-rw-r--r-- | ChangeLog | 2 | ||||
-rw-r--r-- | doc/TODO | 3 | ||||
-rw-r--r-- | src/or/config.c | 4 | ||||
-rw-r--r-- | src/or/connection.c | 2 | ||||
-rw-r--r-- | src/or/dns.c | 29 | ||||
-rw-r--r-- | src/or/main.c | 41 | ||||
-rw-r--r-- | src/or/or.h | 6 | ||||
-rw-r--r-- | src/or/router.c | 27 |
8 files changed, 89 insertions, 25 deletions
@@ -70,6 +70,8 @@ Changes in version 0.1.2.5-xxxx - 200?-??-?? - We now check for the case when common DNS requests are going to wildcarded addresses, and change our exit policy to reject *:* if it's happening. (Bug #364) + - When we change nameservers or IP addresses, reset and re-launch + our tests for DNS hijacking. o Security bugfixes: - Stop sending the HttpProxyAuthenticator string to directory @@ -112,8 +112,7 @@ d - Be a DNS proxy. well-known sites) are all going to the same place. o Bug 363: Warn and die if we can't find a nameserver and we're running a server; don't fall back to 127.0.0.1. -? - maybe re-check dns when we change IP addresses, rather than - every 12 hours? + o Re-check dns when we change IP addresses, rather than every 12 hours - Bug 326: Give fewer error messages from nameservers. - Only warn when _all_ nameservers are down; otherwise info. - Increase timeout; what's industry standard? diff --git a/src/or/config.c b/src/or/config.c index be22da7374..383ecc62f6 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -976,7 +976,7 @@ options_act(or_options_t *old_options) log_err(LD_BUG,"Error initializing keys; exiting"); return -1; } - server_has_changed_ip(); + ip_address_changed(0); if (has_completed_circuit || !any_predicted_circuits(time(NULL))) inform_testing_reachability(); } @@ -1908,7 +1908,7 @@ resolve_my_address(int warn_severity, or_options_t *options, /* Leave this as a notice, regardless of the requested severity, * at least until dynamic IP address support becomes bulletproof. */ log_notice(LD_NET, "Your IP address seems to have changed. Updating."); - server_has_changed_ip(); + ip_address_changed(0); } last_resolved_addr = *addr_out; if (hostname_out) diff --git a/src/or/connection.c b/src/or/connection.c index 8b6a209c0e..0b2f5c4b2a 100644 --- a/src/or/connection.c +++ b/src/or/connection.c 
@@ -2128,7 +2128,7 @@ client_check_address_changed(int sock) smartlist_clear(outgoing_addrs); smartlist_add(outgoing_addrs, ip); /* Okay, now change our keys. */ - init_keys(); /* XXXX NM return value-- safe to ignore? */ + ip_address_changed(1); } } diff --git a/src/or/dns.c b/src/or/dns.c index a85b5ee212..e7dbccb4b1 100644 --- a/src/or/dns.c +++ b/src/or/dns.c @@ -1399,6 +1399,11 @@ dns_seems_to_be_broken(void) { return 0; } + +void +dns_reset_correctness_checks(void) +{ +} #else /* !USE_EVENTDNS */ /** Eventdns helper: return true iff the eventdns result <b>err</b> is @@ -1514,6 +1519,8 @@ configure_nameservers(int force) } #endif + dns_servers_relaunch_checks(); + nameservers_configured = 1; return 0; } @@ -1855,6 +1862,28 @@ dns_seems_to_be_broken(void) return dns_is_completely_invalid; } +void +dns_reset_correctness_checks(void) +{ + if (dns_wildcard_response_count) { + strmap_free(dns_wildcard_response_count, _tor_free); + dns_wildcard_response_count = NULL; + } + n_wildcard_requests = 0; + + if (dns_wildcard_list) { + SMARTLIST_FOREACH(dns_wildcard_list, char *, cp, tor_free(cp)); + smartlist_clear(dns_wildcard_list); + } + if (dns_wildcarded_test_address_list) { + SMARTLIST_FOREACH(dns_wildcarded_test_address_list, char *, cp, + tor_free(cp)); + smartlist_clear(dns_wildcarded_test_address_list); + } + dns_wildcard_one_notice_given = dns_wildcard_notice_given = + dns_wildcarded_test_address_notice_given = dns_is_completely_invalid = 0; +} + /** Return true iff we have noticed that the dotted-quad <b>ip</b> has been * returned in response to requests for nonexistent hostnames. */ static int diff --git a/src/or/main.c b/src/or/main.c index e0be4281a6..2247210bf9 100644 --- a/src/or/main.c +++ b/src/or/main.c 
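Review bot: The removed line carried an open question, `/* XXXX NM return value-- safe to ignore? */`, and the replacement `ip_address_changed(1);` drops it without answering it: the new function in main.c returns void and still calls `init_keys();` with the result discarded. If rotation fails on this path, a client would presumably keep presenting its old keys from the new address with nothing in the log, which is the linkage the rotation exists to prevent. I would check the result inside ip_address_changed(), e.g. `if (init_keys() < 0) log_warn(LD_NET, "Unable to rotate keys after IP change!");`. The retained comment `/* Okay, now change our keys. */` also overstates the call now, since keys are rotated only when server_mode() is false. client_check_address_changed() begins outside this hunk.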
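Review bot: Clearing `dns_is_completely_invalid` in dns_reset_correctness_checks() makes dns_seems_to_be_broken() return 0 again until the relaunched tests report, so a server whose resolver had been judged hijacked is treated as healthy for that interval. If this fail-open window is intended it should be stated, and the function has no doc comment at all, unlike its neighbours. Something like `/** Forget everything we have learned about DNS wildcarding and hijacking, so the checks start from scratch. Until they complete, dns_seems_to_be_broken() reports 0. */` would cover it. It is also worth confirming that answers to test lookups launched before the reset cannot arrive afterwards and be counted against the new nameservers; the callbacks that fill these lists are outside this hunk.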
@@ -52,6 +52,8 @@ long stats_n_seconds_working = 0; static time_t time_to_fetch_directory = 0; /** When do we next download a running-routers summary? */ static time_t time_to_fetch_running_routers = 0; +/** When do we next launch DNS wildcarding checks? */ +static time_t time_to_check_for_correct_dns = 0; /** Array of all open connections. The first n_conns elements are valid. */ static connection_t *connection_array[MAXCONNECTIONS+1] = @@ -729,7 +731,6 @@ run_scheduled_events(time_t now) static time_t time_to_try_getting_descriptors = 0; static time_t time_to_reset_descriptor_failures = 0; static time_t time_to_add_entropy = 0; - static time_t time_to_check_for_correct_dns = 0; or_options_t *options = get_options(); int i; int have_dir_info; @@ -1057,6 +1058,44 @@ got_libevent_error(void) } #endif +#define UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST (6*60*60) + +/** Called when our IP address seems to have changed. <b>at_interface</b> + * should be true if we detected a change in our interface, and false if we + * detected a change in our published address. */ +void +ip_address_changed(int at_interface) +{ + int server = server_mode(get_options()); + + if (at_interface) { + if (! server) { + /* Okay, change our keys. */ + init_keys(); + } + } else { + if (server) { + if (stats_n_seconds_working > UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST) + reset_bandwidth_test(); + stats_n_seconds_working = 0; + router_reset_reachability(); + mark_my_descriptor_dirty(); + } + } + + dns_servers_relaunch_checks(); +} + +/* DOCDOC */ +void +dns_servers_relaunch_checks(void) +{ + if (server_mode(get_options())) { + dns_reset_correctness_checks(); + time_to_check_for_correct_dns = 0; + } +} + /** Called when we get a SIGHUP: reload configuration files and keys, * retry all connections, re-upload all descriptors, and so on. */ static int diff --git a/src/or/or.h b/src/or/or.h index f107ab173b..6f35207100 100644 --- a/src/or/or.h +++ b/src/or/or.h 
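Review bot: dns_servers_relaunch_checks() is added with a `/* DOCDOC */` placeholder, and router_reset_reachability() in the router.c hunk at -381 carries the same `/** DOCDOC */`; both are now declared in or.h and called across files, so they should be documented before this lands. For the first I would write `/** If we are a server, discard the results of earlier DNS hijacking tests and mark the tests as due to be run again. */`, and for the second `/** Forget that our ORPort and DirPort were found reachable. */`. The comment on ip_address_changed() could also spell out the mode gating that the body implements: an interface change rotates keys only on a client, a published-address change resets uptime and reachability only on a server, and the DNS relaunch itself is a no-op unless server_mode() is true.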
@@ -2323,6 +2323,7 @@ void dns_cancel_pending_resolve(const char *question); int dns_resolve(edge_connection_t *exitconn, or_circuit_t *circ); void dns_launch_correctness_checks(void); int dns_seems_to_be_broken(void); +void dns_reset_correctness_checks(void); /********************************* hibernate.c **********************/ @@ -2363,6 +2364,9 @@ void connection_start_writing(connection_t *conn); void directory_all_unreachable(time_t now); void directory_info_has_arrived(time_t now, int from_cache); +void ip_address_changed(int at_interface); +void dns_servers_relaunch_checks(void); + void control_signal_act(int the_signal); void handle_signals(int is_parent); void tor_cleanup(void); @@ -2632,7 +2636,6 @@ int check_whether_dirport_reachable(void); void consider_testing_reachability(int test_or, int test_dir); void router_orport_found_reachable(void); void router_dirport_found_reachable(void); -void server_has_changed_ip(void); void router_perform_bandwidth_test(int num_circs, time_t now); int authdir_mode(or_options_t *options); @@ -2664,6 +2667,7 @@ int is_legal_nickname_or_hexdigest(const char *s); int is_legal_hexdigest(const char *s); void router_get_verbose_nickname(char *buf, routerinfo_t *router); void router_reset_warnings(void); +void router_reset_reachability(void); void router_free_all(void); /********************************* routerlist.c ***************************/ diff --git a/src/or/router.c b/src/or/router.c index 48c70039a9..546e29d4b0 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -381,6 +381,13 @@ static int can_reach_or_port = 0; /** Whether we can reach our DirPort from the outside. */ static int can_reach_dir_port = 0; +/** DOCDOC */ +void +router_reset_reachability(void) +{ + can_reach_or_port = can_reach_dir_port = 0; +} + /** Return 1 if ORPort is known reachable; else return 0. */ int check_whether_orport_reachable(void) 
@@ -488,20 +495,6 @@ router_dirport_found_reachable(void) } } -#define UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST (6*60*60) - -/** Our router has just moved to a new IP. Reset stats. */ -void -server_has_changed_ip(void) -{ - if (stats_n_seconds_working > UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST) - reset_bandwidth_test(); - stats_n_seconds_working = 0; - can_reach_or_port = 0; - can_reach_dir_port = 0; - mark_my_descriptor_dirty(); -} - /** We have enough testing circuits open. Send a bunch of "drop" * cells down each of them, to exercise our bandwidth. */ void @@ -996,9 +989,7 @@ check_descriptor_ipaddress_changed(time_t now) if (prev != cur) { log_addr_has_changed(LOG_INFO, prev, cur); - mark_my_descriptor_dirty(); - /* the above call is probably redundant, since resolve_my_address() - * probably already noticed and marked it dirty. */ + ip_address_changed(0); } } @@ -1044,7 +1035,7 @@ router_new_address_suggestion(const char *suggestion) * resolve it. */ if (last_guessed_ip != addr) { log_addr_has_changed(LOG_NOTICE, last_guessed_ip, addr); - server_has_changed_ip(); + ip_address_changed(0); last_guessed_ip = addr; /* router_rebuild_descriptor() will fetch it */ } } |