Commit Graph

31348 Commits

Author SHA1 Message Date
David Goulet
59bae7cbee hs-v2: Disable version 2 directory
Relay do not accept both stores and lookups of version 2 descriptor.
This effectively disable version 2 HSDir supports for relays.

Part of #40476

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-09-30 10:46:17 -04:00
David Goulet
ff3ac02702 hs-v2: Disable version 2 introduction point
Upon receiving a v2 introduction request, the relay will close the
circuit and send back a tor protocol error.

Part of #40476

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-09-30 10:40:19 -04:00
David Goulet
765bdb9c33 hs-v2: Disable version 2 service
The minimum service version is raised from 2 to 3 which effectively
disable loading or creating an onion service v2.

As for ADD_ONION, for version 2, a 551 error is returned:

  "551 Failed to add Onion Service"

Part of #40476

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-09-30 10:38:08 -04:00
David Goulet
13b2b1108f hs-v2: Disable SOCKS connection for v2 addresses
This effectively turns off the ability of tor to use HSv2 as a client by
invalidating the v2 onion hostname passed through a SOCKS request.

Part of #40476

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-09-30 10:26:37 -04:00
Alexander Færøy
fcef8e3f75 Only check for bindable ports if we are unsure if it will fail.
We currently assume that the only way for Tor to listen on ports in the
privileged port range (1 to 1023), on Linux, is if we are granted the
NET_BIND_SERVICE capability. Today on Linux, it's possible to specify
the beginning of the unprivileged port range using a sysctl
configuration option. Docker (and thus the CI service Tor uses) recently
changed this sysctl value to 0, which causes our tests to fail as they
assume that we should NOT be able to bind to a privileged port *without*
the NET_BIND_SERVICE capability.

In this patch, we read the value of the sysctl value via the /proc/sys/
filesystem iff it's present, otherwise we assume the default
unprivileged port range begins at port 1024.

See: tor#40275
2021-09-13 18:33:27 +02:00
Alexander Færøy
12b64845ae Use Debian bullseye for our hardened build. 2021-09-13 18:13:10 +02:00
Alexander Færøy
84d6f977e7 Force amd64 for CI builds. 2021-09-13 18:08:49 +02:00
David Goulet
a8ce645ab0 Bump version to -dev
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-08-16 16:33:58 -04:00
Alexander Færøy
b07cd2ee90 Use debian:buster instead of debian:stable for now. 2021-08-16 13:57:56 +00:00
Nick Mathewson
2984fba97a Make the version 0.3.6.16, not 0.3.6.16-dev. 2021-08-16 08:17:59 -04:00
David Goulet
041a0a362f Update version to 0.3.5.16
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-08-13 09:43:44 -04:00
Alexander Færøy
eca5b62213 Update GeoIP files to match IPFire location DB as per 2021/08/12. 2021-08-12 15:38:11 +00:00
Alexander Færøy
7e0971d868 Merge remote-tracking branch 'tor-gitlab/mr/417' into maint-0.3.5 2021-08-11 13:15:35 +00:00
George Kadianakis
fe5a9db1e6 Disable ed25519-donna's batch verification.
Fixes bug 40078.

As reported by hdevalence our batch verification logic can cause an assert
crash.

The assert happens because when the batch verification of ed25519-donna fails,
the code in `ed25519_checksig_batch()` falls back to doing a single
verification for each signature.

The crash occurs because batch verification failed, but then all signatures
individually verified just fine.

That's because batch verification and single verification use a different
equation which means that there are sigs that can pass single verification
but fail batch verification.

Fixing this would require modding ed25519-donna which is not in scope for
this ticket, and will be soon deprecated in favor of arti and
ed25519-dalek, so my branch instead removes batch verification.
2021-08-11 13:14:05 +00:00
David Goulet
0e60b65f6c fallbackdir: Regenerate list
New list for all stable releases.

Closes #40447

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-08-11 09:07:05 -04:00
David Goulet
399518da02 relay: Reduce streaming compression ratio from HIGH to LOW
Fixes #40301

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-08-11 12:51:32 +00:00
Nick Mathewson
87492154e0 Bump to 0.3.5.15-dev 2021-06-14 11:45:30 -04:00
George Kadianakis
f57b5c48e0 Fix TROVE-2021-006: Out-of-bounds read on v3 desc parsing 2021-06-10 12:11:10 -04:00
David Goulet
adb248b6d6 TROVE-2021-003: Check layer_hint before half-closed end and resolve cells
This issue was reported by Jann Horn part of Google's Project Zero.

Jann's one-sentence summary: entry/middle relays can spoof RELAY_END cells on
half-closed streams, which can lead to stream confusion between OP and
exit.

Fixes #40389
2021-06-10 08:50:05 -04:00
Nick Mathewson
d71bf986b4 Merge branch 'bug40391_035' into maint-0.3.5 2021-06-10 08:41:59 -04:00
Nick Mathewson
7fdfc2ea54 Merge branch 'bug40390_035_squashed' into maint-0.3.5 2021-06-10 08:34:25 -04:00
Nick Mathewson
c0aa9e0a1b Assert on _all_ failures from RAND_bytes().
Previously, we would detect errors from a missing RNG
implementation, but not failures from the RNG code itself.

Fortunately, it appears those failures do not happen in practice
when Tor is using OpenSSL's default RNG implementation.  Fixes bug
40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
2021-06-10 08:33:57 -04:00
Nick Mathewson
520d5c108f Update geoip files to match ipfire location db, 2021/06/10. 2021-06-10 08:20:13 -04:00
Nick Mathewson
ed7f4ad4a9 Bump to 0.3.5.15. 2021-06-07 13:29:35 -04:00
Nick Mathewson
42ba87d964 Remove the function tor_tls_assert_renegotiation_unblocked.
It was used nowhere outside its own unit tests, and it was causing
compilation issues with recent OpenSSL 3.0.0 alphas.

Closes ticket 40399.
2021-05-25 07:38:31 -04:00
Nick Mathewson
4c06c619fa Use a more secure hash function for the circuitmux hashtable.
Fixes bug 40931; bugfix on 0.2.4.4-alpha. Also tracked as
TROVE-2021-005.

This issue was reported by Jann Horn from Google's Project Zero.
2021-05-18 08:40:09 -04:00
Nick Mathewson
e2c1ac214c Reindent a few lines to fix a GCC warning.
As of GCC 11.1.1, the compiler warns us about code like this:

     if (a)
         b;
         c;

and that's a good thing: we wouldn't want to "goto fail".  But we
had an instance if this in circuituse.c, which was making our
compilation sad.

Fixes bug 40380; bugfix on 0.3.0.1-alpha.
2021-05-07 10:39:20 -04:00
Nick Mathewson
621f8a304a Update geoip files to match ipfire location db, 2021/05/07. 2021-05-07 09:53:46 -04:00
George Kadianakis
32eea3b006 Merge remote-tracking branch 'tor-gitlab/mr/363' into maint-0.3.5 2021-04-21 16:48:22 +03:00
David Goulet
131e2d99a4 fallbackdir: Remove two unspec lines
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-04-14 08:39:04 -04:00
Nick Mathewson
5e6905ed99 Fix test naming, and fix tests on windows.
This is a bugfix against my fix for #40133, which has not yet
appeared in 0.3.5.
2021-04-13 17:38:31 -04:00
David Goulet
ee7c50b8a7 fallbackdir: Renegerate list with 200 relays
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-04-13 15:15:58 -04:00
Nick Mathewson
32f5ad7665 Update geoip files to match ipfire location db, 2021/04/13. 2021-04-13 10:35:50 -04:00
Nick Mathewson
3271c0bde7 Bump to 0.3.5.14-dev 2021-03-16 09:17:31 -04:00
Nick Mathewson
f078aab71e Merge branch 'bug40316_035_v2' into maint-0.3.5 2021-03-15 08:58:54 -04:00
Nick Mathewson
890ae4fb1a Fix detection of point to insert signatures on a pending consensus.
We were looking for the first instance of "directory-signature "
when instead the correct behavior is to look for the first instance
of "directory-signature " at the start of a line.

Unfortunately, this can be exploited as to crash authorities while
they're voting.

Fixes #40316; bugfix on 0.2.2.4-alpha.  This is TROVE-2021-002,
also tracked as CVE-2021-28090.
2021-03-15 08:56:58 -04:00
Nick Mathewson
efca9ce41c Clarify new intended strategy with TROVE-2021-001
We're going to disable this feature in all versions for now.
2021-03-15 08:53:36 -04:00
Nick Mathewson
f46f4562cf Merge branch 'bug40286_disable_min_035' into maint-0.3.5 2021-03-15 08:41:03 -04:00
Nick Mathewson
1a0b5fd569 Bump to 0.3.5.14 2021-03-15 07:39:45 -04:00
Nick Mathewson
02230575c4 Remove maxmind license; add ipfire location database license (cc by-sa 4.0) 2021-03-12 11:36:28 -05:00
Nick Mathewson
c1ce126c74 Use the right ticket number. 2021-03-12 11:31:36 -05:00
Nick Mathewson
aa6c7741e8 update geoip-2021-03-12 to mention provider transition. 2021-03-12 11:29:09 -05:00
Nick Mathewson
a7b3cb06f5 Update geoip files to match ipfire location db, 2021/03/12. 2021-03-12 11:26:07 -05:00
David Goulet
296a557bfc Remove mallinfo() from codebase
Now deprecated in libc >= 2.33

Closes #40309

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-23 11:02:33 -05:00
Nick Mathewson
ede88c374c Disable the dump_desc() function.
It can be called with strings that should have been
length-delimited, but which in fact are not.  This can cause a
CPU-DoS bug or, in a worse case, a crash.

Since this function isn't essential, the best solution for older
Tors is to just turn it off.

Fixes bug 40286; bugfix on 0.2.2.1-alpha when dump_desc() was
introduced.
2021-02-19 12:31:19 -05:00
Nick Mathewson
21317c9229 Bump to 0.3.5.13-dev. 2021-02-03 13:37:28 -05:00
David Goulet
f322ea3fa8 Merge branch 'ticket40269_035_01' into maint-0.3.5 2021-02-03 09:11:09 -05:00
David Goulet
6f95cdf87e Remove unused addr_port_set code
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-03 09:11:01 -05:00
David Goulet
a3cef41fc3 Merge branch 'ticket40270_035_01' into maint-0.3.5 2021-02-03 08:56:30 -05:00
David Goulet
c2cee6c780 node: Move reentry set to use a digestmap_t
Any lookup now will be certain and not probabilistic as the bloomfilter.

Closes #40269

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-03 08:54:02 -05:00