tor-commits November 2011

tor-commits@lists.torproject.org

16 participants
987 discussions

[tor/master] Normal relays should generate dynamic DH moduli as well.
by nickm＠torproject.org 29 Nov '11

29 Nov '11

commit fa013e1bc520e116fa63729041e00546d6787dd8 Author: George Kadianakis <desnacked(a)gmail.com> Date: Sat Nov 26 05:57:17 2011 +0100 Normal relays should generate dynamic DH moduli as well. --- src/or/config.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/or/config.c b/src/or/config.c index f8c4ab3..9c65861 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -1381,7 +1381,7 @@ options_act(const or_options_t *old_options) } /* If needed, generate a new TLS DH prime according to the current torrc. */ - if (server_mode(options) && options->BridgeRelay) { + if (server_mode(options)) { if (!old_options) { if (options->DynamicDHGroups) { char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus");

1 0

[tor/master] Simply initialize TLS context if DynamicDHGroups change.
by nickm＠torproject.org 29 Nov '11

29 Nov '11

commit e3cee8bc2e8df6b39a4122829649e3f9ab920aa6 Author: George Kadianakis <desnacked(a)gmail.com> Date: Thu Nov 24 06:40:02 2011 +0100 Simply initialize TLS context if DynamicDHGroups change. We used to do init_keys() if DynamicDHGroups changed after a HUP, so that the dynamic DH modulus was stored on the disk. Since we are now doing dynamic DH modulus storing in crypto.c, we can simply initialize the TLS context and be good with it. Introduce a new function router_initialize_tls_context() which initializes the TLS context and use it appropriately. --- src/or/config.c | 26 +++++++++++++++++++++++++- src/or/main.c | 5 +---- src/or/router.c | 21 +++++++++++++-------- src/or/router.h | 1 + 4 files changed, 40 insertions(+), 13 deletions(-) diff --git a/src/or/config.c b/src/or/config.c index a846ca9..f8c4ab3 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -1267,6 +1267,24 @@ get_effective_bwburst(const or_options_t *options) return (uint32_t)bw; } +/** Return True if any changes from old_options to + * new_options needs us to refresh our TLS context. */ +static int +options_transition_requires_fresh_tls_context(const or_options_t *old_options, + const or_options_t *new_options) +{ + tor_assert(new_options); + + if (!old_options) + return 0; + + if ((old_options->DynamicDHGroups != new_options->DynamicDHGroups)) { + return 1; + } + + return 0; +} + /** Fetch the active option list, and take actions based on it. All of the * things we do should survive being done repeatedly. If present, * old_options contains the previous value of the options. @@ -1394,6 +1412,13 @@ options_act(const or_options_t *old_options) log_warn(LD_BUG,"Error initializing keys; exiting"); return -1; } + } else if (old_options && + options_transition_requires_fresh_tls_context(old_options, + options)) { + if (router_initialize_tls_context() < 0) { + log_warn(LD_BUG,"Error initializing TLS context."); + return -1; + } } /* Write our PID to the PID file. If we do not have write permissions we @@ -4075,7 +4100,6 @@ options_transition_affects_workers(const or_options_t *old_options, { if (!opt_streq(old_options->DataDirectory, new_options->DataDirectory) || old_options->NumCPUs != new_options->NumCPUs || - old_options->DynamicDHGroups != new_options->DynamicDHGroups || old_options->ORPort != new_options->ORPort || old_options->ServerDNSSearchDomains != new_options->ServerDNSSearchDomains || diff --git a/src/or/main.c b/src/or/main.c index 7008d38..95f9958 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -1161,10 +1161,7 @@ run_scheduled_events(time_t now) last_rotated_x509_certificate = now; if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME_INTERNAL < now) { log_info(LD_GENERAL,"Rotating tls context."); - if (tor_tls_context_init(public_server_mode(options), - get_tlsclient_identity_key(), - is_server ? get_server_identity_key() : NULL, - MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) { + if (router_initialize_tls_context() < 0) { log_warn(LD_BUG, "Error reinitializing TLS context"); /* XXX is it a bug here, that we just keep going? -RD */ } diff --git a/src/or/router.c b/src/or/router.c index fdc83f5..67e98da 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -484,6 +484,17 @@ v3_authority_check_key_expiry(void) last_warned = now; } + +int +router_initialize_tls_context(void) +{ + return tor_tls_context_init(public_server_mode(get_options()), + get_tlsclient_identity_key(), + server_mode(get_options()) ? + get_server_identity_key() : NULL, + MAX_SSL_KEY_LIFETIME_ADVERTISED); +} + /** Initialize all OR private keys, and the TLS context, as necessary. * On OPs, this only initializes the tls context. Return 0 on success, * or -1 if Tor should die. @@ -530,10 +541,7 @@ init_keys(void) } set_client_identity_key(prkey); /* Create a TLS context. */ - if (tor_tls_context_init(0, - get_tlsclient_identity_key(), - NULL, - MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) { + if (router_initialize_tls_context() < 0) { log_err(LD_GENERAL,"Error creating TLS context for Tor client."); return -1; } @@ -626,10 +634,7 @@ init_keys(void) tor_free(keydir); /* 3. Initialize link key and TLS context. */ - if (tor_tls_context_init(public_server_mode(options), - get_tlsclient_identity_key(), - get_server_identity_key(), - MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) { + if (router_initialize_tls_context() < 0) { log_err(LD_GENERAL,"Error initializing TLS context"); return -1; } diff --git a/src/or/router.h b/src/or/router.h index f9d156c..68eadbf 100644 --- a/src/or/router.h +++ b/src/or/router.h @@ -30,6 +30,7 @@ crypto_pk_env_t *init_key_from_file(const char *fname, int generate, int severity); void v3_authority_check_key_expiry(void); +int router_initialize_tls_context(void); int init_keys(void); int check_whether_orport_reachable(void);

1 0

[tor/master] Merge remote-tracking branch 'asn-mytor/bug4548_take2'
by nickm＠torproject.org 29 Nov '11

29 Nov '11

commit da6c136817983e30349e9733891239b05aa66f09 Merge: 83f66db 055d6c0 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Nov 29 18:30:41 2011 -0500 Merge remote-tracking branch 'asn-mytor/bug4548_take2' changes/bug4548 | 6 + doc/tor.1.txt | 6 + src/common/crypto.c | 303 +++++++++++++++++++++++++++++++++++++++++++++++---- src/common/crypto.h | 2 + src/common/util.c | 42 +++++--- src/common/util.h | 3 + src/or/config.c | 49 ++++++++ src/or/main.c | 5 +- src/or/or.h | 2 + src/or/router.c | 21 ++-- src/or/router.h | 1 + 11 files changed, 391 insertions(+), 49 deletions(-) diff --cc src/or/config.c index f0686da,06914b6..ab991a4 --- a/src/or/config.c +++ b/src/or/config.c @@@ -247,8 -246,8 +247,9 @@@ static config_var_t _option_vars[] = V(DirReqStatistics, BOOL, "1"), VAR("DirServer", LINELIST, DirServers, NULL), V(DisableAllSwap, BOOL, "0"), + V(DisableDebuggerAttachment, BOOL, "1"), V(DisableIOCP, BOOL, "1"), + V(DynamicDHGroups, BOOL, "1"), V(DNSPort, LINELIST, NULL), V(DNSListenAddress, LINELIST, NULL), V(DownloadExtraInfo, BOOL, "0"),

1 0

[tor/master] Introduce write_bytes_to_new_file().
by nickm＠torproject.org 29 Nov '11

29 Nov '11

commit f28014bf1aa4274a35404ccc37b559b5531f1835 Author: George Kadianakis <desnacked(a)gmail.com> Date: Sat Nov 26 18:56:49 2011 +0100 Introduce write_bytes_to_new_file(). Introduce write_bytes_to_new_file(), a function which writes bytes to a file only if that file did not exist. --- src/common/util.c | 42 ++++++++++++++++++++++++++++-------------- src/common/util.h | 3 +++ 2 files changed, 31 insertions(+), 14 deletions(-) diff --git a/src/common/util.c b/src/common/util.c index c44a4aa..c19e4d2 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -2137,13 +2137,12 @@ write_chunks_to_file(const char *fname, const smartlist_t *chunks, int bin) return write_chunks_to_file_impl(fname, chunks, flags); } -/** As write_str_to_file, but does not assume a NUL-terminated - * string. Instead, we write len bytes, starting at str. */ -int -write_bytes_to_file(const char *fname, const char *str, size_t len, - int bin) +/** Write len bytes, starting at str, to fname + using the open() flags passed in flags. */ +static int +write_bytes_to_file_impl(const char *fname, const char *str, size_t len, + int flags) { - int flags = OPEN_FLAGS_REPLACE|(bin?O_BINARY:O_TEXT); int r; sized_chunk_t c = { str, len }; smartlist_t *chunks = smartlist_create(); @@ -2153,20 +2152,35 @@ write_bytes_to_file(const char *fname, const char *str, size_t len, return r; } +/** As write_str_to_file, but does not assume a NUL-terminated + * string. Instead, we write len bytes, starting at str. */ +int +write_bytes_to_file(const char *fname, const char *str, size_t len, + int bin) +{ + return write_bytes_to_file_impl(fname, str, len, + OPEN_FLAGS_REPLACE|(bin?O_BINARY:O_TEXT)); +} + /** As write_bytes_to_file, but if the file already exists, append the bytes * to the end of the file instead of overwriting it. */ int append_bytes_to_file(const char *fname, const char *str, size_t len, int bin) { - int flags = OPEN_FLAGS_APPEND|(bin?O_BINARY:O_TEXT); - int r; - sized_chunk_t c = { str, len }; - smartlist_t *chunks = smartlist_create(); - smartlist_add(chunks, &c); - r = write_chunks_to_file_impl(fname, chunks, flags); - smartlist_free(chunks); - return r; + return write_bytes_to_file_impl(fname, str, len, + OPEN_FLAGS_APPEND|(bin?O_BINARY:O_TEXT)); +} + +/** Like write_str_to_file(), but also return -1 if there was a file + already residing in fname. */ +int +write_bytes_to_new_file(const char *fname, const char *str, size_t len, + int bin) +{ + return write_bytes_to_file_impl(fname, str, len, + OPEN_FLAGS_DONT_REPLACE| + (bin?O_BINARY:O_TEXT)); } /** Read the contents of filename into a newly allocated diff --git a/src/common/util.h b/src/common/util.h index 77ed1ca..79b641a 100644 --- a/src/common/util.h +++ b/src/common/util.h @@ -315,6 +315,7 @@ int check_private_dir(const char *dirname, cpd_check_t check, const char *effective_user); #define OPEN_FLAGS_REPLACE (O_WRONLY|O_CREAT|O_TRUNC) #define OPEN_FLAGS_APPEND (O_WRONLY|O_CREAT|O_APPEND) +#define OPEN_FLAGS_DONT_REPLACE (O_CREAT|O_EXCL|O_APPEND|O_WRONLY) typedef struct open_file_t open_file_t; int start_writing_to_file(const char *fname, int open_flags, int mode, open_file_t **data_out); @@ -336,6 +337,8 @@ int write_chunks_to_file(const char *fname, const struct smartlist_t *chunks, int bin); int append_bytes_to_file(const char *fname, const char *str, size_t len, int bin); +int write_bytes_to_new_file(const char *fname, const char *str, size_t len, + int bin); /** Flag for read_file_to_str: open the file in binary mode. */ #define RFTS_BIN 1

1 0

[tor/master] Write dynamic DH parameters to a file.
by nickm＠torproject.org 29 Nov '11

29 Nov '11

commit 055d6c01fff3324dbb38c2d81ad49ccfdb5432c2 Author: George Kadianakis <desnacked(a)gmail.com> Date: Sat Nov 26 19:29:57 2011 +0100 Write dynamic DH parameters to a file. Instead of only writing the dynamic DH prime modulus to a file, write the whole DH parameters set for forward compatibility. At the moment we only accept '2' as the group generator. The DH parameters gets stored in base64-ed DER format to the 'dynamic_dh_params' file. --- src/common/crypto.c | 136 ++++++++++++++++++++++++++++++++------------------- src/or/config.c | 4 +- src/or/router.c | 1 - 3 files changed, 87 insertions(+), 54 deletions(-) diff --git a/src/common/crypto.c b/src/common/crypto.c index 8cf6231..a38956d 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -1852,44 +1852,66 @@ crypto_generate_dynamic_dh_modulus(void) return dynamic_dh_modulus; } -/** Store our dynamic DH modulus to fname for future use. */ +/** Store our dynamic DH modulus (and its group parameters) to + fname for future use. */ static int crypto_store_dynamic_dh_modulus(const char *fname) { - FILE *fp = NULL; + int len, new_len; + DH *dh = NULL; + unsigned char *dh_string_repr = NULL, *cp = NULL; + char *base64_encoded_dh = NULL; int retval = -1; - file_status_t fname_status; tor_assert(fname); - fname_status = file_status(fname); + if (!dh_param_p_tls) { + log_info(LD_CRYPTO, "Tried to store a DH modulus that does not exist."); + goto done; + } - if (fname_status == FN_FILE) { - /* If the fname is a file, then the dynamic DH modulus is already stored.*/ - retval = 0; + if (!(dh = DH_new())) + goto done; + if (!(dh->p = BN_dup(dh_param_p_tls))) + goto done; + if (!(dh->g = BN_new())) goto done; - } else if (fname_status != FN_NOENT) { - log_info(LD_GENERAL, "Dynamic DH modulus filename is occupied."); + if (!BN_set_word(dh->g, DH_GENERATOR)) + goto done; + + len = i2d_DHparams(dh, NULL); + if (len < 0) { + log_warn(LD_CRYPTO, "Error occured while DER encoding DH modulus (1)."); goto done; } - tor_assert(fname_status == FN_NOENT); + cp = dh_string_repr = tor_malloc_zero(len+1); + len = i2d_DHparams(dh, &cp); + if ((len < 0) || ((cp - dh_string_repr) != len)) { + log_warn(LD_CRYPTO, "Error occured while DER encoding DH modulus (2)."); + goto done; + } - if (!(fp = fopen(fname, "w"))) { - log_notice(LD_GENERAL, "Error while creating dynamic DH modulus file."); + base64_encoded_dh = tor_malloc_zero(len * 2); /* should be enough */ + new_len = base64_encode(base64_encoded_dh, len * 2, + (char *)dh_string_repr, len); + if (new_len < 0) { + log_warn(LD_CRYPTO, "Error occured while base64-encoding DH modulus."); goto done; } - if (BN_print_fp(fp, dh_param_p_tls) == 0) { - log_warn(LD_GENERAL, "Error while printing dynamic DH modulus to file."); + if (write_bytes_to_new_file(fname, base64_encoded_dh, new_len, 0) < 0) { + log_info(LD_CRYPTO, "'%s' was already occupied.", fname); goto done; } retval = 0; done: - if (fp) - fclose(fp); + if (dh) + DH_free(dh); + tor_free(dh_string_repr); + tor_free(base64_encoded_dh); return retval; } @@ -1901,52 +1923,62 @@ crypto_get_stored_dynamic_dh_modulus(const char *fname) { int retval; char *contents = NULL; - DH *dh = NULL; int dh_codes; char *fname_new = NULL; - BIGNUM *dynamic_dh_modulus = BN_new(); + DH *stored_dh = NULL; + BIGNUM *dynamic_dh_modulus = NULL; + int length = 0; + unsigned char *base64_decoded_dh = NULL; + const unsigned char *cp = NULL; tor_assert(fname); - if (!dynamic_dh_modulus) - goto err; - contents = read_file_to_str(fname, RFTS_IGNORE_MISSING, NULL); - if (!contents) - goto err; + if (!contents) { + log_info(LD_CRYPTO, "Could not open file '%s'", fname); + goto done; /*usually means that ENOENT. don't try to move file to broken.*/ + } + + /* 'fname' contains the DH parameters stored in base64-ed DER + format. We are only interested in the DH modulus. */ - retval = BN_hex2bn(&dynamic_dh_modulus, contents); - if (!retval) { - log_warn(LD_GENERAL, "Could not understand the dynamic DH modulus " - "format in '%s'", fname); + cp = base64_decoded_dh = tor_malloc_zero(strlen(contents)); + length = base64_decode((char *)base64_decoded_dh, strlen(contents), + contents, strlen(contents)); + if (length < 0) { + log_warn(LD_CRYPTO, "Stored dynamic DH modulus seems corrupted (base64)."); goto err; } - { /* validate the stored prime */ - dh = DH_new(); - if (!dh) - goto err; - - dh->p = BN_dup(dynamic_dh_modulus); - dh->g = BN_new(); - BN_set_word(dh->g, DH_GENERATOR); + stored_dh = d2i_DHparams(NULL, &cp, length); + if ((!stored_dh) || (cp - base64_decoded_dh != length)) { + log_warn(LD_CRYPTO, "Stored dynamic DH modulus seems corrupted (d2i)."); + goto err; + } - retval = DH_check(dh, &dh_codes); + { /* check the cryptographic qualities of the stored dynamic DH modulus: */ + retval = DH_check(stored_dh, &dh_codes); if (!retval || dh_codes) { - log_warn(LD_GENERAL, "Stored dynamic DH prime is not a safe prime."); + log_warn(LD_CRYPTO, "Stored dynamic DH modulus is not a safe prime."); goto err; } - retval = DH_size(dh); + retval = DH_size(stored_dh); if (retval < DH_BYTES) { - log_warn(LD_GENERAL, "Stored dynamic DH prime is smaller " + log_warn(LD_CRYPTO, "Stored dynamic DH modulus is smaller " "than '%d' bits.", DH_BYTES*8); goto err; } + + if (!BN_is_word(stored_dh->g, 2)) { + log_warn(LD_CRYPTO, "Stored dynamic DH parameters do not use '2' " + "as the group generator."); + goto err; + } } { /* log the dynamic DH modulus: */ - char *s = BN_bn2hex(dynamic_dh_modulus); + char *s = BN_bn2hex(stored_dh->p); tor_assert(s); log_info(LD_OR, "Found stored dynamic DH modulus: [%s]", s); OPENSSL_free(s); @@ -1957,31 +1989,34 @@ crypto_get_stored_dynamic_dh_modulus(const char *fname) err: { /* move broken prime to $filename.broken */ - fname_new = tor_malloc(strlen(fname) + 8); /* no can do if these functions return error */ strlcpy(fname_new, fname, strlen(fname) + 8); strlcat(fname_new, ".broken", strlen(fname) + 8); - log_warn(LD_GENERAL, "Moving broken dynamic DH prime to '%s'.", fname_new); + log_warn(LD_CRYPTO, "Moving broken dynamic DH prime to '%s'.", fname_new); if (replace_file(fname, fname_new)) - log_warn(LD_GENERAL, "Error while moving '%s' to '%s'.", fname, fname_new); + log_notice(LD_CRYPTO, "Error while moving '%s' to '%s'.", + fname, fname_new); tor_free(fname_new); - } - if (dynamic_dh_modulus) { - BN_free(dynamic_dh_modulus); - dynamic_dh_modulus = NULL; + if (stored_dh) { + DH_free(stored_dh); + stored_dh = NULL; } done: tor_free(contents); - if (dh) - DH_free(dh); + tor_free(base64_decoded_dh); + + if (stored_dh) { + dynamic_dh_modulus = BN_dup(stored_dh->p); + DH_free(stored_dh); + } return dynamic_dh_modulus; } @@ -2040,10 +2075,9 @@ crypto_set_tls_dh_prime(const char *dynamic_dh_modulus_fname) if (store_dh_prime_afterwards) /* save the new dynamic DH modulus to disk. */ if (crypto_store_dynamic_dh_modulus(dynamic_dh_modulus_fname)) { - log_notice(LD_GENERAL, "Failed while storing dynamic DH modulus. " + log_notice(LD_CRYPTO, "Failed while storing dynamic DH modulus. " "Make sure your data directory is sane."); } - } /** Initialize dh_param_p and dh_param_g if they are not already diff --git a/src/or/config.c b/src/or/config.c index 9c65861..06914b6 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -1384,7 +1384,7 @@ options_act(const or_options_t *old_options) if (server_mode(options)) { if (!old_options) { if (options->DynamicDHGroups) { - char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus"); + char *fname = get_datadir_fname2("keys", "dynamic_dh_params"); crypto_set_tls_dh_prime(fname); tor_free(fname); } else { @@ -1392,7 +1392,7 @@ options_act(const or_options_t *old_options) } } else { if (options->DynamicDHGroups && !old_options->DynamicDHGroups) { - char *fname = get_datadir_fname2("keys", "dynamic_dh_modulus"); + char *fname = get_datadir_fname2("keys", "dynamic_dh_params"); crypto_set_tls_dh_prime(fname); tor_free(fname); } else if (!options->DynamicDHGroups && old_options->DynamicDHGroups) { diff --git a/src/or/router.c b/src/or/router.c index 67e98da..5d36939 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -484,7 +484,6 @@ v3_authority_check_key_expiry(void) last_warned = now; } - int router_initialize_tls_context(void) {

1 0

[tor/master] Manpage for DisableNetwork
by nickm＠torproject.org 29 Nov '11

29 Nov '11

commit f4d8ed4b28bd8f7ec232c02d0c9987c72ade89b5 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Nov 28 16:01:47 2011 -0500 Manpage for DisableNetwork --- doc/tor.1.txt | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 7f9bfbb..5e2a1e4 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -125,6 +125,12 @@ Other options can be specified either on the command-line (--option You probably don't need to adjust this. It has no effect on Windows since that platform lacks getrlimit(). (Default: 1000) +**DisableNetwork** **0**|**1**:: + When this option is set, we don't listen for or accept any connections + other than controller connections, and we don't make any outbound + connections. Controllers sometimes use this option to avoid using + the network until Tor is fully configured. (Default: 0) + **ConstrainedSockets** **0**|**1**:: If set, Tor will tell the kernel to attempt to shrink the buffers for all sockets to the size specified in **ConstrainedSockSize**. This is useful for

1 0

[tor/master] New 'DisableNetwork' option to prevent Tor from using the network
by nickm＠torproject.org 29 Nov '11

29 Nov '11

commit df9b76460c38936b67ef42f5b261b39e2ec7144e Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Nov 28 15:44:10 2011 -0500 New 'DisableNetwork' option to prevent Tor from using the network Some controllers want this so they can mess with Tor's configuration for a while via the control port before actually letting Tor out of the house. We do this with a new DisableNetwork option, that prevents Tor from making any outbound connections or binding any non-control listeners. Additionally, it shuts down the same functionality as shuts down when we are hibernating, plus the code that launches directory downloads. To make sure I didn't miss anything, I added a clause straight to connection_connect, so that we won't even try to open an outbound socket when the network is disabled. In my testing, I made this an assert, but since I probably missed something, I've turned it into a BUG warning for testing. --- changes/disable_network | 9 ++++++ src/or/config.c | 10 ++++++- src/or/connection.c | 68 +++++++++++++++++++++++++++++++++++++++++++--- src/or/connection.h | 3 ++ src/or/hibernate.c | 11 +------- src/or/main.c | 29 +++++++++++--------- src/or/or.h | 4 +++ src/or/router.c | 12 +++++++- src/or/router.h | 2 + src/or/routerlist.c | 6 +++- 10 files changed, 122 insertions(+), 32 deletions(-) diff --git a/changes/disable_network b/changes/disable_network new file mode 100644 index 0000000..e6e7259 --- /dev/null +++ b/changes/disable_network @@ -0,0 +1,9 @@ + o Minor features: + + - New "DisableNetwork" option to prevent Tor from launching any + connections or accepting any connections except on a control + port. Some bundles and controllers want to use this so they can + configure Tor before letting Tor talk to the rest of the + network--for example, to prevent any connections from being made + to a non-bridge address. + diff --git a/src/or/config.c b/src/or/config.c index c0ce404..20ade03 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -231,6 +231,7 @@ static config_var_t _option_vars[] = { V(CountPrivateBandwidth, BOOL, "0"), V(DataDirectory, FILENAME, NULL), OBSOLETE("DebugLogFile"), + V(DisableNetwork, BOOL, "0"), V(DirAllowPrivateAddresses, BOOL, NULL), V(TestingAuthDirTimeToLearnReachability, INTERVAL, "30 minutes"), V(DirListenAddress, LINELIST, NULL), @@ -1093,13 +1094,19 @@ options_act_reversible(const or_options_t *old_options, char **msg) consider_hibernation(time(NULL)); /* Launch the listeners. (We do this before we setuid, so we can bind to - * ports under 1024.) We don't want to rebind if we're hibernating. */ + * ports under 1024.) We don't want to rebind if we're hibernating. If + * networking is disabled, this will close all but the control listeners, + * but disable those. */ if (!we_are_hibernating()) { if (retry_all_listeners(replaced_listeners, new_listeners) < 0) { *msg = tor_strdup("Failed to bind one of the listener ports."); goto rollback; } } + if (options->DisableNetwork) { + /* Aggressively close non-controller stuff, NOW */ + connection_mark_all_noncontrol_connections(); + } } #if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H) @@ -4094,6 +4101,7 @@ options_transition_affects_descriptor(const or_options_t *old_options, old_options->ORPort != new_options->ORPort || old_options->DirPort != new_options->DirPort || old_options->ClientOnly != new_options->ClientOnly || + old_options->DisableNetwork != new_options->DisableNetwork || old_options->_PublishServerDescriptor != new_options->_PublishServerDescriptor || get_effective_bwrate(old_options) != get_effective_bwrate(new_options) || diff --git a/src/or/connection.c b/src/or/connection.c index a52bf48..9c30d8e 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -1318,6 +1318,24 @@ connection_connect(connection_t *conn, const char *address, else protocol_family = PF_INET; + if (get_options()->DisableNetwork) { + /* We should never even try to connect anyplace if DisableNetwork is set. + * Warn if we do, and refuse to make the connection. */ + static ratelim_t disablenet_violated = RATELIM_INIT(30*60); + char *m; +#ifdef MS_WINDOWS + *socket_error = WSAENETUNREACH; +#else + *socket_error = ENETUNREACH; +#endif + if ((m = rate_limit_log(&disablenet_violated, approx_time()))) { + log_warn(LD_BUG, "Tried to open a socket with DisableNetwork set.%s", m); + tor_free(m); + } + tor_fragile_assert(); + return -1; + } + s = tor_open_socket(protocol_family,SOCK_STREAM,IPPROTO_TCP); if (s < 0) { *socket_error = tor_socket_errno(-1); @@ -1968,7 +1986,7 @@ retry_all_listeners(smartlist_t *replaced_conns, smartlist_add(listeners, conn); } SMARTLIST_FOREACH_END(conn); - if (! options->ClientOnly) { + if (! options->ClientOnly && ! options->DisableNetwork) { if (retry_listeners(listeners, CONN_TYPE_OR_LISTENER, options->ORListenAddress, options->ORPort, "0.0.0.0", @@ -1981,10 +1999,13 @@ retry_all_listeners(smartlist_t *replaced_conns, retval = -1; } - if (retry_listener_ports(listeners, - get_configured_client_ports(), - new_conns) < 0) - retval = -1; + if (!options->DisableNetwork) { + if (retry_listener_ports(listeners, + get_configured_client_ports(), + new_conns) < 0) + retval = -1; + } + if (retry_listeners(listeners, CONN_TYPE_CONTROL_LISTENER, options->ControlListenAddress, @@ -2025,6 +2046,43 @@ retry_all_listeners(smartlist_t *replaced_conns, return retval; } +/** DOCDOC */ +void +connection_mark_all_noncontrol_listeners(void) +{ + SMARTLIST_FOREACH_BEGIN(get_connection_array(), connection_t *, conn) { + if (conn->marked_for_close) + continue; + if (conn->type == CONN_TYPE_CONTROL_LISTENER) + continue; + if (connection_is_listener(conn)) + connection_mark_for_close(conn); + } SMARTLIST_FOREACH_END(conn); +} + +/** DOCDOC */ +void +connection_mark_all_noncontrol_connections(void) +{ + SMARTLIST_FOREACH_BEGIN(get_connection_array(), connection_t *, conn) { + if (conn->marked_for_close) + continue; + switch (conn->type) { + case CONN_TYPE_CPUWORKER: + case CONN_TYPE_CONTROL_LISTENER: + case CONN_TYPE_CONTROL: + break; + case CONN_TYPE_AP: + connection_mark_unattached_ap(TO_ENTRY_CONN(conn), + END_STREAM_REASON_HIBERNATING); + break; + default: + connection_mark_for_close(conn); + break; + } + } SMARTLIST_FOREACH_END(conn); +} + /** Return 1 if we should apply rate limiting to conn, and 0 * otherwise. * Right now this just checks if it's an internal IP address or an diff --git a/src/or/connection.h b/src/or/connection.h index 9f11489..c4b8bf8 100644 --- a/src/or/connection.h +++ b/src/or/connection.h @@ -66,6 +66,9 @@ int get_proxy_addrport(tor_addr_t *addr, uint16_t *port, int *proxy_type, int retry_all_listeners(smartlist_t *replaced_conns, smartlist_t *new_conns); +void connection_mark_all_noncontrol_listeners(void); +void connection_mark_all_noncontrol_connections(void); + ssize_t connection_bucket_write_limit(connection_t *conn, time_t now); int global_write_bucket_low(connection_t *conn, size_t attempt, int priority); void connection_bucket_init(void); diff --git a/src/or/hibernate.c b/src/or/hibernate.c index 6fd2b4f..ce64581 100644 --- a/src/or/hibernate.c +++ b/src/or/hibernate.c @@ -735,7 +735,6 @@ hibernate_soft_limit_reached(void) static void hibernate_begin(hibernate_state_t new_state, time_t now) { - connection_t *conn; const or_options_t *options = get_options(); if (new_state == HIBERNATE_STATE_EXITING && @@ -756,15 +755,7 @@ hibernate_begin(hibernate_state_t new_state, time_t now) } /* close listeners. leave control listener(s). */ - while ((conn = connection_get_by_type(CONN_TYPE_OR_LISTENER)) || - (conn = connection_get_by_type(CONN_TYPE_AP_LISTENER)) || - (conn = connection_get_by_type(CONN_TYPE_AP_TRANS_LISTENER)) || - (conn = connection_get_by_type(CONN_TYPE_AP_DNS_LISTENER)) || - (conn = connection_get_by_type(CONN_TYPE_AP_NATD_LISTENER)) || - (conn = connection_get_by_type(CONN_TYPE_DIR_LISTENER))) { - log_info(LD_NET,"Closing listener type %d", conn->type); - connection_mark_for_close(conn); - } + connection_mark_all_noncontrol_listeners(); /* XXX kill intro point circs */ /* XXX upload rendezvous service descriptors with no intro points */ diff --git a/src/or/main.c b/src/or/main.c index 10b80a4..abf8233 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -934,7 +934,7 @@ directory_info_has_arrived(time_t now, int from_cache) update_extrainfo_downloads(now); } - if (server_mode(options) && !we_are_hibernating() && !from_cache && + if (server_mode(options) && !net_is_disabled() && !from_cache && (can_complete_circuit || !any_predicted_circuits(now))) consider_testing_reachability(1, 1); } @@ -1161,11 +1161,11 @@ run_scheduled_events(time_t now) if (router_rebuild_descriptor(1)<0) { log_info(LD_CONFIG, "Couldn't rebuild router descriptor"); } - if (advertised_server_mode()) + if (advertised_server_mode() & !options->DisableNetwork) router_upload_dir_desc_to_dirservers(0); } - if (time_to_try_getting_descriptors < now) { + if (!options->DisableNetwork && time_to_try_getting_descriptors < now) { update_all_descriptor_downloads(now); update_extrainfo_downloads(now); if (router_have_minimum_dir_info()) @@ -1219,7 +1219,7 @@ run_scheduled_events(time_t now) if (time_to_launch_reachability_tests < now && (authdir_mode_tests_reachability(options)) && - !we_are_hibernating()) { + !net_is_disabled()) { time_to_launch_reachability_tests = now + REACHABILITY_TEST_INTERVAL; /* try to determine reachability of the other Tor relays */ dirserv_test_reachability(now); @@ -1355,7 +1355,7 @@ run_scheduled_events(time_t now) /* 2b. Once per minute, regenerate and upload the descriptor if the old * one is inaccurate. */ - if (time_to_check_descriptor < now) { + if (time_to_check_descriptor < now && !options->DisableNetwork) { static int dirport_reachability_count = 0; time_to_check_descriptor = now + CHECK_DESCRIPTOR_INTERVAL; check_descriptor_bandwidth_changed(now); @@ -1430,7 +1430,7 @@ run_scheduled_events(time_t now) connection_expire_held_open(); /** 3d. And every 60 seconds, we relaunch listeners if any died. */ - if (!we_are_hibernating() && time_to_check_listeners < now) { + if (!net_is_disabled() && time_to_check_listeners < now) { retry_all_listeners(NULL, NULL); time_to_check_listeners = now+60; } @@ -1441,7 +1441,7 @@ run_scheduled_events(time_t now) * and we make a new circ if there are no clean circuits. */ have_dir_info = router_have_minimum_dir_info(); - if (have_dir_info && !we_are_hibernating()) + if (have_dir_info && !net_is_disabled()) circuit_build_needed_circs(now); /* every 10 seconds, but not at the same second as other such events */ @@ -1472,7 +1472,7 @@ run_scheduled_events(time_t now) circuit_close_all_marked(); /** 7. And upload service descriptors if necessary. */ - if (can_complete_circuit && !we_are_hibernating()) { + if (can_complete_circuit && !net_is_disabled()) { rend_consider_services_upload(now); rend_consider_descriptor_republication(); } @@ -1489,7 +1489,8 @@ run_scheduled_events(time_t now) /** 9. and if we're a server, check whether our DNS is telling stories to * us. */ - if (public_server_mode(options) && time_to_check_for_correct_dns < now) { + if (!net_is_disabled() && + public_server_mode(options) && time_to_check_for_correct_dns < now) { if (!time_to_check_for_correct_dns) { time_to_check_for_correct_dns = now + 60 + crypto_rand_int(120); } else { @@ -1508,7 +1509,8 @@ run_scheduled_events(time_t now) } /** 11. check the port forwarding app */ - if (time_to_check_port_forwarding < now && + if (!net_is_disabled() && + time_to_check_port_forwarding < now && options->PortForwarding && is_server) { #define PORT_FORWARDING_CHECK_INTERVAL 5 @@ -1520,7 +1522,7 @@ run_scheduled_events(time_t now) } /** 11b. check pending unconfigured managed proxies */ - if (pt_proxies_configuration_pending()) + if (!net_is_disabled() && pt_proxies_configuration_pending()) pt_configure_remaining_proxies(); /** 11c. validate pluggable transports configuration if we need to */ @@ -1592,7 +1594,7 @@ second_elapsed_callback(periodic_timer_t *timer, void *arg) control_event_stream_bandwidth_used(); if (server_mode(options) && - !we_are_hibernating() && + !net_is_disabled() && seconds_elapsed > 0 && can_complete_circuit && stats_n_seconds_working / TIMEOUT_UNTIL_UNREACHABILITY_COMPLAINT != @@ -1793,7 +1795,8 @@ do_hup(void) /* retry appropriate downloads */ router_reset_status_download_failures(); router_reset_descriptor_download_failures(); - update_networkstatus_downloads(time(NULL)); + if (!options->DisableNetwork) + update_networkstatus_downloads(time(NULL)); /* We'll retry routerstatus downloads in about 10 seconds; no need to * force a retry there. */ diff --git a/src/or/or.h b/src/or/or.h index 546fe17..7fd0597 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3439,6 +3439,10 @@ typedef struct { * issue. */ int UserspaceIOCPBuffers; + /** If 1, we accept and launch no external network connections, except on + * control ports. */ + int DisableNetwork; + } or_options_t; /** Persistent state for an onion router, as saved to disk. */ diff --git a/src/or/router.c b/src/or/router.c index b6b96a5..d0292aa 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -780,7 +780,7 @@ check_whether_dirport_reachable(void) const or_options_t *options = get_options(); return !options->DirPort || options->AssumeReachable || - we_are_hibernating() || + net_is_disabled() || can_reach_dir_port; } @@ -806,7 +806,7 @@ decide_to_advertise_dirport(const or_options_t *options, uint16_t dir_port) return 0; if (authdir_mode(options)) /* always publish */ return dir_port; - if (we_are_hibernating()) + if (net_is_disabled()) return 0; if (!check_whether_dirport_reachable()) return 0; @@ -974,6 +974,14 @@ router_perform_bandwidth_test(int num_circs, time_t now) } } +/** Return true iff our network is in some sense disabled: either we're + * hibernating, entering hibernation, or */ +int +net_is_disabled(void) +{ + return get_options()->DisableNetwork || we_are_hibernating(); +} + /** Return true iff we believe ourselves to be an authoritative * directory server. */ diff --git a/src/or/router.h b/src/or/router.h index f9d156c..8cc529f 100644 --- a/src/or/router.h +++ b/src/or/router.h @@ -39,6 +39,8 @@ void router_orport_found_reachable(void); void router_dirport_found_reachable(void); void router_perform_bandwidth_test(int num_circs, time_t now); +int net_is_disabled(void); + int authdir_mode(const or_options_t *options); int authdir_mode_v1(const or_options_t *options); int authdir_mode_v2(const or_options_t *options); diff --git a/src/or/routerlist.c b/src/or/routerlist.c index d97b978..689df99 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -3244,7 +3244,7 @@ router_set_status(const char *digest, int up) log_debug(LD_DIR,"Marking router %s as %s.", node_describe(node), up ? "up" : "down"); #endif - if (!up && node_is_me(node) && !we_are_hibernating()) + if (!up && node_is_me(node) && !net_is_disabled()) log_warn(LD_NET, "We just marked ourself as down. Are your external " "addresses reachable?"); node->is_running = up; @@ -4009,6 +4009,8 @@ signed_desc_digest_is_recognized(signed_descriptor_t *desc) void update_all_descriptor_downloads(time_t now) { + if (get_options()->DisableNetwork) + return; update_router_descriptor_downloads(now); update_microdesc_downloads(now); launch_dummy_descriptor_download_as_needed(now, get_options()); @@ -4021,6 +4023,8 @@ routerlist_retry_directory_downloads(time_t now) { router_reset_status_download_failures(); router_reset_descriptor_download_failures(); + if (get_options()->DisableNetwork) + return; update_networkstatus_downloads(now); update_all_descriptor_downloads(now); }

1 0

[tor/master] log a notice when disablenetwork is set
by nickm＠torproject.org 29 Nov '11

29 Nov '11

commit 116dd4ae4fdf0a4699cafdae39b3cdb88f3512f6 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Nov 28 16:07:13 2011 -0500 log a notice when disablenetwork is set --- src/or/config.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/src/or/config.c b/src/or/config.c index 20ade03..b08ed63 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -1105,6 +1105,9 @@ options_act_reversible(const or_options_t *old_options, char **msg) } if (options->DisableNetwork) { /* Aggressively close non-controller stuff, NOW */ + log_notice(LD_NET, "DisableNetwork is set. Tor will not make or accept " + "non-control network connections. Shutting down all existing " + "connections."); connection_mark_all_noncontrol_connections(); } }

1 0

[tor/master] Make sure we never launch an evdns resolve when DisableNetwork is 1
by nickm＠torproject.org 29 Nov '11

29 Nov '11

commit 8c5a2c5b804a99155a7822f15fef3feb0e536eaf Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Nov 29 17:46:54 2011 -0500 Make sure we never launch an evdns resolve when DisableNetwork is 1 --- src/or/dns.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/src/or/dns.c b/src/or/dns.c index 8ed9536..beb110a 100644 --- a/src/or/dns.c +++ b/src/or/dns.c @@ -1395,6 +1395,10 @@ launch_resolve(edge_connection_t *exitconn) int r; int options = get_options()->ServerDNSSearchDomains ? 0 : DNS_QUERY_NO_SEARCH; + + if (get_options()->DisableNetwork) + return -1; + /* What? Nameservers not configured? Sounds like a bug. */ if (!nameservers_configured) { log_warn(LD_EXIT, "(Harmless.) Nameservers not configured, but resolve " @@ -1601,6 +1605,9 @@ launch_test_addresses(int fd, short event, void *args) (void)event; (void)args; + if (options->DisableNetwork) + return; + log_info(LD_EXIT, "Launching checks to see whether our nameservers like to " "hijack *everything*."); /* This situation is worse than the failure-hijacking situation. When this

1 0

[tor/master] Fix some DOCDOCs
by nickm＠torproject.org 29 Nov '11

29 Nov '11

commit 9e8f3ee8e4d5ad5ce98aeb37b2b8c724a1936355 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Nov 29 17:52:16 2011 -0500 Fix some DOCDOCs --- src/or/connection.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/or/connection.c b/src/or/connection.c index 9c30d8e..b87f922 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -2046,7 +2046,7 @@ retry_all_listeners(smartlist_t *replaced_conns, return retval; } -/** DOCDOC */ +/** Mark every listener of type other than CONTROL_LISTENER to be closed. */ void connection_mark_all_noncontrol_listeners(void) { @@ -2060,7 +2060,7 @@ connection_mark_all_noncontrol_listeners(void) } SMARTLIST_FOREACH_END(conn); } -/** DOCDOC */ +/** Mark every external conection not used for controllers for close. */ void connection_mark_all_noncontrol_connections(void) {

1 0

← Newer
1
...
9
10
11
12
13
14
15
...
99
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-commits November 2011