policies.c 107 KB
Newer Older
1
/* Copyright (c) 2001-2004, Roger Dingledine.
2
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3
 * Copyright (c) 2007-2021, The Tor Project, Inc. */
4
5
6
7
8
/* See LICENSE for licensing information */

/**
 * \file policies.c
 * \brief Code to parse and use address policies and exit policies.
9
10
11
12
13
14
15
 *
 * We have two key kinds of address policy: full and compressed.  A full
 * policy is an array of accept/reject patterns, to be applied in order.
 * A short policy is simply a list of ports.  This module handles both
 * kinds, including generic functions to apply them to addresses, and
 * also including code to manage the global policies that we apply to
 * incoming and outgoing connections.
16
17
 **/

Nick Mathewson's avatar
Nick Mathewson committed
18
19
#define POLICIES_PRIVATE

20
21
22
#include "core/or/or.h"
#include "feature/client/bridges.h"
#include "app/config/config.h"
23
#include "core/or/policies.h"
24
#include "feature/dirparse/policy_parse.h"
25
26
27
28
#include "feature/nodelist/microdesc.h"
#include "feature/nodelist/networkstatus.h"
#include "feature/nodelist/nodelist.h"
#include "feature/relay/router.h"
29
#include "feature/relay/routermode.h"
30
#include "lib/geoip/geoip.h"
31
#include "ht.h"
32
#include "lib/crypt_ops/crypto_rand.h"
33
#include "lib/encoding/confline.h"
34
#include "trunnel/ed25519_cert.h"
35

36
37
38
39
40
41
42
#include "core/or/addr_policy_st.h"
#include "feature/dirclient/dir_server_st.h"
#include "feature/nodelist/microdesc_st.h"
#include "feature/nodelist/node_st.h"
#include "core/or/port_cfg_st.h"
#include "feature/nodelist/routerinfo_st.h"
#include "feature/nodelist/routerstatus_st.h"
43

44
45
46
/** Maximum length of an exit policy summary. */
#define MAX_EXITPOLICY_SUMMARY_LEN 1000

47
/** Policy that addresses for incoming SOCKS connections must match. */
48
static smartlist_t *socks_policy = NULL;
49
/** Policy that addresses for incoming directory connections must match. */
50
static smartlist_t *dir_policy = NULL;
David Goulet's avatar
David Goulet committed
51
52
/** Policy for incoming MetricsPort connections that must match. */
static smartlist_t *metrics_policy = NULL;
53
54
/** Policy that addresses for incoming router descriptors must match in order
 * to be published by us. */
55
static smartlist_t *authdir_reject_policy = NULL;
56
57
/** Policy that addresses for incoming router descriptors must match in order
 * to be marked as valid in our networkstatus. */
58
static smartlist_t *authdir_invalid_policy = NULL;
59
60
/** Policy that addresses for incoming router descriptors must <b>not</b>
 * match in order to not be marked as BadExit. */
61
static smartlist_t *authdir_badexit_policy = NULL;
62
63
64

/** Parsed addr_policy_t describing which addresses we believe we can start
 * circuits at. */
65
static smartlist_t *reachable_or_addr_policy = NULL;
66
67
/** Parsed addr_policy_t describing which addresses we believe we can connect
 * to directories at. */
68
69
static smartlist_t *reachable_dir_addr_policy = NULL;

70
71
72
73
74
/** Element of an exit policy summary */
typedef struct policy_summary_item_t {
    uint16_t prt_min; /**< Lowest port number to accept/reject. */
    uint16_t prt_max; /**< Highest port number to accept/reject. */
    uint64_t reject_count; /**< Number of IP-Addresses that are rejected to
Nick Mathewson's avatar
Nick Mathewson committed
75
                                this port range. */
76
    unsigned int accepted:1; /** Has this port already been accepted */
77
78
} policy_summary_item_t;

79
80
81
82
83
84
85
86
87
/** Private networks.  This list is used in two places, once to expand the
 *  "private" keyword when parsing our own exit policy, secondly to ignore
 *  just such networks when building exit policy summaries.  It is important
 *  that all authorities agree on that list when creating summaries, so don't
 *  just change this without a proper migration plan and a proposal and stuff.
 */
static const char *private_nets[] = {
  "0.0.0.0/8", "169.254.0.0/16",
  "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
88
89
90
91
  "[::]/8",
  "[fc00::]/7", "[fe80::]/10", "[fec0::]/10", "[ff00::]/8", "[::]/127",
  NULL
};
92

93
static int policies_parse_exit_policy_internal(
94
95
96
97
98
99
100
                                      config_line_t *cfg,
                                      smartlist_t **dest,
                                      int ipv6_exit,
                                      int rejectprivate,
                                      const smartlist_t *configured_addresses,
                                      int reject_interface_addresses,
                                      int reject_configured_port_addresses,
101
102
                                      int add_default_policy,
                                      int add_reduced_policy);
103

104
105
106
107
108
109
110
111
112
113
/** Replace all "private" entries in *<b>policy</b> with their expanded
 * equivalents. */
void
policy_expand_private(smartlist_t **policy)
{
  uint16_t port_min, port_max;

  int i;
  smartlist_t *tmp;

114
  if (!*policy) /*XXXX disallow NULL policies? */
115
116
    return;

117
  tmp = smartlist_new();
118

119
  SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
120
121
122
123
124
     if (! p->is_private) {
       smartlist_add(tmp, p);
       continue;
     }
     for (i = 0; private_nets[i]; ++i) {
125
126
127
128
       addr_policy_t newpolicy;
       memcpy(&newpolicy, p, sizeof(addr_policy_t));
       newpolicy.is_private = 0;
       newpolicy.is_canonical = 0;
129
130
       if (tor_addr_parse_mask_ports(private_nets[i], 0,
                               &newpolicy.addr,
131
                               &newpolicy.maskbits, &port_min, &port_max)<0) {
132
         tor_assert_unreached();
133
       }
134
       smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy));
135
136
     }
     addr_policy_free(p);
137
  } SMARTLIST_FOREACH_END(p);
138
139
140
141

  smartlist_free(*policy);
  *policy = tmp;
}
142

143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
/** Expand each of the AF_UNSPEC elements in *<b>policy</b> (which indicate
 * protocol-neutral wildcards) into a pair of wildcard elements: one IPv4-
 * specific and one IPv6-specific. */
void
policy_expand_unspec(smartlist_t **policy)
{
  smartlist_t *tmp;
  if (!*policy)
    return;

  tmp = smartlist_new();
  SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
    sa_family_t family = tor_addr_family(&p->addr);
    if (family == AF_INET6 || family == AF_INET || p->is_private) {
      smartlist_add(tmp, p);
    } else if (family == AF_UNSPEC) {
      addr_policy_t newpolicy_ipv4;
      addr_policy_t newpolicy_ipv6;
      memcpy(&newpolicy_ipv4, p, sizeof(addr_policy_t));
      memcpy(&newpolicy_ipv6, p, sizeof(addr_policy_t));
      newpolicy_ipv4.is_canonical = 0;
      newpolicy_ipv6.is_canonical = 0;
      if (p->maskbits != 0) {
        log_warn(LD_BUG, "AF_UNSPEC policy with maskbits==%d", p->maskbits);
        newpolicy_ipv4.maskbits = 0;
        newpolicy_ipv6.maskbits = 0;
      }
      tor_addr_from_ipv4h(&newpolicy_ipv4.addr, 0);
      tor_addr_from_ipv6_bytes(&newpolicy_ipv6.addr,
172
          (const uint8_t *)"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
173
174
175
176
177
178
179
180
181
182
183
184
185
      smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv4));
      smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv6));
      addr_policy_free(p);
    } else {
      log_warn(LD_BUG, "Funny-looking address policy with family %d", family);
      smartlist_add(tmp, p);
    }
  } SMARTLIST_FOREACH_END(p);

  smartlist_free(*policy);
  *policy = tmp;
}

186
/**
187
 * Given a linked list of config lines containing "accept[6]" and "reject[6]"
188
 * tokens, parse them and append the result to <b>dest</b>. Return -1
189
 * if any tokens are malformed (and don't append any), else return 0.
190
191
192
193
 *
 * If <b>assume_action</b> is nonnegative, then insert its action
 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
 * action.
194
195
 */
static int
196
parse_addr_policy(config_line_t *cfg, smartlist_t **dest,
197
198
                  int assume_action)
{
199
  smartlist_t *result;
200
  smartlist_t *entries;
201
  addr_policy_t *item;
202
  int malformed_list;
203
204
205
206
207
  int r = 0;

  if (!cfg)
    return 0;

208
209
  result = smartlist_new();
  entries = smartlist_new();
210
211
212
  for (; cfg; cfg = cfg->next) {
    smartlist_split_string(entries, cfg->value, ",",
                           SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
213
    SMARTLIST_FOREACH_BEGIN(entries, const char *, ent) {
214
      log_debug(LD_CONFIG,"Adding new entry '%s'",ent);
215
216
217
      malformed_list = 0;
      item = router_parse_addr_policy_item_from_string(ent, assume_action,
                                                       &malformed_list);
218
219
      if (item) {
        smartlist_add(result, item);
220
221
222
223
      } else if (malformed_list) {
        /* the error is so severe the entire list should be discarded */
        log_warn(LD_CONFIG, "Malformed policy '%s'. Discarding entire policy "
                 "list.", ent);
224
        r = -1;
225
226
227
228
229
230
      } else {
        /* the error is minor: don't add the item, but keep processing the
         * rest of the policies in the list */
        log_debug(LD_CONFIG, "Ignored policy '%s' due to non-fatal error. "
                  "The remainder of the policy list will be used.",
                  ent);
231
      }
232
    } SMARTLIST_FOREACH_END(ent);
233
234
235
236
    SMARTLIST_FOREACH(entries, char *, ent, tor_free(ent));
    smartlist_clear(entries);
  }
  smartlist_free(entries);
237
238
239
240
  if (r == -1) {
    addr_policy_list_free(result);
  } else {
    policy_expand_private(&result);
241
    policy_expand_unspec(&result);
242
243
244
245
246
247
248
249
250

    if (*dest) {
      smartlist_add_all(*dest, result);
      smartlist_free(result);
    } else {
      *dest = result;
    }
  }

251
252
253
254
  return r;
}

/** Helper: parse the Reachable(Dir|OR)?Addresses fields into
255
256
257
258
 * reachable_(or|dir)_addr_policy.  The options should already have
 * been validated by validate_addr_policies.
 */
static int
259
260
parse_reachable_addresses(void)
{
261
  const or_options_t *options = get_options();
262
  int ret = 0;
263
264
265
266
267
268
269
270

  if (options->ReachableDirAddresses &&
      options->ReachableORAddresses &&
      options->ReachableAddresses) {
    log_warn(LD_CONFIG,
             "Both ReachableDirAddresses and ReachableORAddresses are set. "
             "ReachableAddresses setting will be ignored.");
  }
271
  addr_policy_list_free(reachable_or_addr_policy);
272
273
274
275
276
277
278
279
280
281
282
  reachable_or_addr_policy = NULL;
  if (!options->ReachableORAddresses && options->ReachableAddresses)
    log_info(LD_CONFIG,
             "Using ReachableAddresses as ReachableORAddresses.");
  if (parse_addr_policy(options->ReachableORAddresses ?
                          options->ReachableORAddresses :
                          options->ReachableAddresses,
                        &reachable_or_addr_policy, ADDR_POLICY_ACCEPT)) {
    log_warn(LD_CONFIG,
             "Error parsing Reachable%sAddresses entry; ignoring.",
             options->ReachableORAddresses ? "OR" : "");
283
    ret = -1;
284
285
  }

286
  addr_policy_list_free(reachable_dir_addr_policy);
287
288
289
290
291
292
293
294
295
296
297
  reachable_dir_addr_policy = NULL;
  if (!options->ReachableDirAddresses && options->ReachableAddresses)
    log_info(LD_CONFIG,
             "Using ReachableAddresses as ReachableDirAddresses");
  if (parse_addr_policy(options->ReachableDirAddresses ?
                          options->ReachableDirAddresses :
                          options->ReachableAddresses,
                        &reachable_dir_addr_policy, ADDR_POLICY_ACCEPT)) {
    if (options->ReachableDirAddresses)
      log_warn(LD_CONFIG,
               "Error parsing ReachableDirAddresses entry; ignoring.");
298
    ret = -1;
299
300
  }

301
302
  /* We ignore ReachableAddresses for relays */
  if (!server_mode(options)) {
Nick Mathewson's avatar
Nick Mathewson committed
303
304
    if (policy_is_reject_star(reachable_or_addr_policy, AF_UNSPEC, 0)
        || policy_is_reject_star(reachable_dir_addr_policy, AF_UNSPEC,0)) {
305
306
307
308
      log_warn(LD_CONFIG, "Tor cannot connect to the Internet if "
               "ReachableAddresses, ReachableORAddresses, or "
               "ReachableDirAddresses reject all addresses. Please accept "
               "some addresses in these options.");
309
    } else if (options->ClientUseIPv4 == 1
Nick Mathewson's avatar
Nick Mathewson committed
310
311
       && (policy_is_reject_star(reachable_or_addr_policy, AF_INET, 0)
           || policy_is_reject_star(reachable_dir_addr_policy, AF_INET, 0))) {
312
313
314
315
          log_warn(LD_CONFIG, "You have set ClientUseIPv4 1, but "
                   "ReachableAddresses, ReachableORAddresses, or "
                   "ReachableDirAddresses reject all IPv4 addresses. "
                   "Tor will not connect using IPv4.");
316
    } else if (reachable_addr_use_ipv6(options)
Nick Mathewson's avatar
Nick Mathewson committed
317
318
       && (policy_is_reject_star(reachable_or_addr_policy, AF_INET6, 0)
         || policy_is_reject_star(reachable_dir_addr_policy, AF_INET6, 0))) {
319
320
          log_warn(LD_CONFIG, "You have configured tor to use or prefer IPv6 "
                   "(or UseBridges 1), but "
321
322
323
                   "ReachableAddresses, ReachableORAddresses, or "
                   "ReachableDirAddresses reject all IPv6 addresses. "
                   "Tor will not connect using IPv6.");
324
325
326
    }
  }

Roger Dingledine's avatar
Roger Dingledine committed
327
  /* Append a reject *:* to reachable_(or|dir)_addr_policy */
328
329
330
331
332
333
334
  if (!ret && (options->ReachableDirAddresses ||
               options->ReachableORAddresses ||
               options->ReachableAddresses)) {
    append_exit_policy_string(&reachable_or_addr_policy, "reject *:*");
    append_exit_policy_string(&reachable_dir_addr_policy, "reject *:*");
  }

335
  return ret;
336
337
}

338
339
340
341
/* Return true iff ClientUseIPv4 0 or ClientUseIPv6 0 might block any OR or Dir
 * address:port combination. */
static int
firewall_is_fascist_impl(void)
342
343
344
345
{
  const or_options_t *options = get_options();
  /* Assume every non-bridge relay has an IPv4 address.
   * Clients which use bridges may only know the IPv6 address of their
346
347
   * bridge, but they will connect regardless of the ClientUseIPv6 setting. */
  return options->ClientUseIPv4 == 0;
348
349
350
351
}

/** Return true iff the firewall options, including ClientUseIPv4 0 and
 * ClientUseIPv6 0, might block any OR address:port combination.
352
353
 * Address preferences may still change which address is selected even if
 * this function returns false.
354
355
356
357
 */
int
firewall_is_fascist_or(void)
{
358
359
360
361
362
  return (reachable_or_addr_policy != NULL || firewall_is_fascist_impl());
}

/** Return true iff the firewall options, including ClientUseIPv4 0 and
 * ClientUseIPv6 0, might block any Dir address:port combination.
363
364
 * Address preferences may still change which address is selected even if
 * this function returns false.
365
366
367
368
369
 */
int
firewall_is_fascist_dir(void)
{
  return (reachable_dir_addr_policy != NULL || firewall_is_fascist_impl());
370
371
372
373
374
375
}

/** Return true iff <b>policy</b> (possibly NULL) will allow a
 * connection to <b>addr</b>:<b>port</b>.
 */
static int
376
addr_policy_permits_tor_addr(const tor_addr_t *addr, uint16_t port,
377
                            smartlist_t *policy)
378
379
{
  addr_policy_result_t p;
380
  p = compare_tor_addr_to_addr_policy(addr, port, policy);
381
382
383
384
385
386
387
388
389
390
391
392
393
  switch (p) {
    case ADDR_POLICY_PROBABLY_ACCEPTED:
    case ADDR_POLICY_ACCEPTED:
      return 1;
    case ADDR_POLICY_PROBABLY_REJECTED:
    case ADDR_POLICY_REJECTED:
      return 0;
    default:
      log_warn(LD_BUG, "Unexpected result: %d", (int)p);
      return 0;
  }
}

394
395
396
/** Return true iff we think our firewall will let us make a connection to
 * addr:port.
 *
397
398
 * If we are configured as a server, ignore any address family preference and
 * just use IPv4.
399
400
401
402
403
 * Otherwise:
 *  - return false for all IPv4 addresses:
 *    - if ClientUseIPv4 is 0, or
 *      if pref_only and pref_ipv6 are both true;
 *  - return false for all IPv6 addresses:
404
 *    - if reachable_addr_use_ipv6() is 0, or
405
406
407
408
 *    - if pref_only is true and pref_ipv6 is false.
 *
 * Return false if addr is NULL or tor_addr_is_null(), or if port is 0. */
STATIC int
409
reachable_addr_allows(const tor_addr_t *addr,
410
411
412
                                uint16_t port,
                                smartlist_t *firewall_policy,
                                int pref_only, int pref_ipv6)
413
{
414
  const or_options_t *options = get_options();
415
  const int client_mode = !server_mode(options);
416
417
418
419
420

  if (!addr || tor_addr_is_null(addr) || !port) {
    return 0;
  }

421
422
423
424
425
426
  /* Clients stop using IPv4 if it's disabled. In most cases, clients also
   * stop using IPv4 if it's not preferred.
   * Servers must have IPv4 enabled and preferred. */
  if (tor_addr_family(addr) == AF_INET && client_mode &&
      (!options->ClientUseIPv4 || (pref_only && pref_ipv6))) {
    return 0;
427
428
  }

429
430
  /* Clients and Servers won't use IPv6 unless it's enabled (and in most
   * cases, IPv6 must also be preferred before it will be used). */
431
  if (tor_addr_family(addr) == AF_INET6 &&
432
      (!reachable_addr_use_ipv6(options) || (pref_only && !pref_ipv6))) {
433
    return 0;
434
  }
435

436
  return addr_policy_permits_tor_addr(addr, port,
437
438
439
                                      firewall_policy);
}

440
/** Is this client configured to use IPv6?
441
442
443
 * Returns true if the client might use IPv6 for some of its connections
 * (including dual-stack and IPv6-only clients), and false if it will never
 * use IPv6 for any connections.
444
445
 * Use node_ipv6_or/dir_preferred() when checking a specific node and OR/Dir
 * port: it supports bridge client per-node IPv6 preferences.
446
 */
Nick Mathewson's avatar
Nick Mathewson committed
447
int
448
reachable_addr_use_ipv6(const or_options_t *options)
449
{
450
  /* Clients use IPv6 if it's set, or they use bridges, or they don't use
451
452
453
454
   * IPv4, or they prefer it.
   * ClientPreferIPv6DirPort is deprecated, but check it anyway. */
  return (options->ClientUseIPv6 == 1 || options->ClientUseIPv4 == 0 ||
          options->ClientPreferIPv6ORPort == 1 ||
455
          options->ClientPreferIPv6DirPort == 1 || options->UseBridges == 1);
456
457
458
459
460
461
462
}

/** Do we prefer to connect to IPv6, ignoring ClientPreferIPv6ORPort and
 * ClientPreferIPv6DirPort?
 * If we're unsure, return -1, otherwise, return 1 for IPv6 and 0 for IPv4.
 */
static int
463
reachable_addr_prefer_ipv6_impl(const or_options_t *options)
464
465
466
467
468
469
470
{
  /*
   Cheap implementation of config options ClientUseIPv4 & ClientUseIPv6 --
   If we're a server or IPv6 is disabled, use IPv4.
   If IPv4 is disabled, use IPv6.
   */

471
  if (server_mode(options) || !reachable_addr_use_ipv6(options)) {
472
473
474
475
476
477
478
479
480
481
482
    return 0;
  }

  if (!options->ClientUseIPv4) {
    return 1;
  }

  return -1;
}

/** Do we prefer to connect to IPv6 ORPorts?
483
484
 * Use node_ipv6_or_preferred() whenever possible: it supports bridge client
 * per-node IPv6 preferences.
485
486
 */
int
487
reachable_addr_prefer_ipv6_orport(const or_options_t *options)
488
{
489
  int pref_ipv6 = reachable_addr_prefer_ipv6_impl(options);
490
491
492
493
494
495

  if (pref_ipv6 >= 0) {
    return pref_ipv6;
  }

  /* We can use both IPv4 and IPv6 - which do we prefer? */
496
  if (options->ClientPreferIPv6ORPort == 1) {
497
498
499
500
    return 1;
  }

  return 0;
501
502
}

503
/** Do we prefer to connect to IPv6 DirPorts?
504
505
506
 *
 * (node_ipv6_dir_preferred() doesn't support bridge client per-node IPv6
 * preferences. There's no reason to use it instead of this function.)
507
 */
508
int
509
reachable_addr_prefer_ipv6_dirport(const or_options_t *options)
510
{
511
  int pref_ipv6 = reachable_addr_prefer_ipv6_impl(options);
512
513
514
515
516
517
518
519
520
521
522

  if (pref_ipv6 >= 0) {
    return pref_ipv6;
  }

  /* We can use both IPv4 and IPv6 - which do we prefer? */
  if (options->ClientPreferIPv6DirPort == 1) {
    return 1;
  }

  return 0;
523
524
}

525
526
527
/** Return true iff we think our firewall will let us make a connection to
 * addr:port. Uses ReachableORAddresses or ReachableDirAddresses based on
 * fw_connection.
528
529
530
 * If pref_only is true, return true if addr is in the client's preferred
 * address family, which is IPv6 if pref_ipv6 is true, and IPv4 otherwise.
 * If pref_only is false, ignore pref_ipv6, and return true if addr is allowed.
531
 */
532
int
533
reachable_addr_allows_addr(const tor_addr_t *addr, uint16_t port,
534
                                     firewall_connection_t fw_connection,
535
                                     int pref_only, int pref_ipv6)
536
537
{
  if (fw_connection == FIREWALL_OR_CONNECTION) {
538
    return reachable_addr_allows(addr, port,
Nick Mathewson's avatar
Nick Mathewson committed
539
                               reachable_or_addr_policy,
540
                               pref_only, pref_ipv6);
541
  } else if (fw_connection == FIREWALL_DIR_CONNECTION) {
542
    return reachable_addr_allows(addr, port,
Nick Mathewson's avatar
Nick Mathewson committed
543
                               reachable_dir_addr_policy,
544
                               pref_only, pref_ipv6);
545
  } else {
546
547
548
549
550
551
552
553
554
    log_warn(LD_BUG, "Bad firewall_connection_t value %d.",
             fw_connection);
    return 0;
  }
}

/** Return true iff we think our firewall will let us make a connection to
 * addr:port (ap). Uses ReachableORAddresses or ReachableDirAddresses based on
 * fw_connection.
555
 * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
556
 */
557
static int
558
reachable_addr_allows_ap(const tor_addr_port_t *ap,
559
                                   firewall_connection_t fw_connection,
560
                                   int pref_only, int pref_ipv6)
561
562
{
  tor_assert(ap);
563
  return reachable_addr_allows_addr(&ap->addr, ap->port,
564
565
                                              fw_connection, pref_only,
                                              pref_ipv6);
566
567
568
569
570
571
}

/** Return true iff we think our firewall will let us make a connection to
 * ipv4h_addr/ipv6_addr. Uses ipv4_orport/ipv6_orport/ReachableORAddresses or
 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
 * <b>fw_connection</b>.
572
 * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
573
 */
574
static int
575
reachable_addr_allows_base(const tor_addr_t *ipv4_addr, uint16_t ipv4_orport,
576
577
578
579
                             uint16_t ipv4_dirport,
                             const tor_addr_t *ipv6_addr, uint16_t ipv6_orport,
                             uint16_t ipv6_dirport,
                             firewall_connection_t fw_connection,
580
                             int pref_only, int pref_ipv6)
581
{
582
  if (reachable_addr_allows_addr(ipv4_addr,
583
584
585
586
                                      (fw_connection == FIREWALL_OR_CONNECTION
                                       ? ipv4_orport
                                       : ipv4_dirport),
                                      fw_connection,
587
                                      pref_only, pref_ipv6)) {
588
589
    return 1;
  }
590

591
  if (reachable_addr_allows_addr(ipv6_addr,
592
593
594
595
                                      (fw_connection == FIREWALL_OR_CONNECTION
                                       ? ipv6_orport
                                       : ipv6_dirport),
                                      fw_connection,
596
                                      pref_only, pref_ipv6)) {
597
598
599
600
601
602
    return 1;
  }

  return 0;
}

603
/** Like reachable_addr_allows_base(), but takes ri. */
604
static int
605
reachable_addr_allows_ri_impl(const routerinfo_t *ri,
606
                                firewall_connection_t fw_connection,
607
                                int pref_only, int pref_ipv6)
608
609
610
611
612
613
{
  if (!ri) {
    return 0;
  }

  /* Assume IPv4 and IPv6 DirPorts are the same */
614
  return reachable_addr_allows_base(&ri->ipv4_addr, ri->ipv4_orport,
615
616
617
                                      ri->ipv4_dirport, &ri->ipv6_addr,
                                      ri->ipv6_orport, ri->ipv4_dirport,
                                      fw_connection, pref_only, pref_ipv6);
618
619
}

620
/** Like reachable_addr_allows_rs, but takes pref_ipv6. */
621
static int
622
reachable_addr_allows_rs_impl(const routerstatus_t *rs,
623
                                firewall_connection_t fw_connection,
624
                                int pref_only, int pref_ipv6)
625
626
627
628
629
630
{
  if (!rs) {
    return 0;
  }

  /* Assume IPv4 and IPv6 DirPorts are the same */
631
  return reachable_addr_allows_base(&rs->ipv4_addr, rs->ipv4_orport,
632
633
634
                                      rs->ipv4_dirport, &rs->ipv6_addr,
                                      rs->ipv6_orport, rs->ipv4_dirport,
                                      fw_connection, pref_only, pref_ipv6);
635
636
}

637
/** Like reachable_addr_allows_base(), but takes rs.
638
639
640
641
642
 * When rs is a fake_status from a dir_server_t, it can have a reachable
 * address, even when the corresponding node does not.
 * nodes can be missing addresses when there's no consensus (IPv4 and IPv6),
 * or when there is a microdescriptor consensus, but no microdescriptors
 * (microdescriptors have IPv6, the microdesc consensus does not). */
643
int
644
reachable_addr_allows_rs(const routerstatus_t *rs,
645
                           firewall_connection_t fw_connection, int pref_only)
646
{
647
648
649
650
  if (!rs) {
    return 0;
  }

651
652
653
654
  /* We don't have access to the node-specific IPv6 preference, so use the
   * generic IPv6 preference instead. */
  const or_options_t *options = get_options();
  int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
655
656
                   ? reachable_addr_prefer_ipv6_orport(options)
                   : reachable_addr_prefer_ipv6_dirport(options));
657

658
  return reachable_addr_allows_rs_impl(rs, fw_connection, pref_only,
659
                                         pref_ipv6);
660
661
}

662
663
664
/** Return true iff we think our firewall will let us make a connection to
 * ipv6_addr:ipv6_orport based on ReachableORAddresses.
 * If <b>fw_connection</b> is FIREWALL_DIR_CONNECTION, returns 0.
665
 * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
666
 */
667
static int
668
reachable_addr_allows_md_impl(const microdesc_t *md,
669
                                firewall_connection_t fw_connection,
670
                                int pref_only, int pref_ipv6)
671
672
673
674
675
676
677
678
679
680
681
{
  if (!md) {
    return 0;
  }

  /* Can't check dirport, it doesn't have one */
  if (fw_connection == FIREWALL_DIR_CONNECTION) {
    return 0;
  }

  /* Also can't check IPv4, doesn't have that either */
682
  return reachable_addr_allows_addr(&md->ipv6_addr, md->ipv6_orport,
683
684
                                              fw_connection, pref_only,
                                              pref_ipv6);
685
686
}

687
/** Like reachable_addr_allows_base(), but takes node, and looks up pref_ipv6
688
 * from node_ipv6_or/dir_preferred(). */
689
int
690
reachable_addr_allows_node(const node_t *node,
691
692
                             firewall_connection_t fw_connection,
                             int pref_only)
693
{
694
695
696
697
698
699
  if (!node) {
    return 0;
  }

  node_assert_ok(node);

700
701
702
703
  const int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
                         ? node_ipv6_or_preferred(node)
                         : node_ipv6_dir_preferred(node));

704
705
  /* Sometimes, the rs is missing the IPv6 address info, and we need to go
   * all the way to the md */
706
  if (node->ri && reachable_addr_allows_ri_impl(node->ri, fw_connection,
707
                                                  pref_only, pref_ipv6)) {
708
    return 1;
709
  } else if (node->rs && reachable_addr_allows_rs_impl(node->rs,
710
                                                         fw_connection,
711
712
                                                         pref_only,
                                                         pref_ipv6)) {
713
    return 1;
714
  } else if (node->md && reachable_addr_allows_md_impl(node->md,
715
                                                         fw_connection,
716
717
                                                         pref_only,
                                                         pref_ipv6)) {
718
719
720
721
722
723
724
725
    return 1;
  } else {
    /* If we know nothing, assume it's unreachable, we'll never get an address
     * to connect to. */
    return 0;
  }
}

726
/** Like reachable_addr_allows_rs(), but takes ds. */
727
int
728
reachable_addr_allows_dir_server(const dir_server_t *ds,
729
730
731
732
733
734
735
736
737
738
                                   firewall_connection_t fw_connection,
                                   int pref_only)
{
  if (!ds) {
    return 0;
  }

  /* A dir_server_t always has a fake_status. As long as it has the same
   * addresses/ports in both fake_status and dir_server_t, this works fine.
   * (See #17867.)
739
740
   * reachable_addr_allows_rs only checks the addresses in fake_status. */
  return reachable_addr_allows_rs(&ds->fake_status, fw_connection,
741
742
743
744
745
746
747
                                    pref_only);
}

/** If a and b are both valid and allowed by fw_connection,
 * choose one based on want_a and return it.
 * Otherwise, return whichever is allowed.
 * Otherwise, return NULL.
748
 * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
749
 */
750
static const tor_addr_port_t *
751
reachable_addr_choose_impl(const tor_addr_port_t *a,
752
753
754
                                     const tor_addr_port_t *b,
                                     int want_a,
                                     firewall_connection_t fw_connection,
755
                                     int pref_only, int pref_ipv6)
756
757
758
759
{
  const tor_addr_port_t *use_a = NULL;
  const tor_addr_port_t *use_b = NULL;

760
  if (reachable_addr_allows_ap(a, fw_connection, pref_only,
761
                                         pref_ipv6)) {
762
763
764
    use_a = a;
  }

765
  if (reachable_addr_allows_ap(b, fw_connection, pref_only,
766
                                         pref_ipv6)) {
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
    use_b = b;
  }

  /* If both are allowed */
  if (use_a && use_b) {
    /* Choose a if we want it */
    return (want_a ? use_a : use_b);
  } else {
    /* Choose a if we have it */
    return (use_a ? use_a : use_b);
  }
}

/** If a and b are both valid and preferred by fw_connection,
 * choose one based on want_a and return it.
 * Otherwise, return whichever is preferred.
 * If neither are preferred, and pref_only is false:
 *  - If a and b are both allowed by fw_connection,
 *    choose one based on want_a and return it.
 *  - Otherwise, return whichever is preferred.
 * Otherwise, return NULL. */
788
STATIC const tor_addr_port_t *
789
reachable_addr_choose(const tor_addr_port_t *a,
790
791
792
                                const tor_addr_port_t *b,
                                int want_a,
                                firewall_connection_t fw_connection,
793
                                int pref_only, int pref_ipv6)
794
{
795
  const tor_addr_port_t *pref = reachable_addr_choose_impl(
796
797
                                                                a, b, want_a,
                                                                fw_connection,
798
                                                                1, pref_ipv6);
799
800
801
802
803
804
805
806
  if (pref_only || pref) {
    /* If there is a preferred address, use it. If we can only use preferred
     * addresses, and neither address is preferred, pref will be NULL, and we
     * want to return NULL, so return it. */
    return pref;
  } else {
    /* If there's no preferred address, and we can return addresses that are
     * not preferred, use an address that's allowed */
807
    return reachable_addr_choose_impl(a, b, want_a, fw_connection,
808
                                                0, pref_ipv6);
809
810
811
812
813
814
815
816
817
818
  }
}

/** Copy an address and port into <b>ap</b> that we think our firewall will
 * let us connect to. Uses ipv4_addr/ipv6_addr and
 * ipv4_orport/ipv6_orport/ReachableORAddresses or
 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
 * <b>fw_connection</b>.
 * If pref_only, only choose preferred addresses. In either case, choose
 * a preferred address before an address that's not preferred.
819
 * If both addresses could be chosen (they are both preferred or both allowed)
820
821
 * choose IPv6 if pref_ipv6 is true, otherwise choose IPv4. */
static void
822
reachable_addr_choose_base(const tor_addr_t *ipv4_addr,
823
824
825
826
827
828
829
                                     uint16_t ipv4_orport,
                                     uint16_t ipv4_dirport,
                                     const tor_addr_t *ipv6_addr,
                                     uint16_t ipv6_orport,
                                     uint16_t ipv6_dirport,
                                     firewall_connection_t fw_connection,
                                     int pref_only,
830
                                     int pref_ipv6,
831
832
833
                                     tor_addr_port_t* ap)
{
  const tor_addr_port_t *result = NULL;
834
  const int want_ipv4 = !pref_ipv6;
835
836
837
838

  tor_assert(ipv6_addr);
  tor_assert(ap);

839
840
841
  tor_addr_make_null(&ap->addr, AF_UNSPEC);
  ap->port = 0;

842
843
844
845
846
847
848
849
850
851
852
853
  tor_addr_port_t ipv4_ap;
  tor_addr_copy(&ipv4_ap.addr, ipv4_addr);
  ipv4_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
                  ? ipv4_orport
                  : ipv4_dirport);

  tor_addr_port_t ipv6_ap;
  tor_addr_copy(&ipv6_ap.addr, ipv6_addr);
  ipv6_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
                  ? ipv6_orport
                  : ipv6_dirport);

854
  result = reachable_addr_choose(&ipv4_ap, &ipv6_ap,
855
856
857
                                           want_ipv4,
                                           fw_connection, pref_only,
                                           pref_ipv6);
858
859
860
861
862
863
864

  if (result) {
    tor_addr_copy(&ap->addr, &result->addr);
    ap->port = result->port;
  }
}

865
/** Like reachable_addr_choose_base(), but takes <b>rs</b>.
866
867
868
869
 * Consults the corresponding node, then falls back to rs if node is NULL.
 * This should only happen when there's no valid consensus, and rs doesn't
 * correspond to a bridge client's bridge.
 */
870
void
871
reachable_addr_choose_from_rs(const routerstatus_t *rs,
872
873
874
875
876
                                   firewall_connection_t fw_connection,
                                   int pref_only, tor_addr_port_t* ap)
{
  tor_assert(ap);

877
878
879
  tor_addr_make_null(&ap->addr, AF_UNSPEC);
  ap->port = 0;

880
881
882
883
  if (!rs) {
    return;
  }

884
  const or_options_t *options = get_options();
885
886
  const node_t *node = node_get_by_id(rs->identity_digest);

887
  if (node) {
888
    reachable_addr_choose_from_node(node, fw_connection, pref_only, ap);
889
  } else {
890
891
892
    /* There's no node-specific IPv6 preference, so use the generic IPv6
     * preference instead. */
    int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
893
894
                     ? reachable_addr_prefer_ipv6_orport(options)
                     : reachable_addr_prefer_ipv6_dirport(options));
895

896
    reachable_addr_choose_base(&rs->ipv4_addr, rs->ipv4_orport,
897
898
899
900
                                          rs->ipv4_dirport, &rs->ipv6_addr,
                                          rs->ipv6_orport, rs->ipv4_dirport,
                                          fw_connection, pref_only, pref_ipv6,
                                          ap);
901
  }
902
903
}

904
/** Like reachable_addr_choose_base(), but takes in a smartlist
905
906
907
 * <b>lspecs</b> consisting of one or more link specifiers. We assume
 * fw_connection is FIREWALL_OR_CONNECTION as link specifiers cannot
 * contain DirPorts.
908
909
 */
void
910
reachable_addr_choose_from_ls(const smartlist_t *lspecs,
911
                                   int pref_only, tor_addr_port_t* ap)
912
913
914
915
916
{
  int have_v4 = 0, have_v6 = 0;
  uint16_t port_v4 = 0, port_v6 = 0;
  tor_addr_t addr_v4, addr_v6;

917
918
  tor_assert(ap);

919
920
921
922
923
924
925
926
927
  if (lspecs == NULL) {
    log_warn(LD_BUG, "Unknown or missing link specifiers");
    return;
  }
  if (smartlist_len(lspecs) == 0) {
    log_warn(LD_PROTOCOL, "Link specifiers are empty");
    return;
  }

928
929
930
931
932
933
  tor_addr_make_null(&ap->addr, AF_UNSPEC);
  ap->port = 0;

  tor_addr_make_null(&addr_v4, AF_INET);
  tor_addr_make_null(&addr_v6, AF_INET6);

934
935
936
937
938
939
940
941
942
943
944
945
946
  SMARTLIST_FOREACH_BEGIN(lspecs, const link_specifier_t *, ls) {
    switch (link_specifier_get_ls_type(ls)) {
    case LS_IPV4:
      /* Skip if we already seen a v4. */
      if (have_v4) continue;
      tor_addr_from_ipv4h(&addr_v4,
                          link_specifier_get_un_ipv4_addr(ls));
      port_v4 = link_specifier_get_un_ipv4_port(ls);
      have_v4 = 1;
      break;
    case LS_IPV6:
      /* Skip if we already seen a v6, or deliberately skip it if we're not a
       * direct connection. */
947
      if (have_v6) continue;
948
      tor_addr_from_ipv6_bytes(&addr_v6,
949
          link_specifier_getconstarray_un_ipv6_addr(ls));
950
951
952
953
954
955
956
957
958
      port_v6 = link_specifier_get_un_ipv6_port(ls);
      have_v6 = 1;
      break;
    default:
      /* Ignore unknown. */
      break;
    }
  } SMARTLIST_FOREACH_END(ls);

959
960
961
962
963
964
965
966
967
968
  /* If we don't have IPv4 or IPv6 in link specifiers, log a bug and return. */
  if (!have_v4 && !have_v6) {
    if (!have_v6) {
      log_warn(LD_PROTOCOL, "None of our link specifiers have IPv4 or IPv6");
    } else {
      log_warn(LD_PROTOCOL, "None of our link specifiers have IPv4");
    }
    return;
  }

969
970
971
  /* Here, don't check for DirPorts as link specifiers are only used for
   * ORPorts. */
  const or_options_t *options = get_options();
972
  int pref_ipv6 = reachable_addr_prefer_ipv6_orport(options);
973
  /* Assume that the DirPorts are zero as link specifiers only use ORPorts. */
974
  reachable_addr_choose_base(&addr_v4, port_v4, 0,
975
976
977
978
979
980
                                       &addr_v6, port_v6, 0,
                                       FIREWALL_OR_CONNECTION,
                                       pref_only, pref_ipv6,
                                       ap);
}

981
/** Like reachable_addr_choose_base(), but takes <b>node</b>, and
982
983
 * looks up the node's IPv6 preference rather than taking an argument
 * for pref_ipv6. */
984
void
985
reachable_addr_choose_from_node(const node_t *node,
986
987
988
                                     firewall_connection_t fw_connection,
                                     int pref_only, tor_addr_port_t *ap)
{
989
990
991
992
  tor_assert(ap);

  tor_addr_make_null(&ap->addr, AF_UNSPEC);
  ap->port = 0;
993

994
995
996
997
998
  if (!node) {
    return;
  }

  node_assert_ok(node);
999

1000
  const int pref_ipv6_node = (fw_connection == FIREWALL_OR_CONNECTION