r11724@Kushana: nickm | 2006-12-28 14:22:35 -0500
Refactor and unify my-ip-addr-changed logic. Make change in IP address or in nameservers reset and relaunch DNS hijacking tests. svn:r9200
parent
e5f5b96ca6
commit
d9f1f3533d
|
@ -70,6 +70,8 @@ Changes in version 0.1.2.5-xxxx - 200?-??-??
|
|||
- We now check for the case when common DNS requests are going to
|
||||
wildcarded addresses, and change our exit policy to reject *:* if
|
||||
it's happening. (Bug #364)
|
||||
- When we change nameservers or IP addresses, reset and re-launch
|
||||
our tests for DNS hijacking.
|
||||
|
||||
o Security bugfixes:
|
||||
- Stop sending the HttpProxyAuthenticator string to directory
|
||||
|
|
3
doc/TODO
3
doc/TODO
|
@ -112,8 +112,7 @@ d - Be a DNS proxy.
|
|||
well-known sites) are all going to the same place.
|
||||
o Bug 363: Warn and die if we can't find a nameserver and we're running a
|
||||
server; don't fall back to 127.0.0.1.
|
||||
? - maybe re-check dns when we change IP addresses, rather than
|
||||
every 12 hours?
|
||||
o Re-check dns when we change IP addresses, rather than every 12 hours
|
||||
- Bug 326: Give fewer error messages from nameservers.
|
||||
- Only warn when _all_ nameservers are down; otherwise info.
|
||||
- Increase timeout; what's industry standard?
|
||||
|
|
|
@ -976,7 +976,7 @@ options_act(or_options_t *old_options)
|
|||
log_err(LD_BUG,"Error initializing keys; exiting");
|
||||
return -1;
|
||||
}
|
||||
server_has_changed_ip();
|
||||
ip_address_changed(0);
|
||||
if (has_completed_circuit || !any_predicted_circuits(time(NULL)))
|
||||
inform_testing_reachability();
|
||||
}
|
||||
|
@ -1908,7 +1908,7 @@ resolve_my_address(int warn_severity, or_options_t *options,
|
|||
/* Leave this as a notice, regardless of the requested severity,
|
||||
* at least until dynamic IP address support becomes bulletproof. */
|
||||
log_notice(LD_NET, "Your IP address seems to have changed. Updating.");
|
||||
server_has_changed_ip();
|
||||
ip_address_changed(0);
|
||||
}
|
||||
last_resolved_addr = *addr_out;
|
||||
if (hostname_out)
|
||||
|
|
|
@ -2128,7 +2128,7 @@ client_check_address_changed(int sock)
|
|||
smartlist_clear(outgoing_addrs);
|
||||
smartlist_add(outgoing_addrs, ip);
|
||||
/* Okay, now change our keys. */
|
||||
init_keys(); /* XXXX NM return value-- safe to ignore? */
|
||||
ip_address_changed(1);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
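Review bot: The comment `/* Okay, now change our keys. */` kept above the call in client_check_address_changed no longer matches what the next line does. As rendered here, the bare `init_keys();` appears to be replaced by `ip_address_changed(1);`, and ip_address_changed(), shown later on this page, calls init_keys() only when not in server mode and then also relaunches the DNS checks. I would reword the comment to `/* Our interface address changed: rotate keys if we are a client, and relaunch DNS checks. */`. The function body starts outside the hunk, so any earlier server-mode guard is not visible from here.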
29
src/or/dns.c
29
src/or/dns.c
|
@ -1399,6 +1399,11 @@ dns_seems_to_be_broken(void)
|
|||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
void
|
||||
dns_reset_correctness_checks(void)
|
||||
{
|
||||
}
|
||||
#else /* !USE_EVENTDNS */
|
||||
|
||||
/** Eventdns helper: return true iff the eventdns result <b>err</b> is
|
||||
|
@ -1514,6 +1519,8 @@ configure_nameservers(int force)
|
|||
}
|
||||
#endif
|
||||
|
||||
dns_servers_relaunch_checks();
|
||||
|
||||
nameservers_configured = 1;
|
||||
return 0;
|
||||
}
|
||||
|
@ -1855,6 +1862,28 @@ dns_seems_to_be_broken(void)
|
|||
return dns_is_completely_invalid;
|
||||
}
|
||||
|
||||
void
|
||||
dns_reset_correctness_checks(void)
|
||||
{
|
||||
if (dns_wildcard_response_count) {
|
||||
strmap_free(dns_wildcard_response_count, _tor_free);
|
||||
dns_wildcard_response_count = NULL;
|
||||
}
|
||||
n_wildcard_requests = 0;
|
||||
|
||||
if (dns_wildcard_list) {
|
||||
SMARTLIST_FOREACH(dns_wildcard_list, char *, cp, tor_free(cp));
|
||||
smartlist_clear(dns_wildcard_list);
|
||||
}
|
||||
if (dns_wildcarded_test_address_list) {
|
||||
SMARTLIST_FOREACH(dns_wildcarded_test_address_list, char *, cp,
|
||||
tor_free(cp));
|
||||
smartlist_clear(dns_wildcarded_test_address_list);
|
||||
}
|
||||
dns_wildcard_one_notice_given = dns_wildcard_notice_given =
|
||||
dns_wildcarded_test_address_notice_given = dns_is_completely_invalid = 0;
|
||||
}
|
||||
|
||||
/** Return true iff we have noticed that the dotted-quad <b>ip</b> has been
|
||||
* returned in response to requests for nonexistent hostnames. */
|
||||
static int
|
||||
|
|
|
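Review bot: dns_reset_correctness_checks() is added without a doc comment in both the stub and the eventdns build, and its key effect goes unrecorded: it clears `dns_is_completely_invalid`, which dns_seems_to_be_broken() returns directly. From the reset until the relaunched checks finish, a relay whose resolver is still being hijacked reports healthy DNS again, and configure_nameservers() now triggers this on every call that reaches the added `dns_servers_relaunch_checks();` line. I would add `/** Forget all results of our DNS hijacking tests so they can be rerun from scratch; until they finish, dns_seems_to_be_broken() returns 0. */` above the eventdns definition. Whether answers to test queries launched before the reset can still arrive and repopulate the cleared lists is not visible in this hunk and is worth checking.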
@ -52,6 +52,8 @@ long stats_n_seconds_working = 0;
|
|||
static time_t time_to_fetch_directory = 0;
|
||||
/** When do we next download a running-routers summary? */
|
||||
static time_t time_to_fetch_running_routers = 0;
|
||||
/** When do we next launch DNS wildcarding checks? */
|
||||
static time_t time_to_check_for_correct_dns = 0;
|
||||
|
||||
/** Array of all open connections. The first n_conns elements are valid. */
|
||||
static connection_t *connection_array[MAXCONNECTIONS+1] =
|
||||
|
@ -729,7 +731,6 @@ run_scheduled_events(time_t now)
|
|||
static time_t time_to_try_getting_descriptors = 0;
|
||||
static time_t time_to_reset_descriptor_failures = 0;
|
||||
static time_t time_to_add_entropy = 0;
|
||||
static time_t time_to_check_for_correct_dns = 0;
|
||||
or_options_t *options = get_options();
|
||||
int i;
|
||||
int have_dir_info;
|
||||
|
@ -1057,6 +1058,44 @@ got_libevent_error(void)
|
|||
}
|
||||
#endif
|
||||
|
||||
#define UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST (6*60*60)
|
||||
|
||||
/** Called when our IP address seems to have changed. <b>at_interface</b>
|
||||
* should be true if we detected a change in our interface, and false if we
|
||||
* detected a change in our published address. */
|
||||
void
|
||||
ip_address_changed(int at_interface)
|
||||
{
|
||||
int server = server_mode(get_options());
|
||||
|
||||
if (at_interface) {
|
||||
if (! server) {
|
||||
/* Okay, change our keys. */
|
||||
init_keys();
|
||||
}
|
||||
} else {
|
||||
if (server) {
|
||||
if (stats_n_seconds_working > UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST)
|
||||
reset_bandwidth_test();
|
||||
stats_n_seconds_working = 0;
|
||||
router_reset_reachability();
|
||||
mark_my_descriptor_dirty();
|
||||
}
|
||||
}
|
||||
|
||||
dns_servers_relaunch_checks();
|
||||
}
|
||||
|
||||
/* DOCDOC */
|
||||
void
|
||||
dns_servers_relaunch_checks(void)
|
||||
{
|
||||
if (server_mode(get_options())) {
|
||||
dns_reset_correctness_checks();
|
||||
time_to_check_for_correct_dns = 0;
|
||||
}
|
||||
}
|
||||
|
||||
/** Called when we get a SIGHUP: reload configuration files and keys,
|
||||
* retry all connections, re-upload all descriptors, and so on. */
|
||||
static int
|
||||
|
|
|
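Review bot: In ip_address_changed() the result of `init_keys();` is discarded. The `XXXX NM return value-- safe to ignore?` marker from the old call site in client_check_address_changed is gone too, so the open question is no longer recorded anywhere. The options_act context on this page logs "Error initializing keys; exiting" and returns -1 on what looks like the same failure, so continuing silently here leaves a client unaware that its keys were not rotated after an interface change. Assuming init_keys() returns a negative value on failure, as that context suggests, I would at least log it: `if (init_keys() < 0) log_warn(LD_GENERAL, "Unable to rotate keys after IP change");`.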
@ -2323,6 +2323,7 @@ void dns_cancel_pending_resolve(const char *question);
|
|||
int dns_resolve(edge_connection_t *exitconn, or_circuit_t *circ);
|
||||
void dns_launch_correctness_checks(void);
|
||||
int dns_seems_to_be_broken(void);
|
||||
void dns_reset_correctness_checks(void);
|
||||
|
||||
/********************************* hibernate.c **********************/
|
||||
|
||||
|
@ -2363,6 +2364,9 @@ void connection_start_writing(connection_t *conn);
|
|||
void directory_all_unreachable(time_t now);
|
||||
void directory_info_has_arrived(time_t now, int from_cache);
|
||||
|
||||
void ip_address_changed(int at_interface);
|
||||
void dns_servers_relaunch_checks(void);
|
||||
|
||||
void control_signal_act(int the_signal);
|
||||
void handle_signals(int is_parent);
|
||||
void tor_cleanup(void);
|
||||
|
@ -2632,7 +2636,6 @@ int check_whether_dirport_reachable(void);
|
|||
void consider_testing_reachability(int test_or, int test_dir);
|
||||
void router_orport_found_reachable(void);
|
||||
void router_dirport_found_reachable(void);
|
||||
void server_has_changed_ip(void);
|
||||
void router_perform_bandwidth_test(int num_circs, time_t now);
|
||||
|
||||
int authdir_mode(or_options_t *options);
|
||||
|
@ -2664,6 +2667,7 @@ int is_legal_nickname_or_hexdigest(const char *s);
|
|||
int is_legal_hexdigest(const char *s);
|
||||
void router_get_verbose_nickname(char *buf, routerinfo_t *router);
|
||||
void router_reset_warnings(void);
|
||||
void router_reset_reachability(void);
|
||||
void router_free_all(void);
|
||||
|
||||
/********************************* routerlist.c ***************************/
|
||||
|
|
|
@ -381,6 +381,13 @@ static int can_reach_or_port = 0;
|
|||
/** Whether we can reach our DirPort from the outside. */
|
||||
static int can_reach_dir_port = 0;
|
||||
|
||||
/** DOCDOC */
|
||||
void
|
||||
router_reset_reachability(void)
|
||||
{
|
||||
can_reach_or_port = can_reach_dir_port = 0;
|
||||
}
|
||||
|
||||
/** Return 1 if ORPort is known reachable; else return 0. */
|
||||
int
|
||||
check_whether_orport_reachable(void)
|
||||
|
@ -488,20 +495,6 @@ router_dirport_found_reachable(void)
|
|||
}
|
||||
}
|
||||
|
||||
#define UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST (6*60*60)
|
||||
|
||||
/** Our router has just moved to a new IP. Reset stats. */
|
||||
void
|
||||
server_has_changed_ip(void)
|
||||
{
|
||||
if (stats_n_seconds_working > UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST)
|
||||
reset_bandwidth_test();
|
||||
stats_n_seconds_working = 0;
|
||||
can_reach_or_port = 0;
|
||||
can_reach_dir_port = 0;
|
||||
mark_my_descriptor_dirty();
|
||||
}
|
||||
|
||||
/** We have enough testing circuits open. Send a bunch of "drop"
|
||||
* cells down each of them, to exercise our bandwidth. */
|
||||
void
|
||||
|
@ -996,9 +989,7 @@ check_descriptor_ipaddress_changed(time_t now)
|
|||
|
||||
if (prev != cur) {
|
||||
log_addr_has_changed(LOG_INFO, prev, cur);
|
||||
mark_my_descriptor_dirty();
|
||||
/* the above call is probably redundant, since resolve_my_address()
|
||||
* probably already noticed and marked it dirty. */
|
||||
ip_address_changed(0);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1044,7 +1035,7 @@ router_new_address_suggestion(const char *suggestion)
|
|||
* resolve it. */
|
||||
if (last_guessed_ip != addr) {
|
||||
log_addr_has_changed(LOG_NOTICE, last_guessed_ip, addr);
|
||||
server_has_changed_ip();
|
||||
ip_address_changed(0);
|
||||
last_guessed_ip = addr; /* router_rebuild_descriptor() will fetch it */
|
||||
}
|
||||
}
|
||||
|
|
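Review bot: router_reset_reachability() is committed with a `/** DOCDOC */` placeholder even though it is now exported through or.h and called from ip_address_changed(). A one-line comment is enough: `/** Mark both our ORPort and our DirPort as not known to be reachable from the outside. */`. The same placeholder sits on dns_servers_relaunch_checks() in the main.c part of this commit and should be filled in as well.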