Commit Graph

7882 Commits

Author SHA1 Message Date
Nick Mathewson
8beb560bfd Reverse the direction of the test for openssl 3.0.0
Previously the logic was reversed, and always gave the wrong answer.
This has no other effect than to change whether we suppress
deprecated API warnings.

Fixes #40429; bugfix on 0.3.5.13.
2021-11-05 13:23:05 -04:00
David Goulet
92fedb9f44 changes: Add file for ticket 26299
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-10-29 09:19:21 -04:00
David Goulet
66e8e0f71b fallbackdir: Regenerate the list for October 2021
Closes #40493

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-10-21 09:13:40 -04:00
Alexander Færøy
7372739765 Announce URL to bridge status page when starting Tor as a bridge relay.
This patch makes Tor announce the relay specific bridge status page URL
when Tor is starting up before bootstrap occours.

See: tor#30477
2021-10-20 21:44:45 +00:00
Alexander Færøy
db112329a0 Merge remote-tracking branch 'tor-gitlab/mr/369' into maint-0.3.5 2021-10-20 17:35:35 +00:00
David Goulet
18b5630a7c changes: Add file for ticket 40476
Closes #40476

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-10-19 09:51:24 -04:00
Alexander Færøy
eca5b62213 Update GeoIP files to match IPFire location DB as per 2021/08/12. 2021-08-12 15:38:11 +00:00
Alexander Færøy
7e0971d868 Merge remote-tracking branch 'tor-gitlab/mr/417' into maint-0.3.5 2021-08-11 13:15:35 +00:00
George Kadianakis
fe5a9db1e6 Disable ed25519-donna's batch verification.
Fixes bug 40078.

As reported by hdevalence our batch verification logic can cause an assert
crash.

The assert happens because when the batch verification of ed25519-donna fails,
the code in `ed25519_checksig_batch()` falls back to doing a single
verification for each signature.

The crash occurs because batch verification failed, but then all signatures
individually verified just fine.

That's because batch verification and single verification use a different
equation which means that there are sigs that can pass single verification
but fail batch verification.

Fixing this would require modding ed25519-donna which is not in scope for
this ticket, and will be soon deprecated in favor of arti and
ed25519-dalek, so my branch instead removes batch verification.
2021-08-11 13:14:05 +00:00
David Goulet
0e60b65f6c fallbackdir: Regenerate list
New list for all stable releases.

Closes #40447

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-08-11 09:07:05 -04:00
David Goulet
399518da02 relay: Reduce streaming compression ratio from HIGH to LOW
Fixes #40301

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-08-11 12:51:32 +00:00
George Kadianakis
f57b5c48e0 Fix TROVE-2021-006: Out-of-bounds read on v3 desc parsing 2021-06-10 12:11:10 -04:00
David Goulet
adb248b6d6 TROVE-2021-003: Check layer_hint before half-closed end and resolve cells
This issue was reported by Jann Horn part of Google's Project Zero.

Jann's one-sentence summary: entry/middle relays can spoof RELAY_END cells on
half-closed streams, which can lead to stream confusion between OP and
exit.

Fixes #40389
2021-06-10 08:50:05 -04:00
Nick Mathewson
d71bf986b4 Merge branch 'bug40391_035' into maint-0.3.5 2021-06-10 08:41:59 -04:00
Nick Mathewson
7fdfc2ea54 Merge branch 'bug40390_035_squashed' into maint-0.3.5 2021-06-10 08:34:25 -04:00
Nick Mathewson
c0aa9e0a1b Assert on _all_ failures from RAND_bytes().
Previously, we would detect errors from a missing RNG
implementation, but not failures from the RNG code itself.

Fortunately, it appears those failures do not happen in practice
when Tor is using OpenSSL's default RNG implementation.  Fixes bug
40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
2021-06-10 08:33:57 -04:00
Nick Mathewson
520d5c108f Update geoip files to match ipfire location db, 2021/06/10. 2021-06-10 08:20:13 -04:00
Nick Mathewson
42ba87d964 Remove the function tor_tls_assert_renegotiation_unblocked.
It was used nowhere outside its own unit tests, and it was causing
compilation issues with recent OpenSSL 3.0.0 alphas.

Closes ticket 40399.
2021-05-25 07:38:31 -04:00
Nick Mathewson
4c06c619fa Use a more secure hash function for the circuitmux hashtable.
Fixes bug 40931; bugfix on 0.2.4.4-alpha. Also tracked as
TROVE-2021-005.

This issue was reported by Jann Horn from Google's Project Zero.
2021-05-18 08:40:09 -04:00
Nick Mathewson
e2c1ac214c Reindent a few lines to fix a GCC warning.
As of GCC 11.1.1, the compiler warns us about code like this:

     if (a)
         b;
         c;

and that's a good thing: we wouldn't want to "goto fail".  But we
had an instance if this in circuituse.c, which was making our
compilation sad.

Fixes bug 40380; bugfix on 0.3.0.1-alpha.
2021-05-07 10:39:20 -04:00
Nick Mathewson
621f8a304a Update geoip files to match ipfire location db, 2021/05/07. 2021-05-07 09:53:46 -04:00
Nick Mathewson
f20f5a4e37 Stop calling evdns_set_random_bytes_fn()
This function has been a no-op since Libevent 2.0.4-alpha, when
libevent got an arc4random() implementation.  Libevent has finally
removed it, which will break our compilation unless we stop calling
it.  (This is currently breaking compilation in OSS-fuzz.)

Closes #40371.
2021-04-16 17:26:59 -04:00
David Goulet
ee7c50b8a7 fallbackdir: Renegerate list with 200 relays
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-04-13 15:15:58 -04:00
Nick Mathewson
32f5ad7665 Update geoip files to match ipfire location db, 2021/04/13. 2021-04-13 10:35:50 -04:00
Nick Mathewson
f078aab71e Merge branch 'bug40316_035_v2' into maint-0.3.5 2021-03-15 08:58:54 -04:00
Nick Mathewson
890ae4fb1a Fix detection of point to insert signatures on a pending consensus.
We were looking for the first instance of "directory-signature "
when instead the correct behavior is to look for the first instance
of "directory-signature " at the start of a line.

Unfortunately, this can be exploited as to crash authorities while
they're voting.

Fixes #40316; bugfix on 0.2.2.4-alpha.  This is TROVE-2021-002,
also tracked as CVE-2021-28090.
2021-03-15 08:56:58 -04:00
Nick Mathewson
efca9ce41c Clarify new intended strategy with TROVE-2021-001
We're going to disable this feature in all versions for now.
2021-03-15 08:53:36 -04:00
Nick Mathewson
f46f4562cf Merge branch 'bug40286_disable_min_035' into maint-0.3.5 2021-03-15 08:41:03 -04:00
Nick Mathewson
c1ce126c74 Use the right ticket number. 2021-03-12 11:31:36 -05:00
Nick Mathewson
aa6c7741e8 update geoip-2021-03-12 to mention provider transition. 2021-03-12 11:29:09 -05:00
Nick Mathewson
a7b3cb06f5 Update geoip files to match ipfire location db, 2021/03/12. 2021-03-12 11:26:07 -05:00
David Goulet
296a557bfc Remove mallinfo() from codebase
Now deprecated in libc >= 2.33

Closes #40309

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-23 11:02:33 -05:00
Nick Mathewson
ede88c374c Disable the dump_desc() function.
It can be called with strings that should have been
length-delimited, but which in fact are not.  This can cause a
CPU-DoS bug or, in a worse case, a crash.

Since this function isn't essential, the best solution for older
Tors is to just turn it off.

Fixes bug 40286; bugfix on 0.2.2.1-alpha when dump_desc() was
introduced.
2021-02-19 12:31:19 -05:00
Roger Dingledine
93ac6ec4d3 exit: Deny re-entry into the network
Exit relays now reject exit attempts to known relay addresses + ORPort and
also to authorities on the ORPort and DirPort.

Closes #2667

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-29 14:19:17 -05:00
David Goulet
9556276f07 Merge branch 'tor-gitlab/mr/50' into maint-0.3.5 2021-01-28 12:46:24 -05:00
David Goulet
290007e3c4 Merge branch 'tor-gitlab/mr/239' into maint-0.3.5 2021-01-28 12:42:26 -05:00
David Goulet
02bd135cb1 Merge branch 'tor-gitlab/mr/243' into maint-0.3.5 2021-01-28 12:36:35 -05:00
David Goulet
1bdccc03a9 Merge branch 'tor-gitlab/mr/254' into maint-0.3.5 2021-01-28 12:10:39 -05:00
David Goulet
045db909c2 Merge remote-tracking branch 'tor-gitlab/mr/140' into maint-0.3.5 2021-01-28 12:08:14 -05:00
David Goulet
c6fb26695b Merge remote-tracking branch 'tor-gitlab/mr/186' into maint-0.3.5 2021-01-28 12:04:37 -05:00
David Goulet
8500700aa4 build: Add "make lsp" command
Generates the compile_commands.json file using the "bear" application so the
ccls server can be more efficient with our code base.

Closes #40227

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-21 16:06:31 -05:00
Nick Mathewson
faf7b550e7 Merge remote-tracking branch 'tor-gitlab/mr/143' into maint-0.3.5 2021-01-19 12:53:30 -05:00
Nick Mathewson
fa8ecf8820 Better fix for #40241 (--enable-all-bugs-are-fatal and fallthrough)
This one should work on GCC _and_ on Clang.  The previous version
made Clang happier by not having unreachable "fallthrough"
statements, but made GCC sad because GCC didn't think that the
unconditional failures were really unconditional, and therefore
_wanted_ a FALLTHROUGH.

This patch adds a FALLTHROUGH_UNLESS_ALL_BUGS_ARE_FATAL macro that
seems to please both GCC and Clang in this case: ordinarily it is a
FALLTHROUGH, but when ALL_BUGS_ARE_FATAL is defined, it's an
abort().

Fixes bug 40241 again.  Bugfix on earlier fix for 40241, which was
merged into maint-0.3.5 and forward, and released in 0.4.5.3-rc.
2021-01-13 09:54:43 -05:00
David Goulet
04b0263974 hs-v3: Require reasonably live consensus
Some days before this commit, the network experienced a DDoS on the directory
authorities that prevented them to generate a consensus for more than 5 hours
straight.

That in turn entirely disabled onion service v3, client and service side, due
to the subsystem requiring a live consensus to function properly.

We know require a reasonably live consensus which means that the HSv3
subsystem will to its job for using the best consensus tor can find. If the
entire network is using an old consensus, than this should be alright.

If the service happens to use a live consensus while a client is not, it
should still work because the client will use the current SRV it sees which
might be the previous SRV for the service for which it still publish
descriptors for.

If the service is using an old one and somehow can't get a new one while
clients are on a new one, then reachability issues might arise. However, this
is a situation we already have at the moment since the service will simply not
work if it doesn't have a live consensus while a client has one.

Fixes #40237

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-12 09:46:35 -05:00
Nick Mathewson
ccdbbae4ec Fix warnings in current debian-hardened CI.
We're getting "fallback annotation annotation in unreachable code"
warnings when we build with ALL_BUGS_ARE_FATAL. This patch fixes
that.

Fixes bug 40241.  Bugfix on 0.3.5.4-alpha.
2021-01-11 14:25:56 -05:00
George Kadianakis
d89974c5c6 Fix Keccak undefined behavior on exotic platforms.
Bug reported and diagnosed in:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975977

Fixes bug #40210.
2020-12-17 13:49:17 +02:00
Nick Mathewson
c4fe66e342 Socks5: handle truncated client requests correctly
Previously, our code would send back an error if the socks5 request
parser said anything but DONE.  But there are other non-error cases,
like TRUNCATED: we shouldn't send back errors for them.

This patch lowers the responsibility for setting the error message
into the parsing code, since the actual type of the error message
will depend on what problem was encountered.

Fixes bug 40190; bugfix on 0.3.5.1-alpha.
2020-12-14 10:14:03 -05:00
Nick Mathewson
fcae26adf7 Merge remote-tracking branch 'tor-gitlab/mr/195' into maint-0.3.5 2020-11-16 22:42:15 -05:00
Nick Mathewson
52e439c13e Merge remote-tracking branch 'tor-gitlab/mr/189' into maint-0.3.5 2020-11-09 16:13:24 -05:00
Nick Mathewson
31a6a101a0 Handle a change in the implementation of hashlib in Python 3.9
Previously, hashlib.shake_256 was a class (if present); now it can
also be a function.  This change invalidated our old
compatibility/workaround code, and made one of our tests fail.

Fixes bug 40179; bugfix on 0.3.1.6-rc when the workaround code was
added.
2020-11-05 09:34:36 -05:00