Commit Graph

23987 Commits

Author SHA1 Message Date
David Goulet
0f2ff267c5 sendme: Do not poke at crypto.sendme_digest directly
As per review from nickm, keep as much as we can the relay_crypto_t object
opaque.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
0d8b9b56c5 sendme: Better function names
From nickm's review, improve the names of some functions.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
67c2254183 sendme: Move note_cell_digest() to relay_crypto module
Because this function is poking within the relay_crypto_t object, move the
function to the module so we can keep it opaque as much as possible.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
d084f9115d sendme: Better handle the random padding
We add random padding to every cell if there is room. This commit not only
fixes how we compute that random padding length/offset but also improves its
safety with helper functions and a unit test.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
c7385b5b14 sendme: Keep cell digest only if a SENDME is next
This way, we reduce the load by only hashing when we absolutely must.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
805c81efed sendme: Add helper to note the cell digest
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
7c8e519b34 sendme: Helper to know if next cell is a SENDME
We'll use it this in order to know when to hash the cell for the SENDME
instead of doing it at every cell.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
aef7095c3e prop289: Add documentation for the circuit FIFO list
Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
44750b0de6 prop289: Skip the first 4 unused bytes in a cell
When adding random to a cell, skip the first 4 bytes and leave them zeroed. It
has been very useful in the past for us to keep bytes like this.

Some code trickery was added to make sure we have enough room for this 4 bytes
offset when adding random.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
77d560af64 prop289: Keep the digest bytes, not the object
The digest object is as large as the entire internal digest object's state,
which is often much larger than the actual set of bytes you're transmitting.

This commit makes it that we keep the digest itself which is 20 bytes.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
4efe9d653a prop289: Move digest matching in its own function
No behavior change but code had to be refactored a bit. Also, the tor_memcmp()
was changed to tor_memneq().

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
217b553193 prop289: Rename packaged functions with better name
The circuit and stream level functions that update the package window have
been renamed to have a "_note_" in them to make their purpose more clear.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
2ec25e847e prop289: Move SENDME cell processing in a separate function
No behavior change. Only moving code and fixing part of it in order to use the
parameters passed as pointers.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
504e05b029 prop289: Use a 20 bytes digest instead of 4
To achieve such, this commit also changes the trunnel declaration to use a
union instead of a seperate object for the v1 data.

A constant is added for the digest length so we can use it within the SENDME
code giving us a single reference.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
cede93b2d8 tests: Implement unit tests for SENDME v1
Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
a6e012508e prop289: Add random bytes to the unused portion of the cell
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
402f0a4f5d prop289: Remember the last cell digest for v1 SENDMEs
In order to do so, depending on where the cell is going, we'll keep the last
cell digest that is either received inbound or sent outbound.

Then it can be used for validation.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
bb473a807a prop289: Match the SENDME digest
Now that we keep the last seen cell digests on the Exit side on the circuit
object, use that to match the SENDME v1 transforming this whole process into a
real authenticated SENDME mechanism.

Part of #26841

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
93f9fbbd34 prop289: Keep track of the last seen cell digests
This makes tor remember the last seen digest of a cell if that cell is the
last one before a SENDME on the Exit side.

Closes #26839

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
81706d8427 prop289: Support SENDME v1 cell parsing
This commit makes tor able to parse and handle a SENDME version 1. It will
look at the consensus parameter "sendme_accept_min_version" to know what is
the minimum version it should look at.

IMPORTANT: At this commit, the validation of the cell is not fully
implemented. For this, we need #26839 to be completed that is to match the
SENDME digest with the last cell digest.

Closes #26841

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
023a70da84 prop289: Support sending SENDME version 1
This code will obey the consensus parameter "sendme_emit_min_version" to know
which SENDME version it should send. For now, the default is 0 and the
parameter is not yet used in the consensus.

This commit adds the support to send version 1 SENDMEs but aren't sent on the
wire at this commit.

Closes #26840

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
eef78ac0b0 prop289: Add SENDME trunnel declaration
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
c38d46bf4a prop289: Add two consensus parameters
In order to be able to deploy the authenticated SENDMEs, these two consensus
parameters are needed to control the minimum version that we can emit and
accept.

See section 4 in prop289 for more details.

Note that at this commit, the functions that return the values aren't used so
compilation fails if warnings are set to errors.

Closes #26842

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
0e6e800c89 sendme: Always close stream if deliver window is negative
Previously, we would only close the stream when our deliver window was
negative at the circuit-level but _not_ at the stream-level when receiving a
DATA cell.

This commit adds an helper function connection_edge_end_close() which
sends an END and then mark the stream for close for a given reason.

That function is now used both in case the deliver window goes below zero for
both circuit and stream level.

Part of #26840

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
8e38791baf sendme: Add helper functions for DATA cell packaging
When we are about to send a DATA cell, we have to decrement the package window
for both the circuit and stream level.

This commit adds helper functions to handle the package window decrement.

Part of #26288

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
2d3c600915 sendme: Add helper functions for DATA cell delivery
When we get a relay DATA cell delivered, we have to decrement the deliver
window on both the circuit and stream level.

This commit adds helper functions to handle the deliver window decrement.

Part of #26840

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
9c42cc1eb2 sendme: Refactor SENDME cell processing
This is a bit of a complicated commit. It moves code but also refactors part
of it. No behavior change, the idea is to split things up so we can better
handle and understand how SENDME cells are processed where ultimately it will
be easier to handle authenticated SENDMEs (prop289) using the intermediate
functions added in this commit.

The entry point for the cell arriving at the edge (Client or Exit), is
connection_edge_process_relay_cell() for which we look if it is a circuit or
stream level SENDME. This commit refactors that part where two new functions
are introduced to process each of the SENDME types.

The sendme_process_circuit_level() has basically two code paths. If we are a
Client (the circuit is origin) or we are an Exit. Depending on which, the
package window is updated accordingly. Then finally, we resume the reading on
every edge streams on the circuit.

The sendme_process_stream_level() applies on the edge connection which will
update the package window if needed and then will try to empty the inbuf if
need be because we can now deliver more cells.

Again, no behavior change but in order to split that code properly into their
own functions and outside the relay.c file, code modification was needed.

Part of #26840.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
ed8593b9e0 sendme: Modernize and cleanup old moved code
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:57 -04:00
David Goulet
e5806dcea8 sendme: Move code to the new files sendme.{c|h}
Take apart the SENDME cell specific code and put it in sendme.{c|h}. This is
part of prop289 that implements authenticated SENDMEs.

Creating those new files allow for the already huge relay.c to not grow in LOC
and makes it easier to handle and test the SENDME cells in an isolated way.

This commit only moves code. No behavior change.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-04-29 12:17:33 -04:00
Nick Mathewson
806539b40a Use fast check for missing id in node_is_a_configured_bridge()
Fixes bug 30308; bugfix on 0.3.5.1-alpha.
2019-04-26 11:19:46 -04:00
Nick Mathewson
650b94ebc1 Use a linear algorithm to subtract two nodelists.
The nodelist_idx for each node_t serves as a unique identifier for
the node, so we can use a bitarray to hold all the excluded
nodes, and then remove them from the smartlist.

Previously use used smartlist_subtract(sl, excluded), which is
O(len(sl)*len(excluded)).

We can use this function in other places too, but this is the one
that showed up on the profiles of 30291.

Closes ticket 30307.
2019-04-26 11:04:44 -04:00
Nick Mathewson
1d44ac9acd Make nodelist_get_list() return a const pointer. 2019-04-26 10:36:49 -04:00
Nick Mathewson
efeb101b96 Merge remote-tracking branch 'tor-github/pr/889' 2019-04-25 20:25:34 -04:00
Nick Mathewson
36b4fc7437 Merge remote-tracking branch 'tor-github/pr/922' 2019-04-25 20:08:39 -04:00
Nick Mathewson
a5cced2b7a Extract keyword argument checking from argument parsing. 2019-04-25 14:13:03 -04:00
Nick Mathewson
a0299cd240 In control command api, rename "object" to "cmddata"
This makes it match control-spec.txt.
2019-04-25 14:13:03 -04:00
Nick Mathewson
ff9ba7d6c4 expand CMD_FL_WIPE to wipe the parsed arguments too 2019-04-25 14:13:03 -04:00
Nick Mathewson
88d22b898e Simplify handler logic in control_cmd.c
Now that the legacy handlers are gone, we can simplify the
structures and macros here.
2019-04-25 14:13:03 -04:00
Nick Mathewson
ddd33d39c7 Port the authenticate and authchallenge commands to the new parser
These two presented their own challenge, because of their use of
QString, and their distinguished handling of quoted versus
non-quoted values.
2019-04-25 14:13:03 -04:00
Nick Mathewson
8799b4e805 Add rudimentary qstring support to kvline.c 2019-04-25 14:13:03 -04:00
Nick Mathewson
ba05324242 Move and rename decode_escaped_string()
This function decodes something different from the usual c-escaped
format.

It is only used in controller authorization.
2019-04-25 14:13:03 -04:00
Nick Mathewson
0c0b869ba4 Use the new controller command parser for EXTENDCIRCUIT.
This command does not fit perfectly with the others, since its
second argument is optional and may contain equal signs.  Still,
it's probably better to squeeze it into the new metaformat, since
doing so allows us to remove several pieces of the old
command-parsing machinery.
2019-04-25 14:13:03 -04:00
Nick Mathewson
95afdb005c Use new parser logic for SETCONF/RESETCONF code.
Here we get to throw away a LOT of unused code, since most of the
old parsing was redundant with kvline.
2019-04-25 14:13:03 -04:00
Nick Mathewson
d8b3ec865d Update more controller commands, now that we have kvline support 2019-04-25 14:13:03 -04:00
Nick Mathewson
dab35386ca Add a case-insensitive variant to config_line_find() 2019-04-25 14:13:03 -04:00
Nick Mathewson
9471391694 Add kvline support to controller command parser.
This should let us handle all (or nearly all) of the remaining
commands.
2019-04-25 14:13:03 -04:00
Nick Mathewson
0841a69357 Allow kvlines in control commands. 2019-04-25 14:13:03 -04:00
Nick Mathewson
bb37ad6957 Add fuzzing support for several more groups of kvlines flags 2019-04-25 14:13:03 -04:00
Nick Mathewson
73df91bbb5 kvline: handle empty alues as well as empty keys
The two options are mutually exclusive, since otherwise an entry
like "Foo" would be ambiguous.  We want to have the ability to treat
entries like this as keys, though, since some controller commands
interpret them as flags.
2019-04-25 14:13:03 -04:00
Nick Mathewson
01b07c548b Use parsing code for the simpler controller commands.
(This should be all of the command that work nicely with positional
arguments only.)

Some of these commands should probably treat extra arguments as
incorrect, but for now I'm trying to be careful not to break
any existing users.
2019-04-25 14:13:03 -04:00
Nick Mathewson
cbd1a7e053 Unit tests for current control-command parser logic 2019-04-25 14:13:03 -04:00
Nick Mathewson
dbfe1a14e4 When parsing a multiline controller command, be careful with linebreaks
The first line break in particular was mishandled: it was discarded
if no arguments came before it, which made it impossible to
distinguish arguments from the first line of the body.

To solve this, we need to allocate a copy of the command rather than
using NUL to separate it, since we might have "COMMAND\n" as our input.

Fixes ticket 29984.
2019-04-25 14:13:03 -04:00
Nick Mathewson
f18b7dc473 Extract the argument-splitting part of control.c's parser
This is preliminary work for fixing 29984; no behavior has changed.
2019-04-25 14:13:03 -04:00
Nick Mathewson
de70eebc65 Start on a command-parsing tool for controller commands.
There _is_ an underlying logic to these commands, but it isn't
wholly uniform, given years of tweaks and changes.  Fortunately I
think there is a superset that will work.

This commit adds a parser for some of the most basic cases -- the
ones currently handled by getargs_helper() and some of the
object-taking ones.  Soon will come initial tests; then I'll start using
the parser.

After that, I'll expand the parser to handle the other cases that come
up in the controller protocol.
2019-04-25 14:13:03 -04:00
Nick Mathewson
0d650e7958 Move responsibility for checking if events are setup into periodic.c
We have checks in various places in mainlook.c to make sure that
events are initialized before we invoke any periodic_foo() functions
on them.  But now that each subsystem will own its own periodic
events, it will be cleaner if we don't assume that they are all
setup or not.
2019-04-25 13:23:18 -04:00
Nick Mathewson
233835e14f Move the responsibility for listing periodic events to periodic.c
The end goal here is to move the periodic callback to their
respective modules, so that mainloop.c doesn't have to include so
many other things.

This patch doesn't actually move any of the callbacks out of
mainloop.c yet.
2019-04-25 10:09:36 -04:00
George Kadianakis
974c2674eb Merge branch 'maint-0.4.0' 2019-04-25 15:47:07 +03:00
George Kadianakis
a39789a02c Merge branch 'tor-github/pr/960' into maint-0.4.0 2019-04-25 15:46:45 +03:00
George Kadianakis
811a93f803 Merge branch 'tor-github/pr/953' 2019-04-25 15:43:47 +03:00
Alexander Færøy
0429072495 Lower log level of unlink() errors in networkstatus_set_current_consensus().
In this patch we lower the log level of the failures for the three calls
to unlink() in networkstatus_set_current_consensus(). These errors might
trigger on Windows because the memory mapped consensus file keeps the
file in open state even after we have close()'d it. Windows will then
error on the unlink() call with a "Permission denied" error.

The consequences of ignoring these errors is that we leave an unused
file around on the file-system, which is an easier way to fix this
problem right now than refactoring networkstatus_set_current_consensus().

See: https://bugs.torproject.org/29930
2019-04-25 01:59:37 +02:00
Nick Mathewson
6320b2988c Merge remote-tracking branch 'tor-github/pr/942' 2019-04-24 17:06:56 -04:00
David Goulet
f39dd0a700 Merge branch 'tor-github/pr/951' 2019-04-24 09:53:15 -04:00
David Goulet
608cf2ba8d Merge branch 'tor-github/pr/943' 2019-04-24 09:51:14 -04:00
David Goulet
5bcf87c224 Merge branch 'tor-github/pr/955' 2019-04-24 09:45:32 -04:00
David Goulet
4b599aaae4 Merge branch 'tor-github/pr/939' 2019-04-24 09:43:28 -04:00
teor
f35bd36814
test-network-all: Test IPv6-only v3 single onion services
In "make test-network-all", test IPv6-only v3 single onion services,
using the chutney network single-onion-v23-ipv6-md. This test will
not pass until 23588 has been merged.

Closes ticket 27251.
2019-04-24 17:42:59 +10:00
teor
3d89f0374a
hs_config: Allow Tor to be configured as an IPv6-only v3 single onion service
Part of #23588.
2019-04-24 17:29:18 +10:00
teor
f05e3f3c9a
test/hs: Correctly convert an IPv6 intro point to an extend_info
Part of #23588.
2019-04-24 17:29:14 +10:00
teor
abe086dd97
test/hs: Re-enable the IPv6 intro point in the HS tests
Tests 23588, partially reverts 23576.

Implements 29237.
2019-04-24 17:29:10 +10:00
Neel Chauhan
b65f8c419a
Add firewall_choose_address_ls() and hs_get_extend_info_from_lspecs() tests 2019-04-24 17:28:38 +10:00
Neel Chauhan
2618347657
Use fascist_firewall_choose_address_ls() in hs_get_extend_info_from_lspecs() 2019-04-24 17:28:34 +10:00
Neel Chauhan
da268e3b50
Add function fascist_firewall_choose_address_ls() 2019-04-24 17:28:30 +10:00
Nick Mathewson
15d4238383 Merge remote-tracking branch 'tor-github/pr/944' 2019-04-23 15:39:23 -04:00
Nick Mathewson
8bea0c2fa3 Rename outvar to follow _out convention. 2019-04-23 14:14:17 -04:00
Nick Mathewson
475ac11bc1 Merge remote-tracking branch 'tor-github/pr/935' 2019-04-23 14:11:04 -04:00
Nick Mathewson
a7599c5be2 Merge remote-tracking branch 'tor-github/pr/962' 2019-04-23 12:48:37 -04:00
Neel Chauhan
2ab19a48c2 Initialize rate_limited in hs_pick_hsdir() to false 2019-04-19 09:50:54 -04:00
Neel Chauhan
efde686aa5 Only set rate_limited in hs_pick_hsdir() if rate_limited_count or responsible_dirs_count is greater than 0 2019-04-19 09:21:20 -04:00
Neel Chauhan
144bc5026e Initialize rate_limited to false in directory_get_from_hs_dir() 2019-04-19 09:17:29 -04:00
Neel Chauhan
943559b180 Make rate_limited and is_rate_limited a bool 2019-04-19 08:33:00 -04:00
teor
231036a110
Merge branch 'maint-0.3.4' into maint-0.3.5 2019-04-19 12:00:41 +10:00
teor
742b5b32d5
Merge remote-tracking branch 'tor-github/pr/710' into maint-0.3.5 2019-04-19 11:52:48 +10:00
teor
cb084de5e5
Merge remote-tracking branch 'tor-github/pr/726' into maint-0.3.5 2019-04-19 11:51:05 +10:00
teor
2ae67fee42
Merge remote-tracking branch 'tor-github/pr/745' into maint-0.3.5 2019-04-19 11:48:41 +10:00
teor
116970dda7
Merge remote-tracking branch 'tor-github/pr/946' into maint-0.3.4 2019-04-19 11:47:10 +10:00
teor
b1762f8d12
Merge remote-tracking branch 'tor-github/pr/638' into maint-0.3.4 2019-04-19 11:44:38 +10:00
teor
8154b33f9c
Merge remote-tracking branch 'tor-github/pr/791' into maint-0.3.4 2019-04-19 11:43:46 +10:00
teor
2460b4461f
Merge remote-tracking branch 'tor-github/pr/792' into maint-0.2.9 2019-04-19 11:42:09 +10:00
teor
ec213ae8a0
Merge remote-tracking branch 'tor-github/pr/772' into maint-0.2.9 2019-04-19 11:38:52 +10:00
George Kadianakis
78223ab0fc Merge branch 'tor-github/pr/938' 2019-04-18 13:23:32 +03:00
George Kadianakis
d867b7ae1d Merge branch 'maint-0.4.0' 2019-04-18 13:22:23 +03:00
George Kadianakis
6a179b1072 Merge branch 'tor-github/pr/891' into maint-0.4.0 2019-04-18 13:21:59 +03:00
teor
c483ccf1c9
connection_edge: remove an extra ; 2019-04-17 18:43:20 +10:00
teor
728d20ed08
connection_edge: Return a web page when HTTPTunnelPort is misconfigured
Return an informative web page when the HTTPTunnelPort is used as an
HTTP proxy.

Closes ticket 27821, patch by "eighthave".
2019-04-17 17:58:40 +10:00
Mike Perry
17a164a827 Bug 30173: Rate limit padding rate limit log message.
Gotta limit to the limit when the limit is reached.
2019-04-17 02:51:48 +00:00
Mike Perry
21a4438c58 Bug 30173: Add consensus param to disable padding.
Disable padding via limit check and machine condition. Limits cause us to stop
sending padding. Machine conditions cause the machines to be shut down, and
not restarted.
2019-04-17 02:44:42 +00:00
Bernhard M. Wiedemann
8c4e68438d Do not warn about compatible OpenSSL upgrades
When releasing OpenSSL patch-level maintenance updates,
we do not want to rebuild binaries using it.
And since they guarantee ABI stability, we do not have to.

Without this patch, warning messages were produced
that confused users:
https://bugzilla.opensuse.org/show_bug.cgi?id=1129411

Fixes bug 30190; bugfix on 0.2.4.2-alpha commit 7607ad2bec

Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
2019-04-17 01:55:04 +02:00
Neel Chauhan
ada6732914 Clarify comment about IPv6Exit in policies_parse_exit_policy_from_options() 2019-04-16 08:22:17 -04:00
Neel Chauhan
06c76e79aa Clarify torrc comment for IPv6Exit 2019-04-16 08:20:48 -04:00
Neel Chauhan
e7c22e6e48 Add policy_using_default_exit_options() to determine if we're using the default exit options 2019-04-16 08:19:44 -04:00
Nick Mathewson
7b2357a37a Merge remote-tracking branch 'tor-github/pr/884' 2019-04-16 08:08:06 -04:00
Nick Mathewson
950d890f77 In warn_if_nul_found, log surrounding context.
We need to encode here instead of doing escaped(), since fwict
escaped() does not currently handle NUL bytes.

Also, use warn_if_nul_found in more cases to avoid duplication.
2019-04-15 15:33:09 -04:00
Nick Mathewson
0c42ddf28c fixup! Even more diagnostic messages for bug 28223.
Use TOR_PRIuSZ in place of %zu.
2019-04-15 15:21:18 -04:00
Nick Mathewson
82a3161c41 Document check for 30176, since it's a bit subtle. 2019-04-15 14:52:08 -04:00
Tobias Stoeckmann
670d0f9f5b Clear memory in smartlist_remove_keeporder.
The smartlist functions take great care to reset unused pointers inside
the smartlist memory to NULL.

The function smartlist_remove_keeporder does not clear memory in such
way when elements have been removed. Therefore call memset after the
for-loop that removes elements. If no element is removed, it is
effectively a no-op.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-15 14:51:36 -04:00
Tobias Stoeckmann
5a0c857996 Add test to verify that unused pointers are NULL.
The smartlist code takes great care to set all unused pointers inside
the smartlist memory to NULL. Check if this is also the case after
modifying the smartlist multiple times.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-15 14:46:26 -04:00
Nick Mathewson
3105081c2f Fix assertf() issues when ALL_BUGS_ARE_FATAL is defined.
Fix from Gisle Vanem; fixes bug 30179.  Bug not in any released
version of Tor.
2019-04-15 14:37:46 -04:00
Nick Mathewson
358df18064 Merge branch 'bug30189_035' into bug30189_041 2019-04-15 14:27:32 -04:00
Nick Mathewson
802ac8ad61 Use a tor_abort_() wrapper in our util_bug.h macros
Previously, our use of abort() would break anywhere that we didn't
include stdlib.h.  This was especially troublesome in case where
tor_assert_nonfatal() was used with ALL_BUGS_ARE_FATAL, since that
one seldom gets tested.

As an alternative, we could have just made this header include
stdlib.h.  But that seems bloaty.

Fixes bug 30189; bugfix on 0.3.4.1-alpha.
2019-04-15 14:16:23 -04:00
George Kadianakis
3f9efc5e88 Merge branch 'maint-0.4.0' 2019-04-15 13:56:48 +03:00
George Kadianakis
15591e1bbd Merge branch 'tor-github/pr/948' into maint-0.4.0 2019-04-15 13:56:37 +03:00
rl1987
55b4f02ba6 Fix shellcheck warnings in fixup_filenames.sh 2019-04-15 12:13:35 +03:00
teor
1177818c32
Merge branch 'rust-panic1-035' into rust-panic1-040 2019-04-15 10:18:59 +10:00
teor
a6d0420f7c
Merge branch 'rust-panic1-034' into rust-panic1-035
Trivial merge: a blank line was removed between 0.3.4 and 0.3.5.
2019-04-15 10:18:01 +10:00
teor
5ab5c8ec15
Merge branch 'rust-panic1' into rust-panic1-034 2019-04-15 10:15:02 +10:00
Neel Chauhan
cc87acf29b Remove unused get_options() 2019-04-14 14:51:42 -04:00
Neel Chauhan
03464a9165 Update torrc.sample.in to IPv6Exit 1 being an exit by default 2019-04-14 12:48:07 -04:00
Neel Chauhan
5cad9fb477 Become an exit relay if IPv6Exit is 1 2019-04-14 12:48:07 -04:00
Nick Mathewson
88dc7bc171 Add an assertion to test_hs_cache.c to appease coverity.
Coverity doesn't like to see a path where we test a pointer for
NULL if we have already ready dereferenced the pointer on that
path.  While in this case, the check is not needed, it's best not to
remove checks from the unit tests IMO.  Instead, I'm adding an
earlier check, so that coverity, when analyzing this function, will
think that we have always checked the pointer before dereferencing
it.

Closes ticket 30180; CID 1444641.
2019-04-14 11:31:50 -04:00
rl1987
4fa4fe0945 Fix remaining shellcheck warnings in fuzz_multi.sh 2019-04-12 22:41:39 +03:00
rl1987
1ee991ed4b Add shebang line to fuzz_multi.sh (fixes SC2148) 2019-04-12 22:38:06 +03:00
Nick Mathewson
e9ca904dbf Define two more commands as wipe-after-parse. 2019-04-12 08:33:27 -04:00
Nick Mathewson
f3bd0240a6 Add assertions for correct input to handle_control_command. 2019-04-12 08:33:27 -04:00
Nick Mathewson
d1f5957c4e Improve handling of controller commands
Use a table-based lookup to find the right command handler.  This
will serve as the basement for several future improvements, as we
improve the API for parsing commands.
2019-04-12 08:33:27 -04:00
George Kadianakis
7b386f2356 Merge branch 'tor-github/pr/908' 2019-04-12 13:47:08 +03:00
George Kadianakis
86aa141572 Merge branch 'tor-github/pr/754' 2019-04-12 13:45:53 +03:00
teor
ebbc2c3d8f
crypt_ops: Stop using a separate buffer in ed25519_signature_from_base64()
Part of 29960.
2019-04-12 13:00:02 +10:00
Neel Chauhan
398c736230 Remove unused variable in fmt_serverstatus.c 2019-04-11 22:11:27 -04:00
Neel Chauhan
994b8ba424 Update networkstatus_getinfo_by_purpose() comment 2019-04-11 21:36:38 -04:00
Neel Chauhan
14d7008045 Stop setting routers as running in list_server_status_v1() 2019-04-11 21:30:48 -04:00
Neel Chauhan
c07d854772 Remove callback for setting bridges as running 2019-04-11 21:28:35 -04:00
Neel Chauhan
4172dcaa62 Move code for setting bridges as running to voteflags.c 2019-04-11 20:44:30 -04:00
Neel Chauhan
30279a7c57 Use authdir_mode_bridge() in set_bridge_running_callback() 2019-04-11 20:28:11 -04:00
Neel Chauhan
aa9940ed21 Make SET_BRIDGES_RUNNING_INTERVAL 5 minutes 2019-04-11 20:24:08 -04:00
Nick Mathewson
cdafcc49bc Fix a memory leak in tor-resolve.c
Closes bug 30151/coverity CID 1441830. Bugfix on 0.4.0.1-alpha when
we started doing trunnel parsing in tor-resolve.c.
2019-04-11 19:10:05 -04:00
Nick Mathewson
48a574604b Remove an extraneous _ from __COVERITY__
We had a typo in this check, so that coverity wasn't taking the
right path.

Bug not in any released Tor.
2019-04-11 18:56:02 -04:00
Nick Mathewson
66b07e7ec1 Add an assertion to num_ntors_per_tap().
This should please coverity, and fix CID 1415721.  It didn't
understand that networkstatus_get_param() always returns a value
between its minimum and maximum values.
2019-04-11 18:44:10 -04:00
Nick Mathewson
96e310911f Add an assertion to compute_weighted_bandwidths()
This should please coverity, and fix CID 1415722.  It didn't
understand that networkstatus_get_param() always returns a value
between its minimum and maximum values.
2019-04-11 18:41:38 -04:00
Nick Mathewson
55690d05bd Add an assertion to pathbias_get_scale_ratio()
This should please coverity, and fix CID 1415723.  It didn't understand
that networkstatus_get_param() always returns a value between its
minimum and maximum values.
2019-04-11 18:38:59 -04:00
Nick Mathewson
85ff6f9114 Fix a memory leak on failure to create keys directory.
Fixes bug 30148, which is also CID 1437429 and CID 1437454. Bugfix
on 0.3.3.1-alpha, when separate key directories became a thing.
2019-04-11 18:18:14 -04:00
Nick Mathewson
781d69f3a7 Make it clear to coverity we aren't leaking in protover_all_supported()
The logic here should be "use versions or free it".  The "free it"
part was previously in a kind of obfuscated place, so coverity
wasn't sure it was invoked as appropriate.  CID 1437436.
2019-04-11 17:51:11 -04:00
Nick Mathewson
4e3d144fb0 Don't leak on logic error in string_is_valid_nonrfc_hostname()
This is CID 1437438.  No backport needed: this is unreachable, and
guarded with a BUG() check.
2019-04-11 17:40:05 -04:00
Nick Mathewson
7c98105d56 On failure to create extend info for an introduction point, don't leak.
This is CID 1438152.  No backport needed: this path is already
inside a BUG() guard.
2019-04-11 17:35:19 -04:00
Nick Mathewson
40471d73e5 bump to 0.4.0.4-rc-dev 2019-04-11 17:05:38 -04:00
Neel Chauhan
011307dd5f Make repeated/rate limited HSFETCH queries fail with QUERY_RATE_LIMITED 2019-04-11 15:21:17 -04:00
Nick Mathewson
9fabf104ed Merge remote-tracking branch 'tor-github/pr/913' 2019-04-11 14:30:05 -04:00
Nick Mathewson
d549440124 Merge remote-tracking branch 'tor-github/pr/887' 2019-04-11 14:29:16 -04:00
Nick Mathewson
f8dc935fb7 Merge remote-tracking branch 'tor-github/pr/741' 2019-04-11 14:27:06 -04:00
Nick Mathewson
b2fc57426c Bump version to 0.4.0.4-rc 2019-04-10 11:51:49 -04:00
Nick Mathewson
3be1e26b8d Merge branch 'maint-0.4.0' 2019-04-10 11:31:44 -04:00
Nick Mathewson
412bcc5b2a Merge remote-tracking branch 'tor-github/pr/926' into maint-0.4.0 2019-04-10 11:31:33 -04:00
Tobias Stoeckmann
9ce0bdd226 Prevent double free on huge files with 32 bit.
The function compat_getdelim_ is used for tor_getline if tor is compiled
on a system that lacks getline and getdelim. These systems should be
very rare, considering that getdelim is POSIX.

If this system is further a 32 bit architecture, it is possible to
trigger a double free with huge files.

If bufsiz has been already increased to 2 GB, the next chunk would
be 4 GB in size, which wraps around to 0 due to 32 bit limitations.

A realloc(*buf, 0) could be imagined as "free(*buf); return malloc(0);"
which therefore could return NULL. The code in question considers
that an error, but will keep the value of *buf pointing to already
freed memory.

The caller of tor_getline() would free the pointer again, therefore
leading to a double free.

This code can only be triggered in dirserv_read_measured_bandwidths
with a huge measured bandwith list file on a system that actually
allows to reach 2 GB of space through realloc.

It is not possible to trigger this on Linux with glibc or other major
*BSD systems even on unit tests, because these systems cannot reach
so much memory due to memory fragmentation.

This patch is effectively based on the penetration test report of
cure53 for curl available at https://cure53.de/pentest-report_curl.pdf
and explained under section "CRL-01-007 Double-free in aprintf() via
unsafe size_t multiplication (Medium)".
2019-04-10 12:46:27 +03:00
teor
a1d9f44971
Merge branch 'maint-0.4.0' 2019-04-10 18:27:11 +10:00
teor
454bdb22ee
Merge remote-tracking branch 'tor-github/pr/920' into maint-0.4.0 2019-04-10 18:26:49 +10:00
teor
ce9b101574
bwauth: update measured bandwidth file comments
We forgot to update function header comments and code comments when we
made changes in 0.3.5.1-alpha and later.

Closes 30112.
2019-04-10 15:57:54 +10:00
Nick Mathewson
c28cdcc9bf Merge branch 'maint-0.4.0' 2019-04-09 13:51:44 -04:00
Nick Mathewson
ffdca3dd14 Merge branch 'bug29922_035' into maint-0.4.0 2019-04-09 13:49:58 -04:00
Nick Mathewson
9f3f99938e Actually I believe this should be an EINVAL. 2019-04-09 13:49:10 -04:00
Tobias Stoeckmann
a628e36024 Check return value of buf_move_to_buf for error.
If the concatenation of connection buffer and the buffer of linked
connection exceeds INT_MAX bytes, then buf_move_to_buf returns -1 as an
error value.

This value is currently casted to size_t (variable n_read) and will
erroneously lead to an increasement of variable "max_to_read".

This in turn can be used to call connection_buf_read_from_socket to
store more data inside the buffer than expected and clogging the
connection buffer.

If the linked connection buffer was able to overflow INT_MAX, the call
of buf_move_to_buf would have previously internally triggered an integer
overflow, corrupting the state of the connection buffer.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-09 12:05:22 -04:00
Tobias Stoeckmann
5a6ab3e7db Protect buffers against INT_MAX datalen overflows.
Many buffer functions have a hard limit of INT_MAX for datalen, but
this limitation is not enforced in all functions:

- buf_move_all may exceed that limit with too many chunks
- buf_move_to_buf exceeds that limit with invalid buf_flushlen argument
- buf_new_with_data may exceed that limit (unit tests only)

This patch adds some annotations in some buf_pos_t functions to
guarantee that no out of boundary access could occur even if another
function lacks safe guards against datalen overflows.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-04-09 12:05:14 -04:00
George Kadianakis
16041d7918 Merge branch 'maint-0.4.0' 2019-04-09 12:25:18 +03:00
George Kadianakis
c7cf49dc3c Merge branch 'tor-github/pr/915' into maint-0.4.0 2019-04-09 12:24:52 +03:00
teor
3d45079c27
Merge branch 'maint-0.4.0' 2019-04-09 11:36:59 +10:00
teor
e4692fad96
Merge remote-tracking branch 'tor-github/pr/866' 2019-04-09 11:36:38 +10:00
teor
92e8bdf296
Merge remote-tracking branch 'tor-github/pr/892' into maint-0.4.0 2019-04-09 11:35:41 +10:00
Nick Mathewson
a63bd87760 Detect and suppress an additional gmtime() warning in test_util.c
Fixes bug 29922; bugfix on 0.2.9.3-alpha when we tried to capture
all these warnings.  No need to backport any farther than 0.3.5,
though -- these warnings don't cause test failures before then.

This one was tricky to find because apparently it only happened on
_some_ windows builds.
2019-04-08 17:02:14 -04:00
rl1987
0e0a0b9802 Fix SC2006 in minimize.sh 2019-04-08 11:16:45 +03:00
teor
4cffc7fe9c
Merge branch 'maint-0.4.0' 2019-04-06 12:23:25 +10:00
teor
b100c9e980
Merge remote-tracking branch 'tor-github/pr/911' into maint-0.4.0 2019-04-06 12:15:41 +10:00
Nick Mathewson
5cb94cbf9d
NSS: disable TLS1.2 SHA-384 ciphersuites.
In current NSS versions, these ciphersuites don't work with
SSL_ExportKeyingMaterial(), which was causing relays to fail when
they tried to negotiate the v3 link protocol authentication.

Fixes bug 29241; bugfix on 0.4.0.1-alpha.
2019-04-06 11:06:34 +10:00
Nick Mathewson
680fd3f8fb
NSS: Log an error message when SSL_ExportKeyingMaterial() fails
Diagnostic for 29241.
2019-04-06 11:06:22 +10:00
teor
48e990359b
Merge branch 'maint-0.2.9' into maint-0.3.4 2019-04-06 09:33:11 +10:00
George Kadianakis
df4e2c42a8 Merge branch 'tor-github/pr/907' 2019-04-05 16:45:55 +03:00
George Kadianakis
071a000d67 Merge branch 'tor-github/pr/906' into maint-0.4.0 2019-04-05 16:44:59 +03:00
George Kadianakis
3393c8d510 Merge branch 'maint-0.4.0' 2019-04-05 14:53:39 +03:00
George Kadianakis
217db9efe1 Merge branch 'tor-github/pr/902' into maint-0.4.0 2019-04-05 14:53:33 +03:00
George Kadianakis
b371ea5b0e Merge branch 'tor-github/pr/761' 2019-04-05 14:52:36 +03:00
George Kadianakis
574c207670 Merge branch 'maint-0.4.0' 2019-04-05 14:51:33 +03:00
George Kadianakis
747b74c182 Merge branch 'tor-github/pr/800' into maint-0.4.0 2019-04-05 14:51:21 +03:00
teor
c616f45776 binascii: Fix the base64_encode_nopad() buffer length requirement
Comment-only change.

Part of 29660.
2019-04-05 15:17:19 +10:00
teor
5e2cba8eb4 crypto_format: Stop adding padding in ed25519_signature_from_base64()
base64_decode() does not require padding.

Part of 29660.
2019-04-05 15:17:19 +10:00
teor
ce5e38642d crypto_format: Remove the return value from ed25519_signature_to_base64()
Also remove all checks for the return value, which were redundant anyway,
because the function never failed.

Part of 29660.
2019-04-05 15:17:19 +10:00
teor
e3124fef54 crypto_format: Remove the return value from curve25519_public_to_base64()
And fix the documentation on the function: it does produce trailing
"="s as padding.

Also remove all checks for the return value, which were redundant anyway,
because the function never failed.

Part of 29660.
2019-04-05 15:17:19 +10:00
teor
7d513a5d55 crypto_format: Remove the return values from digest256_to_base64()
... and ed25519_public_to_base64(). Also remove all checks for the return
values, which were redundant anyway, because the functions never failed.

Part of 29960.
2019-04-05 15:17:19 +10:00
teor
abaed046a6 crypto_format: Remove unused return value from digest_to_base64()
Part of 29660.
2019-04-05 15:17:19 +10:00
teor
0d136a12bb crypto_format: Remove outdated comments
(These functions look pretty unified to me.)

Part of 29660.
2019-04-05 15:17:08 +10:00
teor
e992c5e4bc
Merge branch 'bug29500_040_monoinit_revert' into bug29500_master_monoinit
Apply data structure changes between 0.4.0 and 0.4.1.
2019-04-05 12:24:20 +10:00
teor
593b33608d
Revert "test/circuitpadding: Delete circuitpadding_circuitsetup_machine()"
This reverts commit 387d9448de.
2019-04-05 12:22:18 +10:00
teor
da678213e0
circuitpadding: comment fixes 2019-04-05 12:17:21 +10:00
teor
387d9448de
test/circuitpadding: Delete circuitpadding_circuitsetup_machine()
This test was disabled in 0.4.0 and later, but the fix in #29298 was only
merged to 0.4.1. So this test will never be re-enabled in 0.4.0.

Part of 29500.
2019-04-05 12:17:10 +10:00
Mike Perry
b733044f7a
Bug #29500: Fix monotime mocking in circpad unittests.
Our monotime mocking forces us to call monotime_init() *before* we set the
mocked time value. monotime_init() thus stores the first ratchet value at
whatever the platform is at, and then we set fake mocked time to some later
value.

If monotime_init() gets a value from the host that is greater than what we
choose to mock time at for our unittests, all subsequent monotime_abosolute()
calls return zero, which breaks all unittests that depend on time moving
forward by updating mocked monotime values.

So, we need to adjust our mocked time to take the weird monotime_init() time
into account, when we set fake time.
2019-04-05 12:15:55 +10:00
Mike Perry
b027b06dbb
Bug 29500: Start monotime at 1000 nsec.
Hopefully this will stop monotime_absolute_usec() from returning 0 on some
platforms in the tests.
2019-04-05 12:14:11 +10:00
Mike Perry
1f48c6cd83
Bug 29500: Attempt to fix the tokens test.
Cancel the padding timer by changing order of sent vs recv (sent cancels).
2019-04-05 12:13:19 +10:00
Nick Mathewson
1779878f9e Merge remote-tracking branch 'tor-github/pr/752' 2019-04-04 20:39:36 -04:00
Nick Mathewson
0e7b34354a Merge branch 'maint-0.4.0' 2019-04-04 20:27:04 -04:00
Nick Mathewson
d016bbaa7d Merge branch 'bug29959_040_squashed' into maint-0.4.0 2019-04-04 20:26:47 -04:00
teor
8e961b2174 bwauth: Actually include the bandwidth-file-digest in authority votes
Fixes bug 29959; bugfix on 0.4.0.2-alpha.
2019-04-04 20:26:09 -04:00
Nick Mathewson
76912bf140 Use an enum for inherit_result_out. 2019-04-04 12:56:52 -04:00
Nick Mathewson
8c06f02c94 Syntax fix in test. 2019-04-04 12:56:52 -04:00
Nick Mathewson
027c536598 rename inherit values to avoid conflict with system defines 2019-04-04 12:56:52 -04:00