[tor-commits] [tor/master] Refactor UseEntryNodes so the original configured value is preserved

nickm at torproject.org nickm at torproject.org
Tue Sep 13 14:42:00 UTC 2016


commit 41f96078c23e3ef1c39a853841332cac3e133a94
Author: teor <teor2345 at gmail.com>
Date:   Tue Sep 6 16:22:07 2016 +1000

    Refactor UseEntryNodes so the original configured value is preserved
    
    Parse the value to UseEntryNodes_option, then set UseEntryNodes before
    validating options.
    
    This way, Authorities, Tor2web, and Single Onion Services don't write
    spurious "UseEntryNodes 0" lines to their configs. Document the fact that
    these tor configurations ignore UseEntryNodes in the manual page.
    
    Also reorder options validation so we modify UseEntryNodes first, then
    check its value against EntryNodes.
    
    And silence a warning about disabled UseEntryNodes for hidden services
    when we're actually in non-anonymous single onion service mode.
---
 changes/feature17178 |  7 +++++++
 doc/tor.1.txt        |  4 +++-
 src/or/config.c      | 19 +++++++++++++------
 src/or/or.h          | 12 ++++++++++--
 4 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/changes/feature17178 b/changes/feature17178
index df6aae3..060b85a 100644
--- a/changes/feature17178
+++ b/changes/feature17178
@@ -21,3 +21,10 @@
   o Minor bug fixes (circuits):
     - Use CircuitBuildTimeout whenever LearnCircuitBuildTimeout is disabled.
       Fixes bug #19678 in commit 5b0b51ca3 in 0.2.4.12-alpha. Patch by teor.
+  o Minor bug fixes (options):
+    - Stop changing the configured value of UseEntryGuards on authorities
+      and Tor2web clients.
+      Fixes bug #20074 in commits 51fc6799 in tor-0.1.1.16-rc and
+      acda1735 in tor-0.2.4.3-alpha. Patch by teor.
+    - Check the consistency of UseEntryGuards and EntryNodes more reliably.
+      Fixes bug #20074 in commit 686aaa5c in tor-0.2.4.12-alpha. Patch by teor.
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index bd25a61..f353637 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1184,7 +1184,9 @@ The following options are useful only for clients (that is, if
     If this option is set to 1, we pick a few long-term entry servers, and try
     to stick with them. This is desirable because constantly changing servers
     increases the odds that an adversary who owns some servers will observe a
-    fraction of your paths. (Default: 1)
+    fraction of your paths. Entry Guards can not be used by Directory
+    Authorities, Single Onion Services, and Tor2web clients. In these cases,
+    the this option is ignored. (Default: 1)
 
 [[UseEntryGuardsAsDirGuards]] **UseEntryGuardsAsDirGuards** **0**|**1**::
     If this option is set to 1, and UseEntryGuards is also set to 1,
diff --git a/src/or/config.c b/src/or/config.c
index 36b2062..48f1ab9 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -437,7 +437,7 @@ static config_var_t option_vars_[] = {
   OBSOLETE("TunnelDirConns"),
   V(UpdateBridgesFromAuthority,  BOOL,     "0"),
   V(UseBridges,                  BOOL,     "0"),
-  V(UseEntryGuards,              BOOL,     "1"),
+  VAR("UseEntryGuards",          BOOL,     UseEntryGuards_option, "1"),
   V(UseEntryGuardsAsDirGuards,   BOOL,     "1"),
   V(UseGuardFraction,            AUTOBOOL, "auto"),
   V(UseMicrodescriptors,         AUTOBOOL, "auto"),
@@ -2926,6 +2926,12 @@ options_validate(or_options_t *old_options, or_options_t *options,
   tor_assert(msg);
   *msg = NULL;
 
+  /* Set UseEntryGuards from the configured value, before we check it below.
+   * We change UseEntryGuards whenn it's incompatible with other options,
+   * but leave UseEntryGuards_option with the original value.
+   * Always use the value of UseEntryGuards, not UseEntryGuards_option. */
+  options->UseEntryGuards = options->UseEntryGuards_option;
+
   warn_about_relative_paths(options);
 
   if (server_mode(options) &&
@@ -3301,10 +3307,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
   if (options->UseBridges && options->EntryNodes)
     REJECT("You cannot set both UseBridges and EntryNodes.");
 
-  if (options->EntryNodes && !options->UseEntryGuards) {
-    REJECT("If EntryNodes is set, UseEntryGuards must be enabled.");
-  }
-
   options->MaxMemInQueues =
     compute_real_max_mem_in_queues(options->MaxMemInQueues_raw,
                                    server_mode(options));
@@ -3419,8 +3421,13 @@ options_validate(or_options_t *old_options, or_options_t *options,
     REJECT("Tor2webRendezvousPoints cannot be set without Tor2webMode.");
   }
 
+  if (options->EntryNodes && !options->UseEntryGuards) {
+    REJECT("If EntryNodes is set, UseEntryGuards must be enabled.");
+  }
+
   if (!(options->UseEntryGuards) &&
-      (options->RendConfigLines != NULL)) {
+      (options->RendConfigLines != NULL) &&
+      !rend_service_non_anonymous_mode_enabled(options)) {
     log_warn(LD_CONFIG,
              "UseEntryGuards is disabled, but you have configured one or more "
              "hidden services on this Tor instance.  Your hidden services "
diff --git a/src/or/or.h b/src/or/or.h
index 12459dd..7104a5c 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3963,8 +3963,16 @@ typedef struct {
   int TokenBucketRefillInterval;
   char *AccelName; /**< Optional hardware acceleration engine name. */
   char *AccelDir; /**< Optional hardware acceleration engine search dir. */
-  int UseEntryGuards; /**< Boolean: Do we try to enter from a smallish number
-                       * of fixed nodes? */
+
+  /** Boolean: Do we try to enter from a smallish number
+   * of fixed nodes? */
+  int UseEntryGuards_option;
+  /** Internal variable to remember whether we're actually acting on
+   * UseEntryGuards_option -- when we're a non-anonymous Tor2web client or
+   * Single Onion Service, it is alwasy false, otherwise we use the value of
+   * UseEntryGuards_option. */
+  int UseEntryGuards;
+
   int NumEntryGuards; /**< How many entry guards do we try to establish? */
   int UseEntryGuardsAsDirGuards; /** Boolean: Do we try to get directory info
                                   * from a smallish number of fixed nodes? */





More information about the tor-commits mailing list