Commit Graph

7220 Commits

Author SHA1 Message Date
Nick Mathewson
76582442a8 Handle failing cases of DH allocation 2011-01-25 18:09:38 -05:00
Mike Perry
9e7691b05c Comment remaining CBT functions.
Left circuit_build_times_get_bw_scale() uncommented because it is in the wrong
place due to an improper bug2317 fix. It needs to be moved and renamed, as it
is not a cbt parameter.
2011-01-25 17:52:01 -05:00
Mike Perry
7b24b8e375 Fix authority side of 2203.
Do not add Exit bandwidth to E if BadExit is set.
2011-01-25 17:49:02 -05:00
Mike Perry
ec2ab3800f Fix client side of 2203: Do not count BadExits as Exits. 2011-01-25 17:49:02 -05:00
Mike Perry
8b4a91c2b7 Fix bug #2004 by demoting a log message.
To quote arma: "So instead of stopping your CBT from screaming, you're just
going to throw it in the closet and hope you can't hear it?"

Yep. The log message can happen because at 95% point on the curve, we can be
way beyond the max timeout we've seen, if the curve has few points and is
shallow.

Also applied Nick's rule of thumb for rewriting some other notice log messages
to read like how you would explain them to a raving lunatic on #tor who was
shouting at you demanding what they meant. Hopefully the changes live up to
that standard.
2011-01-25 17:35:39 -05:00
Nick Mathewson
71862ed763 Fix bug in verifying directory signatures with short digests
If we got a signed digest that was shorter than the required digest
length, but longer than 20 bytes, we would accept it as long
enough.... and then immediately fail when we want to check it.

Fixes bug 2409; bug in 0.2.2.20-alpha; found by piebeer.
2011-01-25 17:15:22 -05:00
Sebastian Hahn
7a446e6754 Tell which geoip file we're parsing 2011-01-25 15:54:51 -05:00
Nick Mathewson
89ee779f92 Add a torrc option to report log domains 2011-01-25 15:53:15 -05:00
Sebastian Hahn
68f8ca357f Fix assert for relay/bridge state change
When we added support for separate client tls certs on bridges in
a2bb0bfdd5 we forgot to correctly initialize this when changing
from relay to bridge or vice versa while Tor is running. Fix that
by always initializing keys when the state changes.

Fixes bug 2433.
2011-01-25 14:13:06 -05:00
Nick Mathewson
a1073ee956 Simplest fix to bug2402: do not include SVN versions
When we stopped using svn, 0.2.1.x lost the ability to notice its svn
revision and report it in the version number.  However, it kept
looking at the micro-revision.i file... so if you switched to master,
built tor, then switched to 0.2.1.x, you'd get a micro-revision.i file
from master reported as an SVN tag.  This patch takes out the "include
the svn tag" logic entirely.

Bugfix on 0.2.1.15-rc; fixes bug 2402.
2011-01-25 14:08:13 -05:00
Nick Mathewson
5ed73e3807 Make the DH parameter we use for TLS match the one from Apache's mod_ssl
Our regular DH parameters that we use for circuit and rendezvous
crypto are unchanged.  This is yet another small step on the path of
protocol fingerprinting resistance.
2011-01-24 16:50:11 -05:00
Nick Mathewson
13e9a2b19d Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 2011-01-20 15:00:24 -05:00
Nick Mathewson
1471e57743 Merge remote branch 'rransom/policy_summarize-assert' into maint-0.2.1 2011-01-20 14:59:23 -05:00
Robert Ransom
43414eb988 Fix bounds-checking in policy_summarize
Found by piebeer.
2011-01-20 11:17:57 -08:00
Nick Mathewson
a793f1f6f2 Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 2011-01-19 13:25:38 -05:00
Nick Mathewson
c8f94eed12 Oops; actually add the code to the last patch. :/ 2011-01-19 13:25:17 -05:00
Roger Dingledine
7699014e1e Merge commit 'sebastian/bug2317' into maint-0.2.2 2011-01-15 21:54:49 -05:00
Nick Mathewson
a7790d48af Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 2011-01-15 14:15:19 -05:00
Nick Mathewson
ef6fa07e48 Fix a couple of non-cleared key issues in hidden services
we need to do more hunting, but this fixes the ones mentioned in 2385.
2011-01-15 14:10:54 -05:00
Sebastian Hahn
0df51a7f39 Tighten accepted circwindow parameters
Based on discussion in bug 2317, these values seem to be sane.
2011-01-15 19:42:17 +01:00
Sebastian Hahn
b06617c948 Provide constant limits for all consensus params
This addresses Nick's concern about doing non-constant bounds checking
inside networkstatus_get_param().
2011-01-15 19:42:17 +01:00
Sebastian Hahn
026e7987ad Sanity-check consensus param values
We need to make sure that the worst thing that a weird consensus param
can do to us is to break our Tor (and only if the other Tors are
reliably broken in the same way) so that the majority of directory
authorities can't pull any attacks that are worse than the DoS that
they can trigger by simply shutting down.

One of these worse things was the cbtnummodes parameter, which could
lead to heap corruption on some systems if the value was sufficiently
large.

This commit fixes this particular issue and also introduces sanity
checking for all consensus parameters.
2011-01-15 19:42:17 +01:00
Sebastian Hahn
ca6c813612 Make get_net_param_from_list() static
This prepares for making the accessor method for consensus parameters
safer in the next commit.
2011-01-15 19:42:17 +01:00
Nick Mathewson
1393985768 Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2
Conflicts:
	src/or/routerparse.c
	src/or/test.c
2011-01-15 13:25:13 -05:00
Nick Mathewson
b97b0efec8 Merge branch 'bug2352_obsize' into maint-0.2.1 2011-01-15 13:15:06 -05:00
Nick Mathewson
9d133464c8 Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 2011-01-15 13:10:14 -05:00
Nick Mathewson
31b562e10a Add missing check for hostname answer_len in dnsserv size
This is checked elsewhere too, but let's be RFC-conformant.
2011-01-15 13:09:12 -05:00
Nick Mathewson
ed87738ede Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2
Conflicts:
	src/or/config.c
	src/or/networkstatus.c
	src/or/rendcommon.c
	src/or/routerparse.c
	src/or/test.c
2011-01-15 12:02:55 -05:00
Nick Mathewson
115782bdbe Fix a heap overflow found by debuger, and make it harder to make that mistake again
Our public key functions assumed that they were always writing into a
large enough buffer.  In one case, they weren't.

(Incorporates fixes from sebastian)
2011-01-15 11:49:25 -05:00
Nick Mathewson
a16902b9d4 Always nul-terminate the result passed to evdns_server_add_ptr_reply
In dnsserv_resolved(), we carefully made a nul-terminated copy of the
answer in a PTR RESOLVED cell... then never used that nul-terminated
copy.  Ouch.

Surprisingly this one isn't as huge a security problem as it could be.
The only place where the input to dnsserv_resolved wasn't necessarily
nul-terminated was when it was called indirectly from relay.c with the
contents of a relay cell's payload.  If the end of the payload was
filled with junk, eventdns.c would take the strdup() of the name [This
part is bad; we might crash there if the cell is in a bad part of the
stack or the heap] and get a name of at least length
495[*]. eventdns.c then rejects any name of length over 255, so the
bogus data would be neither transmitted nor altered.

  [*] If the name was less than 495 bytes long, the client wouldn't
     actually be reading off the end of the cell.

Nonetheless this is a reasonably annoying bug.  Better fix it.

Found while looking at bug 2332, reported by doorss.  Bugfix on
0.2.0.1-alpha.
2011-01-15 11:49:25 -05:00
Nick Mathewson
1f3b442023 catch another overlong malloc possibility. found by cypherpunks 2011-01-15 10:42:11 -05:00
Nick Mathewson
b27f5cc50d Fix another instance of "128" in buffers.c. More bug2330. 2011-01-15 10:25:58 -05:00
Nick Mathewson
43e12a7988 Merge remote branch 'public/bug2363' into maint-0.2.2 2011-01-12 14:00:20 -05:00
Nick Mathewson
597433bcec Merge branch 'bug2346' into maint-0.2.2 2011-01-12 12:37:51 -05:00
Nick Mathewson
5044cb9752 Explain bug2346 fix better based on suggestions from arma 2011-01-12 12:37:42 -05:00
Nick Mathewson
aa45e82593 Pull up more data when parsing socks messages
Previously, we only looked at up to 128 bytes.  This is a bad idea
since socks messages can be at least 256+x bytes long.  Now we look at
up to 512 bytes; this should be enough for 0.2.2.x to handle all valid
SOCKS messages.  For 0.2.3.x, we can think about handling trickier
cases.

Fixes 2330.  Bugfix on 0.2.0.16-alpha.
2011-01-10 17:24:16 -05:00
Nick Mathewson
95968a625e Wait 60 minutes before retrying failed state save; bug2346 2011-01-10 16:51:11 -05:00
Nick Mathewson
6a829a3404 Make eventdns server functions const void* to match libevent
partial fix for bug 2332
2011-01-10 16:00:48 -05:00
Nick Mathewson
80253ba4d7 fix some spelling in rephist comments 2011-01-10 15:13:07 -05:00
Nick Mathewson
105b94b75b Add Maxima lists to bandwidth state.
Right now, Tor routers don't save the maxima values from the
bw_history_t between sessions.  That's no good, since we use those
values to determine bandwidth.  This code adds a new BWHist.*Maximum
set of values to the state file.  If they're not present, we estimate
them by taking the observed total bandwidth and dividing it by the
period length, which provides a lower bound.

This should fix bug 1863.  I'm calling it a feature.
2011-01-10 14:47:39 -05:00
Nick Mathewson
28844c8403 On bwhist state load failure, clear dir_read/write hist too 2011-01-10 13:15:51 -05:00
Nick Mathewson
7e1502c0d1 Fix bug when parsing bwhist with unexpected Interval
Previously, our state parsing code would fail to parse a bwhist
correctly if the Interval was anything other than the default
hardcoded 15 minutes.  This change makes the parsing less incorrect,
though the resulting history array might get strange values in it if
the intervals don't match the one we're using.  (That is, if stuff was
generated in 15 minute intervals, and we read it into an array that
expects 30 minute intervals, we're fine, since values can be combined
pairwise.  But if we generate data at 30 minute intervals and read it
into 15 minute intervals, alternating buckets will be empty.)

Bugfix on 0.1.1.11-alpha.
2011-01-10 13:06:50 -05:00
Nick Mathewson
8dd4ecd14e Turn the loop bodies of rep_hist_save/load_state into functions
The trick of looping from i=0..4 , switching on i to set up some
variables, then running some common code is much better expressed by
just calling a function 4 times with 4 sets of arguments.  This should
make the code a little easier to follow and maintain here.
2011-01-10 12:59:07 -05:00
Nick Mathewson
373a1bc40e Impose maximum sizes on parsed objects
An object, you'll recall, is something between -----BEGIN----- and
-----END----- tags in a directory document.  Some of our code, as
doorss has noted in bug 2352, could assert if one of these ever
overflowed SIZE_T_CEILING but not INT_MAX.  As a solution, I'm setting
a maximum size on a single object such that neither of these limits
will ever be hit.  I'm also fixing the INT_MAX checks, just to be sure.
2011-01-10 12:12:11 -05:00
Nick Mathewson
729f404efe Add logic in routerparse to not read overlong private keys
I am not at all sure that it is possible to trigger a bug here,
but better safe than sorry.
2011-01-10 12:07:34 -05:00
Nick Mathewson
efc9a84108 Add missing parens to evdns_base_resolve_* macros while I am at it 2011-01-09 19:05:06 -05:00
Nick Mathewson
68d5b6bc52 Fix check for failed evdns request creation
When using libevent 2, we use evdns_base_resolve_*().  When not, we
fake evdns_base_resolve_*() using evdns_resolve_*().

Our old check was looking for negative values (like libevent 2
returns), but our eventdns.c code returns 1.  This code makes the
check just test for nonzero.

Note that this broken check was not for _resolve_ failures or even for
failures to _launch_ a resolve: it was for failures to _create_ or
_encode_ a resolve request.

Bug introduced in 81eee0ecfff3dac1e9438719d2f7dc0ba7e84a71; found by
lodger; uploaded to trac by rransom.  Bug 2363.  Fix on 0.2.2.6-alpha.
2011-01-09 19:02:57 -05:00
Nick Mathewson
54135b72f8 Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 2011-01-07 22:04:40 -05:00
Nick Mathewson
045e6ebd31 Remove a loud info log message 2011-01-07 22:03:22 -05:00
Nick Mathewson
0a35ac6a22 Correctly detect and exclude addresses outside of our virtual address range
Found by cypherpunks; fixes more of 2328.  Bug was introduced in 3623a122;
first appeared in 0.2.0.5-alpha.
2011-01-07 12:24:36 -05:00
Nick Mathewson
d6329eda96 Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 2011-01-06 13:37:39 -05:00
Nick Mathewson
d6b49c55c5 Merge branch 'bug2328_021' into maint-0.2.1 2011-01-06 13:36:29 -05:00
Nick Mathewson
2008728df7 Notice a little faster if we're running out of virtual addresses
We were not decrementing "available" every time we did
++next_virtual_addr in addressmap_get_virtual_address: we left out the
--available when we skipped .00 and .255 addresses.

This didn't actually cause a bug in most cases, since the failure mode
was to keep looping around the virtual addresses until we found one,
or until available hit zero.  It could have given you an infinite loop
rather than a useful message, however, if you said "VirtualAddrNetwork
127.0.0.255/32" or something broken like that.

Spotted by cypherpunks
2011-01-06 13:29:36 -05:00
Nick Mathewson
eabddd8ca0 Handle a NULL return from addressmap_get_virtual_address
Fix for bug 2328; bugfix on 0.1.2.1-alpha; bug found by doorss.
2011-01-05 16:36:48 -05:00
Nick Mathewson
31d6659d97 Fix a double-counting bug in addrmap_get_virtual_address
We were decrementing "available" twice for each in-use address we ran
across.  This would make us declare that we ran out of virtual
addresses when the address space was only half full.
2011-01-05 16:02:43 -05:00
Nick Mathewson
bb5f99d4df Merge remote branch 'sebastian/bug2314' into maint-0.2.2 2011-01-03 12:47:14 -05:00
Nick Mathewson
40ef9087cf Fix a function formatting warning in rephist.c 2011-01-03 11:59:47 -05:00
Nick Mathewson
66039d9843 Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2
Conflicts:
	src/or/routerparse.c
2011-01-03 11:58:59 -05:00
Nick Mathewson
989db9aed1 fix whitespace issues 2011-01-03 11:57:42 -05:00
Nick Mathewson
30b3475e6d Bump copyright statements to 2011 (0.2.2) 2011-01-03 11:52:09 -05:00
Nick Mathewson
f1de329e78 Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2
Conflicts:
	src/common/test.h
	src/or/test.c
2011-01-03 11:51:17 -05:00
Nick Mathewson
1a07348a50 Bump copyright statements to 2011 2011-01-03 11:50:39 -05:00
Sebastian Hahn
59a3d536d8 Fix compile without warnings on OS X 10.6 2010-12-27 11:37:16 +01:00
Sebastian Hahn
9ecf133686 Fix compile wanrings revealed by gcc 4.5 on mingw 2010-12-27 09:47:41 +01:00
Nick Mathewson
e895919b17 Merge remote branch 'public/bug2060' into maint-0.2.2 2010-12-21 15:53:03 -05:00
Nick Mathewson
cdbd6d0fe8 Merge remote branch 'rransom/bug2190_the_hard_way' into maint-0.2.2 2010-12-21 15:48:14 -05:00
Roger Dingledine
c63c937465 Merge commit 'nickm/fix_security_bug_022' into maint-0.2.2 2010-12-16 17:24:11 -05:00
Roger Dingledine
975ffe4398 Merge commit 'nickm/fix_security_bug_021' into maint-0.2.1 2010-12-16 16:59:12 -05:00
Nick Mathewson
591f65dde6 Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 2010-12-16 10:05:07 -05:00
Karsten Loesing
3c3b1d14fd Change gabelmoo's IP address and ports. 2010-12-16 13:28:30 +01:00
Nick Mathewson
b5e293afe6 Merge remote branch fix_security_bug_021 into fix_security_bug_022
Conflicts:
	src/common/memarea.c
	src/or/or.h
	src/or/rendclient.c
2010-12-15 22:48:23 -05:00
Nick Mathewson
b8a7bad799 Make payloads into uint8_t.
This will avoid some signed/unsigned assignment-related bugs.
2010-12-15 22:31:11 -05:00
Nick Mathewson
f924fbf19f Merge branch 'bug2081_followup_022' into maint-0.2.2 2010-12-07 11:35:49 -05:00
Nick Mathewson
5efe6f04c6 Reject relay versions older than 0.2.0.26-rc
This was the first version to cache the correct directory information.

Fixes bug 2156.
2010-12-07 11:35:32 -05:00
Nick Mathewson
dc2f10bd81 Fix a bug in calculating wakeup time on 64-bit machines.
If you had TIME_MAX > INT_MAX, and your "time_to_exhaust_bw =
accountingmax/expected_bandwidth_usage * 60" calculation managed to
overflow INT_MAX, then your time_to_consider value could underflow and
wind up being rediculously low or high.  "Low" was no problem;
negative values got caught by the (time_to_consider <= 0) check.
"High", however, would get you a wakeup time somewhere in the distant
future.

The fix is to check for time_to_exhaust_bw overflowing INT_MAX, not
TIME_MAX: We don't allow any accounting interval longer than a month,
so if time_to_exhaust_bw is significantly larger than 31*24*60*60, we
can just clip it.

This is a bugfix on 0.0.9pre6, when accounting was first introduced.
It fixes bug 2146, unless there are other causes there too.  The fix
is from boboper.  (I tweaked it slightly by removing an assignment
that boboper marked as dead, and lowering a variable that no longer
needed to be function-scoped.)
2010-12-06 12:01:32 -05:00
Nick Mathewson
feffbce814 Add a missing ! to directory_fetches_from_authorities
The old logic would have us fetch from authorities if we were refusing
unknown exits and our exit policy was reject*.  Instead, we want to
fetch from authorities if we're refusing unknown exits and our exit
policy is _NOT_ reject*.

Fixed by boboper.  Fixes more of 2097.  Bugfix on 0.2.2.16-alpha.
2010-12-06 11:36:01 -05:00
Nick Mathewson
c0f1517d87 Don't crash when accountingmax is set in non-server Tors
We use a hash of the identity key to seed a prng to tell when an
accounting period should end.  But thanks to the bug998 changes,
clients no longer have server-identity keys to use as a long-term seed
in accounting calculations.  In any case, their identity keys (as used
in TLS) were never never fixed.  So we can just set the wakeup time
from a random seed instead there.  Still open is whether everybody
should be random.

This patch fixes bug 2235, which was introduced in 0.2.2.18-alpha.

Diagnosed with help from boboper on irc.
2010-12-03 13:37:13 -05:00
Nick Mathewson
ee8f451bf1 Fix a harmless off-by-one error in counting controller argument lengths
Bugfix on 0.1.1.1-alpha; found by boboper.
2010-12-02 13:19:21 -05:00
Nick Mathewson
25b0fd8868 Revise comment on 2210 a little; clean up n_streams/num_streams confusion
Also add a changes file
2010-11-29 16:07:27 -05:00
Nick Mathewson
89e97bdf94 Add wrappers function for libc random()
On windows, it's called something different.
2010-11-29 16:00:47 -05:00
Nick Mathewson
0eafe23ff3 Fix whitespace in patch for 2210 and backport to 0.2.2 2010-11-29 16:00:43 -05:00
Mashael AlSabah
12fa6e23cb Improve fairness when activating streams in circuit_resume_edge_reading_helper
The reason the "streams problem" occurs is due to the complicated
interaction between Tor's congestion control and libevent. At some point
during the experiment, the circuit window is exhausted, which blocks all
edge streams. When a circuit level sendme is received at Exit, it
resumes edge reading by looping over linked list of edge streams, and
calling connection_start_reading() to inform libevent to resume reading.
When the streams are activated again, Tor gets the chance to service the
first three streams activated before the circuit window is exhausted
again, which causes all streams to be blocked again. As an experiment,
we reversed the order in which the streams are activated, and indeed the
first three streams, rather than the last three, got service, while the
others starved.

 Our solution is to change the order in which streams are activated. We
choose a random edge connection from the linked list, and then we
activate streams starting from that chosen stream. When we reach the end
of the list, then we continue from the head of the list until our chosen
stream (treating the linked list as a circular linked list). It would
probably be better to actually remember which streams have received
service recently, but this way is simple and effective.
2010-11-29 15:34:21 -05:00
Nick Mathewson
a5174b092e Merge branch 'exitstats' into maint-0.2.2 2010-11-29 15:28:22 -05:00
Nick Mathewson
a8a8e08220 comment karsten's bug2196 patch a little 2010-11-29 15:27:54 -05:00
Robert Ransom
de75afc556 Avoid dereferencing NULL if a bridge fails to build an ei descriptor.
Reported by an anonymous commenter on Trac.
2010-11-24 13:18:11 -08:00
Karsten Loesing
4fed43ab2e Report only the top 10 ports in exit-port stats. 2010-11-24 08:45:05 +01:00
Nick Mathewson
ff014eb5ea Use S_CASE for ehostunreach, not E_CASE. Partial backport of 69deb22f. Fixes 0.2.1 compilation on windows 2010-11-23 12:47:21 -05:00
Nick Mathewson
12f3186719 Disable DirPort when BridgeRelay is set 2010-11-22 13:12:48 -05:00
Nick Mathewson
5a9903b9e0 Handle negative run lengths in wfu/mtbf calculations 2010-11-22 12:39:22 -05:00
Nick Mathewson
bea0a31c1c Treat routers whose IPs have changed as having been down for MTBF/routerinfo
calculation purposes.
2010-11-22 12:32:29 -05:00
Nick Mathewson
80357abb11 Remove an incorrect comment in connection_or_check_valid_tls_handshake 2010-11-22 11:36:22 -05:00
Nick Mathewson
2af14b671d Have authorities reject routers running verions susceptible to bug 1038. 2010-11-22 11:16:36 -05:00
Nick Mathewson
d166d18643 Better fix for 2190: defer libevent->controller messages instead of dropping 2010-11-19 22:52:32 -05:00
Nick Mathewson
54551f3148 Merge branch 'fix2183', remote branch 'rransom/fix2195-v2' into maint-0.2.2 2010-11-19 16:48:13 -05:00
Robert Ransom
69472ca421 Fix logic error in router_dump_router_to_string.
Spotted by Nick Mathewson.
2010-11-19 13:23:45 -08:00
Nick Mathewson
e88486bc9d Add comments to some of the bug2183 fix code 2010-11-19 16:13:11 -05:00
Robert Ransom
780b8f4287 Generate a router descriptor even if generating an extra-info descriptor fails.
Fixes bug #2195.
2010-11-17 08:33:48 -08:00
Robert Ransom
213bcb3c40 Do not emit an extra-info-digest descriptor line if the digest is zero. 2010-11-17 08:32:17 -08:00
Karsten Loesing
0f1afaf595 Tweak the bugfix for 2183 a bit more. 2010-11-17 10:43:14 +01:00
Roger Dingledine
a08a7e0fc6 warn more about AllowSingleHopExits 2010-11-16 00:13:25 -05:00
Roger Dingledine
a641646a98 Merge commit 'nickm/1776_redux_v1' into maint-0.2.2 2010-11-15 23:29:09 -05:00
Nick Mathewson
45b500d5a6 Clean up my 1776 fix a bit
Sebastian notes (and I think correctly) that one of our ||s should
have been an &&, which simplifies a boolean expression to decide
whether to replace bridges.  I'm also refactoring out the negation at
the start of the expression, to make it more readable.
2010-11-15 19:43:53 -05:00
Nick Mathewson
cbad9f4520 Move controller event for socks warning into log_unsafe_socks_warning 2010-11-15 15:41:21 -05:00
Nick Mathewson
522c204ac9 Merge branch 'bug2000_nm_022' into maint-0.2.2 2010-11-15 15:31:40 -05:00
Nick Mathewson
433a98131a Merge remote branch 'sebastian/manpagefixups' into maint-0.2.2 2010-11-15 14:07:00 -05:00
Sebastian Hahn
da3a6e724f Rate-limit unsafe socks warning
Pick 5 seconds as the limit. 5 seconds is a compromise here between
making sure the user notices that the bad behaviour is (still) happening
and not spamming their log too much needlessly (the log message is
pretty long). We also keep warning every time if safesocks is
specified, because then the user presumably wants to hear about every
blocked instance.

(This is based on the original patch by Sebastian, then backported to
0.2.2 and with warnings split into their own function.)
2010-11-15 13:57:37 -05:00
Karsten Loesing
ff1cf35442 Don't use log_err for non-criticial warnings. 2010-11-15 13:39:53 +01:00
Karsten Loesing
cec21652a7 Try harder not to exceed the 50 KB extra-info descriptor limit.
Our checks that we don't exceed the 50 KB size limit of extra-info
descriptors apparently failed. This patch fixes these checks and reserves
another 250 bytes for appending the signature. Fixes bug 2183.
2010-11-15 12:51:51 +01:00
Nick Mathewson
2392290c18 Fix a remaining bug in Robert's bug1859 fix.
When intro->extend_info is created for an introduction point, it
only starts out with a nickname, not necessarily an identity digest.
Thus, doing router_get_by_digest isn't necessarily safe.
2010-11-12 19:52:27 -05:00
Robert Hogan
7488fe5a22 Issues with router_get_by_nickname()
https://trac.torproject.org/projects/tor/ticket/1859

Use router_get_by_digest() instead of router_get_by_hexdigest()
in circuit_discard_optional_exit_enclaves() and
rend_client_get_random_intro(), per Nick's comments.

Using router_get_by_digest() in rend_client_get_random_intro() will
break hidden services published by Tor versions pre 0.1.2.18 and
0.2.07-alpha as they only publish by nickname. This is acceptable
however as these versions only publish to authority tor26 and
don't work for versions in the 0.2.2.x series anyway.
2010-11-12 19:51:06 -05:00
Robert Hogan
e1d86d3817 Issues with router_get_by_nickname()
https://trac.torproject.org/projects/tor/ticket/1859

There are two problems in this bug:

1. When an OP makes a .exit request specifying itself as the exit, and the exit
   is not yet listed, Tor gets all the routerinfos needed for the circuit but
   discovers in circuit_is_acceptable() that its own routerinfo is not in the
   routerdigest list and cannot be used. Tor then gets locked in a cycle of
   repeating these two steps. When gathering the routerinfos for a circuit,
   specifically when the exit has been chosen by .exit notation, Tor needs to
   apply the same rules it uses later on when deciding if it can build a
   circuit with those routerinfos.

2. A different bug arises in the above situation when the Tor instance's
   routerinfo *is* listed in the routerlist, it shares its nickname with a
   number of other Tor nodes, and it does not have 'Named' rights to its
   nickname.
   So for example, if (i) there are five nodes named Bob in the network, (ii) I
   am running one of them but am flagged as 'Unnamed' because someone else
   claimed the 'Bob' nickname first, and (iii) I run my Tor as both client
   and exit the following can happen to me:
     - I go to www.evil.com
     - I click on a link www.evil.com.bob.exit
     - My request will exit through my own Tor node rather than the 'Named'
       node Bob or any of the others.
     - www.evil.com now knows I am actually browsing from the same computer
       that is running my 'Bob' node

So to solve both issues we need to ensure:

- When fulfilling a .exit request we only choose a routerinfo if it exists in
  the routerlist, even when that routerinfo is ours.
- When getting a router by nickname we only return our own router information
  if it is not going to be used for building a circuit.

We ensure this by removing the special treatment afforded our own router in
router_get_by_nickname(). This means the function will only return the
routerinfo of our own router if it is in the routerlist built from authority
info and has a unique nickname or is bound to a non-unique nickname.

There are some uses of router_get_by_nickname() where we are looking for the
router by name because of a configuration directive, specifically local
declaration of NodeFamilies and EntryNodes and other routers' declaration of
MyFamily. In these cases it is not at first clear if we need to continue
returning our own routerinfo even if our router is not listed and/or has a
non-unique nickname with the Unnamed flag.

The patch treats each of these cases as follows:

Other Routers' Declaration of MyFamily
 This happens in routerlist_add_family(). If another router declares our router
 in its family and our router has the Unnamed flag or is not in the routerlist
 yet, should we take advantage of the fact that we know our own routerinfo to
 add us in anyway? This patch says 'no, treat our own router just like any
 other'. This is a safe choice because it ensures our client has the same view
 of the network as other clients. We also have no good way of knowing if our
 router is Named or not independently of the authorities, so we have to rely on
 them in this.

Local declaration of NodeFamilies
 Again, we have no way of knowing if the declaration 'NodeFamilies
 Bob,Alice,Ringo' refers to our router Bob or the Named router Bob, so we have
to defer to the authorities and treat our own router like any other.

Local declaration of NodeFamilies
 Again, same as above. There's also no good reason we would want our client to
 choose it's own router as an entry guard if it does not meet the requirements
 expected of any other router on the network.

In order to reduce the possibility of error, the patch also replaces two
instances where we were using router_get_by_nickname() with calls to
router_get_by_hexdigest() where the identity digest of the router
is available.
2010-11-12 19:51:06 -05:00
Nick Mathewson
dbba84c917 Avoid perma-blocking the controller on bug in shrink_freelist
In all likelihood, this bug would make Tor assert, but if it doesn't,
let's not have two bugs.
2010-11-12 13:05:58 -05:00
Robert Ransom
a421e284d0 Disable logging to control port connections in buf_shrink_freelists.
If buf_shrink_freelists calls log_warn for some reason, we don't want the log
call itself to throw buf_shrink_freelists further off the rails.
2010-11-12 03:07:09 -08:00
Robert Ransom
81affe1949 Move the original log_info call out of the core of buf_shrink_freelists.
Sending a log message to a control port can cause Tor to allocate a buffer,
thereby changing the length of the freelist behind buf_shrink_freelists's back,
thereby causing an assertion to fail.

Fixes bug #1125.
2010-11-12 03:04:07 -08:00
Robert Ransom
6a0657d4bb Disable logging to control port connections in buf_shrink_freelists.
If buf_shrink_freelists calls log_warn for some reason, we don't want the log
call itself to throw buf_shrink_freelists further off the rails.
2010-11-12 02:34:58 -08:00
Robert Ransom
6d2e02d79b Move the original log_info call out of the core of buf_shrink_freelists.
Sending a log message to a control port can cause Tor to allocate a buffer,
thereby changing the length of the freelist behind buf_shrink_freelists's back,
thereby causing an assertion to fail.

Fixes bug #1125.
2010-11-12 02:34:51 -08:00
Roger Dingledine
362bb5c625 Merge branch 'maint-0.2.1' into maint-0.2.2 2010-11-11 12:12:17 -05:00
Roger Dingledine
0a38358210 let unpublished bridges learn their ip address too 2010-11-11 11:26:42 -05:00
Nick Mathewson
a4bf5b51e9 Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 2010-11-10 16:06:43 -05:00
Nick Mathewson
2a50dd9359 Enforce multiplicity rules when parsing annotations.
We would never actually enforce multiplicity rules when parsing
annotations, since the counts array never got entries added to it for
annotations in the token list that got added by earlier calls to
tokenize_string.

Found by piebeer.
2010-11-10 16:02:02 -05:00
Nick Mathewson
089137f011 Fix a bug where seting allow_annotations==0 only ignores annotations, but does not block them 2010-11-10 16:02:02 -05:00
Nick Mathewson
accc51b68c Bulletproof the routerlist manipulation functions to handle reinserting the same descriptor 2010-11-10 14:55:00 -05:00
Sebastian Hahn
5040c855d1 Break NoPublish support 2010-11-10 15:48:26 +01:00
Sebastian Hahn
556a1b9e45 Change Natd into NATD in our options.
Breaking this out of the last commit because this might be more
controversial.
2010-11-10 15:48:26 +01:00
Sebastian Hahn
b9cac605ab Synx manpage and source wrt option capitalization
We had a spelling discrepancy between the manpage and the source code
for some option. Resolve these in favor of the manpage, because it
makes more sense (for example, HTTP should be capitalized).
2010-11-10 15:48:26 +01:00
Sebastian Hahn
13a7e8bea3 Comment out the (unused) RunTesting option
The code that makes use of the RunTesting option is #if 0, so setting
this option has no effect. Mark the option as obsolete for now, so that
Tor doesn't list it as an available option erroneously.
2010-11-10 15:48:25 +01:00
Nick Mathewson
114a371c0e Fix the assert in bug 1776
In the case where old_router == NULL but sdmap has an entry for the
router, we can currently safely infer that the old_router was not a
bridge.  Add an assert to ensure that this remains true, and fix the
logic not to die with the tor_assert(old_router) call.
2010-11-02 11:20:09 -04:00
Sebastian Hahn
f87c6f100d Remove delay to become HSDir in privnets 2010-10-26 18:37:57 +02:00
Sebastian Hahn
213139f887 Properly refcount client_identity_key
In a2bb0bf we started using a separate client identity key. When we are
in "public server mode" (that means not a bridge) we will use the same
key. Reusing the key without doing the proper refcounting leads to a
segfault on cleanup during shutdown. Fix that.

Also introduce an assert that triggers if our refcount falls below 0.
That should never happen.
2010-10-26 18:22:04 +02:00
Nick Mathewson
441241c136 Fix a whitespace error 2010-10-21 16:12:04 -04:00
Nick Mathewson
1587735c90 Merge branch 'bug988-nm' into maint-0.2.2 2010-10-21 16:11:02 -04:00
Nick Mathewson
03adb8caad Add some asserts to get_{tlsclient|server}_identity_key
We now require that:
  - Only actual servers should ever call get_server_identity_key
  - If you're being a client or bridge, the client and server keys should
    differ.
  - If you're being a public relay, the client and server keys
    should be the same.
2010-10-21 13:54:12 -04:00
Nick Mathewson
704076680a Rename get_client_identity_key to get_tlsclient_identity_key 2010-10-21 13:54:02 -04:00
Nick Mathewson
5f3010667d Fix a remaining bug in Robert's bug1859 fix.
When intro->extend_info is created for an introduction point, it
only starts out with a nickname, not necessarily an identity digest.
Thus, doing router_get_by_digest isn't necessarily safe.
2010-10-21 11:09:35 -04:00
Nick Mathewson
0e8d1c2217 Merge remote branch 'hoganrobert/bug1859' into maint-0.2.2 2010-10-21 11:01:12 -04:00
Nick Mathewson
ea7f4be6d2 Merge remote branch 'sebastian/relay_early_rend' into maint-0.2.2 2010-10-21 10:49:44 -04:00
Nick Mathewson
0ac9a3df6c Fix a logic error in 98aee84. Found by boboper 2010-10-20 14:40:09 -04:00
Nick Mathewson
2849a95691 Add a ! to directory_caches_dir_info() to fix a logic error
We want to fetch directory info more aggressively if we need it to
refuseunknownexits.  Thus, we'll want it if our exit policy is _NOT_
reject *.
2010-10-20 13:49:38 -04:00
Nick Mathewson
98aee8472f Fix a read of a freed pointer while in set_current_consensus
Found by rransom while working on issue #988.  Bugfix on
0.2.2.17-alpha.  Fixes bug 2097.
2010-10-20 13:10:20 -04:00
Sebastian Hahn
d3b67cba3c Send relay_early cells in rend circs
There are no relay left that run version 0.2.1.3 through 0.2.1.18, so
changing this behaviour should be safe now.
2010-10-18 07:46:51 +02:00
Robert Hogan
0acd5e6208 Issues with router_get_by_nickname()
https://trac.torproject.org/projects/tor/ticket/1859

Use router_get_by_digest() instead of router_get_by_hexdigest()
in circuit_discard_optional_exit_enclaves() and
rend_client_get_random_intro(), per Nick's comments.

Using router_get_by_digest() in rend_client_get_random_intro() will
break hidden services published by Tor versions pre 0.1.2.18 and
0.2.07-alpha as they only publish by nickname. This is acceptable
however as these versions only publish to authority tor26 and
don't work for versions in the 0.2.2.x series anyway.
2010-10-17 12:27:57 +01:00
Robert Hogan
2d8f7a8391 Issues with router_get_by_nickname()
https://trac.torproject.org/projects/tor/ticket/1859

There are two problems in this bug:

1. When an OP makes a .exit request specifying itself as the exit, and the exit
   is not yet listed, Tor gets all the routerinfos needed for the circuit but
   discovers in circuit_is_acceptable() that its own routerinfo is not in the
   routerdigest list and cannot be used. Tor then gets locked in a cycle of
   repeating these two steps. When gathering the routerinfos for a circuit,
   specifically when the exit has been chosen by .exit notation, Tor needs to
   apply the same rules it uses later on when deciding if it can build a
   circuit with those routerinfos.

2. A different bug arises in the above situation when the Tor instance's
   routerinfo *is* listed in the routerlist, it shares its nickname with a
   number of other Tor nodes, and it does not have 'Named' rights to its
   nickname.
   So for example, if (i) there are five nodes named Bob in the network, (ii) I
   am running one of them but am flagged as 'Unnamed' because someone else
   claimed the 'Bob' nickname first, and (iii) I run my Tor as both client
   and exit the following can happen to me:
     - I go to www.evil.com
     - I click on a link www.evil.com.bob.exit
     - My request will exit through my own Tor node rather than the 'Named'
       node Bob or any of the others.
     - www.evil.com now knows I am actually browsing from the same computer
       that is running my 'Bob' node

So to solve both issues we need to ensure:

- When fulfilling a .exit request we only choose a routerinfo if it exists in
  the routerlist, even when that routerinfo is ours.
- When getting a router by nickname we only return our own router information
  if it is not going to be used for building a circuit.

We ensure this by removing the special treatment afforded our own router in
router_get_by_nickname(). This means the function will only return the
routerinfo of our own router if it is in the routerlist built from authority
info and has a unique nickname or is bound to a non-unique nickname.

There are some uses of router_get_by_nickname() where we are looking for the
router by name because of a configuration directive, specifically local
declaration of NodeFamilies and EntryNodes and other routers' declaration of
MyFamily. In these cases it is not at first clear if we need to continue
returning our own routerinfo even if our router is not listed and/or has a
non-unique nickname with the Unnamed flag.

The patch treats each of these cases as follows:

Other Routers' Declaration of MyFamily
 This happens in routerlist_add_family(). If another router declares our router
 in its family and our router has the Unnamed flag or is not in the routerlist
 yet, should we take advantage of the fact that we know our own routerinfo to
 add us in anyway? This patch says 'no, treat our own router just like any
 other'. This is a safe choice because it ensures our client has the same view
 of the network as other clients. We also have no good way of knowing if our
 router is Named or not independently of the authorities, so we have to rely on
 them in this.

Local declaration of NodeFamilies
 Again, we have no way of knowing if the declaration 'NodeFamilies
 Bob,Alice,Ringo' refers to our router Bob or the Named router Bob, so we have
to defer to the authorities and treat our own router like any other.

Local declaration of NodeFamilies
 Again, same as above. There's also no good reason we would want our client to
 choose it's own router as an entry guard if it does not meet the requirements
 expected of any other router on the network.

In order to reduce the possibility of error, the patch also replaces two
instances where we were using router_get_by_nickname() with calls to
router_get_by_hexdigest() where the identity digest of the router
is available.
2010-10-13 18:29:01 +01:00
Robert Ransom
a2bb0bfdd5 Maintain separate server and client identity keys when appropriate.
Fixes a bug described in ticket #988.
2010-10-04 21:51:53 -07:00
Robert Ransom
17efbe031d Maintain separate server and client TLS contexts.
Fixes bug #988.
2010-10-04 21:51:47 -07:00
Robert Ransom
d3879dbd16 Refactor tor_tls_context_new:
* Make tor_tls_context_new internal to tortls.c, and return the new
  tor_tls_context_t from it.

* Add a public tor_tls_context_init wrapper function to replace it.
2010-10-04 17:57:29 -07:00
Robert Ransom
89dffade8d Add public_server_mode function. 2010-10-04 17:57:29 -07:00
Roger Dingledine
734ba2f937 fix comment 2010-10-01 14:11:08 -04:00
Roger Dingledine
6cb5383e56 log when we guess our ip address, not just when we fail 2010-10-01 13:32:38 -04:00
Sebastian Hahn
0702429cf7 Note an XXX about potential overflow 2010-09-30 06:24:01 +02:00
Sebastian Hahn
73def430e3 Use an upper and lower bound for bridge weights
When picking bridges (or other nodes without a consensus entry (and
thus no bandwidth weights)) we shouldn't just trust the node's
descriptor. So far we believed anything between 0 and 10MB/s, where 0
would mean that a node doesn't get any use from use unless it is our
only one, and 10MB/s would be a quite siginficant weight. To make this
situation better, we now believe weights in the range from 20kB/s to
100kB/s. This should allow new bridges to get use more quickly, and
means that it will be harder for bridges to see almost all our traffic.
2010-09-30 06:17:54 +02:00
Roger Dingledine
d17fcad3ae Merge commit 'mikeperry/bug1772' into maint-0.2.2 2010-09-30 00:00:06 -04:00
Mike Perry
7eedd0f6bc Nominaly lower the minimum timeout value to 1500.
This won't change any behavior, since it will still be rounded back
up to 2seconds, but should reduce the chances of some extra warns.
2010-09-29 20:58:09 -07:00
Roger Dingledine
3cbe463e96 Merge branch 'bug1772' into maint-0.2.2 2010-09-29 23:52:18 -04:00
Roger Dingledine
f2aa8f08cb fix two casts 2010-09-29 23:51:25 -04:00
Mike Perry
c8f731fabb Comment network liveness and change detection behavior. 2010-09-29 19:35:40 -07:00
Roger Dingledine
ceb3d4d578 no measurement circs if not enough build times
In the first 100 circuits, our timeout_ms and close_ms
are the same. So we shouldn't transition circuits to purpose
CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT, since they will just timeout again
next time we check.
2010-09-29 18:05:10 -04:00
Roger Dingledine
7f10707c42 refactor and recomment; no actual changes 2010-09-29 18:01:22 -04:00
Roger Dingledine
48cd096276 Merge commit 'mikeperry/bug1739' into maint-0.2.2 2010-09-29 17:17:59 -04:00
Roger Dingledine
474e4d2722 Merge commit 'mikeperry/bug1740' into maint-0.2.2 2010-09-29 17:05:38 -04:00
Mike Perry
4324bb1b21 Cap the circuit build timeout to the max time we've seen.
Also, cap the measurement timeout to 2X the max we've seen.
2010-09-29 11:49:43 -07:00
Mike Perry
11910cf5b3 Do away with the complexity of the network liveness detection.
We really should ignore any timeouts that have *no* network activity for their
entire measured lifetime, now that we have the 95th percentile measurement
changes. Usually this is up to a minute, even on fast connections.
2010-09-29 11:49:43 -07:00
Mike Perry
0744a175af Fix state checks on liveness handling.
If we really want all this complexity for these stages here, we need to handle
it better for people with large timeouts. It should probably go away, though.
2010-09-29 11:49:43 -07:00
Mike Perry
9a77743b7b Fix non-live condition checks.
Rechecking the timeout condition was foolish, because it is checked on the
same codepath. It was also wrong, because we didn't round.

Also, the liveness check itself should be <, and not <=, because we only have
1 second resolution.
2010-09-29 11:49:31 -07:00
Mike Perry
c5b5643965 Send control port events for timeouts.
We now differentiate between timeouts and cutoffs by the REASON string and
the PURPOSE string.
2010-09-29 11:46:36 -07:00
Mike Perry
5aa4564ab9 Only count timeout data for 3 hop circuits.
Use 4/3 of this timeout value for 4 hop circuits, and use half of it for
canabalized circuits.
2010-09-29 11:41:27 -07:00
Roger Dingledine
a58610a87e even more comment 2010-09-28 23:50:56 -04:00
Roger Dingledine
512433346f improve code comments, based on comments from nick 2010-09-28 23:27:00 -04:00
Roger Dingledine
9997676802 handle ugly edge case in retrying entrynodes
Specifically, a circ attempt that we'd launched while the network was
down could timeout after we've marked our entrynodes up, marking them
back down again. The fix is to annotate as bad the OR conns that were
around before we did the retry, so if a circuit that's attached to them
times out we don't do anything about it.
2010-09-28 22:32:38 -04:00
Roger Dingledine
7de1caa33f Actually notice when our last entrynode goes down
Otherwise we'd never set have_minimum_dir_info to false, so the
"optimistic retry" would never trigger.
2010-09-28 21:59:31 -04:00
Roger Dingledine
bb22360bad optimistically retry EntryNodes on socks request
We used to mark all our known bridges up when they're all down and we
get a new socks request. Now do that when we've set EntryNodes too.
2010-09-28 19:10:23 -04:00
Roger Dingledine
8bac188572 remove a redundant assert 2010-09-28 19:10:22 -04:00
Roger Dingledine
127f37ad29 refactor; no actual changes 2010-09-28 19:10:22 -04:00
Roger Dingledine
09a715bb72 Merge branch 'maint-0.2.1' into maint-0.2.2 2010-09-28 18:37:55 -04:00
Roger Dingledine
339993b409 actually retry bridges when your network goes away 2010-09-28 18:36:15 -04:00
Roger Dingledine
a467bf5fbb a dir-spec entry for refuseunknownexits
plus quiet a log line
2010-09-27 18:32:09 -04:00
Roger Dingledine
9d7f0badb5 changelog entry for bug1751 2010-09-27 17:44:00 -04:00
Nick Mathewson
614eeb378b Merge remote branch 'sebastian/bug1964' into maint-0.2.2 2010-09-27 17:26:32 -04:00
Sebastian Hahn
c951830002 Fix a bridge segfault
When we enabled support to change statistic options without restarting
Tor we forgot to initialize geoip_countries. Fix that.
2010-09-27 23:19:25 +02:00
Nick Mathewson
c97072ef34 Merge branch 'bug1751_enabling' into maint-0.2.2 2010-09-27 17:08:03 -04:00
Nick Mathewson
6c5b9ba625 Change bug1751 enabling code based on comments from arma 2010-09-27 17:07:22 -04:00
Nick Mathewson
e385961542 Merge remote branch 'public/bug1954' into maint-0.2.2 2010-09-27 15:39:40 -04:00
Nick Mathewson
24a45f54d2 Merge branch 'bug1805' into maint-0.2.2 2010-09-27 12:25:32 -04:00
Nick Mathewson
9c8fb75edf Clean up some bug1805 comments based on arma's feedback 2010-09-27 12:23:49 -04:00
Mike Perry
0ff86042ac Implement new Wxx constraints.
Cases 1 and 3b are provably correct. Case 2b has a fallback to first try to
maximize entropy.
2010-09-27 08:53:41 -07:00
Nick Mathewson
d073d7d4eb Consistency issues in load_windows_system_library patch. Thanks Sebastian 2010-09-24 14:16:55 -04:00
Nick Mathewson
9b49a89430 Merge branch 'bug1511' 2010-09-23 23:16:25 -04:00
Nick Mathewson
c9cb4f0a0e Rename has_completed_circuit to can_complete_circuit
Also redocument it.  Related to #1362.
2010-09-22 01:52:57 -04:00
Nick Mathewson
31f22505a6 Merge remote branch 'arma/bug1362' 2010-09-22 01:45:57 -04:00
Nick Mathewson
4ef9ccc883 Changes to bug1959_part1 on review from arma.
Significant one: we want to say "not enough entry nodes descriptors, so we
can't build circuits" only when we have 0 descriptors.
2010-09-22 01:30:23 -04:00
Nick Mathewson
49c177437b Make our min-info check also check for entry node presence
Part of a fix for bug1959
2010-09-21 15:17:40 -04:00
Nick Mathewson
52db5c2539 Even more accurate handling for shifting accounting intervals
Roger correctly pointed out that my code was broken for accounting
periods that shifted forwards, since
start_of_accounting_period_containing(interval_start_time) would not
be equal to interval_start_time, but potentially much earlier.
2010-09-21 14:59:43 -04:00
Nick Mathewson
aa7f55c45f Use load_windows_system_library in place of LoadLibrary 2010-09-21 14:40:10 -04:00
Nick Mathewson
e476ffc2ba Merge branch 'bug1789' 2010-09-21 14:29:59 -04:00
Nick Mathewson
9cba61eb8c Bug1789 cleanups suggested by arma
The significant one is that we look at RelayBandwidthRate if it is set.
2010-09-21 14:02:04 -04:00
Roger Dingledine
fe42f10954 log when we finish a circuit after being offline 2010-09-21 02:16:43 -04:00
Nick Mathewson
ef5925237d First cut of code to enable RefuseUnknownExits
The RefuseUnknownExits config option is now a tristate, with "1"
meaning "enable it no matter what the consensus says", "0" meaning
"disable it no matter what the consensus says", and "auto" meaning "do
what the consensus says".  If the consensus is silent, we enable
RefuseUnknownExits.

This patch also changes the dirserv logic so that refuseunknownexits
won't make us cache unless we're an exit.
2010-09-21 01:03:29 -04:00
Nick Mathewson
5a55662a6b Merge branch 'bug1956' 2010-09-21 00:07:45 -04:00
Roger Dingledine
47b23bd03e A start at a patch for bug 1943 (alignment issues) 2010-09-20 18:40:32 -04:00
Nick Mathewson
1411842933 Count unknown authorities as unknown only once, not once per signature.
Do not double-report signatures from unrecognized authorities both as
"from unknown authority" and "not present".  Fixes bug 1956, bugfix on
0.2.2.16-alpha.
2010-09-20 13:33:57 -04:00
Sebastian Hahn
ff5ffd1776 Attempt to fix compilation on Windows
Our attempt to make compilation work on old versions of Windows
again while keeping wince compatibility broke the build for Win2k+.
helix reports this patch fixes the issue for WinXP. Bugfix on
0.2.2.15-alpha; related to bug 1797.
2010-09-19 13:39:30 +02:00
Nick Mathewson
01c6b01137 I hear we are close to a release. Clean up the whitespace. 2010-09-16 15:44:14 -04:00
Nick Mathewson
c009c9da01 Merge remote branch 'sebastian/bug1921' 2010-09-16 10:52:43 -04:00
Roger Dingledine
0ac67bf3c3 perconnbwrate and perconnbwburst consensus params 2010-09-16 00:17:39 -04:00
Sebastian Hahn
4f1e36ca1d Demote a warn when enabling CellStatistics
When the CellStatistics option is off, we don't store cell insertion
times. Doing so would also not be very smart, because there seem to
still be some performance issues with this type of statistics. Nothing
harmful happens when we don't have insertion times, so we don't need to
alarm the user.
2010-09-16 01:13:51 +02:00
Nick Mathewson
144d92d538 finish a comment, lower a variable 2010-09-15 15:41:32 -04:00
Sebastian Hahn
bc081c254a How many seconds until != timestamp of that date 2010-09-15 21:13:17 +02:00
Nick Mathewson
c18bcc8a55 Merge branch 'bug1184' 2010-09-15 14:20:28 -04:00
Nick Mathewson
87f18c9578 Never queue a cell on a marked circuit 2010-09-15 13:06:54 -04:00
Nick Mathewson
6d8fc4eb38 Add a simple integer-ceiling-division macro before we get it wrong 2010-09-14 22:32:36 -04:00
Nick Mathewson
60e3def3ed Merge branch 'bug1899' 2010-09-14 22:19:25 -04:00
Nick Mathewson
e2b71d8841 Merge branch 'bug911' 2010-09-14 22:19:22 -04:00
Nick Mathewson
f5b7e039f3 Extract the "do these routers have the same addr:orport" logic into a fn 2010-09-14 22:19:00 -04:00
Nick Mathewson
d9e0550560 Tweak some issues found by arma in bug911 review. 2010-09-14 22:10:32 -04:00
Nick Mathewson
a445daf0cf Merge remote branch 'sebastian/bug1776_v3' 2010-09-14 13:50:28 -04:00
Nick Mathewson
424ca963ad Make circuit_resume_edge_reading_helper treat streams more fairly.
Previously[*], the function would start with the first stream on the
circuit, and let it package as many cells as it wanted before
proceeding to the next stream in turn.  If a circuit had many live
streams that all wanted to package data, the oldest would get
preference, and the newest would get ignored.

Now, we figure out how many cells we're willing to send per stream,
and try to allocate them fairly.

Roger diagnosed this in the comments for bug 1298.

[*] This bug has existed since before the first-ever public release
    of Tor.  It was added by r152 of Tor on 26 Jan 2003, which was
    the first commit to implement streams (then called "topics").

    This is not the oldest bug to be fixed in 0.2.2.x: that honor
    goes to the windowing bug in r54, which got fixed in e50b7768 by
    Roger with diagnosis by Karsten.  This is, however, the most
    long-lived bug to be fixed in 0.2.2.x: the r54 bug was fixed
    2580 days after it was introduced, whereas I am writing this
    commit message 2787 days after r152.
2010-09-13 18:59:50 -04:00
Nick Mathewson
b582eb32b8 Add a max_cells arg to connection_edge_process_raw_inbuf
I'm going to use this to implement more fairness in
circuit_resume_edge_reading_helper in an attempt to fix bug 1298.

(Updated with fixes from arma and Sebastian)
2010-09-13 18:59:42 -04:00
Nick Mathewson
61b7e36312 Fix function declaration linebreaks at start of relay.c 2010-09-13 17:38:11 -04:00
Nick Mathewson
13f684b573 Merge remote branch 'public/pretty-signature-log' 2010-09-13 15:56:46 -04:00
Nick Mathewson
286f407cd2 Merge remote branch 'sebastian/bug1525' 2010-09-13 01:36:31 -04:00
Nick Mathewson
126832a3f7 Merge branch 'bug1138' 2010-09-12 21:41:45 -04:00
Nick Mathewson
cc0efa8084 Make authorities download consensuses if appropriate
An authority should never download a consensus if it has a live one,
but when it doesn't, it should admit that it's not going to get one,
and see if anybody else can give it one.

Fixes 1300, fix on 0.2.0.9-alpha
2010-09-12 21:41:15 -04:00
Nick Mathewson
5634e03302 Clean up a couple more bug1138 issues mentioned by roger on code review 2010-09-12 21:12:17 -04:00
Robert Hogan
22ab997e83 Handle null conn->requested_resource rather than assert
Per arma's comments in bug1138
2010-09-12 14:10:16 +01:00
Roger Dingledine
b4942e3435 fix regression introduced by 1a65bdd2
noticed while reviewing hoganrobert/bug1138
2010-09-12 00:20:00 -04:00
Nick Mathewson
fca222f0ce be more consistent in using streamid_t 2010-09-08 10:53:19 -04:00
Nick Mathewson
aa42f941dc Merge branch 'bug1653' 2010-09-08 10:49:24 -04:00
Nick Mathewson
669fd05ed8 Merge remote branch 'origin/maint-0.2.1' 2010-09-08 10:28:41 -04:00
Nick Mathewson
2bc82324d5 Remove a needless keep_open_until_flushed 2010-09-08 10:23:29 -04:00
Sebastian Hahn
303beead53 Kill warn when picking bridges without bw weight
Bridges and other relays not included in the consensus don't
necessarily have a non-zero bandwidth capacity. If all our
configured bridges had a zero bw capacity we would warn the
user. Change that.
2010-09-06 18:44:11 +02:00
Nick Mathewson
edc9256e95 Merge remote branch 'public/win_unicode_fixes' 2010-09-06 10:06:07 -04:00
Nick Mathewson
2920d88667 Base our expected bw accounting usage on time before soft limit
Previously, we were also considering the time spent in
soft-hibernation.  If this was a long time, we would wind up
underestimating our bandwidth by a lot, and skewing our wakeup time
towards the start of the accounting interval.

This patch also makes us store a few more fields in the state file,
including the time at which we entered soft hibernation.

Fixes bug 1789.  Bugfix on 0.0.9pre5.
2010-09-03 14:29:17 -04:00
Nick Mathewson
d0acaac781 Use a more sophisticated soft-hibernation-limit calculation
This should help address bug 1789.
2010-09-03 14:09:55 -04:00
Nick Mathewson
17ebddbbdc Remove an obsolete comment from hibernate.c 2010-09-03 14:09:55 -04:00
Nick Mathewson
80b3de8753 Tolerate a little skew in accounting intervals.
This will make changes for DST still work, and avoid double-spending
bytes when there are slight changes to configurations.

Fixes bug 1511; the DST issue is a bugfix on 0.0.9pre5.
2010-09-03 12:19:17 -04:00
Nick Mathewson
4d2e9974f9 Close a non-open OR connection *only* after KeepalivePeriod.
When we introduced the code to close non-open OR connections after
KeepalivePeriod had passed, we replaced some code that said
    if (!connection_is_open(conn)) {
     /* let it keep handshaking forever */
    } else if (do other tests here) {
      ...
with new code that said
    if (!connection_is_open(conn) && past_keepalive) {
     /* let it keep handshaking forever */
    } else if (do other tests here) {
      ...

This was a mistake, since it made all the other tests start applying
to non-open connections, thus causing bug 1840, where non-open
connections get closed way early.

Fixes bug 1840.  Bugfix on 0.2.1.26 (commit 67b38d50).
2010-09-03 11:32:35 -04:00
Nick Mathewson
b2473357f2 Launch reachability tests for routers whose IP or ORPort change
Implements #1899, suggested by Sebastian.  Depends on #911 fix.
2010-09-03 10:53:29 -04:00
Nick Mathewson
296a7d8388 Fix a missing stream_id argument; found by "tracktor" 2010-09-03 10:26:50 -04:00
Robert Hogan
5799cdd9d3 Nick points out:
tor_assert(!conn->_base.purpose == DIR_PURPOSE_FETCH_EXTRAINFO)
!=
tor_assert(conn->_base.purpose != DIR_PURPOSE_FETCH_EXTRAINFO)
!!
2010-09-02 22:17:43 +01:00
Robert Hogan
2086588efe Amend per Sebastian's comments:
- Move checks for extra_info to callers
 - Change argument name from failed to descs
 - Use strlen("fp/") instead of a magic number
 - I passed on the suggestion to rename functions from *_failed() to
   *_handle_failure(). There are a lot of these so for now just follow
   the house style.
2010-09-02 22:17:27 +01:00
Nick Mathewson
bfa1962d80 Complicate the rules on WARN vs INFO in consensus verification
It's normal when bootstrapping to have a lot of different certs
missing, so we don't want missing certs to make us warn... unless
the certs we're missing are ones that we've tried to fetch a couple
of times and failed at.

May fix bug 1145.
2010-09-02 16:46:03 -04:00
Nick Mathewson
f89323afda Fix behavior of adding a cell to a blocked queue.
We frequently add cells to stream-blocked queues for valid reasons
that don't mean we need to block streams.  The most obvious reason
is if the cell arrives over a circuit rather than from an edge: we
don't block circuits, no matter how full queues get.  The next most
obvious reason is that we allow CONNECTED cells from a newly created
stream to get delivered just fine.

This patch changes the behavior so that we only iterate over the
streams on a circuit when the cell in question came from a stream,
and we only block the stream that generated the cell, so that other
streams can still get their CONNECTEDs in.
2010-09-02 15:26:17 -04:00
Nick Mathewson
2081740317 Merge branch 'ratelim' 2010-08-31 12:59:36 -04:00
Nick Mathewson
285addbd94 Fix some issues in rate-limiting noticed by Sebastian 2010-08-31 12:52:11 -04:00
Sebastian Hahn
2af6aadfe9 Fix a compile warning on OpenBSD 2010-08-22 13:58:23 +02:00
Sebastian Hahn
33ae3f4b5c Allow clients to use relays as bridges 2010-08-20 23:45:00 +02:00
Nick Mathewson
c0c7868250 Make the windows build succeed with or without -DUNICODE enabled.
This should keep WinCE working (unicode always-on) and get Win98
working again (unicode never-on).

There are two places where we explicitly use ASCII-only APIs, still:
in ntmain.c and in the unit tests.

This patch also fixes a bug in windoes tor_listdir that would cause
the first file to be listed an arbitrary number of times that was
also introduced with WinCE support.

Should fix bug 1797.
2010-08-20 13:40:01 -04:00
Sebastian Hahn
219f7415d1 Warn for bad combination of cookie options
Setting CookieAuthFileGroupReadable but without setting CookieAuthFile makes
no sense, because unix directory permissions for the data directory prevent
the group from accessing the file anyways.
2010-08-20 02:45:10 +02:00
Nick Mathewson
69deb22f34 Fix up compilation on windows. 2010-08-19 14:59:44 -04:00
Nick Mathewson
6f9f1f3324 Make the "2 unknown, 7 missing key..." messages easier to understand
This patch should fix the cases we care about for bugs 1290 and 1145.

     "30-56-99 are correct. Limited 4 and 8 are missing".
2010-08-19 11:13:35 -04:00
Roger Dingledine
c1260cb6ec delay geoip stats even more for relays-turned-bridges 2010-08-18 16:12:44 -04:00
Nick Mathewson
ba9c1275c4 Add a generic rate-limited log mechanism, and use it in a few places
Incidentally fixes bug 1042.
2010-08-18 15:55:49 -04:00
Nick Mathewson
8782dcf6a2 Detect if we try to put a cell onto a supposedly blocked cell queue.
When this happens, run through the streams on the circuit and make
sure they're all blocked.  If some aren't, that's a bug: block them
all and log it!  If they all are, where did the cell come from?  Log
it!

(I suspect that this actually happens pretty frequently, so I'm making
these log messages appear at INFO.)
2010-08-18 14:33:41 -04:00
Nick Mathewson
80391b88a5 Decide whether to ignore SENDMEs based on streams_blocked, not queue size 2010-08-18 14:33:41 -04:00
yetonetime
4dd3245abb Avoid over-filling cell queues when we receive a SENDME
Do not start reading on exit streams when we get a SENDME unless we
have space in the appropriate circuit's cell queue.

Draft fix for bug 1653.

(commit message by nickm)
2010-08-18 14:33:37 -04:00
Nick Mathewson
8c528bc320 Merge commit 'origin/maint-0.2.1'
Conflicts:
	src/or/reasons.c
2010-08-18 13:48:39 -04:00
Nick Mathewson
5926d9cfcc Move code for launching tests out of router_add_to_routerlist()
router_add_to_routerlist() is supposed to be a nice minimal function
that only touches the routerlist structures, but it included a call to
dirserv_single_reachability_test().

We have a function that gets called _after_ adding descriptors
successfully: routerlist_descriptors_added.  This patch moves the
responsibility for testing there.

Because the decision of whether to test or not depends on whether
there was an old routerinfo for this router or not, we have to first
detect whether we _will_ want to run the tests if the router is added.
We make this the job of
routers_update_status_from_consensus_networkstatus().

Finally, this patch makes the code notice if a router is going from
hibernating to non-hibernating, and if so causes a reachability test
to get launched.
2010-08-18 13:36:09 -04:00
Nick Mathewson
23fdf0b30f Allow some skew in checking when a router said it was hibernating
This solves the problem Roger noted as:
   What if the router has a clock that's 5 minutes off, so it
   publishes a descriptor for 5 minutes in the future, and we test it
   three minutes in. In this edge case, we will continue to advertise
   it as Running for the full 45 minute period.
2010-08-18 11:40:22 -04:00
Nick Mathewson
a4c5287e1b Clarify AssumeReachable semantics wrt hibernation 2010-08-18 11:31:19 -04:00
Nick Mathewson
5063a1c538 Add some braces to make arma happy 2010-08-18 11:28:51 -04:00
Sebastian Hahn
78e4aa63fb Backport END_STREAM_REASON_NOROUTE for client use.
(Partial backport of 150ed553df, 161b275028, and 4c948ffd6.)
2010-08-18 11:12:32 -04:00
Nick Mathewson
a509dbba50 Merge commit 'karsten/dirbytes2'
Conflicts:
	src/or/rephist.h
2010-08-18 10:06:14 -04:00
Karsten Loesing
58b6195455 Correctly report written bytes on linked connections. 2010-08-18 13:54:41 +02:00
Karsten Loesing
db94b7f46e Count bytes we spend on answering directory requests. 2010-08-18 13:54:41 +02:00
Sebastian Hahn
d5c83f2014 Remove unused function declarations
Also remove some #if 0'd code from the unit tests for buffers. The
code was killed in e6794e5808 (5 years
ago), and is now broken anyways.
2010-08-17 23:49:39 +02:00
Nick Mathewson
5ffe105598 Merge branch 'maint-0.2.1'
Resolved conflict in
	src/or/networkstatus.c
2010-08-17 12:07:19 -04:00
Nick Mathewson
6f58481335 Scale CONSENSUS_MIN_SECONDS_BEFORE_CACHING by voting interval
If the voting interval was short enough, the two-minutes delay
of CONSENSUS_MIN_SECONDS_BEFORE_CACHING would confuse bridges
to the point where they would assert before downloading a consensus.
It it was even shorter (<4 minutes, I think), caches would
assert too.  This patch fixes that by having replacing the
two-minutes value with MIN(2 minutes, interval/16).

Bugfix for 1141; the cache bug could occur since 0.2.0.8-alpha, so
I'm calling this a bugfix on that.  Robert Hogan diagnosed this.
Done as a patch against maint-0.2.1, since it makes it hard to
run some kinds of testing networks.
2010-08-17 11:55:39 -04:00
Robert Hogan
d6744d611f Fall back to direct descriptor request to bridges when
requests to authorities fail due to a network error.

Bug#1138
"When a Tor client starts up using a bridge, and UpdateBridgesFromAuthority
is set, Tor will go to the authority first and look up the bridge by
fingerprint. If the bridge authority is filtered, Tor will never notice that
the bridge authority lookup failed. So it will never fall back."

Add connection_dir_bridge_routerdesc_failed(), a function for unpacking
the bridge information from a failed request, and ensure
connection_dir_request_failed() calls it if the failed request
was for a bridge descriptor.

Test:

1. for ip in `grep -iR 'router ' cached-descriptors|cut -d ' ' -f 3`;
do sudo iptables -A OUTPUT -p tcp -d $ip -j DROP; done
2. remove all files from user tor directory
3. Put the following in torrc:

UseBridges 1
UpdateBridgesFromAuthority 1
Bridge 85.108.88.19:443 7E1B28DB47C175392A0E8E4A287C7CB8686575B7

4. Launch tor - it should fall back to downloading descriptors
   directly from the bridge.

Initial patch reviewed and corrected by mingw-san.
2010-08-16 21:15:49 +01:00
Nick Mathewson
bf8d66364f Merge commit 'public/warn1125' 2010-08-16 00:27:05 -04:00
Karsten Loesing
15379a7254 Fix compilation with --with-dmalloc
Fixes 1832; bugfix on 0.2.2.6-alpha
2010-08-16 00:14:06 -04:00
Roger Dingledine
4c948ffd6c 161b2750 didn't really retry the stream. this does. 2010-08-16 00:04:49 -04:00
Nick Mathewson
b51f1a64e4 Make Sebastian's bug1831 branch build with --enable-gcc-warnings 2010-08-15 23:46:09 -04:00
Nick Mathewson
a856f446c7 Merge commit 'sebastian/bug1831' 2010-08-15 23:43:36 -04:00
Nick Mathewson
6a77bde8d8 Make Sebastian's misc-reasons branch compile; frob the changes file 2010-08-15 21:32:06 -04:00
Nick Mathewson
9bcea4a8ef Merge commit 'sebastian/misc-reason' 2010-08-15 21:27:32 -04:00
Nick Mathewson
8351881b2e Merge commit 'karsten/stats-tests' 2010-08-15 20:49:37 -04:00
Sebastian Hahn
561ca9b987 Fix misplaced labels 2010-08-16 00:46:44 +02:00
Sebastian Hahn
b2dcff5766 Fix a memory leak in dirvote_compute_consensuses() 2010-08-16 00:46:44 +02:00
Sebastian Hahn
527581194c Fix a memory leak
It happened in dirvote_add_signatures_to_pending_consesus().
2010-08-16 00:46:42 +02:00
Sebastian Hahn
4c49d3c27e Refactor circuit_build_times_parse_state
Remove the msg parameter to pass an error message out. This
wasn't needed and made it harder to detect a memory leak.
2010-08-16 00:45:32 +02:00
Sebastian Hahn
70f0ba1495 Fix a memory leak in circuit_build_times_parse_state
Thanks weasel for noticing.
2010-08-16 00:33:29 +02:00
Karsten Loesing
69545efbaf Give rep_hist_exit_stats_history() a better name. 2010-08-15 14:15:58 +02:00
Karsten Loesing
3d77c67d93 Fix memory leak spotted by Nick. 2010-08-15 13:34:57 +02:00
Roger Dingledine
8d588e7b1a reinit per-conn token buckets on config or consensus change 2010-08-15 04:01:42 -04:00
Roger Dingledine
2bc1842aaa factor out rate/burst setting. no actual changes. 2010-08-15 02:27:07 -04:00
Roger Dingledine
a207d9db4c fix another piece of 1741 2010-08-14 04:22:08 -04:00
Roger Dingledine
e50857b67f changes entry for bug 1741 2010-08-13 20:50:51 -04:00
Mike Perry
5b0c0e1f89 Add check for CIRCUIT_PURPOSE_S_REND_JOINED.
These circuits stick around much longer than others on the server side for
performance reasons. Their lifetime is controlled by the client.
2010-08-13 20:46:33 -04:00
Roger Dingledine
b1a5888553 fix a memory leak introduced by df1ef2f0f0 2010-08-13 17:30:50 -04:00
Roger Dingledine
1ac1f048ef minor formatting / comment fixes 2010-08-13 17:18:45 -04:00
Karsten Loesing
acd25558b8 Refactor exit port statistics code and add unit tests. 2010-08-11 16:19:54 +02:00
Roger Dingledine
45c6b5de17 tiny change i found in my other sandbox 2010-08-11 01:48:29 -04:00
Nick Mathewson
8150e2ad24 Make buf_shrink_freelists warn, not crash, when n_to_skip is too high
This mitigates bug 1125, but doesn't fix its root cause (whatever
that is).
2010-08-10 15:58:41 -04:00
Roger Dingledine
0087a37bed tiny changes i found in my sandbox 2010-08-09 18:50:49 -04:00
Sebastian Hahn
162c8847de Update some documentation for the bug 1525 fix 2010-08-08 15:20:24 +02:00
Robert Hogan
462568674a Ensure controller RESOLVE commands respect __LeaveStreamsUnattached
https://trac.torproject.org/projects/tor/ticket/1525

"The codepath taken by the control port "RESOLVE" command to create a
synthetic SOCKS resolve request isn't the same as the path taken by
a real SOCKS request from 'tor-resolve'.
This prevents controllers who set LeaveStreamsUnattached=1 from
being able to attach RESOLVE streams to circuits of their choosing."

Create a new function connection_ap_rewrite_and_attach_if_allowed()
and call that when Tor needs to attach a stream to a circuit but
needs to know if the controller permits it.

No tests added.
2010-08-08 12:37:59 +01:00
Karsten Loesing
83626ec91c Move exit-stats code to the end of rephist.c. 2010-08-05 13:05:33 +02:00
Sebastian Hahn
d365bc965d Only delay counting bridge users if we were a relay before 2010-08-05 13:05:32 +02:00
Karsten Loesing
166c2f4d92 Allow enabling or disabling *Statistics while Tor is running.
With this patch we stop scheduling when we should write statistics using a
single timestamp in run_scheduled_events(). Instead, we remember when a
statistics interval starts separately for each statistic type in geoip.c
and rephist.c. Every time run_scheduled_events() tries to write stats to
disk, it learns when it should schedule the next such attempt.

This patch also enables all statistics to be stopped and restarted at a
later time.

This patch comes with a few refactorings, some of which were not easily
doable without the patch.
2010-08-05 13:05:25 +02:00
Sebastian Hahn
161b275028 Retry streams that ended with NOROUTE error
Also add the NOROUTE reason to control-spec.
2010-08-04 00:51:39 +02:00
Sebastian Hahn
150ed553df Introduce END_STREAM_REASON_NOROUTE 2010-08-03 16:46:28 +02:00