policies.c 56.5 KB
Newer Older
1
/* Copyright (c) 2001-2004, Roger Dingledine.
2
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3
 * Copyright (c) 2007-2013, The Tor Project, Inc. */
4
5
6
7
8
9
10
11
/* See LICENSE for licensing information */

/**
 * \file policies.c
 * \brief Code to parse and use address policies and exit policies.
 **/

#include "or.h"
Sebastian Hahn's avatar
Sebastian Hahn committed
12
#include "config.h"
Sebastian Hahn's avatar
Sebastian Hahn committed
13
#include "dirserv.h"
14
#include "nodelist.h"
Sebastian Hahn's avatar
Sebastian Hahn committed
15
#include "policies.h"
16
#include "router.h"
Sebastian Hahn's avatar
Sebastian Hahn committed
17
#include "routerparse.h"
18
#include "geoip.h"
19
#include "ht.h"
20

21
/** Policy that addresses for incoming SOCKS connections must match. */
22
static smartlist_t *socks_policy = NULL;
23
/** Policy that addresses for incoming directory connections must match. */
24
static smartlist_t *dir_policy = NULL;
25
26
/** Policy that addresses for incoming router descriptors must match in order
 * to be published by us. */
27
static smartlist_t *authdir_reject_policy = NULL;
28
29
/** Policy that addresses for incoming router descriptors must match in order
 * to be marked as valid in our networkstatus. */
30
static smartlist_t *authdir_invalid_policy = NULL;
31
32
/** Policy that addresses for incoming router descriptors must <b>not</b>
 * match in order to not be marked as BadDirectory. */
33
static smartlist_t *authdir_baddir_policy = NULL;
34
35
/** Policy that addresses for incoming router descriptors must <b>not</b>
 * match in order to not be marked as BadExit. */
36
static smartlist_t *authdir_badexit_policy = NULL;
37
38
39

/** Parsed addr_policy_t describing which addresses we believe we can start
 * circuits at. */
40
static smartlist_t *reachable_or_addr_policy = NULL;
41
42
/** Parsed addr_policy_t describing which addresses we believe we can connect
 * to directories at. */
43
44
static smartlist_t *reachable_dir_addr_policy = NULL;

45
46
47
48
49
/** Element of an exit policy summary */
typedef struct policy_summary_item_t {
    uint16_t prt_min; /**< Lowest port number to accept/reject. */
    uint16_t prt_max; /**< Highest port number to accept/reject. */
    uint64_t reject_count; /**< Number of IP-Addresses that are rejected to
Nick Mathewson's avatar
Nick Mathewson committed
50
                                this port range. */
51
    unsigned int accepted:1; /** Has this port already been accepted */
52
53
} policy_summary_item_t;

54
55
56
57
58
59
60
61
62
/** Private networks.  This list is used in two places, once to expand the
 *  "private" keyword when parsing our own exit policy, secondly to ignore
 *  just such networks when building exit policy summaries.  It is important
 *  that all authorities agree on that list when creating summaries, so don't
 *  just change this without a proper migration plan and a proposal and stuff.
 */
static const char *private_nets[] = {
  "0.0.0.0/8", "169.254.0.0/16",
  "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
63
64
65
66
  "[::]/8",
  "[fc00::]/7", "[fe80::]/10", "[fec0::]/10", "[ff00::]/8", "[::]/127",
  NULL
};
67

68
69
70
71
72
73
74
75
76
77
/** Replace all "private" entries in *<b>policy</b> with their expanded
 * equivalents. */
void
policy_expand_private(smartlist_t **policy)
{
  uint16_t port_min, port_max;

  int i;
  smartlist_t *tmp;

78
  if (!*policy) /*XXXX disallow NULL policies? */
79
80
    return;

81
  tmp = smartlist_new();
82

83
  SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
84
85
86
87
88
     if (! p->is_private) {
       smartlist_add(tmp, p);
       continue;
     }
     for (i = 0; private_nets[i]; ++i) {
89
90
91
92
       addr_policy_t newpolicy;
       memcpy(&newpolicy, p, sizeof(addr_policy_t));
       newpolicy.is_private = 0;
       newpolicy.is_canonical = 0;
93
94
       if (tor_addr_parse_mask_ports(private_nets[i], 0,
                               &newpolicy.addr,
95
                               &newpolicy.maskbits, &port_min, &port_max)<0) {
96
97
         tor_assert(0);
       }
98
       smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy));
99
100
     }
     addr_policy_free(p);
101
  } SMARTLIST_FOREACH_END(p);
102
103
104
105

  smartlist_free(*policy);
  *policy = tmp;
}
106

107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
/** Expand each of the AF_UNSPEC elements in *<b>policy</b> (which indicate
 * protocol-neutral wildcards) into a pair of wildcard elements: one IPv4-
 * specific and one IPv6-specific. */
void
policy_expand_unspec(smartlist_t **policy)
{
  smartlist_t *tmp;
  if (!*policy)
    return;

  tmp = smartlist_new();
  SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
    sa_family_t family = tor_addr_family(&p->addr);
    if (family == AF_INET6 || family == AF_INET || p->is_private) {
      smartlist_add(tmp, p);
    } else if (family == AF_UNSPEC) {
      addr_policy_t newpolicy_ipv4;
      addr_policy_t newpolicy_ipv6;
      memcpy(&newpolicy_ipv4, p, sizeof(addr_policy_t));
      memcpy(&newpolicy_ipv6, p, sizeof(addr_policy_t));
      newpolicy_ipv4.is_canonical = 0;
      newpolicy_ipv6.is_canonical = 0;
      if (p->maskbits != 0) {
        log_warn(LD_BUG, "AF_UNSPEC policy with maskbits==%d", p->maskbits);
        newpolicy_ipv4.maskbits = 0;
        newpolicy_ipv6.maskbits = 0;
      }
      tor_addr_from_ipv4h(&newpolicy_ipv4.addr, 0);
      tor_addr_from_ipv6_bytes(&newpolicy_ipv6.addr,
                               "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
      smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv4));
      smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv6));
      addr_policy_free(p);
    } else {
      log_warn(LD_BUG, "Funny-looking address policy with family %d", family);
      smartlist_add(tmp, p);
    }
  } SMARTLIST_FOREACH_END(p);

  smartlist_free(*policy);
  *policy = tmp;
}

150
151
152
/**
 * Given a linked list of config lines containing "allow" and "deny"
 * tokens, parse them and append the result to <b>dest</b>. Return -1
153
 * if any tokens are malformed (and don't append any), else return 0.
154
155
156
157
 *
 * If <b>assume_action</b> is nonnegative, then insert its action
 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
 * action.
158
159
 */
static int
160
parse_addr_policy(config_line_t *cfg, smartlist_t **dest,
161
162
                  int assume_action)
{
163
  smartlist_t *result;
164
  smartlist_t *entries;
165
  addr_policy_t *item;
166
167
168
169
170
  int r = 0;

  if (!cfg)
    return 0;

171
172
  result = smartlist_new();
  entries = smartlist_new();
173
174
175
  for (; cfg; cfg = cfg->next) {
    smartlist_split_string(entries, cfg->value, ",",
                           SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
176
    SMARTLIST_FOREACH_BEGIN(entries, const char *, ent) {
177
      log_debug(LD_CONFIG,"Adding new entry '%s'",ent);
178
179
180
      item = router_parse_addr_policy_item_from_string(ent, assume_action);
      if (item) {
        smartlist_add(result, item);
181
182
183
184
      } else {
        log_warn(LD_CONFIG,"Malformed policy '%s'.", ent);
        r = -1;
      }
185
    } SMARTLIST_FOREACH_END(ent);
186
187
188
189
    SMARTLIST_FOREACH(entries, char *, ent, tor_free(ent));
    smartlist_clear(entries);
  }
  smartlist_free(entries);
190
191
192
193
  if (r == -1) {
    addr_policy_list_free(result);
  } else {
    policy_expand_private(&result);
194
    policy_expand_unspec(&result);
195
196
197
198
199
200
201
202
203

    if (*dest) {
      smartlist_add_all(*dest, result);
      smartlist_free(result);
    } else {
      *dest = result;
    }
  }

204
205
206
207
  return r;
}

/** Helper: parse the Reachable(Dir|OR)?Addresses fields into
208
209
210
211
 * reachable_(or|dir)_addr_policy.  The options should already have
 * been validated by validate_addr_policies.
 */
static int
212
213
parse_reachable_addresses(void)
{
214
  const or_options_t *options = get_options();
215
  int ret = 0;
216
217
218
219
220
221
222
223

  if (options->ReachableDirAddresses &&
      options->ReachableORAddresses &&
      options->ReachableAddresses) {
    log_warn(LD_CONFIG,
             "Both ReachableDirAddresses and ReachableORAddresses are set. "
             "ReachableAddresses setting will be ignored.");
  }
224
  addr_policy_list_free(reachable_or_addr_policy);
225
226
227
228
229
230
231
232
233
234
235
  reachable_or_addr_policy = NULL;
  if (!options->ReachableORAddresses && options->ReachableAddresses)
    log_info(LD_CONFIG,
             "Using ReachableAddresses as ReachableORAddresses.");
  if (parse_addr_policy(options->ReachableORAddresses ?
                          options->ReachableORAddresses :
                          options->ReachableAddresses,
                        &reachable_or_addr_policy, ADDR_POLICY_ACCEPT)) {
    log_warn(LD_CONFIG,
             "Error parsing Reachable%sAddresses entry; ignoring.",
             options->ReachableORAddresses ? "OR" : "");
236
    ret = -1;
237
238
  }

239
  addr_policy_list_free(reachable_dir_addr_policy);
240
241
242
243
244
245
246
247
248
249
250
  reachable_dir_addr_policy = NULL;
  if (!options->ReachableDirAddresses && options->ReachableAddresses)
    log_info(LD_CONFIG,
             "Using ReachableAddresses as ReachableDirAddresses");
  if (parse_addr_policy(options->ReachableDirAddresses ?
                          options->ReachableDirAddresses :
                          options->ReachableAddresses,
                        &reachable_dir_addr_policy, ADDR_POLICY_ACCEPT)) {
    if (options->ReachableDirAddresses)
      log_warn(LD_CONFIG,
               "Error parsing ReachableDirAddresses entry; ignoring.");
251
    ret = -1;
252
  }
253
  return ret;
254
255
256
257
258
259
260
261
}

/** Return true iff the firewall options might block any address:port
 * combination.
 */
int
firewall_is_fascist_or(void)
{
262
  return reachable_or_addr_policy != NULL;
263
264
265
266
267
268
}

/** Return true iff <b>policy</b> (possibly NULL) will allow a
 * connection to <b>addr</b>:<b>port</b>.
 */
static int
269
addr_policy_permits_tor_addr(const tor_addr_t *addr, uint16_t port,
270
                            smartlist_t *policy)
271
272
{
  addr_policy_result_t p;
273
  p = compare_tor_addr_to_addr_policy(addr, port, policy);
274
275
276
277
278
279
280
281
282
283
284
285
286
  switch (p) {
    case ADDR_POLICY_PROBABLY_ACCEPTED:
    case ADDR_POLICY_ACCEPTED:
      return 1;
    case ADDR_POLICY_PROBABLY_REJECTED:
    case ADDR_POLICY_REJECTED:
      return 0;
    default:
      log_warn(LD_BUG, "Unexpected result: %d", (int)p);
      return 0;
  }
}

287
288
289
290
/** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
 * <b>addr</b>:<b>port</b>.  <b>addr</b> is an IPv4 address given in host
 * order. */
/* XXXX deprecate when possible. */
291
292
293
294
295
296
297
298
299
static int
addr_policy_permits_address(uint32_t addr, uint16_t port,
                            smartlist_t *policy)
{
  tor_addr_t a;
  tor_addr_from_ipv4h(&a, addr);
  return addr_policy_permits_tor_addr(&a, port, policy);
}

300
301
/** Return true iff we think our firewall will let us make an OR connection to
 * addr:port. */
302
int
303
fascist_firewall_allows_address_or(const tor_addr_t *addr, uint16_t port)
304
{
305
  return addr_policy_permits_tor_addr(addr, port,
306
307
308
                                     reachable_or_addr_policy);
}

309
310
/** Return true iff we think our firewall will let us make an OR connection to
 * <b>ri</b>. */
311
int
312
fascist_firewall_allows_or(const routerinfo_t *ri)
313
{
314
  /* XXXX proposal 118 */
315
316
317
318
319
  tor_addr_t addr;
  tor_addr_from_ipv4h(&addr, ri->addr);
  return fascist_firewall_allows_address_or(&addr, ri->or_port);
}

320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
/** Return true iff we think our firewall will let us make an OR connection to
 * <b>node</b>. */
int
fascist_firewall_allows_node(const node_t *node)
{
  if (node->ri) {
    return fascist_firewall_allows_or(node->ri);
  } else if (node->rs) {
    tor_addr_t addr;
    tor_addr_from_ipv4h(&addr, node->rs->addr);
    return fascist_firewall_allows_address_or(&addr, node->rs->or_port);
  } else {
    return 1;
  }
}

336
337
/** Return true iff we think our firewall will let us make a directory
 * connection to addr:port. */
338
int
339
fascist_firewall_allows_address_dir(const tor_addr_t *addr, uint16_t port)
340
{
341
342
  return addr_policy_permits_tor_addr(addr, port,
                                      reachable_dir_addr_policy);
343
344
345
346
347
348
}

/** Return 1 if <b>addr</b> is permitted to connect to our dir port,
 * based on <b>dir_policy</b>. Else return 0.
 */
int
349
dir_policy_permits_address(const tor_addr_t *addr)
350
{
351
  return addr_policy_permits_tor_addr(addr, 1, dir_policy);
352
353
354
355
356
357
}

/** Return 1 if <b>addr</b> is permitted to connect to our socks port,
 * based on <b>socks_policy</b>. Else return 0.
 */
int
358
socks_policy_permits_address(const tor_addr_t *addr)
359
{
360
  return addr_policy_permits_tor_addr(addr, 1, socks_policy);
361
362
}

363
/** Return true iff the address <b>addr</b> is in a country listed in the
364
 * case-insensitive list of country codes <b>cc_list</b>. */
365
366
367
368
369
static int
addr_is_in_cc_list(uint32_t addr, const smartlist_t *cc_list)
{
  country_t country;
  const char *name;
nils's avatar
nils committed
370
371
  tor_addr_t tar;

372
373
  if (!cc_list)
    return 0;
374
  /* XXXXipv6 */
nils's avatar
nils committed
375
376
  tor_addr_from_ipv4h(&tar, addr);
  country = geoip_get_country_by_addr(&tar);
377
  name = geoip_get_country_name(country);
Nick Mathewson's avatar
Nick Mathewson committed
378
  return smartlist_contains_string_case(cc_list, name);
379
380
}

381
382
383
384
385
386
/** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
 */
int
authdir_policy_permits_address(uint32_t addr, uint16_t port)
{
387
388
  if (! addr_policy_permits_address(addr, port, authdir_reject_policy))
    return 0;
389
  return !addr_is_in_cc_list(addr, get_options()->AuthDirRejectCCs);
390
391
392
393
394
395
396
397
}

/** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
 */
int
authdir_policy_valid_address(uint32_t addr, uint16_t port)
{
398
399
  if (! addr_policy_permits_address(addr, port, authdir_invalid_policy))
    return 0;
400
  return !addr_is_in_cc_list(addr, get_options()->AuthDirInvalidCCs);
401
402
}

403
404
405
406
407
408
/** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
 * based on <b>authdir_baddir_policy</b>. Else return 0.
 */
int
authdir_policy_baddir_address(uint32_t addr, uint16_t port)
{
409
410
  if (! addr_policy_permits_address(addr, port, authdir_baddir_policy))
    return 1;
411
  return addr_is_in_cc_list(addr, get_options()->AuthDirBadDirCCs);
412
413
}

414
415
416
417
418
419
/** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
 * based on <b>authdir_badexit_policy</b>. Else return 0.
 */
int
authdir_policy_badexit_address(uint32_t addr, uint16_t port)
{
420
421
  if (! addr_policy_permits_address(addr, port, authdir_badexit_policy))
    return 1;
422
  return addr_is_in_cc_list(addr, get_options()->AuthDirBadExitCCs);
423
424
}

425
#define REJECT(arg) \
426
  STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
427

428
429
430
/** Config helper: If there's any problem with the policy configuration
 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
 * allocated description of the error. Else return 0. */
431
int
432
validate_addr_policies(const or_options_t *options, char **msg)
433
{
434
435
436
  /* XXXX Maybe merge this into parse_policies_from_options, to make sure
   * that the two can't go out of sync. */

437
  smartlist_t *addr_policy=NULL;
438
439
440
  *msg = NULL;

  if (policies_parse_exit_policy(options->ExitPolicy, &addr_policy,
441
                                 options->IPv6Exit,
442
                                 options->ExitPolicyRejectPrivate, 0,
Karsten Loesing's avatar
Karsten Loesing committed
443
                                 !options->BridgeRelay))
444
445
446
447
448
449
450
451
    REJECT("Error in ExitPolicy entry.");

  /* The rest of these calls *append* to addr_policy. So don't actually
   * use the results for anything other than checking if they parse! */
  if (parse_addr_policy(options->DirPolicy, &addr_policy, -1))
    REJECT("Error in DirPolicy entry.");
  if (parse_addr_policy(options->SocksPolicy, &addr_policy, -1))
    REJECT("Error in SocksPolicy entry.");
452
453
454
455
456
457
458
459
460
461
462
463
464
  if (parse_addr_policy(options->AuthDirReject, &addr_policy,
                        ADDR_POLICY_REJECT))
    REJECT("Error in AuthDirReject entry.");
  if (parse_addr_policy(options->AuthDirInvalid, &addr_policy,
                        ADDR_POLICY_REJECT))
    REJECT("Error in AuthDirInvalid entry.");
  if (parse_addr_policy(options->AuthDirBadDir, &addr_policy,
                        ADDR_POLICY_REJECT))
    REJECT("Error in AuthDirBadDir entry.");
  if (parse_addr_policy(options->AuthDirBadExit, &addr_policy,
                        ADDR_POLICY_REJECT))
    REJECT("Error in AuthDirBadExit entry.");

465
466
467
468
469
470
471
472
473
474
  if (parse_addr_policy(options->ReachableAddresses, &addr_policy,
                        ADDR_POLICY_ACCEPT))
    REJECT("Error in ReachableAddresses entry.");
  if (parse_addr_policy(options->ReachableORAddresses, &addr_policy,
                        ADDR_POLICY_ACCEPT))
    REJECT("Error in ReachableORAddresses entry.");
  if (parse_addr_policy(options->ReachableDirAddresses, &addr_policy,
                        ADDR_POLICY_ACCEPT))
    REJECT("Error in ReachableDirAddresses entry.");

Sebastian Hahn's avatar
Sebastian Hahn committed
475
 err:
476
  addr_policy_list_free(addr_policy);
477
478
479
480
  return *msg ? -1 : 0;
#undef REJECT
}

481
/** Parse <b>string</b> in the same way that the exit policy
482
483
484
 * is parsed, and put the processed version in *<b>policy</b>.
 * Ignore port specifiers.
 */
485
static int
486
487
load_policy_from_option(config_line_t *config, const char *option_name,
                        smartlist_t **policy,
488
489
                        int assume_action)
{
490
  int r;
491
  int killed_any_ports = 0;
492
  addr_policy_list_free(*policy);
493
  *policy = NULL;
494
  r = parse_addr_policy(config, policy, assume_action);
495
496
  if (r < 0) {
    return -1;
497
  }
498
  if (*policy) {
499
500
501
502
503
504
505
    SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, n) {
      /* ports aren't used in these. */
      if (n->prt_min > 1 || n->prt_max != 65535) {
        addr_policy_t newp, *c;
        memcpy(&newp, n, sizeof(newp));
        newp.prt_min = 1;
        newp.prt_max = 65535;
506
        newp.is_canonical = 0;
507
508
509
        c = addr_policy_get_canonical_entry(&newp);
        SMARTLIST_REPLACE_CURRENT(*policy, n, c);
        addr_policy_free(n);
510
        killed_any_ports = 1;
511
512
      }
    } SMARTLIST_FOREACH_END(n);
513
  }
514
515
516
  if (killed_any_ports) {
    log_warn(LD_CONFIG, "Ignoring ports in %s option.", option_name);
  }
517
  return 0;
518
519
}

520
/** Set all policies based on <b>options</b>, which should have been validated
521
522
 * first by validate_addr_policies. */
int
523
policies_parse_from_options(const or_options_t *options)
524
{
525
  int ret = 0;
526
527
  if (load_policy_from_option(options->SocksPolicy, "SocksPolicy",
                              &socks_policy, -1) < 0)
528
    ret = -1;
529
530
  if (load_policy_from_option(options->DirPolicy, "DirPolicy",
                              &dir_policy, -1) < 0)
531
    ret = -1;
532
  if (load_policy_from_option(options->AuthDirReject, "AuthDirReject",
533
534
                              &authdir_reject_policy, ADDR_POLICY_REJECT) < 0)
    ret = -1;
535
  if (load_policy_from_option(options->AuthDirInvalid, "AuthDirInvalid",
536
537
                              &authdir_invalid_policy, ADDR_POLICY_REJECT) < 0)
    ret = -1;
538
  if (load_policy_from_option(options->AuthDirBadDir, "AuthDirBadDir",
539
540
                              &authdir_baddir_policy, ADDR_POLICY_REJECT) < 0)
    ret = -1;
541
  if (load_policy_from_option(options->AuthDirBadExit, "AuthDirBadExit",
542
543
544
545
546
                              &authdir_badexit_policy, ADDR_POLICY_REJECT) < 0)
    ret = -1;
  if (parse_reachable_addresses() < 0)
    ret = -1;
  return ret;
547
548
549
550
551
552
553
554
555
556
}

/** Compare two provided address policy items, and return -1, 0, or 1
 * if the first is less than, equal to, or greater than the second. */
static int
cmp_single_addr_policy(addr_policy_t *a, addr_policy_t *b)
{
  int r;
  if ((r=((int)a->policy_type - (int)b->policy_type)))
    return r;
557
558
  if ((r=((int)a->is_private - (int)b->is_private)))
    return r;
559
  if ((r=tor_addr_compare(&a->addr, &b->addr, CMP_EXACT)))
560
    return r;
561
  if ((r=((int)a->maskbits - (int)b->maskbits)))
562
563
564
565
566
567
568
569
570
571
572
    return r;
  if ((r=((int)a->prt_min - (int)b->prt_min)))
    return r;
  if ((r=((int)a->prt_max - (int)b->prt_max)))
    return r;
  return 0;
}

/** Like cmp_single_addr_policy() above, but looks at the
 * whole set of policies in each case. */
int
573
cmp_addr_policies(smartlist_t *a, smartlist_t *b)
574
{
575
576
577
578
579
580
  int r, i;
  int len_a = a ? smartlist_len(a) : 0;
  int len_b = b ? smartlist_len(b) : 0;

  for (i = 0; i < len_a && i < len_b; ++i) {
    if ((r = cmp_single_addr_policy(smartlist_get(a, i), smartlist_get(b, i))))
581
582
      return r;
  }
583
  if (i == len_a && i == len_b)
584
    return 0;
585
  if (i < len_a)
586
587
588
589
590
    return -1;
  else
    return 1;
}

591
592
593
594
595
596
/** Node in hashtable used to store address policy entries. */
typedef struct policy_map_ent_t {
  HT_ENTRY(policy_map_ent_t) node;
  addr_policy_t *policy;
} policy_map_ent_t;

597
/* DOCDOC policy_root */
598
static HT_HEAD(policy_map, policy_map_ent_t) policy_root = HT_INITIALIZER();
599
600
601
602
603
604
605
606
607
608

/** Return true iff a and b are equal. */
static INLINE int
policy_eq(policy_map_ent_t *a, policy_map_ent_t *b)
{
  return cmp_single_addr_policy(a->policy, b->policy) == 0;
}

/** Return a hashcode for <b>ent</b> */
static unsigned int
609
policy_hash(const policy_map_ent_t *ent)
610
{
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
  const addr_policy_t *a = ent->policy;
  addr_policy_t aa;
  memset(&aa, 0, sizeof(aa));

  aa.prt_min = a->prt_min;
  aa.prt_max = a->prt_max;
  aa.maskbits = a->maskbits;
  aa.policy_type = a->policy_type;
  aa.is_private = a->is_private;

  if (a->is_private) {
    aa.is_private = 1;
  } else {
    tor_addr_copy_tight(&aa.addr, &a->addr);
  }
626

627
  return (unsigned) siphash24g(&aa, sizeof(aa));
628
629
630
631
}

HT_PROTOTYPE(policy_map, policy_map_ent_t, node, policy_hash,
             policy_eq)
632
633
HT_GENERATE2(policy_map, policy_map_ent_t, node, policy_hash,
             policy_eq, 0.6, tor_reallocarray_, tor_free_)
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650

/** Given a pointer to an addr_policy_t, return a copy of the pointer to the
 * "canonical" copy of that addr_policy_t; the canonical copy is a single
 * reference-counted object. */
addr_policy_t *
addr_policy_get_canonical_entry(addr_policy_t *e)
{
  policy_map_ent_t search, *found;
  if (e->is_canonical)
    return e;

  search.policy = e;
  found = HT_FIND(policy_map, &policy_root, &search);
  if (!found) {
    found = tor_malloc_zero(sizeof(policy_map_ent_t));
    found->policy = tor_memdup(e, sizeof(addr_policy_t));
    found->policy->is_canonical = 1;
651
    found->policy->refcnt = 0;
652
653
654
655
656
657
658
659
    HT_INSERT(policy_map, &policy_root, found);
  }

  tor_assert(!cmp_single_addr_policy(found->policy, e));
  ++found->policy->refcnt;
  return found->policy;
}

660
661
662
663
664
665
666
667
668
669
670
/** Helper for compare_tor_addr_to_addr_policy.  Implements the case where
 * addr and port are both known. */
static addr_policy_result_t
compare_known_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port,
                                      const smartlist_t *policy)
{
  /* We know the address and port, and we know the policy, so we can just
   * compute an exact match. */
  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
    /* Address is known */
    if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
671
                                 CMP_EXACT)) {
672
673
674
675
      if (port >= tmpe->prt_min && port <= tmpe->prt_max) {
        /* Exact match for the policy */
        return tmpe->policy_type == ADDR_POLICY_ACCEPT ?
          ADDR_POLICY_ACCEPTED : ADDR_POLICY_REJECTED;
676
      }
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
    }
  } SMARTLIST_FOREACH_END(tmpe);

  /* accept all by default. */
  return ADDR_POLICY_ACCEPTED;
}

/** Helper for compare_tor_addr_to_addr_policy.  Implements the case where
 * addr is known but port is not. */
static addr_policy_result_t
compare_known_tor_addr_to_addr_policy_noport(const tor_addr_t *addr,
                                             const smartlist_t *policy)
{
  /* We look to see if there's a definite match.  If so, we return that
     match's value, unless there's an intervening possible match that says
     something different. */
  int maybe_accept = 0, maybe_reject = 0;

  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
    if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
697
                                 CMP_EXACT)) {
698
699
700
701
702
703
704
705
706
707
      if (tmpe->prt_min <= 1 && tmpe->prt_max >= 65535) {
        /* Definitely matches, since it covers all ports. */
        if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
          /* If we already hit a clause that might trigger a 'reject', than we
           * can't be sure of this certain 'accept'.*/
          return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
            ADDR_POLICY_ACCEPTED;
        } else {
          return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
            ADDR_POLICY_REJECTED;
708
        }
709
710
711
712
713
714
      } else {
        /* Might match. */
        if (tmpe->policy_type == ADDR_POLICY_REJECT)
          maybe_reject = 1;
        else
          maybe_accept = 1;
715
716
      }
    }
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
  } SMARTLIST_FOREACH_END(tmpe);

  /* accept all by default. */
  return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
}

/** Helper for compare_tor_addr_to_addr_policy.  Implements the case where
 * port is known but address is not. */
static addr_policy_result_t
compare_unknown_tor_addr_to_addr_policy(uint16_t port,
                                        const smartlist_t *policy)
{
  /* We look to see if there's a definite match.  If so, we return that
     match's value, unless there's an intervening possible match that says
     something different. */
  int maybe_accept = 0, maybe_reject = 0;

  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
    if (tmpe->prt_min <= port && port <= tmpe->prt_max) {
Roger Dingledine's avatar
Roger Dingledine committed
736
      if (tmpe->maskbits == 0) {
737
738
739
740
741
742
743
744
745
746
        /* Definitely matches, since it covers all addresses. */
        if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
          /* If we already hit a clause that might trigger a 'reject', than we
           * can't be sure of this certain 'accept'.*/
          return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
            ADDR_POLICY_ACCEPTED;
        } else {
          return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
            ADDR_POLICY_REJECTED;
        }
747
      } else {
748
749
750
751
752
        /* Might match. */
        if (tmpe->policy_type == ADDR_POLICY_REJECT)
          maybe_reject = 1;
        else
          maybe_accept = 1;
753
754
      }
    }
755
  } SMARTLIST_FOREACH_END(tmpe);
756

757
758
759
760
  /* accept all by default. */
  return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
}

761
762
763
764
765
766
767
768
769
770
771
/** Decide whether a given addr:port is definitely accepted,
 * definitely rejected, probably accepted, or probably rejected by a
 * given policy.  If <b>addr</b> is 0, we don't know the IP of the
 * target address.  If <b>port</b> is 0, we don't know the port of the
 * target address.  (At least one of <b>addr</b> and <b>port</b> must be
 * provided.  If you want to know whether a policy would definitely reject
 * an unknown address:port, use policy_is_reject_star().)
 *
 * We could do better by assuming that some ranges never match typical
 * addresses (127.0.0.1, and so on).  But we'll try this for now.
 */
772
773
774
MOCK_IMPL(addr_policy_result_t,
compare_tor_addr_to_addr_policy,(const tor_addr_t *addr, uint16_t port,
                                 const smartlist_t *policy))
775
776
777
778
{
  if (!policy) {
    /* no policy? accept all. */
    return ADDR_POLICY_ACCEPTED;
779
  } else if (addr == NULL || tor_addr_is_null(addr)) {
780
781
782
783
784
    if (port == 0) {
      log_info(LD_BUG, "Rejecting null address with 0 port (family %d)",
               addr ? tor_addr_family(addr) : -1);
      return ADDR_POLICY_REJECTED;
    }
785
786
787
788
789
790
791
792
    return compare_unknown_tor_addr_to_addr_policy(port, policy);
  } else if (port == 0) {
    return compare_known_tor_addr_to_addr_policy_noport(addr, policy);
  } else {
    return compare_known_tor_addr_to_addr_policy(addr, port, policy);
  }
}

793
794
795
796
797
/** Return true iff the address policy <b>a</b> covers every case that
 * would be covered by <b>b</b>, so that a,b is redundant. */
static int
addr_policy_covers(addr_policy_t *a, addr_policy_t *b)
{
798
799
800
801
  if (tor_addr_family(&a->addr) != tor_addr_family(&b->addr)) {
    /* You can't cover a different family. */
    return 0;
  }
802
803
  /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
   * to "accept *:80". */
804
805
  if (a->maskbits > b->maskbits) {
    /* a has more fixed bits than b; it can't possibly cover b. */
806
807
    return 0;
  }
808
  if (tor_addr_compare_masked(&a->addr, &b->addr, a->maskbits, CMP_EXACT)) {
809
810
811
812
813
814
815
816
817
818
819
820
821
    /* There's a fixed bit in a that's set differently in b. */
    return 0;
  }
  return (a->prt_min <= b->prt_min && a->prt_max >= b->prt_max);
}

/** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
 * that is, there exists an address/port that is covered by <b>a</b> that
 * is also covered by <b>b</b>.
 */
static int
addr_policy_intersects(addr_policy_t *a, addr_policy_t *b)
{
822
  maskbits_t minbits;
823
824
825
826
  /* All the bits we care about are those that are set in both
   * netmasks.  If they are equal in a and b's networkaddresses
   * then the networks intersect.  If there is a difference,
   * then they do not. */
827
828
829
830
  if (a->maskbits < b->maskbits)
    minbits = a->maskbits;
  else
    minbits = b->maskbits;
831
  if (tor_addr_compare_masked(&a->addr, &b->addr, minbits, CMP_EXACT))
832
833
834
835
836
837
838
839
840
    return 0;
  if (a->prt_max < b->prt_min || b->prt_max < a->prt_min)
    return 0;
  return 1;
}

/** Add the exit policy described by <b>more</b> to <b>policy</b>.
 */
static void
841
append_exit_policy_string(smartlist_t **policy, const char *more)
842
843
844
845
846
847
{
  config_line_t tmp;

  tmp.key = NULL;
  tmp.value = (char*) more;
  tmp.next = NULL;
848
849
850
  if (parse_addr_policy(&tmp, policy, -1)<0) {
    log_warn(LD_BUG, "Unable to parse internally generated policy %s",more);
  }
851
852
}

853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
/** Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed. */
void
addr_policy_append_reject_addr(smartlist_t **dest, const tor_addr_t *addr)
{
  addr_policy_t p, *add;
  memset(&p, 0, sizeof(p));
  p.policy_type = ADDR_POLICY_REJECT;
  p.maskbits = tor_addr_family(addr) == AF_INET6 ? 128 : 32;
  tor_addr_copy(&p.addr, addr);
  p.prt_min = 1;
  p.prt_max = 65535;

  add = addr_policy_get_canonical_entry(&p);
  if (!*dest)
    *dest = smartlist_new();
  smartlist_add(*dest, add);
}

871
872
/** Detect and excise "dead code" from the policy *<b>dest</b>. */
static void
873
exit_policy_remove_redundancies(smartlist_t *dest)
874
{
875
  addr_policy_t *ap, *tmp;
876
  int i, j;
877

878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
  /* Step one: kill every ipv4 thing after *4:*, every IPv6 thing after *6:*
   */
  {
    int kill_v4=0, kill_v6=0;
    for (i = 0; i < smartlist_len(dest); ++i) {
      sa_family_t family;
      ap = smartlist_get(dest, i);
      family = tor_addr_family(&ap->addr);
      if ((family == AF_INET && kill_v4) ||
          (family == AF_INET6 && kill_v6)) {
        smartlist_del_keeporder(dest, i--);
        addr_policy_free(ap);
        continue;
      }

      if (ap->maskbits == 0 && ap->prt_min <= 1 && ap->prt_max >= 65535) {
        /* This is a catch-all line -- later lines are unreachable. */
        if (family == AF_INET) {
          kill_v4 = 1;
        } else if (family == AF_INET6) {
          kill_v6 = 1;
        }
900
901
902
903
904
905
      }
    }
  }

  /* Step two: for every entry, see if there's a redundant entry
   * later on, and remove it. */
906
907
908
909
910
911
  for (i = 0; i < smartlist_len(dest)-1; ++i) {
    ap = smartlist_get(dest, i);
    for (j = i+1; j < smartlist_len(dest); ++j) {
      tmp = smartlist_get(dest, j);
      tor_assert(j > i);
      if (addr_policy_covers(ap, tmp)) {
912
        char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
913
914
        policy_write_item(p1, sizeof(p1), tmp, 0);
        policy_write_item(p2, sizeof(p2), ap, 0);
915
        log_debug(LD_CONFIG, "Removing exit policy %s (%d).  It is made "
916
917
918
            "redundant by %s (%d).", p1, j, p2, i);
        smartlist_del_keeporder(dest, j--);
        addr_policy_free(tmp);
919
920
921
922
923
924
925
926
927
      }
    }
  }

  /* Step three: for every entry A, see if there's an entry B making this one
   * redundant later on.  This is the case if A and B are of the same type
   * (accept/reject), A is a subset of B, and there is no other entry of
   * different type in between those two that intersects with A.
   *
Nick Mathewson's avatar
Nick Mathewson committed
928
   * Anybody want to double-check the logic here? XXX
929
   */
930
931
932
  for (i = 0; i < smartlist_len(dest)-1; ++i) {
    ap = smartlist_get(dest, i);
    for (j = i+1; j < smartlist_len(dest); ++j) {
933
934
      // tor_assert(j > i); // j starts out at i+1; j only increases; i only
      //                    // decreases.
935
      tmp = smartlist_get(dest, j);
936
      if (ap->policy_type != tmp->policy_type) {
937
        if (addr_policy_intersects(ap, tmp))
938
939
940
          break;
      } else { /* policy_types are equal. */
        if (addr_policy_covers(tmp, ap)) {
941
          char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
942
943
          policy_write_item(p1, sizeof(p1), ap, 0);
          policy_write_item(p2, sizeof(p2), tmp, 0);
944
          log_debug(LD_CONFIG, "Removing exit policy %s.  It is already "
Roger Dingledine's avatar
Roger Dingledine committed
945
              "covered by %s.", p1, p2);
946
947
          smartlist_del_keeporder(dest, i--);
          addr_policy_free(ap);
948
          break;
949
950
951
952
953
954
955
956
        }
      }
    }
  }
}

#define DEFAULT_EXIT_POLICY                                         \
  "reject *:25,reject *:119,reject *:135-139,reject *:445,"         \
957
  "reject *:563,reject *:1214,reject *:4661-4666,"                  \
958
959
960
  "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"

/** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
Karsten Loesing's avatar
Karsten Loesing committed
961
962
 * cfg doesn't end in an absolute accept or reject and if
 * <b>add_default_policy</b> is true, add the default exit
963
964
965
 * policy afterwards. If <b>rejectprivate</b> is true, prepend
 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
 * else return 0.
966
967
968
969
 *
 * This function is used to parse the exit policy from our torrc. For
 * the functions used to parse the exit policy from a router descriptor,
 * see router_add_exit_policy.
970
971
 */
int
972
policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
973
                           int ipv6_exit,
974
                           int rejectprivate, uint32_t local_address,
Karsten Loesing's avatar
Karsten Loesing committed
975
                           int add_default_policy)
976
{
977
978
979
  if (!ipv6_exit) {
    append_exit_policy_string(dest, "reject *6:*");
  }
980
  if (rejectprivate) {
981
    append_exit_policy_string(dest, "reject private:*");
982
983
    if (local_address) {
      char buf[POLICY_BUF_LEN];
984
      tor_snprintf(buf, sizeof(buf), "reject %s:*", fmt_addr32(local_address));
985
986
987
      append_exit_policy_string(dest, buf);
    }
  }
988
989
  if (parse_addr_policy(cfg, dest, -1))
    return -1;
990
  if (add_default_policy) {
Karsten Loesing's avatar
Karsten Loesing committed
991
    append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
992
993
994
995
  } else {
    append_exit_policy_string(dest, "reject *4:*");
    append_exit_policy_string(dest, "reject *6:*");
  }
996
997
  exit_policy_remove_redundancies(*dest);

998
999
1000
  return 0;
}