Commit 0d5a847f authored by Nick Mathewson's avatar Nick Mathewson 🎨
Browse files

Remove need for dirservers file: now, we note trusted dirservers in...

Remove need for dirservers file: now, we note trusted dirservers in configuration options, and only need to remember addr:port and key digest for each one.


svn:r2479
parent 55634e4e
......@@ -13,8 +13,8 @@ ARMA - arma claims
0.0.9pre2:
R . bandwidth buckets for write as well as read.
N - switch dirservers entries to config lines.
N - add three default dirplaces if we parse the whole torrc and
o switch dirservers entries to config lines.
o add three default dirplaces if we parse the whole torrc and
no dirplaces are specified.
N - Handle rendezvousing with unverified nodes.
- Specify: Stick rendezvous point's key in INTRODUCE cell.
......
confdir = $(sysconfdir)/tor
EXTRA_DIST = dirservers
EXTRA_DIST =
conf_DATA = dirservers torrc.sample
conf_DATA = torrc.sample
# Configuration file for a typical tor user
# List of routers. Tor nodes start out knowing about the directory
# servers, and from them they get a list of currently up nodes.
RouterFile @CONFDIR@/dirservers
# Replace this with "SocksPort 0" if you don't want clients to connect.
SocksPort 9050
SocksBindAddress 127.0.0.1 # accept connections only from localhost
......@@ -37,6 +33,14 @@ AllowUnverifiedNodes middle,rendezvous
# Uncomment this to start the process in the background
#RunAsDaemon 1
# The three trusted directory servers on the current Tor network. The entries
# below are for moria1, moria2, and tor26 respectively. Tor only trusts
# directories signed with one of these three keys, and uses the given addresses
# to conntect to the trusted directory servers.
DirServer 18.244.0.188:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441
DirServer 18.244.0.188:9032 719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF
DirServer 62.116.124.106:9030 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D
##################### Below is just for servers #####################
## NOTE: If you enable these, you should consider mailing your
......
......@@ -282,124 +282,6 @@ static int config_assign(or_options_t *options, struct config_line_t *list) {
return 0;
}
const char default_dirservers_string[] =
"router moria1 18.244.0.188 9001 9021 9031\n"
"platform Tor 0.0.6rc1 on Linux moria.mit.edu i686\n"
"published 2004-04-25 21:54:28\n"
"bandwidth 800000 10000000\n"
"onion-key\n"
"-----BEGIN RSA PUBLIC KEY-----\n"
"MIGJAoGBANoIvHieyHUTzIacbnWOnyTyzGrLOdXqbcjz2GGMxyHEd5K1bO1ZBNHP\n"
"9i5qLQpN5viFk2K2rEGuG8tFgDEzSWZEtBqv3NVfUdiumdERWMBwlaQ0MVK4C+jf\n"
"y5gZ8KI3o9ZictgPS1AQF+Kk932/vIHTuRIUKb4ILTnQilNvID0NAgMBAAE=\n"
"-----END RSA PUBLIC KEY-----\n"
"signing-key\n"
"-----BEGIN RSA PUBLIC KEY-----\n"
"MIGJAoGBAMHa0ZC/jo2Q2DrwKYF/6ZbmZ27PFYG91u4gUzzmZ/VXLpZ8wNzEV3oW\n"
"nt+I61048fBiC1frT1/DZ351n2bLSk9zJbB6jyGZJn0380FPRX3+cXyXS0Gq8Ril\n"
"xkhMQf5XuNFUb8UmYPSOH4WErjvYjKvU+gfjbK/82Jo9SuHpYz+BAgMBAAE=\n"
"-----END RSA PUBLIC KEY-----\n"
"reject 0.0.0.0/255.0.0.0:*\n"
"reject 169.254.0.0/255.255.0.0:*\n"
"reject 127.0.0.0/255.0.0.0:*\n"
"reject 192.168.0.0/255.255.0.0:*\n"
"reject 10.0.0.0/255.0.0.0:*\n"
"reject 172.16.0.0/255.240.0.0:*\n"
"accept *:20-22\n"
"accept *:53\n"
"accept *:79-80\n"
"accept *:110\n"
"accept *:143\n"
"accept *:443\n"
"accept *:873\n"
"accept *:993\n"
"accept *:995\n"
"accept *:1024-65535\n"
"reject *:*\n"
"router-signature\n"
"-----BEGIN SIGNATURE-----\n"
"o1eAoRHDAEAXsnh5wN++vIwrupd+DbAJ2p3wxHDrmqxTpygzxxCnyQyhMfX03ua2\n"
"4iplyNlwyFwzWcw0sk31otlO2HBYXT1V9G0YxGtKMOeOBMHjfGbUjGvEALHzWi4z\n"
"8DXGJp13zgnUyP4ZA6xaGROwcT6oB5e7UlztvvpGxTg=\n"
"-----END SIGNATURE-----\n"
"\n"
"router moria2 18.244.0.188 9002 9022 9032\n"
"platform Tor 0.0.6rc1 on Linux moria.mit.edu i686\n"
"published 2004-04-25 21:54:30\n"
"bandwidth 800000 10000000\n"
"onion-key\n"
"-----BEGIN RSA PUBLIC KEY-----\n"
"MIGJAoGBAM4Cc/npgYC54XrYLC+grVxJp7PDmNO2DRRJOxKttBBtvLpnR1UaueTi\n"
"kyknT5kmlx+ihgZF/jmye//2dDUp2+kK/kSkpRV4xnDLXZmed+sNSQxqmm9TtZQ9\n"
"/hjpxhp5J9HmUTYhntBs+4E4CUKokmrI6oRLoln4SA39AX9QLPcnAgMBAAE=\n"
"-----END RSA PUBLIC KEY-----\n"
"signing-key\n"
"-----BEGIN RSA PUBLIC KEY-----\n"
"MIGJAoGBAOcrht/y5rkaahfX7sMe2qnpqoPibsjTSJaDvsUtaNP/Bq0MgNDGOR48\n"
"rtwfqTRff275Edkp/UYw3G3vSgKCJr76/bqOHCmkiZrnPV1zxNfrK18gNw2Cxre0\n"
"nTA+fD8JQqpPtb8b0SnG9kwy75eS//sRu7TErie2PzGMxrf9LH0LAgMBAAE=\n"
"-----END RSA PUBLIC KEY-----\n"
"reject 0.0.0.0/255.0.0.0:*\n"
"reject 169.254.0.0/255.255.0.0:*\n"
"reject 127.0.0.0/255.0.0.0:*\n"
"reject 192.168.0.0/255.255.0.0:*\n"
"reject 10.0.0.0/255.0.0.0:*\n"
"reject 172.16.0.0/255.240.0.0:*\n"
"accept *:20-22\n"
"accept *:53\n"
"accept *:79-80\n"
"accept *:110\n"
"accept *:143\n"
"accept *:443\n"
"accept *:873\n"
"accept *:993\n"
"accept *:995\n"
"accept *:1024-65535\n"
"reject *:*\n"
"router-signature\n"
"-----BEGIN SIGNATURE-----\n"
"RKROLwP1ExjTZeg6wuN0pzYqed9IJUd5lAe9hp4ritbnmJAgS6qfww6jgx61CfUR\n"
"6SElhOLE7Q77jAdoL45Ji5pn/Y+Q+E+5lJm1E/ed9ha+YsOPaOc7z6GQ7E4mihCL\n"
"gI1vsw92+P1Ty4RHj6fyD9DhbV19nh2Qs+pvGJOS2FY=\n"
"-----END SIGNATURE-----\n"
"\n"
"router tor26 62.116.124.106 9001 9050 9030\n"
"platform Tor 0.0.6 on Linux seppia i686\n"
"published 2004-05-06 21:33:23\n"
"bandwidth 500000 10000000\n"
"onion-key\n"
"-----BEGIN RSA PUBLIC KEY-----\n"
"MIGJAoGBAMEHdDnpj3ik1AF1xe/VqjoguH2DbANifYqXXfempu0fS+tU9FGo6dU/\n"
"fnVHAZwL9Ek9k2rMzumShi1RduK9p035R/Gk+PBBcLfvwYJ/Nat+ZO/L8jn/3bZe\n"
"ieQd9CKj2LjNGKpRNry37vkwMGIOIlegwK+2us8aXJ7sIvlNts0TAgMBAAE=\n"
"-----END RSA PUBLIC KEY-----\n"
"signing-key\n"
"-----BEGIN RSA PUBLIC KEY-----\n"
"MIGJAoGBAMQgV2gXLbXgesWgeAsj8P1Uvm/zibrFXqwDq27lLKNgWGYGX2ax3LyT\n"
"3nzI1Y5oLs4kPKTsMM5ft9aokwf417lKoCRlZc9ptfRbgxDx90c9GtWVmkrmDvCK\n"
"ae59TMoXIiGfZiwWT6KKq5Zm9/Fu2Il3B2vHGkKJYKixmiBJRKp/AgMBAAE=\n"
"-----END RSA PUBLIC KEY-----\n"
"accept 62.245.184.24:25\n"
"accept 62.116.124.106:6666-6670\n"
"accept *:48099\n"
"reject *:*\n"
"router-signature\n"
"-----BEGIN SIGNATURE-----\n"
"qh/xRoqfLNFzPaB8VdpbdMAwRyuk5qjx4LeLVQ2pDwTZ55PqmG99+VKUNte2WTTD\n"
"7dZEA7um2rueohGe4nYmvbhJWr20/I0ZxmWDRDvFy0b5nwzDMGvLvDw95Zu/XJQ2\n"
"md32NE3y9VZCfbCN+GlvETX3fdR3Svzcm8Kzesg2/s4=\n"
"-----END SIGNATURE-----\n"
;
int config_assign_default_dirservers(void) {
if(router_load_routerlist_from_string(default_dirservers_string, 1) < 0) {
log_fn(LOG_WARN,"Bug: the default dirservers internal string is corrupt.");
return -1;
}
return 0;
}
static void add_default_trusted_dirservers(void) {
/* moria1 */
parse_dir_server_line("18.244.0.188:9031 "
......@@ -894,7 +776,6 @@ int getconfig(int argc, char **argv, or_options_t *options) {
}
}
clear_trusted_dir_servers();
if (!options->DirServers) {
add_default_trusted_dirservers();
......
......@@ -738,7 +738,8 @@ int connection_handle_read(connection_t *conn) {
/* it's a directory server and connecting failed: forget about this router */
/* XXX I suspect pollerr may make Windows not get to this point. :( */
router_mark_as_down(conn->identity_digest);
if(conn->purpose == DIR_PURPOSE_FETCH_DIR && !all_directory_servers_down()) {
if(conn->purpose == DIR_PURPOSE_FETCH_DIR &&
!all_trusted_directory_servers_down()) {
log_fn(LOG_INFO,"Giving up on dirserver %s; trying another.", conn->address);
directory_get_from_dirserver(DIR_PURPOSE_FETCH_DIR, NULL, 0);
}
......
......@@ -105,20 +105,18 @@ directory_get_from_dirserver(uint8_t purpose, const char *payload,
if (purpose == DIR_PURPOSE_FETCH_DIR) {
if (advertised_server_mode()) {
/* only ask authdirservers, and don't ask myself */
r = router_pick_directory_server(1, 1);
/* XXXX NM Enable this once we actually set keys for dirservers.
* ds = router_pick_trusteddirserver(1);
*/
ds = router_pick_trusteddirserver(1);
} else {
/* anybody with a non-zero dirport will do */
r = router_pick_directory_server(0, 1);
r = router_pick_directory_server(1);
if (!r) {
log_fn(LOG_INFO, "No router found for directory; falling back to dirserver list");
ds = router_pick_trusteddirserver(1);
}
}
} else { // (purpose == DIR_PURPOSE_FETCH_RENDDESC)
/* only ask authdirservers, any of them will do */
r = router_pick_directory_server(1, 0);
/* XXXX NM Enable this once we actually set keys for dirservers.
* ds = router_pick_trusteddirserver(0);
*/
ds = router_pick_trusteddirserver(0);
}
if (r)
......@@ -152,7 +150,7 @@ static void
directory_initiate_command_trusted_dir(trusted_dir_server_t *dirserv,
uint8_t purpose, const char *payload, int payload_len)
{
directory_initiate_command(dirserv->address, dirserv->addr, dirserv->dir_port,
directory_initiate_command(dirserv->address, dirserv->addr,dirserv->dir_port,
NULL, dirserv->digest, purpose, payload, payload_len);
}
......@@ -212,7 +210,8 @@ directory_initiate_command(const char *address, uint32_t addr,
switch(connection_connect(conn, conn->address, conn->addr, conn->port)) {
case -1:
router_mark_as_down(conn->identity_digest); /* don't try him again */
if(purpose == DIR_PURPOSE_FETCH_DIR && !all_directory_servers_down()) {
if(purpose == DIR_PURPOSE_FETCH_DIR &&
!all_trusted_directory_servers_down()) {
log_fn(LOG_INFO,"Giving up on dirserver %s; trying another.", conn->nickname);
directory_get_from_dirserver(purpose, payload, payload_len);
}
......
......@@ -1411,9 +1411,9 @@ typedef struct trusted_dir_server_t {
} trusted_dir_server_t;
int router_reload_router_list(void);
routerinfo_t *router_pick_directory_server(int requireauth, int requireothers);
routerinfo_t *router_pick_directory_server(int requireothers);
trusted_dir_server_t *router_pick_trusteddirserver(int requireothers);
int all_directory_servers_down(void);
int all_trusted_directory_servers_down(void);
struct smartlist_t;
void routerlist_add_friends(struct smartlist_t *sl, routerinfo_t *router);
void add_nickname_list_to_smartlist(struct smartlist_t *sl, const char *list, int warn_if_down);
......
......@@ -228,6 +228,7 @@ int init_keys(void) {
char *cp;
const char *tmp, *mydesc, *datadir;
crypto_pk_env_t *prkey;
char digest[20];
if (!key_lock)
key_lock = tor_mutex_new();
......@@ -345,6 +346,16 @@ int init_keys(void) {
log_fn(LOG_ERR, "Error loading fingerprints");
return -1;
}
/* 6b. [authdirserver only] add own key to approved directories. */
crypto_pk_get_digest(get_identity_key(), digest);
if (!router_digest_is_trusted_dir(digest)) {
uint32_t addr;
if(resolve_my_address(options.Address, &addr) < 0) {
log_fn(LOG_WARN,"options.Address didn't resolve into an IP.");
return -1;
}
add_trusted_dir_server(addr, options.DirPort, digest);
}
/* 7. [authdirserver only] load old directory, if it's there */
sprintf(keydir,"%s/cached-directory", datadir);
log_fn(LOG_INFO,"Loading cached directory from %s...",keydir);
......
......@@ -22,7 +22,7 @@ static smartlist_t *trusted_dir_servers = NULL;
/* static function prototypes */
static routerinfo_t *
router_pick_directory_server_impl(int requireauth, int requireothers, int fascistfirewall);
router_pick_directory_server_impl(int requireothers, int fascistfirewall);
static trusted_dir_server_t *
router_pick_trusteddirserver_impl(int requireother, int fascistfirewall);
static void mark_all_trusteddirservers_up(void);
......@@ -49,17 +49,6 @@ int router_reload_router_list(void)
{
char filename[512];
routerlist_clear_trusted_directories();
if (options.RouterFile) {
log_fn(LOG_INFO, "Loading router list from %s", options.RouterFile);
if (router_load_routerlist_from_file(options.RouterFile, 1) < 0) {
log_fn(LOG_ERR,"Error loading router list '%s'.", options.RouterFile);
return -1;
}
} else {
log_fn(LOG_INFO, "Loading internal default router list.");
if (config_assign_default_dirservers() < 0)
return -1;
}
if (get_data_directory(&options)) {
char *s;
snprintf(filename,sizeof(filename),"%s/cached-directory", get_data_directory(&options));
......@@ -70,7 +59,7 @@ int router_reload_router_list(void)
if (router_load_routerlist_from_directory(s, NULL, 0) < 0) {
log_fn(LOG_WARN, "Cached directory '%s' was unparseable; ignoring.", filename);
}
if(routerlist->published_on > time(NULL) - OLD_MIN_ONION_KEY_LIFETIME/2) {
if( routerlist && routerlist->published_on > time(NULL) - OLD_MIN_ONION_KEY_LIFETIME/2) {
/* XXX use new onion key lifetime when 0.0.8 servers are obsolete */
directory_has_arrived(); /* do things we've been waiting to do */
}
......@@ -84,22 +73,25 @@ int router_reload_router_list(void)
* in our routerlist, set all the authoritative ones as running again,
* and pick one. If there are no dirservers at all in our routerlist,
* reload the routerlist and try one last time. */
routerinfo_t *router_pick_directory_server(int requireauth, int requireothers) {
routerinfo_t *router_pick_directory_server(int requireothers) {
routerinfo_t *choice;
choice = router_pick_directory_server_impl(requireauth, requireothers, options.FascistFirewall);
if (!routerlist)
choice = router_pick_directory_server_impl(requireothers, options.FascistFirewall);
if(choice)
return choice;
log_fn(LOG_INFO,"No dirservers are reachable. Trying them all again.");
log_fn(LOG_INFO,"No reachable router entries for dirservers. Trying them all again.");
/* mark all authdirservers as up again */
mark_all_trusteddirservers_up();
/* try again */
choice = router_pick_directory_server_impl(requireauth, requireothers, 0);
choice = router_pick_directory_server_impl(requireothers, options.FascistFirewall);
if(choice)
return choice;
log_fn(LOG_WARN,"Still no dirservers %s. Reloading and trying again.",
log_fn(LOG_INFO,"Still no %s router entries. Reloading and trying again.",
options.FascistFirewall ? "reachable" : "known");
has_fetched_directory=0; /* reset it */
routerlist_clear_trusted_directories();
......@@ -107,7 +99,7 @@ routerinfo_t *router_pick_directory_server(int requireauth, int requireothers) {
return NULL;
}
/* give it one last try */
choice = router_pick_directory_server_impl(requireauth, requireothers, 0);
choice = router_pick_directory_server_impl(requireothers, 0);
return choice;
}
......@@ -143,7 +135,7 @@ trusted_dir_server_t *router_pick_trusteddirserver(int requireothers) {
* it has to be a trusted server. If requireothers, it cannot be us.
*/
static routerinfo_t *
router_pick_directory_server_impl(int requireauth, int requireothers, int fascistfirewall)
router_pick_directory_server_impl(int requireothers, int fascistfirewall)
{
int i;
routerinfo_t *router;
......@@ -159,8 +151,6 @@ router_pick_directory_server_impl(int requireauth, int requireothers, int fascis
router = smartlist_get(routerlist->routers, i);
if(!router->is_running || !router->dir_port)
continue;
if(requireauth && !router->is_trusted_dir)
continue;
if(requireothers && router_is_me(router))
continue;
if(fascistfirewall) {
......@@ -224,24 +214,11 @@ static void mark_all_trusteddirservers_up(void) {
/** Return 0 if \exists an authoritative dirserver that's currently
* thought to be running, else return 1.
*/
int all_directory_servers_down(void) {
int i;
routerinfo_t *router;
if(!routerlist)
return 1; /* if no dirservers, I guess they're all down */
for(i=0;i< smartlist_len(routerlist->routers); i++) {
router = smartlist_get(routerlist->routers, i);
if(router->is_running && router->is_trusted_dir) {
tor_assert(router->dir_port > 0);
return 0;
}
}
/* XXXX NM look at trusted_dir_servers instead.
int all_trusted_directory_servers_down(void) {
if (!trusted_dir_servers)
return 1;
SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, dir,
if (dir->is_running) return 0);
*/
return 1;
}
......@@ -680,15 +657,14 @@ int router_add_to_routerlist(routerinfo_t *router) {
*/
for (i = 0; i < smartlist_len(routerlist->routers); ++i) {
r = smartlist_get(routerlist->routers, i);
r->is_trusted_dir = router_digest_is_trusted_dir(r->identity_digest);
if (!crypto_pk_cmp_keys(router->identity_pkey, r->identity_pkey)) {
if (router->published_on > r->published_on) {
log_fn(LOG_DEBUG, "Replacing entry for router '%s/%s' [%s]",
router->nickname, r->nickname, hex_str(id_digest,DIGEST_LEN));
/* Remember whether we trust this router as a dirserver. */
/*XXXXNM first test is redundant; second should move elsewhere */
if (r->is_trusted_dir ||
router_digest_is_trusted_dir(router->identity_digest))
router->is_trusted_dir = 1;
/* If the address hasn't changed; no need to re-resolve. */
if (!strcasecmp(r->address, router->address))
router->addr = r->addr;
......@@ -698,10 +674,6 @@ int router_add_to_routerlist(routerinfo_t *router) {
} else {
log_fn(LOG_DEBUG, "Skipping old entry for router '%s'",
router->nickname);
/* If we now trust 'router', then we trust the one in the routerlist
* too. */
if (router->is_trusted_dir)
r->is_trusted_dir = 1;
/* Update the is_running status to whatever we were told. */
r->is_running = router->is_running;
routerinfo_free(router);
......@@ -803,7 +775,6 @@ void routerlist_clear_trusted_directories(void)
SMARTLIST_FOREACH(routerlist->routers, routerinfo_t *, r,
r->is_trusted_dir = 0);
}
clear_trusted_dir_servers();
}
/** Helper function: read routerinfo elements from s, and throw out the
......@@ -1154,7 +1125,7 @@ void add_trusted_dir_server(const char *addr, uint16_t port, const char *digest)
ent = tor_malloc(sizeof(trusted_dir_server_t));
ent->address = tor_strdup(addr);
ent->addr = a;
ent->addr = ntohl(a);
ent->dir_port = port;
ent->is_running = 1;
memcpy(ent->digest, digest, DIGEST_LEN);
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment