Commit Graph

13336 Commits

Author SHA1 Message Date
David Goulet
7519584347 hs: Expose hs_service.c functions for unit tests
In order to avoid src/or/hs_service.o to contain no symbols and thus making
clang throw a warning, the functions are now exposed not just to unit tests.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-04 09:41:14 -04:00
Nick Mathewson
67c88fd10d Merge branch 'bug13790_rebased' 2017-04-03 11:58:37 -04:00
Taylor Yu
ceedcfe9f2 Refactor and comment new_route_len()
Add a new helper function route_len_for_purpose(), which explicitly
lists all of the known circuit purposes for a circuit with a chosen
exit node (unlike previously, where the default route length for a
chosen exit was DEFAULT_ROUTE_LEN + 1 except for two purposes).  Add a
non-fatal assertion for unhandled purposes that conservatively returns
DEFAULT_ROUTE_LEN + 1.

Add copious comments documenting which circuits need an extra hop and
why.

Thanks to nickm and dgoulet for providing background information.
2017-04-03 11:58:11 -04:00
Taylor Yu
1e8e8a4e94 Add tests for new_route_len() 2017-04-03 11:58:11 -04:00
Nick Mathewson
a06c465333 Merge remote-tracking branch 'teor/bug21596_030' into maint-0.3.0 2017-04-03 09:28:33 -04:00
Nick Mathewson
5d8061cd01 Merge remote-tracking branch 'public/bug21415_testfix_030' into maint-0.3.0 2017-04-03 09:27:40 -04:00
Nick Mathewson
e7506c03cf Isolate dmalloc/openssl bridge code to crypto.c
This makes it so main.c, and the rest of src/or, no longer need to
include any openssl headers.
2017-03-31 10:04:44 -04:00
Nick Mathewson
fc02b8cf7a Fix another 32-bit warning in the spooling code 2017-03-29 09:07:51 +02:00
Nick Mathewson
be778a65df Fix i386 compilation from spooling patch. I seem to be good at breaking that. 2017-03-28 21:41:59 +02:00
Nick Mathewson
208c2a5c74 Merge branch 'spooling_squashed' 2017-03-28 19:55:18 +02:00
Nick Mathewson
003a7fe2a3 Add nonfatal asserts for return val of dirserv_flushed_some 2017-03-28 19:55:04 +02:00
Nick Mathewson
436b975e21 Improve documentation for connection_dirserv_flushed_some. 2017-03-28 19:55:03 +02:00
Nick Mathewson
8aa69a1b69 Refactor the directory spool implementation
The old implementation had duplicated code in a bunch of places, and
it interspersed spool-management with resource management.  The new
implementation should make it easier to add new resource types and
maintain the spooling code.

Closing ticket 21651.
2017-03-28 19:55:03 +02:00
Nick Mathewson
4d5b46aad9 Merge remote-tracking branch 'origin/maint-0.3.0' 2017-03-27 15:44:31 +02:00
George Kadianakis
ef4c10fb42 Fix max sampled size logic when in bridge mode.
When calculating max sampled size, Tor would only count the number of
bridges in torrc, without considering that our state file might already
have sampled bridges in it. This caused problems when people swap
bridges, since the following error would trigger:

         [warn] Not expanding the guard sample any further; just hit the
                maximum sample threshold of 1
2017-03-27 15:39:26 +02:00
Daniel Pinto
e843481bf5 Fix very small memory leak #21788
Leak caused by clean_up_backtrace_handler not being called
on shutdown.
2017-03-20 01:03:05 +00:00
Nick Mathewson
58680d0429 Merge branch 'ahf_bugs_21641_squashed' 2017-03-17 11:16:24 -04:00
Alexander Færøy
946ccf3e4d Check onion key consensus parameters every hour.
This patch changes the way we decide when to check for whether it's time
to rotate and/or expiry our onion keys. Due to proposal #274 we can now
have the keys rotate at different frequencies than before and we thus
do the check once an hour when our Tor daemon is running in server mode.

This should allow us to quickly notice if the network consensus
parameter have changed while we are running instead of having to wait
until the current parameters timeout value have passed.

See: See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Alexander Færøy
853b54dea4 Add periodic timer for expiring old onion keys.
This patch adds a new timer that is executed when it is time to expire
our current set of old onion keys. Because of proposal #274 this can no
longer be assumed to be at the same time we rotate our onion keys since
they will be updated less frequently.

See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Alexander Færøy
d88f10cdf2 Add API to query the current onion key grace period.
This patch adds an API to get the current grace period, in days, defined
as the consensus parameter "onion-key-grace-period-days".

As per proposal #274 the values for "onion-key-grace-period-days" is a
default value of 7 days, a minimum value of 1 day, and a maximum value
defined by other consensus parameter "onion-key-rotation-days" also
defined in days.

See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Alexander Færøy
23ae5b655b Make MIN_ONION_KEY_LIFETIME a consensus parameter defined value.
This patch turns `MIN_ONION_KEY_LIFETIME` into a new function
`get_onion_key_lifetime()` which gets its value from a network consensus
parameter named "onion-key-rotation-days". This allows us to tune the
value at a later point in time with no code modifications.

We also bump the default onion key lifetime from 7 to 28 days as per
proposal #274.

See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Nick Mathewson
eca9b3424d consdiff: Fix 32-bit compilation.
Thanks, jenkins!
2017-03-16 15:14:16 -04:00
Nick Mathewson
4a4f1e44af Merge branch 'prop140_21643_diff_only_squashed' 2017-03-16 14:58:43 -04:00
Nick Mathewson
643c9078c9 Switch ed-command parsing to use tor_parse_long. 2017-03-16 14:42:56 -04:00
Nick Mathewson
672e2a5461 Consdiff: extract router ID hash iteration functions
There was a frequent block of code that did "find the next router
line, see if we've hit the end of the list, get the ID hash from the
line, and enforce well-ordering."  Per Ahf's review, I'm extracting
it to its own function.
2017-03-16 14:42:56 -04:00
Nick Mathewson
83049cebc0 Make CONSENSUS_LINE_MAX_LEN a real define 2017-03-16 14:42:56 -04:00
Nick Mathewson
5e81436428 Remove a couple of {\n\n instances 2017-03-16 14:42:56 -04:00
Nick Mathewson
e84276124b Use a better for X outside of base64_compare_table. 2017-03-16 14:42:56 -04:00
Nick Mathewson
91e3250bf1 Reindent a few labels. 2017-03-16 14:42:56 -04:00
Nick Mathewson
d8c129a11a Avoid all needless memory copies when computing consensus diffs.
Previously, we operated on smartlists of NUL-terminated strings,
which required us to copy both inputs to produce the NUL-terminated
strings.  Then we copied parts of _those_ inputs to produce an
output smartlist of NUL-terminated strings.  And finally, we
concatenated everything into a final resulting string.

This implementation, instead, uses a pointer-and-extent pattern to
represent each line as a pointer into the original inputs and a
length.  These line objects are then added by reference into the
output. No actual bytes are copied from the original strings until
we finally concatenate the final result together.

Bookkeeping structures and newly allocated strings (like ed
commands) are allocated inside a memarea, to avoid needless mallocs
or complicated should-I-free-this-or-not bookkeeping.

In my measurements, this improves CPU performance by something like
18%.  The memory savings should be much, much higher.
2017-03-16 14:42:56 -04:00
Nick Mathewson
52fa6bb947 Swap memory allocation strategy for lists of lines for diffs
Now we use a single allocation block for all the lines, rather than
calling strdup on them one at a time.  This should help performance
a tiny bit.
2017-03-16 14:42:56 -04:00
Nick Mathewson
b36e311eab Fill in the missing documentation on the new functions 2017-03-16 14:42:56 -04:00
Nick Mathewson
12d428aaff Prop140: Fix a crash bug.
Found while fuzzing: this could occur if we tried to copy a
nonexistent "line 0" while applying a diff.
2017-03-16 14:42:56 -04:00
Nick Mathewson
653c6d129e Make consensus diff sha3 operations mockable.
(We'll want this for fuzzing)
2017-03-16 14:40:33 -04:00
Nick Mathewson
6a36e5ff3b String-based API for consensus diffs.
Also, add very strict split/join functions, and totally forbid
nonempty files that end with somethig besides a newline.  This
change is necessary to ensure that diff/apply are actually reliable
inverse operations.
2017-03-16 14:39:54 -04:00
Nick Mathewson
eff9fbd17d Fix an abstraction violation.
Don't alias the insides of smartlist_t; that way lies madness.
2017-03-16 14:38:29 -04:00
Nick Mathewson
69b3e11e59 Use "const" in consdiff.[ch] 2017-03-16 14:38:29 -04:00
Nick Mathewson
3647751c2a prop140: Use sha3-256, not sha2-256
This is a protocol update from recent prop140 changes.

Also, per #21673, we need to check the entire document, including
signatures.
2017-03-16 14:38:29 -04:00
Nick Mathewson
e1418c09fc Fix an unreachable memory leak.
Also add a missing newline.
2017-03-16 14:38:29 -04:00
Nick Mathewson
f193b666cd Remove digest[12]_hex 2017-03-16 14:38:29 -04:00
Nick Mathewson
c6046f4db8 Tweak&test log messages on apply_diff 2017-03-16 14:38:29 -04:00
Nick Mathewson
5766eed38f Fixes when applying diffs: Allow 2-line diffs, fix bogus free
The 2-line diff changs is needed to make the unit tests actually
test the cases that they thought they were testing.

The bogus free was found while testing those cases
2017-03-16 14:38:29 -04:00
Nick Mathewson
ab1fd85c99 Mark some warnings as bugs, and as (hopefully) unreachable. 2017-03-16 14:38:28 -04:00
Nick Mathewson
06017f35e8 Fix some logging on failed apply_ed_diff 2017-03-16 14:38:28 -04:00
Nick Mathewson
97620cf18f No need to end a log message with newline. 2017-03-16 14:38:28 -04:00
Nick Mathewson
360d043ac7 Use "STATIC" to export consdiff fns for testing
Previously test_consdiff.c just did #include "consdiff.c", which is
not great style, and messes up coverage testing.
2017-03-16 14:38:28 -04:00
Daniel Martí
590ffdb2c9 Consensus diff backend from Daniel Martí GSOC project.
(This commit was extracted by nickm based on the final outcome of
the project, taking only the changes in the files touched by this
commit from the consdiff_rebased branch.  The directory-system
changes are going to get worked on separately.)
2017-03-16 14:38:28 -04:00
Nick Mathewson
7505f452c8 Run the copyright update script. 2017-03-15 16:13:17 -04:00
Nick Mathewson
3b2d6da453 Merge branch 'maint-0.3.0' 2017-03-15 11:09:22 -04:00
Nick Mathewson
567a56ae2e Merge branch 'bug20059_024_v2' into maint-0.3.0 2017-03-15 11:07:38 -04:00
Nick Mathewson
ec5fe41209 Avoid a double-mark bug when makring a pending circuit as "too old"
Fixes bug 20059; bugfix on 0.1.0.1-rc.
2017-03-15 11:05:37 -04:00
Nick Mathewson
6004dd2162 Merge branch 'deprecate_getinfo_network_status' 2017-03-15 11:01:26 -04:00
Nick Mathewson
a783c5cbae Merge remote-tracking branch 'public/feature21496' 2017-03-15 10:59:30 -04:00
teor
c34411d9cb Log info about intro point limits when they are reached and reset
Depends on 21594, part of 21622.
2017-03-14 11:54:08 -04:00
teor
c99d0e742a Log more info when a service descriptor has the wrong number of intro points
Depends on 21598, part of 21622.
2017-03-14 11:53:34 -04:00
teor
d0927b6646 Create function to log service introduction point creation limits
Depends on 21594, part of 21622.

(Resolved merge conflict in static function declarations.
2017-03-14 11:53:34 -04:00
Nick Mathewson
236e1f31d9 Fix some compilation warnings in {test_,}hs_descriptor.c
Nothing big: just some const char[]s that should have been static,
and some integer truncation warnings.

Warnings not in any released Tor.
2017-03-13 22:36:47 -04:00
Nick Mathewson
d9cd4b7072 Merge branch 'maint-0.3.0' 2017-03-13 16:22:54 -04:00
Nick Mathewson
43dd9bf0fc Merge remote-tracking branch 'asn/bug21334_v3' 2017-03-13 16:18:55 -04:00
George Kadianakis
61f318b1b0 prop224: Rename padding size def to something less confusing.
People felt it could refer to the descriptor header section instead of
the plaintext of the superencrypted section.
2017-03-13 15:58:28 +02:00
George Kadianakis
e6b03151fb prop224: Add unittests for decode_superencrypted(). 2017-03-13 15:55:21 +02:00
George Kadianakis
163596d9c2 prop224: Move some utility crypto funcs to the top of the file. 2017-03-13 15:55:21 +02:00
George Kadianakis
d0fe199269 prop224: Implement decoding of superencrypted HS descriptor.
[Consider starting review from desc_decrypt_all() ]
2017-03-13 15:55:20 +02:00
George Kadianakis
b2e37b87a7 prop224: Implement encoding of superencrypted HS descriptor.
Also, relaxed the checks of encrypted_data_length_is_valid() since now
only one encrypted section has padding requirements and we don't
actually care to check that all the padding is there.

Consider starting code review from function encode_superencrypted_data().
2017-03-13 15:55:20 +02:00
George Kadianakis
bb602f6197 prop224: Prepare for superencrypted HS descriptors.
- Refactor our HS desc crypto funcs to be able to differentiate between
  the superencrypted layer and the encrypted layer so that different
  crypto constants and padding is used in each layer.

- Introduce some string constants.

- Add some comments.
2017-03-13 15:49:14 +02:00
Nick Mathewson
8587f663ee Remove DIR_SPOOL_CACHED_DIR: Nothing uses it. 2017-03-13 08:02:25 -04:00
Nick Mathewson
16b64fcfe1 Mark GETINFO network-status as deprecated with a warning
control-spec has marked it deprecated for a long time.

Closes ticket 21703.
2017-03-10 12:05:50 -05:00
Alexander Færøy
85dccce35d
Make MAX_DIR_PERIOD independent of MIN_ONION_KEY_LIFETIME.
As part of the work for proposal #274 we are going to remove the need
for MIN_ONION_KEY_LIFETIME and turn it into a dynamic value defined by a
consensus parameter.

See: https://bugs.torproject.org/21641
2017-03-10 13:04:43 +01:00
Nick Mathewson
118d7018d0 Merge branch 'bug21415_testfix_030' 2017-03-09 09:25:19 -05:00
George Kadianakis
6cab0f8ad7 Fix failing bridges+ipv6-min integration test.
The bridges+ipv6-min integration test has a client with bridges:
    Bridge 127.0.0.1:5003
    Bridge [::1]:5003
which got stuck in guard_selection_have_enough_dir_info_to_build_circuits()
because it couldn't find the descriptor of both bridges.

Specifically, the guard_has_descriptor() function could not find the
node_t of the [::1] bridge, because the [::1] bridge had no identity
digest assigned to it.

After further examination, it seems that during fetching the descriptor
for our bridges, we used the CERTS cell to fill the identity digest of
127.0.0.1:5003 properly. However, when we received a CERTS cell from
[::1]:5003 we actually ignored its identity digest because the
learned_router_identity() function was using
get_configured_bridge_by_addr_port_digest() which was returning the
127.0.0.1 bridge instead of the [::1] bridge (because it prioritizes
digest matching over addrport matching).

The fix replaces get_configured_bridge_by_addr_port_digest() with the
recent get_configured_bridge_by_exact_addr_port_digest() function. It
also relaxes the constraints of the
get_configured_bridge_by_exact_addr_port_digest() function by making it
return bridges whose identity digest is not yet known.

By using the _exact_() function, learned_router_identity() actually
fills in the identity digest of the [::1] bridge, which then allows
guard_has_descriptor() to find the right node_t and verify that the
descriptor is there.

FWIW, in the bridges+ipv6-min test both 127.0.0.1 and [::1] bridges
correspond to the same node_t, which I guess makes sense given that it's
actually the same underlying bridge.
2017-03-09 09:19:19 -05:00
George Kadianakis
41324b5ae1 Revert "Restore correct behavior of 0.3.0.4-rc with bridges+ipv6-min"
This reverts commit 5298ab5917.
2017-03-09 09:19:12 -05:00
Alexander Færøy
02fc0a5ecf
Remove fgets() compatbility function and related tests.
This patch removes the `tor_fgets()` wrapper around `fgets(3)` since it
is no longer needed. The function was created due to inconsistency
between the returned values of `fgets(3)` on different versions of Unix
when using `fgets(3)` on non-blocking file descriptors, but with the
recent changes in bug #21654 we switch from unbuffered to direct I/O on
non-blocking file descriptors in our utility module.

We continue to use `fgets(3)` directly in the geoip and dirserv module
since this usage is considered safe.

This patch also removes the test-case that was created to detect
differences in the implementation of `fgets(3)` as well as the changes
file since these changes was not included in any releases yet.

See: https://bugs.torproject.org/21654
2017-03-09 00:10:18 +01:00
Nick Mathewson
27058bd8cb Fix a memory leak in config_get_assigned_option()
This was introducd in 4d83999213 in 0.3.0.3-alpha.  This is bug
21682.
2017-03-08 10:06:48 -05:00
Nick Mathewson
ad19f1507a Merge branch 'maint-0.3.0' 2017-03-07 08:08:28 -05:00
Nick Mathewson
552bc39c32 Merge branch 'bug21594_030_squashed' into maint-0.3.0 2017-03-07 08:05:16 -05:00
teor
93ede051c2 Remove delay in hidden service introduction point checks
Make hidden services with 8 to 10 introduction points check for failed
circuits immediately after startup. Previously, they would wait for 5
minutes before performing their first checks.

Fixes bug 21594; bugfix on commit 190aac0eab in Tor 0.2.3.9-alpha.
Reported by alecmuffett.
2017-03-07 08:04:57 -05:00
Nick Mathewson
88b91d7753 Merge remote-tracking branch 'ahf/bugs/20988' 2017-03-06 12:04:58 -05:00
Nick Mathewson
5203cd2f11 Check for NULL as input to extrainfo_parse_entry_from_string()
We hope this will make the clangalyzer less worried about this function.

Closes ticket 21496.
2017-03-06 11:31:11 -05:00
Nick Mathewson
0a54e5d148 Fix a function name in a comment. Closes 21580 2017-03-06 11:27:50 -05:00
Nick Mathewson
00d1093daf Merge branch 'feature21598_squashed' 2017-03-04 23:22:46 -05:00
teor
f24638aa49 Log a message when a hidden service has fewer intro points than expected
Closes ticket 21598.
2017-03-04 23:22:34 -05:00
Nick Mathewson
958ec0f5f8 Merge branch 'bug21599_squashed' 2017-03-04 23:16:29 -05:00
teor
684778e705 Simplify hidden service descriptor creation
Use an existing flag to check if an introduction point is established.

Cleanup after 21596.

Fixes bug 21599; bugfix on 0.2.7.2-alpha.
2017-03-04 23:15:55 -05:00
Nick Mathewson
fe17955661 Merge remote-tracking branch 'teor/bug21596_030' 2017-03-04 23:10:40 -05:00
Nick Mathewson
3a1cba7d90 Merge branch 'maint-0.3.0' 2017-03-04 20:24:02 -05:00
Nick Mathewson
333d5d0f2a Merge remote-tracking branch 'teor/bug21576_029_v2' into maint-0.3.0 2017-03-04 20:23:38 -05:00
teor
3e2d06bd3d
Make hidden services always check for failed intro point connections
Previously, they would stop checking when they exceeded their intro point
creation limit.

Fixes bug 21596; bugfix on commit d67bf8b2f2 in Tor 0.2.7.2-alpha.
Reported by alecmuffett.
2017-03-02 15:57:58 +11:00
teor
e0486c9371
Make hidden services always check for failed intro point connections
Previously, they would stop checking when they exceeded their intro point
creation limit.

Fixes bug 21596; bugfix on commit d67bf8b2f2 in Tor 0.2.7.2-alpha.
Reported by alecmuffett.
2017-03-02 15:34:45 +11:00
teor
4b5cdb2c30
Fix a crash when a connection tries to open just after it has been unlinked
Fixes bug 21576; bugfix on Tor 0.2.9.3-alpha.
Reported by alecmuffett.
2017-03-02 11:10:30 +11:00
Alexander Færøy
3dca5a6e71
Use tor_fgets() instead of fgets().
This patch changes our use of fgets() to tor_fgets() for more consistent
error handling across different versions of the C library.
2017-03-01 21:26:27 +01:00
Nick Mathewson
7d3883d084 Merge branch 'maint-0.3.0' 2017-03-01 15:11:23 -05:00
Nick Mathewson
5298ab5917 Restore correct behavior of 0.3.0.4-rc with bridges+ipv6-min
In that chutney test, the bridge client is configured to connect to
the same bridge at 127.0.0.1:5003 _and_ at [::1]:5003, with no
change in transports.

That meant, I think, that the descriptor is only assigned to the
first bridge when it arrives, and never the second.
2017-03-01 15:02:16 -05:00
Nick Mathewson
a0a4f8ae5d Merge remote-tracking branch 'asn/bug21586' 2017-03-01 09:21:34 -05:00
George Kadianakis
931948ac6a Prevent SRV assert when called from misconfigured bridge auth. 2017-03-01 15:56:29 +02:00
Nick Mathewson
d8fa6f9ddb Merge branch 'maint-0.3.0' 2017-03-01 08:54:58 -05:00
George Kadianakis
18a98206ed Improve descriptor checks in the new guard algorithm.
- Make sure we check at least two guards for descriptor before making
  circuits. We typically use the first primary guard for circuits, but
  it can also happen that we use the second primary guard (e.g. if we
  pick our first primary guard as an exit), so we should make sure we
  have descriptors for both of them.

- Remove BUG() from the guard_has_descriptor() check since we now know
  that this can happen in rare but legitimate situations as well, and we
  should just move to the next guard in that case.
2017-03-01 08:46:53 -05:00
teor
9340035873
Remove the unused field or_connection_t.is_connection_with_client
To discover if a connection is from a tor client, use:
channel_is_client(TLS_CHAN_TO_BASE(or_connection_t.chan))

Part of 21406.
2017-03-01 16:22:37 +11:00
Nick Mathewson
ef610467fa Merge remote-tracking branch 'teor/bug21507-029' 2017-02-28 11:19:24 -05:00
Nick Mathewson
242f9b3ffb Merge remote-tracking branch 'public/bug21407' 2017-02-28 11:17:30 -05:00
Nick Mathewson
8112800138 Merge branch 'maint-0.3.0' 2017-02-28 08:28:55 -05:00
Nick Mathewson
3a60214f32 Merge remote-tracking branch 'public/bug21007_case2_030' into maint-0.3.0 2017-02-28 08:28:46 -05:00
Nick Mathewson
928235506b Merge branch 'maint-0.3.0' 2017-02-28 08:20:09 -05:00
Nick Mathewson
16f337e763 Merge branch 'bug21027_v2_squashed' into maint-0.3.0 2017-02-28 08:16:43 -05:00
Nick Mathewson
1582adabbb Change approach to preventing duplicate guards.
Previously I'd made a bad assumption in the implementation of
prop271 in 0.3.0.1-alpha: I'd assumed that there couldn't be two
guards with the same identity.  That's true for non-bridges, but in
the bridge case, we allow two bridges to have the same ID if they
have different addr:port combinations -- in order to have the same
bridge ID running multiple PTs.

Fortunately, this assumption wasn't deeply ingrained: we stop
enforcing the "one guard per ID" rule in the bridge case, and
instead enforce "one guard per <id,addr,port>".

We also needed to tweak our implementation of
get_bridge_info_for_guard, since it made the same incorrect
assumption.

Fixes bug 21027; bugfix on 0.3.0.1-alpha.
2017-02-28 08:16:33 -05:00
Nick Mathewson
c0aa7ac5ac Merge branch 'disable_memory_sentinels_squashed' 2017-02-27 16:25:25 -05:00
Nick Mathewson
b923c4dc9f Code to disable memory sentinels for fuzzing
This feature makes it possible to turn off memory sentinels (like
those used for safety in buffers.c and memarea.c) when fuzzing, so
that we can catch bugs that they would otherwise prevent.
2017-02-27 16:25:10 -05:00
Nick Mathewson
b6a9be0415 Merge branch 'maint-0.3.0' 2017-02-27 11:25:46 -05:00
Nick Mathewson
c51919b0da Merge branch 'bug21369_check_029_squashed' into maint-0.3.0 2017-02-27 11:25:34 -05:00
Nick Mathewson
1421f75331 Merge branch 'maint-0.3.0' 2017-02-27 11:03:25 -05:00
Nick Mathewson
2b3518b81f Merge remote-tracking branch 'teor/bug20711' into maint-0.3.0 2017-02-27 11:00:02 -05:00
Nick Mathewson
65b012c90b Fix a wide line 2017-02-27 10:58:26 -05:00
Nick Mathewson
135a0c2054 Fix a "directive within macro arguments" warning 2017-02-27 10:58:19 -05:00
Nick Mathewson
0e7d2882f9 Merge remote-tracking branch 'ahf/bugs/21206' 2017-02-27 10:53:12 -05:00
Nick Mathewson
074f248463 Add one other BUG check to try to fix/solve 21369.
Teor thinks that this connection_dirserv_add_dir_bytes_to_outbuf()
might be the problem, if the "remaining" calculation underflows.  So
I'm adding a couple of checks there, and improving the casts.
2017-02-27 10:01:27 -05:00
Nick Mathewson
ee5471f9aa Try to check for (and prevent) buffer size INT_MAX overflow better.
Possible fix or diagnostic for 21369.
2017-02-27 10:01:27 -05:00
Nick Mathewson
02aaa7f9ed Merge branch 'maint-0.3.0' 2017-02-24 11:37:41 -05:00
Nick Mathewson
619771f60b Whitespace fix. 2017-02-24 11:37:33 -05:00
Nick Mathewson
d73755e36e Merge branch 'maint-0.3.0' 2017-02-24 11:37:04 -05:00
David Goulet
4ed10e5053 hs: Fix bad use of sizeof() when encoding ESTABLISH_INTRO legacy cell
When encoding a legacy ESTABLISH_INTRO cell, we were using the sizeof() on a
pointer instead of using the real size of the destination buffer leading to an
overflow passing an enormous value to the signing digest function.
Fortunately, that value was only used to make sure the destination buffer
length was big enough for the key size and in this case it always was because
of the overflow.

Fixes #21553

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-24 11:36:36 -05:00
Nick Mathewson
5e08fc8557 Also allow C_MEASURE_TIMEOUT circuits to lack guard state.
Fixes a case of 21007; bugfix on 0.3.0.1-alpha when prop271 was
implemented. Found by toralf.
2017-02-24 11:12:21 -05:00
George Kadianakis
f8ac4bb9fd prop224: Rename desc->encrypted_blob to desc->superencrypted_blob 2017-02-24 16:37:24 +02:00
George Kadianakis
6d71eda263 prop224: Rename auth_required HS desc field to intro_auth_required.
And remove "password" type from the list of intro auths.
2017-02-24 16:37:24 +02:00
Nick Mathewson
515e1f663a Add an O(1) map from channel->global_identifier to channel 2017-02-21 20:58:25 -05:00
teor
57154e71aa
Reject Tor versions that contain non-numeric prefixes
strto* and _atoi64 accept +, -, and various whitespace before numeric
characters. And permitted whitespace is different between POSIX and Windows.

Fixes bug 21507 and part of 21508; bugfix on 0.0.8pre1.
2017-02-19 22:38:06 +11:00
Nick Mathewson
efa5bbaba0 Merge branch 'maint-0.3.0' 2017-02-17 11:47:49 -05:00
Nick Mathewson
823fb68a14 Remove a redundant check in ..transition_affects_guards()
scan-build found that we we checking UseEntryGuards twice.

Fixes bug 21492.
2017-02-17 11:47:25 -05:00
Nick Mathewson
9b1d99018b Merge branch 'maint-0.3.0' 2017-02-17 11:33:04 -05:00
Nick Mathewson
5dbbd6bc39 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-02-17 11:32:45 -05:00
Nick Mathewson
67cec7578c Check for micro < 0, rather than checking "minor" twice.
Bug found with clang scan-build.  Fixes bug on f63e06d3dc.
Bug not present in any released Tor.
2017-02-17 11:31:39 -05:00
Nick Mathewson
d004b9222e The UseCreateFast consensus parameter now defaults to 0.
You can still override it with FastFirstHopPK.  But that's
deprecated.

Closes ticket 21407.
2017-02-16 15:30:26 -05:00
Alexander Færøy
3848d23643 Save number of sent/received RELAY_DATA cells for directory connections.
This patch makes us store the number of sent and received RELAY_DATA
cells used for directory connections. We log the numbers after we have
received an EOF in connection_dir_client_reached_eof() from the
directory server.
2017-02-16 15:11:53 +00:00
Nick Mathewson
31be66ea5a Merge remote-tracking branch 'meejah/ticket-21329-onions-current' 2017-02-16 09:40:56 -05:00
David Goulet
3336f26e60 hs: Avoid a strlen(NULL) if descriptor is not found in cache
Instead of returning 404 error code, this led to a NULL pointer being used and
thus a crash of tor.

Fixes #21471

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-15 10:27:41 -05:00
Nick Mathewson
d633c4757c Merge branch 'maint-0.2.9' 2017-02-15 08:19:51 -05:00
Nick Mathewson
fea93abecd whoops; make 21450 compile 2017-02-15 08:19:37 -05:00
Nick Mathewson
62f98ad485 Merge branch 'maint-0.2.9' 2017-02-15 07:58:15 -05:00
Nick Mathewson
cb6b3b7cad Limit version numbers to 0...INT32_MAX.
Closes 21450; patch from teor.
2017-02-15 07:57:34 -05:00
Nick Mathewson
76d79d597a Merge branch 'maint-0.2.9' 2017-02-15 07:48:42 -05:00
Nick Mathewson
5d88267bf4 Merge branch 'bug21278_extra_029' into maint-0.2.9 2017-02-15 07:48:30 -05:00
Nick Mathewson
ec6b5a098d Merge branch 'bug21278_redux_029_squashed' into maint-0.2.9 2017-02-15 07:48:18 -05:00
Nick Mathewson
eeb743588a Merge branch 'maint-0.2.8' into maint-0.2.9 2017-02-15 07:48:10 -05:00
Nick Mathewson
1ebdae6171 Merge branch 'maint-0.2.7' into maint-0.2.8 2017-02-15 07:47:28 -05:00
Nick Mathewson
ed806843dc Merge branch 'maint-0.2.6' into maint-0.2.7 2017-02-15 07:47:21 -05:00
Nick Mathewson
3781f24b80 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-15 07:47:12 -05:00
Nick Mathewson
a452b71395 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-15 07:47:04 -05:00
Roger Dingledine
3c4da8a130 give tor_version_parse_platform some function documentation 2017-02-15 07:46:34 -05:00
Nick Mathewson
02e05bd74d When examining descriptors as a dirserver, reject ones with bad versions
This is an extra fix for bug 21278: it ensures that these
descriptors and platforms will never be listed in a legit consensus.
2017-02-15 07:46:34 -05:00
Nick Mathewson
f63e06d3dc Extract the part of tor_version_as_new_as that extracts platform
Also add a "strict" mode to reject negative inputs.
2017-02-15 07:46:34 -05:00
Nick Mathewson
dec7dc3d82 Merge remote-tracking branch 'dgoulet/ticket20656_030_01' 2017-02-14 19:15:10 -05:00
Nick Mathewson
7e469c1002 Merge branch 'bug20894_029_v3' 2017-02-14 19:10:20 -05:00
Nick Mathewson
4c1ecd7583 fixup! Don't atoi off the end of a buffer chunk.
Use STATIC.
2017-02-14 16:45:18 -05:00
Nick Mathewson
c4f2faf301 Don't atoi off the end of a buffer chunk.
Fixes bug 20894; bugfix on 0.2.0.16-alpha.

We already applied a workaround for this as 20834, so no need to
freak out (unless you didn't apply 20384 yet).
2017-02-14 16:38:47 -05:00
Nick Mathewson
a0ef3cf088 Prevent int underflow in dirvote.c compare_vote_rs_.
This should be "impossible" without making a SHA1 collision, but
let's not keep the assumption that SHA1 collisions are super-hard.

This prevents another case related to 21278.  There should be no
behavioral change unless -ftrapv is on.
2017-02-14 16:31:23 -05:00
Nick Mathewson
1afc2ed956 Fix policies.c instance of the "if (r=(a-b)) return r" pattern
I think this one probably can't underflow, since the input ranges
are small.  But let's not tempt fate.

This patch also replaces the "cmp" functions here with just "eq"
functions, since nothing actually checked for anything besides 0 and
nonzero.

Related to 21278.
2017-02-14 16:31:11 -05:00
Nick Mathewson
194e31057f Avoid integer underflow in tor_version_compare.
Fix for TROVE-2017-001 and bug 21278.

(Note: Instead of handling signed ints "correctly", we keep the old
behavior, except for the part where we would crash with -ftrapv.)
2017-02-14 16:10:27 -05:00
David Goulet
3f005c0433 protover: Add new version for prop224 for HSIntro/HSDir
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-14 10:51:18 -05:00
Nick Mathewson
f5995692da Replace entry_guard_get_by_id_digest_for_guard_selection impl.
We already implemented this whole function somewhere else; no need
to have the same code twice.
2017-02-14 10:28:54 -05:00
Alexander Færøy
89334a040d Remove unused variable in directory_command_should_use_begindir()
This patch removes the unused router_purpose variable in
directory_command_should_use_begindir().
2017-02-10 23:01:52 +00:00
Alexander Færøy
a0ee5777b0 Change RELAY_BEGINDIR to RELAY_BEGIN_DIR in comments.
This is a purely cosmetic patch that changes RELAY_BEGINDIR in various
comments to RELAY_BEGIN_DIR, which should make it easier to grep for the
symbols.
2017-02-09 16:48:11 +00:00
Nick Mathewson
2670844b2b whoops, removed a semicolon :( 2017-02-09 10:59:48 -05:00
Nick Mathewson
f594bdb3ad One more prop271 XXX. 2017-02-09 10:52:47 -05:00
Nick Mathewson
14c2a1f403 Update some more XXXXprop271 comments to refer to actual tickets or to be up-to-date 2017-02-09 10:48:28 -05:00
Nick Mathewson
3919f4f529 Remove an XXXprop271 comment: turns out we didn't need a tristate 2017-02-09 10:30:20 -05:00
Nick Mathewson
d15273e9f5 Change "prop271" in XXXXs about guard Ed identity to refer to #20872. 2017-02-09 10:29:02 -05:00
Nick Mathewson
fe76741021 Remove a suggestion in an XXX271 comment; it is now 21424. 2017-02-09 10:25:32 -05:00
Nick Mathewson
41f880c396 Remove an XXXprop271 comment that has been replaced by #21423 2017-02-09 10:13:54 -05:00
Nick Mathewson
875e5ee3f7 Revise an XXXprop271 comment -- it has been superseded by #21422 2017-02-09 10:11:44 -05:00
Nick Mathewson
58208457a6 Remove an XXXprop271 comment -- it has been replaced by #21421 2017-02-09 10:07:56 -05:00
Nick Mathewson
f263cf954a Remove a redundant XXX271 comment 2017-02-09 09:57:39 -05:00
Alexander Færøy
56bbaed0dc Log response size in connection_dir_client_reached_eof()
This patch ensures that we log the size of the inbuf when a directory
client have reached EOF on the connection.

See: https://bugs.torproject.org/21206
2017-02-07 16:11:01 +00:00
Alexander Færøy
bf37ca07fc Be explicit about body size in log messages.
This patch makes the log-statements in `connection_dir_client_reached_eof`
more explicit by writing "body size" instead of just "size" which could
be confused as being the size of the entire response, which would
include HTTP status-line and headers.

See: https://bugs.torproject.org/21206
2017-02-07 16:08:56 +00:00
Nick Mathewson
4bce2072ac Merge branch 'maint-0.2.6' into maint-0.2.7 2017-02-07 10:39:03 -05:00
Nick Mathewson
f2a30413a3 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-07 10:37:53 -05:00
Nick Mathewson
2ce4330249 Merge remote-tracking branch 'public/bug18710_025' into maint-0.2.5 2017-02-07 10:37:43 -05:00
Nick Mathewson
c056d19323 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-07 10:37:31 -05:00
Alexander Færøy
06e15c8b7c Add debug log statement when sending a directory command.
This patch adds a debug log statement when sending a request to a
directory server. The information logged includes: the payload size (if
available), the total size of the request, the address and port of the
directory server, and the purpose of the directory connection.

See: https://bugs.torproject.org/21206
2017-02-07 15:04:59 +00:00
Nick Mathewson
85a2487f97 Disable a log_backtrace (which 0.2.4 does not have) in 16248 fix 2017-02-07 09:49:23 -05:00
Nick Mathewson
cfeb1db2fb Add comments to connection_check_event(). 2017-02-07 09:48:24 -05:00
Nick Mathewson
457d38a6e9 Change behavior on missing/present event to warn instead of asserting.
Add a changes file.
2017-02-07 09:48:19 -05:00
Nick Mathewson
650c03127a If we start/stop reading on a dnsserv connection, don't assert.
Fixes bug 16248. Patch from cypherpunks.  Bugfix on 0.2.0.1-alpha.
2017-02-07 09:48:13 -05:00
Nick Mathewson
5446cb8d3d Revert "Add hidserv-stats filname to our sandbox filter"
Reverting this in 0.2.6 only -- we're no backporting
seccomp2-loosening fixes to 0.2.6.

This reverts commit 2ec5e24c58.
2017-02-07 09:28:50 -05:00
Nick Mathewson
9379984128 Merge branch 'teor_bug21357-v2_029' into maint-0.2.9 2017-02-07 09:24:08 -05:00
Nick Mathewson
c6f2ae514e Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-07 09:18:54 -05:00
Nick Mathewson
b9ef21cf56 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-07 09:17:59 -05:00
Nick Mathewson
e4a42242ea Backport the tonga->bifroest move to 0.2.4.
This is a backport of 19728 and 19690
2017-02-07 09:15:21 -05:00
John Brooks
053e11f397 Fix out-of-bounds read in INTRODUCE2 client auth
The length of auth_data from an INTRODUCE2 cell is checked when the
auth_type is recognized (1 or 2), but not for any other non-zero
auth_type. Later, auth_data is assumed to have at least
REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds
read.

Fixed by checking auth_len before comparing the descriptor cookie
against known clients.

Fixes #15823; bugfix on 0.2.1.6-alpha.
2017-02-07 08:31:37 -05:00
Nick Mathewson
19e25d5cab Prevention: never die from extend_info_from_node() failure.
Bug 21242 occurred because we asserted that extend_info_from_node()
had succeeded...even though we already had the code to handle such a
failure.  We fixed that in 93b39c5162.

But there were four other cases in our code where we called
extend_info_from_node() and either tor_assert()ed that it returned
non-NULL, or [in one case] silently assumed that it returned
non-NULL. That's not such a great idea.  This patch makes those
cases check for a bug of this kind instead.

Fixes bug 21372; bugfix on 0.2.3.1-alpha when
extend_info_from_node() was introduced.
2017-02-03 10:35:07 -05:00
Nick Mathewson
9d5a9feb40 Merge branch 'dgoulet/bug21302_030_01_squashed' 2017-02-03 09:54:24 -05:00
David Goulet
eea763400f hs: Remove intro point expiring node if no circuit
Once a second, we go over all services and consider the validity of the intro
points. Now, also try to remove expiring nodes that have no more circuit
associated to them. This is possible if we moved an intro point object
previously to that list and the circuit actually timed out or was closed by
the introduction point itself.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-03 09:54:07 -05:00
David Goulet
8573d99470 hs: Fix an underflow in rend_service_intro_has_opened()
In rend_service_intro_has_opened(), this is subject to a possible underflow
because of how the if() casts the results. In the case where the expiring
nodes list length is bigger than the number of IP circuits, we end up in the
following situation where the result will be cast to an unsigned int. For
instance, "5 - 6" is actually a BIG number.

Ultimately leading to closing IP circuits in a non stop loop.

Partially fixes #21302.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-03 09:54:06 -05:00
cypherpunks
27df23abb6 Use the standard OpenBSD preprocessor definition 2017-02-03 09:37:39 -05:00
Nick Mathewson
0f79fb51e5 dirauth: Fix for calling routers unreachable for wrong ed25519
Previously the dirserv_orconn_tls_done() function would skip routers
when they advertised an ed25519 key but didn't present it during the
link handshake.  But that covers all versions between 0.2.7.2-alpha
and 0.2.9.x inclusive!

Fixes bug 21107; bugfix on 0.3.0.1-alpha.
2017-02-02 10:37:25 -05:00
Nick Mathewson
d732409402 In dirserv_single_reachability_test, node can be const. 2017-02-02 09:36:36 -05:00
Nick Mathewson
6777cd0a84 Merge remote-tracking branch 'public/bug21356_029' 2017-02-02 09:03:13 -05:00
Nick Mathewson
b11f00c153 Merge branch 'bug21294_030_01_squashed' 2017-02-02 08:48:20 -05:00
David Goulet
83df359214 config: Stop recommending Tor2web if in non anonymous mode
Because we don't allow client functionalities in non anonymous mode,
recommending Tor2web is a bad idea.

If a user wants to use Tor2web as a client (losing all anonymity), it should
run a second tor, not use it with a single onion service tor.

Fixes #21294.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-02 08:47:59 -05:00
Nick Mathewson
2d2ab29ce8 Merge remote-tracking branch 'asn/bug21052' 2017-02-01 15:53:16 -05:00
David Goulet
cc0342a2ae hs: Fix possible integer underflow with IP nodes
In rend_consider_services_intro_points(), we had a possible interger underflow
which could lead to creating a very large number of intro points. We had a
safe guard against that *except* if the expiring_nodes list was not empty
which is realistic thing.

This commit removes the check on the expiring nodes length being zero. It's
not because we have an empty list of expiring nodes that we don't want to open
new IPs. Prior to this check, we remove invalid IP nodes from the main list of
a service so it should be the only thing to look at when deciding if we need
to create new IP(s) or not.

Partially fixes #21302.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-01 11:07:09 -05:00
Nick Mathewson
f1530d0e5a Merge branch 'teor_bug21357-v2_029' 2017-02-01 09:39:25 -05:00
teor
408c53b7a7 Scale IPv6 address counts in policy_summary_reject to avoid overflow
This disregards anything smaller than an IPv6 /64, and rejects ports that
are rejected on an IPv6 /16 or larger.

Adjust existing unit tests, and add more to cover exceptional cases.

No IPv4 behaviour changes.

Fixes bug 21357
2017-02-01 09:39:06 -05:00