Commit Graph

24055 Commits

Author SHA1 Message Date
Mike Perry
e253a117c0 Bug 28780: Add tests
Also test circpad expiry safeguard.
2019-05-15 16:44:59 +03:00
Mike Perry
662825474c Bug 28780: Make use of purpose to keep padding circuits open.
When a circuit is marked for close, check to see if any of our padding
machines want to take ownership of it and continue padding until the machine
hits the END state.

For safety, we also ensure that machines that do not terminate are still
closed as follows: Because padding machine timers are UINT32_MAX in size, if
some sort of network event doesn't happen on a padding-only circuit within
that time, we can conclude it is deadlocked and allow
circuit_expire_old_circuits_clientside() to close it.

If too much network activity happens, then per-machine padding limits can be
used to cease padding, which will cause network cell events to cease, on the
circuit, which will cause circpad to abandon the circuit as per the above time
limit.
2019-05-15 16:44:59 +03:00
Mike Perry
d44e3e57b0 Bug 28780: Add purpose for keeping padding circuits open 2019-05-15 16:44:59 +03:00
George Kadianakis
a7779df84c Merge branch 'bug29085_rebase' 2019-05-15 15:13:08 +03:00
Mike Perry
5638d65f79 Check the token supply when we received a padding event, too.
We need to check here because otherwise we can try to schedule padding with no
tokens left upon the receipt of a padding event when our bins just became
empty.
2019-05-15 15:10:48 +03:00
Mike Perry
148c2d5bab Fix two typo bugs found by new state length test. 2019-05-15 15:10:48 +03:00
Mike Perry
e8a1f24178 Add test to explicitly check state lengths and token counts.
Our other tests tested state lengths against padding packets, and token counts
against non-padding packets. This test checks state lengths against
non-padding packets (and also padding packets too), and checks token counts
against padding packets (and also non-padding packets too).

The next three commits are needed to make this test pass (it found 3 bugs).
Yay?
2019-05-15 15:10:48 +03:00
Mike Perry
aef9be6ace Eliminate unneeded casts to circuit_t in circpad tests. 2019-05-15 15:10:48 +03:00
Mike Perry
14ec8b89f8 Bug 29085: Avoid monotime usage for rtt estimates if it is not in use. 2019-05-15 15:10:31 +03:00
Mike Perry
5c2d2b5d11 Make the relationship between mutable histograms and token removal explicit. 2019-05-15 15:09:49 +03:00
Nick Mathewson
536ba09ad1 Use reproducible RNG logic in circuitpadding tests. 2019-05-15 07:50:56 -04:00
Nick Mathewson
72e9c427b8 Testing: allow the user to pass a seed in for reproducible-RNG tests
The environment variable TOR_TEST_RNG_SEED, if provided, is a hex
value for the RNG seed.
2019-05-15 07:50:56 -04:00
Nick Mathewson
2d467544fe Use new RNG and tinytest code to simplify prob_distr tests
Since the reproducible RNG dumps its own seed, we don't need to do
it for it. Since tinytest can tell us if the test failed, we don't
need our own test_failed booleans.
2019-05-15 07:50:56 -04:00
Nick Mathewson
261d43cdd5 Make testing_disable_reproducible_rng() log seed on test failure
This should let us simplify test_prob_distr.c and other stuff in the
future.
2019-05-15 07:50:56 -04:00
Nick Mathewson
e4feb4ad01 Give tinytest a function to say whether the current test has failed 2019-05-15 07:50:56 -04:00
George Kadianakis
1de11dc47a Merge branch 'maint-0.4.0' 2019-05-15 13:46:20 +03:00
George Kadianakis
cd264e145b Merge branch 'tor-github/pr/1013' into maint-0.4.0 2019-05-15 13:45:39 +03:00
Mike Perry
57e5e940d3 Bug 29085: Minor unit test updates for refactoring.
Deliver nonpadding events instead of calling token removal functions.
2019-05-15 04:57:11 +00:00
Mike Perry
1c46790e0d Bug 29085: Refactor padding sent accounting out of callback.
This commit moves code that updates the state length and padding limit counts
out from the callback to its own function, for clarity.

It does not change functionality.
2019-05-15 04:57:11 +00:00
Mike Perry
010779176b Bug 29085: Refactor non-padding accounting out of token removal.
This commit moves the padding state limit checks and the padding rate limit
checks out of the token removal codepath, and causes all three functions to
get called from a single circpad_machine_count_nonpadding_sent() function.

It does not change functionality.
2019-05-15 04:57:11 +00:00
Nick Mathewson
370ea8d23b Merge branch 'ticket30452_035_v3' into ticket30452_041_v3 2019-05-14 19:55:51 -04:00
Nick Mathewson
0c451b31d2 Make --list-modules imply --hush 2019-05-14 19:55:35 -04:00
Nick Mathewson
1c95bdb83b Merge branch 'ticket30452_035_v3' into ticket30452_041_v3 2019-05-14 19:20:53 -04:00
Nick Mathewson
1b16fcb70c Add a --list-modules command
Closes ticket 30452.
2019-05-14 19:19:53 -04:00
Nick Mathewson
43d4119454 Merge remote-tracking branch 'tor-github/pr/1004' 2019-05-14 11:43:10 -04:00
George Kadianakis
0f4f4fdcf5 Merge branch 'tor-github/pr/1006' 2019-05-14 15:15:09 +03:00
Nick Mathewson
5d950f3edd Fix a compilation warning: function does not have to be STATIC. 2019-05-13 14:34:16 -04:00
Nick Mathewson
9ad2eb8f73 Merge branch 'bug28683_30173_29203_squashed' 2019-05-13 14:33:31 -04:00
Mike Perry
42eb02a327 Tests for bugs 28683, 30173, and 29203. 2019-05-13 14:30:35 -04:00
Mike Perry
621ea2315b Bug 29203: Provide ReducedCircuitPadding torrc and consensus params 2019-05-13 14:30:35 -04:00
Mike Perry
f4064d6ce2 Bug 28693: Provide Torrc option to disable circuit padding. 2019-05-13 14:30:35 -04:00
Nick Mathewson
c6523a6398 Merge remote-tracking branch 'tor-github/pr/998' 2019-05-13 14:25:54 -04:00
David Goulet
def96ce838 sendme: Fix coverity CID 1444999
The code flow in theory can end up with a layer_hint to be NULL but in
practice it should never happen because with an origin circuit, we must have
the layer_hint.

Just in case, BUG() on it if we ever end up in this situation and recover by
closing the circuit.

Fixes #30467.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-13 10:00:39 -04:00
David Goulet
2f44786e30 Merge branch 'tor-github/pr/976' 2019-05-13 07:34:00 -04:00
Nick Mathewson
ff55840343 Don't pass a NULL into a %s when logging client auth file load failure
Fortunately, in 0.3.5.1-alpha we improved logging for various
failure cases involved with onion service client auth.

Unfortunately, for this one, we freed the file right before logging
its name.

Fortunately, tor_free() sets its pointer to NULL, so we didn't have
a use-after-free bug.

Unfortunately, passing NULL to %s is not defined.

Fortunately, GCC 9.1.1 caught the issue!

Unfortunately, nobody has actually tried building Tor with GCC 9.1.1
before. Or if they had, they didn't report the warning.

Fixes bug 30475; bugfix on 0.3.5.1-alpha.
2019-05-10 17:47:43 -04:00
George Kadianakis
501d1ae0bd Merge branch 'tor-github/pr/973' 2019-05-10 12:49:01 +03:00
David Goulet
cbcc570ff4 hs: Remove usage of HS_INTRO_ACK_STATUS_CANT_RELAY
The INTRODUCE1 trunnel definition file doesn't support that value so it can
not be used else it leads to an assert on the intro point side if ever tried.

Fortunately, it was impossible to reach that code path.

Part of #30454

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-09 13:28:37 -04:00
David Goulet
3885e7b44b Merge branch 'tor-github/pr/1000'
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-08 08:02:28 -04:00
Neel Chauhan
3cafdeb8c0 Only call tor_addr_parse() in circuit_is_acceptable() when needed 2019-05-07 11:52:56 -04:00
David Goulet
b72f5da03d Merge branch 'tor-github/pr/994'
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-07 08:02:39 -04:00
Nick Mathewson
3c2648bbda Move "relay" and "router" periodic callbacks out of mainloop.c
(Some of these callbacks are specific to the OR module, so now it's
time to have an or_sys and or_periodic.)
2019-05-06 16:35:39 -04:00
Nick Mathewson
b394b5b2af Create a relay subsystem and move the shutdown functions there 2019-05-06 16:25:09 -04:00
David Goulet
07e4b09b5f sendme: Add FlowCtrl protover value
See proposal 289 section 4.3 for more details.

It describes the flow control protocol at the circuit and stream level. If
there is no FlowCtrl protocol version, tor supports the unauthenticated flow
control features from its supported Relay protocols.

At this commit, relay will start advertising FlowCtrl=1 meaning they support
authenticated SENDMEs v1.

Closes #30363

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-03 13:56:36 -04:00
David Goulet
2aa441b88e Merge branch 'tor-github/pr/954' 2019-05-03 13:11:03 -04:00
George Kadianakis
7f2cd6545c Hiding crypt_path_t: Hide 'crypto' usage in sendme.c 2019-05-03 18:29:51 +03:00
George Kadianakis
ea5f355fc9 Hiding crypt_path_t: Change code to use the privatization macro. 2019-05-03 18:15:26 +03:00
George Kadianakis
55d35c0caa Hiding crypt_path_t: Hiding 'crypto' using a macro. 2019-05-03 18:15:26 +03:00
George Kadianakis
2ef0324639 Revert "Hiding crypt_path_t: Ensure that ->private is initialized."
This reverts commit 7497c9193a0f2c891a0802bf5fbe73cf7ec1ca99.
2019-05-03 18:15:26 +03:00
George Kadianakis
4060b7623d Revert "Hiding crypt_path_t: Create a constructor for crypt_path_t."
This reverts commit ab8b80944967ee5a6a0c45dbf61839cf257bfe44.
2019-05-03 18:15:26 +03:00
George Kadianakis
2e9e3e7d41 Hiding crypt_path_t: Some TODO notes for future directions. 2019-05-03 18:15:26 +03:00
George Kadianakis
0ed5c6edf9 Hiding crypt_path_t: Move some more crypt_path-specific functions.
- Move test-only cpath_get_n_hops() to crypt_path.c.
- Move onion_next_hop_in_cpath() and rename to cpath_get_next_non_open_hop().

The latter function was directly accessing cpath->state, and it's a first step
at hiding ->state.
2019-05-03 18:15:26 +03:00
George Kadianakis
58fbbc1409 Hiding crypt_path_t: Rename some functions to fit the crypt_path API.
Some of these functions are now public and cpath-specific so their name should
signify the fact they are part of the cpath module:

assert_cpath_layer_ok -> cpath_assert_layer_ok
assert_cpath_ok -> cpath_assert_ok
onion_append_hop -> cpath_append_hop
circuit_init_cpath_crypto -> cpath_init_circuit_crypto
circuit_free_cpath_node -> cpath_free
onion_append_to_cpath -> cpath_extend_linked_list
2019-05-03 18:15:26 +03:00
George Kadianakis
593b7726e9 Hiding crypt_path_t: Trivial changes to satisfy check-local. 2019-05-03 18:15:26 +03:00
George Kadianakis
cd38e41620 Hiding crypt_path_t: Ensure that ->private is initialized.
Now that we are using a constructor we should be more careful that we are
always using the constructor to initialize crypt_path_t, so make sure that
->private is initialized.
2019-05-03 18:15:11 +03:00
George Kadianakis
f5635989b0 Hiding crypt_path_t: Create a constructor for crypt_path_t.
We are using an opaque pointer so the structure needs to be allocated on the
heap. This means we now need a constructor for crypt_path_t.

Also modify all places initializing a crypt_path_t to use the constructor.
2019-05-03 18:15:11 +03:00
George Kadianakis
18d61c0e6e Hiding crypt_path_t: Fixup broken unittests. 2019-05-03 18:15:11 +03:00
George Kadianakis
4bd0c4852a Hiding crypt_path_t: Move the free func in crypt_path.c.
Again everything is moved, apart from a free line using ->private.
2019-05-03 18:15:11 +03:00
George Kadianakis
5f96b7abcc Hiding crypt_path_t: Move some more init funcs in crypt_path.c.
Everything is moved, but the argument of the function is edited to access
->private->crypto.
2019-05-03 18:15:11 +03:00
George Kadianakis
0c5176d00c Hiding crypt_path_t: Start with crypt_path.crypto .
Create some functions to eventually be able to hide crypt_path_t.crypto.
2019-05-03 18:15:11 +03:00
George Kadianakis
f74a80dc3b Hiding crypt_path_t: Move init functions to crypt_path.c.
This commit only moves code.
2019-05-03 18:15:00 +03:00
George Kadianakis
9584798e57 Hiding crypt_path_t: Move assert functions in crypt_path.c.
This commit only moves code, and makes one function public.
2019-05-03 18:15:00 +03:00
George Kadianakis
c3a5e6b436 Hiding crypt_path_t: Introduce opaque crypt_path_private_t .
This will be our base for incrementally hiding crypt_path_t.
2019-05-03 18:15:00 +03:00
David Goulet
b3492d53c3 Merge branch 'tor-github/pr/984'
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-03 10:56:12 -04:00
Nick Mathewson
2b54733dc0 Bump to 0.4.0.5-dev 2019-05-02 14:32:55 -04:00
George Kadianakis
b2c2cb9287 Merge branch 'tor-github/pr/986' 2019-05-02 18:12:52 +03:00
George Kadianakis
4d461e20f7 Merge branch 'tor-github/pr/999' 2019-05-02 17:48:09 +03:00
Nick Mathewson
721e65a1d5 Add comments to include.am files to note where new sources go
This mechanism isn't perfect, and sometimes it will guess wrong,
but it will help our automation.
2019-05-02 09:37:18 -04:00
Nick Mathewson
9c3aa22740 Remove some now-needless dirauth includes 2019-05-02 09:22:13 -04:00
Nick Mathewson
a45413e7d5 Make keypin.c dirauth-only 2019-05-02 09:22:13 -04:00
Nick Mathewson
31fb4a7845 Make the bwauth.c module dirauth-only. 2019-05-02 09:22:13 -04:00
Nick Mathewson
6f42efaa59 Move voteflags.[ch] to become dirauth only.
For various reasons, this was a nontrivial movement.  There are
several places in the code where we do something like "update the
flags on this routerstatus or node if we're an authority", and at
least one where we pretended to be an authority when we weren't.
2019-05-02 09:22:13 -04:00
David Goulet
77bd219808 sendme: Improve logging messages
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-02 08:58:58 -04:00
Mike Perry
d0fb74c902 Bug 29231: Report correct padding write totals and enabled totals. 2019-05-01 21:00:26 +00:00
Nick Mathewson
4973ceb46b Merge remote-tracking branch 'tor-github/pr/950' 2019-05-01 09:11:20 -04:00
Nick Mathewson
cafb999810 bump to 0.4.0.5 2019-04-30 15:53:53 -04:00
Nick Mathewson
996f7c75ba Make the reachability.c module dirauth-only. 2019-04-30 15:00:08 -04:00
Nick Mathewson
339ac4dc67 Make the guardfraction.c module dirauth-only. 2019-04-30 15:00:08 -04:00
Nick Mathewson
857bfc7033 Make the process_descs.c module dirauth-only. 2019-04-30 15:00:07 -04:00
Nick Mathewson
aab0245924 Make the dsigs_parse.c module dirauth-only. 2019-04-30 15:00:07 -04:00
Nick Mathewson
853942b71e Make the recommend_pkg file dirauth-only. 2019-04-30 15:00:07 -04:00
Nick Mathewson
295feeb093 Replace all remaining tor_mem_is_zero() with fast_mem_is_zero() 2019-04-30 14:49:05 -04:00
Nick Mathewson
0034f10956 Use safe_mem_is_zero in a few more places.
I don't believe any of these represent a real timing vulnerability
(remote timing against memcmp() on a modern CPU is not easy), but
these are the ones where I believe we should be more careful.
2019-04-30 14:45:58 -04:00
Nick Mathewson
309467c64e Rename tor_mem_is_zero to fast_mem_is_zero()
For memeq and friends, "tor_" indicates constant-time and "fast_"
indicates optimized.  I'm fine with leaving the constant-time
"safe_mem_is_zero" with its current name, but the "tor_" prefix on
the current optimized version is misleading.

Also, make the tor_digest*_is_zero() uniformly constant-time, and
add a fast_digest*_is_zero() version to use as needed.

A later commit in this branch will fix all the users of
tor_mem_is_zero().

Closes ticket 30309.
2019-04-30 14:45:51 -04:00
Taylor Yu
68caca58a8 Clean up formatting after Coccinelle
Clean up some minor formatting quirks after the Coccinelle run.
2019-04-30 13:18:46 -05:00
Taylor Yu
983452e221 Run Coccinelle for control.c refactor 2019-04-30 13:18:46 -05:00
Taylor Yu
769eb07a7a Manually fix some control replies
Manually fix up some reply-generating code that the Coccinelle scripts
won't match.  Some more complicated ones remain -- these are mostly
ones that accumulate data to send, and then call connection_buf_add()
or connection_write_str_to_buf() directly.
2019-04-30 13:18:46 -05:00
Taylor Yu
61976a4b1c Factor out control reply output
Create a set of abstractions for controller commands and events to
output replies to the control channel.  The control protocol has a
relatively consistent SMTP-like structure, so it's helpful when code
that implements control commands and events doesn't explicitly format
everything on its own.
2019-04-30 13:18:46 -05:00
Taylor Yu
482437754a Add clarifying comments to control_proto.c
Refer to control-spec.txt grammar productions in comments in
control_proto.c for clarity.
2019-04-30 13:18:46 -05:00
Taylor Yu
8e7316bae4 Split reply formatting out of control_fmt.c
Split the core reply formatting code out of control_fmt.c into
control_proto.c.  The remaining code in control_format.c deals with
specific subsystems and will eventually move to join those subsystems.
2019-04-30 13:18:46 -05:00
Taylor Yu
965c2064da Correct file name in doxygen comment 2019-04-30 13:18:46 -05:00
George Kadianakis
847fc3280d Merge branch 'maint-0.4.0' 2019-04-30 19:26:30 +03:00
George Kadianakis
e1d4e2badb Merge branch 'tor-github/pr/978' into maint-0.4.0 2019-04-30 19:26:14 +03:00
George Kadianakis
d885ed867f Merge branch 'tor-github/pr/937' 2019-04-30 19:21:46 +03:00
George Kadianakis
9084a90b00 Merge branch 'tor-github/pr/936' 2019-04-30 19:21:15 +03:00
George Kadianakis
a44aca5453 Merge branch 'tor-github/pr/993' 2019-04-30 19:13:57 +03:00
George Kadianakis
86f8dfe419 Merge branch 'tor-github/pr/983' 2019-04-30 19:13:30 +03:00
David Goulet
43c119fedb Merge branch 'tor-github/pr/980'
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-30 11:50:36 -04:00
David Goulet
e543c4e20c Merge branch 'tor-github/pr/909'
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-30 11:17:45 -04:00
Nick Mathewson
b7cc631d23 Rename and clarify some functions for periodic events
When we tell the periodic event manager about an event, we are
"registering" that event.  The event sits around without being
usable, however, until we "connect" the event to libevent.  In the
end, we "disconnect" the event and remove its libevent parts.

Previously, we called these operations "add", "setup", and
"destroy", which led to confusion.
2019-04-30 11:14:59 -04:00
Nick Mathewson
9a62a820fb Remove now-extraneous calls to initialize_periodic_events().
This is now the responsibility of the mainloop's subsystem initializer.
2019-04-30 11:14:59 -04:00
Nick Mathewson
b5a62b1ef5 Move dirauth periodic events into dirauth module.
Closes ticket 30294.
2019-04-30 11:14:59 -04:00
Nick Mathewson
6eb1b8da0a Turn 'mainloop' into a subsystem.
We need a little refactoring for this to work, since the
initialization code for the periodic events assumes that libevent is
already initialized, which it can't be until it's configured.

This change, combined with the previous ones, lets other subsystems
declare their own periodic events, without mainloop.c having to know
about them.  Implements ticket 30293.
2019-04-30 11:14:59 -04:00
Nick Mathewson
730dddc380 Make sure that the rng is not replaced if it is already replaced. 2019-04-30 11:11:39 -04:00
Nick Mathewson
604e849d36 Make the deterministic and reproducible rng test code handle fast_rng 2019-04-30 11:11:39 -04:00
Nick Mathewson
587a525cc5 Add improved debugging support to crypto_rand_fast code. 2019-04-30 11:11:39 -04:00
Nick Mathewson
e66b5153bd Extract add-entropy code from crypto_fast_rng to a new function 2019-04-30 11:11:39 -04:00
Nick Mathewson
c6a93beed8 Use preloaded-rng code in test_hs_descriptor.c 2019-04-30 11:11:39 -04:00
Nick Mathewson
7086a9f90e Make rng mock code also cover strongest_rand. 2019-04-30 11:11:39 -04:00
Nick Mathewson
0a9fb6938d Use prefilled PRNG replacement in test_extorport
This is the last remaining place where our tests had mocked
crypto_rand.
2019-04-30 11:11:39 -04:00
Nick Mathewson
7bd34698af Use prefilled_rng in test_addr.c in place of existing code. 2019-04-30 11:11:39 -04:00
Nick Mathewson
fe173ce0bc Add a testing PRNG replacement that returns canned data. 2019-04-30 11:11:39 -04:00
Nick Mathewson
64d5ed0415 Update circuit_timeout test to use deterministic prng 2019-04-30 11:11:39 -04:00
Nick Mathewson
d3526d3f2c Update test_prob_distr to use new reproducible RNG override code 2019-04-30 11:11:39 -04:00
Nick Mathewson
11eaed66bb Add support for deterministic override of crypto_rand() in tests
We had this previously, but we did it differently in different
places. This implementation is pulled from test_prob_distr.c
2019-04-30 11:11:39 -04:00
Nick Mathewson
821dd54586 Merge branch 'bug30316_035' into bug30316_040
Fixes conflicts and also moves bandwidth-file-digest.
2019-04-29 14:34:03 -04:00
Nick Mathewson
0ab4dc7ef7 Move bandwidth-file-headers line to appear in the correct vote section
Fixes bug 30316; bugfix on 0.3.5.1-alpha.
2019-04-29 14:31:09 -04:00
David Goulet
0f2ff267c5 sendme: Do not poke at crypto.sendme_digest directly
As per review from nickm, keep as much as we can the relay_crypto_t object
opaque.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
0d8b9b56c5 sendme: Better function names
From nickm's review, improve the names of some functions.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
67c2254183 sendme: Move note_cell_digest() to relay_crypto module
Because this function is poking within the relay_crypto_t object, move the
function to the module so we can keep it opaque as much as possible.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
d084f9115d sendme: Better handle the random padding
We add random padding to every cell if there is room. This commit not only
fixes how we compute that random padding length/offset but also improves its
safety with helper functions and a unit test.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
c7385b5b14 sendme: Keep cell digest only if a SENDME is next
This way, we reduce the load by only hashing when we absolutely must.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
805c81efed sendme: Add helper to note the cell digest
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
7c8e519b34 sendme: Helper to know if next cell is a SENDME
We'll use it this in order to know when to hash the cell for the SENDME
instead of doing it at every cell.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
aef7095c3e prop289: Add documentation for the circuit FIFO list
Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
44750b0de6 prop289: Skip the first 4 unused bytes in a cell
When adding random to a cell, skip the first 4 bytes and leave them zeroed. It
has been very useful in the past for us to keep bytes like this.

Some code trickery was added to make sure we have enough room for this 4 bytes
offset when adding random.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
77d560af64 prop289: Keep the digest bytes, not the object
The digest object is as large as the entire internal digest object's state,
which is often much larger than the actual set of bytes you're transmitting.

This commit makes it that we keep the digest itself which is 20 bytes.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
4efe9d653a prop289: Move digest matching in its own function
No behavior change but code had to be refactored a bit. Also, the tor_memcmp()
was changed to tor_memneq().

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
217b553193 prop289: Rename packaged functions with better name
The circuit and stream level functions that update the package window have
been renamed to have a "_note_" in them to make their purpose more clear.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
2ec25e847e prop289: Move SENDME cell processing in a separate function
No behavior change. Only moving code and fixing part of it in order to use the
parameters passed as pointers.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
504e05b029 prop289: Use a 20 bytes digest instead of 4
To achieve such, this commit also changes the trunnel declaration to use a
union instead of a seperate object for the v1 data.

A constant is added for the digest length so we can use it within the SENDME
code giving us a single reference.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
cede93b2d8 tests: Implement unit tests for SENDME v1
Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
a6e012508e prop289: Add random bytes to the unused portion of the cell
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
402f0a4f5d prop289: Remember the last cell digest for v1 SENDMEs
In order to do so, depending on where the cell is going, we'll keep the last
cell digest that is either received inbound or sent outbound.

Then it can be used for validation.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
bb473a807a prop289: Match the SENDME digest
Now that we keep the last seen cell digests on the Exit side on the circuit
object, use that to match the SENDME v1 transforming this whole process into a
real authenticated SENDME mechanism.

Part of #26841

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
93f9fbbd34 prop289: Keep track of the last seen cell digests
This makes tor remember the last seen digest of a cell if that cell is the
last one before a SENDME on the Exit side.

Closes #26839

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
81706d8427 prop289: Support SENDME v1 cell parsing
This commit makes tor able to parse and handle a SENDME version 1. It will
look at the consensus parameter "sendme_accept_min_version" to know what is
the minimum version it should look at.

IMPORTANT: At this commit, the validation of the cell is not fully
implemented. For this, we need #26839 to be completed that is to match the
SENDME digest with the last cell digest.

Closes #26841

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
023a70da84 prop289: Support sending SENDME version 1
This code will obey the consensus parameter "sendme_emit_min_version" to know
which SENDME version it should send. For now, the default is 0 and the
parameter is not yet used in the consensus.

This commit adds the support to send version 1 SENDMEs but aren't sent on the
wire at this commit.

Closes #26840

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
eef78ac0b0 prop289: Add SENDME trunnel declaration
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
c38d46bf4a prop289: Add two consensus parameters
In order to be able to deploy the authenticated SENDMEs, these two consensus
parameters are needed to control the minimum version that we can emit and
accept.

See section 4 in prop289 for more details.

Note that at this commit, the functions that return the values aren't used so
compilation fails if warnings are set to errors.

Closes #26842

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
0e6e800c89 sendme: Always close stream if deliver window is negative
Previously, we would only close the stream when our deliver window was
negative at the circuit-level but _not_ at the stream-level when receiving a
DATA cell.

This commit adds an helper function connection_edge_end_close() which
sends an END and then mark the stream for close for a given reason.

That function is now used both in case the deliver window goes below zero for
both circuit and stream level.

Part of #26840

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
8e38791baf sendme: Add helper functions for DATA cell packaging
When we are about to send a DATA cell, we have to decrement the package window
for both the circuit and stream level.

This commit adds helper functions to handle the package window decrement.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
2d3c600915 sendme: Add helper functions for DATA cell delivery
When we get a relay DATA cell delivered, we have to decrement the deliver
window on both the circuit and stream level.

This commit adds helper functions to handle the deliver window decrement.

Part of #26840

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
9c42cc1eb2 sendme: Refactor SENDME cell processing
This is a bit of a complicated commit. It moves code but also refactors part
of it. No behavior change, the idea is to split things up so we can better
handle and understand how SENDME cells are processed where ultimately it will
be easier to handle authenticated SENDMEs (prop289) using the intermediate
functions added in this commit.

The entry point for the cell arriving at the edge (Client or Exit), is
connection_edge_process_relay_cell() for which we look if it is a circuit or
stream level SENDME. This commit refactors that part where two new functions
are introduced to process each of the SENDME types.

The sendme_process_circuit_level() has basically two code paths. If we are a
Client (the circuit is origin) or we are an Exit. Depending on which, the
package window is updated accordingly. Then finally, we resume the reading on
every edge streams on the circuit.

The sendme_process_stream_level() applies on the edge connection which will
update the package window if needed and then will try to empty the inbuf if
need be because we can now deliver more cells.

Again, no behavior change but in order to split that code properly into their
own functions and outside the relay.c file, code modification was needed.

Part of #26840.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
ed8593b9e0 sendme: Modernize and cleanup old moved code
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
e5806dcea8 sendme: Move code to the new files sendme.{c|h}
Take apart the SENDME cell specific code and put it in sendme.{c|h}. This is
part of prop289 that implements authenticated SENDMEs.

Creating those new files allow for the already huge relay.c to not grow in LOC
and makes it easier to handle and test the SENDME cells in an isolated way.

This commit only moves code. No behavior change.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:33 -04:00
Nick Mathewson
806539b40a Use fast check for missing id in node_is_a_configured_bridge()
Fixes bug 30308; bugfix on 0.3.5.1-alpha.
2019-04-26 11:19:46 -04:00
Nick Mathewson
650b94ebc1 Use a linear algorithm to subtract two nodelists.
The nodelist_idx for each node_t serves as a unique identifier for
the node, so we can use a bitarray to hold all the excluded
nodes, and then remove them from the smartlist.

Previously use used smartlist_subtract(sl, excluded), which is
O(len(sl)*len(excluded)).

We can use this function in other places too, but this is the one
that showed up on the profiles of 30291.

Closes ticket 30307.
2019-04-26 11:04:44 -04:00
Nick Mathewson
1d44ac9acd Make nodelist_get_list() return a const pointer. 2019-04-26 10:36:49 -04:00
Nick Mathewson
efeb101b96 Merge remote-tracking branch 'tor-github/pr/889' 2019-04-25 20:25:34 -04:00
Nick Mathewson
36b4fc7437 Merge remote-tracking branch 'tor-github/pr/922' 2019-04-25 20:08:39 -04:00