The right way to free a config object is now to wrap config_free(),
always. Instead of creating an alternative free function, objects
should provide an alternative clear callback to free any fields that
the configuration manager doesn't manage.
This lets us simplify our code a little, and lets us extend the
confparse.c code to manage additional fields in config_free.
Every time we finalize a config manager, we now generate a new magic
number for it, so that we'll get an assertion failure if we ever try
to use an object with a different configuration manager than the one
that generated it.
It's good style to always add parentheses when using macro
arguments, in case somebody someday provides an argument that
contains an operator you don't expect, or causes the expression to
parse differently.
In Tor's tests, the tt_*() macros can call "goto done" on failure.
When that happens, we need to make sure that all of our allocated
memory still gets freed, or else Coverity will complain.
Move everything to its own function in order to better log, document and tests
the introduction point validation process.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Remove the public functions returning the HS DoS consensus param or default
values as it is exclusively used internally now.
Rename the param_* variables to consensus_param_* for better code semantic.
Finally, make some private functions available to unit tests.
Signed-off-by: David Goulet <dgoulet@torproject.org>
We added a flag on the circuit to know if the DoS defenses are enabled or not.
Before, it was solely the consensus parameter.
Part of #30924
Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit makes tor add the DoS cell extension to the ESTABLISH_INTRO cell
if the defense is enabled on the service side with a torrc option.
Furthermore, the cell extension is only added if the introduction point
supports it. The protover version HSIntro=5 is looked for.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Make it clear that these functions return the consensus param only.
Introduction point can not set those values with a torrc option.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Coverity wants us to free everything that we are potentially
allocating, even stuff where allocating it would be a bug. Adding
a smartlist_free() here will fix the warning.
Fixes bug 31452; bugfix on 16a0b7ed67, which is not in
any released Tor. This is CID 1447292.
Previously we tried multiplying by -1 before casting to int32_t,
which would cause us to cast the -1 to an unsigned before we
multiplied. This gave us compiler warnings on windows.
Fixes bug 31353; bug not in any released Tor.
Currently test the only available function which is hs_dos_can_send_intro2()
within the HS anti-DoS subsystem.
Closes#15516
Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit add the hs_dos.{c|h} file that has the purpose of having the
anti-DoS code for onion services.
At this commit, it only has one which is a function that decides if an
INTRODUCE2 can be sent on the given introduction service circuit (S<->IP)
using a simple token bucket.
The rate per second is 25 and allowed burst to 200.
Basic defenses on #15516.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Now that we have a reasonable implementation for overriding the
default options for TestingTorNetwork, we don't need to modify
config_var_t structs any more. And therefore, we can have constant
format options, like reasonable people.
It's important to make sure that we don't change a config_mgr_t
after we start using it to make objects, or we could get into
inconsistent states. This feature is the start of a safety
mechanism to prevent this problem.
Remember that our goal in the present refactoring is to allow each
subsystem to declare its own configuration structure and
variables. To do this, each module will get its own
config_format_t, and so we'll want a different structure that wraps
several config_format_t objects. This is a "config_mgr_t".
The function make_intro_from_plaintext() in test_introduce.c would
leak memory if we ever hit a failure from our underlying crypto
functions. This kind of failure should be impossible, but it's best
to be safe here.
Bugfix on 0.2.4.1-alpha.
Coverity is worried that we check "service" at the end of these test
functions, since it doesn't see any way to reach the cleanup code
without having first dereferenced the variable.
Removing the check would be unwise in this case: instead we add a
tt_assert check before using "service" so that coverity thinks that
the check is doing something useful.
Bugfix on 0.3.2.1-alpha.
Coverity can't see that it is not in fact going to read
uninitialized memory here, so we initialize these values
unconditionally.
Bugfix on 0.4.0.1-alpha.
And that it does something sensible with host and host:port.
Also reorder the tests into valid, invalid, and ambiguous.
And add some missing cases.
Note: tor_addr_port_lookup() handles ip, ip:port, host, and host:port.
Tests for 30721.
Fix add_onion_helper_clientauth() and add_onion_helper_keyarg() to
explicitly call the appropriate control reply abstractions instead of
allocating a string to pass to their callers.
Part of ticket 30889.
Right now, this has been done at a high level by confparse.c, but it
makes more sense to lower it.
This API is radically un-typesafe as it stands; we'll be wrapping it
in a safer API as we do #30914 and lower the struct manipulation
code as well.
Closes ticket 30864.
When we consider all circuits in "waiting for guard" state to be promoted to
an "open" state, we were considering all circuits, even the one marked for
close.
This ultiamtely triggers a "circuit_has_opened()" called on the circuit that
is marked for close which then leads to possible undesirable behaviors within
a subsystem.
For instance, the HS subsystem would be unable to find the authentication key
of the introduction point circuit leading to a BUG() warning and a duplicate
mark for close on the circuit.
This commit also adds a unit test to make sure we never select marked for
close circuits when upgrading its guard state from waiting for guard to open.
Fixes#30871
Signed-off-by: David Goulet <dgoulet@torproject.org>
When we consider all circuits in "waiting for guard" state to be promoted to
an "open" state, we were considering all circuits, even the one marked for
close.
This ultiamtely triggers a "circuit_has_opened()" called on the circuit that
is marked for close which then leads to possible undesirable behaviors within
a subsystem.
For instance, the HS subsystem would be unable to find the authentication key
of the introduction point circuit leading to a BUG() warning and a duplicate
mark for close on the circuit.
This commit also adds a unit test to make sure we never select marked for
close circuits when upgrading its guard state from waiting for guard to open.
Fixes#30871
Signed-off-by: David Goulet <dgoulet@torproject.org>
When we consider all circuits in "waiting for guard" state to be promoted to
an "open" state, we were considering all circuits, even the one marked for
close.
This ultiamtely triggers a "circuit_has_opened()" called on the circuit that
is marked for close which then leads to possible undesirable behaviors within
a subsystem.
For instance, the HS subsystem would be unable to find the authentication key
of the introduction point circuit leading to a BUG() warning and a duplicate
mark for close on the circuit.
This commit also adds a unit test to make sure we never select marked for
close circuits when upgrading its guard state from waiting for guard to open.
Fixes#30871
Signed-off-by: David Goulet <dgoulet@torproject.org>
Note that the event base object is _not_ created from the initialize
function, since it is configuration-dependent. This will wait until
configuration is integrated into subsystems.
Closes ticket 30806.
Skip test_rebind when the TOR_SKIP_TEST_REBIND environmental variable
is set.
Skip test_rebind on macOS in Travis builds, because it is unreliable
on macOS on Travis.
Fixes bug 30713; bugfix on 0.3.5.1-alpha.
Because it invokes the Tor mainloop, it does unpredictable things to
test coverage of a lot of code that it doesn't actually test at
all. (It is more an integration test than anything else.)
We must not accumulate digests on the circuit if the other end point is using
another SENDME version that is not using those digests like v0.
This commit makes it that we always pop the digest regardless of the version.
Part of #30428
Signed-off-by: David Goulet <dgoulet@torproject.org>
There was a missing cell version check against our max supported version. In
other words, we do not fallback to v0 anymore in case we do know the SENDME
version.
We can either handle it or not, never fallback to the unauthenticated version
in order to avoid gaming the authenticated logic.
Add a unit tests making sure we properly test that and also test that we can
always handle the default emit and accepted versions.
Fixes#30428
Signed-off-by: David Goulet <dgoulet@torproject.org>
The validation of the SENDME cell is now done as the very first thing when
receiving it for both client and exit. On failure to validate, the circuit is
closed as detailed in the specification.
Part of #30428
Signed-off-by: David Goulet <dgoulet@torproject.org>
It turns out that only the exit side is validating the authenticated SENDME v1
logic and never the client side. Which means that if a client ever uploaded
data towards an exit, the authenticated SENDME logic wouldn't apply.
For this to work, we have to record the cell digest client side as well which
introduced a new function that supports both type of edges.
This also removes a test that is not valid anymore which was that we didn't
allow cell recording on an origin circuit (client).
Part of #30428
Signed-off-by: David Goulet <dgoulet@torproject.org>
Like the previous commit about the INTRODUCE_ACK status code, change all auth
key type to use the one defined in the trunnel file.
Standardize the use of these auth type to a common ABI.
Part of #30454
Signed-off-by: David Goulet <dgoulet@torproject.org>
The client side had garbage histograms and deadcode here, too. That code has
been removed.
The tests have also been updated to properly test the intro circ by sending
padding from the relay side to the client, and verifying that both shut down
when padding was up. (The tests previously erroneously tested only the client
side of intro circs, which actually were supposed to be doing nothing).
This is the first half of implementing proposal 301. The
RecommendedPackages torrc option is marked as obsolete and
the test cases for the option removed. Additionally, the code relating
to generating and formatting package lines in votes is removed.
These lines may still appear in votes from other directory authorities
running earlier versions of the code and so consensuses may still
contain package lines. A new consensus method will be needed to stop
including package lines in consensuses.
Fixes: #28465
Our other tests tested state lengths against padding packets, and token counts
against non-padding packets. This test checks state lengths against
non-padding packets (and also padding packets too), and checks token counts
against padding packets (and also non-padding packets too).
The next three commits are needed to make this test pass (it found 3 bugs).
Yay?
