Remove AllowDotExit.

It's been deprecated since 0.2.9.2-alpha. Closes ticket 23426.

Remove AllowDotExit.
It's been deprecated since 0.2.9.2-alpha. Closes ticket 23426.
f02fd6c3 · Nick Mathewson · 8421756d · f02fd6c3 · f02fd6c3 · f02fd6c3
Commit f02fd6c3 authored Sep 07, 2017 by Nick Mathewson 🎨
--- a/changes/bug23426
+++ b/changes/bug23426
+  o Removed features:
+    - The AllowDotExit option has been removed as unsafe.  It has
+      been deprecated since 0.2.9.2-alpha.  Closes ticket 23426.
+
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -924,7 +924,7 @@ The following options are useful only for clients (that is, if
    The ExcludeNodes option overrides this option: any node listed in both
    ExitNodes and ExcludeNodes is treated as excluded. +
 +
-    The .exit address notation, if enabled via AllowDotExit, overrides
+    The .exit address notation, if enabled via MapAddress, overrides
    this option.

 [[EntryNodes]] **EntryNodes** __node__,__node__,__...__::
@@ -1328,12 +1328,6 @@ The following options are useful only for clients (that is, if
    resolved. This helps trap accidental attempts to resolve URLs and so on.
    (Default: 0)

-[[AllowDotExit]] **AllowDotExit** **0**|**1**::
-    If enabled, we convert "www.google.com.foo.exit" addresses on the
-    SocksPort/TransPort/NATDPort into "www.google.com" addresses that exit from
-    the node "foo". Disabled by default since attacking websites and exit
-    relays can use it to manipulate your path selection. (Default: 0)
-
 [[HTTPTunnelPort]] **HTTPTunnelPort**  \['address':]__port__|**auto** [_isolation flags_]::
    Open this port to listen for proxy connections using the "HTTP CONNECT"
    protocol instead of SOCKS. Set this to 0

--- a/src/or/config.c
+++ b/src/or/config.c
@@ -206,7 +206,7 @@ static config_var_t option_vars_[] = {
  VAR("AccountingRule",          STRING,   AccountingRule_option,  "max"),
  V(AccountingStart,             STRING,   NULL),
  V(Address,                     STRING,   NULL),
-  V(AllowDotExit,                BOOL,     "0"),
+  OBSOLETE("AllowDotExit"),
  OBSOLETE("AllowInvalidNodes"),
  V(AllowNonRFC953Hostnames,     BOOL,     "0"),
  OBSOLETE("AllowSingleHopCircuits"),
@@ -671,8 +671,6 @@ static const config_var_t testing_tor_network_defaults[] = {

 static const config_deprecation_t option_deprecation_notes_[] = {
  /* Deprecated since 0.2.9.2-alpha... */
-  { "AllowDotExit", "Unrestricted use of the .exit notation can be used for "
-    "a wide variety of application-level attacks." },
  { "ClientDNSRejectInternalAddresses", "Turning this on makes your client "
    "easier to fingerprint, and may open you to esoteric attacks." },
  /* End of options deprecated since 0.2.9.2-alpha. */

--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1235,10 +1235,9 @@ connection_ap_handshake_rewrite(entry_connection_t *conn,
  /* Check for whether this is a .exit address.  By default, those are
   * disallowed when they're coming straight from the client, but you're
   * allowed to have them in MapAddress commands and so forth. */
-  if (!strcmpend(socks->address, ".exit") && !options->AllowDotExit) {
+  if (!strcmpend(socks->address, ".exit")) {
    log_warn(LD_APP, "The  \".exit\" notation is disabled in Tor due to "
-             "security risks. Set AllowDotExit in your torrc to enable "
-             "it (at your own risk).");
+             "security risks.");
    control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
                                escaped(socks->address));
    out->end_reason = END_STREAM_REASON_TORPROTOCOL;
@@ -1653,23 +1652,23 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
    const node_t *node = NULL;

    /* If this .exit was added by an AUTOMAP, then it came straight from
-     * a user.  Make sure that options->AllowDotExit permits that! */
-    if (exit_source == ADDRMAPSRC_AUTOMAP && !options->AllowDotExit) {
-      /* Whoops; this one is stale.  It must have gotten added earlier,
-       * when AllowDotExit was on. */
-      log_warn(LD_APP,"Stale automapped address for '%s.exit', with "
-               "AllowDotExit disabled. Refusing.",
+     * a user.  That's not safe. */
+    if (exit_source == ADDRMAPSRC_AUTOMAP) {
+      /* Whoops; this one is stale.  It must have gotten added earlier?
+       * (Probably this is not possible, since AllowDotExit no longer
+       * exists.) */
+      log_warn(LD_APP,"Stale automapped address for '%s.exit'. Refusing.",
               safe_str_client(socks->address));
      control_event_client_status(LOG_WARN, "SOCKS_BAD_HOSTNAME HOSTNAME=%s",
                                  escaped(socks->address));
      connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
+      tor_assert_nonfatal_unreached();
      return -1;
    }

    /* Double-check to make sure there are no .exits coming from
     * impossible/weird sources. */
-    if (exit_source == ADDRMAPSRC_DNS ||
-        (exit_source == ADDRMAPSRC_NONE && !options->AllowDotExit)) {
+    if (exit_source == ADDRMAPSRC_DNS || exit_source == ADDRMAPSRC_NONE) {
      /* It shouldn't be possible to get a .exit address from any of these
       * sources. */
      log_warn(LD_BUG,"Address '%s.exit', with impossible source for the "

--- a/src/or/or.h
+++ b/src/or/or.h
@@ -4160,13 +4160,6 @@ typedef struct {
   * if we are a cache).  For authorities, this is always true. */
  int DownloadExtraInfo;

-  /** If true, we convert "www.google.com.foo.exit" addresses on the
-   * socks/trans/natd ports into "www.google.com" addresses that
-   * exit from the node "foo". Disabled by default since attacking
-   * websites and exit relays can use it to manipulate your path
-   * selection. */
-  int AllowDotExit;
-
  /** If true, we're configured to collect statistics on clients
   * requesting network statuses from us as directory. */
  int DirReqStatistics_option;

--- a/src/test/test_entryconn.c
+++ b/src/test/test_entryconn.c
@@ -76,7 +76,6 @@ test_entryconn_rewrite_bad_dotexit(void *arg)
  entry_connection_t *ec = arg;
  rewrite_result_t rr;

-  get_options_mutable()->AllowDotExit = 0;
  tt_assert(ec->socks_request);
  strlcpy(ec->socks_request->address, "www.TORproject.org.foo.exit",
          sizeof(ec->socks_request->address));
@@ -480,7 +479,7 @@ test_entryconn_rewrite_reject_internal_reverse(void *arg)
  ;
 }

-/* Rewrite into .exit because of virtual address mapping */
+/* Rewrite into .exit because of virtual address mapping.  */
 static void
 test_entryconn_rewrite_automap_exit(void *arg)
 {
@@ -491,43 +490,21 @@ test_entryconn_rewrite_automap_exit(void *arg)

  ec2 = entry_connection_new(CONN_TYPE_AP, AF_INET);

-  get_options_mutable()->AutomapHostsOnResolve = 1;
-  get_options_mutable()->AllowDotExit = 1;
  smartlist_add_strdup(get_options_mutable()->AutomapHostsSuffixes,
                ".EXIT");
  parse_virtual_addr_network("127.1.0.0/16", AF_INET, 0, &msg);

-  /* Automap this on resolve. */
+  /* Try to automap this on resolve. */
  strlcpy(ec->socks_request->address, "website.example.exit",
          sizeof(ec->socks_request->address));
  ec->socks_request->command = SOCKS_COMMAND_RESOLVE;
  connection_ap_handshake_rewrite(ec, &rr);

-  tt_int_op(rr.automap, OP_EQ, 1);
-  tt_int_op(rr.should_close, OP_EQ, 0);
-  tt_int_op(rr.end_reason, OP_EQ, 0);
-  tt_i64_op(rr.map_expires, OP_EQ, TIME_MAX);
-  tt_int_op(rr.exit_source, OP_EQ, ADDRMAPSRC_NONE);
-  tt_str_op(rr.orig_address, OP_EQ, "website.example.exit");
-  tt_str_op(ec->original_dest_address, OP_EQ, "website.example.exit");
-
-  tt_assert(!strcmpstart(ec->socks_request->address,"127.1."));
-
-  /* Connect to it and make sure we get the original address back. */
-  strlcpy(ec2->socks_request->address, ec->socks_request->address,
-          sizeof(ec2->socks_request->address));
-
-  ec2->socks_request->command = SOCKS_COMMAND_CONNECT;
-  connection_ap_handshake_rewrite(ec2, &rr);
-
+  /* Make sure it isn't allowed -- there is no longer an AllowDotExit
+   * option. */
  tt_int_op(rr.automap, OP_EQ, 0);
-  tt_int_op(rr.should_close, OP_EQ, 0);
-  tt_int_op(rr.end_reason, OP_EQ, 0);
-  tt_i64_op(rr.map_expires, OP_EQ, TIME_MAX);
-  tt_int_op(rr.exit_source, OP_EQ, ADDRMAPSRC_AUTOMAP);
-  tt_str_op(rr.orig_address, OP_EQ, ec->socks_request->address);
-  tt_str_op(ec2->original_dest_address, OP_EQ, ec->socks_request->address);
-  tt_str_op(ec2->socks_request->address, OP_EQ, "website.example.exit");
+  tt_int_op(rr.should_close, OP_EQ, 1);
+  tt_int_op(rr.end_reason, OP_EQ, END_STREAM_REASON_TORPROTOCOL);

 done:
  connection_free_(ENTRY_TO_CONN(ec2));
@@ -577,7 +554,6 @@ test_entryconn_rewrite_mapaddress_automap_onion(void *arg)
  ec4 = entry_connection_new(CONN_TYPE_AP, AF_INET);

  get_options_mutable()->AutomapHostsOnResolve = 1;
-  get_options_mutable()->AllowDotExit = 1;
  smartlist_add_strdup(get_options_mutable()->AutomapHostsSuffixes,
                ".onion");
  parse_virtual_addr_network("192.168.0.0/16", AF_INET, 0, &msg);