policies.c 49.3 KB
Newer Older
1
/* Copyright (c) 2001-2004, Roger Dingledine.
2
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3
 * Copyright (c) 2007-2010, The Tor Project, Inc. */
4
5
6
7
8
9
10
11
/* See LICENSE for licensing information */

/**
 * \file policies.c
 * \brief Code to parse and use address policies and exit policies.
 **/

#include "or.h"
Sebastian Hahn's avatar
Sebastian Hahn committed
12
#include "config.h"
Sebastian Hahn's avatar
Sebastian Hahn committed
13
#include "dirserv.h"
14
#include "nodelist.h"
Sebastian Hahn's avatar
Sebastian Hahn committed
15
#include "policies.h"
Sebastian Hahn's avatar
Sebastian Hahn committed
16
#include "routerparse.h"
17
#include "ht.h"
18

19
/** Policy that addresses for incoming SOCKS connections must match. */
20
static smartlist_t *socks_policy = NULL;
21
/** Policy that addresses for incoming directory connections must match. */
22
static smartlist_t *dir_policy = NULL;
23
24
/** Policy that addresses for incoming router descriptors must match in order
 * to be published by us. */
25
static smartlist_t *authdir_reject_policy = NULL;
26
27
/** Policy that addresses for incoming router descriptors must match in order
 * to be marked as valid in our networkstatus. */
28
static smartlist_t *authdir_invalid_policy = NULL;
29
30
/** Policy that addresses for incoming router descriptors must <b>not</b>
 * match in order to not be marked as BadDirectory. */
31
static smartlist_t *authdir_baddir_policy = NULL;
32
33
/** Policy that addresses for incoming router descriptors must <b>not</b>
 * match in order to not be marked as BadExit. */
34
static smartlist_t *authdir_badexit_policy = NULL;
35
36
37

/** Parsed addr_policy_t describing which addresses we believe we can start
 * circuits at. */
38
static smartlist_t *reachable_or_addr_policy = NULL;
39
40
/** Parsed addr_policy_t describing which addresses we believe we can connect
 * to directories at. */
41
42
static smartlist_t *reachable_dir_addr_policy = NULL;

43
44
45
46
47
/** Element of an exit policy summary */
typedef struct policy_summary_item_t {
    uint16_t prt_min; /**< Lowest port number to accept/reject. */
    uint16_t prt_max; /**< Highest port number to accept/reject. */
    uint64_t reject_count; /**< Number of IP-Addresses that are rejected to
Nick Mathewson's avatar
Nick Mathewson committed
48
                                this port range. */
49
50
51
    int accepted:1; /** Has this port already been accepted */
} policy_summary_item_t;

52
53
54
55
56
57
58
59
60
61
62
63
/** Private networks.  This list is used in two places, once to expand the
 *  "private" keyword when parsing our own exit policy, secondly to ignore
 *  just such networks when building exit policy summaries.  It is important
 *  that all authorities agree on that list when creating summaries, so don't
 *  just change this without a proper migration plan and a proposal and stuff.
 */
static const char *private_nets[] = {
  "0.0.0.0/8", "169.254.0.0/16",
  "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
  // "fc00::/7", "fe80::/10", "fec0::/10", "::/127",
  NULL };

64
65
66
67
68
69
70
71
72
73
/** Replace all "private" entries in *<b>policy</b> with their expanded
 * equivalents. */
void
policy_expand_private(smartlist_t **policy)
{
  uint16_t port_min, port_max;

  int i;
  smartlist_t *tmp;

74
  if (!*policy) /*XXXX disallow NULL policies? */
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
    return;

  tmp = smartlist_create();

  SMARTLIST_FOREACH(*policy, addr_policy_t *, p,
  {
     if (! p->is_private) {
       smartlist_add(tmp, p);
       continue;
     }
     for (i = 0; private_nets[i]; ++i) {
       addr_policy_t policy;
       memcpy(&policy, p, sizeof(addr_policy_t));
       policy.is_private = 0;
       policy.is_canonical = 0;
90
91
       if (tor_addr_parse_mask_ports(private_nets[i], &policy.addr,
                                  &policy.maskbits, &port_min, &port_max)<0) {
92
93
94
95
96
97
98
99
100
101
         tor_assert(0);
       }
       smartlist_add(tmp, addr_policy_get_canonical_entry(&policy));
     }
     addr_policy_free(p);
  });

  smartlist_free(*policy);
  *policy = tmp;
}
102
103
104
105

/**
 * Given a linked list of config lines containing "allow" and "deny"
 * tokens, parse them and append the result to <b>dest</b>. Return -1
106
 * if any tokens are malformed (and don't append any), else return 0.
107
108
109
110
 *
 * If <b>assume_action</b> is nonnegative, then insert its action
 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
 * action.
111
112
 */
static int
113
parse_addr_policy(config_line_t *cfg, smartlist_t **dest,
114
115
                  int assume_action)
{
116
  smartlist_t *result;
117
  smartlist_t *entries;
118
  addr_policy_t *item;
119
120
121
122
123
  int r = 0;

  if (!cfg)
    return 0;

124
  result = smartlist_create();
125
126
127
128
129
130
131
  entries = smartlist_create();
  for (; cfg; cfg = cfg->next) {
    smartlist_split_string(entries, cfg->value, ",",
                           SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
    SMARTLIST_FOREACH(entries, const char *, ent,
    {
      log_debug(LD_CONFIG,"Adding new entry '%s'",ent);
132
133
134
      item = router_parse_addr_policy_item_from_string(ent, assume_action);
      if (item) {
        smartlist_add(result, item);
135
136
137
138
139
140
141
142
143
      } else {
        log_warn(LD_CONFIG,"Malformed policy '%s'.", ent);
        r = -1;
      }
    });
    SMARTLIST_FOREACH(entries, char *, ent, tor_free(ent));
    smartlist_clear(entries);
  }
  smartlist_free(entries);
144
145
146
147
148
149
150
151
152
153
154
155
156
  if (r == -1) {
    addr_policy_list_free(result);
  } else {
    policy_expand_private(&result);

    if (*dest) {
      smartlist_add_all(*dest, result);
      smartlist_free(result);
    } else {
      *dest = result;
    }
  }

157
158
159
160
  return r;
}

/** Helper: parse the Reachable(Dir|OR)?Addresses fields into
161
162
163
164
 * reachable_(or|dir)_addr_policy.  The options should already have
 * been validated by validate_addr_policies.
 */
static int
165
166
167
parse_reachable_addresses(void)
{
  or_options_t *options = get_options();
168
  int ret = 0;
169
170
171
172
173
174
175
176

  if (options->ReachableDirAddresses &&
      options->ReachableORAddresses &&
      options->ReachableAddresses) {
    log_warn(LD_CONFIG,
             "Both ReachableDirAddresses and ReachableORAddresses are set. "
             "ReachableAddresses setting will be ignored.");
  }
177
  addr_policy_list_free(reachable_or_addr_policy);
178
179
180
181
182
183
184
185
186
187
188
  reachable_or_addr_policy = NULL;
  if (!options->ReachableORAddresses && options->ReachableAddresses)
    log_info(LD_CONFIG,
             "Using ReachableAddresses as ReachableORAddresses.");
  if (parse_addr_policy(options->ReachableORAddresses ?
                          options->ReachableORAddresses :
                          options->ReachableAddresses,
                        &reachable_or_addr_policy, ADDR_POLICY_ACCEPT)) {
    log_warn(LD_CONFIG,
             "Error parsing Reachable%sAddresses entry; ignoring.",
             options->ReachableORAddresses ? "OR" : "");
189
    ret = -1;
190
191
  }

192
  addr_policy_list_free(reachable_dir_addr_policy);
193
194
195
196
197
198
199
200
201
202
203
  reachable_dir_addr_policy = NULL;
  if (!options->ReachableDirAddresses && options->ReachableAddresses)
    log_info(LD_CONFIG,
             "Using ReachableAddresses as ReachableDirAddresses");
  if (parse_addr_policy(options->ReachableDirAddresses ?
                          options->ReachableDirAddresses :
                          options->ReachableAddresses,
                        &reachable_dir_addr_policy, ADDR_POLICY_ACCEPT)) {
    if (options->ReachableDirAddresses)
      log_warn(LD_CONFIG,
               "Error parsing ReachableDirAddresses entry; ignoring.");
204
    ret = -1;
205
  }
206
  return ret;
207
208
209
210
211
212
213
214
}

/** Return true iff the firewall options might block any address:port
 * combination.
 */
int
firewall_is_fascist_or(void)
{
215
  return reachable_or_addr_policy != NULL;
216
217
218
219
220
221
}

/** Return true iff <b>policy</b> (possibly NULL) will allow a
 * connection to <b>addr</b>:<b>port</b>.
 */
static int
222
addr_policy_permits_tor_addr(const tor_addr_t *addr, uint16_t port,
223
                            smartlist_t *policy)
224
225
{
  addr_policy_result_t p;
226
  p = compare_tor_addr_to_addr_policy(addr, port, policy);
227
228
229
230
231
232
233
234
235
236
237
238
239
  switch (p) {
    case ADDR_POLICY_PROBABLY_ACCEPTED:
    case ADDR_POLICY_ACCEPTED:
      return 1;
    case ADDR_POLICY_PROBABLY_REJECTED:
    case ADDR_POLICY_REJECTED:
      return 0;
    default:
      log_warn(LD_BUG, "Unexpected result: %d", (int)p);
      return 0;
  }
}

240
241
242
243
/** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
 * <b>addr</b>:<b>port</b>.  <b>addr</b> is an IPv4 address given in host
 * order. */
/* XXXX deprecate when possible. */
244
245
246
247
248
249
250
251
252
static int
addr_policy_permits_address(uint32_t addr, uint16_t port,
                            smartlist_t *policy)
{
  tor_addr_t a;
  tor_addr_from_ipv4h(&a, addr);
  return addr_policy_permits_tor_addr(&a, port, policy);
}

253
254
/** Return true iff we think our firewall will let us make an OR connection to
 * addr:port. */
255
int
256
fascist_firewall_allows_address_or(const tor_addr_t *addr, uint16_t port)
257
{
258
  return addr_policy_permits_tor_addr(addr, port,
259
260
261
                                     reachable_or_addr_policy);
}

262
263
/** Return true iff we think our firewall will let us make an OR connection to
 * <b>ri</b>. */
264
int
265
fascist_firewall_allows_or(const routerinfo_t *ri)
266
{
267
  /* XXXX proposal 118 */
268
269
270
271
272
  tor_addr_t addr;
  tor_addr_from_ipv4h(&addr, ri->addr);
  return fascist_firewall_allows_address_or(&addr, ri->or_port);
}

273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
/** Return true iff we think our firewall will let us make an OR connection to
 * <b>node</b>. */
int
fascist_firewall_allows_node(const node_t *node)
{
  if (node->ri) {
    return fascist_firewall_allows_or(node->ri);
  } else if (node->rs) {
    tor_addr_t addr;
    tor_addr_from_ipv4h(&addr, node->rs->addr);
    return fascist_firewall_allows_address_or(&addr, node->rs->or_port);
  } else {
    return 1;
  }
}

289
290
/** Return true iff we think our firewall will let us make a directory
 * connection to addr:port. */
291
int
292
fascist_firewall_allows_address_dir(const tor_addr_t *addr, uint16_t port)
293
{
294
295
  return addr_policy_permits_tor_addr(addr, port,
                                      reachable_dir_addr_policy);
296
297
298
299
300
301
}

/** Return 1 if <b>addr</b> is permitted to connect to our dir port,
 * based on <b>dir_policy</b>. Else return 0.
 */
int
302
dir_policy_permits_address(const tor_addr_t *addr)
303
{
304
  return addr_policy_permits_tor_addr(addr, 1, dir_policy);
305
306
307
308
309
310
}

/** Return 1 if <b>addr</b> is permitted to connect to our socks port,
 * based on <b>socks_policy</b>. Else return 0.
 */
int
311
socks_policy_permits_address(const tor_addr_t *addr)
312
{
313
  return addr_policy_permits_tor_addr(addr, 1, socks_policy);
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
}

/** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
 */
int
authdir_policy_permits_address(uint32_t addr, uint16_t port)
{
  return addr_policy_permits_address(addr, port, authdir_reject_policy);
}

/** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
 */
int
authdir_policy_valid_address(uint32_t addr, uint16_t port)
{
  return addr_policy_permits_address(addr, port, authdir_invalid_policy);
}

334
335
336
337
338
339
340
341
342
/** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
 * based on <b>authdir_baddir_policy</b>. Else return 0.
 */
int
authdir_policy_baddir_address(uint32_t addr, uint16_t port)
{
  return ! addr_policy_permits_address(addr, port, authdir_baddir_policy);
}

343
344
345
346
347
348
349
350
351
/** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
 * based on <b>authdir_badexit_policy</b>. Else return 0.
 */
int
authdir_policy_badexit_address(uint32_t addr, uint16_t port)
{
  return ! addr_policy_permits_address(addr, port, authdir_badexit_policy);
}

352
#define REJECT(arg) \
353
  STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
354

355
356
357
/** Config helper: If there's any problem with the policy configuration
 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
 * allocated description of the error. Else return 0. */
358
359
360
int
validate_addr_policies(or_options_t *options, char **msg)
{
361
362
363
  /* XXXX Maybe merge this into parse_policies_from_options, to make sure
   * that the two can't go out of sync. */

364
  smartlist_t *addr_policy=NULL;
365
366
367
  *msg = NULL;

  if (policies_parse_exit_policy(options->ExitPolicy, &addr_policy,
Karsten Loesing's avatar
Karsten Loesing committed
368
369
                                 options->ExitPolicyRejectPrivate, NULL,
                                 !options->BridgeRelay))
370
371
372
373
374
375
376
377
    REJECT("Error in ExitPolicy entry.");

  /* The rest of these calls *append* to addr_policy. So don't actually
   * use the results for anything other than checking if they parse! */
  if (parse_addr_policy(options->DirPolicy, &addr_policy, -1))
    REJECT("Error in DirPolicy entry.");
  if (parse_addr_policy(options->SocksPolicy, &addr_policy, -1))
    REJECT("Error in SocksPolicy entry.");
378
379
380
381
382
383
384
385
386
387
388
389
390
  if (parse_addr_policy(options->AuthDirReject, &addr_policy,
                        ADDR_POLICY_REJECT))
    REJECT("Error in AuthDirReject entry.");
  if (parse_addr_policy(options->AuthDirInvalid, &addr_policy,
                        ADDR_POLICY_REJECT))
    REJECT("Error in AuthDirInvalid entry.");
  if (parse_addr_policy(options->AuthDirBadDir, &addr_policy,
                        ADDR_POLICY_REJECT))
    REJECT("Error in AuthDirBadDir entry.");
  if (parse_addr_policy(options->AuthDirBadExit, &addr_policy,
                        ADDR_POLICY_REJECT))
    REJECT("Error in AuthDirBadExit entry.");

391
392
393
394
395
396
397
398
399
400
  if (parse_addr_policy(options->ReachableAddresses, &addr_policy,
                        ADDR_POLICY_ACCEPT))
    REJECT("Error in ReachableAddresses entry.");
  if (parse_addr_policy(options->ReachableORAddresses, &addr_policy,
                        ADDR_POLICY_ACCEPT))
    REJECT("Error in ReachableORAddresses entry.");
  if (parse_addr_policy(options->ReachableDirAddresses, &addr_policy,
                        ADDR_POLICY_ACCEPT))
    REJECT("Error in ReachableDirAddresses entry.");

Sebastian Hahn's avatar
Sebastian Hahn committed
401
 err:
402
  addr_policy_list_free(addr_policy);
403
404
405
406
  return *msg ? -1 : 0;
#undef REJECT
}

407
/** Parse <b>string</b> in the same way that the exit policy
408
409
410
 * is parsed, and put the processed version in *<b>policy</b>.
 * Ignore port specifiers.
 */
411
static int
412
load_policy_from_option(config_line_t *config, smartlist_t **policy,
413
414
                        int assume_action)
{
415
  int r;
416
  addr_policy_list_free(*policy);
417
  *policy = NULL;
418
  r = parse_addr_policy(config, policy, assume_action);
419
420
  if (r < 0) {
    return -1;
421
  }
422
  if (*policy) {
423
424
425
426
427
428
429
    SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, n) {
      /* ports aren't used in these. */
      if (n->prt_min > 1 || n->prt_max != 65535) {
        addr_policy_t newp, *c;
        memcpy(&newp, n, sizeof(newp));
        newp.prt_min = 1;
        newp.prt_max = 65535;
430
        newp.is_canonical = 0;
431
432
433
434
435
        c = addr_policy_get_canonical_entry(&newp);
        SMARTLIST_REPLACE_CURRENT(*policy, n, c);
        addr_policy_free(n);
      }
    } SMARTLIST_FOREACH_END(n);
436
437
  }
  return 0;
438
439
}

440
/** Set all policies based on <b>options</b>, which should have been validated
441
442
 * first by validate_addr_policies. */
int
443
policies_parse_from_options(or_options_t *options)
444
{
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
  int ret = 0;
  if (load_policy_from_option(options->SocksPolicy, &socks_policy, -1) < 0)
    ret = -1;
  if (load_policy_from_option(options->DirPolicy, &dir_policy, -1) < 0)
    ret = -1;
  if (load_policy_from_option(options->AuthDirReject,
                              &authdir_reject_policy, ADDR_POLICY_REJECT) < 0)
    ret = -1;
  if (load_policy_from_option(options->AuthDirInvalid,
                              &authdir_invalid_policy, ADDR_POLICY_REJECT) < 0)
    ret = -1;
  if (load_policy_from_option(options->AuthDirBadDir,
                              &authdir_baddir_policy, ADDR_POLICY_REJECT) < 0)
    ret = -1;
  if (load_policy_from_option(options->AuthDirBadExit,
                              &authdir_badexit_policy, ADDR_POLICY_REJECT) < 0)
    ret = -1;
  if (parse_reachable_addresses() < 0)
    ret = -1;
  return ret;
465
466
467
468
469
470
471
472
473
474
}

/** Compare two provided address policy items, and return -1, 0, or 1
 * if the first is less than, equal to, or greater than the second. */
static int
cmp_single_addr_policy(addr_policy_t *a, addr_policy_t *b)
{
  int r;
  if ((r=((int)a->policy_type - (int)b->policy_type)))
    return r;
475
476
  if ((r=((int)a->is_private - (int)b->is_private)))
    return r;
477
  if ((r=tor_addr_compare(&a->addr, &b->addr, CMP_EXACT)))
478
    return r;
479
  if ((r=((int)a->maskbits - (int)b->maskbits)))
480
481
482
483
484
485
486
487
488
489
490
    return r;
  if ((r=((int)a->prt_min - (int)b->prt_min)))
    return r;
  if ((r=((int)a->prt_max - (int)b->prt_max)))
    return r;
  return 0;
}

/** Like cmp_single_addr_policy() above, but looks at the
 * whole set of policies in each case. */
int
491
cmp_addr_policies(smartlist_t *a, smartlist_t *b)
492
{
493
494
495
496
497
498
  int r, i;
  int len_a = a ? smartlist_len(a) : 0;
  int len_b = b ? smartlist_len(b) : 0;

  for (i = 0; i < len_a && i < len_b; ++i) {
    if ((r = cmp_single_addr_policy(smartlist_get(a, i), smartlist_get(b, i))))
499
500
      return r;
  }
501
  if (i == len_a && i == len_b)
502
    return 0;
503
  if (i < len_a)
504
505
506
507
508
    return -1;
  else
    return 1;
}

509
510
511
512
513
514
/** Node in hashtable used to store address policy entries. */
typedef struct policy_map_ent_t {
  HT_ENTRY(policy_map_ent_t) node;
  addr_policy_t *policy;
} policy_map_ent_t;

515
static HT_HEAD(policy_map, policy_map_ent_t) policy_root = HT_INITIALIZER();
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532

/** Return true iff a and b are equal. */
static INLINE int
policy_eq(policy_map_ent_t *a, policy_map_ent_t *b)
{
  return cmp_single_addr_policy(a->policy, b->policy) == 0;
}

/** Return a hashcode for <b>ent</b> */
static unsigned int
policy_hash(policy_map_ent_t *ent)
{
  addr_policy_t *a = ent->policy;
  unsigned int r;
  if (a->is_private)
    r = 0x1234abcd;
  else
533
    r = tor_addr_hash(&a->addr);
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
  r += a->prt_min << 8;
  r += a->prt_max << 16;
  r += a->maskbits;
  if (a->policy_type == ADDR_POLICY_REJECT)
    r ^= 0xffffffff;

  return r;
}

HT_PROTOTYPE(policy_map, policy_map_ent_t, node, policy_hash,
             policy_eq)
HT_GENERATE(policy_map, policy_map_ent_t, node, policy_hash,
            policy_eq, 0.6, malloc, realloc, free)

/** Given a pointer to an addr_policy_t, return a copy of the pointer to the
 * "canonical" copy of that addr_policy_t; the canonical copy is a single
 * reference-counted object. */
addr_policy_t *
addr_policy_get_canonical_entry(addr_policy_t *e)
{
  policy_map_ent_t search, *found;
  if (e->is_canonical)
    return e;

  search.policy = e;
  found = HT_FIND(policy_map, &policy_root, &search);
  if (!found) {
    found = tor_malloc_zero(sizeof(policy_map_ent_t));
    found->policy = tor_memdup(e, sizeof(addr_policy_t));
    found->policy->is_canonical = 1;
564
    found->policy->refcnt = 0;
565
566
567
568
569
570
571
572
    HT_INSERT(policy_map, &policy_root, found);
  }

  tor_assert(!cmp_single_addr_policy(found->policy, e));
  ++found->policy->refcnt;
  return found->policy;
}

573
/** As compare_tor_addr_to_addr_policy, but instead of a tor_addr_t, takes
574
 * in host order. */
575
addr_policy_result_t
576
577
compare_addr_to_addr_policy(uint32_t addr, uint16_t port,
                            const smartlist_t *policy)
578
{
579
  /*XXXX deprecate this function when possible. */
580
581
582
583
584
  tor_addr_t a;
  tor_addr_from_ipv4h(&a, addr);
  return compare_tor_addr_to_addr_policy(&a, port, policy);
}

585
586
587
588
589
590
591
592
593
594
595
/** Helper for compare_tor_addr_to_addr_policy.  Implements the case where
 * addr and port are both known. */
static addr_policy_result_t
compare_known_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port,
                                      const smartlist_t *policy)
{
  /* We know the address and port, and we know the policy, so we can just
   * compute an exact match. */
  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
    /* Address is known */
    if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
596
                                 CMP_EXACT)) {
597
598
599
600
      if (port >= tmpe->prt_min && port <= tmpe->prt_max) {
        /* Exact match for the policy */
        return tmpe->policy_type == ADDR_POLICY_ACCEPT ?
          ADDR_POLICY_ACCEPTED : ADDR_POLICY_REJECTED;
601
      }
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
    }
  } SMARTLIST_FOREACH_END(tmpe);

  /* accept all by default. */
  return ADDR_POLICY_ACCEPTED;
}

/** Helper for compare_tor_addr_to_addr_policy.  Implements the case where
 * addr is known but port is not. */
static addr_policy_result_t
compare_known_tor_addr_to_addr_policy_noport(const tor_addr_t *addr,
                                             const smartlist_t *policy)
{
  /* We look to see if there's a definite match.  If so, we return that
     match's value, unless there's an intervening possible match that says
     something different. */
  int maybe_accept = 0, maybe_reject = 0;

  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
    if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
622
                                 CMP_EXACT)) {
623
624
625
626
627
628
629
630
631
632
      if (tmpe->prt_min <= 1 && tmpe->prt_max >= 65535) {
        /* Definitely matches, since it covers all ports. */
        if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
          /* If we already hit a clause that might trigger a 'reject', than we
           * can't be sure of this certain 'accept'.*/
          return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
            ADDR_POLICY_ACCEPTED;
        } else {
          return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
            ADDR_POLICY_REJECTED;
633
        }
634
635
636
637
638
639
      } else {
        /* Might match. */
        if (tmpe->policy_type == ADDR_POLICY_REJECT)
          maybe_reject = 1;
        else
          maybe_accept = 1;
640
641
      }
    }
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
  } SMARTLIST_FOREACH_END(tmpe);

  /* accept all by default. */
  return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
}

/** Helper for compare_tor_addr_to_addr_policy.  Implements the case where
 * port is known but address is not. */
static addr_policy_result_t
compare_unknown_tor_addr_to_addr_policy(uint16_t port,
                                        const smartlist_t *policy)
{
  /* We look to see if there's a definite match.  If so, we return that
     match's value, unless there's an intervening possible match that says
     something different. */
  int maybe_accept = 0, maybe_reject = 0;

  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
    if (tmpe->prt_min <= port && port <= tmpe->prt_max) {
       if (tmpe->maskbits == 0) {
        /* Definitely matches, since it covers all addresses. */
        if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
          /* If we already hit a clause that might trigger a 'reject', than we
           * can't be sure of this certain 'accept'.*/
          return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
            ADDR_POLICY_ACCEPTED;
        } else {
          return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
            ADDR_POLICY_REJECTED;
        }
672
      } else {
673
674
675
676
677
        /* Might match. */
        if (tmpe->policy_type == ADDR_POLICY_REJECT)
          maybe_reject = 1;
        else
          maybe_accept = 1;
678
679
      }
    }
680
  } SMARTLIST_FOREACH_END(tmpe);
681

682
683
684
685
  /* accept all by default. */
  return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
}

686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
/** Decide whether a given addr:port is definitely accepted,
 * definitely rejected, probably accepted, or probably rejected by a
 * given policy.  If <b>addr</b> is 0, we don't know the IP of the
 * target address.  If <b>port</b> is 0, we don't know the port of the
 * target address.  (At least one of <b>addr</b> and <b>port</b> must be
 * provided.  If you want to know whether a policy would definitely reject
 * an unknown address:port, use policy_is_reject_star().)
 *
 * We could do better by assuming that some ranges never match typical
 * addresses (127.0.0.1, and so on).  But we'll try this for now.
 */
addr_policy_result_t
compare_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port,
                                const smartlist_t *policy)
{
  if (!policy) {
    /* no policy? accept all. */
    return ADDR_POLICY_ACCEPTED;
  } else if (tor_addr_is_null(addr)) {
    tor_assert(port != 0);
    return compare_unknown_tor_addr_to_addr_policy(port, policy);
  } else if (port == 0) {
    return compare_known_tor_addr_to_addr_policy_noport(addr, policy);
  } else {
    return compare_known_tor_addr_to_addr_policy(addr, port, policy);
  }
}

714
715
716
717
718
719
720
/** Return true iff the address policy <b>a</b> covers every case that
 * would be covered by <b>b</b>, so that a,b is redundant. */
static int
addr_policy_covers(addr_policy_t *a, addr_policy_t *b)
{
  /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
   * to "accept *:80". */
721
722
  if (a->maskbits > b->maskbits) {
    /* a has more fixed bits than b; it can't possibly cover b. */
723
724
    return 0;
  }
725
  if (tor_addr_compare_masked(&a->addr, &b->addr, a->maskbits, CMP_EXACT)) {
726
727
728
729
730
731
732
733
734
735
736
737
738
    /* There's a fixed bit in a that's set differently in b. */
    return 0;
  }
  return (a->prt_min <= b->prt_min && a->prt_max >= b->prt_max);
}

/** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
 * that is, there exists an address/port that is covered by <b>a</b> that
 * is also covered by <b>b</b>.
 */
static int
addr_policy_intersects(addr_policy_t *a, addr_policy_t *b)
{
739
  maskbits_t minbits;
740
741
742
743
  /* All the bits we care about are those that are set in both
   * netmasks.  If they are equal in a and b's networkaddresses
   * then the networks intersect.  If there is a difference,
   * then they do not. */
744
745
746
747
  if (a->maskbits < b->maskbits)
    minbits = a->maskbits;
  else
    minbits = b->maskbits;
748
  if (tor_addr_compare_masked(&a->addr, &b->addr, minbits, CMP_EXACT))
749
750
751
752
753
754
755
756
757
    return 0;
  if (a->prt_max < b->prt_min || b->prt_max < a->prt_min)
    return 0;
  return 1;
}

/** Add the exit policy described by <b>more</b> to <b>policy</b>.
 */
static void
758
append_exit_policy_string(smartlist_t **policy, const char *more)
759
760
761
762
763
764
{
  config_line_t tmp;

  tmp.key = NULL;
  tmp.value = (char*) more;
  tmp.next = NULL;
765
766
767
  if (parse_addr_policy(&tmp, policy, -1)<0) {
    log_warn(LD_BUG, "Unable to parse internally generated policy %s",more);
  }
768
769
770
771
}

/** Detect and excise "dead code" from the policy *<b>dest</b>. */
static void
772
exit_policy_remove_redundancies(smartlist_t *dest)
773
{
774
775
  addr_policy_t *ap, *tmp, *victim;
  int i, j;
776
777

  /* Step one: find a *:* entry and cut off everything after it. */
778
779
  for (i = 0; i < smartlist_len(dest); ++i) {
    ap = smartlist_get(dest, i);
780
    if (ap->maskbits == 0 && ap->prt_min <= 1 && ap->prt_max >= 65535) {
781
      /* This is a catch-all line -- later lines are unreachable. */
782
783
784
785
      while (i+1 < smartlist_len(dest)) {
        victim = smartlist_get(dest, i+1);
        smartlist_del(dest, i+1);
        addr_policy_free(victim);
786
      }
787
      break;
788
789
790
791
792
    }
  }

  /* Step two: for every entry, see if there's a redundant entry
   * later on, and remove it. */
793
794
795
796
797
798
  for (i = 0; i < smartlist_len(dest)-1; ++i) {
    ap = smartlist_get(dest, i);
    for (j = i+1; j < smartlist_len(dest); ++j) {
      tmp = smartlist_get(dest, j);
      tor_assert(j > i);
      if (addr_policy_covers(ap, tmp)) {
799
        char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
800
801
        policy_write_item(p1, sizeof(p1), tmp, 0);
        policy_write_item(p2, sizeof(p2), ap, 0);
802
803
804
805
        log(LOG_DEBUG, LD_CONFIG, "Removing exit policy %s (%d).  It is made "
            "redundant by %s (%d).", p1, j, p2, i);
        smartlist_del_keeporder(dest, j--);
        addr_policy_free(tmp);
806
807
808
809
810
811
812
813
814
      }
    }
  }

  /* Step three: for every entry A, see if there's an entry B making this one
   * redundant later on.  This is the case if A and B are of the same type
   * (accept/reject), A is a subset of B, and there is no other entry of
   * different type in between those two that intersects with A.
   *
Nick Mathewson's avatar
Nick Mathewson committed
815
   * Anybody want to double-check the logic here? XXX
816
   */
817
818
819
  for (i = 0; i < smartlist_len(dest)-1; ++i) {
    ap = smartlist_get(dest, i);
    for (j = i+1; j < smartlist_len(dest); ++j) {
820
821
      // tor_assert(j > i); // j starts out at i+1; j only increases; i only
      //                    // decreases.
822
      tmp = smartlist_get(dest, j);
823
      if (ap->policy_type != tmp->policy_type) {
824
        if (addr_policy_intersects(ap, tmp))
825
826
827
          break;
      } else { /* policy_types are equal. */
        if (addr_policy_covers(tmp, ap)) {
828
          char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
829
830
          policy_write_item(p1, sizeof(p1), ap, 0);
          policy_write_item(p2, sizeof(p2), tmp, 0);
831
          log(LOG_DEBUG, LD_CONFIG, "Removing exit policy %s.  It is already "
Roger Dingledine's avatar
Roger Dingledine committed
832
              "covered by %s.", p1, p2);
833
834
          smartlist_del_keeporder(dest, i--);
          addr_policy_free(ap);
835
          break;
836
837
838
839
840
841
842
843
        }
      }
    }
  }
}

#define DEFAULT_EXIT_POLICY                                         \
  "reject *:25,reject *:119,reject *:135-139,reject *:445,"         \
844
  "reject *:563,reject *:1214,reject *:4661-4666,"                  \
845
846
847
  "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"

/** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
Karsten Loesing's avatar
Karsten Loesing committed
848
849
 * cfg doesn't end in an absolute accept or reject and if
 * <b>add_default_policy</b> is true, add the default exit
850
851
852
853
854
 * policy afterwards. If <b>rejectprivate</b> is true, prepend
 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
 * else return 0.
 */
int
855
policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
Karsten Loesing's avatar
Karsten Loesing committed
856
857
                           int rejectprivate, const char *local_address,
                           int add_default_policy)
858
{
859
  if (rejectprivate) {
860
    append_exit_policy_string(dest, "reject private:*");
861
862
863
864
865
866
    if (local_address) {
      char buf[POLICY_BUF_LEN];
      tor_snprintf(buf, sizeof(buf), "reject %s:*", local_address);
      append_exit_policy_string(dest, buf);
    }
  }
867
868
  if (parse_addr_policy(cfg, dest, -1))
    return -1;
Karsten Loesing's avatar
Karsten Loesing committed
869
870
871
872
  if (add_default_policy)
    append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
  else
    append_exit_policy_string(dest, "reject *:*");
873
874
  exit_policy_remove_redundancies(*dest);

875
876
877
  return 0;
}

878
879
880
881
/** Replace the exit policy of <b>node</b> with reject *:* */
void
policies_set_node_exitpolicy_to_reject_all(node_t *node)
{
882
  node->rejects_all = 1;
883
}
884

885
/** Return 1 if there is at least one /8 subnet in <b>policy</b> that
886
 * allows exiting to <b>port</b>.  Otherwise, return 0. */
887
888
889
static int
exit_policy_is_general_exit_helper(smartlist_t *policy, int port)
{
890
  uint32_t mask, ip, i;
891
892
893
894
895
896
897
  /* Is this /8 rejected (1), or undecided (0)? */
  char subnet_status[256];

  memset(subnet_status, 0, sizeof(subnet_status));
  SMARTLIST_FOREACH(policy, addr_policy_t *, p, {
    if (p->prt_min > port || p->prt_max < port)
      continue; /* Doesn't cover our port. */
898
899
900
901
902
903
904
905
906
907
    mask = 0;
    tor_assert(p->maskbits <= 32);

    if (p->maskbits)
      mask = UINT32_MAX<<(32-p->maskbits);
    ip = tor_addr_to_ipv4h(&p->addr);

    /* Calculate the first and last subnet that this exit policy touches
     * and set it as loop boundaries. */
    for (i = ((mask & ip)>>24); i <= (~((mask & ip) ^ mask)>>24); ++i) {
908
      tor_addr_t addr;
909
      if (subnet_status[i] != 0)
910
        continue; /* We already reject some part of this /8 */
911
      tor_addr_from_ipv4h(&addr, i<<24);
912
      if (tor_addr_is_internal(&addr, 0))
913
        continue; /* Local or non-routable addresses */
914
915
916
917
918
919
920
921
      if (p->policy_type == ADDR_POLICY_ACCEPT) {
        if (p->maskbits > 8)
          continue; /* Narrower than a /8. */
        /* We found an allowed subnet of at least size /8. Done
         * for this port! */
        return 1;
      } else if (p->policy_type == ADDR_POLICY_REJECT) {
        subnet_status[i] = 1;
922
923
924
925
926
927
      }
    }
  });
  return 0;
}

928
929
/** Return true iff <b>ri</b> is "useful as an exit node", meaning
 * it allows exit to at least one /8 address space for at least
930
 * two of ports 80, 443, and 6667. */
931
int
932
exit_policy_is_general_exit(smartlist_t *policy)
933
934
{
  static const int ports[] = { 80, 443, 6667 };
935
  int n_allowed = 0;
936
  int i;
937
  if (!policy) /*XXXX disallow NULL policies? */
938
939
    return 0;

940
  for (i = 0; i < 3; ++i) {
941
    n_allowed += exit_policy_is_general_exit_helper(policy, ports[i]);
942
  }
943
  return n_allowed >= 2;
944
945
}

946
947
948
/** Return false if <b>policy</b> might permit access to some addr:port;
 * otherwise if we are certain it rejects everything, return true. */
int
949
policy_is_reject_star(const smartlist_t *policy)
950
{
951
  if (!policy) /*XXXX disallow NULL policies? */
952
    return 1;
953
  SMARTLIST_FOREACH(policy, addr_policy_t *, p, {
954
955
956
957
    if (p->policy_type == ADDR_POLICY_ACCEPT)
      return 0;
    else if (p->policy_type == ADDR_POLICY_REJECT &&
             p->prt_min <= 1 && p->prt_max == 65535 &&
958
             p->maskbits == 0)
959
      return 1;
960
  });
961
962
963
  return 1;
}

964
965
966
/** Write a single address policy to the buf_len byte buffer at buf.  Return
 * the number of characters written, or -1 on failure. */
int
967
968
policy_write_item(char *buf, size_t buflen, addr_policy_t *policy,
                  int format_for_desc)
969
970
{
  size_t written = 0;
971
  char addrbuf[TOR_ADDR_BUF_LEN];
972
  const char *addrpart;
973
  int result;
974
975
976
  const int is_accept = policy->policy_type == ADDR_POLICY_ACCEPT;
  const int is_ip6 = tor_addr_family(&policy->addr) == AF_INET6;

977
  tor_addr_to_str(addrbuf, &policy->addr, sizeof(addrbuf), 1);
978
979

  /* write accept/reject 1.2.3.4 */
980
981
982
983
984
985
  if (policy->is_private)
    addrpart = "private";
  else if (policy->maskbits == 0)
    addrpart = "*";
  else
    addrpart = addrbuf;
986
987
988
989
990

  result = tor_snprintf(buf, buflen, "%s%s%s %s",
                        (is_ip6&&format_for_desc)?"opt ":"",
                        is_accept ? "accept" : "reject",
                        (is_ip6&&format_for_desc)?"6":"",
991
                        addrpart);
992
993
994
  if (result < 0)
    return -1;
  written += strlen(buf);
995
  /* If the maskbits is 32 we don't need to give it.  If the mask is 0,
996
   * we already wrote "*". */
997
998
999
  if (policy->maskbits < 32 && policy->maskbits > 0) {
    if (tor_snprintf(buf+written, buflen-written, "/%d", policy->maskbits)<0)
      return -1;
1000
    written += strlen(buf+written);
For faster browsing, not all history is shown. View entire blame