Remove dirauth support for the BadDirectory flag
Implements the first half of #13060. The second half will be to remove client support, too.
parent
59f3cce0dc
commit
8099dee992
|
@ -0,0 +1,4 @@
|
|||
o Removed features:
|
||||
- Directory authorities do not support giving out the BadDirectory
|
||||
flag anymore.
|
||||
|
|
@ -1884,19 +1884,14 @@ on the public Tor network.
|
|||
elements. Otherwise, if the address is not an IP address or is a private IP
|
||||
address, it will reject the router descriptor. (Default: 0)
|
||||
|
||||
[[AuthDirBadDir]] **AuthDirBadDir** __AddressPattern...__::
|
||||
Authoritative directories only. A set of address patterns for servers that
|
||||
will be listed as bad directories in any network status document this
|
||||
authority publishes, if **AuthDirListBadDirs** is set. +
|
||||
+
|
||||
(The address pattern syntax here and in the options below
|
||||
is the same as for exit policies, except that you don't need to say
|
||||
"accept" or "reject", and ports are not needed.)
|
||||
|
||||
[[AuthDirBadExit]] **AuthDirBadExit** __AddressPattern...__::
|
||||
Authoritative directories only. A set of address patterns for servers that
|
||||
will be listed as bad exits in any network status document this authority
|
||||
publishes, if **AuthDirListBadExits** is set.
|
||||
+
|
||||
(The address pattern syntax here and in the options below
|
||||
is the same as for exit policies, except that you don't need to say
|
||||
"accept" or "reject", and ports are not needed.)
|
||||
|
||||
[[AuthDirInvalid]] **AuthDirInvalid** __AddressPattern...__::
|
||||
Authoritative directories only. A set of address patterns for servers that
|
||||
|
@ -1909,8 +1904,6 @@ on the public Tor network.
|
|||
authority publishes, or accepted as an OR address in any descriptor
|
||||
submitted for publication by this authority.
|
||||
|
||||
[[AuthDirBadDirCCs]] **AuthDirBadDirCCs** __CC__,... +
|
||||
|
||||
[[AuthDirBadExitCCs]] **AuthDirBadExitCCs** __CC__,... +
|
||||
|
||||
[[AuthDirInvalidCCs]] **AuthDirInvalidCCs** __CC__,... +
|
||||
|
@ -1918,16 +1911,9 @@ on the public Tor network.
|
|||
[[AuthDirRejectCCs]] **AuthDirRejectCCs** __CC__,...::
|
||||
Authoritative directories only. These options contain a comma-separated
|
||||
list of country codes such that any server in one of those country codes
|
||||
will be marked as a bad directory/bad exit/invalid for use, or rejected
|
||||
will be marked as a bad exit/invalid for use, or rejected
|
||||
entirely.
|
||||
|
||||
[[AuthDirListBadDirs]] **AuthDirListBadDirs** **0**|**1**::
|
||||
Authoritative directories only. If set to 1, this directory has some
|
||||
opinion about which nodes are unsuitable as directory caches. (Do not set
|
||||
this to 1 unless you plan to list non-functioning directories as bad;
|
||||
otherwise, you are effectively voting in favor of every declared
|
||||
directory.)
|
||||
|
||||
[[AuthDirListBadExits]] **AuthDirListBadExits** **0**|**1**::
|
||||
Authoritative directories only. If set to 1, this directory has some
|
||||
opinion about which nodes are unsuitable as exit nodes. (Do not set this to
|
||||
|
|
|
@ -140,8 +140,8 @@ static config_var_t option_vars_[] = {
|
|||
V(AlternateDirAuthority, LINELIST, NULL),
|
||||
OBSOLETE("AlternateHSAuthority"),
|
||||
V(AssumeReachable, BOOL, "0"),
|
||||
V(AuthDirBadDir, LINELIST, NULL),
|
||||
V(AuthDirBadDirCCs, CSV, ""),
|
||||
OBSOLETE("AuthDirBadDir"),
|
||||
OBSOLETE("AuthDirBadDirCCs"),
|
||||
V(AuthDirBadExit, LINELIST, NULL),
|
||||
V(AuthDirBadExitCCs, CSV, ""),
|
||||
V(AuthDirInvalid, LINELIST, NULL),
|
||||
|
@ -151,7 +151,7 @@ static config_var_t option_vars_[] = {
|
|||
V(AuthDirReject, LINELIST, NULL),
|
||||
V(AuthDirRejectCCs, CSV, ""),
|
||||
OBSOLETE("AuthDirRejectUnlisted"),
|
||||
V(AuthDirListBadDirs, BOOL, "0"),
|
||||
OBSOLETE("AuthDirListBadDirs"),
|
||||
V(AuthDirListBadExits, BOOL, "0"),
|
||||
V(AuthDirMaxServersPerAddr, UINT, "2"),
|
||||
V(AuthDirMaxServersPerAuthAddr,UINT, "5"),
|
||||
|
|
|
@ -76,7 +76,7 @@ static uint32_t dirserv_get_credible_bandwidth_kb(const routerinfo_t *ri);
|
|||
/* 1 Historically used to indicate Named */
|
||||
#define FP_INVALID 2 /**< Believed invalid. */
|
||||
#define FP_REJECT 4 /**< We will not publish this router. */
|
||||
#define FP_BADDIR 8 /**< We'll tell clients to avoid using this as a dir. */
|
||||
/* 8 Historically used to avoid using this as a dir. */
|
||||
#define FP_BADEXIT 16 /**< We'll tell clients not to use this as an exit. */
|
||||
/* 32 Historically used to indicade Unnamed */
|
||||
|
||||
|
@ -209,8 +209,6 @@ dirserv_load_fingerprint_file(void)
|
|||
}
|
||||
if (!strcasecmp(nickname, "!reject")) {
|
||||
add_status = FP_REJECT;
|
||||
} else if (!strcasecmp(nickname, "!baddir")) {
|
||||
add_status = FP_BADDIR;
|
||||
} else if (!strcasecmp(nickname, "!badexit")) {
|
||||
add_status = FP_BADEXIT;
|
||||
} else if (!strcasecmp(nickname, "!invalid")) {
|
||||
|
@ -309,14 +307,6 @@ dirserv_get_status_impl(const char *id_digest, const char *nickname,
|
|||
*msg = "Fingerprint is marked invalid";
|
||||
}
|
||||
|
||||
if (authdir_policy_baddir_address(addr, or_port)) {
|
||||
if (should_log)
|
||||
log_info(LD_DIRSERV,
|
||||
"Marking '%s' as bad directory because of address '%s'",
|
||||
nickname, fmt_addr32(addr));
|
||||
result |= FP_BADDIR;
|
||||
}
|
||||
|
||||
if (authdir_policy_badexit_address(addr, or_port)) {
|
||||
if (should_log)
|
||||
log_info(LD_DIRSERV, "Marking '%s' as bad exit because of address '%s'",
|
||||
|
@ -443,7 +433,6 @@ dirserv_set_node_flags_from_authoritative_status(node_t *node,
|
|||
uint32_t authstatus)
|
||||
{
|
||||
node->is_valid = (authstatus & FP_INVALID) ? 0 : 1;
|
||||
node->is_bad_directory = (authstatus & FP_BADDIR) ? 1 : 0;
|
||||
node->is_bad_exit = (authstatus & FP_BADEXIT) ? 1 : 0;
|
||||
}
|
||||
|
||||
|
@ -694,11 +683,6 @@ directory_remove_invalid(void)
|
|||
(r&FP_INVALID) ? "in" : "");
|
||||
node->is_valid = (r&FP_INVALID)?0:1;
|
||||
}
|
||||
if (bool_neq((r & FP_BADDIR), node->is_bad_directory)) {
|
||||
log_info(LD_DIRSERV, "Router '%s' is now a %s directory", description,
|
||||
(r & FP_BADDIR) ? "bad" : "good");
|
||||
node->is_bad_directory = (r&FP_BADDIR) ? 1: 0;
|
||||
}
|
||||
if (bool_neq((r & FP_BADEXIT), node->is_bad_exit)) {
|
||||
log_info(LD_DIRSERV, "Router '%s' is now a %s exit", description,
|
||||
(r & FP_BADEXIT) ? "bad" : "good");
|
||||
|
@ -1843,10 +1827,9 @@ routerstatus_format_entry(const routerstatus_t *rs, const char *version,
|
|||
goto done;
|
||||
|
||||
smartlist_add_asprintf(chunks,
|
||||
"s%s%s%s%s%s%s%s%s%s%s%s\n",
|
||||
"s%s%s%s%s%s%s%s%s%s%s\n",
|
||||
/* These must stay in alphabetical order. */
|
||||
rs->is_authority?" Authority":"",
|
||||
rs->is_bad_directory?" BadDirectory":"",
|
||||
rs->is_bad_exit?" BadExit":"",
|
||||
rs->is_exit?" Exit":"",
|
||||
rs->is_fast?" Fast":"",
|
||||
|
@ -2123,7 +2106,7 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs,
|
|||
routerinfo_t *ri,
|
||||
time_t now,
|
||||
int listbadexits,
|
||||
int listbaddirs, int vote_on_hsdirs)
|
||||
int vote_on_hsdirs)
|
||||
{
|
||||
const or_options_t *options = get_options();
|
||||
uint32_t routerbw_kb = dirserv_get_credible_bandwidth_kb(ri);
|
||||
|
@ -2165,7 +2148,6 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs,
|
|||
rs->is_possible_guard = 1;
|
||||
}
|
||||
|
||||
rs->is_bad_directory = listbaddirs && node->is_bad_directory;
|
||||
rs->is_bad_exit = listbadexits && node->is_bad_exit;
|
||||
node->is_hs_dir = dirserv_thinks_router_is_hs_dir(ri, node, now);
|
||||
rs->is_hs_dir = vote_on_hsdirs && node->is_hs_dir;
|
||||
|
@ -2399,7 +2381,6 @@ dirserv_generate_networkstatus_vote_obj(crypto_pk_t *private_key,
|
|||
char identity_digest[DIGEST_LEN];
|
||||
char signing_key_digest[DIGEST_LEN];
|
||||
int listbadexits = options->AuthDirListBadExits;
|
||||
int listbaddirs = options->AuthDirListBadDirs;
|
||||
int vote_on_hsdirs = options->VoteOnHidServDirectoriesV2;
|
||||
routerlist_t *rl = router_get_routerlist();
|
||||
time_t now = time(NULL);
|
||||
|
@ -2491,7 +2472,7 @@ dirserv_generate_networkstatus_vote_obj(crypto_pk_t *private_key,
|
|||
vrs = tor_malloc_zero(sizeof(vote_routerstatus_t));
|
||||
rs = &vrs->status;
|
||||
set_routerstatus_from_routerinfo(rs, node, ri, now,
|
||||
listbadexits, listbaddirs,
|
||||
listbadexits,
|
||||
vote_on_hsdirs);
|
||||
|
||||
if (digestmap_get(omit_as_sybil, ri->cache_info.identity_digest))
|
||||
|
@ -2573,8 +2554,6 @@ dirserv_generate_networkstatus_vote_obj(crypto_pk_t *private_key,
|
|||
0, SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
|
||||
if (vote_on_reachability)
|
||||
smartlist_add(v3_out->known_flags, tor_strdup("Running"));
|
||||
if (listbaddirs)
|
||||
smartlist_add(v3_out->known_flags, tor_strdup("BadDirectory"));
|
||||
if (listbadexits)
|
||||
smartlist_add(v3_out->known_flags, tor_strdup("BadExit"));
|
||||
if (vote_on_hsdirs)
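Review bot: In dirserv_load_fingerprint_file, a `!baddir` line in an existing fingerprint file no longer matches any branch of the keyword chain, and nothing visible in the hunk tells the operator that the entry has stopped having an effect. The torrc options get `OBSOLETE(...)` entries in the option table, but this file format gets no equivalent, so an authority that listed misbehaving directory mirrors this way would appear to drop that marking silently after upgrading. I would keep the branch as a warning-only no-op: `} else if (!strcasecmp(nickname, "!baddir")) {` followed by `log_warn(LD_DIRSERV, "Ignoring obsolete !baddir entry in fingerprint file");`. The rest of the chain and the code that consumes add_status lie outside the hunk, so confirm there how an unmatched `!` keyword is treated.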
|
||||
|
|
|
@ -101,7 +101,7 @@ void set_routerstatus_from_routerinfo(routerstatus_t *rs,
|
|||
node_t *node,
|
||||
routerinfo_t *ri, time_t now,
|
||||
int listbadexits,
|
||||
int listbaddirs, int vote_on_hsdirs);
|
||||
int vote_on_hsdirs);
|
||||
networkstatus_t *
|
||||
dirserv_generate_networkstatus_vote_obj(crypto_pk_t *private_key,
|
||||
authority_cert_t *cert);
|
||||
|
|
|
@ -1655,7 +1655,7 @@ networkstatus_getinfo_by_purpose(const char *purpose_string, time_t now)
|
|||
if (bridge_auth && ri->purpose == ROUTER_PURPOSE_BRIDGE)
|
||||
dirserv_set_router_is_running(ri, now);
|
||||
/* then generate and write out status lines for each of them */
|
||||
set_routerstatus_from_routerinfo(&rs, node, ri, now, 0, 0, 0);
|
||||
set_routerstatus_from_routerinfo(&rs, node, ri, now, 0, 0);
|
||||
smartlist_add(statuses, networkstatus_getinfo_helper_single(&rs));
|
||||
} SMARTLIST_FOREACH_END(ri);
|
||||
|
||||
|
|
|
@ -3742,8 +3742,6 @@ typedef struct {
|
|||
config_line_t *NodeFamilies; /**< List of config lines for
|
||||
* node families */
|
||||
smartlist_t *NodeFamilySets; /**< List of parsed NodeFamilies values. */
|
||||
config_line_t *AuthDirBadDir; /**< Address policy for descriptors to
|
||||
* mark as bad dir mirrors. */
|
||||
config_line_t *AuthDirBadExit; /**< Address policy for descriptors to
|
||||
* mark as bad exits. */
|
||||
config_line_t *AuthDirReject; /**< Address policy for descriptors to
|
||||
|
@ -3752,19 +3750,16 @@ typedef struct {
|
|||
* never mark as valid. */
|
||||
/** @name AuthDir...CC
|
||||
*
|
||||
* Lists of country codes to mark as BadDir, BadExit, or Invalid, or to
|
||||
* Lists of country codes to mark as BadExit, or Invalid, or to
|
||||
* reject entirely.
|
||||
*
|
||||
* @{
|
||||
*/
|
||||
smartlist_t *AuthDirBadDirCCs;
|
||||
smartlist_t *AuthDirBadExitCCs;
|
||||
smartlist_t *AuthDirInvalidCCs;
|
||||
smartlist_t *AuthDirRejectCCs;
|
||||
/**@}*/
|
||||
|
||||
int AuthDirListBadDirs; /**< True iff we should list bad dirs,
|
||||
* and vote for all other dir mirrors as good. */
|
||||
int AuthDirListBadExits; /**< True iff we should list bad exits,
|
||||
* and vote for all other exits as good. */
|
||||
int AuthDirMaxServersPerAddr; /**< Do not permit more than this
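Review bot: The reworded doc comment for the AuthDir...CC group reads `Lists of country codes to mark as BadExit, or Invalid, or to`, where the comma left over from the old three-item list now splits a two-item one. `* Lists of country codes to mark as BadExit or Invalid, or to` reads cleanly and keeps the line within the existing wrap. The struct continues outside the hunk.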
|
||||
|
|
|
@ -28,9 +28,6 @@ static smartlist_t *authdir_reject_policy = NULL;
|
|||
/** Policy that addresses for incoming router descriptors must match in order
|
||||
* to be marked as valid in our networkstatus. */
|
||||
static smartlist_t *authdir_invalid_policy = NULL;
|
||||
/** Policy that addresses for incoming router descriptors must <b>not</b>
|
||||
* match in order to not be marked as BadDirectory. */
|
||||
static smartlist_t *authdir_baddir_policy = NULL;
|
||||
/** Policy that addresses for incoming router descriptors must <b>not</b>
|
||||
* match in order to not be marked as BadExit. */
|
||||
static smartlist_t *authdir_badexit_policy = NULL;
|
||||
|
@ -400,17 +397,6 @@ authdir_policy_valid_address(uint32_t addr, uint16_t port)
|
|||
return !addr_is_in_cc_list(addr, get_options()->AuthDirInvalidCCs);
|
||||
}
|
||||
|
||||
/** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
|
||||
* based on <b>authdir_baddir_policy</b>. Else return 0.
|
||||
*/
|
||||
int
|
||||
authdir_policy_baddir_address(uint32_t addr, uint16_t port)
|
||||
{
|
||||
if (! addr_policy_permits_address(addr, port, authdir_baddir_policy))
|
||||
return 1;
|
||||
return addr_is_in_cc_list(addr, get_options()->AuthDirBadDirCCs);
|
||||
}
|
||||
|
||||
/** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
|
||||
* based on <b>authdir_badexit_policy</b>. Else return 0.
|
||||
*/
|
||||
|
@ -455,9 +441,6 @@ validate_addr_policies(const or_options_t *options, char **msg)
|
|||
if (parse_addr_policy(options->AuthDirInvalid, &addr_policy,
|
||||
ADDR_POLICY_REJECT))
|
||||
REJECT("Error in AuthDirInvalid entry.");
|
||||
if (parse_addr_policy(options->AuthDirBadDir, &addr_policy,
|
||||
ADDR_POLICY_REJECT))
|
||||
REJECT("Error in AuthDirBadDir entry.");
|
||||
if (parse_addr_policy(options->AuthDirBadExit, &addr_policy,
|
||||
ADDR_POLICY_REJECT))
|
||||
REJECT("Error in AuthDirBadExit entry.");
|
||||
|
@ -535,9 +518,6 @@ policies_parse_from_options(const or_options_t *options)
|
|||
if (load_policy_from_option(options->AuthDirInvalid, "AuthDirInvalid",
|
||||
&authdir_invalid_policy, ADDR_POLICY_REJECT) < 0)
|
||||
ret = -1;
|
||||
if (load_policy_from_option(options->AuthDirBadDir, "AuthDirBadDir",
|
||||
&authdir_baddir_policy, ADDR_POLICY_REJECT) < 0)
|
||||
ret = -1;
|
||||
if (load_policy_from_option(options->AuthDirBadExit, "AuthDirBadExit",
|
||||
&authdir_badexit_policy, ADDR_POLICY_REJECT) < 0)
|
||||
ret = -1;
|
||||
|
@ -1766,8 +1746,6 @@ policies_free_all(void)
|
|||
authdir_reject_policy = NULL;
|
||||
addr_policy_list_free(authdir_invalid_policy);
|
||||
authdir_invalid_policy = NULL;
|
||||
addr_policy_list_free(authdir_baddir_policy);
|
||||
authdir_baddir_policy = NULL;
|
||||
addr_policy_list_free(authdir_badexit_policy);
|
||||
authdir_badexit_policy = NULL;
|
||||
|
||||
|
|
|
@ -27,7 +27,6 @@ int dir_policy_permits_address(const tor_addr_t *addr);
|
|||
int socks_policy_permits_address(const tor_addr_t *addr);
|
||||
int authdir_policy_permits_address(uint32_t addr, uint16_t port);
|
||||
int authdir_policy_valid_address(uint32_t addr, uint16_t port);
|
||||
int authdir_policy_baddir_address(uint32_t addr, uint16_t port);
|
||||
int authdir_policy_badexit_address(uint32_t addr, uint16_t port);
|
||||
|
||||
int validate_addr_policies(const or_options_t *options, char **msg);
|
||||
|
|