| blob | b870161d325903996dc0536bf199accb3a18314c |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2016, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
7 #define ROUTER_PRIVATE
38 /**
39 * \file router.c
40 * \brief Miscellaneous relay functionality, including RSA key maintenance,
41 * generating and uploading server descriptors, picking an address to
42 * advertise, and so on.
43 *
44 * This module handles the job of deciding whether we are a Tor relay, and if
45 * so what kind. (Mostly through functions like server_mode() that inspect an
46 * or_options_t, but in some cases based on our own capabilities, such as when
47 * we are deciding whether to be a directory cache in
48 * router_has_bandwidth_to_be_dirserver().)
49 *
50 * Also in this module are the functions to generate our own routerinfo_t and
51 * extrainfo_t, and to encode those to signed strings for upload to the
52 * directory authorities.
53 *
54 * This module also handles key maintenance for RSA and Curve25519-ntor keys,
55 * and for our TLS context. (These functions should eventually move to
56 * routerkeys.c along with the code that handles Ed25519 keys now.)
57 **/
59 /************************************************************/
61 /*****
62 * Key management: ORs only.
63 *****/
65 /** Private keys for this OR. There is also an SSL key managed by tortls.c.
66 */
69 /** Current private onionskin decryption key: used to decode CREATE cells. */
71 /** Previous private onionskin decryption key: used to decode CREATE cells
72 * generated by clients that have an older version of our descriptor. */
74 /** Current private ntor secret key: used to perform the ntor handshake. */
76 /** Previous private ntor secret key: used to perform the ntor handshake
77 * with clients that have an older version of our descriptor. */
79 /** Private server "identity key": used to sign directory info and TLS
80 * certificates. Never changes. */
82 /** Digest of server_identitykey. */
84 /** Private client "identity key": used to sign bridges' and clients'
85 * outbound TLS certificates. Regenerated on startup and on IP address
86 * change. */
88 /** Signing key used for v3 directory material; only set for authorities. */
90 /** Key certificate to authenticate v3 directory material; only set for
91 * authorities. */
94 /** For emergency V3 authority key migration: An extra signing key that we use
95 * with our old (obsolete) identity key for a while. */
97 /** For emergency V3 authority key migration: An extra certificate to
98 * authenticate legacy_signing_key with our obsolete identity key.*/
101 /* (Note that v3 authorities also have a separate "authority identity key",
102 * but this key is never actually loaded by the Tor process. Instead, it's
103 * used by tor-gencert to sign new signing keys and make new key
104 * certificates. */
106 /** Replace the current onion key with <b>k</b>. Does not affect
107 * lastonionkey; to update lastonionkey correctly, call rotate_onion_key().
108 */
109 static void
111 {
113 /* k is already our onion key; free it and return */
116 }
122 }
124 /** Return the current onion key. Requires that the onion key has been
125 * loaded or generated. */
126 crypto_pk_t *
128 {
131 }
133 /** Store a full copy of the current onion key into *<b>key</b>, and a full
134 * copy of the most recent onion key into *<b>last</b>.
135 */
136 void
138 {
146 else
149 }
151 /** Return the current secret onion key for the ntor handshake. Must only
152 * be called from the main thread. */
155 {
157 }
158 /** Return a map from KEYID (the key itself) to keypairs for use in the ntor
159 * handshake. Must only be called from the main thread. */
160 di_digest256_map_t *
162 {
171 CURVE25519_PUBKEY_LEN)) {
176 }
179 }
180 /** Helper used to deallocate a di_digest256_map_t returned by
181 * construct_ntor_key_map. */
182 static void
184 {
188 }
189 /** Release all storage from a keymap returned by construct_ntor_key_map. */
190 void
192 {
196 }
198 /** Return the time when the onion key was last set. This is either the time
199 * when the process launched, or the time of the most recent key rotation since
200 * the process launched.
201 */
202 time_t
204 {
206 }
208 /** Set the current server identity key to <b>k</b>.
209 */
210 void
212 {
216 }
218 /** Make sure that we have set up our identity keys to match or not match as
219 * appropriate, and die with an assertion if we have not. */
220 static void
222 {
227 /* assert that we have set the client and server keys to be equal */
231 /* assert that we have set the client and server keys to be unequal */
234 }
235 }
237 /** Returns the current server identity key; requires that the key has
238 * been set, and that we are running as a Tor server.
239 */
240 crypto_pk_t *
242 {
247 }
249 /** Return true iff we are a server and the server identity key
250 * has been set. */
251 int
253 {
255 }
257 /** Set the current client identity key to <b>k</b>.
258 */
259 void
261 {
264 }
266 /** Returns the current client identity key for use on outgoing TLS
267 * connections; requires that the key has been set.
268 */
269 crypto_pk_t *
271 {
275 }
277 /** Return true iff the client identity key has been set. */
278 int
280 {
282 }
284 /** Return the key certificate for this v3 (voting) authority, or NULL
285 * if we have no such certificate. */
288 {
290 }
292 /** Return the v3 signing key for this v3 (voting) authority, or NULL
293 * if we have no such key. */
294 crypto_pk_t *
296 {
298 }
300 /** If we're an authority, and we're using a legacy authority identity key for
301 * emergency migration purposes, return the certificate associated with that
302 * key. */
303 authority_cert_t *
305 {
307 }
309 /** If we're an authority, and we're using a legacy authority identity key for
310 * emergency migration purposes, return that key. */
311 crypto_pk_t *
313 {
315 }
317 /** Replace the previous onion key with the current onion key, and generate
318 * a new previous onion key. Immediately after calling this function,
319 * the OR should:
320 * - schedule all previous cpuworkers to shut down _after_ processing
321 * pending work. (This will cause fresh cpuworkers to be generated.)
322 * - generate and upload a fresh routerinfo.
323 */
324 void
326 {
330 curve25519_keypair_t new_curve25519_keypair;
334 /* There isn't much point replacing an old key with an empty file */
338 }
342 }
346 }
350 }
357 /* There isn't much point replacing an old key with an empty file */
361 }
366 }
382 error:
386 done:
390 }
392 /** Log greeting message that points to new relay lifecycle document the
393 * first time this function has been called.
394 */
395 static void
397 {
404 "Thanks for helping the Tor network! If you wish to know "
405 "what will happen in the upcoming weeks regarding its usage, "
406 "have a look at https://blog.torproject.org/blog/lifecycle-of"
410 }
412 /** Try to read an RSA key from <b>fname</b>. If <b>fname</b> doesn't exist
413 * and <b>generate</b> is true, create a new RSA key and save it in
414 * <b>fname</b>. Return the read/created key, or NULL on error. Log all
415 * errors at level <b>severity</b>. If <b>log_greeting</b> is non-zero and a
416 * new key was created, log_new_relay_greeting() is called.
417 */
418 crypto_pk_t *
421 {
427 }
434 /* treat empty key files as if the file doesn't exist, and,
435 * if generate is set, replace the empty file in
436 * crypto_pk_write_private_key_to_filename() */
442 /* Make sure that --list-fingerprint only creates new keys
443 * if there is no possibility for a deadlock. */
446 /*XXXX The 'other process' might make a key in a second or two;
447 * maybe we should wait for it. */
449 }
450 }
452 fname);
456 }
460 }
464 }
469 }
473 }
479 }
483 }
485 error:
489 }
491 /** Load a curve25519 keypair from the file <b>fname</b>, writing it into
492 * <b>keys_out</b>. If the file isn't found, or is empty, and <b>generate</b>
493 * is true, create a new keypair and write it into the file. If there are
494 * errors, log them at level <b>severity</b>. Generate files using <b>tag</b>
495 * in their ASCII wrapper. */
496 static int
502 {
508 /* treat empty key files as if the file doesn't exist, and, if generate
509 * is set, replace the empty file in curve25519_keypair_write_to_file() */
515 /* Make sure that --list-fingerprint only creates new keys
516 * if there is no possibility for a deadlock. */
519 /*XXXX The 'other process' might make a key in a second or two;
520 * maybe we should wait for it. */
522 }
523 }
525 fname);
533 }
536 }
539 {
545 }
551 }
554 }
557 }
559 error:
561 }
563 /** Try to load the vote-signing private key and certificate for being a v3
564 * directory authority, and make sure they match. If <b>legacy</b>, load a
565 * legacy key/cert set for emergency key migration; otherwise load the regular
566 * key/cert set. On success, store them into *<b>key_out</b> and
567 * *<b>cert_out</b> respectively, and return 0. On failure, return -1. */
568 static int
571 {
584 }
591 fname);
593 }
598 }
603 }
614 done:
620 }
622 /** Load the v3 (voting) authority signing key and certificate, if they are
623 * present. Return -1 if anything is missing, mismatched, or unloadable;
624 * return 0 on success. */
625 static int
627 {
638 }
640 /** If we're a v3 authority, check whether we have a certificate that's
641 * likely to expire soon. Warn if we do, but not too often. */
642 void
644 {
668 }
682 }
684 }
686 /** Set up Tor's TLS contexts, based on our configuration and keys. Return 0
687 * on success, and -1 on failure. */
688 int
690 {
701 }
704 /* choose between 5 and 365 days, and round to the day */
711 /* Half the time we expire at midnight, and half the time we expire
712 * one second before midnight. (Some CAs wobble their expiry times a
713 * bit in practice, perhaps to reduce collision attacks; see ticket
714 * 8443 for details about observed certs in the wild.) */
715 lifetime--;
716 }
717 }
719 /* It's ok to pass lifetime in as an unsigned int, since
720 * config_parse_interval() checked it. */
726 }
728 /** Compute fingerprint (or hashed fingerprint if hashed is 1) and write
729 * it to 'fingerprint' (or 'hashed-fingerprint'). Return 0 on success, or
730 * -1 if Tor should die,
731 */
732 STATIC int
734 {
751 }
757 }
758 }
762 /* Check whether we need to write the (hashed-)fingerprint file. */
770 }
771 }
775 fingerprint);
778 done:
783 }
785 static int
787 {
791 /* There are a couple of paths that put us here before we've asked
792 * openssl to initialize itself. */
798 }
801 }
803 int
805 {
815 }
817 /* Create a TLS context. */
821 }
823 }
825 /** Initialize all OR private keys, and the TLS context, as necessary.
826 * On OPs, this only initializes the tls context. Return 0 on success,
827 * or -1 if Tor should die.
828 */
829 int
831 {
838 dirinfo_type_t type;
844 /* OP's don't need persistent keys; just make up an identity and
845 * initialize the TLS context. */
848 }
851 /* Make sure DataDirectory exists, and is private. */
859 }
860 /* Check the key directory. */
865 }
868 /* 1a. Read v3 directory authority key/cert information. */
873 "were unable to load our v3 authority keys and certificate! "
876 }
880 v3_digest);
882 }
883 }
885 /* 1b. Read identity key. Make it if none is found. */
893 /* 1c. If we are configured as a bridge, generate a client key;
894 * otherwise, set the server identity key as our client identity
895 * key. */
904 }
906 }
908 /* 1d. Load all ed25519 keys */
913 /* 2. Read onion key. Make it if none is found. */
921 /* only mess with the state file if we're actually running Tor */
924 /* We allow for some parsing slop, but we don't want to risk accepting
925 * values in the distant future. If we did, we might never rotate the
926 * onion key. */
929 /* We have no LastRotatedOnionKey set; either we just created the key
930 * or it's a holdover from 0.1.2.4-alpha-dev or earlier. In either case,
931 * start the clock ticking now so that we will eventually rotate it even
932 * if we don't stay up for a full MIN_ONION_KEY_LIFETIME. */
936 }
937 }
941 /* Load keys from non-empty files only.
942 * Missing old keys won't be replaced with freshly generated keys. */
946 }
949 {
950 /* 2b. Load curve25519 onion keys. */
962 CURVE25519_PUBKEY_LEN) &&
964 /* Load keys from non-empty files only.
965 * Missing old keys won't be replaced with freshly generated keys. */
968 }
970 }
972 /* 3. Initialize link key and TLS context. */
976 }
978 /* 3b. Get an ed25519 link certificate. Note that we need to do this
979 * after we set up the TLS context */
983 }
985 /* 4. Build our router descriptor. */
986 /* Must be called after keys are initialized. */
991 /* We need to add our own fingerprint so it gets recognized. */
995 }
997 was_router_added_t added;
1002 }
1010 /* If the descriptor was outdated, that's ok. This can happen
1011 * when some config options are toggled that affect workers, but
1012 * we don't really need new keys yet so the descriptor doesn't
1013 * change and the old one is still fresh. */
1017 }
1018 }
1019 }
1020 }
1022 /* 5. Dump fingerprint and possibly hashed fingerprint to files. */
1026 }
1030 }
1034 /* 6. [authdirserver only] load approved-routers file */
1038 }
1039 /* 6b. [authdirserver only] add own key to approved directories. */
1050 NULL,
1051 digest,
1052 v3_digest,
1058 }
1060 }
1066 }
1072 }
1082 }
1083 }
1086 }
1088 /* Keep track of whether we should upload our server descriptor,
1089 * and what type of server we are.
1090 */
1092 /** Whether we can reach our ORPort from the outside. */
1094 /** Whether we can reach our DirPort from the outside. */
1097 /** Forget what we have learned about our reachability status. */
1098 void
1100 {
1102 }
1104 /** Return 1 if we won't do reachability checks, because:
1105 * - AssumeReachable is set, or
1106 * - the network is disabled.
1107 * Otherwise, return 0.
1108 */
1109 static int
1111 {
1114 }
1116 /** Return 0 if we need to do an ORPort reachability check, because:
1117 * - no reachability check has been done yet, or
1118 * - we've initiated reachability checks, but none have succeeded.
1119 * Return 1 if we don't need to do an ORPort reachability check, because:
1120 * - we've seen a successful reachability check, or
1121 * - AssumeReachable is set, or
1122 * - the network is disabled.
1123 */
1124 int
1126 {
1129 can_reach_or_port;
1130 }
1132 /** Return 0 if we need to do a DirPort reachability check, because:
1133 * - no reachability check has been done yet, or
1134 * - we've initiated reachability checks, but none have succeeded.
1135 * Return 1 if we don't need to do a DirPort reachability check, because:
1136 * - we've seen a successful reachability check, or
1137 * - there is no DirPort set, or
1138 * - AssumeReachable is set, or
1139 * - the network is disabled.
1140 */
1141 int
1143 {
1147 can_reach_dir_port;
1148 }
1150 /** The lower threshold of remaining bandwidth required to advertise (or
1151 * automatically provide) directory services */
1152 /* XXX Should this be increased? */
1153 #define MIN_BW_TO_ADVERTISE_DIRSERVER 51200
1155 /** Return true iff we have enough configured bandwidth to cache directory
1156 * information. */
1157 static int
1159 {
1162 }
1166 }
1168 }
1170 /** Helper: Return 1 if we have sufficient resources for serving directory
1171 * requests, return 0 otherwise.
1172 * dir_port is either 0 or the configured DirPort number.
1173 * If AccountingMax is set less than our advertised bandwidth, then don't
1174 * serve requests. Likewise, if our advertised bandwidth is less than
1175 * MIN_BW_TO_ADVERTISE_DIRSERVER, don't bother trying to serve requests.
1176 */
1177 static int
1179 {
1186 /* Don't spend bytes for directory traffic if we could end up hibernating,
1187 * but allow DirPort otherwise. Some relay operators set AccountingMax
1188 * because they're confused or to get statistics. Directory traffic has a
1189 * much larger effect on output than input so there is no reason to turn it
1190 * off if using AccountingRule in. */
1198 }
1204 interval_length);
1213 }
1215 /* if we're advertising a small amount */
1218 }
1224 else
1230 }
1232 }
1235 }
1237 /** Return 1 if we are configured to accept either relay or directory requests
1238 * from clients and we aren't at risk of exceeding our bandwidth limits, thus
1239 * we should be a directory server. If not, return 0.
1240 */
1241 int
1243 {
1248 }
1250 /** Look at a variety of factors, and return 0 if we don't want to
1251 * advertise the fact that we have a DirPort open or begindir support, else
1252 * return 1.
1253 *
1254 * Where dir_port or supports_tunnelled_dir_requests are not relevant, they
1255 * must be 0.
1256 *
1257 * Log a helpful message if we change our mind about whether to publish.
1258 */
1259 static int
1263 {
1264 /* Part one: reasons to publish or not publish that aren't
1265 * worth mentioning to the user, either because they're obvious
1266 * or because they're normal behavior. */
1268 /* short circuit the rest of the function */
1281 /* Part two: consider config options that could make us choose to
1282 * publish or not publish that the user might find surprising. */
1284 }
1286 /** Front-end to decide_to_advertise_dir_impl(): return 0 if we don't want to
1287 * advertise the fact that we have a DirPort open, else return the
1288 * DirPort we want to advertise.
1289 */
1290 static int
1292 {
1293 /* supports_tunnelled_dir_requests is not relevant, pass 0 */
1295 }
1297 /** Front-end to decide_to_advertise_dir_impl(): return 0 if we don't want to
1298 * advertise the fact that we support begindir requests, else return 1.
1299 */
1300 static int
1303 {
1304 /* dir_port is not relevant, pass 0 */
1306 supports_tunnelled_dir_requests);
1307 }
1309 /** Allocate and return a new extend_info_t that can be used to build
1310 * a circuit to or through the router <b>r</b>. Uses the primary
1311 * address of the router, so should only be called on a server. */
1314 {
1315 tor_addr_port_t ap;
1318 /* Make sure we don't need to check address reachability */
1324 else
1329 ed_id_key,
1332 }
1334 /** Some time has passed, or we just got new directory information.
1335 * See if we currently believe our ORPort or DirPort to be
1336 * unreachable. If so, launch a new test for it.
1337 *
1338 * For ORPort, we simply try making a circuit that ends at ourselves.
1339 * Success is noticed in onionskin_answer().
1340 *
1341 * For DirPort, we make a connection via Tor to our DirPort and ask
1342 * for our own server descriptor.
1343 * Success is noticed in connection_dir_client_reached_eof().
1344 */
1345 void
1347 {
1351 tor_addr_t addr;
1357 /* If we've excluded ourself, and StrictNodes is set, we can't test
1358 * ourself. */
1360 #define SELF_EXCLUDED_WARN_INTERVAL 3600
1363 "Can't peform self-tests for this relay: we have "
1364 "listed ourself in ExcludeNodes, and StrictNodes is set. "
1365 "We cannot learn whether we are usable, and will not "
1367 }
1369 }
1373 /* XXX IPv6 self testing */
1380 }
1382 /* XXX IPv6 self testing */
1387 DIR_PURPOSE_FETCH_SERVERDESC)) {
1388 /* ask myself, via tor, for my server descriptor. */
1392 DIR_PURPOSE_FETCH_SERVERDESC,
1393 ROUTER_PURPOSE_GENERAL,
1396 }
1397 }
1399 /** Annotate that we found our ORPort reachable. */
1400 void
1402 {
1414 /* This is a significant enough change to upload immediately,
1415 * at least in a test network */
1418 }
1423 }
1424 }
1426 /** Annotate that we found our DirPort reachable. */
1427 void
1429 {
1442 /* This is a significant enough change to upload immediately,
1443 * at least in a test network */
1446 }
1447 }
1452 }
1453 }
1455 /** We have enough testing circuits open. Send a bunch of "drop"
1456 * cells down each of them, to exercise our bandwidth. */
1457 void
1459 {
1461 CELL_MAX_NETWORK_SIZE);
1469 CIRCUIT_PURPOSE_TESTING))) {
1470 /* dump cells_per_circuit drop cells onto this circ */
1477 RELAY_COMMAND_DROP,
1480 }
1481 }
1482 }
1483 }
1485 /** Return true iff our network is in some sense disabled: either we're
1486 * hibernating, entering hibernation, or the network is turned off with
1487 * DisableNetwork. */
1488 int
1490 {
1492 }
1494 /** Return true iff we believe ourselves to be an authoritative
1495 * directory server.
1496 */
1497 int
1499 {
1501 }
1502 /** Return true iff we believe ourselves to be a v3 authoritative
1503 * directory server.
1504 */
1505 int
1507 {
1509 }
1510 /** Return true iff we are a v3 directory authority. */
1511 int
1513 {
1515 }
1516 /** Return true if we believe ourselves to be any kind of
1517 * authoritative directory beyond just a hidserv authority. */
1518 int
1520 {
1523 }
1524 /** Return true iff we are an authoritative directory server that is
1525 * authoritative about receiving and serving descriptors of type
1526 * <b>purpose</b> on its dirport. Use -1 for "any purpose". */
1527 int
1529 {
1536 else
1538 }
1539 /** Return true iff we are an authoritative directory server that
1540 * publishes its own network statuses.
1541 */
1542 int
1544 {
1548 }
1549 /** Return true iff we are an authoritative directory server that
1550 * tests reachability of the descriptors it learns about.
1551 */
1552 int
1554 {
1556 }
1557 /** Return true iff we believe ourselves to be a bridge authoritative
1558 * directory server.
1559 */
1560 int
1562 {
1564 }
1566 /** Return true iff we are trying to be a server.
1567 */
1570 {
1572 /* XXXX I believe we can kill off ORListenAddress here.*/
1574 }
1576 /** Return true iff we are trying to be a non-bridge server.
1577 */
1580 {
1583 }
1585 /** Return true iff the combination of options in <b>options</b> and parameters
1586 * in the consensus mean that we don't want to allow exits from circuits
1587 * we got from addresses not known to be servers. */
1588 int
1590 {
1595 }
1596 }
1598 /** Remember if we've advertised ourselves to the dirservers. */
1601 /** Return true iff we have published our descriptor lately.
1602 */
1605 {
1607 }
1609 /**
1610 * Called with a boolean: set whether we have recently published our
1611 * descriptor.
1612 */
1613 static void
1615 {
1617 }
1619 /** Return true iff we are trying to proxy client connections. */
1620 int
1622 {
1632 }
1634 /** Decide if we're a publishable server. We are a publishable server if:
1635 * - We don't have the ClientOnly option set
1636 * and
1637 * - We have the PublishServerDescriptor option set to non-empty
1638 * and
1639 * - We have ORPort set
1640 * and
1641 * - We believe our ORPort and DirPort (if present) are reachable from
1642 * the outside; or
1643 * - We believe our ORPort is reachable from the outside, and we can't
1644 * check our DirPort because the consensus has no exits; or
1645 * - We are an authoritative directory server.
1646 */
1647 static int
1649 {
1665 /* All set: there are no exits in the consensus (maybe this is a tiny
1666 * test network), so we can't check our DirPort reachability. */
1670 }
1671 }
1673 /** Initiate server descriptor upload as reasonable (if server is publishable,
1674 * etc). <b>force</b> is as for router_upload_dir_desc_to_dirservers.
1675 *
1676 * We need to rebuild the descriptor if it's dirty even if we're not
1677 * uploading, because our reachability testing *uses* our descriptor to
1678 * determine what IP address and ports to test.
1679 */
1680 void
1682 {
1695 }
1696 }
1698 /** Return the port of the first active listener of type
1699 * <b>listener_type</b>. */
1700 /** XXX not a very good interface. it's not reliable when there are
1701 multiple listeners. */
1702 uint16_t
1704 sa_family_t family)
1705 {
1706 /* Iterate all connections, find one of the right kind and return
1707 the port. Not very sophisticated or fast, but effective. */
1713 }
1717 }
1719 /** Return the port that we should advertise as our ORPort; this is either
1720 * the one configured in the ORPort option, or the one we actually bound to
1721 * if ORPort is "auto".
1722 */
1723 uint16_t
1725 {
1727 }
1729 /** As router_get_advertised_or_port(), but allows an address family argument.
1730 */
1731 uint16_t
1733 sa_family_t family)
1734 {
1736 family);
1739 /* If the port is in 'auto' mode, we have to use
1740 router_get_listener_port_by_type(). */
1743 family);
1746 }
1748 /** Return the port that we should advertise as our DirPort;
1749 * this is one of three possibilities:
1750 * The one that is passed as <b>dirport</b> if the DirPort option is 0, or
1751 * the one configured in the DirPort option,
1752 * or the one we actually bound to if DirPort is "auto". */
1753 uint16_t
1755 {
1764 AF_INET);
1767 }
1769 /*
1770 * OR descriptor generation.
1771 */
1773 /** My routerinfo. */
1775 /** My extrainfo */
1777 /** Why did we most recently decide to regenerate our descriptor? Used to
1778 * tell the authorities why we're sending it to them. */
1780 /** Since when has our descriptor been "clean"? 0 if we need to regenerate it
1781 * now. */
1783 /** Why did we mark the descriptor dirty? */
1785 /** Boolean: do we need to regenerate the above? */
1788 /** OR only: If <b>force</b> is true, or we haven't uploaded this
1789 * descriptor successfully yet, try to upload our signed descriptor to
1790 * all the directory servers we know about.
1791 */
1792 void
1794 {
1805 }
1824 }
1829 ROUTER_PURPOSE_BRIDGE :
1830 ROUTER_PURPOSE_GENERAL,
1833 }
1835 /** OR only: Check whether my exit policy says to allow connection to
1836 * conn. Return 0 if we accept; non-0 if we reject.
1837 */
1838 int
1840 {
1845 /* make sure it's resolved to something. this way we can't get a
1846 'maybe' below. */
1850 /* look at router_get_my_routerinfo()->exit_policy for both the v4 and the
1851 * v6 policies. The exit_policy field in router_get_my_routerinfo() is a
1852 * bit unusual, in that it contains IPv6 and IPv6 entries. We don't want to
1853 * look at router_get_my_routerinfo()->ipv6_exit_policy, since that's a port
1854 * summary. */
1859 #if 0
1865 #endif
1868 }
1869 }
1871 /** Return true iff my exit policy is reject *:*. Return -1 if we don't
1872 * have a descriptor */
1875 {
1880 }
1882 /** Return true iff I'm a server and <b>digest</b> is equal to
1883 * my server identity key digest. */
1884 int
1886 {
1889 }
1891 /** Return my identity digest. */
1894 {
1896 }
1898 /** Return true iff I'm a server and <b>digest</b> is equal to
1899 * my identity digest. */
1900 int
1902 {
1909 DIGEST_LEN);
1910 }
1912 /** A wrapper around router_digest_is_me(). */
1913 int
1915 {
1917 }
1919 /** Return a routerinfo for this OR, rebuilding a fresh one if
1920 * necessary. Return NULL on error, or if called on an OP. */
1923 {
1929 }
1931 /** OR only: Return a signed server descriptor for this OR, rebuilding a fresh
1932 * one if necessary. Return NULL on error.
1933 */
1936 {
1943 /* Make sure this is nul-terminated. */
1947 }
1949 /** Return the extrainfo document for this OR, or NULL if we have none.
1950 * Rebuilt it (and the server descriptor) if necessary. */
1951 extrainfo_t *
1953 {
1959 }
1961 /** Return a human-readable string describing what triggered us to generate
1962 * our current descriptor, or NULL if we don't know. */
1965 {
1967 }
1969 /** A list of nicknames that we've warned about including in our family
1970 * declaration verbatim rather than as digests. */
1975 /** Make a current best guess at our address, either because
1976 * it's configured in torrc, or because we've learned it from
1977 * dirserver headers. Place the answer in *<b>addr</b> and return
1978 * 0 on success, else return -1 if we have no guess.
1979 *
1980 * If <b>cache_only</b> is true, just return any cached answers, and
1981 * don't try to get any new answers.
1982 */
1986 {
1987 /* First, check the cached output from resolve_my_address(). */
1992 /* Second, consider doing a resolve attempt right here. */
1997 }
1998 }
2000 /* Third, check the cached output from router_new_address_suggestion(). */
2004 /* We have no useful cached answers. Return failure. */
2006 }
2008 /* Like router_check_descriptor_address_consistency, but specifically for the
2009 * ORPort or DirPort.
2010 * listener_type is either CONN_TYPE_OR_LISTENER or CONN_TYPE_DIR_LISTENER. */
2011 static void
2014 {
2018 /* The first advertised Port may be the magic constant CFG_AUTO_PORT.
2019 */
2021 AF_INET);
2026 listener_type,
2027 AF_INET);
2028 /* If we're building a descriptor with no advertised address,
2029 * something is terribly wrong. */
2032 tor_addr_t desc_addr;
2044 "descriptor address %s. If you have a static public IPv4 "
2045 "address, use 'Address <IPv4>' and 'OutboundBindAddress "
2046 "<IPv4>'. If you are behind a NAT, use two %sPort lines: "
2047 "'%sPort <PublicPort> NoListen' and '%sPort <InternalPort> "
2051 }
2052 }
2054 /* Tor relays only have one IPv4 address in the descriptor, which is derived
2055 * from the Address torrc option, or guessed using various methods in
2056 * router_pick_published_address().
2057 * Warn the operator if there is no ORPort on the descriptor address
2058 * ipv4h_desc_addr.
2059 * Warn the operator if there is no DirPort on the descriptor address.
2060 * This catches a few common config errors:
2061 * - operators who expect ORPorts and DirPorts to be advertised on the
2062 * ports' listen addresses, rather than the torrc Address (or guessed
2063 * addresses in the absence of an Address config). This includes
2064 * operators who attempt to put their ORPort and DirPort on different
2065 * addresses;
2066 * - discrepancies between guessed addresses and configured listen
2067 * addresses (when the Address option isn't set).
2068 * If a listener is listening on all IPv4 addresses, it is assumed that it
2069 * is listening on the configured Address, and no messages are logged.
2070 * If an operators has specified NoAdvertise ORPorts in a NAT setting,
2071 * no messages are logged, unless they have specified other advertised
2072 * addresses.
2073 * The message tells operators to configure an ORPort and DirPort that match
2074 * the Address (using NoListen if needed).
2075 */
2076 static void
2078 {
2080 CONN_TYPE_OR_LISTENER);
2082 CONN_TYPE_DIR_LISTENER);
2083 }
2085 /** Build a fresh routerinfo, signed server descriptor, and extra-info document
2086 * for this OR. Set r to the generated routerinfo, e to the generated
2087 * extra-info document. Return 0 on success, -1 on temporary error. Failure to
2088 * generate an extra-info document is not an error and is indicated by setting
2089 * e to NULL. Caller is responsible for freeing generated documents if 0 is
2090 * returned.
2091 */
2092 int
2094 {
2105 }
2107 /* Log a message if the address in the descriptor doesn't match the ORPort
2108 * and DirPort addresses configured by the operator. */
2121 * main thread */
2126 /* For now, at most one IPv6 or-address is being advertised. */
2127 {
2134 /* Like IPv4, if the relay is configured using the default
2135 * authorities, disallow internal IPs. Otherwise, allow them. */
2144 "descriptor. Skipping it. "
2147 }
2148 }
2153 }
2154 }
2161 }
2170 /* compute ri->bandwidthrate as the min of various options */
2173 /* and compute ri->bandwidthburst similarly */
2179 /* DNS is screwed up; don't claim to be an exit. */
2184 }
2194 }
2208 else
2217 "declared family; I'll use the nickname as is, but "
2219 else
2221 "declared family, but that isn't a legal nickname. "
2224 }
2228 }
2230 /* Don't list ourself in our own family; that's redundant */
2231 /* XXX shouldn't be possible */
2240 }
2241 skip:
2245 /* remove duplicates from the list */
2250 }
2252 /* Now generate the extrainfo. */
2261 DIGEST_LEN);
2277 DIGEST_SHA256);
2278 }
2280 /* Now finish the router descriptor. */
2284 DIGEST_LEN);
2287 DIGEST256_LEN);
2289 /* ri was allocated with tor_malloc_zero, so there is no need to
2290 * zero ri->cache_info.extra_info_digest here. */
2291 }
2301 }
2308 /* Bridges shouldn't be able to send their descriptors unencrypted,
2309 anyway, since they don't have a DirPort, and always connect to the
2310 bridge authority anonymously. But just in case they somehow think of
2311 sending them on an unencrypted connection, don't allow them to try. */
2319 }
2329 }
2334 }
2336 /** If <b>force</b> is true, or our descriptor is out-of-date, rebuild a fresh
2337 * routerinfo, signed server descriptor, and extra-info document for this OR.
2338 * Return 0 on success, -1 on temporary error.
2339 */
2340 int
2342 {
2353 /* Stop trying to rebuild our descriptor every second. We'll
2354 * learn that it's time to try again when ip_address_changed()
2355 * marks it dirty. */
2358 }
2364 }
2377 }
2379 /** If our router descriptor ever goes this long without being regenerated
2380 * because something changed, we force an immediate regenerate-and-upload. */
2381 #define FORCE_REGENERATE_DESCRIPTOR_INTERVAL (18*60*60)
2383 /** If our router descriptor seems to be missing or unacceptable according
2384 * to the authorities, regenerate and reupload it _this_ often. */
2385 #define FAST_RETRY_DESCRIPTOR_INTERVAL (90*60)
2387 /** Mark descriptor out of date if it's been "too long" since we last tried
2388 * to upload one. */
2389 void
2391 {
2398 /* If it's already dirty, don't mark it. */
2402 /* If it's older than FORCE_REGENERATE_DESCRIPTOR_INTERVAL, it's always
2403 * time to rebuild it. */
2407 }
2408 /* Now we see whether we want to be retrying frequently or no. The
2409 * rule here is that we'll retry frequently if we aren't listed in the
2410 * live consensus we have, or if the publication time of the
2411 * descriptor listed for us in the consensus is very old. */
2419 }
2423 }
2425 /** Call when the current descriptor is out of date. */
2426 void
2428 {
2435 }
2437 /** How frequently will we republish our descriptor because of large (factor
2438 * of 2) shifts in estimated bandwidth? Note: We don't use this constant
2439 * if our previous bandwidth estimate was exactly 0. */
2440 #define MAX_BANDWIDTH_CHANGE_FREQ (20*60)
2442 /** Check whether bandwidth has changed a lot since the last time we announced
2443 * bandwidth. If so, mark our descriptor dirty. */
2444 void
2446 {
2462 }
2463 }
2464 }
2466 /** Note at log level severity that our best guess of address has changed from
2467 * <b>prev</b> to <b>cur</b>. */
2468 static void
2473 {
2484 "Our IP Address has changed from %s to %s; "
2487 else
2491 }
2493 /** Check whether our own address as defined by the Address configuration
2494 * has changed. This is for routers that get their address from a service
2495 * like dyndns. If our address has changed, mark our descriptor dirty. */
2496 void
2498 {
2509 /* XXXX ipv6 */
2514 }
2531 }
2534 }
2536 /** The most recently guessed value of our IP address, based on directory
2537 * headers. */
2540 /** A directory server <b>d_conn</b> told us our IP address is
2541 * <b>suggestion</b>.
2542 * If this address is different from the one we think we are now, and
2543 * if our computer doesn't actually know its IP address, then switch. */
2544 void
2547 {
2548 tor_addr_t addr;
2552 /* first, learn what the IP address actually is */
2557 }
2564 }
2566 /* XXXX ipv6 */
2570 /* We're all set -- we already know our address. Great. */
2572 need it later */
2574 }
2576 /* Don't believe anybody who says our IP is, say, 127.0.0.1. */
2578 }
2580 /* Don't believe anybody who says our IP is their IP. */
2583 suggestion);
2585 }
2587 /* Okay. We can't resolve our own address, and X-Your-Address-Is is giving
2588 * us an answer different from what we had the last time we managed to
2589 * resolve it. */
2593 suggestion);
2598 will fetch it */
2599 }
2600 }
2602 /** We failed to resolve our address locally, but we'd like to build
2603 * a descriptor and publish / test reachability. If we have a guess
2604 * about our address based on directory headers, answer it and return
2605 * 0; else return -1. */
2606 static int
2608 {
2612 }
2614 }
2616 /** Set <b>platform</b> (max length <b>len</b>) to a NUL-terminated short
2617 * string describing the version of Tor and the operating system we're
2618 * currently running on.
2619 */
2620 STATIC void
2622 {
2625 }
2627 /* XXX need to audit this thing and count fenceposts. maybe
2628 * refactor so we don't have to keep asking if we're
2629 * near the end of maxlen?
2630 */
2631 #define DEBUG_ROUTER_DUMP_ROUTER_TO_STRING
2633 /** OR only: Given a routerinfo for this router, and an identity key to sign
2634 * with, encode the routerinfo as a signed server descriptor and return a new
2635 * string encoding the result, or NULL on failure.
2636 */
2643 {
2664 /* Make sure the identity key matches the one in the routerinfo. */
2669 }
2678 }
2679 }
2681 /* record our fingerprint, so we can include it in the descriptor */
2685 }
2688 /* Encode ed25519 signing cert */
2697 }
2702 }
2705 "%s"
2709 }
2711 /* PEM-encode the onion key */
2716 }
2718 /* PEM-encode the identity key */
2723 }
2725 /* Cross-certify with RSA key */
2738 }
2745 }
2751 "%s"
2753 }
2755 /* Cross-certify with onion keys */
2760 /* XXXX Base the expiration date on the actual onion key expiration time?*/
2769 }
2778 }
2784 "%s"
2786 }
2788 /* Encode the publication time. */
2798 }
2811 extra_info_digest);
2812 }
2813 }
2824 }
2825 }
2831 }
2836 /* Generate the easy portion of the router descriptor. */
2839 "%s"
2840 "%s"
2842 "%s"
2847 "%s%s"
2850 "%s%s"
2853 address,
2859 proto_line,
2860 published,
2861 fingerprint,
2862 stats_n_seconds_working,
2872 family_line,
2882 }
2888 else
2891 }
2900 /* Authorities will start rejecting relays without ntor keys in 0.2.9 */
2903 }
2905 /* Write the exit policy to the end of 's'. */
2916 }
2923 }
2925 }
2930 }
2932 /* Sign the descriptor with Ed25519 */
2936 ED_DESC_SIGNATURE_PREFIX,
2938 ed25519_signature_t sig;
2947 }
2949 /* Sign the descriptor with RSA */
2955 {
2960 }
2962 }
2964 /* include a last '\n' */
2969 #ifdef DEBUG_ROUTER_DUMP_ROUTER_TO_STRING
2970 {
2981 }
2984 }
2985 #endif
2989 err:
2991 done:
2995 }
3008 }
3010 /**
3011 * OR only: Given <b>router</b>, produce a string with its exit policy.
3012 * If <b>include_ipv4</b> is true, include IPv4 entries.
3013 * If <b>include_ipv6</b> is true, include IPv6 entries.
3014 */
3019 {
3022 }
3025 include_ipv4,
3026 include_ipv6);
3027 }
3029 /** Copy the primary (IPv4) OR port (IP address and TCP port) for
3030 * <b>router</b> into *<b>ap_out</b>. */
3031 void
3033 {
3037 }
3039 /** Return 1 if any of <b>router</b>'s addresses are <b>addr</b>.
3040 * Otherwise return 0. */
3041 int
3043 {
3044 return
3047 }
3049 int
3051 {
3052 return
3057 }
3059 /** Load the contents of <b>filename</b>, find the last line starting with
3060 * <b>end_line</b>, ensure that its timestamp is not more than 25 hours in
3061 * the past or more than 1 hour in the future with respect to <b>now</b>,
3062 * and write the file contents starting with that line to *<b>out</b>.
3063 * Return 1 for success, 0 if the file does not exist or is empty, or -1
3064 * if the file does not contain a line matching these criteria or other
3065 * failure. */
3066 static int
3069 {
3076 /* X022 Find an alternative to reading the whole file to memory. */
3079 /* Find last block starting with end_line */
3083 }
3095 }
3096 notfound:
3099 /* treat empty stats files as if the file doesn't exist */
3108 }
3111 }
3113 /** Write the contents of <b>extrainfo</b> and aggregated statistics to
3114 * *<b>s_out</b>, signing them with <b>ident_key</b>. Return 0 on
3115 * success, negative on failure. */
3116 int
3120 {
3149 }
3157 }
3160 "%s"
3164 }
3168 ed_cert_line,
3185 }
3190 }
3195 }
3200 }
3205 }
3210 }
3211 }
3213 /* Add information about the pluggable transports we support. */
3218 }
3224 }
3225 }
3231 ED_DESC_SIGNATURE_PREFIX,
3233 ed25519_signature_t ed_sig;
3242 }
3248 /* So long as there are at least two chunks (one for the initial
3249 * extra-info line and one for the router-signature), we can keep removing
3250 * things. */
3252 /* We remove the next-to-last element (remember, len-1 is the last
3253 element), since we need to keep the router-signature element. */
3258 "with statistics that exceeds the 50 KB "
3259 "upload limit. Removing last added "
3268 }
3269 }
3278 }
3288 "with statistics that we can't parse. Not "
3289 "adding statistics to this or any future "
3293 signing_keypair);
3299 }
3300 }
3307 err:
3310 done:
3320 }
3322 /** Return true iff <b>s</b> is a valid server nickname. (That is, a string
3323 * containing between 1 and MAX_NICKNAME_LEN characters from
3324 * LEGAL_NICKNAME_CHARACTERS.) */
3325 int
3327 {
3333 }
3335 /** Return true iff <b>s</b> is a valid server nickname or
3336 * hex-encoded identity-key digest. */
3337 int
3339 {
3342 else
3344 }
3346 /** Return true iff <b>s</b> is a valid hex-encoded identity-key
3347 * digest. (That is, an optional $, followed by 40 hex characters,
3348 * followed by either nothing, or = or ~ followed by a nickname, or
3349 * a character other than =, ~, or a hex character.)
3350 */
3351 int
3353 {
3365 }
3366 }
3369 }
3371 /** Use <b>buf</b> (which must be at least NODE_DESC_BUF_LEN bytes long) to
3372 * hold a human-readable description of a node with identity digest
3373 * <b>id_digest</b>, named-status <b>is_named</b>, nickname <b>nickname</b>,
3374 * and address <b>addr</b> or <b>addr32h</b>.
3375 *
3376 * The <b>nickname</b> and <b>addr</b> fields are optional and may be set to
3377 * NULL. The <b>addr32h</b> field is optional and may be set to 0.
3378 *
3379 * Return a pointer to the front of <b>buf</b>.
3380 */
3388 {
3401 }
3411 }
3412 }
3414 }
3416 /** Use <b>buf</b> (which must be at least NODE_DESC_BUF_LEN bytes long) to
3417 * hold a human-readable description of <b>ri</b>.
3418 *
3419 *
3420 * Return a pointer to the front of <b>buf</b>.
3421 */
3424 {
3431 NULL,
3433 }
3435 /** Use <b>buf</b> (which must be at least NODE_DESC_BUF_LEN bytes long) to
3436 * hold a human-readable description of <b>node</b>.
3437 *
3438 * Return a pointer to the front of <b>buf</b>.
3439 */
3442 {
3457 }
3461 is_named,
3462 nickname,
3463 NULL,
3464 addr32h);
3465 }
3467 /** Use <b>buf</b> (which must be at least NODE_DESC_BUF_LEN bytes long) to
3468 * hold a human-readable description of <b>rs</b>.
3469 *
3470 * Return a pointer to the front of <b>buf</b>.
3471 */
3474 {
3481 NULL,
3483 }
3485 /** Use <b>buf</b> (which must be at least NODE_DESC_BUF_LEN bytes long) to
3486 * hold a human-readable description of <b>ei</b>.
3487 *
3488 * Return a pointer to the front of <b>buf</b>.
3489 */
3492 {
3501 }
3503 /** Return a human-readable description of the routerinfo_t <b>ri</b>.
3504 *
3505 * This function is not thread-safe. Each call to this function invalidates
3506 * previous values returned by this function.
3507 */
3510 {
3513 }
3515 /** Return a human-readable description of the node_t <b>node</b>.
3516 *
3517 * This function is not thread-safe. Each call to this function invalidates
3518 * previous values returned by this function.
3519 */
3522 {
3525 }
3527 /** Return a human-readable description of the routerstatus_t <b>rs</b>.
3528 *
3529 * This function is not thread-safe. Each call to this function invalidates
3530 * previous values returned by this function.
3531 */
3534 {
3537 }
3539 /** Return a human-readable description of the extend_info_t <b>ri</b>.
3540 *
3541 * This function is not thread-safe. Each call to this function invalidates
3542 * previous values returned by this function.
3543 */
3546 {
3549 }
3551 /** Set <b>buf</b> (which must have MAX_VERBOSE_NICKNAME_LEN+1 bytes) to the
3552 * verbose representation of the identity of <b>router</b>. The format is:
3553 * A dollar sign.
3554 * The upper-case hexadecimal encoding of the SHA1 hash of router's identity.
3555 * A "=" if the router is named; a "~" if it is not.
3556 * The router's nickname.
3557 **/
3558 void
3560 {
3565 DIGEST_LEN);
3568 DIGEST_LEN);
3571 }
3573 /** Forget that we have issued any router-related warnings, so that we'll
3574 * warn again if we see the same errors. */
3575 void
3577 {
3581 }
3582 }
3584 /** Given a router purpose, convert it to a string. Don't call this on
3585 * ROUTER_PURPOSE_UNKNOWN: The whole point of that value is that we don't
3586 * know its string representation. */
3589 {
3591 {
3597 }
3599 }
3601 /** Given a string, convert it to a router purpose. */
3602 uint8_t
3604 {
3611 else
3613 }
3615 /** Release all static resources held in router.c */
3616 void
3618 {
3637 }
3638 }
3640 /** Return a smartlist of tor_addr_port_t's with all the OR ports of
3641 <b>ri</b>. Note that freeing of the items in the list as well as
3642 the smartlist itself is the callers responsibility. */
3643 smartlist_t *
3645 {
3647 node_t fake_node;
3649 /* we don't modify ri, fake_node is passed as a const node_t *
3650 */
3653 }