38662 Commits

Author SHA1 Message Date
Mike Perry
31a3efa60b Changes file for 40569 2023-06-22 23:12:34 +00:00
Mike Perry
796e65e487 Bug 40569: Reduce accepted range for negotiated cc_sendme_inc 2023-06-22 23:12:34 +00:00
David Goulet
633355a88e Merge branch 'maint-0.4.7' 2023-06-21 10:21:42 -04:00
David Goulet
d60fab8c9e gitignore: Add .cache used by clangd LSP
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-21 10:21:28 -04:00
David Goulet
3f7923538b Merge branch 'bug40808' into 'main'
Bug40808

See merge request tpo/core/tor!723
2023-06-20 16:51:36 +00:00
Mike Perry
ba2e0bcc49 Changes file for bug40808 2023-06-20 16:30:55 +00:00
Mike Perry
27a0fee882 Bug 40808: Change KISTSchedRunInterval range and default; add KISTSchedRunIntervalClient 2023-06-20 16:29:48 +00:00
David Goulet
846bad3a96 scripts: Update git scripts with new gitlab canonical repository
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-19 14:33:12 -04:00
David Goulet
8286d88ed0 Merge branch 'ticket40773' into 'main'
Fix compilation error on older gcc versions and MSVC.

See merge request tpo/core/tor!717
2023-06-19 18:32:44 +00:00
David Goulet
3cb6a690be Merge branch 'maint-0.4.7' 2023-06-19 08:09:45 -04:00
David Goulet
94f4d0968b Change git.tpo URLs to gitlab.tpo
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-19 08:09:39 -04:00
David Goulet
623a55764b Use the new Stem repository on Gitlab
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-19 08:09:24 -04:00
David Goulet
7a83aa4f50 Merge branch 'tor-gitlab/mr/722' 2023-06-15 13:23:36 -04:00
David Goulet
cdb270d55e Change git.tpo URLs to gitlab.tpo
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-15 13:00:11 -04:00
Mike Perry
17037f8732 Changes file for Bug 40811 2023-06-15 16:14:56 +00:00
Mike Perry
44cd704636 Bug 40811: Count conflux leg launch attempts early.
Also, double check that the consensus has enough overall exits before
attempting conflux set launch.
2023-06-15 16:13:34 +00:00
David Goulet
44368a727a Merge branch 'tor-gitlab/mr/721' 2023-06-14 09:45:27 -04:00
Mike Perry
7ffda7512d Changes file for bug40810 2023-06-13 18:18:54 +00:00
Mike Perry
5d63842e86 Bug 40810: Avoid using 0 RTT legs 2023-06-13 18:18:46 +00:00
Mike Perry
dbd37c0e7b Bug 40810: Improve validation checks to ignore 0-RTT legs
Also add calls to dump the legs of a conflux set if we have too many
2023-06-13 18:18:07 +00:00
David Goulet
d5306e107f Merge branch 'tor-gitlab/mr/715' 2023-06-13 13:03:11 -04:00
Mike Perry
0149c1ff98 Bug 40801: Add changes file 2023-06-09 16:29:10 +00:00
Mike Perry
6a513e2ff5 Bug 40801: Do not change read state of marked conns 2023-06-09 16:29:10 +00:00
Mike Perry
da50d21c42 Bug 40801: Send LINKED_ACK before attaching streams
Otherwise, the BEGIN cell arrives at the exit before it has an RTT,
and then it does not know which circuit to prefer in response.
2023-06-09 16:29:10 +00:00
Mike Perry
ff59e2f490 Add BUG() macro to marked edge reads
This will give us a full stacktrace.
2023-06-09 16:24:03 +00:00
Mike Perry
176f0929bb Add conflux logs to diagnose cases where RTTs are absent/zero. 2023-06-09 16:24:03 +00:00
Neel Chauhan
a91315f931 Fix the spacing in the 'Your Tor identity key fingerprint is' log line 2023-06-07 10:02:33 -07:00
Mike Perry
03d63bc7bd Add a conflux helper to log conflux sets. 2023-06-06 15:15:20 +00:00
Micah Elizabeth Scott
cfbf74352f More fixes for compile-time warnings in equix and hashx
This addresses issue #40800 and a couple other problems I noticed while
trying to reproduce that one.

The original issue is just a missing cast to void* on the args of
__builtin___clear_cache(), and clang is picky about the implicit cast
between what it considers to be char of different signedness. Original
report is from MacOS but it's also reproducible on other clang targets.

The cmake-based original build system for equix and hashx was a handy
way to run tests, but it suffered from some warnings due to incorrect
application of include_directories().

And lastly, there were some return codes from hashx_exec() that get
ignored on equix when asserts are disabled. It bugged me too much to
just silence this with a (void) cast, since even though this is in the
realm of low-likelihood programming errors and not true runtime errors, I
don't want to make it easy for the hashx_exec() wrappers to return
values that are dangerously wrong if an error is ignored. I made sure
that even if asserts are disabled, we return values that will cause the
solver and verifier to both fail to validate a potential solution.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-06-05 11:45:33 -07:00
Gabriela Moldovan
45ee8a10e2 Fix compilation error on older gcc versions and MSVC.
This fixes an "initializer is not a constant" compilation error that manifests
itself on gcc versions < 8.1 and MSVC (see
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69960#c18).

Fixes bug #40773

Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
2023-06-05 15:03:39 +01:00
Tor CI Release
d4f4fb6088 version: Bump version to 0.4.8.1-alpha-dev 2023-06-01 12:16:06 -04:00
Tor CI Release
e30fdc14b2 version: Bump version to 0.4.8.1-alpha 2023-06-01 10:27:31 -04:00
Tor CI Release
8b46d1c6ca release: ChangeLog for 0.4.8.1-alpha 2023-06-01 10:26:46 -04:00
Tor CI Release
5e2f6d5433 fallbackdir: Update list generated on June 01, 2023 2023-06-01 09:47:36 -04:00
Tor CI Release
c2c6c7a5e6 Update geoip files to match ipfire location db, 2023/06/01. 2023-06-01 09:47:22 -04:00
David Goulet
2697723cf1 scripts: Use latest geoip database instead of using location
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-01 09:32:11 -04:00
David Goulet
7f5355826b test: Really fix the mem leak from prior commit
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-01 09:07:43 -04:00
David Goulet
faff592c3b test: Fix a mem leak reported by Coverity
Here is the report:

  *** CID 1531835:  Resource leaks  (RESOURCE_LEAK)
  /src/test/test_crypto_slow.c: 683 in test_crypto_equix()
  677
  678           /* Solve phase: Make sure the test vector matches */
  679           memset(&output, 0xa5, sizeof output);
  680           equix_result result;
  681           result = equix_solve(solve_ctx, challenge_literal,
  682                                challenge_len, &output);
  >>>     CID 1531835:  Resource leaks  (RESOURCE_LEAK)
  >>>     Variable "solve_ctx" going out of scope leaks the storage it points to.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-01 08:35:08 -04:00
David Goulet
97008526db Merge branch 'maint-0.4.7' 2023-05-31 14:32:07 -04:00
David Goulet
066da91521 changes: Add file for MR 714
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-05-31 14:31:59 -04:00
David Goulet
d77f1e7aea Merge branch 'tor-gitlab/mr/714' into maint-0.4.7 2023-05-31 14:28:44 -04:00
Micah Elizabeth Scott
3036bedf30 Update CI builds to Debian Bullseye, fix associated compatibility bugs
This is a change intended for 0.4.7 maintenance as well as main.

The CI builds use Debian Buster which is now end of life, and I was
experiencing inconsistent CI failures with accessing its security update
server. I wanted to update CI to a distro that isn't EOL, and Bullseye
is the current stable release of Debian.

This opened up a small can of worms that this commit also deals with.
In particular there's a docker engine bug that we work around by
removing the docker-specific apt cleanup script if it exists, and
there's a new incompatibility between tracing and sandbox support.

The tracing/sandbox incompatibility itself had two parts:

  - The membarrier() syscall is used to deliver inter-processor
    synchronization events, and the external "userspace-rcu"
    data structure library would make assumptions that if membarrier
    is available at initialization it always will be. This caused
    segfaults in some cases when running trace + sandbox. Resolved this
    by allowing membarrier entirely, in the sandbox.

  - userspace-rcu also assumes it can block signals, and fails
    hard if this can't be done. We already include a similar carveout
    to allow this in the sandbox for fragile-hardening, so I extended
    that to cover tracing as well.

Addresses issue #40799

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-31 11:08:27 -07:00
David Goulet
925201c946 Merge branch 'tor-gitlab/mr/713' 2023-05-31 09:07:45 -04:00
orbea
9850dc59c0 tls: Disable a warning with LibreSSL >= 3.8.0
Skip a warning using EC_GFp_nist_method() which was removed in LibreSSL
3.8.

Based on a patch from OpenBSD.

33fe251a08

These functions are deprecated since OpenSSL 3.0.

https://www.openssl.org/docs/man3.1/man3/EC_GFp_nist_method.html
2023-05-29 13:00:32 -07:00
Micah Elizabeth Scott
415c0354b2 hs_pow: Add CompiledProofOfWorkHash torrc option
This exposes the new fallback behavior in hashx via a new AUTOBOOL
configuration option, available to both clients and services. The
default should be fine for nearly everyone, but it might be necessary
to enable or disable the compiler manually for diagnostic purposes.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:03 -07:00
Micah Elizabeth Scott
a397a92be2 hs_pow: Update for equix API to fix issue 40794
This change adapts the hs_pow layer and unit tests to API changes
in hashx and equix which modify the fault recovery responsibilities
and reporting behavior.

This and the corresponding implementation changes in hashx and equix
form the fix for #40794, both solving the segfault and giving hashx a
way to report those failures up the call chain without them being
mistaken for a different error (unusable seed) that would warrant a
retry.

To handle these new late compiler failures with a minimum of fuss or
inefficiency, the failover is delegated to the internals of hashx and
tor needs only pass in an EQUIX_CTX_TRY_COMPILE flag to get the behavior
that tor was previously responsible for implementing.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:02 -07:00
Micah Elizabeth Scott
a3513dea54 equix: API changes for new result codes and hashx compatibility
This change adapts Equi-X to the corresponding HashX API changes that
added HASHX_TRY_COMPILE. The new regularized HashX return codes are
reflected by revised corresponding Equi-X return codes.

Both solve and verify operations now return an error/success code, and a
new equix_solutions_buffer struct includes both the solution buffer
and information about the solution count and hashx implementation.

With this change, it's possible to discern between hash construction
failures (invalid seed) and some external error like an mprotect()
failure.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:02 -07:00
Micah Elizabeth Scott
5a4f92ea7b hashx: API changes to allow recovery from late compile failures
This is an API breaking change to hashx, which modifies the error
handling strategy. The main goal here is to allow unproblematic
recovery from hashx_compile failures.

hashx_alloc can no longer fail for reasons other than memory
allocation. All platform-specific compile failures are now reported via
hashx_make(), in order to both allow later failure and avoid requiring
users of the API to maintain and test multiple failure paths.

Note that late failures may be more common in actual use than early
failures. Early failures represent architectures other than x86_64 and
aarch64. Late failures could represent a number of system configurations
where syscalls are restricted.

The definition of a hashx context no longer tries to overlay storage for
the different types of program, and instead allows one context to always
contain an interpretable description of the program as well as an optional
buffer for compiled code.

The hashx_type enum is now used to mean either a specific type of hash
function or a type of hashx context. You can allocate a context for use
only with interpreted or compiled functions, or you can use
HASHX_TRY_COMPILE to prefer the compiler with an automatic fallback on
the interpreter. After calling hashx_make(), the new hashx_query_type()
can be used if needed to determine which implementation was actually
chosen.

The error return types have been overhauled so that everyone uses the
hashx_result enum, and seed failures vs compile failures are always
clearly distinguishable.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:02 -07:00
Micah Elizabeth Scott
6fd5ca4914 hashx: allow hashx_compile to fail, avoid segfault without changing API
This is a minimal portion of the fix for tor issue #40794, in which
hashx segfaults due to denial of mprotect() syscalls at runtime.

Prior to this fix, hashx makes the assumption that if the JIT is
supported on the current architecture, it will also be usable at
runtime. This isn't true if mprotect fails on linux, which it may for
various reasons: the tor built-in sandbox, the shadow simulator, or
external security software that implements a syscall filter.

The necessary error propagation was missing internally in hashx,
causing us to obliviously call into code which was never made
executable. With this fix, hashx_make() will instead fail by returning
zero.

A proper fix will require API changes so that callers can discern
between different types of failures. Zero already means that a program
couldn't be constructed, which requires a different response: choosing a
different seed, vs switching implementations. Callers would also benefit
from a way to use one context (with its already-built program) to
run in either compiled or interpreted mode.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 19:54:50 -07:00
Micah Elizabeth Scott
941613c663 hashx: minor, another logical operator change
The code style in equix and hashx sometimes uses bitwise operators
in place of logical ones in cases where it doesn't really matter
either way. This sometimes annoys our static analyzer tools.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 19:54:50 -07:00