/** Note that we've seen a client connect from the IP <b>addr</b>
* at time <b>now</b>. Ignored by all but bridges and directories if
* configured accordingly. */
void
geoip_note_client_seen(geoip_client_action_t action,
const tor_addr_t *addr, time_t now)
{
const or_options_t *options = get_options();
clientmap_entry_t lookup, *ent;
if (action == GEOIP_CLIENT_CONNECT) {
/* Only remember statistics as entry guard or as bridge. */
if (!options->EntryStatistics &&
(!(options->BridgeRelay && options->BridgeRecordUsageByCountry)))
return;
} else {
if (options->BridgeRelay || options->BridgeAuthoritativeDir ||
!options->DirReqStatistics)
return;
}
tor_addr_copy(&lookup.addr, addr);
lookup.action = (int)action;
ent = HT_FIND(clientmap, &client_history, &lookup);
if (! ent) {
ent = tor_malloc_zero(sizeof(clientmap_entry_t));
tor_addr_copy(&ent->addr, addr);
ent->action = (int)action;
HT_INSERT(clientmap, &client_history, ent);
}
if (now / 60 <= (int)MAX_LAST_SEEN_IN_MINUTES && now >= 0)
ent->last_seen_in_minutes = (unsigned)(now/60);
else
ent->last_seen_in_minutes = 0;
if (action == GEOIP_CLIENT_NETWORKSTATUS ||
action == GEOIP_CLIENT_NETWORKSTATUS_V2) {
int country_idx = geoip_get_country_by_addr(addr);
if (country_idx < 0)
country_idx = 0; /** unresolved requests are stored at index 0. */
if (country_idx >= 0 && country_idx < smartlist_len(geoip_countries)) {
geoip_country_t *country = smartlist_get(geoip_countries, country_idx);
if (action == GEOIP_CLIENT_NETWORKSTATUS)
++country->n_v3_ns_requests;
else
++country->n_v2_ns_requests;
}
/* Periodically determine share of requests that we should see */
if (last_time_determined_shares + REQUEST_SHARE_INTERVAL < now)
geoip_determine_shares(now);
}
}
/** Returns a transport_t struct for a transport proxy supporting the
protocol <b>name</b> listening at <b>addr</b>:<b>port</b> using
SOCKS version <b>socks_ver</b>. */
static transport_t *
transport_new(const tor_addr_t *addr, uint16_t port,
const char *name, int socks_ver)
{
transport_t *t = tor_malloc_zero(sizeof(transport_t));
tor_addr_copy(&t->addr, addr);
t->port = port;
t->name = tor_strdup(name);
t->socks_version = socks_ver;
return t;
}
/** Return a deep copy of <b>transport</b>. */
static transport_t *
transport_copy(const transport_t *transport)
{
transport_t *new_transport = NULL;
tor_assert(transport);
new_transport = tor_malloc_zero(sizeof(transport_t));
new_transport->socks_version = transport->socks_version;
new_transport->name = tor_strdup(transport->name);
tor_addr_copy(&new_transport->addr, &transport->addr);
new_transport->port = transport->port;
new_transport->marked_for_removal = transport->marked_for_removal;
return new_transport;
}
static void
test_virtaddrmap(void *data)
{
/* Let's start with a bunch of random addresses. */
int ipv6, bits, iter, b;
virtual_addr_conf_t cfg[2];
uint8_t bytes[16];
(void)data;
tor_addr_parse(&cfg[0].addr, "64.65.0.0");
tor_addr_parse(&cfg[1].addr, "3491:c0c0::");
for (ipv6 = 0; ipv6 <= 1; ++ipv6) {
for (bits = 0; bits < 18; ++bits) {
tor_addr_t last_a;
cfg[ipv6].bits = bits;
memset(bytes, 0, sizeof(bytes));
tor_addr_copy(&last_a, &cfg[ipv6].addr);
/* Generate 128 addresses with each addr/bits combination. */
for (iter = 0; iter < 128; ++iter) {
tor_addr_t a;
get_random_virtual_addr(&cfg[ipv6], &a);
//printf("%s\n", fmt_addr(&a));
/* Make sure that the first b bits match the configured network */
tt_int_op(0, OP_EQ, tor_addr_compare_masked(&a, &cfg[ipv6].addr,
bits, CMP_EXACT));
/* And track which bits have been different between pairs of
* addresses */
update_difference(ipv6, bytes, &last_a, &a);
}
/* Now make sure all but the first 'bits' bits of bytes are true */
for (b = bits+1; b < (ipv6?128:32); ++b) {
tt_assert(1 & (bytes[b/8] >> (7-(b&7))));
}
}
}
done:
;
}
/** Helper function: called by evdns whenever the client sends a request to our
* DNSPort. We need to eventually answer the request <b>req</b>.
*/
static void
evdns_server_callback(struct evdns_server_request *req, void *data_)
{
const listener_connection_t *listener = data_;
entry_connection_t *entry_conn;
edge_connection_t *conn;
int i = 0;
struct evdns_server_question *q = NULL, *supported_q = NULL;
struct sockaddr_storage addr;
struct sockaddr *sa;
int addrlen;
tor_addr_t tor_addr;
uint16_t port;
int err = DNS_ERR_NONE;
char *q_name;
tor_assert(req);
log_info(LD_APP, "Got a new DNS request!");
req->flags |= 0x80; /* set RA */
/* First, check whether the requesting address matches our SOCKSPolicy. */
if ((addrlen = evdns_server_request_get_requesting_addr(req,
(struct sockaddr*)&addr, (socklen_t)sizeof(addr))) < 0) {
log_warn(LD_APP, "Couldn't get requesting address.");
evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
return;
}
(void) addrlen;
sa = (struct sockaddr*) &addr;
if (tor_addr_from_sockaddr(&tor_addr, sa, &port)<0) {
log_warn(LD_APP, "Requesting address wasn't recognized.");
evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
return;
}
if (!socks_policy_permits_address(&tor_addr)) {
log_warn(LD_APP, "Rejecting DNS request from disallowed IP.");
evdns_server_request_respond(req, DNS_ERR_REFUSED);
return;
}
/* Now, let's find the first actual question of a type we can answer in this
* DNS request. It makes us a little noncompliant to act like this; we
* should fix that eventually if it turns out to make a difference for
* anybody. */
if (req->nquestions == 0) {
log_info(LD_APP, "No questions in DNS request; sending back nil reply.");
evdns_server_request_respond(req, 0);
return;
}
if (req->nquestions > 1) {
log_info(LD_APP, "Got a DNS request with more than one question; I only "
"handle one question at a time for now. Skipping the extras.");
}
for (i = 0; i < req->nquestions; ++i) {
if (req->questions[i]->dns_question_class != EVDNS_CLASS_INET)
continue;
switch (req->questions[i]->type) {
case EVDNS_TYPE_A:
case EVDNS_TYPE_AAAA:
case EVDNS_TYPE_PTR:
/* We always pick the first one of these questions, if there is
one. */
if (! supported_q)
supported_q = req->questions[i];
break;
default:
break;
}
}
if (supported_q)
q = supported_q;
if (!q) {
log_info(LD_APP, "None of the questions we got were ones we're willing "
"to support. Sending NOTIMPL.");
evdns_server_request_respond(req, DNS_ERR_NOTIMPL);
return;
}
/* Make sure the name isn't too long: This should be impossible, I think. */
if (err == DNS_ERR_NONE && strlen(q->name) > MAX_SOCKS_ADDR_LEN-1)
err = DNS_ERR_FORMAT;
if (err != DNS_ERR_NONE || !supported_q) {
/* We got an error? There's no question we're willing to answer? Then
* send back an answer immediately; we're done. */
evdns_server_request_respond(req, err);
return;
}
/* Make a new dummy AP connection, and attach the request to it. */
entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);
conn = ENTRY_TO_EDGE_CONN(entry_conn);
CONNECTION_AP_EXPECT_NONPENDING(entry_conn);
TO_CONN(conn)->state = AP_CONN_STATE_RESOLVE_WAIT;
conn->is_dns_request = 1;
tor_addr_copy(&TO_CONN(conn)->addr, &tor_addr);
TO_CONN(conn)->port = port;
TO_CONN(conn)->address = tor_addr_to_str_dup(&tor_addr);
if (q->type == EVDNS_TYPE_A || q->type == EVDNS_TYPE_AAAA ||
q->type == EVDNS_QTYPE_ALL) {
entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE;
} else {
tor_assert(q->type == EVDNS_TYPE_PTR);
entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE_PTR;
}
/* This serves our DNS port so enable DNS request by default. */
entry_conn->entry_cfg.dns_request = 1;
if (q->type == EVDNS_TYPE_A || q->type == EVDNS_QTYPE_ALL) {
entry_conn->entry_cfg.ipv4_traffic = 1;
entry_conn->entry_cfg.ipv6_traffic = 0;
entry_conn->entry_cfg.prefer_ipv6 = 0;
} else if (q->type == EVDNS_TYPE_AAAA) {
entry_conn->entry_cfg.ipv4_traffic = 0;
entry_conn->entry_cfg.ipv6_traffic = 1;
entry_conn->entry_cfg.prefer_ipv6 = 1;
}
strlcpy(entry_conn->socks_request->address, q->name,
sizeof(entry_conn->socks_request->address));
entry_conn->socks_request->listener_type = listener->base_.type;
entry_conn->dns_server_request = req;
entry_conn->entry_cfg.isolation_flags = listener->entry_cfg.isolation_flags;
entry_conn->entry_cfg.session_group = listener->entry_cfg.session_group;
entry_conn->nym_epoch = get_signewnym_epoch();
if (connection_add(ENTRY_TO_CONN(entry_conn)) < 0) {
log_warn(LD_APP, "Couldn't register dummy connection for DNS request");
evdns_server_request_respond(req, DNS_ERR_SERVERFAILED);
connection_free(ENTRY_TO_CONN(entry_conn));
return;
}
control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);
/* Now, unless a controller asked us to leave streams unattached,
* throw the connection over to get rewritten (which will
* answer it immediately if it's in the cache, or completely bogus, or
* automapped), and then attached to a circuit. */
log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
escaped_safe_str_client(q->name));
q_name = tor_strdup(q->name); /* q could be freed in rewrite_and_attach */
connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);
/* Now, the connection is marked if it was bad. */
log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
escaped_safe_str_client(q_name));
tor_free(q_name);
}
/** Helper function: called whenever the client sends a resolve request to our
* controller. We need to eventually answer the request <b>req</b>.
* Returns 0 if the controller will be getting (or has gotten) an event in
* response; -1 if we couldn't launch the request.
*/
int
dnsserv_launch_request(const char *name, int reverse,
control_connection_t *control_conn)
{
entry_connection_t *entry_conn;
edge_connection_t *conn;
char *q_name;
/* Make a new dummy AP connection, and attach the request to it. */
entry_conn = entry_connection_new(CONN_TYPE_AP, AF_INET);
conn = ENTRY_TO_EDGE_CONN(entry_conn);
CONNECTION_AP_EXPECT_NONPENDING(entry_conn);
conn->base_.state = AP_CONN_STATE_RESOLVE_WAIT;
tor_addr_copy(&TO_CONN(conn)->addr, &control_conn->base_.addr);
#ifdef AF_UNIX
/*
* The control connection can be AF_UNIX and if so tor_addr_to_str_dup will
* unhelpfully say "<unknown address type>"; say "(Tor_internal)"
* instead.
*/
if (control_conn->base_.socket_family == AF_UNIX) {
TO_CONN(conn)->port = 0;
TO_CONN(conn)->address = tor_strdup("(Tor_internal)");
} else {
TO_CONN(conn)->port = control_conn->base_.port;
TO_CONN(conn)->address = tor_addr_to_str_dup(&control_conn->base_.addr);
}
#else
TO_CONN(conn)->port = control_conn->base_.port;
TO_CONN(conn)->address = tor_addr_to_str_dup(&control_conn->base_.addr);
#endif
if (reverse)
entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE_PTR;
else
entry_conn->socks_request->command = SOCKS_COMMAND_RESOLVE;
conn->is_dns_request = 1;
strlcpy(entry_conn->socks_request->address, name,
sizeof(entry_conn->socks_request->address));
entry_conn->socks_request->listener_type = CONN_TYPE_CONTROL_LISTENER;
entry_conn->original_dest_address = tor_strdup(name);
entry_conn->entry_cfg.session_group = SESSION_GROUP_CONTROL_RESOLVE;
entry_conn->nym_epoch = get_signewnym_epoch();
entry_conn->entry_cfg.isolation_flags = ISO_DEFAULT;
if (connection_add(TO_CONN(conn))<0) {
log_warn(LD_APP, "Couldn't register dummy connection for RESOLVE request");
connection_free(TO_CONN(conn));
return -1;
}
control_event_stream_status(entry_conn, STREAM_EVENT_NEW_RESOLVE, 0);
/* Now, unless a controller asked us to leave streams unattached,
* throw the connection over to get rewritten (which will
* answer it immediately if it's in the cache, or completely bogus, or
* automapped), and then attached to a circuit. */
log_info(LD_APP, "Passing request for %s to rewrite_and_attach.",
escaped_safe_str_client(name));
q_name = tor_strdup(name); /* q could be freed in rewrite_and_attach */
connection_ap_rewrite_and_attach_if_allowed(entry_conn, NULL, NULL);
/* Now, the connection is marked if it was bad. */
log_info(LD_APP, "Passed request for %s to rewrite_and_attach_if_allowed.",
escaped_safe_str_client(q_name));
tor_free(q_name);
return 0;
}
/**
* Generate a routerstatus for v3_networkstatus test.
*/
vote_routerstatus_t *
dir_common_gen_routerstatus_for_v3ns(int idx, time_t now)
{
vote_routerstatus_t *vrs=NULL;
routerstatus_t *rs = NULL;
tor_addr_t addr_ipv6;
char *method_list = NULL;
switch (idx) {
case 0:
/* Generate the first routerstatus. */
vrs = tor_malloc_zero(sizeof(vote_routerstatus_t));
rs = &vrs->status;
vrs->version = tor_strdup("0.1.2.14");
rs->published_on = now-1500;
strlcpy(rs->nickname, "router2", sizeof(rs->nickname));
memset(rs->identity_digest, TEST_DIR_ROUTER_ID_1, DIGEST_LEN);
memset(rs->descriptor_digest, TEST_DIR_ROUTER_DD_1, DIGEST_LEN);
rs->addr = 0x99008801;
rs->or_port = 443;
rs->dir_port = 8000;
/* all flags but running and v2dir cleared */
rs->is_flagged_running = 1;
rs->is_v2_dir = 1;
break;
case 1:
/* Generate the second routerstatus. */
vrs = tor_malloc_zero(sizeof(vote_routerstatus_t));
rs = &vrs->status;
vrs->version = tor_strdup("0.2.0.5");
rs->published_on = now-1000;
strlcpy(rs->nickname, "router1", sizeof(rs->nickname));
memset(rs->identity_digest, TEST_DIR_ROUTER_ID_2, DIGEST_LEN);
memset(rs->descriptor_digest, TEST_DIR_ROUTER_DD_2, DIGEST_LEN);
rs->addr = 0x99009901;
rs->or_port = 443;
rs->dir_port = 0;
tor_addr_parse(&addr_ipv6, "[1:2:3::4]");
tor_addr_copy(&rs->ipv6_addr, &addr_ipv6);
rs->ipv6_orport = 4711;
rs->is_exit = rs->is_stable = rs->is_fast = rs->is_flagged_running =
rs->is_valid = rs->is_possible_guard = rs->is_v2_dir = 1;
break;
case 2:
/* Generate the third routerstatus. */
vrs = tor_malloc_zero(sizeof(vote_routerstatus_t));
rs = &vrs->status;
vrs->version = tor_strdup("0.1.0.3");
rs->published_on = now-1000;
strlcpy(rs->nickname, "router3", sizeof(rs->nickname));
memset(rs->identity_digest, TEST_DIR_ROUTER_ID_3, DIGEST_LEN);
memset(rs->descriptor_digest, TEST_DIR_ROUTER_DD_3, DIGEST_LEN);
rs->addr = 0xAA009901;
rs->or_port = 400;
rs->dir_port = 9999;
rs->is_authority = rs->is_exit = rs->is_stable = rs->is_fast =
rs->is_flagged_running = rs->is_valid = rs->is_v2_dir =
rs->is_possible_guard = 1;
break;
case 3:
/* Generate a fourth routerstatus that is not running. */
vrs = tor_malloc_zero(sizeof(vote_routerstatus_t));
rs = &vrs->status;
vrs->version = tor_strdup("0.1.6.3");
rs->published_on = now-1000;
strlcpy(rs->nickname, "router4", sizeof(rs->nickname));
memset(rs->identity_digest, TEST_DIR_ROUTER_ID_4, DIGEST_LEN);
memset(rs->descriptor_digest, TEST_DIR_ROUTER_DD_4, DIGEST_LEN);
rs->addr = 0xC0000203;
rs->or_port = 500;
rs->dir_port = 1999;
rs->is_v2_dir = 1;
/* Running flag (and others) cleared */
break;
case 4:
/* No more for this test; return NULL */
vrs = NULL;
break;
default:
/* Shouldn't happen */
tt_assert(0);
}
if (vrs) {
vrs->microdesc = tor_malloc_zero(sizeof(vote_microdesc_hash_t));
method_list = make_consensus_method_list(MIN_SUPPORTED_CONSENSUS_METHOD,
MAX_SUPPORTED_CONSENSUS_METHOD,
",");
tor_asprintf(&vrs->microdesc->microdesc_hash_line,
"m %s "
"sha256=xyzajkldsdsajdadlsdjaslsdksdjlsdjsdaskdaaa%d\n",
method_list, idx);
}
done:
tor_free(method_list);
return vrs;
}
/** Extract status information from <b>ri</b> and from other authority
* functions and store it in <b>rs</b>. <b>rs</b> is zeroed out before it is
* set.
*
* We assume that ri-\>is_running has already been set, e.g. by
* dirserv_set_router_is_running(ri, now);
*/
void
set_routerstatus_from_routerinfo(routerstatus_t *rs,
node_t *node,
const routerinfo_t *ri,
time_t now,
int listbadexits)
{
const or_options_t *options = get_options();
uint32_t routerbw_kb = dirserv_get_credible_bandwidth_kb(ri);
memset(rs, 0, sizeof(routerstatus_t));
rs->is_authority =
router_digest_is_trusted_dir(ri->cache_info.identity_digest);
/* Already set by compute_performance_thresholds. */
rs->is_exit = node->is_exit;
rs->is_stable = node->is_stable =
!dirserv_thinks_router_is_unreliable(now, ri, 1, 0);
rs->is_fast = node->is_fast =
!dirserv_thinks_router_is_unreliable(now, ri, 0, 1);
rs->is_flagged_running = node->is_running; /* computed above */
rs->is_valid = node->is_valid;
if (node->is_fast && node->is_stable &&
ri->supports_tunnelled_dir_requests &&
((options->AuthDirGuardBWGuarantee &&
routerbw_kb >= options->AuthDirGuardBWGuarantee/1000) ||
routerbw_kb >= MIN(guard_bandwidth_including_exits_kb,
guard_bandwidth_excluding_exits_kb))) {
long tk = rep_hist_get_weighted_time_known(
node->identity, now);
double wfu = rep_hist_get_weighted_fractional_uptime(
node->identity, now);
rs->is_possible_guard = (wfu >= guard_wfu && tk >= guard_tk) ? 1 : 0;
} else {
rs->is_possible_guard = 0;
}
rs->is_bad_exit = listbadexits && node->is_bad_exit;
rs->is_hs_dir = node->is_hs_dir =
dirserv_thinks_router_is_hs_dir(ri, node, now);
rs->is_named = rs->is_unnamed = 0;
rs->published_on = ri->cache_info.published_on;
memcpy(rs->identity_digest, node->identity, DIGEST_LEN);
memcpy(rs->descriptor_digest, ri->cache_info.signed_descriptor_digest,
DIGEST_LEN);
rs->addr = ri->addr;
strlcpy(rs->nickname, ri->nickname, sizeof(rs->nickname));
rs->or_port = ri->or_port;
rs->dir_port = ri->dir_port;
rs->is_v2_dir = ri->supports_tunnelled_dir_requests;
rs->is_staledesc =
(ri->cache_info.published_on + DESC_IS_STALE_INTERVAL) < now;
if (options->AuthDirHasIPv6Connectivity == 1 &&
!tor_addr_is_null(&ri->ipv6_addr) &&
node->last_reachable6 >= now - REACHABLE_TIMEOUT) {
/* We're configured as having IPv6 connectivity. There's an IPv6
OR port and it's reachable so copy it to the routerstatus. */
tor_addr_copy(&rs->ipv6_addr, &ri->ipv6_addr);
rs->ipv6_orport = ri->ipv6_orport;
} else {
tor_addr_make_null(&rs->ipv6_addr, AF_INET6);
rs->ipv6_orport = 0;
}
if (options->TestingTorNetwork) {
dirserv_set_routerstatus_testing(rs);
}
}