author | teor <teor2345@gmail.com> | 2016-11-18 11:46:01 +1100 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2016-12-01 09:44:53 -0500 |
commit | f80a43d16f5f7a5e63d0949df74077c875ee5d94 (patch) | |
tree | a2a00189d5a2f94dc9ca641abc159b4fed220aee /src/or/config.c | |
parent | 91abd60cad2fa3ca9f85fe20956f5f6a336c9c67 (diff) | |
Stop ignoring hidden service key anonymity when first starting tor
Instead, refuse to start tor if any hidden service key has been used in
a different hidden service anonymity mode.
Fixes bug 20638; bugfix on 17178 in 0.2.9.3-alpha; reported by ahf.
The original single onion service poisoning code checked poisoning state
in options_validate, and poisoned in options_act. This was problematic,
because the global array of hidden services had not been populated in
options_validate (and there were ordering issues with hidden service
directory creation).
This patch fixes this issue in rend_service_check_dir_and_add, which:
* creates the directory, or checks permissions on an existing directory, then
* checks the poisoning state of the directory, then
* poisons the directory.
When validating, only the permissions checks and the poisoning state checks
are performed (the directory is not modified).
Diffstat (limited to 'src/or/config.c')
-rw-r--r-- | src/or/config.c | 34 |
1 files changed, 0 insertions, 34 deletions
diff --git a/src/or/config.c b/src/or/config.c
index 9ad5d63f8d..8568ea9d64 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -1729,25 +1729,6 @@ options_act(const or_options_t *old_options)
 monitor_owning_controller_process(options->OwningControllerProcess);
- /* We must create new keys after we poison the directories, because our
- * poisoning code checks for existing keys, and refuses to modify their
- * directories. */
-
- /* If we use non-anonymous single onion services, make sure we poison any
- new hidden service directories, so that we never accidentally launch the
- non-anonymous hidden services thinking they are anonymous. */
- if (running_tor && rend_service_non_anonymous_mode_enabled(options)) {
- if (options->RendConfigLines && !num_rend_services()) {
- log_warn(LD_BUG,"Error: hidden services configured, but not parsed.");
- return -1;
- }
- if (rend_service_poison_new_single_onion_dirs(NULL) < 0) {
- log_warn(LD_GENERAL,"Failed to mark new hidden services as non-anonymous"
- ".");
- return -1;
- }
- }
-
 /* reload keys as needed for rendezvous services. */
 if (rend_service_load_all_keys(NULL)<0) {
 log_warn(LD_GENERAL,"Error loading rendezvous service keys");
@@ -2891,21 +2872,6 @@ options_validate_single_onion(or_options_t *options, char **msg)
 options->UseEntryGuards = 0;
 }
- /* Check if existing hidden service keys were created in a different
- * single onion service mode, and refuse to launch if they
- * have. We'll poison new keys in options_act() just before we create them.
- */
- if (rend_service_list_verify_single_onion_poison(NULL, options) < 0) {
- log_warn(LD_GENERAL, "We are configured with "
- "HiddenServiceNonAnonymousMode %d, but one or more hidden "
- "service keys were created in %s mode. This is not allowed.",
- rend_service_non_anonymous_mode_enabled(options) ? 1 : 0,
- rend_service_non_anonymous_mode_enabled(options) ?
- "an anonymous" : "a non-anonymous"
- );
- return -1;
- }
-
 return 0;
 } |