From c89cac578377a2cc4c56896db84fff908c3ccdca Mon Sep 17 00:00:00 2001 From: Kittywhiskers Van Gogh <63189531+kittywhiskers@users.noreply.github.com> Date: Mon, 17 Apr 2023 08:27:07 +0000 Subject: [PATCH] merge bitcoin#19991: Use alternative port for incoming Tor connections --- doc/tor.md | 9 +++--- src/chainparamsbase.cpp | 12 +++++--- src/chainparamsbase.h | 9 ++++-- src/init.cpp | 40 +++++++++++++++++++----- src/net.cpp | 27 ++++++++++++---- src/net.h | 7 ++++- src/torcontrol.cpp | 68 +++++++++++++++++++++++++---------------- src/torcontrol.h | 7 ++++- 8 files changed, 125 insertions(+), 54 deletions(-) diff --git a/doc/tor.md b/doc/tor.md index 8e6d6be525..40245a516d 100644 --- a/doc/tor.md +++ b/doc/tor.md @@ -53,11 +53,12 @@ config file): *Needed for Tor version 0.2.7.0 and older versions of Tor only. Fo versions of Tor see [Section 4](#4-automatically-listen-on-tor).* HiddenServiceDir /var/lib/tor/dashcore-service/ - HiddenServicePort 9999 127.0.0.1:9999 - HiddenServicePort 19999 127.0.0.1:19999 + HiddenServicePort 9999 127.0.0.1:9996 + HiddenServicePort 19999 127.0.0.1:19996 -The directory can be different of course, but (both) port numbers should be equal to -your dashd's P2P listen port (9999 by default). +The directory can be different of course, but virtual port numbers should be equal to +your dashd's P2P listen port (9999 by default), and target addresses and ports +should be equal to binding address and port for inbound Tor connections (127.0.0.1:9996 by default). -externalip=X You can tell Dash Core about its publicly reachable address using this option, and this can be a .onion address. Given the above diff --git a/src/chainparamsbase.cpp b/src/chainparamsbase.cpp index 926dd85023..74a9039c6f 100644 --- a/src/chainparamsbase.cpp +++ b/src/chainparamsbase.cpp @@ -49,16 +49,20 @@ const CBaseChainParams& BaseParams() return *globalChainBaseParams; } +/** + * Port numbers for incoming Tor connections (9996, 19996, 19796, 19896) have + * been chosen arbitrarily to keep ranges of used ports tight. + */ std::unique_ptr CreateBaseChainParams(const std::string& chain) { if (chain == CBaseChainParams::MAIN) - return std::make_unique("", 9998); + return std::make_unique("", 9998, 9996); else if (chain == CBaseChainParams::TESTNET) - return std::make_unique("testnet3", 19998); + return std::make_unique("testnet3", 19998, 19996); else if (chain == CBaseChainParams::DEVNET) - return std::make_unique(gArgs.GetDevNetName(), 19798); + return std::make_unique(gArgs.GetDevNetName(), 19798, 19796); else if (chain == CBaseChainParams::REGTEST) - return std::make_unique("regtest", 19898); + return std::make_unique("regtest", 19898, 19896); else throw std::runtime_error(strprintf("%s: Unknown chain %s.", __func__, chain)); } diff --git a/src/chainparamsbase.h b/src/chainparamsbase.h index 65580dd80d..298577923c 100644 --- a/src/chainparamsbase.h +++ b/src/chainparamsbase.h @@ -26,13 +26,16 @@ public: ///@} const std::string& DataDir() const { return strDataDir; } - uint16_t RPCPort() const { return nRPCPort; } + uint16_t RPCPort() const { return m_rpc_port; } + uint16_t OnionServiceTargetPort() const { return m_onion_service_target_port; } CBaseChainParams() = delete; - CBaseChainParams(const std::string& data_dir, int rpc_port) : nRPCPort(rpc_port), strDataDir(data_dir) {} + CBaseChainParams(const std::string& data_dir, uint16_t rpc_port, uint16_t onion_service_target_port) + : m_rpc_port(rpc_port), m_onion_service_target_port(onion_service_target_port), strDataDir(data_dir) {} private: - uint16_t nRPCPort; + const uint16_t m_rpc_port; + const uint16_t m_onion_service_target_port; std::string strDataDir; }; diff --git a/src/init.cpp b/src/init.cpp index 00f8025e4a..fd758a1201 100644 --- a/src/init.cpp +++ b/src/init.cpp @@ -552,7 +552,7 @@ void SetupServerArgs(NodeContext& node) argsman.AddArg("-allowprivatenet", strprintf("Allow RFC1918 addresses to be relayed and connected to (default: %u)", DEFAULT_ALLOWPRIVATENET), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); argsman.AddArg("-banscore=", strprintf("Threshold for disconnecting and discouraging misbehaving peers (default: %u)", DEFAULT_BANSCORE_THRESHOLD), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); argsman.AddArg("-bantime=", strprintf("Default duration (in seconds) of manually configured bans (default: %u)", DEFAULT_MISBEHAVING_BANTIME), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); - argsman.AddArg("-bind=", "Bind to given address and always listen on it. Use [host]:port notation for IPv6", ArgsManager::ALLOW_ANY | ArgsManager::NETWORK_ONLY, OptionsCategory::CONNECTION); + argsman.AddArg("-bind=[:][=onion]", strprintf("Bind to given address and always listen on it (default: 0.0.0.0). Use [host]:port notation for IPv6. Append =onion to tag any incoming connections to that address and port as incoming Tor connections (default: 127.0.0.1:%u=onion, testnet: 127.0.0.1:%u=onion, regtest: 127.0.0.1:%u=onion)", defaultBaseParams->OnionServiceTargetPort(), testnetBaseParams->OnionServiceTargetPort(), regtestBaseParams->OnionServiceTargetPort()), ArgsManager::ALLOW_ANY | ArgsManager::NETWORK_ONLY, OptionsCategory::CONNECTION); argsman.AddArg("-connect=", "Connect only to the specified node; -noconnect disables automatic connections (the rules for this peer are the same as for -addnode). This option can be specified multiple times to connect to multiple nodes.", ArgsManager::ALLOW_ANY | ArgsManager::NETWORK_ONLY, OptionsCategory::CONNECTION); argsman.AddArg("-discover", "Discover own IP addresses (default: 1 when listening and no -externalip or -proxy)", ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); argsman.AddArg("-dns", strprintf("Allow DNS lookups for -addnode, -seednode and -connect (default: %u)", DEFAULT_NAME_LOOKUP), ArgsManager::ALLOW_ANY, OptionsCategory::CONNECTION); @@ -2480,8 +2480,6 @@ bool AppInitMain(const CoreContext& context, NodeContext& node, interfaces::Bloc } } LogPrintf("::ChainActive().Height() = %d\n", chain_active_height); - if (args.GetBoolArg("-listenonion", DEFAULT_LISTEN_ONION)) - StartTorControl(); Discover(); @@ -2506,13 +2504,39 @@ bool AppInitMain(const CoreContext& context, NodeContext& node, interfaces::Bloc connOptions.nMaxOutboundLimit = 1024 * 1024 * args.GetArg("-maxuploadtarget", DEFAULT_MAX_UPLOAD_TARGET); connOptions.m_peer_connect_timeout = peer_connect_timeout; - for (const std::string& strBind : args.GetArgs("-bind")) { - CService addrBind; - if (!Lookup(strBind, addrBind, GetListenPort(), false)) { - return InitError(ResolveErrMsg("bind", strBind)); + for (const std::string& bind_arg : args.GetArgs("-bind")) { + CService bind_addr; + const size_t index = bind_arg.rfind('='); + if (index == std::string::npos) { + if (Lookup(bind_arg, bind_addr, GetListenPort(), false)) { + connOptions.vBinds.push_back(bind_addr); + continue; + } + } else { + const std::string network_type = bind_arg.substr(index + 1); + if (network_type == "onion") { + const std::string truncated_bind_arg = bind_arg.substr(0, index); + if (Lookup(truncated_bind_arg, bind_addr, BaseParams().OnionServiceTargetPort(), false)) { + connOptions.onion_binds.push_back(bind_addr); + continue; + } + } } - connOptions.vBinds.push_back(addrBind); + return InitError(ResolveErrMsg("bind", bind_arg)); } + + if (connOptions.onion_binds.empty()) { + connOptions.onion_binds.push_back(DefaultOnionServiceTarget()); + } + + if (args.GetBoolArg("-listenonion", DEFAULT_LISTEN_ONION)) { + const auto bind_addr = connOptions.onion_binds.front(); + if (connOptions.onion_binds.size() > 1) { + InitWarning(strprintf(_("More than one onion bind address is provided. Using %s for the automatically created Tor onion service."), bind_addr.ToStringIPPort())); + } + StartTorControl(bind_addr); + } + for (const std::string& strBind : args.GetArgs("-whitebind")) { NetWhitebindPermissions whitebind; bilingual_str error; diff --git a/src/net.cpp b/src/net.cpp index 51bf6c3c0f..165d15858a 100644 --- a/src/net.cpp +++ b/src/net.cpp @@ -99,6 +99,11 @@ enum BindFlags { BF_NONE = 0, BF_EXPLICIT = (1U << 0), BF_REPORT_ERROR = (1U << 1), + /** + * Do not call AddLocal() for our special addresses, e.g., for incoming + * Tor connections, to prevent gossiping them over the network. + */ + BF_DONT_ADVERTISE = (1U << 2), }; #ifndef USE_WAKEUP_PIPE @@ -2875,9 +2880,6 @@ bool CConnman::BindListenPort(const CService& addrBind, bilingual_str& strError, vhListenSocket.push_back(ListenSocket(sock->Release(), permissions)); - if (addrBind.IsRoutable() && fDiscover && (permissions & PF_NOBAN) == 0) - AddLocal(addrBind, LOCAL_BIND); - return true; } @@ -2974,10 +2976,18 @@ bool CConnman::Bind(const CService &addr, unsigned int flags, NetPermissionFlags } return false; } + + if (addr.IsRoutable() && fDiscover && !(flags & BF_DONT_ADVERTISE) && !(permissions & PF_NOBAN)) { + AddLocal(addr, LOCAL_BIND); + } + return true; } -bool CConnman::InitBinds(const std::vector& binds, const std::vector& whiteBinds) +bool CConnman::InitBinds( + const std::vector& binds, + const std::vector& whiteBinds, + const std::vector& onion_binds) { bool fBound = false; for (const auto& addrBind : binds) { @@ -2988,11 +2998,16 @@ bool CConnman::InitBinds(const std::vector& binds, const std::vectorThreadSafeMessageBox( _("Failed to listen on any port. Use -listen=0 if you want this."), diff --git a/src/net.h b/src/net.h index 773b19b3bd..e4c323f4ac 100644 --- a/src/net.h +++ b/src/net.h @@ -178,6 +178,7 @@ public: std::vector vWhitelistedRange; std::vector vWhiteBinds; std::vector vBinds; + std::vector onion_binds; bool m_use_addrman_outgoing = true; std::vector m_specified_outgoing; std::vector m_added_nodes; @@ -496,7 +497,11 @@ private: bool BindListenPort(const CService& bindAddr, bilingual_str& strError, NetPermissionFlags permissions); bool Bind(const CService& addr, unsigned int flags, NetPermissionFlags permissions); - bool InitBinds(const std::vector& binds, const std::vector& whiteBinds); + bool InitBinds( + const std::vector& binds, + const std::vector& whiteBinds, + const std::vector& onion_binds); + void ThreadOpenAddedConnections(); void AddOneShot(const std::string& strDest); void ProcessOneShot(); diff --git a/src/torcontrol.cpp b/src/torcontrol.cpp index cfcb63d107..38c63e5af2 100644 --- a/src/torcontrol.cpp +++ b/src/torcontrol.cpp @@ -3,14 +3,17 @@ // Distributed under the MIT software license, see the accompanying // file COPYING or http://www.opensource.org/licenses/mit-license.php. -#include #include -#include -#include + +#include +#include +#include #include +#include +#include +#include #include #include -#include #include #include @@ -79,12 +82,12 @@ public: /** * Connect to a Tor control port. - * target is address of the form host:port. + * tor_control_center is address of the form host:port. * connected is the handler that is called when connection is successfully established. * disconnected is a handler that is called when the connection is broken. * Return true on success. */ - bool Connect(const std::string &target, const ConnectionCB& connected, const ConnectionCB& disconnected); + bool Connect(const std::string& tor_control_center, const ConnectionCB& connected, const ConnectionCB& disconnected); /** * Disconnect from Tor control port. @@ -191,16 +194,16 @@ void TorControlConnection::eventcb(struct bufferevent *bev, short what, void *ct } } -bool TorControlConnection::Connect(const std::string &target, const ConnectionCB& _connected, const ConnectionCB& _disconnected) +bool TorControlConnection::Connect(const std::string& tor_control_center, const ConnectionCB& _connected, const ConnectionCB& _disconnected) { if (b_conn) Disconnect(); - // Parse target address:port + // Parse tor_control_center address:port struct sockaddr_storage connect_to_addr; int connect_to_addrlen = sizeof(connect_to_addr); - if (evutil_parse_sockaddr_port(target.c_str(), + if (evutil_parse_sockaddr_port(tor_control_center.c_str(), (struct sockaddr*)&connect_to_addr, &connect_to_addrlen)<0) { - LogPrintf("tor: Error parsing socket address %s\n", target); + LogPrintf("tor: Error parsing socket address %s\n", tor_control_center); return false; } @@ -213,9 +216,9 @@ bool TorControlConnection::Connect(const std::string &target, const ConnectionCB this->connected = _connected; this->disconnected = _disconnected; - // Finally, connect to target + // Finally, connect to tor_control_center if (bufferevent_socket_connect(b_conn, (struct sockaddr*)&connect_to_addr, connect_to_addrlen) < 0) { - LogPrintf("tor: Error connecting to address %s\n", target); + LogPrintf("tor: Error connecting to address %s\n", tor_control_center); return false; } return true; @@ -408,7 +411,7 @@ static bool WriteBinaryFile(const fs::path &filename, const std::string &data) class TorController { public: - TorController(struct event_base* base, const std::string& target); + TorController(struct event_base* base, const std::string& tor_control_center, const CService& target); ~TorController(); /** Get name of file to store private key in */ @@ -418,7 +421,7 @@ public: void Reconnect(); private: struct event_base* base; - std::string target; + const std::string m_tor_control_center; TorControlConnection conn; std::string private_key; std::string service_id; @@ -426,6 +429,7 @@ private: struct event *reconnect_ev; float reconnect_timeout; CService service; + const CService m_target; /** Cookie for SAFECOOKIE auth */ std::vector cookie; /** ClientNonce for SAFECOOKIE auth */ @@ -448,18 +452,19 @@ private: static void reconnect_cb(evutil_socket_t fd, short what, void *arg); }; -TorController::TorController(struct event_base* _base, const std::string& _target): +TorController::TorController(struct event_base* _base, const std::string& tor_control_center, const CService& target): base(_base), - target(_target), conn(base), reconnect(true), reconnect_ev(0), - reconnect_timeout(RECONNECT_TIMEOUT_START) + m_tor_control_center(tor_control_center), conn(base), reconnect(true), reconnect_ev(0), + reconnect_timeout(RECONNECT_TIMEOUT_START), + m_target(target) { reconnect_ev = event_new(base, -1, 0, reconnect_cb, this); if (!reconnect_ev) LogPrintf("tor: Failed to create event for reconnection: out of memory?\n"); // Start connection attempts immediately - if (!conn.Connect(_target, std::bind(&TorController::connected_cb, this, std::placeholders::_1), + if (!conn.Connect(m_tor_control_center, std::bind(&TorController::connected_cb, this, std::placeholders::_1), std::bind(&TorController::disconnected_cb, this, std::placeholders::_1) )) { - LogPrintf("tor: Initiating connection to Tor control port %s failed\n", _target); + LogPrintf("tor: Initiating connection to Tor control port %s failed\n", m_tor_control_center); } // Read service private key if cached std::pair pkf = ReadBinaryFile(GetPrivateKeyFile()); @@ -535,7 +540,7 @@ void TorController::auth_cb(TorControlConnection& _conn, const TorControlReply& } // Request hidden service, redirect port. // Note that the 'virtual' port is always the default port to avoid decloaking nodes using other ports. - _conn.Command(strprintf("ADD_ONION %s Port=%i,127.0.0.1:%i", private_key, Params().GetDefaultPort(), GetListenPort()), + _conn.Command(strprintf("ADD_ONION %s Port=%i,%s", private_key, Params().GetDefaultPort(), m_target.ToStringIPPort()), std::bind(&TorController::add_onion_cb, this, std::placeholders::_1, std::placeholders::_2)); } else { LogPrintf("tor: Authentication failed\n"); @@ -697,7 +702,7 @@ void TorController::disconnected_cb(TorControlConnection& _conn) if (!reconnect) return; - LogPrint(BCLog::TOR, "tor: Not connected to Tor control port %s, trying to reconnect\n", target); + LogPrint(BCLog::TOR, "tor: Not connected to Tor control port %s, trying to reconnect\n", m_tor_control_center); // Single-shot timer for reconnect. Use exponential backoff. struct timeval time = MillisToTimeval(int64_t(reconnect_timeout * 1000.0)); @@ -711,9 +716,9 @@ void TorController::Reconnect() /* Try to reconnect and reestablish if we get booted - for example, Tor * may be restarting. */ - if (!conn.Connect(target, std::bind(&TorController::connected_cb, this, std::placeholders::_1), + if (!conn.Connect(m_tor_control_center, std::bind(&TorController::connected_cb, this, std::placeholders::_1), std::bind(&TorController::disconnected_cb, this, std::placeholders::_1) )) { - LogPrintf("tor: Re-initiating connection to Tor control port %s failed\n", target); + LogPrintf("tor: Re-initiating connection to Tor control port %s failed\n", m_tor_control_center); } } @@ -732,14 +737,14 @@ void TorController::reconnect_cb(evutil_socket_t fd, short what, void *arg) static struct event_base *gBase; static std::thread torControlThread; -static void TorControlThread() +static void TorControlThread(CService onion_service_target) { - TorController ctrl(gBase, gArgs.GetArg("-torcontrol", DEFAULT_TOR_CONTROL)); + TorController ctrl(gBase, gArgs.GetArg("-torcontrol", DEFAULT_TOR_CONTROL), onion_service_target); event_base_dispatch(gBase); } -void StartTorControl() +void StartTorControl(CService onion_service_target) { assert(!gBase); #ifdef WIN32 @@ -753,7 +758,9 @@ void StartTorControl() return; } - torControlThread = std::thread(std::bind(&TraceThread, "torcontrol", &TorControlThread)); + torControlThread = std::thread(&TraceThread>, "torcontrol", [onion_service_target] { + TorControlThread(onion_service_target); + }); } void InterruptTorControl() @@ -774,3 +781,10 @@ void StopTorControl() gBase = nullptr; } } + +CService DefaultOnionServiceTarget() +{ + struct in_addr onion_service_target; + onion_service_target.s_addr = htonl(INADDR_LOOPBACK); + return {onion_service_target, BaseParams().OnionServiceTargetPort()}; +} diff --git a/src/torcontrol.h b/src/torcontrol.h index 4bf3aac2f0..ad5dada39b 100644 --- a/src/torcontrol.h +++ b/src/torcontrol.h @@ -8,12 +8,17 @@ #ifndef BITCOIN_TORCONTROL_H #define BITCOIN_TORCONTROL_H +#include + +class CService; extern const std::string DEFAULT_TOR_CONTROL; static const bool DEFAULT_LISTEN_ONION = true; -void StartTorControl(); +void StartTorControl(CService onion_service_target); void InterruptTorControl(); void StopTorControl(); +CService DefaultOnionServiceTarget(); + #endif /* BITCOIN_TORCONTROL_H */