[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r8442: Consider non-exit servers unsuitable for RESOLVE commands. (in tor/trunk: . doc src/or)



Author: nickm
Date: 2006-09-21 17:48:42 -0400 (Thu, 21 Sep 2006)
New Revision: 8442

Modified:
   tor/trunk/
   tor/trunk/ChangeLog
   tor/trunk/doc/TODO
   tor/trunk/src/or/circuituse.c
   tor/trunk/src/or/connection_edge.c
   tor/trunk/src/or/or.h
   tor/trunk/src/or/policies.c
Log:
 r8877@Kushana:  nickm | 2006-09-21 17:12:33 -0400
 Consider non-exit servers unsuitable for RESOLVE commands.



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/branches/eventdns [r8877] on c95137ef-5f19-0410-b913-86e773d04f59

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2006-09-21 21:48:37 UTC (rev 8441)
+++ tor/trunk/ChangeLog	2006-09-21 21:48:42 UTC (rev 8442)
@@ -11,6 +11,8 @@
     - Check for name servers (like Earthlink's) that hijack failing DNS
       requests and replace the 'no such server' answer with a "helpful"
       redirect to an advertising-driven search portal.  [Resolves bug 330.]
+    - When asked to resolve a hostname, don't use non-exit servers.  This
+      allows servers with broken DNS be useful to the network.
 
   o Security Fixes, minor
     - If a client asked for a server by name, and we didn't have a

Modified: tor/trunk/doc/TODO
===================================================================
--- tor/trunk/doc/TODO	2006-09-21 21:48:37 UTC (rev 8441)
+++ tor/trunk/doc/TODO	2006-09-21 21:48:42 UTC (rev 8442)
@@ -90,7 +90,7 @@
     o Option to deal with broken DNS of the "ggoogle.com? Ah, you meant
       ads.me.com!" variety.
       o Autodetect whether DNS is broken in this way.
-    - Don't ask reject *:* nodes for DNS unless client wants you to.
+    o Don't ask reject *:* nodes for DNS unless client wants you to.
     . Asynchronous DNS
       o Document and rename SearchDomains, ResolvConf options
       D Make API closer to getaddrinfo()

Modified: tor/trunk/src/or/circuituse.c
===================================================================
--- tor/trunk/src/or/circuituse.c	2006-09-21 21:48:37 UTC (rev 8441)
+++ tor/trunk/src/or/circuituse.c	2006-09-21 21:48:42 UTC (rev 8442)
@@ -929,9 +929,9 @@
   n_circuit_failures = 0;
 }
 
-/** Find an open circ that we're happy with: return 1. If there isn't
- * one, and there isn't one on the way, launch one and return 0. If it
- * will never work, return -1.
+/** Find an open circ that we're happy to use for <b>conn</b> and return 1. If
+ * there isn't one, and there isn't one on the way, launch one and return
+ * 0. If it will never work, return -1.
  *
  * Write the found or in-progress or launched circ into *circp.
  */

Modified: tor/trunk/src/or/connection_edge.c
===================================================================
--- tor/trunk/src/or/connection_edge.c	2006-09-21 21:48:37 UTC (rev 8441)
+++ tor/trunk/src/or/connection_edge.c	2006-09-21 21:48:42 UTC (rev 8442)
@@ -2082,6 +2082,10 @@
                                     exit->exit_policy);
     if (r == ADDR_POLICY_REJECTED || r == ADDR_POLICY_PROBABLY_REJECTED)
       return 0;
+  } else {
+    /* Don't send DNS requests to non-exit servers by default. */
+    if (policy_is_reject_star(exit->exit_policy))
+      return 0;
   }
   return 1;
 }

Modified: tor/trunk/src/or/or.h
===================================================================
--- tor/trunk/src/or/or.h	2006-09-21 21:48:37 UTC (rev 8441)
+++ tor/trunk/src/or/or.h	2006-09-21 21:48:42 UTC (rev 8442)
@@ -2269,6 +2269,7 @@
                                addr_policy_t **dest,
                                int rejectprivate);
 int exit_policy_is_general_exit(addr_policy_t *policy);
+int policy_is_reject_star(addr_policy_t *policy);
 int policies_getinfo_helper(const char *question, char **answer);
 
 void addr_policy_free(addr_policy_t *p);

Modified: tor/trunk/src/or/policies.c
===================================================================
--- tor/trunk/src/or/policies.c	2006-09-21 21:48:37 UTC (rev 8441)
+++ tor/trunk/src/or/policies.c	2006-09-21 21:48:42 UTC (rev 8442)
@@ -629,7 +629,23 @@
   return n_allowed >= 2;
 }
 
+/** Return false if <b>policy</b> might permit access to some addr:port;
+ * otherwise if we are certain it rejects everything, return true. */
 int
+policy_is_reject_star(addr_policy_t *p)
+{
+  for ( ; p; p = p->next) {
+    if (p->policy_type == ADDR_POLICY_ACCEPT)
+      return 0;
+    else if (p->policy_type == ADDR_POLICY_REJECT &&
+             p->prt_min <= 1 && p->prt_max == 65535 &&
+             p->msk == 0)
+      return 1;
+  }
+  return 1;
+}
+
+int
 policies_getinfo_helper(const char *question, char **answer)
 {
   if (!strcmp(question, "exit-policy/default")) {