let people test the RefuseUnknownExits idea

5 files changed, 33 insertions, 7 deletions

diff --git a/ChangeLog b/ChangeLog
index 4fa361654..7d742574d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,11 @@
 Changes in version 0.2.2.11-alpha - 2010-03-??
+  o Minor features:
+    - Experiment with a more aggressive approach to preventing clients
+      from making one-hop exit streams. Exit relays who want to try it
+      out can set "RefuseUnknownExits 1" in their torrc, and then look
+      for "Attempt by %s to open a stream" log messages. Let us know
+      how it goes!
+
   o Minor bugfixes:
     - When we cleaned up the contrib/tor-exit-notice.html file, we left
       out some key text. Fixes bug 1295.
diff --git a/src/or/config.c b/src/or/config.c
index cbf9a5a0c..dee2303bf 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -299,6 +299,7 @@ static config_var_t _option_vars[] = {
   V(RecommendedClientVersions,   LINELIST, NULL),
   V(RecommendedServerVersions,   LINELIST, NULL),
   OBSOLETE("RedirectExit"),
+  V(RefuseUnknownExits,          BOOL,     "0"),
   V(RejectPlaintextPorts,        CSV,      ""),
   V(RelayBandwidthBurst,         MEMUNIT,  "0"),
   V(RelayBandwidthRate,          MEMUNIT,  "0"),
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 861482d2a..a173dc122 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -2505,16 +2505,28 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
       tor_free(address);
       return 0;
     }
-    if (or_circ && or_circ->is_first_hop &&
-        !get_options()->AllowSingleHopExits) {
+    if (or_circ && or_circ->p_conn && !get_options()->AllowSingleHopExits &&
+        (or_circ->is_first_hop ||
+         (!connection_or_digest_is_known_relay(
+                                       or_circ->p_conn->identity_digest) &&
+//        XXX022 commented out so we can test it first in 0.2.2.11 -RD
+//        networkstatus_get_param(NULL, "refuseunknownexits", 1)))) {
+          get_options()->RefuseUnknownExits))) {
       /* Don't let clients use us as a single-hop proxy, unless the user
-       * has explicitly allowed that in the config.  It attracts attackers
+       * has explicitly allowed that in the config. It attracts attackers
        * and users who'd be better off with, well, single-hop proxies.
        */
-      log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
-             "Attempt to open a stream on first hop of circuit. Closing.");
+//    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+      log_notice(LD_PROTOCOL,
+             "Attempt by %s to open a stream %s. Closing.",
+             safe_str(or_circ->p_conn->_base.address),
+             or_circ->is_first_hop ? "on first hop of circuit" :
+                                     "from unknown relay");
       relay_send_end_cell_from_edge(rh.stream_id, circ,
-                                    END_STREAM_REASON_TORPROTOCOL, NULL);
+                                    or_circ->is_first_hop ?
+                                      END_STREAM_REASON_TORPROTOCOL :
+                                      END_STREAM_REASON_MISC,
+                                    NULL);
       tor_free(address);
       return 0;
     }
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index dfd0a965b..98525f16a 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -322,7 +322,7 @@ connection_or_finished_connecting(or_connection_t *or_conn)
 
 /** Return 1 if identity digest <b>id_digest</b> is known to be a
  * currently or recently running relay. Otherwise return 0. */
-static int
+int
 connection_or_digest_is_known_relay(const char *id_digest)
 {
   if (router_get_consensus_status_by_id(id_digest))
diff --git a/src/or/or.h b/src/or/or.h
index cf27520f1..737c19742 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -2462,6 +2462,11 @@ typedef struct {
   int ConstrainedSockets; /**< Shrink xmit and recv socket buffers. */
   uint64_t ConstrainedSockSize; /**< Size of constrained buffers. */
 
+  /** Whether we should drop exit streams from Tors that we don't know
+   * are relays. XXX022 In here for 0.2.2.11 as a temporary test before
+   * we switch over to putting it in consensusparams. -RD */
+  int RefuseUnknownExits;
+
   /** Application ports that require all nodes in circ to have sufficient
    * uptime. */
   smartlist_t *LongLivedPorts;
@@ -3532,6 +3537,7 @@ int connection_or_process_inbuf(or_connection_t *conn);
 int connection_or_flushed_some(or_connection_t *conn);
 int connection_or_finished_flushing(or_connection_t *conn);
 int connection_or_finished_connecting(or_connection_t *conn);
+int connection_or_digest_is_known_relay(const char *id_digest);
 
 void connection_or_connect_failed(or_connection_t *conn,
                                   int reason, const char *msg);