-rw-r--r-- | src/common/tortls.c | 12 | ||||
-rw-r--r-- | src/common/tortls.h | 2 | ||||
-rw-r--r-- | src/or/command.c | 15 | ||||
-rw-r--r-- | src/or/config.c | 1 | ||||
-rw-r--r-- | src/or/connection_or.c | 2 | ||||
-rw-r--r-- | src/or/main.c | 8 | ||||
-rw-r--r-- | src/or/or.h | 3 | ||||
-rw-r--r-- | src/or/relay.c | 4 |
8 files changed, 30 insertions, 17 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c
index f647053eec..522deb09e0 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -724,10 +724,10 @@ log_cert_lifetime(X509 *cert, const char *problem)
 /** If the provided tls connection is authenticated and has a
 * certificate that is currently valid and signed, then set
 * *<b>identity_key</b> to the identity certificate's key and return
- * 0. Else, return -1.
+ * 0. Else, return -1 and log complaints with log-level <b>severity</b>.
 */
 int
-tor_tls_verify(tor_tls_t *tls, crypto_pk_env_t **identity_key)
+tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity_key)
 {
 X509 *cert = NULL, *id_cert = NULL;
 STACK_OF(X509) *chain = NULL;
@@ -748,7 +748,7 @@ tor_tls_verify(tor_tls_t *tls, crypto_pk_env_t **identity_key)
 * cert and the id_cert. */
 if (num_in_chain < 1) {
- log_fn(LOG_WARN,"Unexpected number of certificates in chain (%d)",
+ log_fn(severity,"Unexpected number of certificates in chain (%d)",
 num_in_chain);
 goto done;
 }
@@ -758,14 +758,14 @@ tor_tls_verify(tor_tls_t *tls, crypto_pk_env_t **identity_key)
 break;
 }
 if (!id_cert) {
- log_fn(LOG_WARN,"No distinct identity certificate found");
+ log_fn(severity,"No distinct identity certificate found");
 goto done;
 }
 if (!(id_pkey = X509_get_pubkey(id_cert)) ||
 X509_verify(cert, id_pkey) <= 0) {
- log_fn(LOG_WARN,"X509_verify on cert and pkey returned <= 0");
- tls_log_errors(LOG_WARN,"verifying certificate");
+ log_fn(severity,"X509_verify on cert and pkey returned <= 0");
+ tls_log_errors(severity,"verifying certificate");
 goto done;
 }
diff --git a/src/common/tortls.h b/src/common/tortls.h
index d5cf493872..8166a8dbb7 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
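Review bot: The new `severity` parameter of tor_tls_verify is documented only as "log complaints with log-level severity"; the comment should also say it is a LOG_* level that affects the diagnostics alone, since in every visible path `severity` is passed only to log_fn and tls_log_errors and the -1 result is unchanged. Suggested wording for the changed line: ` * 0. Else, return -1 and log complaints with log-level <b>severity</b> (a LOG_* value; the return value does not depend on it).` The function body continues past the hunk, so paths outside it are not checked here.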
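Review bot: The branch `if (!(id_pkey = X509_get_pubkey(id_cert)) || X509_verify(cert, id_pkey) <= 0)` logs `X509_verify on cert and pkey returned <= 0` even when X509_get_pubkey failed and X509_verify never ran; the commit re-targets these two lines to `severity` but keeps the text, so the demoted diagnostic is also inaccurate. Either split the condition into two checks with their own messages, or reword it `"Could not get id cert's public key, or X509_verify on cert and pkey returned <= 0"`, so the line is useful when an operator raises the level. tls_log_errors dumps the OpenSSL error queue at the same `severity`, so at info level the underlying OpenSSL reason disappears together with the summary; if that is intended, a short comment saying so would help. The rest of tor_tls_verify is outside the hunk.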
@@ -33,7 +33,7 @@ int tor_tls_is_server(tor_tls_t *tls);
 void tor_tls_free(tor_tls_t *tls);
 int tor_tls_peer_has_cert(tor_tls_t *tls);
 int tor_tls_get_peer_cert_nickname(tor_tls_t *tls, char *buf, size_t buflen);
-int tor_tls_verify(tor_tls_t *tls, crypto_pk_env_t **identity);
+int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity);
 int tor_tls_check_lifetime(tor_tls_t *tls, int tolerance);
 int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
 int tor_tls_write(tor_tls_t *tls, char *cp, size_t n);
diff --git a/src/or/command.c b/src/or/command.c
index 7e5072712a..8e4521469b 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -144,7 +144,8 @@ command_process_cell(cell_t *cell, connection_t *conn)
 #endif
 break;
 default:
- log_fn(LOG_WARN,"Cell of unknown type (%d) received. Dropping.", cell->command);
+ log_fn(LOG_PROTOCOL_WARN,
+ "Cell of unknown type (%d) received. Dropping.", cell->command);
 break;
 }
 }
@@ -184,7 +185,9 @@ command_process_create_cell(cell_t *cell, connection_t *conn)
 circ = circuit_get_by_circid_orconn(cell->circ_id, conn);
 if (circ) {
- log_fn(LOG_WARN,"received CREATE cell (circID %d) for known circ. Dropping.", cell->circ_id);
+ log_fn(LOG_PROTOCOL_WARN,
+ "received CREATE cell (circID %d) for known circ. Dropping.",
+ cell->circ_id);
 return;
 }
@@ -238,7 +241,7 @@ command_process_created_cell(cell_t *cell, connection_t *conn)
 }
 if (circ->n_circ_id != cell->circ_id) {
- log_fn(LOG_WARN,"got created cell from OPward? Closing.");
+ log_fn(LOG_PROTOCOL_WARN,"got created cell from OPward? Closing.");
 circuit_mark_for_close(circ);
 return;
 }
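Review bot: The default branch of command_process_cell drops a cell of unknown command without saying which peer sent it, so once the message sits at LOG_PROTOCOL_WARN's default info level an operator cannot distinguish one buggy peer from many. The cell arrives on `conn`, and this commit already formats `safe_str(conn->address)` and `conn->port` in main.c and connection_or.c, so the line can be `log_fn(LOG_PROTOCOL_WARN, "Cell of unknown type (%d) received from %s:%d. Dropping.", cell->command, safe_str(conn->address), conn->port);`. The CREATE-for-known-circ message in the next hunk has the same gap: a circID alone does not identify the peer.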
@@ -281,20 +284,20 @@ command_process_relay_cell(cell_t *cell, connection_t *conn)
 }
 if (circ->state == CIRCUIT_STATE_ONIONSKIN_PENDING) {
- log_fn(LOG_WARN,"circuit in create_wait. Closing.");
+ log_fn(LOG_PROTOCOL_WARN,"circuit in create_wait. Closing.");
 circuit_mark_for_close(circ);
 return;
 }
 if (cell->circ_id == circ->p_circ_id) { /* it's an outgoing cell */
 if (circuit_receive_relay_cell(cell, circ, CELL_DIRECTION_OUT) < 0) {
- log_fn(LOG_WARN,"circuit_receive_relay_cell (forward) failed. Closing.");
+ log_fn(LOG_PROTOCOL_WARN,"circuit_receive_relay_cell (forward) failed. Closing.");
 circuit_mark_for_close(circ);
 return;
 }
 } else { /* it's an ingoing cell */
 if (circuit_receive_relay_cell(cell, circ, CELL_DIRECTION_IN) < 0) {
- log_fn(LOG_WARN,"circuit_receive_relay_cell (backward) failed. Closing.");
+ log_fn(LOG_PROTOCOL_WARN,"circuit_receive_relay_cell (backward) failed. Closing.");
 circuit_mark_for_close(circ);
 return;
 }
diff --git a/src/or/config.c b/src/or/config.c
index 74ae93ce9f..c33bebce0f 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -163,6 +163,7 @@ static config_var_t _option_vars[] = {
 VAR("OutboundBindAddress", STRING, OutboundBindAddress, NULL),
 VAR("PathlenCoinWeight", DOUBLE, PathlenCoinWeight, "0.3"),
 VAR("PidFile", STRING, PidFile, NULL),
+ VAR("ProtocolWarnings", BOOL, ProtocolWarnings, "0"),
 VAR("ReachableAddresses", LINELIST, ReachableAddresses, NULL),
 VAR("RecommendedVersions", LINELIST, RecommendedVersions, NULL),
 VAR("RecommendedClientVersions", LINELIST, RecommendedClientVersions, NULL),
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 466d97d680..bf27ff71a1 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
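Review bot: The two lines `log_fn(LOG_PROTOCOL_WARN,"circuit_receive_relay_cell (forward) failed. Closing.");` and its `(backward)` twin in command_process_relay_cell now run past 80 columns, while the earlier hunks of this file (command_process_cell, command_process_create_cell) were rewrapped when the same macro was substituted. Wrap these the same way, with `log_fn(LOG_PROTOCOL_WARN,` on its own line and the string on the next. Style only; the enclosing function starts before the hunk.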
@@ -481,7 +481,7 @@ connection_or_check_valid_handshake(connection_t *conn, char *digest_rcvd)
 log_fn(LOG_DEBUG, "Other side (%s:%d) claims to be router '%s'",
 conn->address, conn->port, nickname);
- if (tor_tls_verify(conn->tls, &identity_rcvd) < 0) {
+ if (tor_tls_verify(severity, conn->tls, &identity_rcvd) < 0) {
 log_fn(LOG_WARN,"Other side, which claims to be router '%s' (%s:%d), has a cert but it's invalid. Closing.",
 nickname, conn->address, conn->port);
 return -1;
diff --git a/src/or/main.c b/src/or/main.c
index b61b23478f..d1105a0407 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -463,7 +463,13 @@ conn_close_if_marked(int i)
 return 0;
 }
 if (connection_wants_to_flush(conn)) {
- log_fn(LOG_NOTICE,"Something wrong with your network connection? Conn (addr %s, fd %d, type %s, state %d) tried to write %d bytes but timed out. (Marked at %s:%d)",
+ int severity;
+ if (conn->type == CONN_TYPE_EXIT ||
+ (conn->type == CONN_TYPE_DIR && conn->purpose == DIR_PURPOSE_SERVER))
+ severity = LOG_INFO;
+ else
+ severity = LOG_NOTICE;
+ log_fn(severity, "Something wrong with your network connection? Conn (addr %s, fd %d, type %s, state %d) tried to write %d bytes but timed out. (Marked at %s:%d)",
 safe_str(conn->address), conn->s, conn_type_to_string(conn->type),
 conn->state, (int)buf_datalen(conn->outbuf), conn->marked_for_close_file,
diff --git a/src/or/or.h b/src/or/or.h
index 77951bbddf..2c30f6c55c 100644
--- a/src/or/or.h
+++ b/src/or/or.h
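Review bot: In connection_or_check_valid_handshake the reason a peer certificate was rejected is now logged at `severity` inside tor_tls_verify, but the summary on the very next line, `log_fn(LOG_WARN,"Other side, which claims to be router '%s' (%s:%d), has a cert but it's invalid. Closing.", …)`, stays at LOG_WARN. Whenever `severity` is below LOG_WARN an operator sees a warning that the cert is invalid with no way to learn why short of raising the global log level; either pass `severity` to this log_fn as well or keep both at LOG_WARN. `severity` is declared before the hunk, so where its value comes from cannot be checked here.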
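Review bot: The new `if`/`else` choosing `severity` in conn_close_if_marked has unbraced bodies and no comment on why exit and dirserver connections are demoted to LOG_INFO. A single initialised declaration is clearer: `int severity = (conn->type == CONN_TYPE_EXIT || (conn->type == CONN_TYPE_DIR && conn->purpose == DIR_PURPOSE_SERVER)) ? LOG_INFO : LOG_NOTICE;`. If the intent is that write timeouts on those connections reflect the remote side rather than the operator's own link, a comment such as `/* Timeouts on exit and dirserver conns are driven by the remote peer, not our link. */` would record it; the message text still asks about "your network connection", which then reads oddly for those cases. The function body continues outside the hunk.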
@@ -1290,6 +1290,9 @@ typedef struct {
 * long do we wait before exiting? */
 int SafeLogging; /**< Boolean: are we allowed to log sensitive strings
 * such as addresses (0), or do we scrub them first (1)? */
+#define LOG_PROTOCOL_WARN (get_options()->ProtocolWarnings ? LOG_WARN : LOG_INFO)
+ int ProtocolWarnings; /**< Boolean: when other parties screw up the Tor
+ * protocol, is it a warn or an info in our logs? */
 int HardwareAccel; /**< Boolean: Should we enable OpenSSL hardware
 * acceleration where available? */
 int UseHelperNodes; /**< Boolean: Do we try to enter from a smallish number
diff --git a/src/or/relay.c b/src/or/relay.c
index bad68e4846..f78eb1be08 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -193,7 +193,7 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ, int cell_direction)
 }
 return 0;
 }
- log_fn(LOG_WARN,"Didn't recognize cell, but circ stops here! Closing circ.");
+ log_fn(LOG_PROTOCOL_WARN,"Didn't recognize cell, but circ stops here! Closing circ.");
 return -1;
 }
@@ -429,7 +429,7 @@ connection_edge_send_command(connection_t *fromconn, circuit_t *circ,
 }
 if (!circ) {
- log_fn(LOG_WARN,"no circ. Closing conn.");
+ log_fn(LOG_INFO,"no circ. Closing conn.");
 tor_assert(fromconn);
 if (fromconn->type == CONN_TYPE_AP) {
 connection_mark_unattached_ap(fromconn, END_STREAM_REASON_INTERNAL); |
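Review bot: `#define LOG_PROTOCOL_WARN (get_options()->ProtocolWarnings ? LOG_WARN : LOG_INFO)` sits between two fields of the options struct and expands to a `get_options()` call at every `log_fn(LOG_PROTOCOL_WARN, …)` site, and the new doc comment mentions neither. Move the define next to the other LOG_* severity definitions or the `get_options()` prototype and document it, e.g. `/** Severity for messages about peers violating the Tor protocol: LOG_WARN when ProtocolWarnings is set, LOG_INFO otherwise. Expands to a get_options() call, so only usable once options are loaded (confirm). */`. The `ProtocolWarnings` field comment should also state the default is 0 (config.c registers it with `"0"`), i.e. peer protocol violations are info-level unless the operator opts in, which operators who watch WARN logs for misbehaving peers need to know.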
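Review bot: `log_fn(LOG_INFO,"no circ. Closing conn.");` in connection_edge_send_command hard-codes LOG_INFO, whereas every other demotion in this commit goes through LOG_PROTOCOL_WARN so operators can turn it back into a warning. If this is a local bookkeeping condition rather than a peer violation — the hunk's `tor_assert(fromconn)` and AP-connection handling suggest so, but the enclosing function starts before the hunk — a comment like `/* Local state problem, not peer misbehaviour: deliberately not under ProtocolWarnings. */` would keep a later reader from "fixing" it; otherwise use LOG_PROTOCOL_WARN here too.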