r11724@Kushana: nickm | 2006-12-28 14:22:35 -0500

Refactor and unify my-ip-addr-changed logic. Make change in IP address or in nameservers reset and relaunch DNS hijacking tests. svn:r9200
2006-12-28 21:29:20 +00:00 · 2006-12-28 21:29:20 +00:00 · d9f1f3533d
parent e5f5b96ca6
commit d9f1f3533d
8 changed files with 89 additions and 25 deletions
--- a/2
+++ b/2
@ -70,6 +70,8 @@ Changes in version 0.1.2.5-xxxx - 200?-??-??
    - We now check for the case when common DNS requests are going to
      wildcarded addresses, and change our exit policy to reject *:* if
      it's happening.  (Bug #364)
+    - When we change nameservers or IP addresses, reset and re-launch
+      our tests for DNS hijacking.

  o Security bugfixes:
    - Stop sending the HttpProxyAuthenticator string to directory
--- a/doc/TODO
+++ b/doc/TODO
@ -112,8 +112,7 @@ d   - Be a DNS proxy.
      well-known sites) are all going to the same place.
    o Bug 363: Warn and die if we can't find a nameserver and we're running a
      server; don't fall back to 127.0.0.1.
-?   - maybe re-check dns when we change IP addresses, rather than
-      every 12 hours?
+    o Re-check dns when we change IP addresses, rather than every 12 hours
    - Bug 326: Give fewer error messages from nameservers. 
      - Only warn when _all_ nameservers are down; otherwise info.
      - Increase timeout; what's industry standard?
--- a/src/or/config.c
+++ b/src/or/config.c
@ -976,7 +976,7 @@ options_act(or_options_t *old_options)
          log_err(LD_BUG,"Error initializing keys; exiting");
          return -1;
        }
-        server_has_changed_ip();
+        ip_address_changed(0);
        if (has_completed_circuit || !any_predicted_circuits(time(NULL)))
          inform_testing_reachability();
      }
@ -1908,7 +1908,7 @@ resolve_my_address(int warn_severity, or_options_t *options,
    /* Leave this as a notice, regardless of the requested severity,
     * at least until dynamic IP address support becomes bulletproof. */
    log_notice(LD_NET, "Your IP address seems to have changed. Updating.");
-    server_has_changed_ip();
+    ip_address_changed(0);
  }
  last_resolved_addr = *addr_out;
  if (hostname_out)
--- a/src/or/connection.c
+++ b/src/or/connection.c
@ -2128,7 +2128,7 @@ client_check_address_changed(int sock)
    smartlist_clear(outgoing_addrs);
    smartlist_add(outgoing_addrs, ip);
    /* Okay, now change our keys. */
-    init_keys(); /* XXXX NM return value-- safe to ignore? */
+    ip_address_changed(1);
  }
 }

--- a/src/or/dns.c
+++ b/src/or/dns.c
@ -1399,6 +1399,11 @@ dns_seems_to_be_broken(void)
 {
  return 0;
 }
+
+void
+dns_reset_correctness_checks(void)
+{
+}
 #else /* !USE_EVENTDNS */

 /** Eventdns helper: return true iff the eventdns result <b>err</b> is
@ -1514,6 +1519,8 @@ configure_nameservers(int force)
  }
 #endif

+  dns_servers_relaunch_checks();
+
  nameservers_configured = 1;
  return 0;
 }
@ -1855,6 +1862,28 @@ dns_seems_to_be_broken(void)
  return dns_is_completely_invalid;
 }

+void
+dns_reset_correctness_checks(void)
+{
+  if (dns_wildcard_response_count) {
+    strmap_free(dns_wildcard_response_count, _tor_free);
+    dns_wildcard_response_count = NULL;
+  }
+  n_wildcard_requests = 0;
+
+  if (dns_wildcard_list) {
+    SMARTLIST_FOREACH(dns_wildcard_list, char *, cp, tor_free(cp));
+    smartlist_clear(dns_wildcard_list);
+  }
+  if (dns_wildcarded_test_address_list) {
+    SMARTLIST_FOREACH(dns_wildcarded_test_address_list, char *, cp,
+                      tor_free(cp));
+    smartlist_clear(dns_wildcarded_test_address_list);
+  }
+  dns_wildcard_one_notice_given = dns_wildcard_notice_given =
+    dns_wildcarded_test_address_notice_given = dns_is_completely_invalid = 0;
+}
+
 /** Return true iff we have noticed that the dotted-quad <b>ip</b> has been
 * returned in response to requests for nonexistent hostnames. */
 static int
--- a/src/or/main.c
+++ b/src/or/main.c
@ -52,6 +52,8 @@ long stats_n_seconds_working = 0;
 static time_t time_to_fetch_directory = 0;
 /** When do we next download a running-routers summary? */
 static time_t time_to_fetch_running_routers = 0;
+/** When do we next launch DNS wildcarding checks? */
+static time_t time_to_check_for_correct_dns = 0;

 /** Array of all open connections.  The first n_conns elements are valid. */
 static connection_t *connection_array[MAXCONNECTIONS+1] =
@ -729,7 +731,6 @@ run_scheduled_events(time_t now)
  static time_t time_to_try_getting_descriptors = 0;
  static time_t time_to_reset_descriptor_failures = 0;
  static time_t time_to_add_entropy = 0;
-  static time_t time_to_check_for_correct_dns = 0;
  or_options_t *options = get_options();
  int i;
  int have_dir_info;
@ -1057,6 +1058,44 @@ got_libevent_error(void)
 }
 #endif

+#define UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST (6*60*60)
+
+/** Called when our IP address seems to have changed. <b>at_interface</b>
+ * should be true if we detected a change in our interface, and false if we
+ * detected a change in our published address. */
+void
+ip_address_changed(int at_interface)
+{
+  int server = server_mode(get_options());
+
+  if (at_interface) {
+    if (! server) {
+      /* Okay, change our keys. */
+      init_keys();
+    }
+  } else {
+    if (server) {
+      if (stats_n_seconds_working > UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST)
+        reset_bandwidth_test();
+      stats_n_seconds_working = 0;
+      router_reset_reachability();
+      mark_my_descriptor_dirty();
+    }
+  }
+
+  dns_servers_relaunch_checks();
+}
+
+/* DOCDOC */
+void
+dns_servers_relaunch_checks(void)
+{
+  if (server_mode(get_options())) {
+    dns_reset_correctness_checks();
+    time_to_check_for_correct_dns = 0;
+  }
+}
+
 /** Called when we get a SIGHUP: reload configuration files and keys,
 * retry all connections, re-upload all descriptors, and so on. */
 static int
--- a/src/or/or.h
+++ b/src/or/or.h
@ -2323,6 +2323,7 @@ void dns_cancel_pending_resolve(const char *question);
 int dns_resolve(edge_connection_t *exitconn, or_circuit_t *circ);
 void dns_launch_correctness_checks(void);
 int dns_seems_to_be_broken(void);
+void dns_reset_correctness_checks(void);

 /********************************* hibernate.c **********************/

@ -2363,6 +2364,9 @@ void connection_start_writing(connection_t *conn);
 void directory_all_unreachable(time_t now);
 void directory_info_has_arrived(time_t now, int from_cache);

+void ip_address_changed(int at_interface);
+void dns_servers_relaunch_checks(void);
+
 void control_signal_act(int the_signal);
 void handle_signals(int is_parent);
 void tor_cleanup(void);
@ -2632,7 +2636,6 @@ int check_whether_dirport_reachable(void);
 void consider_testing_reachability(int test_or, int test_dir);
 void router_orport_found_reachable(void);
 void router_dirport_found_reachable(void);
-void server_has_changed_ip(void);
 void router_perform_bandwidth_test(int num_circs, time_t now);

 int authdir_mode(or_options_t *options);
@ -2664,6 +2667,7 @@ int is_legal_nickname_or_hexdigest(const char *s);
 int is_legal_hexdigest(const char *s);
 void router_get_verbose_nickname(char *buf, routerinfo_t *router);
 void router_reset_warnings(void);
+void router_reset_reachability(void);
 void router_free_all(void);

 /********************************* routerlist.c ***************************/
--- a/src/or/router.c
+++ b/src/or/router.c
@ -381,6 +381,13 @@ static int can_reach_or_port = 0;
 /** Whether we can reach our DirPort from the outside. */
 static int can_reach_dir_port = 0;

+/** DOCDOC */
+void
+router_reset_reachability(void)
+{
+  can_reach_or_port = can_reach_dir_port = 0;
+}
+
 /** Return 1 if ORPort is known reachable; else return 0. */
 int
 check_whether_orport_reachable(void)
@ -488,20 +495,6 @@ router_dirport_found_reachable(void)
  }
 }

-#define UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST (6*60*60)
-
-/** Our router has just moved to a new IP. Reset stats. */
-void
-server_has_changed_ip(void)
-{
-  if (stats_n_seconds_working > UPTIME_CUTOFF_FOR_NEW_BANDWIDTH_TEST)
-    reset_bandwidth_test();
-  stats_n_seconds_working = 0;
-  can_reach_or_port = 0;
-  can_reach_dir_port = 0;
-  mark_my_descriptor_dirty();
-}
-
 /** We have enough testing circuits open. Send a bunch of "drop"
 * cells down each of them, to exercise our bandwidth. */
 void
@ -996,9 +989,7 @@ check_descriptor_ipaddress_changed(time_t now)

  if (prev != cur) {
    log_addr_has_changed(LOG_INFO, prev, cur);
-    mark_my_descriptor_dirty();
-    /* the above call is probably redundant, since resolve_my_address()
-     * probably already noticed and marked it dirty. */
+    ip_address_changed(0);
  }
 }

@ -1044,7 +1035,7 @@ router_new_address_suggestion(const char *suggestion)
   * resolve it. */
  if (last_guessed_ip != addr) {
    log_addr_has_changed(LOG_NOTICE, last_guessed_ip, addr);
-    server_has_changed_ip();
+    ip_address_changed(0);
    last_guessed_ip = addr; /* router_rebuild_descriptor() will fetch it */
  }
 }