From 0d5a847f12724d1a86898ca3246850c06ceaebf1 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 14 Oct 2004 01:44:32 +0000 Subject: Remove need for dirservers file: now, we note trusted dirservers in configuration options, and only need to remember addr:port and key digest for each one. svn:r2479 --- src/config/Makefile.am | 4 +- src/config/torrc.sample.in | 12 +++-- src/or/config.c | 119 --------------------------------------------- src/or/connection.c | 3 +- src/or/directory.c | 21 ++++---- src/or/or.h | 4 +- src/or/router.c | 11 +++++ src/or/routerlist.c | 63 +++++++----------------- 8 files changed, 52 insertions(+), 185 deletions(-) (limited to 'src') diff --git a/src/config/Makefile.am b/src/config/Makefile.am index 13ed39d7f..b440abc5c 100644 --- a/src/config/Makefile.am +++ b/src/config/Makefile.am @@ -1,5 +1,5 @@ confdir = $(sysconfdir)/tor -EXTRA_DIST = dirservers +EXTRA_DIST = -conf_DATA = dirservers torrc.sample +conf_DATA = torrc.sample diff --git a/src/config/torrc.sample.in b/src/config/torrc.sample.in index 4d562f15a..0c5fa068a 100644 --- a/src/config/torrc.sample.in +++ b/src/config/torrc.sample.in @@ -1,9 +1,5 @@ # Configuration file for a typical tor user -# List of routers. Tor nodes start out knowing about the directory -# servers, and from them they get a list of currently up nodes. -RouterFile @CONFDIR@/dirservers - # Replace this with "SocksPort 0" if you don't want clients to connect. SocksPort 9050 SocksBindAddress 127.0.0.1 # accept connections only from localhost 
@@ -37,6 +33,14 @@ AllowUnverifiedNodes middle,rendezvous # Uncomment this to start the process in the background #RunAsDaemon 1 +# The three trusted directory servers on the current Tor network. The entries +# below are for moria1, moria2, and tor26 respectively. Tor only trusts +# directories signed with one of these three keys, and uses the given addresses +# to conntect to the trusted directory servers. +DirServer 18.244.0.188:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441 +DirServer 18.244.0.188:9032 719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF +DirServer 62.116.124.106:9030 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D + ##################### Below is just for servers ##################### ## NOTE: If you enable these, you should consider mailing your diff --git a/src/or/config.c b/src/or/config.c index 52e8c0241..d79070549 100644 --- a/src/or/config.c +++ b/src/or/config.c 
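Review bot: The new comment above the three `DirServer` lines misspells "conntect" (should be "connect") and does not say that these uncommented lines duplicate the compiled-in defaults. The getconfig hunk in src/or/config.c shows `add_default_trusted_dirservers()` running only when `options->DirServers` is unset, so anyone who copies this sample pins the trust anchors in their own torrc and will presumably not pick up a later change to the built-in list. Consider shipping the lines commented out, or adding a sentence such as `# These are also Tor's built-in defaults; list DirServer lines only to override them.`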
@@ -282,124 +282,6 @@ static int config_assign(or_options_t *options, struct config_line_t *list) { return 0; } -const char default_dirservers_string[] = -"router moria1 18.244.0.188 9001 9021 9031\n" -"platform Tor 0.0.6rc1 on Linux moria.mit.edu i686\n" -"published 2004-04-25 21:54:28\n" -"bandwidth 800000 10000000\n" -"onion-key\n" -"-----BEGIN RSA PUBLIC KEY-----\n" -"MIGJAoGBANoIvHieyHUTzIacbnWOnyTyzGrLOdXqbcjz2GGMxyHEd5K1bO1ZBNHP\n" -"9i5qLQpN5viFk2K2rEGuG8tFgDEzSWZEtBqv3NVfUdiumdERWMBwlaQ0MVK4C+jf\n" -"y5gZ8KI3o9ZictgPS1AQF+Kk932/vIHTuRIUKb4ILTnQilNvID0NAgMBAAE=\n" -"-----END RSA PUBLIC KEY-----\n" -"signing-key\n" -"-----BEGIN RSA PUBLIC KEY-----\n" -"MIGJAoGBAMHa0ZC/jo2Q2DrwKYF/6ZbmZ27PFYG91u4gUzzmZ/VXLpZ8wNzEV3oW\n" -"nt+I61048fBiC1frT1/DZ351n2bLSk9zJbB6jyGZJn0380FPRX3+cXyXS0Gq8Ril\n" -"xkhMQf5XuNFUb8UmYPSOH4WErjvYjKvU+gfjbK/82Jo9SuHpYz+BAgMBAAE=\n" -"-----END RSA PUBLIC KEY-----\n" -"reject 0.0.0.0/255.0.0.0:*\n" -"reject 169.254.0.0/255.255.0.0:*\n" -"reject 127.0.0.0/255.0.0.0:*\n" -"reject 192.168.0.0/255.255.0.0:*\n" -"reject 10.0.0.0/255.0.0.0:*\n" -"reject 172.16.0.0/255.240.0.0:*\n" -"accept *:20-22\n" -"accept *:53\n" -"accept *:79-80\n" -"accept *:110\n" -"accept *:143\n" -"accept *:443\n" -"accept *:873\n" -"accept *:993\n" -"accept *:995\n" -"accept *:1024-65535\n" -"reject *:*\n" -"router-signature\n" -"-----BEGIN SIGNATURE-----\n" -"o1eAoRHDAEAXsnh5wN++vIwrupd+DbAJ2p3wxHDrmqxTpygzxxCnyQyhMfX03ua2\n" -"4iplyNlwyFwzWcw0sk31otlO2HBYXT1V9G0YxGtKMOeOBMHjfGbUjGvEALHzWi4z\n" -"8DXGJp13zgnUyP4ZA6xaGROwcT6oB5e7UlztvvpGxTg=\n" -"-----END SIGNATURE-----\n" -"\n" -"router moria2 18.244.0.188 9002 9022 9032\n" -"platform Tor 0.0.6rc1 on Linux moria.mit.edu i686\n" -"published 2004-04-25 21:54:30\n" -"bandwidth 800000 10000000\n" -"onion-key\n" -"-----BEGIN RSA PUBLIC KEY-----\n" -"MIGJAoGBAM4Cc/npgYC54XrYLC+grVxJp7PDmNO2DRRJOxKttBBtvLpnR1UaueTi\n" -"kyknT5kmlx+ihgZF/jmye//2dDUp2+kK/kSkpRV4xnDLXZmed+sNSQxqmm9TtZQ9\n" 
-"/hjpxhp5J9HmUTYhntBs+4E4CUKokmrI6oRLoln4SA39AX9QLPcnAgMBAAE=\n" -"-----END RSA PUBLIC KEY-----\n" -"signing-key\n" -"-----BEGIN RSA PUBLIC KEY-----\n" -"MIGJAoGBAOcrht/y5rkaahfX7sMe2qnpqoPibsjTSJaDvsUtaNP/Bq0MgNDGOR48\n" -"rtwfqTRff275Edkp/UYw3G3vSgKCJr76/bqOHCmkiZrnPV1zxNfrK18gNw2Cxre0\n" -"nTA+fD8JQqpPtb8b0SnG9kwy75eS//sRu7TErie2PzGMxrf9LH0LAgMBAAE=\n" -"-----END RSA PUBLIC KEY-----\n" -"reject 0.0.0.0/255.0.0.0:*\n" -"reject 169.254.0.0/255.255.0.0:*\n" -"reject 127.0.0.0/255.0.0.0:*\n" -"reject 192.168.0.0/255.255.0.0:*\n" -"reject 10.0.0.0/255.0.0.0:*\n" -"reject 172.16.0.0/255.240.0.0:*\n" -"accept *:20-22\n" -"accept *:53\n" -"accept *:79-80\n" -"accept *:110\n" -"accept *:143\n" -"accept *:443\n" -"accept *:873\n" -"accept *:993\n" -"accept *:995\n" -"accept *:1024-65535\n" -"reject *:*\n" -"router-signature\n" -"-----BEGIN SIGNATURE-----\n" -"RKROLwP1ExjTZeg6wuN0pzYqed9IJUd5lAe9hp4ritbnmJAgS6qfww6jgx61CfUR\n" -"6SElhOLE7Q77jAdoL45Ji5pn/Y+Q+E+5lJm1E/ed9ha+YsOPaOc7z6GQ7E4mihCL\n" -"gI1vsw92+P1Ty4RHj6fyD9DhbV19nh2Qs+pvGJOS2FY=\n" -"-----END SIGNATURE-----\n" -"\n" -"router tor26 62.116.124.106 9001 9050 9030\n" -"platform Tor 0.0.6 on Linux seppia i686\n" -"published 2004-05-06 21:33:23\n" -"bandwidth 500000 10000000\n" -"onion-key\n" -"-----BEGIN RSA PUBLIC KEY-----\n" -"MIGJAoGBAMEHdDnpj3ik1AF1xe/VqjoguH2DbANifYqXXfempu0fS+tU9FGo6dU/\n" -"fnVHAZwL9Ek9k2rMzumShi1RduK9p035R/Gk+PBBcLfvwYJ/Nat+ZO/L8jn/3bZe\n" -"ieQd9CKj2LjNGKpRNry37vkwMGIOIlegwK+2us8aXJ7sIvlNts0TAgMBAAE=\n" -"-----END RSA PUBLIC KEY-----\n" -"signing-key\n" -"-----BEGIN RSA PUBLIC KEY-----\n" -"MIGJAoGBAMQgV2gXLbXgesWgeAsj8P1Uvm/zibrFXqwDq27lLKNgWGYGX2ax3LyT\n" -"3nzI1Y5oLs4kPKTsMM5ft9aokwf417lKoCRlZc9ptfRbgxDx90c9GtWVmkrmDvCK\n" -"ae59TMoXIiGfZiwWT6KKq5Zm9/Fu2Il3B2vHGkKJYKixmiBJRKp/AgMBAAE=\n" -"-----END RSA PUBLIC KEY-----\n" -"accept 62.245.184.24:25\n" -"accept 62.116.124.106:6666-6670\n" -"accept *:48099\n" -"reject *:*\n" -"router-signature\n" -"-----BEGIN SIGNATURE-----\n" 
-"qh/xRoqfLNFzPaB8VdpbdMAwRyuk5qjx4LeLVQ2pDwTZ55PqmG99+VKUNte2WTTD\n" -"7dZEA7um2rueohGe4nYmvbhJWr20/I0ZxmWDRDvFy0b5nwzDMGvLvDw95Zu/XJQ2\n" -"md32NE3y9VZCfbCN+GlvETX3fdR3Svzcm8Kzesg2/s4=\n" -"-----END SIGNATURE-----\n" -; - -int config_assign_default_dirservers(void) { - if(router_load_routerlist_from_string(default_dirservers_string, 1) < 0) { - log_fn(LOG_WARN,"Bug: the default dirservers internal string is corrupt."); - return -1; - } - - return 0; -} - static void add_default_trusted_dirservers(void) { /* moria1 */ parse_dir_server_line("18.244.0.188:9031 " @@ -894,7 +776,6 @@ int getconfig(int argc, char **argv, or_options_t *options) { } } - clear_trusted_dir_servers(); if (!options->DirServers) { add_default_trusted_dirservers(); diff --git a/src/or/connection.c b/src/or/connection.c index f01502f1d..c2f01c052 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -738,7 +738,8 @@ int connection_handle_read(connection_t *conn) { /* it's a directory server and connecting failed: forget about this router */ /* XXX I suspect pollerr may make Windows not get to this point. :( */ router_mark_as_down(conn->identity_digest); - if(conn->purpose == DIR_PURPOSE_FETCH_DIR && !all_directory_servers_down()) { + if(conn->purpose == DIR_PURPOSE_FETCH_DIR && + !all_trusted_directory_servers_down()) { log_fn(LOG_INFO,"Giving up on dirserver %s; trying another.", conn->address); directory_get_from_dirserver(DIR_PURPOSE_FETCH_DIR, NULL, 0); } diff --git a/src/or/directory.c b/src/or/directory.c index 62e66d1a2..d054a5a56 100644 --- a/src/or/directory.c +++ b/src/or/directory.c 
@@ -105,20 +105,18 @@ directory_get_from_dirserver(uint8_t purpose, const char *payload, if (purpose == DIR_PURPOSE_FETCH_DIR) { if (advertised_server_mode()) { /* only ask authdirservers, and don't ask myself */ - r = router_pick_directory_server(1, 1); - /* XXXX NM Enable this once we actually set keys for dirservers. - * ds = router_pick_trusteddirserver(1); - */ + ds = router_pick_trusteddirserver(1); } else { /* anybody with a non-zero dirport will do */ - r = router_pick_directory_server(0, 1); + r = router_pick_directory_server(1); + if (!r) { + log_fn(LOG_INFO, "No router found for directory; falling back to dirserver list"); + ds = router_pick_trusteddirserver(1); + } } } else { // (purpose == DIR_PURPOSE_FETCH_RENDDESC) /* only ask authdirservers, any of them will do */ - r = router_pick_directory_server(1, 0); - /* XXXX NM Enable this once we actually set keys for dirservers. - * ds = router_pick_trusteddirserver(0); - */ + ds = router_pick_trusteddirserver(0); } if (r) @@ -152,7 +150,7 @@ static void directory_initiate_command_trusted_dir(trusted_dir_server_t *dirserv, uint8_t purpose, const char *payload, int payload_len) { - directory_initiate_command(dirserv->address, dirserv->addr, dirserv->dir_port, + directory_initiate_command(dirserv->address, dirserv->addr,dirserv->dir_port, NULL, dirserv->digest, purpose, payload, payload_len); } @@ -212,7 +210,8 @@ directory_initiate_command(const char *address, uint32_t addr, switch(connection_connect(conn, conn->address, conn->addr, conn->port)) { case -1: router_mark_as_down(conn->identity_digest); /* don't try him again */ - if(purpose == DIR_PURPOSE_FETCH_DIR && !all_directory_servers_down()) { + if(purpose == DIR_PURPOSE_FETCH_DIR && + !all_trusted_directory_servers_down()) { log_fn(LOG_INFO,"Giving up on dirserver %s; trying another.", conn->nickname); directory_get_from_dirserver(purpose, payload, payload_len); } diff --git a/src/or/or.h b/src/or/or.h index db128a09a..196c610ac 100644 --- a/src/or/or.h 
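Review bot: In the server branch of `DIR_PURPOSE_FETCH_DIR` and in the rendezvous-descriptor branch only `ds` is assigned, yet the code right after tests `if (r)`, so `r` is read unset on those paths unless it is initialised at its declaration. The declarations of `r` and `ds` are outside this hunk; if they are not already NULL-initialised they should be, e.g. `routerinfo_t *r = NULL;` and `trusted_dir_server_t *ds = NULL;`. The client branch can also leave both NULL when the fallback `router_pick_trusteddirserver(1)` finds nothing, and since that handling continues beyond the hunk it is worth confirming that it logs and returns rather than falling through.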
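Review bot: The retry message in `directory_initiate_command` still prints `conn->nickname`, while the same message in connection.c's `connection_handle_read` prints `conn->address`. Now that trusted directory servers are reached through `directory_initiate_command_trusted_dir`, which passes only an address, port and digest, the nickname may be unset for these connections (its assignment is outside the hunk, so this is an inference) and `%s` would then receive NULL. Using the address in both places keeps the log lines consistent: `log_fn(LOG_INFO,"Giving up on dirserver %s; trying another.", conn->address);`.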
+++ b/src/or/or.h @@ -1411,9 +1411,9 @@ typedef struct trusted_dir_server_t { } trusted_dir_server_t; int router_reload_router_list(void); -routerinfo_t *router_pick_directory_server(int requireauth, int requireothers); +routerinfo_t *router_pick_directory_server(int requireothers); trusted_dir_server_t *router_pick_trusteddirserver(int requireothers); -int all_directory_servers_down(void); +int all_trusted_directory_servers_down(void); struct smartlist_t; void routerlist_add_friends(struct smartlist_t *sl, routerinfo_t *router); void add_nickname_list_to_smartlist(struct smartlist_t *sl, const char *list, int warn_if_down); diff --git a/src/or/router.c b/src/or/router.c index aec642638..da7b70719 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -228,6 +228,7 @@ int init_keys(void) { char *cp; const char *tmp, *mydesc, *datadir; crypto_pk_env_t *prkey; + char digest[20]; if (!key_lock) key_lock = tor_mutex_new(); @@ -345,6 +346,16 @@ int init_keys(void) { log_fn(LOG_ERR, "Error loading fingerprints"); return -1; } + /* 6b. [authdirserver only] add own key to approved directories. */ + crypto_pk_get_digest(get_identity_key(), digest); + if (!router_digest_is_trusted_dir(digest)) { + uint32_t addr; + if(resolve_my_address(options.Address, &addr) < 0) { + log_fn(LOG_WARN,"options.Address didn't resolve into an IP."); + return -1; + } + add_trusted_dir_server(addr, options.DirPort, digest); + } /* 7. [authdirserver only] load old directory, if it's there */ sprintf(keydir,"%s/cached-directory", datadir); log_fn(LOG_INFO,"Loading cached directory from %s...",keydir); diff --git a/src/or/routerlist.c b/src/or/routerlist.c index 91575d7f1..e942e9623 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c 
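Review bot: Step 6b in `init_keys` calls `add_trusted_dir_server(addr, options.DirPort, digest)` with `addr` declared as `uint32_t`, but the hunk header in src/or/routerlist.c shows the callee as `add_trusted_dir_server(const char *addr, uint16_t port, const char *digest)`, and its body does `tor_strdup(addr)`. As written the resolved IP is converted to a pointer and dereferenced, so an authoritative server whose digest is not already listed would most likely crash at startup or copy unrelated memory; pass a textual address instead, or change the callee to accept the numeric form. If `crypto_pk_get_digest(get_identity_key(), digest)` can fail, its result should be checked before `digest` is installed as a trust anchor, and the new buffer would read better as `char digest[DIGEST_LEN];` to match the `memcpy(ent->digest, digest, DIGEST_LEN)` on the receiving side. The comment says "[authdirserver only]", but the gate for that lies outside the hunk, so confirm that ordinary servers cannot reach this code and add themselves to the trusted set.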
@@ -22,7 +22,7 @@ static smartlist_t *trusted_dir_servers = NULL; /* static function prototypes */ static routerinfo_t * -router_pick_directory_server_impl(int requireauth, int requireothers, int fascistfirewall); +router_pick_directory_server_impl(int requireothers, int fascistfirewall); static trusted_dir_server_t * router_pick_trusteddirserver_impl(int requireother, int fascistfirewall); static void mark_all_trusteddirservers_up(void); @@ -49,17 +49,6 @@ int router_reload_router_list(void) { char filename[512]; routerlist_clear_trusted_directories(); - if (options.RouterFile) { - log_fn(LOG_INFO, "Loading router list from %s", options.RouterFile); - if (router_load_routerlist_from_file(options.RouterFile, 1) < 0) { - log_fn(LOG_ERR,"Error loading router list '%s'.", options.RouterFile); - return -1; - } - } else { - log_fn(LOG_INFO, "Loading internal default router list."); - if (config_assign_default_dirservers() < 0) - return -1; - } if (get_data_directory(&options)) { char *s; snprintf(filename,sizeof(filename),"%s/cached-directory", get_data_directory(&options)); @@ -70,7 +59,7 @@ int router_reload_router_list(void) if (router_load_routerlist_from_directory(s, NULL, 0) < 0) { log_fn(LOG_WARN, "Cached directory '%s' was unparseable; ignoring.", filename); } - if(routerlist->published_on > time(NULL) - OLD_MIN_ONION_KEY_LIFETIME/2) { + if( routerlist && routerlist->published_on > time(NULL) - OLD_MIN_ONION_KEY_LIFETIME/2) { /* XXX use new onion key lifetime when 0.0.8 servers are obsolete */ directory_has_arrived(); /* do things we've been waiting to do */ } 
@@ -84,22 +73,25 @@ int router_reload_router_list(void) * in our routerlist, set all the authoritative ones as running again, * and pick one. If there are no dirservers at all in our routerlist, * reload the routerlist and try one last time. */ -routerinfo_t *router_pick_directory_server(int requireauth, int requireothers) { +routerinfo_t *router_pick_directory_server(int requireothers) { routerinfo_t *choice; - choice = router_pick_directory_server_impl(requireauth, requireothers, options.FascistFirewall); + if (!routerlist) + + + choice = router_pick_directory_server_impl(requireothers, options.FascistFirewall); if(choice) return choice; - log_fn(LOG_INFO,"No dirservers are reachable. Trying them all again."); + log_fn(LOG_INFO,"No reachable router entries for dirservers. Trying them all again."); /* mark all authdirservers as up again */ mark_all_trusteddirservers_up(); /* try again */ - choice = router_pick_directory_server_impl(requireauth, requireothers, 0); + choice = router_pick_directory_server_impl(requireothers, options.FascistFirewall); if(choice) return choice; - log_fn(LOG_WARN,"Still no dirservers %s. Reloading and trying again.", + log_fn(LOG_INFO,"Still no %s router entries. Reloading and trying again.", options.FascistFirewall ? "reachable" : "known"); has_fetched_directory=0; /* reset it */ routerlist_clear_trusted_directories(); @@ -107,7 +99,7 @@ routerinfo_t *router_pick_directory_server(int requireauth, int requireothers) { return NULL; } /* give it one last try */ - choice = router_pick_directory_server_impl(requireauth, requireothers, 0); + choice = router_pick_directory_server_impl(requireothers, 0); return choice; } 
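Review bot: The added `if (!routerlist)` at the top of `router_pick_directory_server` has no statement of its own in the diff as shown (only blank added lines follow), so it governs the first `choice = router_pick_directory_server_impl(requireothers, options.FascistFirewall);`. The first lookup therefore runs only when there is no routerlist, and when one exists `choice` is tested by `if(choice)` while still uninitialised, so a garbage pointer can be returned as the directory server. The guard needs an explicit body matching the intended behaviour, and the declaration should become `routerinfo_t *choice = NULL;` either way. Separately, the second attempt now passes `options.FascistFirewall` again after `mark_all_trusteddirservers_up()`; if that helper only touches the trusted-server list (its body is not shown), the retry repeats the first lookup unchanged.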
@@ -143,7 +135,7 @@ trusted_dir_server_t *router_pick_trusteddirserver(int requireothers) { * it has to be a trusted server. If requireothers, it cannot be us. */ static routerinfo_t * -router_pick_directory_server_impl(int requireauth, int requireothers, int fascistfirewall) +router_pick_directory_server_impl(int requireothers, int fascistfirewall) { int i; routerinfo_t *router; @@ -159,8 +151,6 @@ router_pick_directory_server_impl(int requireauth, int requireothers, int fascis router = smartlist_get(routerlist->routers, i); if(!router->is_running || !router->dir_port) continue; - if(requireauth && !router->is_trusted_dir) - continue; if(requireothers && router_is_me(router)) continue; if(fascistfirewall) { @@ -224,24 +214,11 @@ static void mark_all_trusteddirservers_up(void) { /** Return 0 if \exists an authoritative dirserver that's currently * thought to be running, else return 1. */ -int all_directory_servers_down(void) { - int i; - routerinfo_t *router; - if(!routerlist) - return 1; /* if no dirservers, I guess they're all down */ - for(i=0;i< smartlist_len(routerlist->routers); i++) { - router = smartlist_get(routerlist->routers, i); - if(router->is_running && router->is_trusted_dir) { - tor_assert(router->dir_port > 0); - return 0; - } - } - /* XXXX NM look at trusted_dir_servers instead. +int all_trusted_directory_servers_down(void) { if (!trusted_dir_servers) return 1; SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, dir, if (dir->is_running) return 0); - */ return 1; } 
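Review bot: The doc comment kept above `router_pick_directory_server_impl` still ends with "it has to be a trusted server. If requireothers, it cannot be us.", which describes the `requireauth` parameter that this hunk removes. The comment starts outside the hunk, so only its tail is visible, but it should be reworded so readers do not assume the function still filters on `is_trusted_dir`, for example `/** Pick a running router with a non-zero dir_port. If requireothers, it cannot be us. */`. This matters because callers that need an authority are now expected to use `router_pick_trusteddirserver` instead.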
@@ -680,15 +657,14 @@ int router_add_to_routerlist(routerinfo_t *router) { */ for (i = 0; i < smartlist_len(routerlist->routers); ++i) { r = smartlist_get(routerlist->routers, i); + + r->is_trusted_dir = router_digest_is_trusted_dir(r->identity_digest); + if (!crypto_pk_cmp_keys(router->identity_pkey, r->identity_pkey)) { if (router->published_on > r->published_on) { log_fn(LOG_DEBUG, "Replacing entry for router '%s/%s' [%s]", router->nickname, r->nickname, hex_str(id_digest,DIGEST_LEN)); /* Remember whether we trust this router as a dirserver. */ - /*XXXXNM first test is redundant; second should move elsewhere */ - if (r->is_trusted_dir || - router_digest_is_trusted_dir(router->identity_digest)) - router->is_trusted_dir = 1; /* If the address hasn't changed; no need to re-resolve. */ if (!strcasecmp(r->address, router->address)) router->addr = r->addr; @@ -698,10 +674,6 @@ int router_add_to_routerlist(routerinfo_t *router) { } else { log_fn(LOG_DEBUG, "Skipping old entry for router '%s'", router->nickname); - /* If we now trust 'router', then we trust the one in the routerlist - * too. */ - if (router->is_trusted_dir) - r->is_trusted_dir = 1; /* Update the is_running status to whatever we were told. */ r->is_running = router->is_running; routerinfo_free(router); @@ -803,7 +775,6 @@ void routerlist_clear_trusted_directories(void) SMARTLIST_FOREACH(routerlist->routers, routerinfo_t *, r, r->is_trusted_dir = 0); } - clear_trusted_dir_servers(); } /** Helper function: read routerinfo elements from s, and throw out the @@ -1154,7 +1125,7 @@ void add_trusted_dir_server(const char *addr, uint16_t port, const char *digest) ent = tor_malloc(sizeof(trusted_dir_server_t)); ent->address = tor_strdup(addr); - ent->addr = a; + ent->addr = ntohl(a); ent->dir_port = port; ent->is_running = 1; memcpy(ent->digest, digest, DIGEST_LEN); -- cgit v1.2.3
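Review bot: In `router_add_to_routerlist` the flag is now recomputed for each existing entry `r`, but nothing in the hunk sets it on the incoming `router`, and the comment "Remember whether we trust this router as a dirserver." is left with no code under it. When the newer descriptor replaces `r`, the stored entry keeps whatever `is_trusted_dir` the parser gave it, unless it is assigned somewhere outside the hunk. Setting it once before the loop, `router->is_trusted_dir = router_digest_is_trusted_dir(router->identity_digest);`, would cover both the replace path and the append path, and the stale comment can then be dropped. The loop also appears to stop at the first key match, so entries after it are not refreshed by the per-iteration assignment.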