Commit d9f1f353 authored by Nick Mathewson's avatar Nick Mathewson 🎨
Browse files

r11724@Kushana: nickm | 2006-12-28 14:22:35 -0500

 Refactor and unify my-ip-addr-changed logic.  Make change in IP address or in nameservers reset and relaunch DNS hijacking tests.


svn:r9200
parent e5f5b96c
......@@ -70,6 +70,8 @@ Changes in version 0.1.2.5-xxxx - 200?-??-??
- We now check for the case when common DNS requests are going to
wildcarded addresses, and change our exit policy to reject *:* if
it's happening. (Bug #364)
- When we change nameservers or IP addresses, reset and re-launch
our tests for DNS hijacking.
o Security bugfixes:
- Stop sending the HttpProxyAuthenticator string to directory
......
......@@ -112,8 +112,7 @@ d - Be a DNS proxy.
well-known sites) are all going to the same place.
o Bug 363: Warn and die if we can't find a nameserver and we're running a
server; don't fall back to 127.0.0.1.
? - maybe re-check dns when we change IP addresses, rather than
every 12 hours?
o Re-check dns when we change IP addresses, rather than every 12 hours
- Bug 326: Give fewer error messages from nameservers.
- Only warn when _all_ nameservers are down; otherwise info.
- Increase timeout; what's industry standard?
......
......@@ -976,7 +976,7 @@ options_act(or_options_t *old_options)
log_err(LD_BUG,"Error initializing keys; exiting");
return -1;
}
server_has_changed_ip();
ip_address_changed(0);
if (has_completed_circuit || !any_predicted_circuits(time(NULL)))
inform_testing_reachability();
}
......@@ -1908,7 +1908,7 @@ resolve_my_address(int warn_severity, or_options_t *options,
/* Leave this as a notice, regardless of the requested severity,
* at least until dynamic IP address support becomes bulletproof. */
log_notice(LD_NET, "Your IP address seems to have changed. Updating.");
server_has_changed_ip();
ip_address_changed(0);
}
last_resolved_addr = *addr_out;
if (hostname_out)
......
......@@ -2128,7 +2128,7 @@ client_check_address_changed(int sock)
smartlist_clear(outgoing_addrs);
smartlist_add(outgoing_addrs, ip);
/* Okay, now change our keys. */
init_keys(); /* XXXX NM return value-- safe to ignore? */
ip_address_changed(1);
}
}
......
......@@ -1399,6 +1399,11 @@ dns_seems_to_be_broken(void)
{
return 0;
}
void
dns_reset_correctness_checks(void)
{
}
#else /* !USE_EVENTDNS */
/** Eventdns helper: return true iff the eventdns result <b>err</b> is
......@@ -1514,6 +1519,8 @@ configure_nameservers(int force)
}
#endif
dns_servers_relaunch_checks();
nameservers_configured = 1;
return 0;
}
......@@ -1855,6 +1862,28 @@ dns_seems_to_be_broken(void)
return dns_is_completely_invalid;
}
void
dns_reset_correctness_checks(void)
{
if (dns_wildcard_response_count) {
strmap_free(dns_wildcard_response_count, _tor_free);
dns_wildcard_response_count = NULL;
}
n_wildcard_requests = 0;
if (dns_wildcard_list) {
SMARTLIST_FOREACH(dns_wildcard_list, char *, cp, tor_free(cp));
smartlist_clear(dns_wildcard_list);
}
if (dns_wildcarded_test_address_list) {
SMARTLIST_FOREACH(dns_wildcarded_test_address_list, char *, cp,
tor_free(cp));
smartlist_clear(dns_wildcarded_test_address_list);
}
dns_wildcard_one_notice_given = dns_wildcard_notice_given =
dns_wildcarded_test_address_notice_given = dns_is_completely_invalid = 0;
}
/** Return true iff we have noticed that the dotted-quad <b>ip</b> has been
* returned in response to requests for nonexistent hostnames. */
static int
......
......@@ -52,6 +52,8 @@ long stats_n_seconds_working = 0;
static time_t time_to_fetch_directory = 0;
/** When do we next download a running-routers summary? */
static time_t time_to_fetch_running_routers = 0;
/** When do we next launch DNS wildcarding checks? */
static time_t time_to_check_for_correct_dns = 0;
/** Array of all open connections. The first n_conns elements are valid. */
static connection_t *connection_array[MAXCONNECTIONS+1] =
......@@ -729,7 +731,6 @@ run_scheduled_events(time_t now)
static time_t time_to_try_getting_descriptors = 0;
static time_t time_to_reset_descriptor_failures = 0;
static time_t time_to_add_entropy = 0;
static time_t time_to_check_for_correct_dns = 0;
or_options_t *options = get_options();
int i;
int have_dir_info;
......@@ -1057,6 +1058,44 @@ got_libevent_error(void)
}
#endif
#define UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST (6*60*60)
/** Called when our IP address seems to have changed. <b>at_interface</b>
* should be true if we detected a change in our interface, and false if we
* detected a change in our published address. */
void
ip_address_changed(int at_interface)
{
int server = server_mode(get_options());
if (at_interface) {
if (! server) {
/* Okay, change our keys. */
init_keys();
}
} else {
if (server) {
if (stats_n_seconds_working > UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST)
reset_bandwidth_test();
stats_n_seconds_working = 0;
router_reset_reachability();
mark_my_descriptor_dirty();
}
}
dns_servers_relaunch_checks();
}
/* DOCDOC */
void
dns_servers_relaunch_checks(void)
{
if (server_mode(get_options())) {
dns_reset_correctness_checks();
time_to_check_for_correct_dns = 0;
}
}
/** Called when we get a SIGHUP: reload configuration files and keys,
* retry all connections, re-upload all descriptors, and so on. */
static int
......
......@@ -2323,6 +2323,7 @@ void dns_cancel_pending_resolve(const char *question);
int dns_resolve(edge_connection_t *exitconn, or_circuit_t *circ);
void dns_launch_correctness_checks(void);
int dns_seems_to_be_broken(void);
void dns_reset_correctness_checks(void);
/********************************* hibernate.c **********************/
......@@ -2363,6 +2364,9 @@ void connection_start_writing(connection_t *conn);
void directory_all_unreachable(time_t now);
void directory_info_has_arrived(time_t now, int from_cache);
void ip_address_changed(int at_interface);
void dns_servers_relaunch_checks(void);
void control_signal_act(int the_signal);
void handle_signals(int is_parent);
void tor_cleanup(void);
......@@ -2632,7 +2636,6 @@ int check_whether_dirport_reachable(void);
void consider_testing_reachability(int test_or, int test_dir);
void router_orport_found_reachable(void);
void router_dirport_found_reachable(void);
void server_has_changed_ip(void);
void router_perform_bandwidth_test(int num_circs, time_t now);
int authdir_mode(or_options_t *options);
......@@ -2664,6 +2667,7 @@ int is_legal_nickname_or_hexdigest(const char *s);
int is_legal_hexdigest(const char *s);
void router_get_verbose_nickname(char *buf, routerinfo_t *router);
void router_reset_warnings(void);
void router_reset_reachability(void);
void router_free_all(void);
/********************************* routerlist.c ***************************/
......
......@@ -381,6 +381,13 @@ static int can_reach_or_port = 0;
/** Whether we can reach our DirPort from the outside. */
static int can_reach_dir_port = 0;
/** DOCDOC */
void
router_reset_reachability(void)
{
can_reach_or_port = can_reach_dir_port = 0;
}
/** Return 1 if ORPort is known reachable; else return 0. */
int
check_whether_orport_reachable(void)
......@@ -488,20 +495,6 @@ router_dirport_found_reachable(void)
}
}
#define UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST (6*60*60)
/** Our router has just moved to a new IP. Reset stats. */
void
server_has_changed_ip(void)
{
if (stats_n_seconds_working > UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST)
reset_bandwidth_test();
stats_n_seconds_working = 0;
can_reach_or_port = 0;
can_reach_dir_port = 0;
mark_my_descriptor_dirty();
}
/** We have enough testing circuits open. Send a bunch of "drop"
* cells down each of them, to exercise our bandwidth. */
void
......@@ -996,9 +989,7 @@ check_descriptor_ipaddress_changed(time_t now)
if (prev != cur) {
log_addr_has_changed(LOG_INFO, prev, cur);
mark_my_descriptor_dirty();
/* the above call is probably redundant, since resolve_my_address()
* probably already noticed and marked it dirty. */
ip_address_changed(0);
}
}
......@@ -1044,7 +1035,7 @@ router_new_address_suggestion(const char *suggestion)
* resolve it. */
if (last_guessed_ip != addr) {
log_addr_has_changed(LOG_NOTICE, last_guessed_ip, addr);
server_has_changed_ip();
ip_address_changed(0);
last_guessed_ip = addr; /* router_rebuild_descriptor() will fetch it */
}
}
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment