descs.h:36
Definition: node_st.h:34
unsigned int is_bad_exit
Definition: node_st.h:71
unsigned int is_valid
Definition: node_st.h:65
char * platform
Definition: routerinfo_st.h:48
tor_addr_t ipv6_addr
Definition: routerinfo_st.h:30
tor_addr_t ipv4_addr
Definition: routerinfo_st.h:25
crypto_pk_t * identity_pkey
Definition: routerinfo_st.h:41
unsigned int needs_retest_if_added
Definition: routerinfo_st.h:81
char * contact_info
Definition: routerinfo_st.h:67
char * nickname
Definition: routerinfo_st.h:22
char identity_digest[DIGEST_LEN]
char nickname[MAX_NICKNAME_LEN+1]
uint16_t ipv4_orport
char signed_descriptor_digest[DIGEST_LEN]
char identity_digest[DIGEST_LEN]
download_status_t ei_dl_status
struct tor_cert_st * signing_key_cert
uint8_t ed25519_id[ED25519_PUBKEY_LEN]
#define STATIC
Definition: testsupport.h:32
void format_iso_time(char *buf, time_t t)
Definition: time_fmt.c:295
Parsed Tor version structure.
Header for torcert.c.
#define tor_assert(expr)
Definition: util_bug.h:102
int string_is_utf8_no_bom(const char *str, size_t len)
Definition: util_string.c:557
void tor_strstrip(char *s, const char *strip)
Definition: util_string.c:111
int tor_version_as_new_as(const char *platform, const char *cutoff)
Definition: versions.c:171
int tor_version_parse_platform(const char *platform, tor_version_t *router_version, int strict)
Definition: versions.c:127
Header file for versions.c.
Routerstatus (vote entry) structure.
#define ED25519_PUBKEY_LEN
Definition: x25519_sizes.h:27