diff options
| -rw-r--r-- | changes/bug10722 | 8 | ||||
| -rw-r--r-- | changes/bug10842 | 4 | ||||
| -rw-r--r-- | changes/bug10881 | 7 | ||||
| -rw-r--r-- | doc/tor.1.txt | 22 | ||||
| -rw-r--r-- | src/or/config.c | 40 | ||||
| -rw-r--r-- | src/or/directory.c | 50 | ||||
| -rw-r--r-- | src/or/directory.h | 2 | ||||
| -rw-r--r-- | src/or/or.h | 5 | ||||
| -rw-r--r-- | src/or/rendclient.c | 27 | ||||
| -rw-r--r-- | src/or/router.c | 3 |
10 files changed, 66 insertions, 102 deletions
diff --git a/changes/bug10722 b/changes/bug10722 new file mode 100644 index 0000000000..dd4711f110 --- /dev/null +++ b/changes/bug10722 @@ -0,0 +1,8 @@ + o Minor bugfixes: + - Consider non-excluded hidden service directory servers before + excluded ones. Do not consider excluded hidden service directory + servers at all if StrictNodes was set. (Previously, we would + sometimes decide to connect to those servers, and then realize + before we initiated a connection that we had excluded them.) + Fix for bug #10722. Bugfix on 0.2.0.10-alpha. Reported by + "mr-4". diff --git a/changes/bug10842 b/changes/bug10842 new file mode 100644 index 0000000000..0ead9e7db8 --- /dev/null +++ b/changes/bug10842 @@ -0,0 +1,4 @@ + o Minor bugfixes: + - Suppress a warning that votes and signatures cannot be uploaded to + other directory authorities if there's only one directory authority + in the network. Bugfix on 0.2.2.26-beta. Resolves ticket 10842. diff --git a/changes/bug10881 b/changes/bug10881 new file mode 100644 index 0000000000..3fcc90e140 --- /dev/null +++ b/changes/bug10881 @@ -0,0 +1,7 @@ + o Removed code: + + - Remove code for designating authorities as "Hidden service + authorities". There has been no use of hidden service authorities + since 0.2.2.1-alpha, when we stopped uploading or downloading v0 + hidden service descriptors. Fixes bug 10881; part of a fix for bug + 10841. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index ee1e0866e3..b571b26cbb 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -331,12 +331,10 @@ GENERAL OPTIONS and port, with the specified key fingerprint. This option can be repeated many times, for multiple authoritative directory servers. Flags are separated by spaces, and determine what kind of an authority this directory - is. By default, every authority is authoritative for current ("v2")-style - directories, unless the "no-v2" flag is given. If the "v1" flags is + is. By default, an authority is not authoritative any directory style + or version, unless an appropriate flag is given. If the "v1" flag is provided, Tor will use this server as an authority for old-style (v1) - directories as well. (Only directory mirrors care about this.) Tor will - use this server as an authority for hidden service information if the "hs" - flag is set, or if the "v1" flag is set and the "no-hs" flag is **not** set. + directories as well. (Only directory mirrors care about this.) Tor will use this authority as a bridge authoritative directory if the "bridge" flag is set. If a flag "orport=**port**" is given, Tor will use the given port when opening encrypted tunnels to the dirserver. If a flag @@ -365,17 +363,14 @@ GENERAL OPTIONS [[AlternateDirAuthority]] **AlternateDirAuthority** [__nickname__] [**flags**] __address__:__port__ __fingerprint__ + -[[AlternateHSAuthority]] **AlternateHSAuthority** [__nickname__] [**flags**] __address__:__port__ __fingerprint__ + - [[AlternateBridgeAuthority]] **AlternateBridgeAuthority** [__nickname__] [**flags**] __address__:__port__ __ fingerprint__:: These options behave as DirAuthority, but they replace fewer of the default directory authorities. Using AlternateDirAuthority replaces the default Tor directory authorities, but - leaves the default hidden service authorities and bridge authorities in - place. Similarly, AlternateHSAuthority replaces the default hidden - service authorities, but not the directory or bridge authorities; and + leaves the default bridge authorities in + place. Similarly, AlternateBridgeAuthority replaces the default bridge authority, - but leaves the directory and hidden service authorities alone. + but leaves the directory authorities alone. [[DisableAllSwap]] **DisableAllSwap** **0**|**1**:: If set to 1, Tor will attempt to lock all current and future memory pages, @@ -1794,11 +1789,6 @@ if DirPort is non-zero): accept or publish descriptors that contradict a registered binding. See **approved-routers** in the **FILES** section below. -[[HSAuthoritativeDir]] **HSAuthoritativeDir** **0**|**1**:: - When this option is set in addition to **AuthoritativeDirectory**, Tor also - accepts and serves v0 hidden service descriptors, - which are produced and used by Tor 0.2.1.x and older. (Default: 0) - [[HidServDirectoryV2]] **HidServDirectoryV2** **0**|**1**:: When this option is set, Tor accepts and serves v2 hidden service descriptors. Setting DirPort is not required for this, because clients diff --git a/src/or/config.c b/src/or/config.c index e7847d5830..d2981771c0 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -137,7 +137,7 @@ static config_var_t option_vars_[] = { V(AllowSingleHopExits, BOOL, "0"), V(AlternateBridgeAuthority, LINELIST, NULL), V(AlternateDirAuthority, LINELIST, NULL), - V(AlternateHSAuthority, LINELIST, NULL), + OBSOLETE("AlternateHSAuthority"), V(AssumeReachable, BOOL, "0"), V(AuthDirBadDir, LINELIST, NULL), V(AuthDirBadDirCCs, CSV, ""), @@ -276,7 +276,7 @@ static config_var_t option_vars_[] = { VAR("HiddenServiceVersion",LINELIST_S, RendConfigLines, NULL), VAR("HiddenServiceAuthorizeClient",LINELIST_S,RendConfigLines, NULL), V(HidServAuth, LINELIST, NULL), - V(HSAuthoritativeDir, BOOL, "0"), + OBSOLETE("HSAuthoritativeDir"), OBSOLETE("HSAuthorityRecordStats"), V(CloseHSClientCircuitsImmediatelyOnTimeout, BOOL, "0"), V(CloseHSServiceRendCircuitsImmediatelyOnTimeout, BOOL, "0"), @@ -904,8 +904,7 @@ validate_dir_servers(or_options_t *options, or_options_t *old_options) config_line_t *cl; if (options->DirAuthorities && - (options->AlternateDirAuthority || options->AlternateBridgeAuthority || - options->AlternateHSAuthority)) { + (options->AlternateDirAuthority || options->AlternateBridgeAuthority)) { log_warn(LD_CONFIG, "You cannot set both DirAuthority and Alternate*Authority."); return -1; @@ -941,9 +940,6 @@ validate_dir_servers(or_options_t *options, or_options_t *old_options) for (cl = options->AlternateDirAuthority; cl; cl = cl->next) if (parse_dir_authority_line(cl->value, NO_DIRINFO, 1)<0) return -1; - for (cl = options->AlternateHSAuthority; cl; cl = cl->next) - if (parse_dir_authority_line(cl->value, NO_DIRINFO, 1)<0) - return -1; for (cl = options->FallbackDir; cl; cl = cl->next) if (parse_dir_fallback_line(cl->value, 1)<0) return -1; @@ -966,9 +962,7 @@ consider_adding_dir_servers(const or_options_t *options, !config_lines_eq(options->AlternateBridgeAuthority, old_options->AlternateBridgeAuthority) || !config_lines_eq(options->AlternateDirAuthority, - old_options->AlternateDirAuthority) || - !config_lines_eq(options->AlternateHSAuthority, - old_options->AlternateHSAuthority); + old_options->AlternateDirAuthority); if (!need_to_update) return 0; /* all done */ @@ -984,8 +978,6 @@ consider_adding_dir_servers(const or_options_t *options, if (!options->AlternateDirAuthority) type |= V1_DIRINFO | V3_DIRINFO | EXTRAINFO_DIRINFO | MICRODESC_DIRINFO; - if (!options->AlternateHSAuthority) - type |= HIDSERV_DIRINFO; add_default_trusted_dir_authorities(type); } if (!options->FallbackDir) @@ -1000,9 +992,6 @@ consider_adding_dir_servers(const or_options_t *options, for (cl = options->AlternateDirAuthority; cl; cl = cl->next) if (parse_dir_authority_line(cl->value, NO_DIRINFO, 0)<0) return -1; - for (cl = options->AlternateHSAuthority; cl; cl = cl->next) - if (parse_dir_authority_line(cl->value, NO_DIRINFO, 0)<0) - return -1; for (cl = options->FallbackDir; cl; cl = cl->next) if (parse_dir_fallback_line(cl->value, 0)<0) return -1; @@ -2605,11 +2594,11 @@ options_validate(or_options_t *old_options, or_options_t *options, "extra-info documents. Setting DownloadExtraInfo."); options->DownloadExtraInfo = 1; } - if (!(options->BridgeAuthoritativeDir || options->HSAuthoritativeDir || + if (!(options->BridgeAuthoritativeDir || options->V1AuthoritativeDir || options->V3AuthoritativeDir)) REJECT("AuthoritativeDir is set, but none of " - "(Bridge/HS/V1/V3)AuthoritativeDir is set."); + "(Bridge/V1/V3)AuthoritativeDir is set."); /* If we have a v3bandwidthsfile and it's broken, complain on startup */ if (options->V3BandwidthsFile && !old_options) { dirserv_read_measured_bandwidths(options->V3BandwidthsFile, NULL); @@ -2629,10 +2618,6 @@ options_validate(or_options_t *old_options, or_options_t *options, REJECT("FetchDirInfoExtraEarly requires that you also set " "FetchDirInfoEarly"); - if (options->HSAuthoritativeDir && proxy_mode(options)) - REJECT("Running as authoritative v0 HS directory, but also configured " - "as a client."); - if (options->ConnLimit <= 0) { tor_asprintf(msg, "ConnLimit must be greater than 0, but was set to %d", @@ -5031,7 +5016,6 @@ parse_dir_authority_line(const char *line, dirinfo_type_t required_type, char digest[DIGEST_LEN]; char v3_digest[DIGEST_LEN]; dirinfo_type_t type = 0; - int is_not_hidserv_authority = 0; double weight = 1.0; items = smartlist_new(); @@ -5052,11 +5036,11 @@ parse_dir_authority_line(const char *line, dirinfo_type_t required_type, if (TOR_ISDIGIT(flag[0])) break; if (!strcasecmp(flag, "v1")) { - type |= (V1_DIRINFO | HIDSERV_DIRINFO); - } else if (!strcasecmp(flag, "hs")) { - type |= HIDSERV_DIRINFO; - } else if (!strcasecmp(flag, "no-hs")) { - is_not_hidserv_authority = 1; + type |= V1_DIRINFO; + } else if (!strcasecmp(flag, "hs") || + !strcasecmp(flag, "no-hs")) { + log_warn(LD_CONFIG, "The DirAuthority options 'hs' and 'no-hs' are " + "obsolete; you don't need them any more."); } else if (!strcasecmp(flag, "bridge")) { type |= BRIDGE_DIRINFO; } else if (!strcasecmp(flag, "no-v2")) { @@ -5093,8 +5077,6 @@ parse_dir_authority_line(const char *line, dirinfo_type_t required_type, tor_free(flag); smartlist_del_keeporder(items, 0); } - if (is_not_hidserv_authority) - type &= ~HIDSERV_DIRINFO; if (smartlist_len(items) < 2) { log_warn(LD_CONFIG, "Too few arguments to DirAuthority line."); diff --git a/src/or/directory.c b/src/or/directory.c index ec1e776f03..c102512c26 100644 --- a/src/or/directory.c +++ b/src/or/directory.c @@ -155,8 +155,6 @@ authdir_type_to_string(dirinfo_type_t auth) smartlist_add(lst, (void*)"V3"); if (auth & BRIDGE_DIRINFO) smartlist_add(lst, (void*)"Bridge"); - if (auth & HIDSERV_DIRINFO) - smartlist_add(lst, (void*)"Hidden service"); if (smartlist_len(lst)) { result = smartlist_join_strings(lst, ", ", 0, NULL); } else { @@ -287,8 +285,12 @@ directory_post_to_dirservers(uint8_t dir_purpose, uint8_t router_purpose, if ((type & ds->type) == 0) continue; - if (exclude_self && router_digest_is_me(ds->digest)) + if (exclude_self && router_digest_is_me(ds->digest)) { + /* we don't upload to ourselves, but at least there's now at least + * one authority of this type that has what we wanted to upload. */ + found = 1; continue; + } if (options->StrictNodes && routerset_contains_routerstatus(options->ExcludeNodes, rs, -1)) { @@ -3172,32 +3174,6 @@ directory_handle_command_get(dir_connection_t *conn, const char *headers, goto done; } - if (options->HSAuthoritativeDir && !strcmpstart(url,"/tor/rendezvous/")) { - /* rendezvous descriptor fetch */ - const char *descp; - size_t desc_len; - const char *query = url+strlen("/tor/rendezvous/"); - - log_info(LD_REND, "Handling rendezvous descriptor get"); - switch (rend_cache_lookup_desc(query, 0, &descp, &desc_len)) { - case 1: /* valid */ - write_http_response_header_impl(conn, desc_len, - "application/octet-stream", - NULL, NULL, 0); - note_request("/tor/rendezvous?/", desc_len); - /* need to send descp separately, because it may include NULs */ - connection_write_to_buf(descp, desc_len, TO_CONN(conn)); - break; - case 0: /* well-formed but not present */ - write_http_status_line(conn, 404, "Not found"); - break; - case -1: /* not well-formed */ - write_http_status_line(conn, 400, "Bad request"); - break; - } - goto done; - } - if (options->BridgeAuthoritativeDir && options->BridgePassword_AuthDigest_ && connection_dir_is_encrypted(conn) && @@ -3397,22 +3373,6 @@ directory_handle_command_post(dir_connection_t *conn, const char *headers, goto done; } - if (options->HSAuthoritativeDir && - !strcmpstart(url,"/tor/rendezvous/publish")) { - /* rendezvous descriptor post */ - log_info(LD_REND, "Handling rendezvous descriptor post."); - if (rend_cache_store(body, body_len, 1, NULL) < 0) { - log_fn(LOG_PROTOCOL_WARN, LD_DIRSERV, - "Rejected rend descriptor (length %d) from %s.", - (int)body_len, conn->base_.address); - write_http_status_line(conn, 400, - "Invalid v0 service descriptor rejected"); - } else { - write_http_status_line(conn, 200, "Service descriptor (v0) stored"); - } - goto done; - } - if (authdir_mode_v3(options) && !strcmp(url,"/tor/post/vote")) { /* v3 networkstatus vote */ const char *msg = "OK"; diff --git a/src/or/directory.h b/src/or/directory.h index 0453160f7a..3de69329a4 100644 --- a/src/or/directory.h +++ b/src/or/directory.h @@ -30,7 +30,7 @@ typedef enum { DIRIND_ONEHOP=0, /** Connect over a multi-hop anonymizing Tor circuit */ DIRIND_ANONYMOUS=1, - /** Conncet to the DirPort directly */ + /** Connect to the DirPort directly */ DIRIND_DIRECT_CONN, /** Connect over a multi-hop anonymizing Tor circuit to our dirport */ DIRIND_ANON_DIRPORT, diff --git a/src/or/or.h b/src/or/or.h index 15cda284ca..cc4e5ed9d8 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3506,8 +3506,6 @@ typedef struct { * for version 1 directories? */ int V3AuthoritativeDir; /**< Boolean: is this an authoritative directory * for version 3 directories? */ - int HSAuthoritativeDir; /**< Boolean: does this an authoritative directory - * handle hidden service requests? */ int NamingAuthoritativeDir; /**< Boolean: is this an authoritative directory * that's willing to bind names? */ int VersioningAuthoritativeDir; /**< Boolean: is this an authoritative @@ -3711,9 +3709,6 @@ typedef struct { /** If set, use these bridge authorities and not the default one. */ config_line_t *AlternateBridgeAuthority; - /** If set, use these HS authorities and not the default ones. */ - config_line_t *AlternateHSAuthority; - char *MyFamily; /**< Declared family for this OR. */ config_line_t *NodeFamilies; /**< List of config lines for * node families */ diff --git a/src/or/rendclient.c b/src/or/rendclient.c index 4de010182c..2327a547c3 100644 --- a/src/or/rendclient.c +++ b/src/or/rendclient.c @@ -619,11 +619,14 @@ static int directory_get_from_hs_dir(const char *desc_id, const rend_data_t *rend_query) { smartlist_t *responsible_dirs = smartlist_new(); + smartlist_t *usable_responsible_dirs = smartlist_new(); + const or_options_t *options = get_options(); routerstatus_t *hs_dir; char desc_id_base32[REND_DESC_ID_V2_LEN_BASE32 + 1]; time_t now = time(NULL); char descriptor_cookie_base64[3*REND_DESC_COOKIE_LEN_BASE64]; - int tor2web_mode = get_options()->Tor2webMode; + const int tor2web_mode = options->Tor2webMode; + int excluded_some; tor_assert(desc_id); tor_assert(rend_query); /* Determine responsible dirs. Even if we can't get all we want, @@ -644,16 +647,32 @@ directory_get_from_hs_dir(const char *desc_id, const rend_data_t *rend_query) dir, desc_id_base32, rend_query, 0, 0); const node_t *node = node_get_by_id(dir->identity_digest); if (last + REND_HID_SERV_DIR_REQUERY_PERIOD >= now || - !node || !node_has_descriptor(node)) - SMARTLIST_DEL_CURRENT(responsible_dirs, dir); + !node || !node_has_descriptor(node)) { + SMARTLIST_DEL_CURRENT(responsible_dirs, dir); + continue; + } + if (! routerset_contains_node(options->ExcludeNodes, node)) { + smartlist_add(usable_responsible_dirs, dir); + } }); - hs_dir = smartlist_choose(responsible_dirs); + excluded_some = + smartlist_len(usable_responsible_dirs) < smartlist_len(responsible_dirs); + + hs_dir = smartlist_choose(usable_responsible_dirs); + if (! hs_dir && ! options->StrictNodes) + hs_dir = smartlist_choose(responsible_dirs); + smartlist_free(responsible_dirs); + smartlist_free(usable_responsible_dirs); if (!hs_dir) { log_info(LD_REND, "Could not pick one of the responsible hidden " "service directories, because we requested them all " "recently without success."); + if (options->StrictNodes && excluded_some) { + log_info(LD_REND, "There are others that we could have tried, but " + "they are all excluded, and StrictNodes is set."); + } return 0; } diff --git a/src/or/router.c b/src/or/router.c index fd0df52dce..b96428362b 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -935,8 +935,7 @@ init_keys(void) type = ((options->V1AuthoritativeDir ? V1_DIRINFO : NO_DIRINFO) | (options->V3AuthoritativeDir ? (V3_DIRINFO|MICRODESC_DIRINFO|EXTRAINFO_DIRINFO) : NO_DIRINFO) | - (options->BridgeAuthoritativeDir ? BRIDGE_DIRINFO : NO_DIRINFO) | - (options->HSAuthoritativeDir ? HIDSERV_DIRINFO : NO_DIRINFO)); + (options->BridgeAuthoritativeDir ? BRIDGE_DIRINFO : NO_DIRINFO)); ds = router_get_trusteddirserver_by_digest(digest); if (!ds) { |