Commit Graph

21093 Commits

Author SHA1 Message Date
Nick Mathewson
df0b4f0342 Merge branch 'feature16769_squashed' 2015-09-22 09:26:30 -04:00
Nick Mathewson
8234fa0053 Remove --master-key form the changes file 2015-09-22 09:24:35 -04:00
Nick Mathewson
1911f80fb5 Disable --master-key as not-yet-working for 0.2.7 2015-09-22 09:24:35 -04:00
Nick Mathewson
bca4211de5 Add a --master-key option
This lets the user override the default location for the master key
when used with --keygen

Part of 16769.
2015-09-22 09:24:35 -04:00
Nick Mathewson
d8f031aec2 Add a new --newpass option to add or remove secret key passphrases. 2015-09-22 09:24:35 -04:00
Nick Mathewson
e94ef30a2f Merge branch 'feature16944_v2' 2015-09-22 09:19:28 -04:00
Nick Mathewson
2a9650625f Sort changelog entries a little more 2015-09-22 09:14:07 -04:00
Nick Mathewson
99f94feb6a Merge branch 'bug17109_v2_squashed' 2015-09-22 08:36:39 -04:00
Sebastian Hahn
ae98dd255b Check that openssl has ECC support during configure
This allows builds on machines with a crippled openssl to fail early
during configure. Bugfix on 0.2.7.1-alpha, which introduced the
requirement for ECC support. Fixes bug 17109.
2015-09-22 08:36:28 -04:00
teor (Tim Wilson-Brown)
b584152874 Update private ExitPolicy in man page and torrcs for 10727, formatting
Update the definition of the private exit policy in the man page
and torrcs. It didn't get merged correctly into the man page, and
it was incomplete in the torrcs. (Unfortunately, we only reject the
primary configured IPv4 and IPv6 addresses, not all configured IPv4
and IPv6 addresses.)

Also fixup msn page formatting errors from changes in tickets 16069
and 17027, mainly unescaped *s.
2015-09-22 12:14:27 +10:00
teor (Tim Wilson-Brown)
7268525142 Add IPv6 syntax to ExitPolicy intro paragraph in man page 2015-09-22 11:44:13 +10:00
teor (Tim Wilson-Brown)
249e82c906 Update docs with advice for separate IPv4 and IPv6 exit policies
Advise users how to configure separate IPv4 and IPv6 exit
policies in the manpage and sample torrcs.

Related to fixes in ticket #16069 and #17027. Patch by "teor".
Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-22 11:41:16 +10:00
Nick Mathewson
d27534eeb5 fold new entries into changelog for 0.2.7.3 2015-09-21 13:58:20 -04:00
Nick Mathewson
c84f3c9177 Merge remote-tracking branch 'public/bug17047' 2015-09-16 08:46:13 -04:00
Nick Mathewson
b257e34583 Merge remote-tracking branch 'teor/bug16069-bug17027' 2015-09-16 08:20:15 -04:00
Sebastian Hahn
98da122ab4 Don't enable SSE2 on X86-64.
This removes a comment presumably introduced for debugging that was left
in accidentally. Bug not in any released version of Tor. Fixes bug
17092.
2015-09-16 14:08:38 +02:00
teor (Tim Wilson-Brown)
a659a3fced Merge branch 'bug17027-reject-private-all-interfaces-v2' into bug16069-bug17027
src/test/test_policy.c:
Merged calls to policies_parse_exit_policy by adding additional arguments.
fixup to remaining instance of ~EXIT_POLICY_IPV6_ENABLED.
Compacting logic test now produces previous list length of 4, corrected this.

src/config/torrc.sample.in:
src/config/torrc.minimal.in-staging:
Merged torrc modification dates in favour of latest.
2015-09-16 09:09:54 +10:00
teor (Tim Wilson-Brown)
fd85f2cd70 fixup Clarify ambiguous log message in router_add_exit_policy 2015-09-16 03:59:30 +10:00
teor (Tim Wilson-Brown)
ab6f93caa7 fixup Only set TAPMP_STAR_IPV6_ONLY if TAPMP_EXTENDED_STAR is set
Also fix a comment.
2015-09-16 03:58:06 +10:00
teor (Tim Wilson-Brown)
eb1759e63c Log an info-level message for each IP blocked by ExitPolicyRejectPrivate
Log an info-level message containing the reject line added to the
exit policy for each local IP address blocked by ExitPolicyRejectPrivate:
 - Published IPv4 and IPv6 addresses
 - Publicly routable IPv4 and IPv6 interface addresses
2015-09-16 02:58:34 +10:00
teor (Tim Wilson-Brown)
098b82c7b2 ExitPolicyRejectPrivate rejects local IPv6 address and interface addresses
ExitPolicyRejectPrivate now rejects more local addresses by default:
 * the relay's published IPv6 address (if any), and
 * any publicly routable IPv4 or IPv6 addresses on any local interfaces.

This resolves a security issue for IPv6 Exits and multihomed Exits that
trust connections originating from localhost.

Resolves ticket 17027. Patch by "teor".
Patch on 42b8fb5a15 (11 Nov 2007), released in 0.2.0.11-alpha.
2015-09-16 02:56:50 +10:00
Ola Bini
5b43ecf2b3
Fix procmon_new to correctly use zeroed memory - otherwise it can blow up if the free call by mistake works on something that is allocated 2015-09-15 18:44:53 +02:00
Reinaldo de Souza Jr
4ff08bb581 Add tests for directory_handle_command_get 2015-09-15 11:08:50 -05:00
Ola Bini
b4950c9334
Add tests for procmon. These currently fail. Investigation should happen before submitting 2015-09-15 17:56:56 +02:00
Ola Bini
28370fe77f
Add tests for util_format 2015-09-15 17:40:16 +02:00
Ola Bini
cf4f50f943
Add tests for util_process 2015-09-15 17:37:25 +02:00
Ola Bini
9985a62a67
Add tests for compat_libevent 2015-09-15 17:20:44 +02:00
Ola Bini
94e5db3dca
Add tests for tortls.c 2015-09-15 17:09:18 +02:00
teor (Tim Wilson-Brown)
047989ea28 fixup add malformed_list to unit tests from d3358a0a05 IPv6 wildcards
The unit tests added in e033d5e90b got malformed_list added to
router_parse_addr_policy_item_from_string calls, but unit tests from
subsequent commits didn't get the extra argument until now.
2015-09-16 00:34:12 +10:00
Ola Bini
ade5005853
Add tests for the rend cache 2015-09-15 16:21:50 +02:00
teor (Tim Wilson-Brown)
d3358a0a05 ExitPolicy accept6/reject6 produces IPv6 wildcard addresses only
In previous versions of Tor, ExitPolicy accept6/reject6 * produced
policy entries for IPv4 and IPv6 wildcard addresses.

To reduce operator confusion, change accept6/reject6 * to only produce
an IPv6 wildcard address.

Resolves bug #16069.

Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-16 00:13:12 +10:00
teor (Tim Wilson-Brown)
36ad8d8fdc Warn about redundant torrc ExitPolicy lines due to accept/reject *:*
Tor now warns when ExitPolicy lines occur after accept/reject *:*
or variants. These lines are redundant, and were always ignored.

Partial fix for ticket 16069. Patch by "teor".
Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-16 00:13:12 +10:00
teor (Tim Wilson-Brown)
e033d5e90b Ignore accept6/reject6 IPv4, warn about unexpected rule outcomes
When parsing torrc ExitPolicies, we now warn if:
  * an IPv4 address is used on an accept6 or reject6 line. The line is
    ignored, but the rest of the policy items in the list are used.
    (accept/reject continue to allow both IPv4 and IPv6 addresses in torrcs.)
  * a "private" address alias is used on an accept6 or reject6 line.
    The line filters both IPv4 and IPv6 private addresses, disregarding
    the 6 in accept6/reject6.

When parsing torrc ExitPolicies, we now issue an info-level message:
  * when expanding an accept/reject * line to include both IPv4 and IPv6
    wildcard addresses.

In each instance, usage advice is provided to avoid the message.

Partial fix for ticket 16069. Patch by "teor".
Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-16 00:13:03 +10:00
Ola Bini
73ba9f337c
Add several tests for address.h 2015-09-15 15:49:54 +02:00
teor (Tim Wilson-Brown)
31eb486c46 Add get_interface_address[6]_list for a list of interface IP addresses
Add get_interface_address[6]_list by refactoring
get_interface_address6. Add unit tests for new and existing functions.

Preparation for ticket 17027. Patch by "teor".
Patch on 42b8fb5a15 (11 Nov 2007), released in 0.2.0.11-alpha.
2015-09-15 17:04:18 +10:00
teor (Tim Wilson-Brown)
99d2869ab5 Add unit tests for wildcard, IPv4, IPv6 routerset parsing
Tests changes to enable IPv6 literals in routerset_parse in #17060.
Patch by "teor".
2015-09-14 20:16:43 +10:00
teor (Tim Wilson-Brown)
c58b3726d6 Allow IPv6 literal addresses in routersets
routerset_parse now accepts IPv6 literal addresses.

Fix for ticket 17060. Patch by "teor".
Patch on 3ce6e2fba2 (24 Jul 2008), and related commits,
released in 0.2.1.3-alpha.
2015-09-14 20:01:36 +10:00
teor (Tim Wilson-Brown)
60312dc08b Update comments about ExitPolicy parsing
Fix incomplete and incorrect comments.

Comment changes only.
2015-09-14 11:12:28 +10:00
Nick Mathewson
a444b11323 Convince coverity that we do not have a particular memory leak 2015-09-13 14:44:46 -04:00
Nick Mathewson
902517a7c0 Use SSL_get_client_ciphers() on openssl 1.1+, not SSL_get_ciphers...
(which isn't correct.)

Fixes bug 17047; bugfix on 0.2.7.2-alpha, introduced by the merge in
0030765e04, apparently.
2015-09-13 11:51:51 -04:00
David Goulet
8b98172579 Add a rend cache failure info dup function
When validating a new descriptor against our rend cache failure, we were
added the failure entry to the new cache entry without duplicating. It was
then freed just after the validation ending up in a very bad memory state
that was making tor abort(). To fix this, a dup function has been added and
used just before adding the failure entry.

Fixes #17041

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-09-11 15:09:07 +02:00
Nick Mathewson
41891cbf93 Merge remote-tracking branch 'public/ed25519_hup_v2' 2015-09-10 10:37:13 -04:00
Nick Mathewson
901732a1bc Merge remote-tracking branch 'teor/make-test-network-all' 2015-09-10 10:35:06 -04:00
Nick Mathewson
5342760a5b Merge remote-tracking branch 'teor/configure-use-colon' 2015-09-10 10:03:44 -04:00
teor (Tim Wilson-Brown)
4bc8dc1c76 fixup Some slower configurations need 35 seconds to bootstrap
Some slower configurations, like OS X i386, need 35 seconds to reliably
bootstrap larger chutney networks. Increase default bootstrap time in
src/test/test-network.h to 35 seconds.
2015-09-10 17:40:47 +10:00
teor (Tim Wilson-Brown)
c6383bf90b Use : rather than /bin/true in configure.ac
Some platforms have true at different locations, like /usr/bin/true.
2015-09-10 17:33:59 +10:00
Nick Mathewson
6f35fd07c9 Bump default test-network bootstrap time to 35 sec (see 16953) 2015-09-09 13:23:32 -04:00
Nick Mathewson
fa89eb60e9 Merge remote-tracking branch 'yawning/feature15482_fixup' 2015-09-09 09:56:59 -04:00
Yawning Angel
f6c446db47 Check NoKeepAliveIsolateSOCKSAuth in a better place.
No functional changes, but since NoKeepAliveIsolateSOCKSAuth isn't
part of isoflag, it should be checked where all other similar options
are, and bypass the (no-op) masking at the end.
2015-09-09 13:52:30 +00:00
Nick Mathewson
2f8c0584bf Fold changes files into changelog 2015-09-09 09:44:31 -04:00