tor  0.4.0.0-alpha-dev
router.c
Go to the documentation of this file.
1 /* Copyright (c) 2001 Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2018, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
7 #define ROUTER_PRIVATE
8 
9 #include "core/or/or.h"
10 #include "app/config/config.h"
11 #include "app/config/statefile.h"
12 #include "app/main/main.h"
14 #include "core/mainloop/mainloop.h"
15 #include "core/mainloop/netstatus.h"
16 #include "core/or/policies.h"
17 #include "core/or/protover.h"
28 #include "feature/keymgt/loadkey.h"
36 #include "feature/nodelist/torcert.h"
37 #include "feature/relay/dns.h"
38 #include "feature/relay/router.h"
39 #include "feature/relay/routerkeys.h"
41 #include "feature/relay/selftest.h"
42 #include "lib/geoip/geoip.h"
44 #include "feature/stats/rephist.h"
50 #include "lib/encoding/confline.h"
51 #include "lib/osinfo/uname.h"
52 #include "lib/tls/tortls.h"
53 #include "lib/version/torversion.h"
54 
56 
57 #include "app/config/or_state_st.h"
58 #include "core/or/port_cfg_st.h"
59 #include "feature/dirclient/dir_server_st.h"
60 #include "feature/dircommon/dir_connection_st.h"
61 #include "feature/nodelist/authority_cert_st.h"
62 #include "feature/nodelist/extrainfo_st.h"
63 #include "feature/nodelist/networkstatus_st.h"
64 #include "feature/nodelist/node_st.h"
65 #include "feature/nodelist/routerinfo_st.h"
66 #include "feature/nodelist/routerstatus_st.h"
67 
89 /************************************************************/
90 
91 /*****
92  * Key management: ORs only.
93  *****/
94 
97 static tor_mutex_t *key_lock=NULL;
98 static time_t onionkey_set_at=0;
100 static crypto_pk_t *onionkey=NULL;
123 
130 
131 /* (Note that v3 authorities also have a separate "authority identity key",
132  * but this key is never actually loaded by the Tor process. Instead, it's
133  * used by tor-gencert to sign new signing keys and make new key
134  * certificates. */
135 
139 const char *
141 {
142  switch (err) {
143  case TOR_ROUTERINFO_ERROR_NO_EXT_ADDR:
144  return "No known exit address yet";
145  case TOR_ROUTERINFO_ERROR_CANNOT_PARSE:
146  return "Cannot parse descriptor";
147  case TOR_ROUTERINFO_ERROR_NOT_A_SERVER:
148  return "Not running in server mode";
149  case TOR_ROUTERINFO_ERROR_DIGEST_FAILED:
150  return "Key digest failed";
151  case TOR_ROUTERINFO_ERROR_CANNOT_GENERATE:
152  return "Cannot generate descriptor";
153  case TOR_ROUTERINFO_ERROR_DESC_REBUILDING:
154  return "Descriptor still rebuilding - not ready yet";
155  }
156 
157  log_warn(LD_BUG, "unknown routerinfo error %d - shouldn't happen", err);
158  tor_assert_unreached();
159 
160  return "Unknown error";
161 }
162 
166 int
168 {
174  return err != TOR_ROUTERINFO_ERROR_NOT_A_SERVER;
175 }
176 
180 static void
182 {
183  if (onionkey && crypto_pk_eq_keys(onionkey, k)) {
184  /* k is already our onion key; free it and return */
185  crypto_pk_free(k);
186  return;
187  }
189  crypto_pk_free(onionkey);
190  onionkey = k;
192  mark_my_descriptor_dirty("set onion key");
193 }
194 
197 crypto_pk_t *
199 {
201  return onionkey;
202 }
203 
208 void
210 {
211  tor_assert(key);
212  tor_assert(last);
214  if (onionkey)
216  else
217  *key = NULL;
218  if (lastonionkey)
220  else
221  *last = NULL;
223 }
224 
232 void
234 {
235  char *fname = NULL;
236 
238 
239  /* Free lastonionkey and set it to NULL. */
240  if (lastonionkey) {
241  crypto_pk_free(lastonionkey);
242  lastonionkey = NULL;
243  }
244 
245  /* We zero out the keypair. See the tor_mem_is_zero() check made in
246  * construct_ntor_key_map() below. */
248 
250 
251  fname = get_keydir_fname("secret_onion_key.old");
252  if (file_status(fname) == FN_FILE) {
253  if (tor_unlink(fname) != 0) {
254  log_warn(LD_FS, "Couldn't unlink old onion key file %s: %s",
255  fname, strerror(errno));
256  }
257  }
258  tor_free(fname);
259 
260  fname = get_keydir_fname("secret_onion_key_ntor.old");
261  if (file_status(fname) == FN_FILE) {
262  if (tor_unlink(fname) != 0) {
263  log_warn(LD_FS, "Couldn't unlink old ntor onion key file %s: %s",
264  fname, strerror(errno));
265  }
266  }
267  tor_free(fname);
268 }
269 
272 static const curve25519_keypair_t *
274 {
275  return &curve25519_onion_key;
276 }
281 {
282  di_digest256_map_t *m = NULL;
283 
284  if (!tor_mem_is_zero((const char*)
285  curve25519_onion_key.pubkey.public_key,
287  dimap_add_entry(&m,
288  curve25519_onion_key.pubkey.public_key,
289  tor_memdup(&curve25519_onion_key,
290  sizeof(curve25519_keypair_t)));
291  }
292  if (!tor_mem_is_zero((const char*)
293  last_curve25519_onion_key.pubkey.public_key,
295  dimap_add_entry(&m,
296  last_curve25519_onion_key.pubkey.public_key,
297  tor_memdup(&last_curve25519_onion_key,
298  sizeof(curve25519_keypair_t)));
299  }
300 
301  return m;
302 }
305 static void
307 {
308  curve25519_keypair_t *k = arg;
309  memwipe(k, 0, sizeof(*k));
310  tor_free(k);
311 }
313 void
315 {
316  if (!map)
317  return;
318  dimap_free(map, ntor_key_map_free_helper);
319 }
320 
325 time_t
327 {
328  return onionkey_set_at;
329 }
330 
333 void
335 {
336  crypto_pk_free(server_identitykey);
337  server_identitykey = k;
340  log_err(LD_BUG, "Couldn't compute our own identity key digest.");
341  tor_assert(0);
342  }
343 }
344 
345 #ifdef TOR_UNIT_TESTS
346 
348 void
349 set_server_identity_key_digest_testing(const uint8_t *digest)
350 {
351  memcpy(server_identitykey_digest, digest, DIGEST_LEN);
352 }
353 #endif
354 
357 static void
359 {
360  if (1)
361  return;
363  if (public_server_mode(get_options())) {
364  /* assert that we have set the client and server keys to be equal */
367  } else {
368  /* assert that we have set the client and server keys to be unequal */
369  if (server_identitykey)
371  }
372 }
373 
377 crypto_pk_t *
379 {
381  tor_assert(server_mode(get_options()));
383  return server_identitykey;
384 }
385 
388 int
390 {
391  return server_mode(get_options()) && server_identitykey != NULL;
392 }
393 
396 void
398 {
399  crypto_pk_free(client_identitykey);
400  client_identitykey = k;
401 }
402 
406 crypto_pk_t *
408 {
411  return client_identitykey;
412 }
413 
415 int
417 {
418  return client_identitykey != NULL;
419 }
420 
424 get_my_v3_authority_cert, (void))
425 {
427 }
428 
431 crypto_pk_t *
433 {
434  return authority_signing_key;
435 }
436 
442 {
443  return legacy_key_certificate;
444 }
445 
448 crypto_pk_t *
450 {
451  return legacy_signing_key;
452 }
453 
461 void
463 {
464  char *fname, *fname_prev;
465  crypto_pk_t *prkey = NULL;
466  or_state_t *state = get_or_state();
467  curve25519_keypair_t new_curve25519_keypair;
468  time_t now;
469  fname = get_keydir_fname("secret_onion_key");
470  fname_prev = get_keydir_fname("secret_onion_key.old");
471  /* There isn't much point replacing an old key with an empty file */
472  if (file_status(fname) == FN_FILE) {
473  if (replace_file(fname, fname_prev))
474  goto error;
475  }
476  if (!(prkey = crypto_pk_new())) {
477  log_err(LD_GENERAL,"Error constructing rotated onion key");
478  goto error;
479  }
480  if (crypto_pk_generate_key(prkey)) {
481  log_err(LD_BUG,"Error generating onion key");
482  goto error;
483  }
484  if (crypto_pk_write_private_key_to_filename(prkey, fname)) {
485  log_err(LD_FS,"Couldn't write generated onion key to \"%s\".", fname);
486  goto error;
487  }
488  tor_free(fname);
489  tor_free(fname_prev);
490  fname = get_keydir_fname("secret_onion_key_ntor");
491  fname_prev = get_keydir_fname("secret_onion_key_ntor.old");
492  if (curve25519_keypair_generate(&new_curve25519_keypair, 1) < 0)
493  goto error;
494  /* There isn't much point replacing an old key with an empty file */
495  if (file_status(fname) == FN_FILE) {
496  if (replace_file(fname, fname_prev))
497  goto error;
498  }
499  if (curve25519_keypair_write_to_file(&new_curve25519_keypair, fname,
500  "onion") < 0) {
501  log_err(LD_FS,"Couldn't write curve25519 onion key to \"%s\".",fname);
502  goto error;
503  }
504  log_info(LD_GENERAL, "Rotating onion key");
506  crypto_pk_free(lastonionkey);
508  onionkey = prkey;
510  sizeof(curve25519_keypair_t));
511  memcpy(&curve25519_onion_key, &new_curve25519_keypair,
512  sizeof(curve25519_keypair_t));
513  now = time(NULL);
514  state->LastRotatedOnionKey = onionkey_set_at = now;
516  mark_my_descriptor_dirty("rotated onion key");
517  or_state_mark_dirty(state, get_options()->AvoidDiskWrites ? now+3600 : 0);
518  goto done;
519  error:
520  log_warn(LD_GENERAL, "Couldn't rotate onion key.");
521  if (prkey)
522  crypto_pk_free(prkey);
523  done:
524  memwipe(&new_curve25519_keypair, 0, sizeof(new_curve25519_keypair));
525  tor_free(fname);
526  tor_free(fname_prev);
527 }
528 
532 static void
534 {
535  static int already_logged = 0;
536 
537  if (already_logged)
538  return;
539 
540  tor_log(LOG_NOTICE, LD_GENERAL, "You are running a new relay. "
541  "Thanks for helping the Tor network! If you wish to know "
542  "what will happen in the upcoming weeks regarding its usage, "
543  "have a look at https://blog.torproject.org/blog/lifecycle-of"
544  "-a-new-relay");
545 
546  already_logged = 1;
547 }
548 
554 static int
556  const char *fname,
557  int generate,
558  int severity,
559  const char *tag)
560 {
561  switch (file_status(fname)) {
562  case FN_DIR:
563  case FN_ERROR:
564  tor_log(severity, LD_FS,"Can't read key from \"%s\"", fname);
565  goto error;
566  /* treat empty key files as if the file doesn't exist, and, if generate
567  * is set, replace the empty file in curve25519_keypair_write_to_file() */
568  case FN_NOENT:
569  case FN_EMPTY:
570  if (generate) {
571  if (!have_lockfile()) {
572  if (try_locking(get_options(), 0)<0) {
573  /* Make sure that --list-fingerprint only creates new keys
574  * if there is no possibility for a deadlock. */
575  tor_log(severity, LD_FS, "Another Tor process has locked \"%s\". "
576  "Not writing any new keys.", fname);
577  /*XXXX The 'other process' might make a key in a second or two;
578  * maybe we should wait for it. */
579  goto error;
580  }
581  }
582  log_info(LD_GENERAL, "No key found in \"%s\"; generating fresh key.",
583  fname);
584  if (curve25519_keypair_generate(keys_out, 1) < 0)
585  goto error;
586  if (curve25519_keypair_write_to_file(keys_out, fname, tag)<0) {
587  tor_log(severity, LD_FS,
588  "Couldn't write generated key to \"%s\".", fname);
589  memwipe(keys_out, 0, sizeof(*keys_out));
590  goto error;
591  }
592  } else {
593  log_info(LD_GENERAL, "No key found in \"%s\"", fname);
594  }
595  return 0;
596  case FN_FILE:
597  {
598  char *tag_in=NULL;
599  if (curve25519_keypair_read_from_file(keys_out, &tag_in, fname) < 0) {
600  tor_log(severity, LD_GENERAL,"Error loading private key.");
601  tor_free(tag_in);
602  goto error;
603  }
604  if (!tag_in || strcmp(tag_in, tag)) {
605  tor_log(severity, LD_GENERAL,"Unexpected tag %s on private key.",
606  escaped(tag_in));
607  tor_free(tag_in);
608  goto error;
609  }
610  tor_free(tag_in);
611  return 0;
612  }
613  default:
614  tor_assert(0);
615  }
616 
617  error:
618  return -1;
619 }
620 
626 static int
627 load_authority_keyset(int legacy, crypto_pk_t **key_out,
628  authority_cert_t **cert_out)
629 {
630  int r = -1;
631  char *fname = NULL, *cert = NULL;
632  const char *eos = NULL;
633  crypto_pk_t *signing_key = NULL;
634  authority_cert_t *parsed = NULL;
635 
636  fname = get_keydir_fname(
637  legacy ? "legacy_signing_key" : "authority_signing_key");
638  signing_key = init_key_from_file(fname, 0, LOG_ERR, NULL);
639  if (!signing_key) {
640  log_warn(LD_DIR, "No version 3 directory key found in %s", fname);
641  goto done;
642  }
643  tor_free(fname);
644  fname = get_keydir_fname(
645  legacy ? "legacy_certificate" : "authority_certificate");
646  cert = read_file_to_str(fname, 0, NULL);
647  if (!cert) {
648  log_warn(LD_DIR, "Signing key found, but no certificate found in %s",
649  fname);
650  goto done;
651  }
652  parsed = authority_cert_parse_from_string(cert, strlen(cert), &eos);
653  if (!parsed) {
654  log_warn(LD_DIR, "Unable to parse certificate in %s", fname);
655  goto done;
656  }
657  if (!crypto_pk_eq_keys(signing_key, parsed->signing_key)) {
658  log_warn(LD_DIR, "Stored signing key does not match signing key in "
659  "certificate");
660  goto done;
661  }
662 
663  crypto_pk_free(*key_out);
664  authority_cert_free(*cert_out);
665 
666  *key_out = signing_key;
667  *cert_out = parsed;
668  r = 0;
669  signing_key = NULL;
670  parsed = NULL;
671 
672  done:
673  tor_free(fname);
674  tor_free(cert);
675  crypto_pk_free(signing_key);
676  authority_cert_free(parsed);
677  return r;
678 }
679 
683 static int
685 {
688  return -1;
689 
690  if (get_options()->V3AuthUseLegacyKey &&
693  return -1;
694 
695  return 0;
696 }
697 
700 void
702 {
703  time_t now, expires;
704  static time_t last_warned = 0;
705  int badness, time_left, warn_interval;
706  if (!authdir_mode_v3(get_options()) || !authority_key_certificate)
707  return;
708 
709  now = time(NULL);
711  time_left = (int)( expires - now );
712  if (time_left <= 0) {
713  badness = LOG_ERR;
714  warn_interval = 60*60;
715  } else if (time_left <= 24*60*60) {
716  badness = LOG_WARN;
717  warn_interval = 60*60;
718  } else if (time_left <= 24*60*60*7) {
719  badness = LOG_WARN;
720  warn_interval = 24*60*60;
721  } else if (time_left <= 24*60*60*30) {
722  badness = LOG_WARN;
723  warn_interval = 24*60*60*5;
724  } else {
725  return;
726  }
727 
728  if (last_warned + warn_interval > now)
729  return;
730 
731  if (time_left <= 0) {
732  tor_log(badness, LD_DIR, "Your v3 authority certificate has expired."
733  " Generate a new one NOW.");
734  } else if (time_left <= 24*60*60) {
735  tor_log(badness, LD_DIR, "Your v3 authority certificate expires in %d "
736  "hours; Generate a new one NOW.", time_left/(60*60));
737  } else {
738  tor_log(badness, LD_DIR, "Your v3 authority certificate expires in %d "
739  "days; Generate a new one soon.", time_left/(24*60*60));
740  }
741  last_warned = now;
742 }
743 
749 static int
751 {
752  return networkstatus_get_param(NULL,
753  "onion-key-rotation-days",
757 }
758 
763 int
765 {
766  return get_onion_key_rotation_days_()*24*60*60;
767 }
768 
773 int
775 {
776  int grace_period;
777  grace_period = networkstatus_get_param(NULL,
778  "onion-key-grace-period-days",
782  return grace_period*24*60*60;
783 }
784 
787 int
789 {
790  unsigned int flags = 0;
791  const or_options_t *options = get_options();
792  int lifetime = options->SSLKeyLifetime;
793  if (public_server_mode(options))
794  flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER;
795  if (!lifetime) { /* we should guess a good ssl cert lifetime */
796 
797  /* choose between 5 and 365 days, and round to the day */
798  unsigned int five_days = 5*24*3600;
799  unsigned int one_year = 365*24*3600;
800  lifetime = crypto_rand_int_range(five_days, one_year);
801  lifetime -= lifetime % (24*3600);
802 
803  if (crypto_rand_int(2)) {
804  /* Half the time we expire at midnight, and half the time we expire
805  * one second before midnight. (Some CAs wobble their expiry times a
806  * bit in practice, perhaps to reduce collision attacks; see ticket
807  * 8443 for details about observed certs in the wild.) */
808  lifetime--;
809  }
810  }
811 
812  /* It's ok to pass lifetime in as an unsigned int, since
813  * config_parse_interval() checked it. */
814  return tor_tls_context_init(flags,
816  server_mode(options) ?
817  get_server_identity_key() : NULL,
818  (unsigned int)lifetime);
819 }
820 
825 STATIC int
827 {
828  char *keydir = NULL, *cp = NULL;
829  const char *fname = hashed ? "hashed-fingerprint" :
830  "fingerprint";
831  char fingerprint[FINGERPRINT_LEN+1];
832  const or_options_t *options = get_options();
833  char *fingerprint_line = NULL;
834  int result = -1;
835 
836  keydir = get_datadir_fname(fname);
837  log_info(LD_GENERAL,"Dumping %sfingerprint to \"%s\"...",
838  hashed ? "hashed " : "", keydir);
839  if (!hashed) {
841  fingerprint, 0) < 0) {
842  log_err(LD_GENERAL,"Error computing fingerprint");
843  goto done;
844  }
845  } else {
847  fingerprint) < 0) {
848  log_err(LD_GENERAL,"Error computing hashed fingerprint");
849  goto done;
850  }
851  }
852 
853  tor_asprintf(&fingerprint_line, "%s %s\n", options->Nickname, fingerprint);
854 
855  /* Check whether we need to write the (hashed-)fingerprint file. */
856 
857  cp = read_file_to_str(keydir, RFTS_IGNORE_MISSING, NULL);
858  if (!cp || strcmp(cp, fingerprint_line)) {
859  if (write_str_to_file(keydir, fingerprint_line, 0)) {
860  log_err(LD_FS, "Error writing %sfingerprint line to file",
861  hashed ? "hashed " : "");
862  goto done;
863  }
864  }
865 
866  log_notice(LD_GENERAL, "Your Tor %s identity key fingerprint is '%s %s'",
867  hashed ? "bridge's hashed" : "server's", options->Nickname,
868  fingerprint);
869 
870  result = 0;
871  done:
872  tor_free(cp);
873  tor_free(keydir);
874  tor_free(fingerprint_line);
875  return result;
876 }
877 
878 static int
879 init_keys_common(void)
880 {
881  if (!key_lock)
883 
884  /* There are a couple of paths that put us here before we've asked
885  * openssl to initialize itself. */
886  if (crypto_global_init(get_options()->HardwareAccel,
887  get_options()->AccelName,
888  get_options()->AccelDir)) {
889  log_err(LD_BUG, "Unable to initialize OpenSSL. Exiting.");
890  return -1;
891  }
892 
893  return 0;
894 }
895 
896 int
897 init_keys_client(void)
898 {
899  crypto_pk_t *prkey;
900  if (init_keys_common() < 0)
901  return -1;
902 
903  if (!(prkey = crypto_pk_new()))
904  return -1;
905  if (crypto_pk_generate_key(prkey)) {
906  crypto_pk_free(prkey);
907  return -1;
908  }
910  /* Create a TLS context. */
911  if (router_initialize_tls_context() < 0) {
912  log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
913  return -1;
914  }
915  return 0;
916 }
917 
922 int
924 {
925  char *keydir;
926  const char *mydesc;
927  crypto_pk_t *prkey;
928  char digest[DIGEST_LEN];
929  char v3_digest[DIGEST_LEN];
930  const or_options_t *options = get_options();
931  dirinfo_type_t type;
932  time_t now = time(NULL);
933  dir_server_t *ds;
934  int v3_digest_set = 0;
935  authority_cert_t *cert = NULL;
936 
937  /* OP's don't need persistent keys; just make up an identity and
938  * initialize the TLS context. */
939  if (!server_mode(options)) {
940  return init_keys_client();
941  }
942  if (init_keys_common() < 0)
943  return -1;
944 
945  if (create_keys_directory(options) < 0)
946  return -1;
947 
948  /* 1a. Read v3 directory authority key/cert information. */
949  memset(v3_digest, 0, sizeof(v3_digest));
950  if (authdir_mode_v3(options)) {
951  if (init_v3_authority_keys()<0) {
952  log_err(LD_GENERAL, "We're configured as a V3 authority, but we "
953  "were unable to load our v3 authority keys and certificate! "
954  "Use tor-gencert to generate them. Dying.");
955  return -1;
956  }
957  cert = get_my_v3_authority_cert();
958  if (cert) {
959  if (crypto_pk_get_digest(get_my_v3_authority_cert()->identity_key,
960  v3_digest) < 0) {
961  log_err(LD_BUG, "Couldn't compute my v3 authority identity key "
962  "digest.");
963  return -1;
964  }
965  v3_digest_set = 1;
966  }
967  }
968 
969  /* 1b. Read identity key. Make it if none is found. */
970  keydir = get_keydir_fname("secret_id_key");
971  log_info(LD_GENERAL,"Reading/making identity key \"%s\"...",keydir);
972  bool created = false;
973  prkey = init_key_from_file(keydir, 1, LOG_ERR, &created);
974  tor_free(keydir);
975  if (!prkey) return -1;
976  if (created)
979 
980  /* 1c. If we are configured as a bridge, generate a client key;
981  * otherwise, set the server identity key as our client identity
982  * key. */
983  if (public_server_mode(options)) {
984  set_client_identity_key(crypto_pk_dup_key(prkey)); /* set above */
985  } else {
986  if (!(prkey = crypto_pk_new()))
987  return -1;
988  if (crypto_pk_generate_key(prkey)) {
989  crypto_pk_free(prkey);
990  return -1;
991  }
993  }
994 
995  /* 1d. Load all ed25519 keys */
996  const int new_signing_key = load_ed_keys(options,now);
997  if (new_signing_key < 0)
998  return -1;
999 
1000  /* 2. Read onion key. Make it if none is found. */
1001  keydir = get_keydir_fname("secret_onion_key");
1002  log_info(LD_GENERAL,"Reading/making onion key \"%s\"...",keydir);
1003  prkey = init_key_from_file(keydir, 1, LOG_ERR, &created);
1004  if (created)
1006  tor_free(keydir);
1007  if (!prkey) return -1;
1008  set_onion_key(prkey);
1009  if (options->command == CMD_RUN_TOR) {
1010  /* only mess with the state file if we're actually running Tor */
1011  or_state_t *state = get_or_state();
1012  if (state->LastRotatedOnionKey > 100 && state->LastRotatedOnionKey < now) {
1013  /* We allow for some parsing slop, but we don't want to risk accepting
1014  * values in the distant future. If we did, we might never rotate the
1015  * onion key. */
1017  } else {
1018  /* We have no LastRotatedOnionKey set; either we just created the key
1019  * or it's a holdover from 0.1.2.4-alpha-dev or earlier. In either case,
1020  * start the clock ticking now so that we will eventually rotate it even
1021  * if we don't stay up for the full lifetime of an onion key. */
1022  state->LastRotatedOnionKey = onionkey_set_at = now;
1023  or_state_mark_dirty(state, options->AvoidDiskWrites ?
1024  time(NULL)+3600 : 0);
1025  }
1026  }
1027 
1028  keydir = get_keydir_fname("secret_onion_key.old");
1029  if (!lastonionkey && file_status(keydir) == FN_FILE) {
1030  /* Load keys from non-empty files only.
1031  * Missing old keys won't be replaced with freshly generated keys. */
1032  prkey = init_key_from_file(keydir, 0, LOG_ERR, 0);
1033  if (prkey)
1034  lastonionkey = prkey;
1035  }
1036  tor_free(keydir);
1037 
1038  {
1039  /* 2b. Load curve25519 onion keys. */
1040  int r;
1041  keydir = get_keydir_fname("secret_onion_key_ntor");
1043  keydir, 1, LOG_ERR, "onion");
1044  tor_free(keydir);
1045  if (r<0)
1046  return -1;
1047 
1048  keydir = get_keydir_fname("secret_onion_key_ntor.old");
1049  if (tor_mem_is_zero((const char *)
1050  last_curve25519_onion_key.pubkey.public_key,
1052  file_status(keydir) == FN_FILE) {
1053  /* Load keys from non-empty files only.
1054  * Missing old keys won't be replaced with freshly generated keys. */
1056  keydir, 0, LOG_ERR, "onion");
1057  }
1058  tor_free(keydir);
1059  }
1060 
1061  /* 3. Initialize link key and TLS context. */
1062  if (router_initialize_tls_context() < 0) {
1063  log_err(LD_GENERAL,"Error initializing TLS context");
1064  return -1;
1065  }
1066 
1067  /* 3b. Get an ed25519 link certificate. Note that we need to do this
1068  * after we set up the TLS context */
1069  if (generate_ed_link_cert(options, now, new_signing_key > 0) < 0) {
1070  log_err(LD_GENERAL,"Couldn't make link cert");
1071  return -1;
1072  }
1073 
1074  /* 4. Build our router descriptor. */
1075  /* Must be called after keys are initialized. */
1076  mydesc = router_get_my_descriptor();
1077  if (authdir_mode_v3(options)) {
1078  const char *m = NULL;
1079  routerinfo_t *ri;
1080  /* We need to add our own fingerprint so it gets recognized. */
1082  log_err(LD_GENERAL,"Error adding own fingerprint to set of relays");
1083  return -1;
1084  }
1085  if (mydesc) {
1086  was_router_added_t added;
1087  ri = router_parse_entry_from_string(mydesc, NULL, 1, 0, NULL, NULL);
1088  if (!ri) {
1089  log_err(LD_GENERAL,"Generated a routerinfo we couldn't parse.");
1090  return -1;
1091  }
1092  added = dirserv_add_descriptor(ri, &m, "self");
1093  if (!WRA_WAS_ADDED(added)) {
1094  if (!WRA_WAS_OUTDATED(added)) {
1095  log_err(LD_GENERAL, "Unable to add own descriptor to directory: %s",
1096  m?m:"<unknown error>");
1097  return -1;
1098  } else {
1099  /* If the descriptor was outdated, that's ok. This can happen
1100  * when some config options are toggled that affect workers, but
1101  * we don't really need new keys yet so the descriptor doesn't
1102  * change and the old one is still fresh. */
1103  log_info(LD_GENERAL, "Couldn't add own descriptor to directory "
1104  "after key init: %s This is usually not a problem.",
1105  m?m:"<unknown error>");
1106  }
1107  }
1108  }
1109  }
1110 
1111  /* 5. Dump fingerprint and possibly hashed fingerprint to files. */
1112  if (router_write_fingerprint(0)) {
1113  log_err(LD_FS, "Error writing fingerprint to file");
1114  return -1;
1115  }
1116  if (!public_server_mode(options) && router_write_fingerprint(1)) {
1117  log_err(LD_FS, "Error writing hashed fingerprint to file");
1118  return -1;
1119  }
1120 
1121  if (!authdir_mode(options))
1122  return 0;
1123  /* 6. [authdirserver only] load approved-routers file */
1124  if (dirserv_load_fingerprint_file() < 0) {
1125  log_err(LD_GENERAL,"Error loading fingerprints");
1126  return -1;
1127  }
1128  /* 6b. [authdirserver only] add own key to approved directories. */
1130  type = ((options->V3AuthoritativeDir ?
1132  (options->BridgeAuthoritativeDir ? BRIDGE_DIRINFO : NO_DIRINFO));
1133 
1135  if (!ds) {
1136  ds = trusted_dir_server_new(options->Nickname, NULL,
1137  router_get_advertised_dir_port(options, 0),
1139  NULL,
1140  digest,
1141  v3_digest,
1142  type, 0.0);
1143  if (!ds) {
1144  log_err(LD_GENERAL,"We want to be a directory authority, but we "
1145  "couldn't add ourselves to the authority list. Failing.");
1146  return -1;
1147  }
1148  dir_server_add(ds);
1149  }
1150  if (ds->type != type) {
1151  log_warn(LD_DIR, "Configured authority type does not match authority "
1152  "type in DirAuthority list. Adjusting. (%d v %d)",
1153  type, ds->type);
1154  ds->type = type;
1155  }
1156  if (v3_digest_set && (ds->type & V3_DIRINFO) &&
1157  tor_memneq(v3_digest, ds->v3_identity_digest, DIGEST_LEN)) {
1158  log_warn(LD_DIR, "V3 identity key does not match identity declared in "
1159  "DirAuthority line. Adjusting.");
1160  memcpy(ds->v3_identity_digest, v3_digest, DIGEST_LEN);
1161  }
1162 
1163  if (cert) { /* add my own cert to the list of known certs */
1164  log_info(LD_DIR, "adding my own v3 cert");
1167  TRUSTED_DIRS_CERTS_SRC_SELF, 0,
1168  NULL)<0) {
1169  log_warn(LD_DIR, "Unable to parse my own v3 cert! Failing.");
1170  return -1;
1171  }
1172  }
1173 
1174  return 0; /* success */
1175 }
1176 
1179 /* XXX Should this be increased? */
1180 #define MIN_BW_TO_ADVERTISE_DIRSERVER 51200
1181 
1185 int
1187 {
1189  return 0;
1190  }
1191  if (options->RelayBandwidthRate > 0 &&
1193  return 0;
1194  }
1195  return 1;
1196 }
1197 
1205 static int
1206 router_should_be_dirserver(const or_options_t *options, int dir_port)
1207 {
1208  static int advertising=1; /* start out assuming we will advertise */
1209  int new_choice=1;
1210  const char *reason = NULL;
1211 
1212  if (accounting_is_enabled(options) &&
1213  get_options()->AccountingRule != ACCT_IN) {
1214  /* Don't spend bytes for directory traffic if we could end up hibernating,
1215  * but allow DirPort otherwise. Some relay operators set AccountingMax
1216  * because they're confused or to get statistics. Directory traffic has a
1217  * much larger effect on output than input so there is no reason to turn it
1218  * off if using AccountingRule in. */
1219  int interval_length = accounting_get_interval_length();
1220  uint32_t effective_bw = get_effective_bwrate(options);
1221  uint64_t acc_bytes;
1222  if (!interval_length) {
1223  log_warn(LD_BUG, "An accounting interval is not allowed to be zero "
1224  "seconds long. Raising to 1.");
1225  interval_length = 1;
1226  }
1227  log_info(LD_GENERAL, "Calculating whether to advertise %s: effective "
1228  "bwrate: %u, AccountingMax: %"PRIu64", "
1229  "accounting interval length %d",
1230  dir_port ? "dirport" : "begindir",
1231  effective_bw, (options->AccountingMax),
1232  interval_length);
1233 
1234  acc_bytes = options->AccountingMax;
1235  if (get_options()->AccountingRule == ACCT_SUM)
1236  acc_bytes /= 2;
1237  if (effective_bw >=
1238  acc_bytes / interval_length) {
1239  new_choice = 0;
1240  reason = "AccountingMax enabled";
1241  }
1242  } else if (! router_has_bandwidth_to_be_dirserver(options)) {
1243  /* if we're advertising a small amount */
1244  new_choice = 0;
1245  reason = "BandwidthRate under 50KB";
1246  }
1247 
1248  if (advertising != new_choice) {
1249  if (new_choice == 1) {
1250  if (dir_port > 0)
1251  log_notice(LD_DIR, "Advertising DirPort as %d", dir_port);
1252  else
1253  log_notice(LD_DIR, "Advertising directory service support");
1254  } else {
1255  tor_assert(reason);
1256  log_notice(LD_DIR, "Not advertising Dir%s (Reason: %s)",
1257  dir_port ? "Port" : "ectory Service support", reason);
1258  }
1259  advertising = new_choice;
1260  }
1261 
1262  return advertising;
1263 }
1264 
1274 static int
1276  uint16_t dir_port,
1277  int supports_tunnelled_dir_requests)
1278 {
1279  /* Part one: reasons to publish or not publish that aren't
1280  * worth mentioning to the user, either because they're obvious
1281  * or because they're normal behavior. */
1282 
1283  /* short circuit the rest of the function */
1284  if (!dir_port && !supports_tunnelled_dir_requests)
1285  return 0;
1286  if (authdir_mode(options)) /* always publish */
1287  return 1;
1288  if (net_is_disabled())
1289  return 0;
1290  if (dir_port && !router_get_advertised_dir_port(options, dir_port))
1291  return 0;
1292  if (supports_tunnelled_dir_requests &&
1294  return 0;
1295 
1296  /* Part two: consider config options that could make us choose to
1297  * publish or not publish that the user might find surprising. */
1298  return router_should_be_dirserver(options, dir_port);
1299 }
1300 
1305 int
1306 router_should_advertise_dirport(const or_options_t *options, uint16_t dir_port)
1307 {
1308  /* supports_tunnelled_dir_requests is not relevant, pass 0 */
1309  return decide_to_advertise_dir_impl(options, dir_port, 0) ? dir_port : 0;
1310 }
1311 
1315 static int
1317  int supports_tunnelled_dir_requests)
1318 {
1319  /* dir_port is not relevant, pass 0 */
1320  return decide_to_advertise_dir_impl(options, 0,
1321  supports_tunnelled_dir_requests);
1322 }
1323 
1327 int
1329 {
1330  if (options->RefuseUnknownExits != -1) {
1331  return options->RefuseUnknownExits;
1332  } else {
1333  return networkstatus_get_param(NULL, "refuseunknownexits", 1, 0, 1);
1334  }
1335 }
1336 
1350 static int
1352 {
1353  const or_options_t *options = get_options();
1354 
1355  if (options->ClientOnly)
1356  return 0;
1357  if (options->PublishServerDescriptor_ == NO_DIRINFO)
1358  return 0;
1359  if (!server_mode(options))
1360  return 0;
1361  if (authdir_mode(options))
1362  return 1;
1363  if (!router_get_advertised_or_port(options))
1364  return 0;
1365  if (!check_whether_orport_reachable(options))
1366  return 0;
1367  if (router_have_consensus_path() == CONSENSUS_PATH_INTERNAL) {
1368  /* All set: there are no exits in the consensus (maybe this is a tiny
1369  * test network), so we can't check our DirPort reachability. */
1370  return 1;
1371  } else {
1372  return check_whether_dirport_reachable(options);
1373  }
1374 }
1375 
1383 void
1385 {
1386  int rebuilt;
1387 
1388  if (!server_mode(get_options()))
1389  return;
1390 
1391  rebuilt = router_rebuild_descriptor(0);
1394  if (rebuilt == 0)
1396  } else {
1398  }
1399 }
1400 
1405 uint16_t
1407  sa_family_t family)
1408 {
1409  /* Iterate all connections, find one of the right kind and return
1410  the port. Not very sophisticated or fast, but effective. */
1411  smartlist_t *conns = get_connection_array();
1412  SMARTLIST_FOREACH_BEGIN(conns, connection_t *, conn) {
1413  if (conn->type == listener_type && !conn->marked_for_close &&
1414  conn->socket_family == family) {
1415  return conn->port;
1416  }
1417  } SMARTLIST_FOREACH_END(conn);
1418 
1419  return 0;
1420 }
1421 
1426 uint16_t
1428 {
1429  return router_get_advertised_or_port_by_af(options, AF_INET);
1430 }
1431 
1434 uint16_t
1436  sa_family_t family)
1437 {
1439  family);
1440  (void)options;
1441 
1442  /* If the port is in 'auto' mode, we have to use
1443  router_get_listener_port_by_type(). */
1444  if (port == CFG_AUTO_PORT)
1446  family);
1447 
1448  return port;
1449 }
1450 
1456 uint16_t
1457 router_get_advertised_dir_port(const or_options_t *options, uint16_t dirport)
1458 {
1459  int dirport_configured = get_primary_dir_port();
1460  (void)options;
1461 
1462  if (!dirport_configured)
1463  return dirport;
1464 
1465  if (dirport_configured == CFG_AUTO_PORT)
1467  AF_INET);
1468 
1469  return dirport_configured;
1470 }
1471 
1472 /*
1473  * OR descriptor generation.
1474  */
1475 
1482 static const char *desc_gen_reason = "uninitialized reason";
1485 STATIC time_t desc_clean_since = 0;
1487 STATIC const char *desc_dirty_reason = "Tor just started";
1489 static int desc_needs_upload = 0;
1490 
1495 void
1497 {
1498  const routerinfo_t *ri;
1499  extrainfo_t *ei;
1500  char *msg;
1501  size_t desc_len, extra_len = 0, total_len;
1502  dirinfo_type_t auth = get_options()->PublishServerDescriptor_;
1503 
1504  ri = router_get_my_routerinfo();
1505  if (!ri) {
1506  log_info(LD_GENERAL, "No descriptor; skipping upload");
1507  return;
1508  }
1509  ei = router_get_my_extrainfo();
1510  if (auth == NO_DIRINFO)
1511  return;
1512  if (!force && !desc_needs_upload)
1513  return;
1514 
1515  log_info(LD_OR, "Uploading relay descriptor to directory authorities%s",
1516  force ? " (forced)" : "");
1517 
1518  desc_needs_upload = 0;
1519 
1520  desc_len = ri->cache_info.signed_descriptor_len;
1521  extra_len = ei ? ei->cache_info.signed_descriptor_len : 0;
1522  total_len = desc_len + extra_len + 1;
1523  msg = tor_malloc(total_len);
1524  memcpy(msg, ri->cache_info.signed_descriptor_body, desc_len);
1525  if (ei) {
1526  memcpy(msg+desc_len, ei->cache_info.signed_descriptor_body, extra_len);
1527  }
1528  msg[desc_len+extra_len] = 0;
1529 
1531  (auth & BRIDGE_DIRINFO) ?
1532  ROUTER_PURPOSE_BRIDGE :
1533  ROUTER_PURPOSE_GENERAL,
1534  auth, msg, desc_len, extra_len);
1535  tor_free(msg);
1536 }
1537 
1541 int
1543 {
1544  const routerinfo_t *me = router_get_my_routerinfo();
1545  if (!me) /* make sure routerinfo exists */
1546  return -1;
1547 
1548  /* make sure it's resolved to something. this way we can't get a
1549  'maybe' below. */
1550  if (tor_addr_is_null(addr))
1551  return -1;
1552 
1553  /* look at router_get_my_routerinfo()->exit_policy for both the v4 and the
1554  * v6 policies. The exit_policy field in router_get_my_routerinfo() is a
1555  * bit unusual, in that it contains IPv6 and IPv6 entries. We don't want to
1556  * look at router_get_my_routerinfo()->ipv6_exit_policy, since that's a port
1557  * summary. */
1558  if ((tor_addr_family(addr) == AF_INET ||
1559  tor_addr_family(addr) == AF_INET6)) {
1560  return compare_tor_addr_to_addr_policy(addr, port,
1562 #if 0
1563  } else if (tor_addr_family(addr) == AF_INET6) {
1564  return get_options()->IPv6Exit &&
1568 #endif /* 0 */
1569  } else {
1570  return -1;
1571  }
1572 }
1573 
1577 router_my_exit_policy_is_reject_star,(void))
1578 {
1579  const routerinfo_t *me = router_get_my_routerinfo();
1580  if (!me) /* make sure routerinfo exists */
1581  return -1;
1582 
1583  return me->policy_is_reject_star;
1584 }
1585 
1588 int
1589 router_digest_is_me(const char *digest)
1590 {
1591  return (server_identitykey &&
1593 }
1594 
1596 const uint8_t *
1598 {
1599  return (const uint8_t *)server_identitykey_digest;
1600 }
1601 
1604 int
1606 {
1608  if (!ei)
1609  return 0;
1610 
1611  return tor_memeq(digest,
1612  ei->cache_info.signed_descriptor_digest,
1613  DIGEST_LEN);
1614 }
1615 
1617 int
1619 {
1620  return router_digest_is_me(router->cache_info.identity_digest);
1621 }
1622 
1626 router_get_my_routerinfo,(void))
1627 {
1628  return router_get_my_routerinfo_with_err(NULL);
1629 }
1630 
1636 router_get_my_routerinfo_with_err,(int *err))
1637 {
1638  if (!server_mode(get_options())) {
1639  if (err)
1640  *err = TOR_ROUTERINFO_ERROR_NOT_A_SERVER;
1641 
1642  return NULL;
1643  }
1644 
1645  if (!desc_clean_since) {
1646  int rebuild_err = router_rebuild_descriptor(0);
1647  if (rebuild_err < 0) {
1648  if (err)
1649  *err = rebuild_err;
1650 
1651  return NULL;
1652  }
1653  }
1654 
1655  if (!desc_routerinfo) {
1656  if (err)
1657  *err = TOR_ROUTERINFO_ERROR_DESC_REBUILDING;
1658 
1659  return NULL;
1660  }
1661 
1662  if (err)
1663  *err = 0;
1664 
1665  return desc_routerinfo;
1666 }
1667 
1671 const char *
1673 {
1674  const char *body;
1675  const routerinfo_t *me = router_get_my_routerinfo();
1676  if (! me)
1677  return NULL;
1678  tor_assert(me->cache_info.saved_location == SAVED_NOWHERE);
1679  body = signed_descriptor_get_body(&me->cache_info);
1680  /* Make sure this is nul-terminated. */
1681  tor_assert(!body[me->cache_info.signed_descriptor_len]);
1682  log_debug(LD_GENERAL,"my desc is '%s'", body);
1683  return body;
1684 }
1685 
1688 extrainfo_t *
1690 {
1691  if (!server_mode(get_options()))
1692  return NULL;
1694  return NULL;
1695  return desc_extrainfo;
1696 }
1697 
1700 const char *
1702 {
1703  return desc_gen_reason;
1704 }
1705 
1706 static int router_guess_address_from_dir_headers(uint32_t *guess);
1707 
1717 router_pick_published_address,(const or_options_t *options, uint32_t *addr,
1718  int cache_only))
1719 {
1720  /* First, check the cached output from resolve_my_address(). */
1721  *addr = get_last_resolved_addr();
1722  if (*addr)
1723  return 0;
1724 
1725  /* Second, consider doing a resolve attempt right here. */
1726  if (!cache_only) {
1727  if (resolve_my_address(LOG_INFO, options, addr, NULL, NULL) >= 0) {
1728  log_info(LD_CONFIG,"Success: chose address '%s'.", fmt_addr32(*addr));
1729  return 0;
1730  }
1731  }
1732 
1733  /* Third, check the cached output from router_new_address_suggestion(). */
1735  return 0;
1736 
1737  /* We have no useful cached answers. Return failure. */
1738  return -1;
1739 }
1740 
1741 /* Like router_check_descriptor_address_consistency, but specifically for the
1742  * ORPort or DirPort.
1743  * listener_type is either CONN_TYPE_OR_LISTENER or CONN_TYPE_DIR_LISTENER. */
1744 static void
1745 router_check_descriptor_address_port_consistency(uint32_t ipv4h_desc_addr,
1746  int listener_type)
1747 {
1748  tor_assert(listener_type == CONN_TYPE_OR_LISTENER ||
1749  listener_type == CONN_TYPE_DIR_LISTENER);
1750 
1751  /* The first advertised Port may be the magic constant CFG_AUTO_PORT.
1752  */
1753  int port_v4_cfg = get_first_advertised_port_by_type_af(listener_type,
1754  AF_INET);
1755  if (port_v4_cfg != 0 &&
1756  !port_exists_by_type_addr32h_port(listener_type,
1757  ipv4h_desc_addr, port_v4_cfg, 1)) {
1759  listener_type,
1760  AF_INET);
1761  /* If we're building a descriptor with no advertised address,
1762  * something is terribly wrong. */
1763  tor_assert(port_addr);
1764 
1765  tor_addr_t desc_addr;
1766  char port_addr_str[TOR_ADDR_BUF_LEN];
1767  char desc_addr_str[TOR_ADDR_BUF_LEN];
1768 
1769  tor_addr_to_str(port_addr_str, port_addr, TOR_ADDR_BUF_LEN, 0);
1770 
1771  tor_addr_from_ipv4h(&desc_addr, ipv4h_desc_addr);
1772  tor_addr_to_str(desc_addr_str, &desc_addr, TOR_ADDR_BUF_LEN, 0);
1773 
1774  const char *listener_str = (listener_type == CONN_TYPE_OR_LISTENER ?
1775  "OR" : "Dir");
1776  log_warn(LD_CONFIG, "The IPv4 %sPort address %s does not match the "
1777  "descriptor address %s. If you have a static public IPv4 "
1778  "address, use 'Address <IPv4>' and 'OutboundBindAddress "
1779  "<IPv4>'. If you are behind a NAT, use two %sPort lines: "
1780  "'%sPort <PublicPort> NoListen' and '%sPort <InternalPort> "
1781  "NoAdvertise'.",
1782  listener_str, port_addr_str, desc_addr_str, listener_str,
1783  listener_str, listener_str);
1784  }
1785 }
1786 
1787 /* Tor relays only have one IPv4 address in the descriptor, which is derived
1788  * from the Address torrc option, or guessed using various methods in
1789  * router_pick_published_address().
1790  * Warn the operator if there is no ORPort on the descriptor address
1791  * ipv4h_desc_addr.
1792  * Warn the operator if there is no DirPort on the descriptor address.
1793  * This catches a few common config errors:
1794  * - operators who expect ORPorts and DirPorts to be advertised on the
1795  * ports' listen addresses, rather than the torrc Address (or guessed
1796  * addresses in the absence of an Address config). This includes
1797  * operators who attempt to put their ORPort and DirPort on different
1798  * addresses;
1799  * - discrepancies between guessed addresses and configured listen
1800  * addresses (when the Address option isn't set).
1801  * If a listener is listening on all IPv4 addresses, it is assumed that it
1802  * is listening on the configured Address, and no messages are logged.
1803  * If an operators has specified NoAdvertise ORPorts in a NAT setting,
1804  * no messages are logged, unless they have specified other advertised
1805  * addresses.
1806  * The message tells operators to configure an ORPort and DirPort that match
1807  * the Address (using NoListen if needed).
1808  */
1809 static void
1810 router_check_descriptor_address_consistency(uint32_t ipv4h_desc_addr)
1811 {
1812  router_check_descriptor_address_port_consistency(ipv4h_desc_addr,
1814  router_check_descriptor_address_port_consistency(ipv4h_desc_addr,
1816 }
1817 
1821 
1827 STATIC smartlist_t *
1829 {
1830  if (!options->MyFamily)
1831  return NULL;
1832 
1833  if (options->BridgeRelay)
1834  return NULL;
1835 
1836  if (!warned_family)
1837  warned_family = smartlist_new();
1838 
1839  smartlist_t *declared_family = smartlist_new();
1840  config_line_t *family;
1841 
1842  /* First we try to get the whole family in the form of hexdigests. */
1843  for (family = options->MyFamily; family; family = family->next) {
1844  char *name = family->value;
1845  const node_t *member;
1846  if (options->Nickname && !strcasecmp(name, options->Nickname))
1847  continue; /* Don't list ourself by nickname, that's redundant */
1848  else
1849  member = node_get_by_nickname(name, 0);
1850 
1851  if (!member) {
1852  /* This node doesn't seem to exist, so warn about it if it is not
1853  * a hexdigest. */
1854  int is_legal = is_legal_nickname_or_hexdigest(name);
1856  !is_legal_hexdigest(name)) {
1857  if (is_legal)
1858  log_warn(LD_CONFIG,
1859  "There is a router named %s in my declared family, but "
1860  "I have no descriptor for it. I'll use the nickname "
1861  "as is, but this may confuse clients. Please list it "
1862  "by identity digest instead.", escaped(name));
1863  else
1864  log_warn(LD_CONFIG, "There is a router named %s in my declared "
1865  "family, but that isn't a legal digest or nickname. "
1866  "Skipping it.", escaped(name));
1868  }
1869  if (is_legal) {
1870  smartlist_add_strdup(declared_family, name);
1871  }
1872  } else {
1873  /* List the node by digest. */
1874  char *fp = tor_malloc(HEX_DIGEST_LEN+2);
1875  fp[0] = '$';
1877  member->identity, DIGEST_LEN);
1878  smartlist_add(declared_family, fp);
1879 
1880  if (! is_legal_hexdigest(name) &&
1882  /* Warn if this node was not specified by hexdigest. */
1883  log_warn(LD_CONFIG, "There is a router named %s in my declared "
1884  "family, but it wasn't listed by digest. Please consider "
1885  "saying %s instead, if that's what you meant.",
1886  escaped(name), fp);
1888  }
1889  }
1890  }
1891 
1892  /* Now declared_family should have the closest we can come to the
1893  * identities that the user wanted.
1894  *
1895  * Unlike older versions of Tor, we _do_ include our own identity: this
1896  * helps microdescriptor compression, and helps in-memory compression
1897  * on clients. */
1898  nodefamily_t *nf = nodefamily_from_members(declared_family,
1900  NF_WARN_MALFORMED,
1901  NULL);
1902  SMARTLIST_FOREACH(declared_family, char *, s, tor_free(s));
1903  smartlist_free(declared_family);
1904  if (!nf) {
1905  return NULL;
1906  }
1907 
1908  char *s = nodefamily_format(nf);
1909  nodefamily_free(nf);
1910 
1911  smartlist_t *result = smartlist_new();
1912  smartlist_split_string(result, s, NULL,
1913  SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
1914  tor_free(s);
1915 
1916  if (smartlist_len(result) == 1) {
1917  /* This is a one-element list containing only ourself; instead return
1918  * nothing */
1919  const char *singleton = smartlist_get(result, 0);
1920  bool is_me = false;
1921  if (singleton[0] == '$') {
1922  char d[DIGEST_LEN];
1923  int n = base16_decode(d, sizeof(d), singleton+1, strlen(singleton+1));
1924  if (n == DIGEST_LEN &&
1925  fast_memeq(d, router_get_my_id_digest(), DIGEST_LEN)) {
1926  is_me = true;
1927  }
1928  }
1929  if (!is_me) {
1930  // LCOV_EXCL_START
1931  log_warn(LD_BUG, "Found a singleton family list with an element "
1932  "that wasn't us! Element was %s", escaped(singleton));
1933  // LCOV_EXCL_STOP
1934  } else {
1935  SMARTLIST_FOREACH(result, char *, cp, tor_free(cp));
1936  smartlist_free(result);
1937  return NULL;
1938  }
1939  }
1940 
1941  return result;
1942 }
1943 
1951 int
1953 {
1954  routerinfo_t *ri;
1955  extrainfo_t *ei;
1956  uint32_t addr;
1957  char platform[256];
1958  int hibernating = we_are_hibernating();
1959  const or_options_t *options = get_options();
1960 
1961  if (router_pick_published_address(options, &addr, 0) < 0) {
1962  log_warn(LD_CONFIG, "Don't know my address while generating descriptor");
1963  return TOR_ROUTERINFO_ERROR_NO_EXT_ADDR;
1964  }
1965 
1966  /* Log a message if the address in the descriptor doesn't match the ORPort
1967  * and DirPort addresses configured by the operator. */
1968  router_check_descriptor_address_consistency(addr);
1969 
1970  ri = tor_malloc_zero(sizeof(routerinfo_t));
1971  ri->cache_info.routerlist_index = -1;
1972  ri->nickname = tor_strdup(options->Nickname);
1973  ri->addr = addr;
1974  ri->or_port = router_get_advertised_or_port(options);
1975  ri->dir_port = router_get_advertised_dir_port(options, 0);
1978  ri->cache_info.published_on = time(NULL);
1979  /* get_onion_key() must invoke from main thread */
1980  router_set_rsa_onion_pkey(get_onion_key(), &ri->onion_pkey,
1981  &ri->onion_pkey_len);
1982 
1983  ri->onion_curve25519_pkey =
1984  tor_memdup(&get_current_curve25519_keypair()->pubkey,
1985  sizeof(curve25519_public_key_t));
1986 
1987  /* For now, at most one IPv6 or-address is being advertised. */
1988  {
1989  const port_cfg_t *ipv6_orport = NULL;
1990  SMARTLIST_FOREACH_BEGIN(get_configured_ports(), const port_cfg_t *, p) {
1991  if (p->type == CONN_TYPE_OR_LISTENER &&
1992  ! p->server_cfg.no_advertise &&
1993  ! p->server_cfg.bind_ipv4_only &&
1994  tor_addr_family(&p->addr) == AF_INET6) {
1995  /* Like IPv4, if the relay is configured using the default
1996  * authorities, disallow internal IPs. Otherwise, allow them. */
1997  const int default_auth = using_default_dir_authorities(options);
1998  if (! tor_addr_is_internal(&p->addr, 0) || ! default_auth) {
1999  ipv6_orport = p;
2000  break;
2001  } else {
2002  char addrbuf[TOR_ADDR_BUF_LEN];
2003  log_warn(LD_CONFIG,
2004  "Unable to use configured IPv6 address \"%s\" in a "
2005  "descriptor. Skipping it. "
2006  "Try specifying a globally reachable address explicitly.",
2007  tor_addr_to_str(addrbuf, &p->addr, sizeof(addrbuf), 1));
2008  }
2009  }
2010  } SMARTLIST_FOREACH_END(p);
2011  if (ipv6_orport) {
2012  tor_addr_copy(&ri->ipv6_addr, &ipv6_orport->addr);
2013  ri->ipv6_orport = ipv6_orport->port;
2014  }
2015  }
2016 
2018  if (BUG(crypto_pk_get_digest(ri->identity_pkey,
2019  ri->cache_info.identity_digest) < 0)) {
2020  routerinfo_free(ri);
2021  return TOR_ROUTERINFO_ERROR_DIGEST_FAILED;
2022  }
2023  ri->cache_info.signing_key_cert =
2024  tor_cert_dup(get_master_signing_key_cert());
2025 
2026  get_platform_str(platform, sizeof(platform));
2027  ri->platform = tor_strdup(platform);
2028 
2029  ri->protocol_list = tor_strdup(protover_get_supported_protocols());
2030 
2031  /* compute ri->bandwidthrate as the min of various options */
2032  ri->bandwidthrate = get_effective_bwrate(options);
2033 
2034  /* and compute ri->bandwidthburst similarly */
2035  ri->bandwidthburst = get_effective_bwburst(options);
2036 
2037  /* Report bandwidth, unless we're hibernating or shutting down */
2038  ri->bandwidthcapacity = hibernating ? 0 : rep_hist_bandwidth_assess();
2039 
2041  /* DNS is screwed up; don't claim to be an exit. */
2043  } else {
2045  &ri->exit_policy);
2046  }
2047  ri->policy_is_reject_star =
2048  policy_is_reject_star(ri->exit_policy, AF_INET, 1) &&
2049  policy_is_reject_star(ri->exit_policy, AF_INET6, 1);
2050 
2051  if (options->IPv6Exit) {
2052  char *p_tmp = policy_summarize(ri->exit_policy, AF_INET6);
2053  if (p_tmp)
2054  ri->ipv6_exit_policy = parse_short_policy(p_tmp);
2055  tor_free(p_tmp);
2056  }
2057 
2058  ri->declared_family = get_my_declared_family(options);
2059 
2060  /* Now generate the extrainfo. */
2061  ei = tor_malloc_zero(sizeof(extrainfo_t));
2062  ei->cache_info.is_extrainfo = 1;
2063  strlcpy(ei->nickname, get_options()->Nickname, sizeof(ei->nickname));
2064  ei->cache_info.published_on = ri->cache_info.published_on;
2065  ei->cache_info.signing_key_cert =
2066  tor_cert_dup(get_master_signing_key_cert());
2067 
2068  memcpy(ei->cache_info.identity_digest, ri->cache_info.identity_digest,
2069  DIGEST_LEN);
2072  get_master_signing_keypair()) < 0) {
2073  log_warn(LD_BUG, "Couldn't generate extra-info descriptor.");
2074  extrainfo_free(ei);
2075  ei = NULL;
2076  } else {
2077  ei->cache_info.signed_descriptor_len =
2078  strlen(ei->cache_info.signed_descriptor_body);
2080  ei->cache_info.signed_descriptor_len,
2081  ei->cache_info.signed_descriptor_digest);
2082  crypto_digest256((char*) ei->digest256,
2083  ei->cache_info.signed_descriptor_body,
2084  ei->cache_info.signed_descriptor_len,
2085  DIGEST_SHA256);
2086  }
2087 
2088  /* Now finish the router descriptor. */
2089  if (ei) {
2090  memcpy(ri->cache_info.extra_info_digest,
2091  ei->cache_info.signed_descriptor_digest,
2092  DIGEST_LEN);
2093  memcpy(ri->cache_info.extra_info_digest256,
2094  ei->digest256,
2095  DIGEST256_LEN);
2096  } else {
2097  /* ri was allocated with tor_malloc_zero, so there is no need to
2098  * zero ri->cache_info.extra_info_digest here. */
2099  }
2100  if (! (ri->cache_info.signed_descriptor_body =
2102  get_onion_key(),
2104  get_master_signing_keypair())) ) {
2105  log_warn(LD_BUG, "Couldn't generate router descriptor.");
2106  routerinfo_free(ri);
2107  extrainfo_free(ei);
2108  return TOR_ROUTERINFO_ERROR_CANNOT_GENERATE;
2109  }
2110  ri->cache_info.signed_descriptor_len =
2111  strlen(ri->cache_info.signed_descriptor_body);
2112 
2113  ri->purpose =
2114  options->BridgeRelay ? ROUTER_PURPOSE_BRIDGE : ROUTER_PURPOSE_GENERAL;
2115  if (options->BridgeRelay) {
2116  /* Bridges shouldn't be able to send their descriptors unencrypted,
2117  anyway, since they don't have a DirPort, and always connect to the
2118  bridge authority anonymously. But just in case they somehow think of
2119  sending them on an unencrypted connection, don't allow them to try. */
2120  ri->cache_info.send_unencrypted = 0;
2121  if (ei)
2122  ei->cache_info.send_unencrypted = 0;
2123  } else {
2124  ri->cache_info.send_unencrypted = 1;
2125  if (ei)
2126  ei->cache_info.send_unencrypted = 1;
2127  }
2128 
2130  strlen(ri->cache_info.signed_descriptor_body),
2131  ri->cache_info.signed_descriptor_digest);
2132 
2133  if (ei) {
2134  tor_assert(!
2136  &ri->cache_info, NULL));
2137  }
2138 
2139  *r = ri;
2140  *e = ei;
2141  return 0;
2142 }
2143 
2148 int
2150 {
2151  int err = 0;
2152  routerinfo_t *ri;
2153  extrainfo_t *ei;
2154  uint32_t addr;
2155  const or_options_t *options = get_options();
2156 
2157  if (desc_clean_since && !force)
2158  return 0;
2159 
2160  if (router_pick_published_address(options, &addr, 0) < 0 ||
2161  router_get_advertised_or_port(options) == 0) {
2162  /* Stop trying to rebuild our descriptor every second. We'll
2163  * learn that it's time to try again when ip_address_changed()
2164  * marks it dirty. */
2165  desc_clean_since = time(NULL);
2166  return TOR_ROUTERINFO_ERROR_DESC_REBUILDING;
2167  }
2168 
2169  log_info(LD_OR, "Rebuilding relay descriptor%s", force ? " (forced)" : "");
2170 
2171  err = router_build_fresh_descriptor(&ri, &ei);
2172  if (err < 0) {
2173  return err;
2174  }
2175 
2176  routerinfo_free(desc_routerinfo);
2177  desc_routerinfo = ri;
2178  extrainfo_free(desc_extrainfo);
2179  desc_extrainfo = ei;
2180 
2181  desc_clean_since = time(NULL);
2182  desc_needs_upload = 1;
2184  if (BUG(desc_gen_reason == NULL)) {
2185  desc_gen_reason = "descriptor was marked dirty earlier, for no reason.";
2186  }
2187  desc_dirty_reason = NULL;
2189  return 0;
2190 }
2191 
2194 #define FORCE_REGENERATE_DESCRIPTOR_INTERVAL (18*60*60)
2195 
2198 #define FAST_RETRY_DESCRIPTOR_INTERVAL (90*60)
2199 
2202 void
2204 {
2205  networkstatus_t *ns;
2206  const routerstatus_t *rs;
2207  const char *retry_fast_reason = NULL; /* Set if we should retry frequently */
2208  const time_t slow_cutoff = now - FORCE_REGENERATE_DESCRIPTOR_INTERVAL;
2209  const time_t fast_cutoff = now - FAST_RETRY_DESCRIPTOR_INTERVAL;
2210 
2211  /* If it's already dirty, don't mark it. */
2212  if (! desc_clean_since)
2213  return;
2214 
2215  /* If it's older than FORCE_REGENERATE_DESCRIPTOR_INTERVAL, it's always
2216  * time to rebuild it. */
2217  if (desc_clean_since < slow_cutoff) {
2218  mark_my_descriptor_dirty("time for new descriptor");
2219  return;
2220  }
2221  /* Now we see whether we want to be retrying frequently or no. The
2222  * rule here is that we'll retry frequently if we aren't listed in the
2223  * live consensus we have, or if the publication time of the
2224  * descriptor listed for us in the consensus is very old, or if the
2225  * consensus lists us as "stale" and we haven't regenerated since the
2226  * consensus was published. */
2227  ns = networkstatus_get_live_consensus(now);
2228  if (ns) {
2229  rs = networkstatus_vote_find_entry(ns, server_identitykey_digest);
2230  if (rs == NULL)
2231  retry_fast_reason = "not listed in consensus";
2232  else if (rs->published_on < slow_cutoff)
2233  retry_fast_reason = "version listed in consensus is quite old";
2234  else if (rs->is_staledesc && ns->valid_after > desc_clean_since)
2235  retry_fast_reason = "listed as stale in consensus";
2236  }
2237 
2238  if (retry_fast_reason && desc_clean_since < fast_cutoff)
2239  mark_my_descriptor_dirty(retry_fast_reason);
2240 }
2241 
2243 void
2244 mark_my_descriptor_dirty(const char *reason)
2245 {
2246  const or_options_t *options = get_options();
2247  if (BUG(reason == NULL)) {
2248  reason = "marked descriptor dirty for unspecified reason";
2249  }
2250  if (server_mode(options) && options->PublishServerDescriptor_)
2251  log_info(LD_OR, "Decided to publish new relay descriptor: %s", reason);
2252  desc_clean_since = 0;
2253  if (!desc_dirty_reason)
2254  desc_dirty_reason = reason;
2255 }
2256 
2260 #define MAX_BANDWIDTH_CHANGE_FREQ (3*60*60)
2261 
2264 #define MAX_UPTIME_BANDWIDTH_CHANGE (24*60*60)
2265 
2267 #define BANDWIDTH_CHANGE_FACTOR 2
2268 
2272 void
2274 {
2275  static time_t last_changed = 0;
2276  uint64_t prev, cur;
2277  const int hibernating = we_are_hibernating();
2278 
2279  /* If the relay uptime is bigger than MAX_UPTIME_BANDWIDTH_CHANGE,
2280  * the next regularly scheduled descriptor update (18h) will be enough */
2281  if (get_uptime() > MAX_UPTIME_BANDWIDTH_CHANGE && !hibernating)
2282  return;
2283 
2284  const routerinfo_t *my_ri = router_get_my_routerinfo();
2285 
2286  if (!my_ri)
2287  return;
2288 
2289  prev = my_ri->bandwidthcapacity;
2290 
2291  /* Consider ourselves to have zero bandwidth if we're hibernating or
2292  * shutting down. */
2293  cur = hibernating ? 0 : rep_hist_bandwidth_assess();
2294 
2295  if ((prev != cur && (!prev || !cur)) ||
2296  cur > (prev * BANDWIDTH_CHANGE_FACTOR) ||
2297  cur < (prev / BANDWIDTH_CHANGE_FACTOR) ) {
2298  if (last_changed+MAX_BANDWIDTH_CHANGE_FREQ < now || !prev) {
2299  log_info(LD_GENERAL,
2300  "Measured bandwidth has changed; rebuilding descriptor.");
2301  mark_my_descriptor_dirty("bandwidth has changed");
2302  last_changed = now;
2303  }
2304  }
2305 }
2306 
2309 static void
2311  const tor_addr_t *prev,
2312  const tor_addr_t *cur,
2313  const char *source)
2314 {
2315  char addrbuf_prev[TOR_ADDR_BUF_LEN];
2316  char addrbuf_cur[TOR_ADDR_BUF_LEN];
2317 
2318  if (BUG(!server_mode(get_options())))
2319  return;
2320 
2321  if (tor_addr_to_str(addrbuf_prev, prev, sizeof(addrbuf_prev), 1) == NULL)
2322  strlcpy(addrbuf_prev, "???", TOR_ADDR_BUF_LEN);
2323  if (tor_addr_to_str(addrbuf_cur, cur, sizeof(addrbuf_cur), 1) == NULL)
2324  strlcpy(addrbuf_cur, "???", TOR_ADDR_BUF_LEN);
2325 
2326  if (!tor_addr_is_null(prev))
2327  log_fn(severity, LD_GENERAL,
2328  "Our IP Address has changed from %s to %s; "
2329  "rebuilding descriptor (source: %s).",
2330  addrbuf_prev, addrbuf_cur, source);
2331  else
2332  log_notice(LD_GENERAL,
2333  "Guessed our IP address as %s (source: %s).",
2334  addrbuf_cur, source);
2335 }
2336 
2340 void
2342 {
2343  uint32_t prev, cur;
2344  const or_options_t *options = get_options();
2345  const char *method = NULL;
2346  char *hostname = NULL;
2347  const routerinfo_t *my_ri = router_get_my_routerinfo();
2348 
2349  (void) now;
2350 
2351  if (my_ri == NULL) /* make sure routerinfo exists */
2352  return;
2353 
2354  /* XXXX ipv6 */
2355  prev = my_ri->addr;
2356  if (resolve_my_address(LOG_INFO, options, &cur, &method, &hostname) < 0) {
2357  log_info(LD_CONFIG,"options->Address didn't resolve into an IP.");
2358  return;
2359  }
2360 
2361  if (prev != cur) {
2362  char *source;
2363  tor_addr_t tmp_prev, tmp_cur;
2364 
2365  tor_addr_from_ipv4h(&tmp_prev, prev);
2366  tor_addr_from_ipv4h(&tmp_cur, cur);
2367 
2368  tor_asprintf(&source, "METHOD=%s%s%s", method,
2369  hostname ? " HOSTNAME=" : "",
2370  hostname ? hostname : "");
2371 
2372  log_addr_has_changed(LOG_NOTICE, &tmp_prev, &tmp_cur, source);
2373  tor_free(source);
2374 
2375  ip_address_changed(0);
2376  }
2377 
2378  tor_free(hostname);
2379 }
2380 
2383 static tor_addr_t last_guessed_ip = TOR_ADDR_NULL;
2384 
2389 void
2390 router_new_address_suggestion(const char *suggestion,
2391  const dir_connection_t *d_conn)
2392 {
2393  tor_addr_t addr;
2394  uint32_t cur = 0; /* Current IPv4 address. */
2395  const or_options_t *options = get_options();
2396 
2397  /* first, learn what the IP address actually is */
2398  if (tor_addr_parse(&addr, suggestion) == -1) {
2399  log_debug(LD_DIR, "Malformed X-Your-Address-Is header %s. Ignoring.",
2400  escaped(suggestion));
2401  return;
2402  }
2403 
2404  log_debug(LD_DIR, "Got X-Your-Address-Is: %s.", suggestion);
2405 
2406  if (!server_mode(options)) {
2407  tor_addr_copy(&last_guessed_ip, &addr);
2408  return;
2409  }
2410 
2411  /* XXXX ipv6 */
2412  cur = get_last_resolved_addr();
2413  if (cur ||
2414  resolve_my_address(LOG_INFO, options, &cur, NULL, NULL) >= 0) {
2415  /* We're all set -- we already know our address. Great. */
2416  tor_addr_from_ipv4h(&last_guessed_ip, cur); /* store it in case we
2417  need it later */
2418  return;
2419  }
2420  if (tor_addr_is_internal(&addr, 0)) {
2421  /* Don't believe anybody who says our IP is, say, 127.0.0.1. */
2422  return;
2423  }
2424  if (tor_addr_eq(&d_conn->base_.addr, &addr)) {
2425  /* Don't believe anybody who says our IP is their IP. */
2426  log_debug(LD_DIR, "A directory server told us our IP address is %s, "
2427  "but they are just reporting their own IP address. Ignoring.",
2428  suggestion);
2429  return;
2430  }
2431 
2432  /* Okay. We can't resolve our own address, and X-Your-Address-Is is giving
2433  * us an answer different from what we had the last time we managed to
2434  * resolve it. */
2435  if (!tor_addr_eq(&last_guessed_ip, &addr)) {
2437  "EXTERNAL_ADDRESS ADDRESS=%s METHOD=DIRSERV",
2438  suggestion);
2440  d_conn->base_.address);
2441  ip_address_changed(0);
2442  tor_addr_copy(&last_guessed_ip, &addr); /* router_rebuild_descriptor()
2443  will fetch it */
2444  }
2445 }
2446 
2451 static int
2453 {
2456  return 0;
2457  }
2458  return -1;
2459 }
2460 
2465 STATIC void
2466 get_platform_str(char *platform, size_t len)
2467 {
2468  tor_snprintf(platform, len, "Tor %s on %s",
2469  get_short_version(), get_uname());
2470 }
2471 
2472 /* XXX need to audit this thing and count fenceposts. maybe
2473  * refactor so we don't have to keep asking if we're
2474  * near the end of maxlen?
2475  */
2476 #define DEBUG_ROUTER_DUMP_ROUTER_TO_STRING
2477 
2482 char *
2484  const crypto_pk_t *ident_key,
2485  const crypto_pk_t *tap_key,
2486  const curve25519_keypair_t *ntor_keypair,
2487  const ed25519_keypair_t *signing_keypair)
2488 {
2489  char *address = NULL;
2490  char *onion_pkey = NULL; /* Onion key, PEM-encoded. */
2491  crypto_pk_t *rsa_pubkey = NULL;
2492  char *identity_pkey = NULL; /* Identity key, PEM-encoded. */
2493  char digest[DIGEST256_LEN];
2494  char published[ISO_TIME_LEN+1];
2495  char fingerprint[FINGERPRINT_LEN+1];
2496  char *extra_info_line = NULL;
2497  size_t onion_pkeylen, identity_pkeylen;
2498  char *family_line = NULL;
2499  char *extra_or_address = NULL;
2500  const or_options_t *options = get_options();
2501  smartlist_t *chunks = NULL;
2502  char *output = NULL;
2503  const int emit_ed_sigs = signing_keypair &&
2504  router->cache_info.signing_key_cert;
2505  char *ed_cert_line = NULL;
2506  char *rsa_tap_cc_line = NULL;
2507  char *ntor_cc_line = NULL;
2508  char *proto_line = NULL;
2509 
2510  /* Make sure the identity key matches the one in the routerinfo. */
2511  if (!crypto_pk_eq_keys(ident_key, router->identity_pkey)) {
2512  log_warn(LD_BUG,"Tried to sign a router with a private key that didn't "
2513  "match router's public key!");
2514  goto err;
2515  }
2516  if (emit_ed_sigs) {
2517  if (!router->cache_info.signing_key_cert->signing_key_included ||
2518  !ed25519_pubkey_eq(&router->cache_info.signing_key_cert->signed_key,
2519  &signing_keypair->pubkey)) {
2520  log_warn(LD_BUG, "Tried to sign a router descriptor with a mismatched "
2521  "ed25519 key chain %d",
2522  router->cache_info.signing_key_cert->signing_key_included);
2523  goto err;
2524  }
2525  }
2526 
2527  /* record our fingerprint, so we can include it in the descriptor */
2528  if (crypto_pk_get_fingerprint(router->identity_pkey, fingerprint, 1)<0) {
2529  log_err(LD_BUG,"Error computing fingerprint");
2530  goto err;
2531  }
2532 
2533  if (emit_ed_sigs) {
2534  /* Encode ed25519 signing cert */
2535  char ed_cert_base64[256];
2536  char ed_fp_base64[ED25519_BASE64_LEN+1];
2537  if (base64_encode(ed_cert_base64, sizeof(ed_cert_base64),
2538  (const char*)router->cache_info.signing_key_cert->encoded,
2539  router->cache_info.signing_key_cert->encoded_len,
2540  BASE64_ENCODE_MULTILINE) < 0) {
2541  log_err(LD_BUG,"Couldn't base64-encode signing key certificate!");
2542  goto err;
2543  }
2544  if (ed25519_public_to_base64(ed_fp_base64,
2545  &router->cache_info.signing_key_cert->signing_key)<0) {
2546  log_err(LD_BUG,"Couldn't base64-encode identity key\n");
2547  goto err;
2548  }
2549  tor_asprintf(&ed_cert_line, "identity-ed25519\n"
2550  "-----BEGIN ED25519 CERT-----\n"
2551  "%s"
2552  "-----END ED25519 CERT-----\n"
2553  "master-key-ed25519 %s\n",
2554  ed_cert_base64, ed_fp_base64);
2555  }
2556 
2557  /* PEM-encode the onion key */
2558  rsa_pubkey = router_get_rsa_onion_pkey(router->onion_pkey,
2559  router->onion_pkey_len);
2560  if (crypto_pk_write_public_key_to_string(rsa_pubkey,
2561  &onion_pkey,&onion_pkeylen)<0) {
2562  log_warn(LD_BUG,"write onion_pkey to string failed!");
2563  goto err;
2564  }
2565 
2566  /* PEM-encode the identity key */
2568  &identity_pkey,&identity_pkeylen)<0) {
2569  log_warn(LD_BUG,"write identity_pkey to string failed!");
2570  goto err;
2571  }
2572 
2573  /* Cross-certify with RSA key */
2574  if (tap_key && router->cache_info.signing_key_cert &&
2575  router->cache_info.signing_key_cert->signing_key_included) {
2576  char buf[256];
2577  int tap_cc_len = 0;
2578  uint8_t *tap_cc =
2580  &router->cache_info.signing_key_cert->signing_key,
2581  router->identity_pkey,
2582  &tap_cc_len);
2583  if (!tap_cc) {
2584  log_warn(LD_BUG,"make_tap_onion_key_crosscert failed!");
2585  goto err;
2586  }
2587 
2588  if (base64_encode(buf, sizeof(buf), (const char*)tap_cc, tap_cc_len,
2589  BASE64_ENCODE_MULTILINE) < 0) {
2590  log_warn(LD_BUG,"base64_encode(rsa_crosscert) failed!");
2591  tor_free(tap_cc);
2592  goto err;
2593  }
2594  tor_free(tap_cc);
2595 
2596  tor_asprintf(&rsa_tap_cc_line,
2597  "onion-key-crosscert\n"
2598  "-----BEGIN CROSSCERT-----\n"
2599  "%s"
2600  "-----END CROSSCERT-----\n", buf);
2601  }
2602 
2603  /* Cross-certify with onion keys */
2604  if (ntor_keypair && router->cache_info.signing_key_cert &&
2605  router->cache_info.signing_key_cert->signing_key_included) {
2606  int sign = 0;
2607  char buf[256];
2608  /* XXXX Base the expiration date on the actual onion key expiration time?*/
2609  tor_cert_t *cert =
2610  make_ntor_onion_key_crosscert(ntor_keypair,
2611  &router->cache_info.signing_key_cert->signing_key,
2612  router->cache_info.published_on,
2613  get_onion_key_lifetime(), &sign);
2614  if (!cert) {
2615  log_warn(LD_BUG,"make_ntor_onion_key_crosscert failed!");
2616  goto err;
2617  }
2618  tor_assert(sign == 0 || sign == 1);
2619 
2620  if (base64_encode(buf, sizeof(buf),
2621  (const char*)cert->encoded, cert->encoded_len,
2622  BASE64_ENCODE_MULTILINE)<0) {
2623  log_warn(LD_BUG,"base64_encode(ntor_crosscert) failed!");
2624  tor_cert_free(cert);
2625  goto err;
2626  }
2627  tor_cert_free(cert);
2628 
2629  tor_asprintf(&ntor_cc_line,
2630  "ntor-onion-key-crosscert %d\n"
2631  "-----BEGIN ED25519 CERT-----\n"
2632  "%s"
2633  "-----END ED25519 CERT-----\n", sign, buf);
2634  }
2635 
2636  /* Encode the publication time. */
2637  format_iso_time(published, router->cache_info.published_on);
2638 
2639  if (router->declared_family && smartlist_len(router->declared_family)) {
2640  char *family = smartlist_join_strings(router->declared_family,
2641  " ", 0, NULL);
2642  tor_asprintf(&family_line, "family %s\n", family);
2643  tor_free(family);
2644  } else {
2645  family_line = tor_strdup("");
2646  }
2647 
2648  if (!tor_digest_is_zero(router->cache_info.extra_info_digest)) {
2649  char extra_info_digest[HEX_DIGEST_LEN+1];
2650  base16_encode(extra_info_digest, sizeof(extra_info_digest),
2651  router->cache_info.extra_info_digest, DIGEST_LEN);
2652  if (!tor_digest256_is_zero(router->cache_info.extra_info_digest256)) {
2653  char d256_64[BASE64_DIGEST256_LEN+1];
2654  digest256_to_base64(d256_64, router->cache_info.extra_info_digest256);
2655  tor_asprintf(&extra_info_line, "extra-info-digest %s %s\n",
2656  extra_info_digest, d256_64);
2657  } else {
2658  tor_asprintf(&extra_info_line, "extra-info-digest %s\n",
2659  extra_info_digest);
2660  }
2661  }
2662 
2663  if (router->ipv6_orport &&
2664  tor_addr_family(&router->ipv6_addr) == AF_INET6) {
2665  char addr[TOR_ADDR_BUF_LEN];
2666  const char *a;
2667  a = tor_addr_to_str(addr, &router->ipv6_addr, sizeof(addr), 1);
2668  if (a) {
2669  tor_asprintf(&extra_or_address,
2670  "or-address %s:%d\n", a, router->ipv6_orport);
2671  log_debug(LD_OR, "My or-address line is <%s>", extra_or_address);
2672  }
2673  }
2674 
2675  if (router->protocol_list) {
2676  tor_asprintf(&proto_line, "proto %s\n", router->protocol_list);
2677  } else {
2678  proto_line = tor_strdup("");
2679  }
2680 
2681  address = tor_dup_ip(router->addr);
2682  chunks = smartlist_new();
2683 
2684  /* Generate the easy portion of the router descriptor. */
2685  smartlist_add_asprintf(chunks,
2686  "router %s %s %d 0 %d\n"
2687  "%s"
2688  "%s"
2689  "platform %s\n"
2690  "%s"
2691  "published %s\n"
2692  "fingerprint %s\n"
2693  "uptime %ld\n"
2694  "bandwidth %d %d %d\n"
2695  "%s%s"
2696  "onion-key\n%s"
2697  "signing-key\n%s"
2698  "%s%s"
2699  "%s%s%s",
2700  router->nickname,
2701  address,
2702  router->or_port,
2703  router_should_advertise_dirport(options, router->dir_port),
2704  ed_cert_line ? ed_cert_line : "",
2705  extra_or_address ? extra_or_address : "",
2706  router->platform,
2707  proto_line,
2708  published,
2709  fingerprint,
2710  get_uptime(),
2711  (int) router->bandwidthrate,
2712  (int) router->bandwidthburst,
2713  (int) router->bandwidthcapacity,
2714  extra_info_line ? extra_info_line : "",
2715  (options->DownloadExtraInfo || options->V3AuthoritativeDir) ?
2716  "caches-extra-info\n" : "",
2717  onion_pkey, identity_pkey,
2718  rsa_tap_cc_line ? rsa_tap_cc_line : "",
2719  ntor_cc_line ? ntor_cc_line : "",
2720  family_line,
2721  we_are_hibernating() ? "hibernating 1\n" : "",
2722  "hidden-service-dir\n");
2723 
2724  if (options->ContactInfo && strlen(options->ContactInfo)) {
2725  const char *ci = options->ContactInfo;
2726  if (strchr(ci, '\n') || strchr(ci, '\r'))
2727  ci = escaped(ci);
2728  smartlist_add_asprintf(chunks, "contact %s\n", ci);
2729  }
2730 
2731  if (options->BridgeRelay) {
2732  const char *bd;
2733  if (options->BridgeDistribution && strlen(options->BridgeDistribution)) {
2734  bd = options->BridgeDistribution;
2735  } else {
2736  bd = "any";
2737  }
2738  if (strchr(bd, '\n') || strchr(bd, '\r'))
2739  bd = escaped(bd);
2740  smartlist_add_asprintf(chunks, "bridge-distribution-request %s\n", bd);
2741  }
2742 
2743  if (router->onion_curve25519_pkey) {
2744  char kbuf[128];
2745  base64_encode(kbuf, sizeof(kbuf),
2746  (const char *)router->onion_curve25519_pkey->public_key,
2747  CURVE25519_PUBKEY_LEN, BASE64_ENCODE_MULTILINE);
2748  smartlist_add_asprintf(chunks, "ntor-onion-key %s", kbuf);
2749  } else {
2750  /* Authorities will start rejecting relays without ntor keys in 0.2.9 */
2751  log_err(LD_BUG, "A relay must have an ntor onion key");
2752  goto err;
2753  }
2754 
2755  /* Write the exit policy to the end of 's'. */
2756  if (!router->exit_policy || !smartlist_len(router->exit_policy)) {
2757  smartlist_add_strdup(chunks, "reject *:*\n");
2758  } else if (router->exit_policy) {
2759  char *exit_policy = router_dump_exit_policy_to_string(router,1,0);
2760 
2761  if (!exit_policy)
2762  goto err;
2763 
2764  smartlist_add_asprintf(chunks, "%s\n", exit_policy);
2765  tor_free(exit_policy);
2766  }
2767 
2768  if (router->ipv6_exit_policy) {
2769  char *p6 = write_short_policy(router->ipv6_exit_policy);
2770  if (p6 && strcmp(p6, "reject 1-65535")) {
2771  smartlist_add_asprintf(chunks,
2772  "ipv6-policy %s\n", p6);
2773  }
2774  tor_free(p6);
2775  }
2776 
2779  smartlist_add_strdup(chunks, "tunnelled-dir-server\n");
2780  }
2781 
2782  /* Sign the descriptor with Ed25519 */
2783  if (emit_ed_sigs) {
2784  smartlist_add_strdup(chunks, "router-sig-ed25519 ");
2786  ED_DESC_SIGNATURE_PREFIX,
2787  chunks, "", DIGEST_SHA256);
2788  ed25519_signature_t sig;
2789  char buf[ED25519_SIG_BASE64_LEN+1];
2790  if (ed25519_sign(&sig, (const uint8_t*)digest, DIGEST256_LEN,
2791  signing_keypair) < 0)
2792  goto err;
2793  if (ed25519_signature_to_base64(buf, &sig) < 0)
2794  goto err;
2795 
2796  smartlist_add_asprintf(chunks, "%s\n", buf);
2797  }
2798 
2799  /* Sign the descriptor with RSA */
2800  smartlist_add_strdup(chunks, "router-signature\n");
2801 
2802  crypto_digest_smartlist(digest, DIGEST_LEN, chunks, "", DIGEST_SHA1);
2803 
2804  {
2805  char *sig;
2806  if (!(sig = router_get_dirobj_signature(digest, DIGEST_LEN, ident_key))) {
2807  log_warn(LD_BUG, "Couldn't sign router descriptor");
2808  goto err;
2809  }
2810  smartlist_add(chunks, sig);
2811  }
2812 
2813  /* include a last '\n' */
2814  smartlist_add_strdup(chunks, "\n");
2815 
2816  output = smartlist_join_strings(chunks, "", 0, NULL);
2817 
2818 #ifdef DEBUG_ROUTER_DUMP_ROUTER_TO_STRING
2819  {
2820  char *s_dup;
2821  const char *cp;
2822  routerinfo_t *ri_tmp;
2823  cp = s_dup = tor_strdup(output);
2824  ri_tmp = router_parse_entry_from_string(cp, NULL, 1, 0, NULL, NULL);
2825  if (!ri_tmp) {
2826  log_err(LD_BUG,
2827  "We just generated a router descriptor we can't parse.");
2828  log_err(LD_BUG, "Descriptor was: <<%s>>", output);
2829  goto err;
2830  }
2831  tor_free(s_dup);
2832  routerinfo_free(ri_tmp);
2833  }
2834 #endif /* defined(DEBUG_ROUTER_DUMP_ROUTER_TO_STRING) */
2835 
2836  goto done;
2837 
2838  err:
2839  tor_free(output); /* sets output to NULL */
2840  done:
2841  if (chunks) {
2842  SMARTLIST_FOREACH(chunks, char *, cp, tor_free(cp));
2843  smartlist_free(chunks);
2844  }
2845  crypto_pk_free(rsa_pubkey);
2846  tor_free(address);
2847  tor_free(family_line);
2848  tor_free(onion_pkey);
2849  tor_free(identity_pkey);
2850  tor_free(extra_or_address);
2851  tor_free(ed_cert_line);
2852  tor_free(rsa_tap_cc_line);
2853  tor_free(ntor_cc_line);
2854  tor_free(extra_info_line);
2855  tor_free(proto_line);
2856 
2857  return output;
2858 }
2859 
2865 char *
2867  int include_ipv4,
2868  int include_ipv6)
2869 {
2870  if ((!router->exit_policy) || (router->policy_is_reject_star)) {
2871  return tor_strdup("reject *:*");
2872  }
2873 
2874  return policy_dump_to_string(router->exit_policy,
2875  include_ipv4,
2876  include_ipv6);
2877 }
2878 
2886 static int
2887 load_stats_file(const char *filename, const char *end_line, time_t now,
2888  char **out)
2889 {
2890  int r = -1;
2891  char *fname = get_datadir_fname(filename);
2892  char *contents, *start = NULL, *tmp, timestr[ISO_TIME_LEN+1];
2893  time_t written;
2894  switch (file_status(fname)) {
2895  case FN_FILE:
2896  /* X022 Find an alternative to reading the whole file to memory. */
2897  if ((contents = read_file_to_str(fname, 0, NULL))) {
2898  tmp = strstr(contents, end_line);
2899  /* Find last block starting with end_line */
2900  while (tmp) {
2901  start = tmp;
2902  tmp = strstr(tmp + 1, end_line);
2903  }
2904  if (!start)
2905  goto notfound;
2906  if (strlen(start) < strlen(end_line) + 1 + sizeof(timestr))
2907  goto notfound;
2908  strlcpy(timestr, start + 1 + strlen(end_line), sizeof(timestr));
2909  if (parse_iso_time(timestr, &written) < 0)
2910  goto notfound;
2911  if (written < now - (25*60*60) || written > now + (1*60*60))
2912  goto notfound;
2913  *out = tor_strdup(start);
2914  r = 1;
2915  }
2916  notfound:
2917  tor_free(contents);
2918  break;
2919  /* treat empty stats files as if the file doesn't exist */
2920  case FN_NOENT:
2921  case FN_EMPTY:
2922  r = 0;
2923  break;
2924  case FN_ERROR:
2925  case FN_DIR:
2926  default:
2927  break;
2928  }
2929  tor_free(fname);
2930  return r;
2931 }
2932 
2936 int
2937 extrainfo_dump_to_string(char **s_out, extrainfo_t *extrainfo,
2938  crypto_pk_t *ident_key,
2939  const ed25519_keypair_t *signing_keypair)
2940 {
2941  const or_options_t *options = get_options();
2942  char identity[HEX_DIGEST_LEN+1];
2943  char published[ISO_TIME_LEN+1];
2944  char digest[DIGEST_LEN];
2945  char *bandwidth_usage;
2946  int result;
2947  static int write_stats_to_extrainfo = 1;
2948  char sig[DIROBJ_MAX_SIG_LEN+1];
2949  char *s = NULL, *pre, *contents, *cp, *s_dup = NULL;
2950  time_t now = time(NULL);
2951  smartlist_t *chunks = smartlist_new();
2952  extrainfo_t *ei_tmp = NULL;
2953  const int emit_ed_sigs = signing_keypair &&
2954  extrainfo->cache_info.signing_key_cert;
2955  char *ed_cert_line = NULL;
2956 
2957  base16_encode(identity, sizeof(identity),
2958  extrainfo->cache_info.identity_digest, DIGEST_LEN);
2959  format_iso_time(published, extrainfo->cache_info.published_on);
2960  bandwidth_usage = rep_hist_get_bandwidth_lines();
2961  if (emit_ed_sigs) {
2962  if (!extrainfo->cache_info.signing_key_cert->signing_key_included ||
2963  !ed25519_pubkey_eq(&extrainfo->cache_info.signing_key_cert->signed_key,
2964  &signing_keypair->pubkey)) {
2965  log_warn(LD_BUG, "Tried to sign a extrainfo descriptor with a "
2966  "mismatched ed25519 key chain %d",
2967  extrainfo->cache_info.signing_key_cert->signing_key_included);
2968  goto err;
2969  }
2970  char ed_cert_base64[256];
2971  if (base64_encode(ed_cert_base64, sizeof(ed_cert_base64),
2972  (const char*)extrainfo->cache_info.signing_key_cert->encoded,
2973  extrainfo->cache_info.signing_key_cert->encoded_len,
2974  BASE64_ENCODE_MULTILINE) < 0) {
2975  log_err(LD_BUG,"Couldn't base64-encode signing key certificate!");
2976  goto err;
2977  }
2978  tor_asprintf(&ed_cert_line, "identity-ed25519\n"
2979  "-----BEGIN ED25519 CERT-----\n"
2980  "%s"
2981  "-----END ED25519 CERT-----\n", ed_cert_base64);
2982  } else {
2983  ed_cert_line = tor_strdup("");
2984  }
2985 
2986  tor_asprintf(&pre, "extra-info %s %s\n%spublished %s\n%s",
2987  extrainfo->nickname, identity,
2988  ed_cert_line,
2989  published, bandwidth_usage);
2990  smartlist_add(chunks, pre);
2991 
2992  if (geoip_is_loaded(AF_INET))
2993  smartlist_add_asprintf(chunks, "geoip-db-digest %s\n",
2994  geoip_db_digest(AF_INET));
2995  if (geoip_is_loaded(AF_INET6))
2996  smartlist_add_asprintf(chunks, "geoip6-db-digest %s\n",
2997  geoip_db_digest(AF_INET6));
2998 
2999  if (options->ExtraInfoStatistics && write_stats_to_extrainfo) {
3000  log_info(LD_GENERAL, "Adding stats to extra-info descriptor.");
3001  if (options->DirReqStatistics &&
3002  load_stats_file("stats"PATH_SEPARATOR"dirreq-stats",
3003  "dirreq-stats-end", now, &contents) > 0) {
3004  smartlist_add(chunks, contents);
3005  }
3006  if (options->HiddenServiceStatistics &&
3007  load_stats_file("stats"PATH_SEPARATOR"hidserv-stats",
3008  "hidserv-stats-end", now, &contents) > 0) {
3009  smartlist_add(chunks, contents);
3010  }
3011  if (options->EntryStatistics &&
3012  load_stats_file("stats"PATH_SEPARATOR"entry-stats",
3013  "entry-stats-end", now, &contents) > 0) {
3014  smartlist_add(chunks, contents);
3015  }
3016  if (options->CellStatistics &&
3017  load_stats_file("stats"PATH_SEPARATOR"buffer-stats",
3018  "cell-stats-end", now, &contents) > 0) {
3019  smartlist_add(chunks, contents);
3020  }
3021  if (options->ExitPortStatistics &&
3022  load_stats_file("stats"PATH_SEPARATOR"exit-stats",
3023  "exit-stats-end", now, &contents) > 0) {
3024  smartlist_add(chunks, contents);
3025  }
3026  if (options->ConnDirectionStatistics &&
3027  load_stats_file("stats"PATH_SEPARATOR"conn-stats",
3028  "conn-bi-direct", now, &contents) > 0) {
3029  smartlist_add(chunks, contents);
3030  }
3031  }
3032 
3033  if (options->PaddingStatistics) {
3034  contents = rep_hist_get_padding_count_lines();
3035  if (contents)
3036  smartlist_add(chunks, contents);
3037  }
3038 
3039  /* Add information about the pluggable transports we support. */
3040  if (options->ServerTransportPlugin) {
3041  char *pluggable_transports = pt_get_extra_info_descriptor_string();
3042  if (pluggable_transports)
3043  smartlist_add(chunks, pluggable_transports);
3044  }
3045 
3046  if (should_record_bridge_info(options) && write_stats_to_extrainfo) {
3047  const char *bridge_stats = geoip_get_bridge_stats_extrainfo(now);
3048  if (bridge_stats) {
3049  smartlist_add_strdup(chunks, bridge_stats);
3050  }
3051  }
3052 
3053  if (emit_ed_sigs) {
3054  char sha256_digest[DIGEST256_LEN];
3055  smartlist_add_strdup(chunks, "router-sig-ed25519 ");
3057  ED_DESC_SIGNATURE_PREFIX,
3058  chunks, "", DIGEST_SHA256);
3059  ed25519_signature_t ed_sig;
3060  char buf[ED25519_SIG_BASE64_LEN+1];
3061  if (ed25519_sign(&ed_sig, (const uint8_t*)sha256_digest, DIGEST256_LEN,
3062  signing_keypair) < 0)
3063  goto err;
3064  if (ed25519_signature_to_base64(buf, &ed_sig) < 0)
3065  goto err;
3066 
3067  smartlist_add_asprintf(chunks, "%s\n", buf);
3068  }
3069 
3070  smartlist_add_strdup(chunks, "router-signature\n");
3071  s = smartlist_join_strings(chunks, "", 0, NULL);
3072 
3073  while (strlen(s) > MAX_EXTRAINFO_UPLOAD_SIZE - DIROBJ_MAX_SIG_LEN) {
3074  /* So long as there are at least two chunks (one for the initial
3075  * extra-info line and one for the router-signature), we can keep removing
3076  * things. */
3077  if (smartlist_len(chunks) > 2) {
3078  /* We remove the next-to-last element (remember, len-1 is the last
3079  element), since we need to keep the router-signature element. */
3080  int idx = smartlist_len(chunks) - 2;
3081  char *e = smartlist_get(chunks, idx);
3082  smartlist_del_keeporder(chunks, idx);
3083  log_warn(LD_GENERAL, "We just generated an extra-info descriptor "
3084  "with statistics that exceeds the 50 KB "
3085  "upload limit. Removing last added "
3086  "statistics.");
3087  tor_free(e);
3088  tor_free(s);
3089  s = smartlist_join_strings(chunks, "", 0, NULL);
3090  } else {
3091  log_warn(LD_BUG, "We just generated an extra-info descriptors that "
3092  "exceeds the 50 KB upload limit.");
3093  goto err;
3094  }
3095  }
3096 
3097  memset(sig, 0, sizeof(sig));
3098  if (router_get_extrainfo_hash(s, strlen(s), digest) < 0 ||
3099  router_append_dirobj_signature(sig, sizeof(sig), digest, DIGEST_LEN,
3100  ident_key) < 0) {
3101  log_warn(LD_BUG, "Could not append signature to extra-info "
3102  "descriptor.");
3103  goto err;
3104  }
3105  smartlist_add_strdup(chunks, sig);
3106  tor_free(s);
3107  s = smartlist_join_strings(chunks, "", 0, NULL);
3108 
3109  cp = s_dup = tor_strdup(s);
3110  ei_tmp = extrainfo_parse_entry_from_string(cp, NULL, 1, NULL, NULL);
3111  if (!ei_tmp) {
3112  if (write_stats_to_extrainfo) {
3113  log_warn(LD_GENERAL, "We just generated an extra-info descriptor "
3114  "with statistics that we can't parse. Not "
3115  "adding statistics to this or any future "
3116  "extra-info descriptors.");
3117  write_stats_to_extrainfo = 0;
3118  result = extrainfo_dump_to_string(s_out, extrainfo, ident_key,
3119  signing_keypair);
3120  goto done;
3121  } else {
3122  log_warn(LD_BUG, "We just generated an extrainfo descriptor we "
3123  "can't parse.");
3124  goto err;
3125  }
3126  }
3127 
3128  *s_out = s;
3129  s = NULL; /* prevent free */
3130  result = 0;
3131  goto done;
3132 
3133  err:
3134  result = -1;
3135 
3136  done:
3137  tor_free(s);
3138  SMARTLIST_FOREACH(chunks, char *, chunk, tor_free(chunk));
3139  smartlist_free(chunks);
3140  tor_free(s_dup);
3141  tor_free(ed_cert_line);
3142  extrainfo_free(ei_tmp);
3143  tor_free(bandwidth_usage);
3144 
3145  return result;
3146 }
3147 
3150 void
3152 {
3153  if (warned_family) {
3154  SMARTLIST_FOREACH(warned_family, char *, cp, tor_free(cp));
3156  }
3157 }
3158 
3160 void
3162 {
3163  crypto_pk_free(onionkey);
3164  crypto_pk_free(lastonionkey);
3165  crypto_pk_free(server_identitykey);
3166  crypto_pk_free(client_identitykey);
3167 
3168  tor_mutex_free(key_lock);
3169  routerinfo_free(desc_routerinfo);
3170  extrainfo_free(desc_extrainfo);
3171  crypto_pk_free(authority_signing_key);
3172  authority_cert_free(authority_key_certificate);
3173  crypto_pk_free(legacy_signing_key);
3174  authority_cert_free(legacy_key_certificate);
3175 
3178 
3179  if (warned_family) {
3180  SMARTLIST_FOREACH(warned_family, char *, cp, tor_free(cp));
3181  smartlist_free(warned_family);
3182  }
3183 }
3184 
3185 /* From the given RSA key object, convert it to ASN-1 encoded format and set
3186  * the newly allocated object in onion_pkey_out. The length of the key is set
3187  * in onion_pkey_len_out. */
3188 void
3189 router_set_rsa_onion_pkey(const crypto_pk_t *pk, char **onion_pkey_out,
3190  size_t *onion_pkey_len_out)
3191 {
3192  int len;
3193  char buf[1024];
3194 
3195  tor_assert(pk);
3196  tor_assert(onion_pkey_out);
3197  tor_assert(onion_pkey_len_out);
3198 
3199  len = crypto_pk_asn1_encode(pk, buf, sizeof(buf));
3200  if (BUG(len < 0)) {
3201  goto done;
3202  }
3203 
3204  *onion_pkey_out = tor_memdup(buf, len);
3205  *onion_pkey_len_out = len;
3206 
3207  done:
3208  return;
3209 }
3210 
3211 /* From an ASN-1 encoded onion pkey, return a newly allocated RSA key object.
3212  * It is the caller responsability to free the returned object.
3213  *
3214  * Return NULL if the pkey is NULL, malformed or if the length is 0. */
3215 crypto_pk_t *
3216 router_get_rsa_onion_pkey(const char *pkey, size_t pkey_len)
3217 {
3218  if (!pkey || pkey_len == 0) {
3219  return NULL;
3220  }
3221  return crypto_pk_asn1_decode(pkey, pkey_len);
3222 }
extrainfo_t * extrainfo_parse_entry_from_string(const char *s, const char *end, int cache_copy, struct digest_ri_map_t *routermap, int *can_dl_again_out)
Definition: routerparse.c:958
struct curve25519_public_key_t * onion_curve25519_pkey
Definition: routerinfo_st.h:40
int V3AuthoritativeDir
Header file for dirserv.c.
#define CONN_TYPE_DIR_LISTENER
Definition: connection.h:33
Header for statefile.c.
void dir_server_add(dir_server_t *ent)
Definition: dirlist.c:366
int crypto_pk_eq_keys(const crypto_pk_t *a, const crypto_pk_t *b)
Definition: crypto_rsa.c:66
int digest256_to_base64(char *d64, const char *digest)
extrainfo_t * router_get_my_extrainfo(void)
Definition: router.c:1689
uint64_t AccountingMax
Header file for dirclient.c.
crypto_pk_t * get_server_identity_key(void)
Definition: router.c:378
const char * tor_addr_to_str(char *dest, const tor_addr_t *addr, size_t len, int decorate)
Definition: address.c:317
Header for uname.c.
Header for confline.c.
int router_rebuild_descriptor(int force)
Definition: router.c:2149
ed25519_public_key_t signed_key
Definition: torcert.h:25
static int router_should_be_dirserver(const or_options_t *options, int dir_port)
Definition: router.c:1206
int ExitPortStatistics
addr_policy_result_t compare_tor_addr_to_short_policy(const tor_addr_t *addr, uint16_t port, const short_policy_t *policy)
Definition: policies.c:2853
uint8_t * encoded
Definition: torcert.h:33
char * policy_summarize(smartlist_t *policy, sa_family_t family)
Definition: policies.c:2604
void tor_mutex_release(tor_mutex_t *m)
Header file for signing.c.
#define TOR_ADDR_BUF_LEN
Definition: address.h:205
Common functions for using (pseudo-)random number generators.
void crypto_digest_smartlist_prefix(char *digest_out, size_t len_out, const char *prepend, const smartlist_t *lst, const char *append, digest_algorithm_t alg)
Definition: node_st.h:28
int have_lockfile(void)
Definition: main.c:730
saved_location_t saved_location
unsigned int policy_is_reject_star
Definition: routerinfo_st.h:74
static extrainfo_t * desc_extrainfo
Definition: router.c:1479
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
uint16_t sa_family_t
Definition: inaddr_st.h:77
int router_is_me(const routerinfo_t *router)
Definition: router.c:1618
static const char * desc_gen_reason
Definition: router.c:1482
was_router_added_t
Definition: routerlist.h:17
char * router_get_dirobj_signature(const char *digest, size_t digest_len, const crypto_pk_t *private_key)
Definition: signing.c:22
uint16_t router_get_advertised_or_port(const or_options_t *options)
Definition: router.c:1427
Header file for geoip_stats.c.
char extra_info_digest[DIGEST_LEN]
uint16_t router_get_advertised_or_port_by_af(const or_options_t *options, sa_family_t family)
Definition: router.c:1435
void crypto_digest_smartlist(char *digest_out, size_t len_out, const smartlist_t *lst, const char *append, digest_algorithm_t alg)
tor_addr_t addr
Definition: port_cfg_st.h:15
tor_addr_t addr
Header file for nodefamily.c.
int server_identity_key_is_set(void)
Definition: router.c:389
Header file for connection.c.
static int get_onion_key_rotation_days_(void)
Definition: router.c:750
const tor_addr_t * get_first_advertised_addr_by_type_af(int listener_type, int address_family)
Definition: config.c:7702
void smartlist_add_strdup(struct smartlist_t *sl, const char *string)
int tor_mem_is_zero(const char *mem, size_t len)
Definition: util_string.c:74
#define DEFAULT_ONION_KEY_LIFETIME_DAYS
Definition: or.h:140
#define LD_GENERAL
Definition: log.h:58
int should_refuse_unknown_exits(const or_options_t *options)
Definition: router.c:1328
char nickname[MAX_NICKNAME_LEN+1]
Definition: extrainfo_st.h:18
tor_cert_t * tor_cert_dup(const tor_cert_t *cert)
Definition: torcert.c:294
int replace_file(const char *from, const char *to)
Definition: files.c:117
static int router_guess_address_from_dir_headers(uint32_t *guess)
Definition: router.c:2452
time_t LastRotatedOnionKey
Definition: or_state_st.h:89
uint64_t BandwidthRate
char * pt_get_extra_info_descriptor_string(void)
Definition: transports.c:1616
int authdir_mode(const or_options_t *options)
Definition: authmode.c:25
di_digest256_map_t * construct_ntor_key_map(void)
Definition: router.c:280
int ed25519_signature_to_base64(char *output, const ed25519_signature_t *sig)
int tor_tls_context_init(unsigned flags, crypto_pk_t *client_identity, crypto_pk_t *server_identity, unsigned int key_lifetime)
Definition: tortls.c:177
#define LOG_INFO
Definition: log.h:41
Header file for nodelist.c.
int curve25519_keypair_read_from_file(curve25519_keypair_t *keypair_out, char **tag_out, const char *fname)
static smartlist_t * warned_family
Definition: router.c:1820
void tor_log(int severity, log_domain_mask_t domain, const char *format,...)
Definition: log.c:631
char * rep_hist_get_bandwidth_lines(void)
Definition: rephist.c:1281
Header file for directory.c.
void smartlist_add(smartlist_t *sl, void *element)
static char server_identitykey_digest[DIGEST_LEN]
Definition: router.c:113
static int WRA_WAS_ADDED(was_router_added_t s)
Definition: routerlist.h:101
const char * signed_descriptor_get_body(const signed_descriptor_t *desc)
Definition: routerlist.c:794
int ed25519_public_to_base64(char *output, const ed25519_public_key_t *pkey)
void v3_authority_check_key_expiry(void)
Definition: router.c:701
int router_initialize_tls_context(void)
Definition: router.c:788
#define CONN_TYPE_OR_LISTENER
Definition: connection.h:21
int HiddenServiceStatistics
Header file for config.c.
Header file for authcert.c.
static routerinfo_t * desc_routerinfo
Definition: router.c:1477
Header file for nickname.c.
#define DIR_PURPOSE_UPLOAD_DIR
Definition: directory.h:43
int crypto_pk_write_public_key_to_string(crypto_pk_t *env, char **dest, size_t *len)
Definition: crypto_rsa.c:461
ed25519_public_key_t signing_key
Definition: torcert.h:28
#define MIN_ONION_KEY_LIFETIME_DAYS
Definition: or.h:134
#define MAX_UPTIME_BANDWIDTH_CHANGE
Definition: router.c:2264
void set_server_identity_key(crypto_pk_t *k)
Definition: router.c:334
static uint32_t tor_addr_to_ipv4h(const tor_addr_t *a)
Definition: address.h:152
char extra_info_digest256[DIGEST256_LEN]
STATIC time_t desc_clean_since
Definition: router.c:1485
char signed_descriptor_digest[DIGEST_LEN]
static tor_mutex_t * key_lock
Definition: router.c:97
MOCK_IMPL(authority_cert_t *, get_my_v3_authority_cert,(void))
Definition: router.c:423
int should_record_bridge_info(const or_options_t *options)
Definition: geoip_stats.c:112
nodefamily_t * nodefamily_from_members(const smartlist_t *members, const uint8_t *rsa_id_self, unsigned flags, smartlist_t *unrecognized_out)
Definition: nodefamily.c:159
time_t get_onion_key_set_at(void)
Definition: router.c:326
int dirserv_add_own_fingerprint(crypto_pk_t *pk)
unsigned int supports_tunnelled_dir_requests
Definition: routerinfo_st.h:83
void directory_post_to_dirservers(uint8_t dir_purpose, uint8_t router_purpose, dirinfo_type_t type, const char *payload, size_t payload_len, size_t extrainfo_len)
Definition: dirclient.c:228
uint32_t get_last_resolved_addr(void)
Definition: config.c:2664
#define tor_free(p)
Definition: malloc.h:52
int is_legal_nickname_or_hexdigest(const char *s)
Definition: nickname.c:31
int crypto_digest256(char *digest, const char *m, size_t len, digest_algorithm_t algorithm)
uint32_t bandwidthburst
Definition: routerinfo_st.h:53
#define FAST_RETRY_DESCRIPTOR_INTERVAL
Definition: router.c:2198
static void assert_identity_keys_ok(void)
Definition: router.c:358
struct config_line_t * MyFamily
#define LOG_NOTICE
Definition: log.h:46
crypto_pk_t * get_tlsclient_identity_key(void)
Definition: router.c:407
struct tor_cert_st * signing_key_cert
int crypto_rand_int(unsigned int max)
Definition: crypto_rand.c:548
static int desc_needs_upload
Definition: router.c:1489
Header file for mainloop.c.
dirinfo_type_t
Definition: or.h:887
void dimap_add_entry(di_digest256_map_t **map, const uint8_t *key, void *val)
Definition: di_ops.c:173
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:57
const uint8_t * router_get_my_id_digest(void)
Definition: router.c:1597
smartlist_t * declared_family
Definition: routerinfo_st.h:62
static crypto_pk_t * client_identitykey
Definition: router.c:117
dir_server_t * router_get_trusteddirserver_by_digest(const char *digest)
Definition: dirlist.c:112
Header file for geoip.c.
signed_descriptor_t cache_info
Header file for main.c.
char * router_dump_router_to_string(routerinfo_t *router, const crypto_pk_t *ident_key, const crypto_pk_t *tap_key, const curve25519_keypair_t *ntor_keypair, const ed25519_keypair_t *signing_keypair)
Definition: router.c:2483
unsigned signing_key_included
Definition: torcert.h:40
int trusted_dirs_load_certs_from_string(const char *contents, int source, int flush, const char *source_dir)
Definition: authcert.c:373
void smartlist_del_keeporder(smartlist_t *sl, int idx)
short_policy_t * parse_short_policy(const char *summary)
Definition: policies.c:2716
int base64_encode(char *dest, size_t destlen, const char *src, size_t srclen, int flags)
Definition: binascii.c:215
Header file for directory authority mode.
int curve25519_keypair_write_to_file(const curve25519_keypair_t *keypair, const char *fname, const char *tag)
void check_descriptor_ipaddress_changed(time_t now)
Definition: router.c:2341
size_t encoded_len
Definition: torcert.h:35
Header file for loadkey.c.
char * ContactInfo
int try_locking(const or_options_t *options, int err_if_locked)
Definition: main.c:694
const char * routerinfo_err_to_string(int err)
Definition: router.c:140
STATIC void get_platform_str(char *platform, size_t len)
Definition: router.c:2466
#define DIGEST256_LEN
Definition: digest_sizes.h:23
#define FORCE_REGENERATE_DESCRIPTOR_INTERVAL
Definition: router.c:2194
void policies_exit_policy_append_reject_star(smartlist_t **dest)
Definition: policies.c:2197
Header file for hibernate.c.
Header file for policies.c.
int get_first_advertised_port_by_type_af(int listener_type, int address_family)
Definition: config.c:7680
void set_client_identity_key(crypto_pk_t *k)
Definition: router.c:397
int is_legal_hexdigest(const char *s)
Definition: nickname.c:45
int directory_permits_begindir_requests(const or_options_t *options)
Definition: dirserv.c:159
int ed25519_pubkey_eq(const ed25519_public_key_t *key1, const ed25519_public_key_t *key2)
uint32_t bandwidthrate
Definition: routerinfo_st.h:51
int dirserv_load_fingerprint_file(void)
void router_reset_warnings(void)
Definition: router.c:3151
int client_identity_key_is_set(void)
Definition: router.c:416
Common functions for cryptographic routines.
crypto_pk_t * crypto_pk_asn1_decode(const char *str, size_t len)
static int load_authority_keyset(int legacy, crypto_pk_t **key_out, authority_cert_t **cert_out)
Definition: router.c:627
tor_assert(buffer)
#define MAX_BANDWIDTH_CHANGE_FREQ
Definition: router.c:2260
int init_keys(void)
Definition: router.c:923
static time_t onionkey_set_at
Definition: router.c:98
int router_extrainfo_digest_is_me(const char *digest)
Definition: router.c:1605
static int decide_if_publishable_server(void)
Definition: router.c:1351
#define tor_addr_from_ipv4h(dest, v4addr)
Definition: address.h:287
static tor_addr_t last_guessed_ip
Definition: router.c:2383
Header for crypto_format.c.
static const curve25519_keypair_t * get_current_curve25519_keypair(void)
Definition: router.c:273
crypto_pk_t * get_my_v3_legacy_signing_key(void)
Definition: router.c:449
Header file for routermode.c.
was_router_added_t dirserv_add_descriptor(routerinfo_t *ri, const char **msg, const char *source)
int tor_memeq(const void *a, const void *b, size_t sz)
Definition: di_ops.c:107
void router_new_address_suggestion(const char *suggestion, const dir_connection_t *d_conn)
Definition: router.c:2390
int tor_asprintf(char **strp, const char *fmt,...)
Definition: printf.c:75
static crypto_pk_t * lastonionkey
Definition: router.c:103
unsigned int is_staledesc
int has_dns_init_failed(void)
Definition: dns.c:266
#define CFG_AUTO_PORT
Definition: or.h:990
int router_build_fresh_descriptor(routerinfo_t **r, extrainfo_t **e)
Definition: router.c:1952
int router_should_advertise_dirport(const or_options_t *options, uint16_t dir_port)
Definition: router.c:1306
smartlist_t * exit_policy
Definition: routerinfo_st.h:56
uint32_t get_effective_bwrate(const or_options_t *options)
Definition: config.c:1721
#define DIGEST_LEN
Definition: digest_sizes.h:20
void dup_onion_keys(crypto_pk_t **key, crypto_pk_t **last)
Definition: router.c:209
int load_ed_keys(const or_options_t *options, time_t now)
Definition: routerkeys.c:55
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
Definition: smartlist.c:36
#define MAX_ONION_KEY_LIFETIME_DAYS
Definition: or.h:137
char identity[DIGEST_LEN]
Definition: node_st.h:40
void mark_my_descriptor_dirty_if_too_old(time_t now)
Definition: router.c:2203
dir_server_t * trusted_dir_server_new(const char *nickname, const char *address, uint16_t dir_port, uint16_t or_port, const tor_addr_port_t *ipv6_addrport, const char *digest, const char *v3_auth_digest, dirinfo_type_t type, double weight)
Definition: dirlist.c:308
routerinfo_t * router_parse_entry_from_string(const char *s, const char *end, int cache_copy, int allow_annotations, const char *prepend_annotations, int *can_dl_again_out)
Definition: routerparse.c:390
Master header file for Tor-specific functionality.
static int init_v3_authority_keys(void)
Definition: router.c:684
char * Nickname
Definition: or_options_st.h:68
int RefuseUnknownExits
const char * router_get_descriptor_gen_reason(void)
Definition: router.c:1701
size_t onion_pkey_len
Definition: routerinfo_st.h:36
int tor_addr_parse(tor_addr_t *addr, const char *src)
Definition: address.c:1185
static int decide_to_advertise_dir_impl(const or_options_t *options, uint16_t dir_port, int supports_tunnelled_dir_requests)
Definition: router.c:1275
void router_free_all(void)
Definition: router.c:3161
uint16_t router_get_advertised_dir_port(const or_options_t *options, uint16_t dirport)
Definition: router.c:1457
int routerinfo_err_is_transient(int err)
Definition: router.c:167
Header file for rephist.c.
uint8_t * make_tap_onion_key_crosscert(const crypto_pk_t *onion_key, const ed25519_public_key_t *master_id_key, const crypto_pk_t *rsa_id_key, int *len_out)
Definition: routerkeys.c:699
const char * fmt_addr32(uint32_t addr)
Definition: address.c:1169
static void set_onion_key(crypto_pk_t *k)
Definition: router.c:181
crypto_pk_t * signing_key
Header for crypto_ed25519.c.
#define LOG_WARN
Definition: log.h:49
int tor_addr_is_null(const tor_addr_t *addr)
Definition: address.c:758
enum or_options_t::@29 command
static int load_stats_file(const char *filename, const char *end_line, time_t now, char **out)
Definition: router.c:2887
int ConnDirectionStatistics
char * policy_dump_to_string(const smartlist_t *policy_list, int include_ipv4, int include_ipv6)
Definition: policies.c:2956
#define DEFAULT_ONION_KEY_GRACE_PERIOD_DAYS
Definition: or.h:148
void base16_encode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:476
Header file for authcert_parse.c.
int crypto_pk_get_hashed_fingerprint(crypto_pk_t *pk, char *fp_out)
Definition: crypto_rsa.c:249
static authority_cert_t * legacy_key_certificate
Definition: router.c:129
static void log_addr_has_changed(int severity, const tor_addr_t *prev, const tor_addr_t *cur, const char *source)
Definition: router.c:2310
authority_cert_t * authority_cert_parse_from_string(const char *s, size_t maxlen, const char **end_of_string)
void mark_my_descriptor_dirty(const char *reason)
Definition: router.c:2244
STATIC int router_write_fingerprint(int hashed)
Definition: router.c:826
int policy_is_reject_star(const smartlist_t *policy, sa_family_t family, int default_reject)
Definition: policies.c:2275
#define RFTS_IGNORE_MISSING
Definition: files.h:97
crypto_pk_t * crypto_pk_dup_key(crypto_pk_t *orig)
int BridgeAuthoritativeDir
Header file for process_descs.c.
static int router_should_advertise_begindir(const or_options_t *options, int supports_tunnelled_dir_requests)
Definition: router.c:1316
Headers for transports.c.
char * onion_pkey
Definition: routerinfo_st.h:34
void set_server_advertised(int s)
Definition: routermode.c:77
int router_get_router_hash(const char *s, size_t s_len, char *digest)
Definition: routerparse.c:176
#define LD_OR
Definition: log.h:88
int get_onion_key_grace_period(void)
Definition: router.c:774
int tor_digest_is_zero(const char *digest)
Definition: util_string.c:96
int dns_seems_to_be_broken(void)
Definition: dns.c:2066
#define MIN_ONION_KEY_GRACE_PERIOD_DAYS
Definition: or.h:145
int resolve_my_address(int warn_severity, const or_options_t *options, uint32_t *addr_out, const char **method_out, char **hostname_out)
Definition: config.c:2733
dirinfo_type_t type
Definition: dir_server_st.h:41
Headers and type declarations for protover.c.
int control_event_my_descriptor_changed(void)
Definition: control.c:6735
#define LOG_ERR
Definition: log.h:52
static crypto_pk_t * server_identitykey
Definition: router.c:111
#define LD_FS
Definition: log.h:66
#define HEX_DIGEST_LEN
Definition: crypto_digest.h:35
struct short_policy_t * ipv6_exit_policy
Definition: routerinfo_st.h:60
#define LD_DIR
Definition: log.h:84
int generate_ed_link_cert(const or_options_t *options, time_t now, int force)
Definition: routerkeys.c:365
const char * geoip_db_digest(sa_family_t family)
Definition: geoip.c:467
tor_cert_t * make_ntor_onion_key_crosscert(const curve25519_keypair_t *onion_key, const ed25519_public_key_t *master_id_key, time_t now, time_t lifetime, int *sign_out)
Definition: routerkeys.c:676
crypto_pk_t * get_onion_key(void)
Definition: router.c:198
char * nodefamily_format(const nodefamily_t *family)
Definition: nodefamily.c:374
static void log_new_relay_greeting(void)
Definition: router.c:533
int crypto_rand_int_range(unsigned int min, unsigned int max)
Definition: crypto_rand.c:575
void router_upload_dir_desc_to_dirservers(int force)
Definition: router.c:1496
int smartlist_contains_string(const smartlist_t *sl, const char *element)
Definition: smartlist.c:93
char identity_digest[DIGEST_LEN]
int control_event_server_status(int severity, const char *format,...)
Definition: control.c:6847
int crypto_pk_get_fingerprint(crypto_pk_t *pk, char *fp_out, int add_space)
Definition: crypto_rsa.c:224
int create_keys_directory(const or_options_t *options)
Definition: config.c:1364
void expire_old_onion_keys(void)
Definition: router.c:233
int tor_snprintf(char *str, size_t size, const char *format,...)
Definition: printf.c:27
void format_iso_time(char *buf, time_t t)
Definition: time_fmt.c:291
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
Definition: smartlist.c:279
int router_compare_to_my_exit_policy(const tor_addr_t *addr, uint16_t port)
Definition: router.c:1542
int crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
Definition: crypto_rsa.c:351
const char * geoip_get_bridge_stats_extrainfo(time_t)
Definition: geoip_stats.c:1300
void rotate_onion_key(void)
Definition: router.c:462
char * rep_hist_get_padding_count_lines(void)
Definition: rephist.c:2829
void ntor_key_map_free_(di_digest256_map_t *map)
Definition: router.c:314
#define SMARTLIST_FOREACH(sl, type, var, cmd)
static curve25519_keypair_t last_curve25519_onion_key
Definition: router.c:108
char * protocol_list
Definition: routerinfo_st.h:47
#define MAX_EXTRAINFO_UPLOAD_SIZE
Definition: or.h:131
Header file for router.c.
const char * escaped(const char *s)
Definition: escape.c:126
#define FINGERPRINT_LEN
Definition: crypto_rsa.h:34
void consider_publishable_server(int force)
Definition: router.c:1384
char * nickname
Definition: routerinfo_st.h:17
#define MIN_BW_TO_ADVERTISE_DIRSERVER
Definition: router.c:1180
uint16_t dir_port
Definition: routerinfo_st.h:21
int curve25519_keypair_generate(curve25519_keypair_t *keypair_out, int extra_strong)
#define log_fn(severity, domain, args,...)
Definition: log.h:255
crypto_pk_t * get_my_v3_authority_signing_key(void)
Definition: router.c:432
int router_has_bandwidth_to_be_dirserver(const or_options_t *options)
Definition: router.c:1186
int router_digest_is_me(const char *digest)
Definition: router.c:1589
const char * router_get_my_descriptor(void)
Definition: router.c:1672
crypto_pk_t * init_key_from_file(const char *fname, int generate, int severity, bool *created_out)
Definition: loadkey.c:40
authority_cert_t * get_my_v3_legacy_cert(void)
Definition: router.c:441
Headers for tortls.c.
dirinfo_type_t PublishServerDescriptor_
Header file for control.c.
#define tor_addr_eq(a, b)
Definition: address.h:244
void tor_mutex_acquire(tor_mutex_t *m)
Definition: or.h:890
char v3_identity_digest[DIGEST_LEN]
Definition: dir_server_st.h:29
tor_mutex_t * tor_mutex_new(void)
Definition: compat_mutex.c:17
static int init_curve25519_keypair_from_file(curve25519_keypair_t *keys_out, const char *fname, int generate, int severity, const char *tag)
Definition: router.c:555
int ed25519_sign(ed25519_signature_t *signature_out, const uint8_t *msg, size_t len, const ed25519_keypair_t *keypair)
static int WRA_WAS_OUTDATED(was_router_added_t s)
Definition: routerlist.h:111
uint32_t bandwidthcapacity
Definition: routerinfo_st.h:55
void or_state_mark_dirty(or_state_t *state, time_t when)
Definition: statefile.c:715
#define BASE64_DIGEST256_LEN
Definition: crypto_digest.h:29
char * write_short_policy(const short_policy_t *policy)
Definition: policies.c:2817
char * router_dump_exit_policy_to_string(const routerinfo_t *router, int include_ipv4, int include_ipv6)
Definition: router.c:2866
Header file for dirlist.c.
int get_onion_key_lifetime(void)
Definition: router.c:764
uint32_t addr
Definition: routerinfo_st.h:19
crypto_pk_t * crypto_pk_copy_full(crypto_pk_t *orig)
struct config_line_t * ServerTransportPlugin
int base16_decode(char *dest, size_t destlen, const char *src, size_t srclen)
Definition: binascii.c:504
int router_append_dirobj_signature(char *buf, size_t buf_len, const char *digest, size_t digest_len, crypto_pk_t *private_key)
Definition: signing.c:79
int extrainfo_dump_to_string(char **s_out, extrainfo_t *extrainfo, crypto_pk_t *ident_key, const ed25519_keypair_t *signing_keypair)
Definition: router.c:2937
Header file for selftest.c.
char * platform
Definition: routerinfo_st.h:45
static curve25519_keypair_t curve25519_onion_key
Definition: router.c:105
int accounting_get_interval_length(void)
Definition: hibernate.c:315
uint8_t purpose
#define BANDWIDTH_CHANGE_FACTOR
Definition: router.c:2267
STATIC smartlist_t * get_my_declared_family(const or_options_t *options)
Definition: router.c:1828
int tor_digest256_is_zero(const char *digest)
Definition: util_string.c:106
void ip_address_changed(int at_interface)
Definition: mainloop.c:2762
int parse_iso_time(const char *cp, time_t *t)
Definition: time_fmt.c:388
uint8_t digest256[DIGEST256_LEN]
Definition: extrainfo_st.h:16
tor_addr_t ipv6_addr
Definition: routerinfo_st.h:27
char * BridgeDistribution
int crypto_pk_asn1_encode(const crypto_pk_t *pk, char *dest, size_t dest_len)
void tor_addr_copy(tor_addr_t *dest, const tor_addr_t *src)
Definition: address.c:892
uint64_t RelayBandwidthRate
int ExtraInfoStatistics
int crypto_pk_write_private_key_to_filename(crypto_pk_t *env, const char *fname)
Definition: crypto_rsa.c:573
static crypto_pk_t * authority_signing_key
Definition: router.c:119
uint16_t router_get_active_listener_port_by_type_af(int listener_type, sa_family_t family)
Definition: router.c:1406
static authority_cert_t * authority_key_certificate
Definition: router.c:122
int routerinfo_incompatible_with_extrainfo(const crypto_pk_t *identity_pkey, extrainfo_t *ei, signed_descriptor_t *sd, const char **msg)
Definition: routerlist.c:2950
void smartlist_clear(smartlist_t *sl)
void check_descriptor_bandwidth_changed(time_t now)
Definition: router.c:2273
static crypto_pk_t * legacy_signing_key
Definition: router.c:126
int router_get_extrainfo_hash(const char *s, size_t s_len, char *digest)
Definition: routerparse.c:186
uint32_t get_effective_bwburst(const or_options_t *options)
Definition: config.c:1735
int check_whether_orport_reachable(const or_options_t *options)
Definition: selftest.c:74
static crypto_pk_t * onionkey
Definition: router.c:100
crypto_pk_t * identity_pkey
Definition: routerinfo_st.h:38
file_status_t file_status(const char *filename)
Definition: files.c:212
Header file for networkstatus.c.
int crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
Definition: crypto_init.c:81
#define LD_BUG
Definition: log.h:82
Header file for dns.c.
Headers for crypto_init.c.
#define LD_CONFIG
Definition: log.h:64
#define CURVE25519_PUBKEY_LEN
Definition: x25519_sizes.h:20
Header file for routerlist.c.
Header file for routerparse.c.
static void ntor_key_map_free_helper(void *arg)
Definition: router.c:306
uint16_t or_port
Definition: routerinfo_st.h:20
const char * protover_get_supported_protocols(void)
C_RUST_COUPLED: src/rust/protover/protover.rs SUPPORTED_PROTOCOLS
Definition: protover.c:387
int policies_parse_exit_policy_from_options(const or_options_t *or_options, uint32_t local_address, const tor_addr_t *ipv6_local_address, smartlist_t **result)
Definition: policies.c:2134
static sa_family_t tor_addr_family(const tor_addr_t *a)
Definition: address.h:179
int check_whether_dirport_reachable(const or_options_t *options)
Definition: selftest.c:91
STATIC const char * desc_dirty_reason
Definition: router.c:1487
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
char * tor_dup_ip(uint32_t addr)
Definition: address.c:1879