Commit Graph

21350 Commits

Author SHA1 Message Date
Nick Mathewson
61d87dfa15 Merge branch 'postloop_callbacks_2' 2018-04-13 12:12:46 -04:00
Nick Mathewson
4c03af4880 Remove tell_event_loop_to_run_external_code() per review
(This function is no longer used.)
2018-04-13 12:11:22 -04:00
Nick Mathewson
03b96882de Rename token_bucket_t to token_bucket_rw_t.
This is a simple search-and-replace to rename the token bucket type
to indicate that it contains both a read and a write bucket, bundled
with their configuration.  It's preliminary to refactoring the
bucket type.
2018-04-13 10:54:26 -04:00
Nick Mathewson
b152d62cee Merge branch 'token_bucket_refactor_squashed' 2018-04-13 10:47:24 -04:00
Nick Mathewson
62f4d5a265 Add a unit test for post-loop events
This test works by having two post-loop events activate one another
in a tight loop.  If the "post-loop" mechanism didn't work, this
would be enough to starve all other events.
2018-04-13 10:44:15 -04:00
Nick Mathewson
320bd2b3a5 Move connection_ap_attach_pending(0) into a postloop event
This is a second motivating case for our postloop event logic.
2018-04-13 10:44:15 -04:00
Nick Mathewson
5719dfb48f Move the "activate linked connections" logic to a postloop event.
A linked connection_t is one that gets its I/O, not from the
network, but from another connection_t.  When such a connection has
something to write, we want the corresponding connection to run its
read callback ... but not immediately, to avoid infinite recursion
and/or event loop starvation.

Previously we handled this case by activating the read events
outside the event loop.  Now we use the "postloop event" logic.
This lets us simplify do_main_loop_once() a little.
2018-04-13 10:44:15 -04:00
Nick Mathewson
c5a3e2ca44 Generic mechaism for "post-loop" callbacks
We've been labeling some events as happening "outside the event
loop", to avoid Libevent starvation.  This patch provides a cleaner
mechanism to avoid that starvation.

For background, the problem here is that Libevent only scans for new
events once it has run all its active callbacks.  So if the
callbacks keep activating new callbacks, they could potentially
starve Libevent indefinitely and keep it from ever checking for
timed, socket, or signal events.

To solve this, we add the ability to label some events as
"post-loop".  The rule for a "post-loop" event is that any events
_it_ activates can only be run after libevent has re-scanned for new
events at least once.
2018-04-13 10:44:15 -04:00
Nick Mathewson
ad57b1279a Disable load_geoip_file() tests on windows
See bug #25787 for discussion; we should have a better fix here.
2018-04-13 10:42:19 -04:00
Nick Mathewson
787bafc0f9 Increase tolerances for imprecise time. 2018-04-13 10:41:15 -04:00
Nick Mathewson
3f514fe3b1 Accept small hops backward in the monotonic timer. 2018-04-13 10:41:15 -04:00
Nick Mathewson
12f58f2f87 Remove a bunch of int casts; make clang happier. 2018-04-13 10:41:14 -04:00
Nick Mathewson
6be994fa71 Ensure that global buckets are updated on configuration change 2018-04-13 10:41:14 -04:00
Nick Mathewson
a38fd9bc5b Replace the global buckets with token_bucket_t 2018-04-13 10:41:14 -04:00
Nick Mathewson
9fced56ef1 Refactor or_connection token buckets to use token_bucket_t 2018-04-13 10:41:14 -04:00
Nick Mathewson
8a85239746 Add a helper function to decrement read and write at the same time 2018-04-13 10:41:14 -04:00
Nick Mathewson
c376200f6a Add a new token-bucket backend abstraction, with tests
This differs from our previous token bucket abstraction in a few
ways:

  1) It is an abstraction, and not a collection of fields.
  2) It is meant to be used with monotonic timestamps, which should
     produce better results than calling gettimeofday over and over.
2018-04-13 10:41:14 -04:00
Nick Mathewson
d8ef9a2d1e Expose a function that computes stamp units from msec.
(It turns out we can't just expose STAMP_TICKS_PER_SECOND, since
Apple doesn't have that.)
2018-04-13 10:41:08 -04:00
Nick Mathewson
2d6914e391 Refine extend_info_for_node's "enough info" check once again.
In d1874b4339, we adjusted this check so that we insist on
using routerinfos for bridges.  That's almost correct... but if we
have a bridge that is also a regular relay, then we should use
insist on its routerinfo when connecting to it as a bridge
(directly), and be willing to use its microdescriptor when
connecting to it elsewhere in our circuits.

This bug is a likely cause of some (all?) of the (exit_ei == NULL)
failures we've been seeing.

Fixes bug 25691; bugfix on 0.3.3.4-alpha
2018-04-12 16:56:29 -04:00
Nick Mathewson
d3b9b5a3dd Remove windows log_from_handle as unused.
This function was only used by PortForwardingHelper, which was
removed in 9df110cd72.  Its presence caused warnings on windows.
2018-04-12 12:38:46 -04:00
Nick Mathewson
f0887e30dd Merge branch 'maint-0.3.3' 2018-04-12 12:31:41 -04:00
Nick Mathewson
46795a7be6 Attempt to fix 32-bit clang builds, which broke with 31508a0abc
When size_t is 32 bits, the unit tests can't fit anything more than
4GB-1 into a size_t.

Additionally, tt_int_op() uses "long" -- we need tt_u64_op() to
safely test uint64_t values for equality.

Bug caused by tests for #24782 fix; not in any released Tor.
2018-04-12 12:30:36 -04:00
Nick Mathewson
467c882baa Merge branch 'maint-0.3.3' 2018-04-12 12:25:51 -04:00
Nick Mathewson
4aaa4215e7 Attempt to fix 32-bit builds, which broke with 31508a0abc
When size_t is 32 bits, doing "size_t ram; if (ram > 8GB) { ... }"
produces a compile-time warning.

Bug caused by #24782 fix; not in any released Tor.
2018-04-12 12:25:09 -04:00
Nick Mathewson
037fb0c804 Merge branch 'maint-0.3.3' 2018-04-12 11:14:42 -04:00
Alexander Færøy
31508a0abc Use less memory for MaxMemInQueues for machines with more than 8 GB of RAM.
This patch changes the algorithm of compute_real_max_mem_in_queues() to
use 0.4 * RAM iff the system has more than or equal to 8 GB of RAM, but
will continue to use the old value of 0.75 * RAM if the system have less
than * GB of RAM available.

This patch also adds tests for compute_real_max_mem_in_queues().

See: https://bugs.torproject.org/24782
2018-04-12 11:14:16 -04:00
Alexander Færøy
5633a63379 Use STATIC for compute_real_max_mem_in_queues
This patch makes compute_real_max_mem_in_queues use the STATIC macro,
which allows us to test the function.

See: https://bugs.torproject.org/24782
2018-04-12 10:51:48 -04:00
Alexander Færøy
bd42367a1e Make get_total_system_memory mockable.
This patch makes get_total_system_memory mockable, which allows us to
alter the return value of the function in tests.

See: https://bugs.torproject.org/24782
2018-04-12 10:51:45 -04:00
Nick Mathewson
a51630cc9a Merge branch 'maint-0.3.3' 2018-04-11 15:38:00 -04:00
Nick Mathewson
0803d79f55 Merge branch 'bug25581_033_v2_asn_squashed' into maint-0.3.3 2018-04-11 15:37:56 -04:00
Nick Mathewson
8b8630a501 Rename HSLayer{2,3}Nodes to start without an underscore.
The old single-underscore names remain as a deprecated synonym.

Fixes bug 25581; bugfix on 0.3.3.1-alpha.
2018-04-11 15:37:49 -04:00
Nick Mathewson
0c8f901ee7 Merge branch 'maint-0.3.3' 2018-04-11 10:48:46 -04:00
Mike Perry
f9ba0c6546 Bug 24989: Count client hsdir gets towards MaxClientCircuitsPending.
We removed this by breaking them out from general in #13837.
2018-04-11 10:47:06 -04:00
Nick Mathewson
6bdfaa8b24 Merge remote-tracking branch 'isis-github/bug25425_squashed2' 2018-04-10 15:32:26 -04:00
Nick Mathewson
6e467a7a34 Merge remote-tracking branch 'isis-github/bug25409' 2018-04-10 15:27:09 -04:00
Isis Lovecruft
65d6b66e99
config: Obsolete PortForwarding and PortForwardingHelper options.
* FIXES part of #25409: https://bugs.torproject.org/25409
2018-04-10 19:08:59 +00:00
Nick Mathewson
386f8016b7 Fix another crash-on-no-threadpool bug.
This one happens if for some reason you start with DirPort enabled
but server mode turned off entirely.

Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha.
2018-04-10 14:44:38 -04:00
Nick Mathewson
d3ac47b415 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-04-10 14:26:32 -04:00
Nick Mathewson
0b1a054d68 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-04-10 14:26:32 -04:00
Nick Mathewson
ef16a11b90 Merge branch 'maint-0.3.3' 2018-04-10 14:26:32 -04:00
Nick Mathewson
db6902c235 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-04-10 14:26:29 -04:00
Nick Mathewson
10a1969ca3 Merge remote-tracking branch 'ahf-github/bugs/24854_029_2' into maint-0.2.9 2018-04-10 14:25:57 -04:00
Nick Mathewson
16f08de0fd Remove TestingEnableTbEmptyEvent
This option was used for shadow testing previously, but is no longer
used for anything.  It interferes with refactoring our token buckets.
2018-04-10 12:16:21 -04:00
Isis Lovecruft
3ee7a8d3a5
tests: Make tt_finished() macro for tests without tt_*_op() calls. 2018-04-09 19:32:47 +00:00
Isis Lovecruft
c2c5b13e5d
test: Add testing module and some unittests for bridges.c.
This roughly doubles our test coverage of the bridges.c module.

 * ADD new testing module, .../src/test/test_bridges.c.
 * CHANGE a few function declarations from `static` to `STATIC`.
 * CHANGE one function in transports.c, transport_get_by_name(), to be
   mockable.
 * CLOSES #25425: https://bugs.torproject.org/25425
2018-04-09 19:32:46 +00:00
Nick Mathewson
e0809ec5f5 Prefer 32-bit implementation for timing wheels on 32-bit systems.
This might make our timing-wheel code a tiny bit faster there.

Closes ticket 24688.
2018-04-09 15:21:10 -04:00
David Goulet
395fa0258d compat: Fix unchecked return value from event_del()
Explicitly tell the compiler we don't care about it.

Coverity CID 1434156

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-09 14:12:45 -04:00
Nick Mathewson
e58555135a Add a comment explaining why we do a certain redundant check
Closes ticket 25291.
2018-04-09 12:58:17 -04:00
Alexander Færøy
1295044dc8 Lift the list of default directory servers into their own file.
This patch lifts the list of default directory authorities from config.c
into their own auth_dirs.inc file, which is then included in config.c
using the C preprocessor.

Patch by beastr0.

See: https://bugs.torproject.org/24854
2018-04-09 16:00:26 +02:00
Isis Lovecruft
809f6fae84
refactor: Remove unnecessary #include "crypto.h" throughout codebase.
* FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 22:49:18 +00:00
Isis Lovecruft
e32fc0806d
refactor: Alphabetise some includes in /src/or/*. 2018-04-06 22:49:17 +00:00
Isis Lovecruft
88190026b3
crypto: Alphabetise some #includes in /src/common/crypto*.
* FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 22:49:15 +00:00
Isis Lovecruft
64e6551b8b
crypto: Remove unnecessary includes from src/common/crypto.[ch]
* FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 22:49:13 +00:00
Isis Lovecruft
fe3aca1491
crypto: Refactor (P)RNG functionality into new crypto_rand module.
* ADD new /src/common/crypto_rand.[ch] module.
 * ADD new /src/common/crypto_util.[ch] module (contains the memwipe()
   function, since all crypto_* modules need this).
 * FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 21:45:28 +00:00
Nick Mathewson
2fac948158 Include tor_log rust files in source distribution.
Fixes another case of #25732; bug not in any released Tor.
2018-04-06 16:19:14 -04:00
Nick Mathewson
fb2fe41f6f Merge branch 'maint-0.3.3' 2018-04-06 16:18:47 -04:00
Nick Mathewson
306563ac68 Ship all files needed to build Tor with rust
Fixes bug 25732; bugfix on 0.3.3.2-alpha when strings.rs was
introduced.
2018-04-06 16:18:11 -04:00
Nick Mathewson
98b694bfd5 Merge branch 'isolate_libevent_2_squashed' 2018-04-06 08:50:35 -04:00
Roger Dingledine
0b0e4886cf fix confusing comment
presumably introduced by copy-and-paste mistake
2018-04-05 15:59:37 -04:00
Nick Mathewson
245fdf8ca0 Remove needless event2/thread.h include from test_compat_libevent.c 2018-04-05 12:36:28 -04:00
Nick Mathewson
4225300648 Remove redundant event2/event.h usage from test_scheduler.c
This module doesn't actually need to mock the libevent mainloop at
all: it can just use the regular mainloop that the test environment
sets up.

Part of ticket 23750.
2018-04-05 12:36:28 -04:00
Nick Mathewson
6a5f62f68f Move responsibility for threadpool reply-handler events to workqueue
This change makes cpuworker and test_workqueue no longer need to
include event2/event.h.  Now workqueue.c needs to include it, but
that is at least somewhat logical here.
2018-04-05 12:36:28 -04:00
Nick Mathewson
b3586629c9 Wrap the function we use to run the event loop.
Doing this lets us remove the event2/event.h header from a few more
modules, particularly in the tests.

Part of work on 23750.
2018-04-05 12:36:27 -04:00
Nick Mathewson
39cb04335f Add wrappers for event_base_loopexit and event_base_loopbreak. 2018-04-05 12:36:05 -04:00
Nick Mathewson
f0d2733b46 Revise procmon.c to use periodic_timer_t
This removes its need to use event2/event.h, and thereby fixes
another instance of 23750.
2018-04-05 12:35:11 -04:00
Nick Mathewson
871ff0006d Add an API for a scheduled/manually activated event in the mainloop
Using this API lets us remove event2/event.h usage from half a dozen
modules, to better isolate libevent.  Implements part of ticket
23750.
2018-04-05 12:35:11 -04:00
Nick Mathewson
c6d7e0becf Merge remote-tracking branch 'public/split_relay_crypto' 2018-04-05 12:12:18 -04:00
Fernando Fernandez Mancera
9504fabb02 Enable DISABLE_DISABLING_ED25519.
We are going to stop recommending 0.2.5 so there is no reason to keep the
undef statement anymore.

Fixes #20522.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-04-05 16:19:40 +02:00
Neel Chauhan
f5f9c25546 Switch to use should_record_bridge_info()
Both in geoip_note_client_seen() and options_need_geoip_info(), switch from
accessing the options directly to using the should_record_bridge_info() helper
function.

Fixes #25290

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-05 08:37:39 -04:00
Nick Mathewson
ad8347418f Merge branch 'maint-0.3.3' 2018-04-05 08:22:35 -04:00
Nick Mathewson
78bf564168 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-04-05 08:22:34 -04:00
Nick Mathewson
9b10eb2d7a Merge branch 'maint-0.3.1' into maint-0.3.2 2018-04-05 08:22:34 -04:00
Nick Mathewson
834eef2452 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-04-05 08:22:34 -04:00
Nick Mathewson
b68e636b33 Merge branch 'maint-0.2.5' into maint-0.2.9 2018-04-05 08:22:33 -04:00
Karsten Loesing
1fa396b0a4 Update geoip and geoip6 to the April 3 2018 database. 2018-04-05 10:42:25 +02:00
David Goulet
3d5bf12ac2 relay: Remove max middle cells dead code
Next commit is addressing the circuit queue cell limit so cleanup before doing
anything else.

Part of #25226

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-04 11:03:50 -04:00
Nick Mathewson
52846f728d Merge branch 'maint-0.3.3' 2018-04-04 08:57:24 -04:00
Nick Mathewson
ec8ee54129 Merge branch 'bug21394_029_redux' into maint-0.3.3 2018-04-04 08:55:37 -04:00
Dhalgren
06484eb5e1 Bug 21394 touchup: Increase DNS attempts to 3
Also don't give up on a resolver as quickly if multiple are configured.
2018-04-04 08:54:25 -04:00
Neel Chauhan
9df110cd72
Remove PortForwarding options
Signed-off-by: Isis Lovecruft <isis@torproject.org>
2018-04-04 00:19:33 +00:00
Nick Mathewson
218b1746ba Merge remote-tracking branch 'fristonio/ticket-25645' 2018-04-03 19:19:02 -04:00
Deepesh Pathak
2680a8b5b1
ticket(25645): remove unused variable n_possible from channel_get_for_extend() 2018-04-03 09:17:23 +05:30
Isis Lovecruft
c65088cb19
rust: Fix ProtoSet and ProtoEntry to use the same DoS limits as C.
Previously, the limit for MAX_PROTOCOLS_TO_EXPAND was actually being applied
in Rust to the maximum number of version (total, for all subprotocols).
Whereas in C, it was being applied to the number of subprotocols that were
allowed.  This changes the Rust to match C's behaviour.
2018-04-02 19:59:16 +00:00
Isis Lovecruft
4b4e36a413
rust: Port all C protover_all_supported tests to Rust.
The behaviours still do not match, unsurprisingly, but now we know where a
primary difference is: the Rust is validating version ranges more than the C,
so in the C it's possible to call protover_all_supported on a ridiculous
version range like "Sleen=0-4294967294" because the C uses
MAX_PROTOCOLS_TO_EXPAND to count the number of *subprotocols* whereas the Rust
uses it to count the total number of *versions* of all subprotocols.
2018-04-02 19:59:15 +00:00
Isis Lovecruft
6739a69c59
tests: Run all existing protover tests in both languages.
There's now no difference in these tests w.r.t. the C or Rust: both
fail miserably (well, Rust fails with nice descriptive errors, and C
gives you a traceback, because, well, C).
2018-04-02 19:59:14 +00:00
Isis Lovecruft
f769edd148
tests: Make inline comments in test_protover.c more accurate.
The DoS potential is slightly higher in C now due to some differences to the
Rust code, see the C_RUST_DIFFERS tags in src/rust/protover/tests/protover.rs.

Also, the comment about "failing at the splitting stage" in Rust wasn't true,
since when we split, we ignore empty chunks (e.g. "1--1" parses into
"(1,None),(None,1)" and "None" can't be parsed into an integer).

Finally, the comment about "Rust seems to experience an internal error" is only
true in debug mode, where u32s are bounds-checked at runtime.  In release mode,
code expressing the equivalent of this test will error with
`Err(ProtoverError::Unparseable)` because 4294967295 is too large.
2018-04-02 19:59:13 +00:00
Isis Lovecruft
ad369313f8
protover: Change protover_all_supported() to return only unsupported.
Previously, if "Link=1-5" was supported, and you asked protover_all_supported()
(or protover::all_supported() in Rust) if it supported "Link=3-999", the C
version would return "Link=3-999" and the Rust would return "Link=6-999".  These
both behave the same now, i.e. both return "Link=6-999".
2018-04-02 19:59:12 +00:00
Isis Lovecruft
cd28b4c7f5
rust: Refactor protover::compute_for_old_tor().
During code review and discussion with Chelsea Komlo, she pointed out
that protover::compute_for_old_tor() was a public function whose
return type was `&'static CStr`.  We both agree that C-like parts of
APIs should:

1. not be exposed publicly (to other Rust crates),
2. only be called in the appropriate FFI code,
3. not expose types which are meant for FFI code (e.g. `*mut char`,
   `CString`, `*const c_int`, etc.) to the pure-Rust code of other
   crates.
4. FFI code (e.g. things in `ffi.rs` modules) should _never_ be called
   from pure-Rust, not even from other modules in its own crate
   (i.e. do not call `protover::ffi::*` from anywhere in
   `protover::protoset::*`, etc).

With that in mind, this commit makes the following changes:

 * CHANGE `protover::compute_for_old_tor()` to be
   visible only at the `pub(crate)` level.
 * RENAME `protover::compute_for_old_tor()` to
   `protover::compute_for_old_tor_cstr()` to reflect the last change.
 * ADD a new `protover::compute_for_old_tor()` function wrapper which
   is public and intended for other Rust code to use, which returns a
   `&str`.
2018-04-02 19:59:12 +00:00
Isis Lovecruft
fd127bfbfa
rust: Refactor Rust implementation of protover_is_supported_here().
It was changed to take borrows instead of taking ownership.

 * REFACTOR `protover::ffi::protover_is_supported_here()` to use changed method
   signature on `protover::is_supported_here()`.
2018-04-02 19:36:26 +00:00
Isis Lovecruft
32638ed4a6
rust: Refactor Rust impl of protover_compute_vote().
This includes a subtle difference in behaviour to the previous Rust
implementation, where, for each vote that we're computing over, if a single one
fails to parse, we skip it.  This now matches the current behaviour in the C
implementation.

 * REFACTOR `protover::ffi::protover_compute_vote()` to use
   new types and methods.
2018-04-02 19:36:25 +00:00
Isis Lovecruft
269053a380
rust: Refactor Rust impl of protover_list_supports_protocol_or_later().
This includes a subtle difference in behaviour, as in 4258f1e18, where we return
(matching the C impl's return behaviour) earlier than before if parsing failed,
saving us computation in parsing the versions into a
protover::protoset::ProtoSet.

 * REFACTOR `protover::ffi::protover_list_supports_protocol_or_later()` to use
   new types and methods.
2018-04-02 19:36:25 +00:00
Isis Lovecruft
63eeda89ea
rust: Refactor Rust impl of protover_list_supports_protocol().
This includes a subtle difference in behaviour, as in 4258f1e18, where we return
(matching the C impl's return behaviour) earlier than before if parsing failed,
saving us computation in parsing the versions into a
protover::protoset::ProtoSet.

 * REFACTOR `protover::ffi::protover_list_supports_protocol()` to use new types
   and methods.
2018-04-02 19:34:26 +00:00
Isis Lovecruft
c7bcca0233
rust: Refactor Rust impl of protover_all_supported().
This includes differences in behaviour to before, which should now more closely
match the C version:

 - If parsing a protover `char*` from C, and the string is not parseable, this
   function will return 1 early, which matches the C behaviour when protocols
   are unparseable.  Previously, we would parse it and its version numbers
   simultaneously, i.e. there was no fail early option, causing us to spend more
   time unnecessarily parsing versions.

 * REFACTOR `protover::ffi::protover_all_supported()` to use new types and
   methods.
2018-04-02 19:34:26 +00:00
Isis Lovecruft
493e565226
rust: Refactor protover tests with new methods; note altered behaviours.
Previously, the rust implementation of protover considered an empty string to be
a valid ProtoEntry, while the C version did not (it must have a "=" character).
Other differences include that unknown protocols must now be parsed as
`protover::UnknownProtocol`s, and hence their entries as
`protover::UnvalidatedProtoEntry`s, whereas before (nearly) all protoentries
could be parsed regardless of how erroneous they might be considered by the C
version.

My apologies for this somewhat messy and difficult to read commit, if any part
is frustrating to the reviewer, please feel free to ask me to split this into
smaller changes (possibly hard to do, since so much changed), or ask me to
comment on a specific line/change and clarify how/when the behaviours differ.

The tests here should more closely match the behaviours exhibited by the C
implementation, but I do not yet personally guarantee they match precisely.

 * REFACTOR unittests in protover::protover.
 * ADD new integration tests for previously untested behaviour.
 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 19:34:25 +00:00
Isis Lovecruft
35b86a12e6
rust: Refactor protover::is_supported_here().
This changes `protover::is_supported_here()` to be aware of new datatypes
(e.g. don't call `.0` on things which are no longer tuple structs) and also
changes the method signature to take borrows, making it faster, threadable, and
easier to read (i.e. the caller can know from reading the function signature
that the function won't mutate values passed into it).

 * CHANGE the `protover::is_supported_here()` function to take borrows.
 * REFACTOR the `protover::is_supported_here()` function to be aware of new
   datatypes.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:34:25 +00:00
Isis Lovecruft
2eb1b7f2fd
rust: Add new ProtoverVote type and refactor functions to methods.
This adds a new type for votes upon `protover::ProtoEntry`s (technically, on
`protover::UnvalidatedProtoEntry`s, because the C code does not validate based
upon currently known protocols when voting, in order to maintain
future-compatibility), and converts several functions which would have operated
on this datatype into methods for ease-of-use and readability.

This also fixes a behavioural differentce to the C version of
protover_compute_vote().  The C version of protover_compute_vote() calls
expand_protocol_list() which checks if there would be too many subprotocols *or*
expanded individual version numbers, i.e. more than MAX_PROTOCOLS_TO_EXPAND, and
does this *per vote* (but only in compute_vote(), everywhere else in the C seems
to only care about the number of subprotocols, not the number of individual
versions).  We need to match its behaviour in Rust and ensure we're not allowing
more than it would to get the votes to match.

 * ADD new `protover::ProtoverVote` datatype.
 * REMOVE the `protover::compute_vote()` function and refactor it into an
   equivalent-in-behaviour albeit more memory-efficient voting algorithm based
   on the new underlying `protover::protoset::ProtoSet` datatype, as
   `ProtoverVote::compute()`.
 * REMOVE the `protover::write_vote_to_string()` function, since this
   functionality is now generated by the impl_to_string_for_proto_entry!() macro
   for both `ProtoEntry` and `UnvalidatedProtoEntry` (the latter of which is the
   correct type to return from a voting protocol instance, since the entity
   voting may not know of all protocols being voted upon or known about by other
   voting parties).
 * FIXES part of #24031: https://bugs.torproject.org/24031

rust: Fix a difference in compute_vote() behaviour to C version.
2018-04-02 19:34:24 +00:00
Isis Lovecruft
fa15ea104d
rust: Add macro for impl ToString for {Unvalidated}ProtoEntry.
This implements conversions from either a ProtoEntry or an UnvalidatedProtoEntry
into a String, for use in replacing such functions as
`protover::write_vote_to_string()`.

 * ADD macro for implementing ToString trait for ProtoEntry and
   UnvalidatedProtoEntry.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:34:24 +00:00
Isis Lovecruft
3c47d31e1f
rust: Add new protover::UnvalidatedProtoEntry type.
This adds a new protover::UnvalidatedProtoEntry type, which is the
UnknownProtocol variant of a ProtoEntry, and refactors several functions which
should operate on this type into methods.

This also fixes what was previously another difference to the C implementation:
if you asked the C version of protovet_compute_vote() to compute a single vote
containing "Fribble=", it would return NULL.  However, the Rust version would
return "Fribble=" since it didn't check if the versions were empty before
constructing the string of differences.  ("Fribble=" is technically a valid
protover string.)  This is now fixed, and the Rust version in that case will,
analogous to (although safer than) C returning a NULL, return None.

 * REMOVE internal `contains_only_supported_protocols()` function.
 * REMOVE `all_supported()` function and refactor it into
   `UnvalidatedProtoEntry::all_supported()`.
 * REMOVE `parse_protocols_from_string_with_no_validation()` and
   refactor it into the more rusty implementation of
   `impl FromStr for UnvalidatedProtoEntry`.
 * REMOVE `protover_string_supports_protocol()` and refactor it into
   `UnvalidatedProtoEntry::supports_protocol()`.
 * REMOVE `protover_string_supports_protocol_or_later()` and refactor
   it into `UnvalidatedProtoEntry::supports_protocol_or_later()`.
 * FIXES part of #24031: https://bugs.torproject.org/24031

rust: Fix another C/Rust different in compute_vote().

This fixes the unittest from the prior commit by checking if the versions are
empty before adding a protocol to a vote.
2018-04-02 19:34:23 +00:00
Isis Lovecruft
54c964332b
rust: Add new protover::ProtoEntry type which uses new datatypes.
This replaces the `protover::SupportedProtocols` (why would you have a type just
for things which are supported?) with a new, more generic type,
`protover::ProtoEntry`, which utilises the new, more memory-efficient datatype
in protover::protoset.

 * REMOVE `get_supported_protocols()` and `SupportedProtocols::tor_supported()`
   (since they were never used separately) and collapse their functionality into
   a single `ProtoEntry::supported()` method.
 * REMOVE `SupportedProtocols::from_proto_entries()` and reimplement its
   functionality as the more rusty `impl FromStr for ProtoEntry`.
 * REMOVE `get_proto_and_vers()` function and refactor it into the more rusty
   `impl FromStr for ProtoEntry`.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:32:36 +00:00
Isis Lovecruft
60daaa68b1
rust: Add new protover::UnknownProtocol type.
* ADD new type, protover::UnknownProtocol, so that we have greater type safety
   and our protover functionality which works with unsanitised protocol names is
   more clearly demarcated.
 * REFACTOR protover::Proto, renaming it protover::Protocol to mirror the new
   protover::UnknownProtocol type name.
 * ADD a utility conversion of `impl From<Protocol> for UnknownProtocol` so that
   we can easily with known protocols and unknown protocols simultaneously
   (e.g. doing comparisons, checking their version numbers), while not allowing
   UnknownProtocols to be accidentally used in functions which should only take
   Protocols.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:27:51 +00:00
Isis Lovecruft
e6625113c9
rust: Implement more memory-efficient protover datatype.
* ADD new protover::protoset module.
 * ADD new protover::protoset::ProtoSet class for holding protover versions.
 * REMOVE protover::Versions type implementation and its method
   `from_version_string()`, and instead implement this behaviour in a more
   rust-like manner as `impl FromStr for ProtoSet`.
 * MOVE the `find_range()` utility function from protover::protover to
   protover::protoset since it's only used internally in the
   implementation of ProtoSet.
 * REMOVE the `contract_protocol_list()` function from protover::protover and
   instead refactor it (reusing nearly the entire thing, with minor superficial,
   i.e. non-behavioural, changes) into a more rusty
   `impl ToString for ProtoSet`.
 * REMOVE the `expand_version_range()` function from protover::protover and
   instead refactor it into a more rusty implementation of
   `impl Into<Vec<Version>> for ProtoSet` using the new error types in
   protover::errors.
 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 19:26:26 +00:00
Isis Lovecruft
88204f91df
rust: Implement error types for Rust protover implementation.
This will allow us to do actual error handling intra-crate in a more
rusty manner, e.g. propogating errors in match statements, conversion
between error types, logging messages, etc.

 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 19:24:32 +00:00
Isis Lovecruft
f2daf82794
rust: Fix ProtoSet and ProtoEntry to use the same DoS limits as C.
Previously, the limit for MAX_PROTOCOLS_TO_EXPAND was actually being applied
in Rust to the maximum number of version (total, for all subprotocols).
Whereas in C, it was being applied to the number of subprotocols that were
allowed.  This changes the Rust to match C's behaviour.
2018-04-02 19:20:40 +00:00
Isis Lovecruft
6eea0dc5f1
rust: Port all C protover_all_supported tests to Rust.
The behaviours still do not match, unsurprisingly, but now we know where a
primary difference is: the Rust is validating version ranges more than the C,
so in the C it's possible to call protover_all_supported on a ridiculous
version range like "Sleen=0-4294967294" because the C uses
MAX_PROTOCOLS_TO_EXPAND to count the number of *subprotocols* whereas the Rust
uses it to count the total number of *versions* of all subprotocols.
2018-04-02 19:20:39 +00:00
Isis Lovecruft
527a239863
tests: Run all existing protover tests in both languages.
There's now no difference in these tests w.r.t. the C or Rust: both
fail miserably (well, Rust fails with nice descriptive errors, and C
gives you a traceback, because, well, C).
2018-04-02 19:20:38 +00:00
Isis Lovecruft
22c65a0e4b
tests: Make inline comments in test_protover.c more accurate.
The DoS potential is slightly higher in C now due to some differences to the
Rust code, see the C_RUST_DIFFERS tags in src/rust/protover/tests/protover.rs.

Also, the comment about "failing at the splitting stage" in Rust wasn't true,
since when we split, we ignore empty chunks (e.g. "1--1" parses into
"(1,None),(None,1)" and "None" can't be parsed into an integer).

Finally, the comment about "Rust seems to experience an internal error" is only
true in debug mode, where u32s are bounds-checked at runtime.  In release mode,
code expressing the equivalent of this test will error with
`Err(ProtoverError::Unparseable)` because 4294967295 is too large.
2018-04-02 19:20:37 +00:00
Isis Lovecruft
6e353664dd
protover: Change protover_all_supported() to return only unsupported.
Previously, if "Link=1-5" was supported, and you asked protover_all_supported()
(or protover::all_supported() in Rust) if it supported "Link=3-999", the C
version would return "Link=3-999" and the Rust would return "Link=6-999".  These
both behave the same now, i.e. both return "Link=6-999".
2018-04-02 19:20:36 +00:00
Isis Lovecruft
fc2a42cc49
rust: Refactor protover::compute_for_old_tor().
During code review and discussion with Chelsea Komlo, she pointed out
that protover::compute_for_old_tor() was a public function whose
return type was `&'static CStr`.  We both agree that C-like parts of
APIs should:

1. not be exposed publicly (to other Rust crates),
2. only be called in the appropriate FFI code,
3. not expose types which are meant for FFI code (e.g. `*mut char`,
   `CString`, `*const c_int`, etc.) to the pure-Rust code of other
   crates.
4. FFI code (e.g. things in `ffi.rs` modules) should _never_ be called
   from pure-Rust, not even from other modules in its own crate
   (i.e. do not call `protover::ffi::*` from anywhere in
   `protover::protoset::*`, etc).

With that in mind, this commit makes the following changes:

 * CHANGE `protover::compute_for_old_tor()` to be
   visible only at the `pub(crate)` level.
 * RENAME `protover::compute_for_old_tor()` to
   `protover::compute_for_old_tor_cstr()` to reflect the last change.
 * ADD a new `protover::compute_for_old_tor()` function wrapper which
   is public and intended for other Rust code to use, which returns a
   `&str`.
2018-04-02 19:20:36 +00:00
Isis Lovecruft
9766d53cf9
rust: Refactor Rust implementation of protover_is_supported_here().
It was changed to take borrows instead of taking ownership.

 * REFACTOR `protover::ffi::protover_is_supported_here()` to use changed method
   signature on `protover::is_supported_here()`.
2018-04-02 19:20:35 +00:00
Isis Lovecruft
6f252e0986
rust: Refactor Rust impl of protover_compute_vote().
This includes a subtle difference in behaviour to the previous Rust
implementation, where, for each vote that we're computing over, if a single one
fails to parse, we skip it.  This now matches the current behaviour in the C
implementation.

 * REFACTOR `protover::ffi::protover_compute_vote()` to use
   new types and methods.
2018-04-02 19:20:34 +00:00
Isis Lovecruft
0a5494b81d
rust: Refactor Rust impl of protover_list_supports_protocol_or_later().
This includes a subtle difference in behaviour, as in 4258f1e18, where we return
(matching the C impl's return behaviour) earlier than before if parsing failed,
saving us computation in parsing the versions into a
protover::protoset::ProtoSet.

 * REFACTOR `protover::ffi::protover_list_supports_protocol_or_later()` to use
   new types and methods.
2018-04-02 19:20:33 +00:00
Isis Lovecruft
52c3ea5045
rust: Refactor Rust impl of protover_list_supports_protocol().
This includes a subtle difference in behaviour, as in 4258f1e18, where we return
(matching the C impl's return behaviour) earlier than before if parsing failed,
saving us computation in parsing the versions into a
protover::protoset::ProtoSet.

 * REFACTOR `protover::ffi::protover_list_supports_protocol()` to use new types
   and methods.
2018-04-02 19:20:32 +00:00
Isis Lovecruft
2f3a7376c0
rust: Refactor Rust impl of protover_all_supported().
This includes differences in behaviour to before, which should now more closely
match the C version:

 - If parsing a protover `char*` from C, and the string is not parseable, this
   function will return 1 early, which matches the C behaviour when protocols
   are unparseable.  Previously, we would parse it and its version numbers
   simultaneously, i.e. there was no fail early option, causing us to spend more
   time unnecessarily parsing versions.

 * REFACTOR `protover::ffi::protover_all_supported()` to use new types and
   methods.
2018-04-02 19:20:31 +00:00
Isis Lovecruft
15e59a1fed
rust: Refactor protover tests with new methods; note altered behaviours.
Previously, the rust implementation of protover considered an empty string to be
a valid ProtoEntry, while the C version did not (it must have a "=" character).
Other differences include that unknown protocols must now be parsed as
`protover::UnknownProtocol`s, and hence their entries as
`protover::UnvalidatedProtoEntry`s, whereas before (nearly) all protoentries
could be parsed regardless of how erroneous they might be considered by the C
version.

My apologies for this somewhat messy and difficult to read commit, if any part
is frustrating to the reviewer, please feel free to ask me to split this into
smaller changes (possibly hard to do, since so much changed), or ask me to
comment on a specific line/change and clarify how/when the behaviours differ.

The tests here should more closely match the behaviours exhibited by the C
implementation, but I do not yet personally guarantee they match precisely.

 * REFACTOR unittests in protover::protover.
 * ADD new integration tests for previously untested behaviour.
 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 19:20:31 +00:00
Isis Lovecruft
aa241e99de
rust: Refactor protover::is_supported_here().
This changes `protover::is_supported_here()` to be aware of new datatypes
(e.g. don't call `.0` on things which are no longer tuple structs) and also
changes the method signature to take borrows, making it faster, threadable, and
easier to read (i.e. the caller can know from reading the function signature
that the function won't mutate values passed into it).

 * CHANGE the `protover::is_supported_here()` function to take borrows.
 * REFACTOR the `protover::is_supported_here()` function to be aware of new
   datatypes.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:20:30 +00:00
Isis Lovecruft
9abbd23df7
rust: Add new ProtoverVote type and refactor functions to methods.
This adds a new type for votes upon `protover::ProtoEntry`s (technically, on
`protover::UnvalidatedProtoEntry`s, because the C code does not validate based
upon currently known protocols when voting, in order to maintain
future-compatibility), and converts several functions which would have operated
on this datatype into methods for ease-of-use and readability.

This also fixes a behavioural differentce to the C version of
protover_compute_vote().  The C version of protover_compute_vote() calls
expand_protocol_list() which checks if there would be too many subprotocols *or*
expanded individual version numbers, i.e. more than MAX_PROTOCOLS_TO_EXPAND, and
does this *per vote* (but only in compute_vote(), everywhere else in the C seems
to only care about the number of subprotocols, not the number of individual
versions).  We need to match its behaviour in Rust and ensure we're not allowing
more than it would to get the votes to match.

 * ADD new `protover::ProtoverVote` datatype.
 * REMOVE the `protover::compute_vote()` function and refactor it into an
   equivalent-in-behaviour albeit more memory-efficient voting algorithm based
   on the new underlying `protover::protoset::ProtoSet` datatype, as
   `ProtoverVote::compute()`.
 * REMOVE the `protover::write_vote_to_string()` function, since this
   functionality is now generated by the impl_to_string_for_proto_entry!() macro
   for both `ProtoEntry` and `UnvalidatedProtoEntry` (the latter of which is the
   correct type to return from a voting protocol instance, since the entity
   voting may not know of all protocols being voted upon or known about by other
   voting parties).
 * FIXES part of #24031: https://bugs.torproject.org/24031

rust: Fix a difference in compute_vote() behaviour to C version.
2018-04-02 19:20:29 +00:00
Isis Lovecruft
26bafb3c33
rust: Add macro for impl ToString for {Unvalidated}ProtoEntry.
This implements conversions from either a ProtoEntry or an UnvalidatedProtoEntry
into a String, for use in replacing such functions as
`protover::write_vote_to_string()`.

 * ADD macro for implementing ToString trait for ProtoEntry and
   UnvalidatedProtoEntry.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:20:28 +00:00
Isis Lovecruft
b786b146ed
rust: Add new protover::UnvalidatedProtoEntry type.
This adds a new protover::UnvalidatedProtoEntry type, which is the
UnknownProtocol variant of a ProtoEntry, and refactors several functions which
should operate on this type into methods.

This also fixes what was previously another difference to the C implementation:
if you asked the C version of protovet_compute_vote() to compute a single vote
containing "Fribble=", it would return NULL.  However, the Rust version would
return "Fribble=" since it didn't check if the versions were empty before
constructing the string of differences.  ("Fribble=" is technically a valid
protover string.)  This is now fixed, and the Rust version in that case will,
analogous to (although safer than) C returning a NULL, return None.

 * REMOVE internal `contains_only_supported_protocols()` function.
 * REMOVE `all_supported()` function and refactor it into
   `UnvalidatedProtoEntry::all_supported()`.
 * REMOVE `parse_protocols_from_string_with_no_validation()` and
   refactor it into the more rusty implementation of
   `impl FromStr for UnvalidatedProtoEntry`.
 * REMOVE `protover_string_supports_protocol()` and refactor it into
   `UnvalidatedProtoEntry::supports_protocol()`.
 * REMOVE `protover_string_supports_protocol_or_later()` and refactor
   it into `UnvalidatedProtoEntry::supports_protocol_or_later()`.
 * FIXES part of #24031: https://bugs.torproject.org/24031

rust: Fix another C/Rust different in compute_vote().

This fixes the unittest from the prior commit by checking if the versions are
empty before adding a protocol to a vote.
2018-04-02 19:20:27 +00:00
Isis Lovecruft
88b2f170e4
rust: Add new protover::ProtoEntry type which uses new datatypes.
This replaces the `protover::SupportedProtocols` (why would you have a type just
for things which are supported?) with a new, more generic type,
`protover::ProtoEntry`, which utilises the new, more memory-efficient datatype
in protover::protoset.

 * REMOVE `get_supported_protocols()` and `SupportedProtocols::tor_supported()`
   (since they were never used separately) and collapse their functionality into
   a single `ProtoEntry::supported()` method.
 * REMOVE `SupportedProtocols::from_proto_entries()` and reimplement its
   functionality as the more rusty `impl FromStr for ProtoEntry`.
 * REMOVE `get_proto_and_vers()` function and refactor it into the more rusty
   `impl FromStr for ProtoEntry`.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:20:26 +00:00
Isis Lovecruft
811178434e
rust: Add new protover::UnknownProtocol type.
* ADD new type, protover::UnknownProtocol, so that we have greater type safety
   and our protover functionality which works with unsanitised protocol names is
   more clearly demarcated.
 * REFACTOR protover::Proto, renaming it protover::Protocol to mirror the new
   protover::UnknownProtocol type name.
 * ADD a utility conversion of `impl From<Protocol> for UnknownProtocol` so that
   we can easily with known protocols and unknown protocols simultaneously
   (e.g. doing comparisons, checking their version numbers), while not allowing
   UnknownProtocols to be accidentally used in functions which should only take
   Protocols.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:20:12 +00:00
Isis Lovecruft
9925d2e687
rust: Implement more memory-efficient protover datatype.
* ADD new protover::protoset module.
 * ADD new protover::protoset::ProtoSet class for holding protover versions.
 * REMOVE protover::Versions type implementation and its method
   `from_version_string()`, and instead implement this behaviour in a more
   rust-like manner as `impl FromStr for ProtoSet`.
 * MOVE the `find_range()` utility function from protover::protover to
   protover::protoset since it's only used internally in the
   implementation of ProtoSet.
 * REMOVE the `contract_protocol_list()` function from protover::protover and
   instead refactor it (reusing nearly the entire thing, with minor superficial,
   i.e. non-behavioural, changes) into a more rusty
   `impl ToString for ProtoSet`.
 * REMOVE the `expand_version_range()` function from protover::protover and
   instead refactor it into a more rusty implementation of
   `impl Into<Vec<Version>> for ProtoSet` using the new error types in
   protover::errors.
 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 19:04:19 +00:00
Isis Lovecruft
b6059297d7
rust: Implement error types for Rust protover implementation.
This will allow us to do actual error handling intra-crate in a more
rusty manner, e.g. propogating errors in match statements, conversion
between error types, logging messages, etc.

 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 18:27:39 +00:00
Nick Mathewson
f9e32a2084 Remove an unnecessary event2 include.
The rest, are, unfortunately, necessary for now.
2018-04-02 11:11:34 -04:00
Nick Mathewson
f4bcf3f34c Remove event2/event.h include from compat_libevent.h
Only one module was depending on this include (test_helpers.c), and
it was doing so incorrectly.
2018-04-02 11:11:31 -04:00
Nick Mathewson
3df9545492 Merge branch 'maint-0.3.3' 2018-04-02 08:51:47 -04:00
Roger Dingledine
6190593256 use channel_is_client for create cell counts
When a relay is collecting internal statistics about how many
create cell requests it has seen of each type, accurately count the
requests from relays that temporarily fall out of the consensus.

(To be extra conservative, we were already ignoring requests from clients
in our counts, and we continue ignoring them here.)

Fixes bug 24910; bugfix on 0.2.4.17-rc.
2018-04-02 01:00:31 -04:00
Roger Dingledine
961d2ad597 dir auths no longer vote Guard if they're not voting V2Dir
Directory authorities no longer vote in favor of the Guard flag
for relays that don't advertise directory support.

Starting in Tor 0.3.0.1-alpha, Tor clients have been avoiding using
such relays in the Guard position, leading to increasingly broken load
balancing for the 5%-or-so of Guards that don't advertise directory
support.

Fixes bug 22310; bugfix on 0.3.0.6.
2018-04-02 00:20:01 -04:00
Roger Dingledine
0983c203e5 misc tiny fixes 2018-04-01 23:47:44 -04:00
Taylor Yu
596eed3715 Fix CID 1433643
Add a missing lock acquisition around access to queued_control_events
in control_free_all().  Use the reassign-and-unlock strategy as in
queued_events_flush_all().  Fixes bug 25675.  Coverity found this bug,
but only after we recently added an access to
flush_queued_event_pending.
2018-03-29 17:21:33 -05:00
Nick Mathewson
2c1afc2def Merge branch 'maint-0.3.3' 2018-03-29 14:59:01 -04:00
Nick Mathewson
4f473fadbd Merge branch 'bug25617_029' into maint-0.3.3 2018-03-29 14:58:58 -04:00
Nick Mathewson
2e9e91ebbf bump version to 0.3.3.4-alpha-dev 2018-03-29 11:24:02 -04:00
Nick Mathewson
e35eb9baaa Mark controller-initiated DNS lookups as permitted to do DNS.
Fixes bug 25617; bugfix on 0.2.9.3-alpha.
2018-03-29 09:27:28 -04:00
Nick Mathewson
3fa66f9799 Bump version to 0.3.3.4-alpha 2018-03-29 08:01:37 -04:00
Nick Mathewson
2f872f9762 Merge remote-tracking branch 'hello71/bug25398' 2018-03-28 14:47:05 -04:00
Nick Mathewson
4c0e434f33 Merge remote-tracking branch 'public/bug25512' 2018-03-28 14:45:47 -04:00
Nick Mathewson
cb083b5d3e Merge remote-tracking branch 'asn-github/t-25432' 2018-03-28 14:43:33 -04:00
Nick Mathewson
794a25f8c1 Merge branch 'maint-0.3.3' 2018-03-28 14:23:06 -04:00
Nick Mathewson
e0bbef48bf Merge remote-tracking branch 'dgoulet/bug24767_033_03' into maint-0.3.3 2018-03-28 14:21:04 -04:00
Nick Mathewson
6317aa2cc0 Merge branch 'maint-0.3.3' 2018-03-28 07:50:47 -04:00
Nick Mathewson
d4bf1f6c8e Add a paranoia check in string_is_valid_nonrfc_hostname()
The earlier checks in this function should ensure that components is
always nonempty.  But in case somebody messes with them in the
future, let's add an extra check to make sure we aren't crashing.
2018-03-28 07:48:18 -04:00
Nick Mathewson
b504c854d3 Rename string_is_valid_hostname -> string_is_valid_nonrfc_hostname
Per discussion on 25055.
2018-03-28 07:42:27 -04:00
rl1987
09351c34e9 Don't strlen before checking for NULL 2018-03-28 07:39:03 -04:00
rl1987
a28e350cff Tweak loop condition 2018-03-28 07:39:03 -04:00
rl1987
6b6d003f43 Don't explode on NULL or empty string 2018-03-28 07:39:03 -04:00
rl1987
d891010fdd Allow alphanumeric TLDs in test for now 2018-03-28 07:39:03 -04:00
rl1987
ee1fca727c Simplify hostname validation code 2018-03-28 07:39:03 -04:00
rl1987
dbb7c8e6fd Validate hostnames with punycode TLDs correctly 2018-03-28 07:39:03 -04:00
rl1987
4413e52f9e Improve handling of trailing dot 2018-03-28 07:39:03 -04:00
rl1987
db850fec3a Test TLD validation 2018-03-28 07:39:03 -04:00
rl1987
6335db9fce Refrain from including <ctype.h> 2018-03-28 07:39:03 -04:00
rl1987
12afd8bfed Also test bracket-less IPv6 string validation 2018-03-28 07:39:03 -04:00
rl1987
5986589b48 Call strlen() once 2018-03-28 07:39:03 -04:00
rl1987
b0ba4aa7e9 Fix bracketed IPv6 string validation 2018-03-28 07:39:03 -04:00
rl1987
1af016e96e Do not consider IP strings valid DNS names. Fixes #25055 2018-03-28 07:39:03 -04:00
rl1987
0e453929d2 Allow IPv6 address strings to be used as hostnames in SOCKS5 requests 2018-03-28 07:39:03 -04:00
Nick Mathewson
fa6eaab83e Merge branch 'maint-0.3.3' 2018-03-27 18:25:52 -04:00
Nick Mathewson
5acfc30876 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-03-27 18:23:53 -04:00
Taylor Yu
471f28a2a8 Fix CID 1430932
Coverity found a null pointer reference in nodelist_add_microdesc().
This is almost certainly impossible assuming that the routerstatus_t
returned by router_get_consensus_status_by_descriptor_digest() always
corresponds to an entry in the nodelist.  Fixes bug 25629.
2018-03-27 16:11:29 -05:00
Taylor Yu
0c13a84c0d Fix CID 1430932
Coverity found a null pointer reference in nodelist_add_microdesc().
This is almost certainly impossible assuming that the routerstatus_t
returned by router_get_consensus_status_by_descriptor_digest() always
corresponds to an entry in the nodelist.  Fixes bug 25629.
2018-03-27 16:08:39 -05:00
Taylor Yu
4bb7d9fd12 Fix CID 1430932
Coverity found a null pointer reference in nodelist_add_microdesc().
This is almost certainly impossible assuming that the routerstatus_t
returned by router_get_consensus_status_by_descriptor_digest() always
corresponds to an entry in the nodelist.  Fixes bug 25629.
2018-03-27 15:29:00 -05:00
George Kadianakis
ab16f1e2a1 test: Add unittest for the OR connection failure cache
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-03-27 12:43:39 -04:00
David Goulet
f29d158330 relay: Avoid connecting to down relays
If we failed to connect at the TCP level to a relay, note it down and refuse
to connect again for another 60 seconds.

Fixes #24767

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-03-27 12:42:31 -04:00
Nick Mathewson
979c7e5c83 Merge branch 'maint-0.3.3' 2018-03-27 07:05:15 -04:00
Nick Mathewson
46c2b0ca22 Merge branch 'bug25213_033' into maint-0.3.3 2018-03-27 07:04:33 -04:00
Nick Mathewson
0eed0899cd Merge branch 'bug24658-rm-curve25519-header' into bug24658-merge 2018-03-26 20:12:59 -04:00
Nick Mathewson
d96dc2060a Merge branch 'maint-0.3.3' 2018-03-26 19:47:48 -04:00
Nick Mathewson
841ed9dbb9 Merge remote-tracking branch 'dgoulet/bug24904_033_01' into maint-0.3.3 2018-03-26 19:47:44 -04:00
Nick Mathewson
5278d72f97 Merge branch 'maint-0.3.3' 2018-03-26 10:32:53 -04:00
Nick Mathewson
ca2d9cbb93 Merge branch 'bug24903_029' into maint-0.3.3 2018-03-26 10:32:49 -04:00
Nick Mathewson
068d092749 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-03-26 10:29:29 -04:00
Nick Mathewson
b5a6c03998 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-03-26 10:29:29 -04:00
Nick Mathewson
c68bfc556c Merge branch 'maint-0.3.3' 2018-03-26 10:29:29 -04:00
Nick Mathewson
33606405e3 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-03-26 10:29:29 -04:00
Nick Mathewson
969a38a375 Fix a unit test which was broken by the previous commit
This test was expecting Tor to find and use routerinfos, but hadn't
cleared the UseMicrodescriptors flag.  Part of the fix for 25213.
2018-03-26 09:57:39 -04:00
Nick Mathewson
d1874b4339 Make extend_info_from_node() more picky about node contents
This update is needed to make it consistent with the behavior of
node_awaiting_ipv6(), which doesn't believe in the addresses from
routerinfos unless it actually plans to use those routerinfos.

Fixes bug 25213; bugfix on b66b62fb75 in 0.3.3.1-alpha,
which tightened up the definition of node_awaiting_ipv6().
2018-03-26 09:56:12 -04:00
Nick Mathewson
33a80921a2 When extending a circuit's path length, clear onehop_tunnel.
There was a nonfatal assertion in pathbias_should_count that would
trigger if onehop_tunnel was set, but the desired_path_length was
greater than 1.  This patch fixes that.  Fixes bug 24903; bugfix on
0.2.5.2-alpha.
2018-03-26 09:17:50 -04:00
Nick Mathewson
a9fa483004 Document a requirement for cells to be encrypted. 2018-03-24 13:49:44 -04:00
Nick Mathewson
7db4d0c55f Basic unit tests for relay_crypto.c
These tests handle incoming and outgoing cells on a three-hop
circuit, and make sure that the crypto works end-to-end.  They don't
yet test spec conformance, leaky-pipe, or various error cases.
2018-03-24 13:49:08 -04:00
Nick Mathewson
d749f6b5f6 Merge branch 'maint-0.3.3' 2018-03-23 17:49:29 -04:00
Nick Mathewson
eacfd29112 Fix windows compilation warnings in hs_service.c
These were breaking jenkins builds.  Bugfix on 5804ccc9070dc54;
bug not in any released Tor.
2018-03-23 17:47:56 -04:00
Nick Mathewson
bb9012c818 test: more data on geoip load failure. 2018-03-23 11:48:15 -04:00
Nick Mathewson
3519d0c808 Clear all control.c flags on control_free_all()
Fixes bug 25512.
2018-03-23 11:31:56 -04:00
Nick Mathewson
e263317e07 Merge remote-tracking branch 'fristonio/ticket-24740' 2018-03-23 11:22:58 -04:00
Nick Mathewson
11114c7e83 Merge branch 'maint-0.3.3' 2018-03-23 11:19:19 -04:00
Isis Lovecruft
657d5cbbbc tests: Automatically detect Rust crates to test and also pass --verbose.
* FIXES #25560: https://bugs.torproject.org/25560.
2018-03-23 11:13:04 -04:00
David Goulet
236c92a0a7 chan: Use channel_is_client() in channel_do_open_actions()
Make sure we actually only report client channel to the geoip cache instead of
looking if it is a known relay. Looking if it is a known relay can be
unreliable because they come and go from the consensus.

Fixes #24904

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-03-23 10:11:37 -04:00
Isis Lovecruft
fae5254783
hs: Fix two typos in an inline comment.
* FIXES #25602: https://bugs.torproject.org/25602
2018-03-22 22:33:34 +00:00
Nick Mathewson
24abcf9771 Merge branch 'bug25399_squashed' 2018-03-22 08:49:43 -04:00
Alex Xu (Hello71)
946ed24ca5 Do not page-align mmap length. #25399 2018-03-22 08:47:37 -04:00
Nick Mathewson
d9ba7db38b Merge remote-tracking branch 'public/geoip_testing' 2018-03-22 08:43:28 -04:00
Nick Mathewson
f8e53a545a Update tor_log to libc 0.2.39 as well. 2018-03-21 17:14:15 -04:00
Nick Mathewson
4e82441e4c Merge branch 'maint-0.3.3' 2018-03-21 17:10:10 -04:00
Nick Mathewson
2b31387410 Update src/ext/rust to latest master for libc update. 2018-03-21 17:09:59 -04:00
Nick Mathewson
03e787e220 Merge branch 'maint-0.3.3' 2018-03-21 17:05:42 -04:00
Isis Lovecruft
00a473733d maint: Update Rust libc dependency from 0.2.22 to 0.2.39.
Requires the update/libc-0.2.39 branch from
https://github.com/isislovecruft/tor-rust-dependencies to be merged
first.
2018-03-21 17:04:28 -04:00
Nick Mathewson
2c36a02bb1 Merge branch 'maint-0.3.3' 2018-03-20 12:55:46 -04:00
Nick Mathewson
b069979142 Merge branch 'bug25306_032_01_squashed_v2' into maint-0.3.3 2018-03-20 12:54:51 -04:00
David Goulet
5804ccc907 hs-v3: BUG() on missing descriptors during rotation
Because of #25306 for which we are unable to reproduce nor understand how it
is possible, this commit removes the asserts() and BUG() on the missing
descriptors instead when rotating them.

This allows us to log more data on error but also to let tor recover
gracefully instead of dying.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-03-20 12:54:05 -04:00
Nick Mathewson
9f93bcd16d Remove sb_poll check: all poll() calls are ok. 2018-03-20 08:30:21 -04:00
Nick Mathewson
070eda5a21 Add the poll() syscall as permitted by the sandbox
Apparently, sometimes getpwnam will call this.

Fixes bug 25513.
2018-03-20 08:23:44 -04:00
Nick Mathewson
56ae6d8766 Merge branch 'maint-0.3.3' 2018-03-20 07:50:46 -04:00
Alexander Færøy
fd36bd8971 Log information on specific compression backends in the OOM handler.
This patch adds some additional logging to circuits_handle_oom() to give
us more information about which specific compression backend that is
using a certain amount of memory.

See: https://bugs.torproject.org/25372
2018-03-20 07:47:19 -04:00
Nick Mathewson
228b655935 Move rust-specific declarations outside of #else block
These declarations need to exist unconditionally, but they were
trapped inside an "#else /* !(defined(HAVE_SYSLOG_H)) */" block.

Fixes a travis regression caused by 23881; bug not in any released tor.
2018-03-19 19:18:23 -04:00
Nick Mathewson
d8893bc93c Merge remote-tracking branch 'isis/bug23881_r1' 2018-03-19 17:20:37 -04:00
Nick Mathewson
910422e8fa Merge branch 'maint-0.3.2' into maint-0.3.3 2018-03-19 16:59:49 -04:00
Nick Mathewson
3716611fea Merge branch 'maint-0.3.3' 2018-03-19 16:59:49 -04:00
Isis Lovecruft
66d3120634 tests: Fix HS test against max IP lifetime.
* FIXES part of #25450: https://bugs.torproject.org/25450
2018-03-19 16:59:07 -04:00
Isis Lovecruft
1f8bd93ecb
rust: Fix typo in name of logged function. 2018-03-19 19:23:35 +00:00
Isis Lovecruft
547c62840e
rust: Remove #[no_mangle]s on two constants.
These won't/shouldn't ever be called from C, so there's no reason to
preserve naming.
2018-03-19 19:23:34 +00:00
Neel Chauhan
bc5f79b95c Use tor_asprintf for in have_enough_mem_for_dircache()
(Fixes bug 20887)
2018-03-19 12:38:28 -04:00
Nick Mathewson
b0f0c0f550 Merge remote-tracking branch 'fristonio/ticket-6236' 2018-03-19 06:42:10 -04:00
Nick Mathewson
a324cd9020 Merge branch 'ticket25268_034_01' 2018-03-19 06:01:02 -04:00
Nick Mathewson
92c60b572c Merge branch 'maint-0.3.3' 2018-03-19 05:39:56 -04:00
Gisle Vanem
53914f7dae tests: Fix crash on win32 due to uninitialised mutex in bench.c.
Signed-off-by: Isis Lovecruft <isis@torproject.org>
2018-03-19 05:38:19 -04:00
Nick Mathewson
bcea98a4b4 Merge branch 'maint-0.3.3' 2018-03-19 05:36:06 -04:00
Nick Mathewson
296e429ebc Merge branch 'maint-0.3.2' into maint-0.3.3 2018-03-19 05:36:06 -04:00
Nick Mathewson
a0cc7e9492 Merge remote-tracking branch 'isis/bug25450_032' into maint-0.3.2 2018-03-19 05:35:39 -04:00
Nick Mathewson
5ecad6c95d Extract the cryptographic parts of crypt_path_t and or_circuit_t.
Additionally, this change extracts the functions that created and
freed these elements.

These structures had common "forward&reverse stream&digest"
elements, but they were initialized and freed through cpath objects,
and different parts of the code depended on them.  Now all that code
is extacted, and kept in relay_crypto.c
2018-03-17 10:59:15 -04:00
Nick Mathewson
80955be6ec Move relay-crypto functions from relay.[ch] to relay_crypto.[ch]
This should help us improve modularity, and should also make it
easier for people to experiment with other relay crypto strategies
down the road.

This commit is pure function movement.
2018-03-17 10:23:44 -04:00
Nick Mathewson
320dcf65b7 Extract the crypto parts of circuit_package_relay_cell. 2018-03-17 10:16:41 -04:00
Nick Mathewson
2989326054 Rename 'relay_crypt' to 'relay_decrypt_cell'
This function is used upon receiving a cell, and only handles the
decrypting part.  The encryption part is currently handled inside
circuit_package_relay_cell.
2018-03-17 10:05:25 -04:00
Nick Mathewson
becae4c943 Add a test for geoip_load_file(). 2018-03-15 15:21:34 +01:00
Nick Mathewson
1debe57563 On geoip_free_all, reset geoip[6]_digest. 2018-03-15 15:21:23 +01:00
Nick Mathewson
ffb00404b1 Split geoip tests into a separate module. 2018-03-15 15:12:54 +01:00
Nick Mathewson
4e5e973421 Merge remote-tracking branch 'public/restart_reset_bootstrap' 2018-03-14 12:12:37 +01:00
Nick Mathewson
c6d364e8ae Merge branch 'maint-0.3.3' 2018-03-13 10:59:56 -04:00
Nick Mathewson
d60dc27555 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-03-13 10:59:30 -04:00
Nick Mathewson
950606dcc9 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-03-13 10:58:03 -04:00
Nick Mathewson
38b7885c90 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-03-13 10:58:03 -04:00
Nick Mathewson
0e7f15fdb6 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-03-13 10:58:02 -04:00
Nick Mathewson
67a313f0ec Merge branch 'maint-0.2.5' into maint-0.2.9 2018-03-13 10:58:02 -04:00
Karsten Loesing
3418a3a7f0 Update geoip and geoip6 to the March 8 2018 database. 2018-03-13 10:57:49 -04:00
Nick Mathewson
40154c1f9e Merge branch 'maint-0.3.3' 2018-03-13 10:00:58 +01:00
Nick Mathewson
e9dbd6dd8f Update the documentation in tor_api.h 2018-03-13 10:00:41 +01:00
Isis Lovecruft
0545f64d24
test: Increase time limit for IP creation in an HS test.
This should avoid most intermittent test failures on developer and CI machines,
but there could (and probably should) be a more elegant solution.

Also, this test was testing that the IP was created and its expiration time was
set to a time greater than or equal to `now+INTRO_POINT_LIFETIME_MIN_SECONDS+5`:

    /* Time to expire MUST also be in that range. We add 5 seconds because
     * there could be a gap between setting now and the time taken in
     * service_intro_point_new. On ARM, it can be surprisingly slow... */
    tt_u64_op(ip->time_to_expire, OP_GE,
              now + INTRO_POINT_LIFETIME_MIN_SECONDS + 5);

However, this appears to be a typo, since, according to the comment above it,
adding five seconds was done because the IP creation can be slow on some
systems.  But the five seconds is added to the *minimum* time we're comparing
against, and so it actually functions to make this test *more* likely to fail on
slower systems.  (It should either subtract five seconds, or instead add it to
time_to_expire.)

 * FIXES #25450: https://bugs.torproject.org/25450
2018-03-08 20:50:50 +00:00
Caio Valente
8775c93a99 Refactor: suppress duplicated functions from router.c and encapsulate NODE_DESC_BUF_LEN constant.
Also encapsulates format_node_description().

Closes ticket 25432.
2018-03-06 20:42:32 +01:00
Deepesh Pathak
930b985581
Fix redundant authority certificate fetch
- Fixes #24740
- Fetch certificates only in those cases when consensus are waiting for certs.
2018-03-04 21:13:58 +05:30
Nick Mathewson
699bb803ba Fix a crash bug when testing reachability
Fixes bug 25415; bugfix on 0.3.3.2-alpha.
2018-03-04 10:31:17 -05:00
Nick Mathewson
df9d2de441 Merge remote-tracking branch 'fristonio/ticket4187' 2018-03-03 12:02:30 -05:00
Nick Mathewson
338dbdab93 Merge branch 'maint-0.3.3' 2018-03-03 11:59:27 -05:00
Alexander Færøy
59a7b00384 Update tor.1.txt with the currently available log domains.
See: https://bugs.torproject.org/25378
2018-03-03 11:58:14 -05:00
Nick Mathewson
62482ea279 Merge branch 'maint-0.3.3' 2018-03-03 11:53:05 -05:00
Nick Mathewson
cc7de9ce1d Merge branch 'ticket23814' into maint-0.3.3 2018-03-03 11:53:01 -05:00
Nick Mathewson
aec505a310 bump to 0.3.3.3-alpha-dev 2018-03-03 11:33:56 -05:00
Nick Mathewson
0026d1a673 bump version to 0.3.2.10-dev 2018-03-03 11:33:27 -05:00
Nick Mathewson
0aa794d309 version bump to 0.3.1.10-dev 2018-03-03 11:32:51 -05:00
Nick Mathewson
9eb6f9d3c8 Bump version to 0.2.9.15-dev 2018-03-03 11:32:16 -05:00
Alex Xu (Hello71)
45d3b5fa4c Remove uncompilable tor_mmap_file fallback. #25398 2018-03-02 09:51:53 -05:00
Nick Mathewson
15f6201a5b increment to 0.3.3.3-alpha 2018-03-01 16:44:07 -05:00
Nick Mathewson
1ec386561e version bump to 0.3.2.10 2018-03-01 16:43:35 -05:00
Nick Mathewson
c527a8a9c9 Update to 0.3.1.10 2018-03-01 16:43:01 -05:00
Nick Mathewson
35753c0774 version bump to 0.2.9.15 2018-03-01 16:42:17 -05:00
Nick Mathewson
d22963938f Merge branch 'maint-0.3.3' 2018-03-01 16:10:47 -05:00
Nick Mathewson
f7eff2f8c5 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-03-01 16:10:43 -05:00
Nick Mathewson
d01abb9346 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-03-01 16:07:59 -05:00
Nick Mathewson
d4a758e083 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-03-01 16:07:59 -05:00
Nick Mathewson
c1bb8836ff Protover tests: disable some obsoleted tests
These were meant to demonstrate old behavior, or old rust behavior.

One of them _should_ work in Rust, but won't because of
implementation details.  We'll fix that up later.
2018-03-01 16:05:17 -05:00
Nick Mathewson
c5295cc1be Spec conformance on protover: always reject ranges where lo>hi 2018-03-01 16:05:17 -05:00
Nick Mathewson
1fe0bae508 Forbid UINT32_MAX as a protocol version
The C code and the rust code had different separate integer overflow
bugs here.  That suggests that we're better off just forbidding this
pathological case.

Also, add tests for expected behavior on receiving a bad protocol
list in a consensus.

Fixes another part of 25249.
2018-03-01 16:05:17 -05:00
Nick Mathewson
8b405c609e Forbid "-0" as a protocol version.
Fixes part of 24249; bugfix on 0.2.9.4-alpha.
2018-03-01 16:05:17 -05:00
Nick Mathewson
0953c43c95 Add more of Teor's protover tests.
These are as Teor wrote them; I've disabled the ones that don't pass
yet, with XXXX comments.
2018-03-01 16:05:17 -05:00
Nick Mathewson
d3a1bdbf56 Add some protover vote round-trip tests from Teor.
I've refactored these to be a separate function, to avoid tricky
merge conflicts.

Some of these are disabled with "XXXX" comments; they should get
fixed moving forward.
2018-03-01 16:05:17 -05:00
Nick Mathewson
a83650852d Add another NULL-pointer fix for protover.c.
This one can only be exploited if you can generate a correctly
signed consensus, so it's not as bad as 25074.

Fixes bug 25251; also tracked as TROVE-2018-004.
2018-03-01 16:05:17 -05:00
Nick Mathewson
65f2eec694 Correctly handle NULL returns from parse_protocol_list when voting.
In some cases we had checked for it, but in others we had not.  One
of these cases could have been used to remotely cause
denial-of-service against directory authorities while they attempted
to vote.

Fixes TROVE-2018-001.
2018-03-01 16:05:17 -05:00
Isis Lovecruft
167da4bc81
rust: Remove extra whitespace from a static log/error message. 2018-02-27 20:43:54 +00:00
Deepesh Pathak
130e2ffad7
Remove duplicate code between parse_{c,s}method in transport.c
- Merged common code in function parse_{c,s}method to a single function
- Removed duplicate code in transport.c
- Fixes #6236
2018-02-24 20:27:08 +05:30
Nick Mathewson
fc22bcadb5 Revert 4438ef32's changes to test_address.c
Apparently some versions of the mac sdk care about the ordering of
net/if.h wrt other headers.

Fixes bug 25319; bug not in any released tor.
2018-02-21 09:36:37 -05:00
Isis Lovecruft
7759ac8df2
crypto: Remove crypto_rsa.h from crypto_digest.c.
* ADD include for "crypto_openssl_mgt.h" so that we have OpenSSL
   defined SHA* types and functions.
 * FIXES part of #24658: https://bugs.torproject.org/24658#comment:30
2018-02-20 20:29:54 +00:00
Isis Lovecruft
3e9140e79a
crypto: Remove unnecessary curve25519 header from crypto_digest.h.
* ADD includes for "torint.h" and "container.h" to crypto_digest.h.
 * ADD includes for "crypto_digest.h" to a couple places in which
   crypto_digest_t was then missing.
 * FIXES part of #24658: https://bugs.torproject.org/24658#comment:30
2018-02-20 20:29:54 +00:00
Nick Mathewson
4438ef3288 Remove a bunch of other redundant #includes
Folks have found two in the past week or so; we may as well fix the
others.

Found with:

\#!/usr/bin/python3
import re

def findMulti(fname):
    includes = set()
    with open(fname) as f:
        for line in f:
            m = re.match(r'^\s*#\s*include\s+["<](\S+)[>"]', line)
            if m:
                inc = m.group(1)
                if inc in includes:
                    print("{}: {}".format(fname, inc))
                includes.add(m.group(1))

import sys
for fname in sys.argv[1:]:
    findMulti(fname)
2018-02-20 10:14:15 -05:00
Nick Mathewson
a4ab273a0d Merge remote-tracking branch 'fristonio/ticket-25261' 2018-02-20 10:03:52 -05:00
Nick Mathewson
5199b9b337 Use autoconf to check for optional zstd functionality.
Fixes a bug in our zstd-static code.  Bug not in any released
version of Tor.
2018-02-18 16:19:43 -05:00
Fernando Fernandez Mancera
0fad49e1c4 Move crypto_pk_obsolete_* functions into RSA module.
We moved the crypto_pk_obselete_* functions into crypto_rsa.[ch] because they fit
better with the RSA module.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-16 18:23:21 +01:00
Fernando Fernandez Mancera
541b6b2433 Remove useless included files in crypto_rsa.[ch].
Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-16 17:49:58 +01:00
Nick Mathewson
bd71e0a0c8 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-16 09:54:13 -05:00
Nick Mathewson
2bcd264a28 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-16 09:48:11 -05:00
Nick Mathewson
cb92d47dec Merge remote-tracking branch 'dgoulet/ticket24902_029_05' into maint-0.2.9 2018-02-16 09:41:06 -05:00
Nick Mathewson
bbc73c5d1c Whoops. 256 was not big enough. 2018-02-16 09:40:29 -05:00
Nick Mathewson
a34fc1dad2 Allow checkpointing of non-sha1 digests.
This is necessary because apparently v3 rendezvous cpath hops use
sha3, which I had forgotten.

Bugfix on master; bug not in any released Tor.
2018-02-16 09:25:50 -05:00
Roger Dingledine
d21e5cfc24 stop calling channel_mark_client in response to a create_fast
since all it does is produce false positives

this commit should get merged into 0.2.9 and 0.3.0 *and* 0.3.1, even
though the code in the previous commit is already present in 0.3.1. sorry
for the mess.

[Cherry-picked]
2018-02-16 08:46:57 -05:00
Roger Dingledine
2b99350ca4 stop calling channel_mark_client in response to a create_fast
since all it does is produce false positives

this commit should get merged into 0.2.9 and 0.3.0 *and* 0.3.1, even
though the code in the previous commit is already present in 0.3.1. sorry
for the mess.
2018-02-16 08:46:31 -05:00
Roger Dingledine
8d5dcdbda2 backport to make channel_is_client() accurate
This commit takes a piece of commit af8cadf3a9 and a piece of commit
46fe353f25, with the goal of making channel_is_client() be based on what
sort of connection handshake the other side used, rather than seeing
whether the other side ever sent a create_fast cell to us.
2018-02-16 08:39:10 -05:00
Neel Chauhan
c2fa743806 Remove the return value of node_get_prim_orport() and node_get_prim_dirport() 2018-02-16 08:20:33 -05:00
Nick Mathewson
200fc8c640 Compilation workaround for windows, which lacks O_SYNC
Bug not in any released Tor.
2018-02-16 08:16:12 -05:00
Nick Mathewson
5a9ada342f tor_zstd_format_version shouldn't be built when !HAVE_ZSTD
Fixes bug 25276; bugfix not in any released Tor.
2018-02-16 08:06:01 -05:00
Fernando Fernandez Mancera
f9f0dd5b9a Move the pk-digest functions into crypto_rsa.[ch].
We moved the crypto_pk_* digest functions into crypto_rsa.[ch] because they fit
better with the RSA module.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-16 12:04:22 +01:00
Nick Mathewson
b56fd17d00 Merge branch 'maint-0.3.3' 2018-02-15 21:05:12 -05:00
Nick Mathewson
d662d4470a Merge remote-tracking branch 'dgoulet/ticket24343_033_01' into maint-0.3.3 2018-02-15 21:05:08 -05:00
Nick Mathewson
d9804691df Merge remote-tracking branch 'ffmancera-1/bug18918' 2018-02-15 21:00:10 -05:00
Nick Mathewson
92a42f795c Merge branch 'bug23909' 2018-02-15 20:56:23 -05:00
Nick Mathewson
8da6bfa5de Merge branch 'bug24914' 2018-02-15 20:53:50 -05:00
Nick Mathewson
4d994e7a9c Fix a stack-protector warning: don't use a variable-length buffer
Instead, define a maximum size, and enforce it with an assertion.
2018-02-15 20:52:01 -05:00
Nick Mathewson
ed1d630f0e Merge branch 'onion_ntor_malloc_less' 2018-02-15 20:40:03 -05:00
Nick Mathewson
28c3f538e5 Documentation fixes suggested by catalyst. 2018-02-15 20:38:08 -05:00
Nick Mathewson
bda1dfb9e0 Merge remote-tracking branch 'isis/bug25185' 2018-02-15 20:35:30 -05:00
Nick Mathewson
acb7a536c2 Merge branch 'maint-0.3.3' 2018-02-15 20:33:00 -05:00
Nick Mathewson
799c82be70 Merge remote-tracking branch 'isis/bug25171' into maint-0.3.3 2018-02-15 20:32:57 -05:00
Nick Mathewson
a1dd8afc16 Merge branch '25162_zstd_static' 2018-02-15 20:28:07 -05:00
Nick Mathewson
066a15af63 This stats_n_seconds_working variable needs to be static now.
(When a variable isn't going to be declared extern in the header, we
require that it be static.)
2018-02-15 20:26:09 -05:00
Nick Mathewson
3ca04aada2 Merge remote-tracking branch 'valentecaio/t-25081' 2018-02-15 20:23:23 -05:00
Nick Mathewson
3d7bf98d13 Merge remote-tracking branch 'valentecaio/t-24714' 2018-02-15 20:19:53 -05:00
Isis Lovecruft
5f7d78ce2a
tests: Remove duplicate included header file in src/test/test.c.
* FIXES #25271: https://bugs.torproject.org/25271
2018-02-16 01:19:12 +00:00
Nick Mathewson
3c8a481599 Merge branch 'bug18105' 2018-02-15 20:17:31 -05:00
Nick Mathewson
3e2b48f8b4 Merge branch 'bug24484_squashed' 2018-02-15 20:13:53 -05:00
Nick Mathewson
4dc228e35b Remove workaround code for systems where free(NULL) is busted.
Add an autoconf test to make sure we won't regret it.

Closes ticket 24484.
2018-02-15 20:13:44 -05:00
Nick Mathewson
cfff582e4d Bump version in master to 0.3.4.0-alpha-dev 2018-02-15 20:11:25 -05:00
Nick Mathewson
5af03c1ef3 rust protover: match the C implementation on empty-str cases
Empty versions lists are permitted; empty keywords are not.
2018-02-15 19:08:52 -05:00
Nick Mathewson
b58a2febe3 Forbid u32::MAX as a protover range element in rust
Part of the 25249 fix to make rust match the C.
2018-02-15 19:07:38 -05:00
Nick Mathewson
f69510ba4b Rust protover compat: forbid more than MAX_VERSIONS_TO_EXPAND in a range
Also correct MAX_VERSIONS_TO_EXPAND to match the C.

NOTE that this patch leads to incorrect behavior: the C code allows
huge ranges; it just doesn't allow votes on them (currently).  For
full compatibility, we'll need to make the rust code store ranges as
ranges natively, possibly using something like the range_map crate.

Still, this patch is smaller than a "proper" fix.

Fixes TROVE-2018-003.
2018-02-15 19:07:25 -05:00
David Goulet
779eded6bb man: Update the CircuitPriorityHalflife entry
The behavior has changed slightly in the previous commits.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 14:54:48 -05:00
David Goulet
e19cd38f08 cmux: Always use the cmux policy
Remove the checks on cmux->policy since it should always be set.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 14:54:24 -05:00
David Goulet
c235c32bbc cmux: Remove round-robin circuit policy
Since 0.2.4, tor uses EWMA circuit policy to prioritize. The previous
algorithm, round-robin, hasn't been used since then but was still used as a
fallback.

Now that EWMA is mandatory, remove that code entirely and enforce a cmux
policy to be set.

This is part of a circuitmux cleanup to improve performance and reduce
complexity in the code. We'll be able to address future optimization with this
work.

Closes #25268

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 14:36:39 -05:00
David Goulet
9d68647ba3 cmux: Remove PARANOIA assert functions
The reason to do so is because these functions haven't been used in years so
since 0.2.4, every callsite is NOP.

In future commits, we'll remove the round robin circuit policy which is mostly
validated within those function.

This simplifies the code greatly and remove dead code for which we never had a
configure option in the first place nor an easy way to use them in production.

Part of #25268

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 14:02:09 -05:00
David Goulet
9af5b625e8 cmux: Rename cell_ewma_set_scale_factor()
It is rename to something more meaningful that explains what it does exactly
which is sets the EWMA options (currently only one exists). The new name is
cmux_ewma_set_options().

Also, remove a public function from circuitmux_ewma.h that is only used in the
C file. Make it static inline as well.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 13:51:34 -05:00
David Goulet
6b1dba214d cmux: Make EWMA policy mandatory
To achieve this, a default value for the CircuitPriorityHalflife option was
needed. We still look in the options and then the consensus but in case no
value can be found, the default CircuitPriorityHalflifeMsec=30000 is used. It
it the value we've been using since 0.2.4.4-alpha.

This means that EWMA, our only policy, can not be disabled anymore fallbacking
to the round robin algorithm. Unneeded code to control that is removed in this
commit.

Part of #25268

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 13:45:21 -05:00
Deepesh Pathak
3553383312
ticket 25261: Removed multiple includes of transports.h in connection.c 2018-02-15 22:28:34 +05:30
Nick Mathewson
f6a230ec95 Merge remote-tracking branch 'mikeperry/bug24769' 2018-02-14 10:03:14 -05:00
Nick Mathewson
9e566f3a72 Merge branch 'tests_rust' 2018-02-13 18:12:01 -05:00
Nick Mathewson
86f461e362 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-13 15:00:43 -05:00
David Goulet
b60ffc5ce0 Merge remote-tracking branch 'dgoulet/bug25223_029_01' into ticket24902_029_05 2018-02-13 13:11:10 -05:00
David Goulet
305e39d0f8 dos: Add extra safety asserts in cc_stats_refill_bucket()
Never allow the function to set a bucket value above the allowed circuit
burst.

Closes #25202

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-13 10:41:21 -05:00
David Goulet
4fe4f8179f dos: Don't set consensus param if we aren't a public relay
We had this safeguard around dos_init() but not when the consensus changes
which can modify consensus parameters and possibly enable the DoS mitigation
even if tor wasn't a public relay.

Fixes #25223

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-13 10:35:41 -05:00
Nick Mathewson
b062730a11 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-13 08:50:59 -05:00
Nick Mathewson
17a923941a Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-13 08:50:58 -05:00
David Goulet
e658dad625 dirserv: Improve returned message when relay is rejected
Explicitly inform the operator of the rejected relay to set a valid email
address in the ContactInfo field and contact bad-relays@ mailing list.

Fixes #25170

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-13 08:47:42 -05:00
Nick Mathewson
ef164346d4 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-13 08:47:06 -05:00
Nick Mathewson
1555946e20 Have tor_addr hashes return a randomized hash for AF_UNSPEC.
We don't expect this to come up very much, but we may as well make
sure that the value isn't predictable (as we do for the other
addresses) in case the issue ever comes up.

Spotted by teor.
2018-02-12 11:14:36 -05:00
Nick Mathewson
99fbbc6c47 Fix a typo in an address_set.c comment. 2018-02-12 11:14:34 -05:00
Nick Mathewson
91109bc813 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-12 08:33:47 -05:00
Nick Mathewson
e91bae66d8 Merge branch 'bug23318-redux_029' into maint-0.2.9 2018-02-12 08:33:03 -05:00
Fernando Fernandez Mancera
3dd2c1d022 Tweaks into router_should_be_dirserver() log msg.
Fixed log message that has been changed in commit 5ea993fa5a.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-12 12:30:52 +01:00
Nick Mathewson
b2c4d4e7fa Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-11 18:11:04 -05:00
Nick Mathewson
84c13336c4 Merge remote-tracking branch 'public/bug24198_029' into maint-0.2.9 2018-02-11 18:10:59 -05:00
Nick Mathewson
8939eaf479 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-11 18:09:35 -05:00
Nick Mathewson
848ba26c18 Merge branch 'ticket24315_029' into maint-0.2.9 2018-02-11 18:07:37 -05:00
Nick Mathewson
684d57fe8a Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-11 17:00:52 -05:00
Nick Mathewson
eccef6ba60 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-11 16:51:56 -05:00
Nick Mathewson
5dc785ceef Merge remote-tracking branch 'public/bug21074_029' into maint-0.2.9 2018-02-11 16:51:53 -05:00
Nick Mathewson
a75ae628c7 Merge remote-tracking branch 'isis/bug25127_redux' 2018-02-11 16:17:41 -05:00
Nick Mathewson
7aa94f7441 fix compilation. 2018-02-11 16:16:58 -05:00
Nick Mathewson
627974b02e Merge branch 'bug25120' 2018-02-11 16:10:58 -05:00
Alexander Færøy
14c47a0b5c Lower log-level in different error conditions in entropy selection.
This patch lowers the log-level from warning to info in the cases where
we are going to attempt another method as entropy source to hopefully
make the user feel less concerned.

See: https://bugs.torproject.org/25120
2018-02-11 16:10:50 -05:00
Nick Mathewson
4de20d1754 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-10 16:09:01 -05:00
Nick Mathewson
1df701c082 Merge branch 'maint-0.3.2' 2018-02-10 16:09:01 -05:00
Nick Mathewson
86583ad78e Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-10 16:09:00 -05:00
Nick Mathewson
320dac4602 Merge branch 'bug24978_029_enable' into maint-0.2.9 2018-02-10 16:08:58 -05:00
Nick Mathewson
791ceb2028 Bump version to 0.3.3.2-alpha-dev 2018-02-10 10:41:23 -05:00
Isis Lovecruft
a4797a7e62
rust: Remove now unused byte_slice_is_c_like() utility. 2018-02-10 02:31:07 +00:00
Isis Lovecruft
081e99c16f
rust: Remove empty_static_cstr() in favour of new cstr!() macro. 2018-02-10 02:19:18 +00:00
Isis Lovecruft
6c77593a57
rust: Use tor_util::strings utils for protover_compute_for_old_tor. 2018-02-10 02:18:55 +00:00
Isis Lovecruft
3c4e006e7e
rust: Use tor_util::strings utils for protover_get_supported_protocols. 2018-02-10 02:15:06 +00:00
Isis Lovecruft
8fff331bb0
rust: Add macro for passing static borrowed strings from Rust to C.
* ADD a new macro, tor_util::string::cstr!() which takes Rust strings,
   concatenates them together, appends a NUL byte, and converts it into a
   std::ffi::CStr for handing to C.
2018-02-10 02:15:06 +00:00
Isis Lovecruft
45c59eff6c
rust: Replace two unwrap()s in FFI code with unwrap_or()s. 2018-02-10 01:21:31 +00:00
Nick Mathewson
9e0d468498 Bump to 0.3.3.2-alpha 2018-02-09 17:25:58 -05:00
Roger Dingledine
99666dc6c4 whitespace and typo cleanups 2018-02-09 17:05:20 -05:00
Nick Mathewson
abdf2a6f7f Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-09 12:08:12 -05:00
David Goulet
1a4fc9cddf test: DoS test to make sure we exclude known relays
Part of #25193

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-09 11:31:01 -05:00
David Goulet
666582a679 dos: Exclude known relays from client connection count
This is to avoid positively identifying Exit relays if tor client connection
comes from them that is reentering the network.

One thing to note is that this is done only in the DoS subsystem but we'll
still add it to the geoip cache as a "client" seen. This is done that way so
to avoid as much as possible changing the current behavior of the geoip client
cache since this is being backported.

Closes #25193

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-09 11:13:04 -05:00
Nick Mathewson
549a450f52 Add a "make test-rust" target to run the rust tests only. 2018-02-08 17:51:57 -05:00
Nick Mathewson
d9826b0a30 Merge remote-tracking branch 'frewsxcv/frewsxcv-protover' 2018-02-08 17:45:17 -05:00
Nick Mathewson
af049657eb Stop claiming that compute_for_old_tor() returns pairs 2018-02-08 17:36:08 -05:00
Nick Mathewson
d8307cb0e9 Remove new unsafe {} use.
Rationale: this helps for performance only, but we don't actually
have any reason to think that the checks here are
performance-critical.  Let's not normalize the use of unsafe {}.
2018-02-08 17:29:50 -05:00
Nick Mathewson
8d142e2322 Merge remote-tracking branch 'isis/bug25127' 2018-02-08 17:16:14 -05:00
David Goulet
112638921b Merge branch 'ticket25183_029_01' into ticket24902_029_05 2018-02-08 16:56:21 -05:00
David Goulet
a445327b80 test: Add unit tests for addressset.c
This also adds one that tests the integration with the nodelist.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-08 16:56:05 -05:00
Nick Mathewson
6892d32921 Add an address_set to the nodelist.
This set is rebuilt whenever a consensus arrives.  In between
consensuses, it is add-only.
2018-02-08 14:40:05 -05:00
Nick Mathewson
0640da4269 Function to add an ipv4 address to an address_set
This is a convenience function, so callers don't need to wrap
the IPv4 address.
2018-02-08 14:38:14 -05:00
Nick Mathewson
46bd2aed91 Add an address-set backend using a bloom filter.
We're going to need this to make our anti-DoS code (see 24902) more
robust.
2018-02-08 14:38:11 -05:00
Nick Mathewson
84bc75b2e7 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-08 10:29:06 -05:00
Nick Mathewson
cce76fbbe2 Merge branch 'maint-0.3.2' 2018-02-08 10:29:06 -05:00
Nick Mathewson
04a8e81fa9 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-08 10:29:05 -05:00
Nick Mathewson
0ddc2dc531 Merge branch 'maint-0.2.5' into maint-0.2.9 2018-02-08 10:29:05 -05:00
David Goulet
211fe44e07 dirserv: Improve returned message when relay is rejected
Explicitly inform the operator of the rejected relay to set a valid email
address in the ContactInfo field and contact bad-relays@ mailing list.

Fixes #25170

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-08 09:42:26 -05:00
Karsten Loesing
f1278b7e57 Update geoip and geoip6 to the February 7 2018 database. 2018-02-08 10:32:41 +01:00
Isis Lovecruft
b85436c596
protover: Fix memleak in Rust impl of protover_compute_for_old_tor.
* FIXES #25127: https://bugs.torproject.org/25127
 * ADDS a new module to the Rust tor_util crate for small utilities
   for working with static strings between languages.
 * CHANGES the return type of protover_compute_for_old_tor to point to
   immutable data.
 * CHANGES the code from the previous commit to use the new static
   string utilities.
2018-02-07 22:51:58 +00:00
David Goulet
652d3a5b66 Remove anything related to the old SocksSockets option
At this commit, the SocksSocketsGroupWritable option is renamed to
UnixSocksGroupWritable. A deprecated warning is triggered if the old option is
used and tor will use it properly.

Fixes #24343

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-07 14:05:33 -05:00
Roger Dingledine
bf91da75ab remove blank line between function-comment and function
also be more consistent about punctuation in doxygen comments
2018-02-07 12:51:05 -05:00
Nick Mathewson
12b58ba551 Merge remote-tracking branch 'dgoulet/ticket25163_033_01' 2018-02-07 12:46:27 -05:00
Roger Dingledine
a7440d9c9d more fixes for typos, grammar, whitespace, etc
some of these ought to have been noticed by the "misspell" tool,
so if anybody is debugging it, here are some bug reports :)
2018-02-07 12:22:29 -05:00
Nick Mathewson
78382d557a Merge remote-tracking branch 'dgoulet/bug25113_029_01' 2018-02-07 11:33:14 -05:00
David Goulet
fe3dfe7e38 test: Bump to 10 msec gap in the monotonic test
On slow system, 1 msec between one read and the other was too tight. For
instance, it failed on armel with a 4msec gap:

  https://buildd.debian.org/status/package.php?p=tor&suite=experimental

Increase to 10 msec for now to address slow system. It is important that we
keep this OP_LE test in so we make sure the msec/usec/nsec read aren't
desynchronized by huge gaps. We'll adjust again if we ever encounter a system
that goes slower than 10 msec between calls.

Fixes #25113

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-07 10:50:52 -05:00
Nick Mathewson
86498e5aa5 Fix wide lines from typo-fix patch. 2018-02-07 10:46:05 -05:00
Deepesh Pathak
ca6682f3f8 Fix spelling mistakes corresponding to ticket #23650 2018-02-07 10:41:57 -05:00
George Kadianakis
13f5adc86c Improve doc of primary_guards_up_to_date. 2018-02-07 11:46:30 +02:00
David Goulet
93ebcc2b8f rephist: Stop tracking relay connection status
Remove a series of connection counters that were only used when dumping the
rephist statistics with SIGUSR1 signal.

This reduces the or_history_t structure size.

Closes #25163

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-06 12:56:36 -05:00
David Goulet
199bc37290 rephist: Stop tracking EXTEND attempts
This removes the code that tracks the extend attemps a client makes. We don't
use it and it was only used to provide statistics on a SIGUSR1 from the
rephist dump stats function.

Part of #25163

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-06 12:43:55 -05:00
Nick Mathewson
6961609a1c Merge remote-tracking branch 'dgoulet/bug25116_029_01' 2018-02-06 12:13:41 -05:00
Nick Mathewson
a03488954c Add configure option to control ZSTD_STATIC_LINKING_ONLY 2018-02-06 11:58:05 -05:00
Nick Mathewson
87db5a6b75 Merge remote-tracking branch 'arma/bug22212' 2018-02-06 11:36:13 -05:00
Nick Mathewson
a77a366b87 Warn on zstd header/library version mismatch
If we're going to potentially degrade performance in this case, we
may as well tell people so.
2018-02-06 11:05:07 -05:00
Nick Mathewson
f98cb5d355 Use "static-only" zstd functions to estimate memory usage.
These should provide better and more accurate results when we can
use them; we fall back to the old approach when we can't.
2018-02-06 11:05:07 -05:00
Nick Mathewson
7cb954209d Make zstd unit tests try running with static-only fns disabled
Since we're making it so that unstable zstd apis can be disabled,
we need to test them.  I do this by adding a variant setup/cleanup
function for the tests, and teaching it about a fake compression
method called "x-zstd:nostatic".
2018-02-06 11:05:07 -05:00
Nick Mathewson
358b609e9d Enable (safe) use of zstd static-only APIs
We'll only use these when the compile-time version and the run-time
version of the zstd library match.  Part of ticket 25162.
2018-02-06 11:05:07 -05:00
Nick Mathewson
22a5d3dd2a remove a redundant semicolon 2018-02-06 08:13:11 -05:00
Isis Lovecruft
7ea9e080c5
protover: Fix memleak in Rust implementation.
* FIXES #25127: https://bugs.torproject.org/25127.
2018-02-06 02:56:16 +00:00
Nick Mathewson
b5a8fd1566 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-05 14:00:50 -05:00
David Goulet
7ce8d5513b Make circuit_log_ancient_one_hop_circuits() ignore established service rendezvous
Services can keep rendezvous circuits for a while so don't log them if tor is
a single onion service.

Fixes #25116

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-05 13:46:43 -05:00
David Goulet
f08fa97460 geoip: Make geoip_client_cache_total_allocation() return the counter
The HT_FOREACH() is insanely heavy on the CPU and this is part of the fast
path so make it return the nice memory size counter we added in
4d812e29b9.

Fixes #25148

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-05 13:38:55 -05:00
Nick Mathewson
e3d4154486 Avoid a malloc/free pair for each (server-side) ntor handshake
Closes ticket 25150
2018-02-05 11:53:33 -05:00
Nick Mathewson
f0d7905bc9 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-05 11:38:58 -05:00
Fernando Fernandez Mancera
60b8e088c3 Add crypto_digest.[ch] to include.am
Included crypto_digest.[ch] into include.am in order to solve a compiling
issue. Also EOF line in crypto_digest.c added.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-03 17:13:04 +01:00
Fernando Fernandez Mancera
61c7ec29f1 Include crypto_digest.h in order to solve dependency issues.
Included crypto_digest.h in some files in order to solve xof+digest module
dependency issues. Removed crypto.h where it isn't needed anymore.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-03 17:04:36 +01:00
Fernando Fernandez Mancera
202d27af71 Add xof functions into crypto_digest.[ch]
Added xof functions and operations into xof+digest module.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-03 17:04:29 +01:00
Fernando Fernandez Mancera
f8b1493681 Refactor crypto.[ch] into smaller xof+digest module.
Add two new files (crypto_digest.c, crypto_digest.h) as new module of
crypto.[ch].  This new module includes all functions and dependencies related
to digest and xof operations. Those have been removed from crypto.[ch].

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-03 15:27:55 +01:00
Deepesh Pathak
1c8f55310f
Rename a verified unverified-consensus to cached-consensus on the disk
- Fixes ticket #4187
- Change the name of a unverified-*consensus to cached-*consensus
on disk when it has been verified.
2018-02-03 06:45:52 +05:30
Nick Mathewson
953c769a86 fuzz: Move init_protocol_warning_severity_level() into global_init()
This is needed so llvm_fuzz will see it too.
2018-02-02 17:42:23 -05:00
David Goulet
78d6cb5870 dos: We can put less token than the current amount
Becasue the circuit creation burst and rate can change at runtime it is
possible that between two refill of a bucket, we end up setting the bucket
value to less than there currently is.

Fixes #25128

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-02 17:04:12 -05:00
Nick Mathewson
3bed8fdb91 Use tt_u64_op() for uint64_t inputs. 2018-02-02 15:23:55 -05:00
Nick Mathewson
eafa252b26 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-02 15:00:35 -05:00
David Goulet
475218c108 Merge branch 'ticket25122_029_02' into ticket24902_029_05 2018-02-02 14:55:01 -05:00
David Goulet
e758d659a0 geoip: Add clientmap_entry_new() function
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-02 14:48:41 -05:00
David Goulet
4d812e29b9 geoip: Increment and decrement functions for the geoip client cache
These functions protect againts over and underflow. They BUG() in case we
overflow the counter.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-02 14:48:41 -05:00
David Goulet
51839f4765 geoip: Hook the client history cache into the OOM handler
If the cache is using 20% of our maximum allowed memory, clean 10% of it. Same
behavior as the HS descriptor cache.

Closes #25122

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-02 14:48:41 -05:00
Nick Mathewson
9e48338a12 Merge branch 'maint-0.3.2' 2018-02-02 12:03:54 -05:00
David Goulet
005e228f80 sched: When releasing a channel, do not BUG() if absent from the pending list
The current code flow makes it that we can release a channel in a PENDING
state but not in the pending list. This happens while the channel is being
processed in the scheduler loop.

Fixes #25125

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-02 12:03:27 -05:00
David Goulet
d40a4e46b6 test: KIST Scheduler unit tests to test the pending list state
This tests many cases of the KIST scheduler with the pending list state by
calling entry point in the scheduler while channels are scheduled or not.

Also, it adds a test for the bug #24700.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-01 17:05:04 -05:00
Nick Mathewson
77634795b0 Merge remote-tracking branch 'dgoulet/bug24700_032_01' into maint-0.3.2 2018-02-01 16:57:57 -05:00
David Goulet
e1a40535ea Merge branch 'bug24700_032_01' into bug24700_033_01 2018-02-01 16:39:04 -05:00
Nick Mathewson
cb5654f300 sched: Use the sched_heap_idx field to double-check our fix for 24700.
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-01 16:00:59 -05:00
Alexander Færøy
a2990081d5
Slightly different wording for error cases around entropy source selection.
This patch makes the wording around error cases for selecting an entropy
source in Tor slightly more verbose. We also let the user know when
something goes wrong that we are trying out a fallback method instead.

See: https://bugs.torproject.org/25120
2018-02-01 21:32:32 +01:00
Nick Mathewson
5516d22a26 Merge remote-tracking branch 'teor/bug25070' 2018-02-01 15:28:25 -05:00
Nick Mathewson
31542cc306 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-01 15:28:17 -05:00
Nick Mathewson
9773cd0f94 Merge branch 'maint-0.3.2' 2018-02-01 15:28:17 -05:00
Nick Mathewson
9cbc40e376 Merge remote-tracking branch 'teor/bug25070_031' into maint-0.3.1 2018-02-01 15:28:11 -05:00
Nick Mathewson
51377a917e Merge branch 'bug24658-rsa_squashed' 2018-02-01 12:10:07 -05:00
Fernando Fernandez Mancera
bdaf7ebc26 Add crypto_rsa.[ch] to include.am
Included crypto_rsa.[ch] into include.am in order to resolve a compiling issue.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-01 12:09:36 -05:00
Fernando Fernandez Mancera
3812319bb1 Tweaks into functions and variables in crypto_rsa.[ch]
crypto_get_rsa_padding_overhead() and crypto_get_rsa_padding() are
not static inline anymore in order to split the crypto_rsa module
from crypto.[ch].

Also included necessary modules in order to solve dependency issues.

Also made two functions in crypto.c use crypto_pk_asn1_encdoe()
instead of reaching into the crypto_pk_t struct.
2018-02-01 12:08:54 -05:00
Fernando Fernandez Mancera
44a9ed7df2 Remove commented functions in crypto module.
OpenSSL never uses these callbacks anymore so the code is disabled.

Fixes #25097.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-01 16:42:30 +01:00
Nick Mathewson
c2757c3774 Remove nodelist_recompute_all_hsdir_indices() as unused.
Closes 25108.
2018-02-01 08:44:47 -05:00
Nick Mathewson
ea8e9f17f5 Revert "Change the sandbox behavior on all failed opens() to EACCES"
This reverts commit 9a06282546.

It appears that I misunderstood how the seccomp2 filter rules
interact.  It appears that `SCMP_ACT_ERRNO()` always takes
precedence over `SCMP_ACT_ALLOW()` -- I had thought instead that
earlier rules would override later ones.  But this change caused bug
25115 (not in any released Tor).
2018-02-01 08:39:38 -05:00
Nick Mathewson
88b146cda5 Merge remote-tracking branch 'dgoulet/bug24469_033_01' 2018-02-01 08:22:44 -05:00
Nick Mathewson
ca85d66217 Merge branch 'maint-0.3.2' 2018-02-01 08:15:09 -05:00
Nick Mathewson
61cb2993dd Merge remote-tracking branch 'dgoulet/bug24975_032_01' into maint-0.3.2 2018-02-01 08:10:34 -05:00
Caio Valente
7884ce76e1 refactor: rename connection_t struct fields.
connection_t.timestamp_lastwritten renamed to
connection_t.timestamp_last_write_allowed

connection_t.timestamp_lastread renamed to
connection_t.timestamp_last_read_allowed

Closes ticket 24714.
2018-02-01 03:12:38 +01:00
Nick Mathewson
d1c2597096 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-01-31 16:17:04 -05:00
Fernando Fernandez Mancera
33d9889a2b channel_tls_get_remote_addr_method now returns real_addr.
The accurate address of a connection is real_addr, not the addr member.
channel_tls_get_remote_addr_method() now returns real_addr instead.

Fixes #24952; bugfix on 707c1e2 in 0.2.4.11-alpha.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-01-31 16:12:13 -05:00
David Goulet
fb93c6fc51 circ: Don't cannibalize a circuit if the guard state is unusable
Tor preemptiely builds circuits and they can be cannibalized later in their
lifetime. A Guard node can become unusable (from our guard state) but we can
still have circuits using that node opened. It is important to not pick those
circuits for any usage through the cannibalization process.

Fixes #24469

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 16:10:48 -05:00
Nick Mathewson
8b0b850efa Merge remote-tracking branch 'public/bug16106_02_nm' 2018-01-31 15:51:58 -05:00
Nick Mathewson
946ebd8419 Obsolete the now-unused MaxTries options. 2018-01-31 15:11:47 -05:00
Nick Mathewson
c0024edd26 Remove two vestigial MaxDownloadTries checks from directory.c
These are no longer meaningful, since there's no longer an upper
limit to how many times (in the exponential-backoff world) one can
retry a download.  download_status_is_ready() didn't check these any
more, and neither do we.
2018-01-31 15:08:46 -05:00
Nick Mathewson
b8ff7407a7 remove the max_failures argument from download_status_is_ready. 2018-01-31 15:03:47 -05:00
Nick Mathewson
a846fd267e Merge branch 'bug23954_squashed' 2018-01-31 14:37:48 -05:00
Nick Mathewson
da778f2921 Use thread-safe types to store the LOG_PROTOCOL_WARN severity
Fixes a race condition; resolves 23954.
2018-01-31 14:37:09 -05:00
Nick Mathewson
98dd3757bf Merge branch 'bug25008' 2018-01-31 14:32:24 -05:00
David Goulet
fbc455cbd2 ns: Add a before and after consensus has changed notification
In 0.3.2.1-alpha, we've added notify_networkstatus_changed() in order to have
a way to notify other subsystems that the consensus just changed. The old and
new consensus are passed to it.

Before this patch, this was done _before_ the new consensus was set globally
(thus NOT accessible by getting the latest consensus). The scheduler
notification was assuming that it was set and select_scheduler() is looking at
the latest consensus to get the parameters it might needs. This was very wrong
because at that point it is still the old consensus set globally.

This commit changes the notify_networkstatus_changed() to be the "before"
function and adds an "after" notification from which the scheduler subsystem
is notified.

Fixes #24975
2018-01-31 14:15:02 -05:00
Nick Mathewson
31f2a8771c Look at the correct protocol for supports_v3_rendezvous_point
Fixes bug 25105; bugfix on 0.3.2.1-alpha.

(This is a backport of bbf2d9cf6b for 0.3.2.)
2018-01-31 14:09:47 -05:00
Nick Mathewson
3d937043c2 Fix a failing unit test.
When we stopped looking at the "protocols" variable directly, we
broke the hs_service/build_update_descriptors test, since it didn't
actually update any of the flags.

The fix here is to call summarize_protover_flags() from that test,
and to expose summarize_protover_flags() as "STATIC" from
routerparse.c.
2018-01-31 14:06:37 -05:00
Nick Mathewson
bbf2d9cf6b Look at the correct protocol for supports_v3_rendezvous_point
Fixes bug 25105; bugfix on 0.3.2.1-alpha.
2018-01-31 14:01:49 -05:00
David Goulet
c85f78e74c Revert "ns: Call notify_networkstatus_changed() after the new consensus is set globally"
This reverts commit 3a247ca92a.
2018-01-31 13:59:05 -05:00
Nick Mathewson
144bf015f8 Document remaining cases for protocol support
For each support flag, document which subprotocol version it requires.
2018-01-31 13:50:04 -05:00
Nick Mathewson
0dc1595d03 Merge branch 'maint-0.3.2' 2018-01-31 13:47:01 -05:00
Nick Mathewson
1c39d969b9 Merge remote-tracking branch 'dgoulet/bug24975_032_01' into maint-0.3.2 2018-01-31 13:46:58 -05:00
David Goulet
adaf3e9b89 sched: Avoid adding the same channel twice to the KIST pending list
This is the quick fix that is keeping the channel in PENDING state so if we
ever try to reschedule the same channel, it won't happened.

Fixes #24700

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 13:46:31 -05:00
Nick Mathewson
2294e330bd Merge branch 'maint-0.3.2' 2018-01-31 12:51:45 -05:00
David Goulet
df312b3cf6 hs-v3: Remove a BUG() when storing a descriptor in the client cache
It is possible in normal circumstances that  a client fetches a descriptor
that has a lower revision counter than the one in its cache. This can happen
due to HSDir desync.

Fixes #24976

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 12:51:42 -05:00
Mike Perry
ac1a78b977 Bug 24769: Reduce and parameterize the max number of cbt circs.
Setting the default for this at 10 and the learning timeout to 3 minutes means
we will complete our cbt learning in 30 minutes, which is under the reduced
padding connection timeout window.
2018-01-31 17:21:53 +00:00
Mike Perry
148c2410af Bug 24769: Reduce and parameterize the cbt learning idle timeout.
This is only half of the changes needed. We should also parameterize the
number of concurrent cbt learning circuits in needs_circuits_for_build().
2018-01-31 17:21:53 +00:00
David Goulet
3a247ca92a ns: Call notify_networkstatus_changed() after the new consensus is set globally
In 0.3.2.1-alpha, we've added this function in order to have a way to notify
other subsystems that the consensus just changed. The old consensus and the
new one are passed to it.

Before this patch, this was done _before_ the new consensus was set globally
(thus NOT accessible by getting the latest consensus). The scheduler
notification was assuming that it was set and select_scheduler() is looking at
the latest consensus to get the parameters it might needs. This was very wrong
because at that point it is still the old consensus set globally.

With this commit, notify_networkstatus_changed() has been moved _after_ the
new consensus is set globally. The main obvious reasons is to fix the bug
described above and in #24975. The other reason is that this notify function
doesn't return anything which could be allowing the possibility of refusing to
set the new consensus on error. In other words, the new consensus is set right
after the notification whatever happens.

It does no harm or change in behavior to set the new consensus first and then
notify the subsystems. The two functions currently used are for the control
port using the old and new consensus and sending the diff. The second is the
scheduler that needs the new consensus to be set globally before being called.

Of course, the function has been documented accordinly to clearly state it is
done _after_ the new consensus is set.

Fixes #24975

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 11:21:18 -05:00
Nick Mathewson
1e81aaa62f Merge branch 'maint-0.3.2' 2018-01-31 10:06:49 -05:00
Nick Mathewson
9bfb6fe395 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-31 10:06:49 -05:00
Nick Mathewson
5fc0437e74 But in most Earth cultures, there are 60s in a minute. 2018-01-31 10:06:43 -05:00
Nick Mathewson
8b162443b9 Merge branch 'maint-0.3.2' 2018-01-31 10:01:13 -05:00
Nick Mathewson
cb90defba6 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-31 10:01:13 -05:00
Nick Mathewson
86e6cb6409 add a rate-limit. 2018-01-31 10:01:10 -05:00
Nick Mathewson
69e242f845 Merge branch 'maint-0.3.2' 2018-01-31 09:50:24 -05:00
Nick Mathewson
e81896adda Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-31 09:50:24 -05:00
Nick Mathewson
914ec372a9 Merge branch 'bug24927' 2018-01-31 09:47:36 -05:00
Nick Mathewson
80c8689be1 Merge remote-tracking branch 'public/ticket24849_032' 2018-01-31 09:38:24 -05:00
Nick Mathewson
94878cf1ea Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-01-31 09:35:07 -05:00
teor
1f4a73133c test: Add unit tests for overflows and underflows in cc_stats_refill_bucket
Closes #25094.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 09:27:59 -05:00
teor
a09d5f5735 dos: Make sure cc_stats_refill_bucket can't overflow while calculating
Debug log the elapsed time in cc_stats_refill_bucket

Part of #25094.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 09:27:59 -05:00
Nick Mathewson
c0447033f5 Merge branch 'maint-0.3.2' 2018-01-31 09:19:55 -05:00
teor
b45ae1b002 test: Remove a redundant round from test_dos_bucket_refill
This round is left over from the tenths of a second code.

Part of #25094.
2018-01-31 09:19:39 -05:00
Roger Dingledine
3d9dcb49eb count flushing as channel activity
Stop adding unneeded channel padding right after we finish flushing
to a connection that has been trying to flush for many seconds.
Instead, treat all partial or complete flushes as activity on the
channel, which will defer the time until we need to add padding.

This fix should resolve confusing and scary log messages like
"Channel padding timeout scheduled 221453ms in the past."

Fixes bug 22212; bugfix on 0.3.1.1-alpha.

I think technically we could resolve bug 22212 by adding a call to
channel_timestamp_active() only in the finished_flushing case. But I added
a call in the flushed_some case too since that seems to more accurately
reflect the notion of "active".
2018-01-31 05:26:06 -05:00
Caio Valente
a4c8531260 refactor: using get_uptime() (and reset_uptime()) consistently.
Using get_uptime() and reset_uptime() instead of
accessing stats_n_seconds_working directly.

stats_n_seconds_working is not extern anymore.

Ticket #25081
2018-01-31 02:36:38 +01:00
Nick Mathewson
d2ae1bfcb3 remove a redundant semicolon 2018-01-30 18:11:16 -05:00
David Goulet
cd81403cc0 Merge branch 'ticket24902_029_05' into ticket24902_033_02 2018-01-30 09:33:12 -05:00
David Goulet
e58a4fc6cf dos: Make circuit rate limit per second, not tenths anymore
Because this touches too many commits at once, it is made into one single
commit.

Remove the use of "tenths" for the circuit rate to simplify things. We can
only refill the buckets at best once every second because of the use of
approx_time() and our token system is set to be 1 token = 1 circuit so make
the rate a flat integer of circuit per second.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
George Kadianakis
c3c2b55dec test: Add unit tests for the DoS subsystem
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
82de4ea900 dos: Clear connection tracked flag if geoip entry is removed
Imagine this scenario. We had 10 connections over the 24h lifetime of a geoip
cache entry. The lifetime of the entry has been reached so it is about to get
freed but 2 connections remain for it. After the free, a third connection
comes in thus making us create a new geoip entry for that address matching the
2 previous ones that are still alive. If they end up being closed, we'll have
a concurrent count desynch from what the reality is.

To mitigate this probably very rare scenario in practice, when we free a geoip
entry and it has a concurrent count above 0, we'll go over all connections
matching the address and clear out the tracked flag. So once they are closed,
we don't try to decrement the count.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
14a8b87852 dos: Add a heartbeat log
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
36a0ae151f dos: Add the DoSRefuseSingleHopClientRendezvous option
This option refuses any ESTABLISH_RENDEZVOUS cell arriving from a client
connection. Its default value is "auto" for which we can turn it on or off
with a consensus parameter. Default value is 0.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
acf7ea77d8 dos: Add the connection DoS mitigation subsystem
Defend against an address that has reached the concurrent connection count
threshold.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
1bfc91a029 dos: Apply defense for circuit creation DoS
If the client address was detected as malicious, apply a defense which is at
this commit to return a DESTROY cell.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
97abb3543b dos: Detect circuit creation denial of service
Add a function that notifies the DoS subsystem that a new CREATE cell has
arrived. The statistics are updated accordingly and the IP address can also be
marked as malicious if it is above threshold.

At this commit, no defense is applied, just detection with a circuit creation
token bucket system.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
c05272783d dos: Track new and closed OR client connections
Implement a basic connection tracking that counts the number of concurrent
connections when they open and close.

This commit also adds the circuit creation mitigation data structure that will
be needed at later commit to keep track of the circuit rate.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
51fda85c23 geoip: Remember client stats if DoS mitigation is enabled
Make the geoip cache track client address if the DoS subsystem is enabled.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
64149353dd dos: Initial code of Denial of Service mitigation
This commit introduces the src/or/dos.{c|h} files that contains the code for
the Denial of Service mitigation subsystem. It currently contains basic
functions to initialize and free the subsystem. They are used at this commit.

The torrc options and consensus parameters are defined at this commit and
getters are implemented.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
teor
8bb79ca4a7
Add unit tests for supported protocols
Prevents future regressions like #25070.
2018-01-30 02:20:30 +11:00
teor
b67f010678
Add Link protocol version 5 to the supported protocols list in protover.rs
And fix the unsupported protover example so it uses a Link protover much
higher than 5.

Part of  #25070, bugfix on 0.3.3.1-alpha, which introduced the protover crate.
2018-01-30 02:18:57 +11:00
teor
a8e5e3a492
Add Link protocol version 5 to the supported protocols list in protover.c
Part of #25070, bugfix on 0.3.1.1-alpha.
2018-01-30 01:56:50 +11:00
teor
7a701f2603
Add Link protocol version 5 to the supported protocols list in protover.c
Part of #25070, bugfix on 0.3.1.1-alpha.
2018-01-30 01:51:03 +11:00
Corey Farwell
124caf28e6 Wrap types in protover.rs.
https://trac.torproject.org/projects/tor/ticket/24030

Introduce new wrapper types:

- `SupportedProtocols`
- `Versions`

Introduce a type alias:

- `Version` (`u32`)
2018-01-29 07:30:51 -05:00
Nick Mathewson
75d4bd3497 Improve log when unable to add sigs to pending consensus
Closes ticket 24849.
2018-01-26 14:19:59 -05:00
Nick Mathewson
ee5c624beb When a tor_cert_T check fails, log the reason why.
Diagnostic attempt for 24972.
2018-01-26 13:55:25 -05:00
Nick Mathewson
0755bcc36a Remove a needless (always-true) check.
Also add an assertion and rename a variable.

Closes ticekt 24927.
2018-01-26 13:35:00 -05:00
Nick Mathewson
9c2bc441f8 If out-of-disk when saving a consensus cache entry, don't BUG.
Just warn instead.

Fixes bug 24859.
2018-01-26 13:14:14 -05:00
Nick Mathewson
aedcb1644d Improve the keypin-loading log message to be a bit less scary. 2018-01-26 12:39:38 -05:00
Nick Mathewson
9a06282546 Change the sandbox behavior on all failed opens() to EACCES
Previously, most disallowed open(O_RDONLY) attempts would EACCES,
but others would fail with a crash.
2018-01-26 12:18:43 -05:00
Nick Mathewson
6ed384b827 Use tor_addr_from_getsockname() in several places
I'm leaving the getsockname code in transproxy alone, since it is
comparatively isolated, rather platform-specific, and hard to test.

Implements 18105.
2018-01-26 12:08:15 -05:00
Nick Mathewson
2a7bfec364 Add a new tor_addr_from_getsockname()
We use this pattern all over, and this should simplify matters a
bit.  Part of 18105.
2018-01-26 12:07:37 -05:00
Fernando Fernandez Mancera
54783b4c22 Refactor crypto.[ch] into smaller RSA module.
Add two new files (crypto_rsa.c, crypto_rsa.h) as new module of crypto.[ch].
This new module includes all functions and dependencies related to RSA
operations. Those have been removed from crypto.[ch].

All new changes related to RSA operations must be done in these files.

Follows #24658

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-01-26 13:09:52 +01:00
Nick Mathewson
5b55e15707 Remove all the old max_delay logic.
We had tests for it, but it was always INT_MAX.
2018-01-25 16:05:20 -05:00
Nick Mathewson
bf74194f57 fixup! Remove the old ("deterministic") download schedule.
Un-indent a block.

I'm doing this as a separate fixup commit to make review simpler.
2018-01-25 15:52:33 -05:00
Nick Mathewson
e0049ef022 Remove the old ("deterministic") download schedule.
We haven't meant to use it since we introduced the random
exponential schedule.

Closes ticket 23814.
2018-01-25 15:51:13 -05:00
David Goulet
93b826faaa geoip: Add a lookup function for client map entry
The upcoming DoS mitigation subsytem needs to keep information on a per-IP
basis which is also what the geoip clientmap does.

For another subsystem to access that clientmap, this commit adds a lookup
function that returns the entry. For this, the clientmap_entry_t had to be
moved to the header file.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-25 15:44:48 -05:00
Nick Mathewson
91c63aae84 In relay_digest_matches(), use stack instead of heap.
We'd been using crypto_digest_dup() and crypto_digest_assign() here,
but they aren't necessary.  Instead we can just use the stack to
store the previous state of the SHA_CTX and avoid a malloc/free pair.

Closes ticket 24914.
2018-01-25 13:59:55 -05:00
Nick Mathewson
b1fc383bdb Bump version to 0.3.3.1-alpha-dev 2018-01-25 13:50:55 -05:00
Nick Mathewson
25a1183fbe bump version to 0.3.3.1-alpha 2018-01-25 11:48:42 -05:00
Fernando Fernandez Mancera
5ea993fa5a Clarify directory and ORPort checking functions.
In order to make the OR and dir checking functions in router.c less confusing
we renamed some functions and splitted consider_testing_reachability() into
router_should_check_reachability() and router_do_reachability_checks(). Also we
improved the documentation.

Fixes #18918.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-01-24 20:19:24 +01:00
Nick Mathewson
7e504515b3 Always look at the subprotocol versions summary flags
Previously, we wouldn't do this when running with a routerinfo_t in
some cases, leading to many needless calls to the protover module.

This change also cleans up the code in nodelist.c a bit.

Fixes bug 25008; bugfix on 0.2.9.4-alpha.
2018-01-24 13:53:56 -05:00
Nick Mathewson
92496a739a Also cache the protover summary in the routerinfo_t, if we're using that 2018-01-24 13:53:56 -05:00
Nick Mathewson
7792be2d44 Extract code to summarize protocol versions into new function
This will let us put this summary into routerinfo_t too.

No behavior change.
2018-01-24 13:53:55 -05:00
Nick Mathewson
d9fbd34f42 Extract protover summary flags into a new structure
This will let us use them on routerinfo_t as well as on
routerstatus_t, and save some time on relays.

No behavioral changes here.
2018-01-24 13:53:55 -05:00
Nick Mathewson
fd8ee1d7c3 Merge branch 'maint-0.3.2' 2018-01-24 12:09:07 -05:00
Nick Mathewson
2484d1eb35 Fix a memory leak in build_unopened_fourhop
This is a unit-test-only leak, but let's fix it anyway so it doesn't
hide real bugs.

Bug not in any released version of Tor.
2018-01-24 12:08:39 -05:00
Nick Mathewson
6ba2881aec Fix a memory leak in scheduler/loop_kist
Fixes bug 25005.
2018-01-24 12:07:45 -05:00
Taylor Yu
37f26aa470 Add missing static keywords
crypto_openssl_header_version_str and crypto_openssl_version_str in
crypto_openssl_mgt.c should be static.
2018-01-23 16:01:26 -06:00
Nick Mathewson
23473f5e74 openssl_mutexes code belongs in openssl_mgt.c 2018-01-23 14:43:06 -05:00
Nick Mathewson
fa694f5af3 add a missing "compat_openssl.h" 2018-01-23 14:41:46 -05:00
Nick Mathewson
a172f02dfb perhaps this was the missing include? 2018-01-23 14:19:25 -05:00
Nick Mathewson
a34629fa28 Add a missing include for openssl 1.0.2 2018-01-23 14:16:53 -05:00
Nick Mathewson
6f4ee6e5e7 Merge remote-tracking branch 'mikeperry/bug24946' 2018-01-23 14:08:47 -05:00
Nick Mathewson
58f4aee90b Merge remote-tracking branch 'asn/bug24896' 2018-01-23 14:06:27 -05:00
Nick Mathewson
13a2acba3c Merge remote-tracking branch 'ffmancera/bug24658-openssl' 2018-01-23 14:02:45 -05:00
Nick Mathewson
0dbe3ddc33 Make Tor support TLS1.3 ciphers with OpenSSL 1.1.1
Without this patch, not only will TLS1.3 not work with Tor, but
OpenSSL 1.1.1 with TLS1.3 enabled won't build any connections at
all: It requires that either TLS1.3 be disabled, or some TLS1.3
ciphersuites be listed.

Closes ticket 24978.
2018-01-23 09:23:21 -05:00
George Kadianakis
17daab76b8 Add onion service activity information to our heartbeat logs. 2018-01-23 12:31:06 +02:00
Chelsea Holland Komlo
d0184963f9 fixups from code review 2018-01-22 18:33:22 -05:00
Fernando Fernandez Mancera
f2fca51976 Move the openssl namespace back into .c files.
As we're trying not to have all the other modules in Tor, we moved the openssl
namespace includes back into crypto.c and crypto_openssl_mgt.c files.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-01-22 16:48:33 +01:00
Mike Perry
db5b670d85 Bug 24946: Fix a warning message caused by a missed purpose check.
Also fix three other checks (found by inspection of all
CIRCUIT_PURPOSE_C_GENERAL occurrences).
2018-01-20 03:18:31 +00:00
Roger Dingledine
48a51c5f8b oxford comma for-the-win 2018-01-19 18:42:53 -05:00
Nick Mathewson
ef148638a1 Add a "falls through" comment to make gcc happy. 2018-01-19 17:29:36 -05:00
Nick Mathewson
1bcbb1bb0b Merge remote-tracking branch 'mikeperry/bug23101-mergeready-squashed' 2018-01-19 17:28:10 -05:00
Mike Perry
489628a7e4 Bug 23101: Pre-build HS-specific circuits (instead of general).
Prebuilt circs are 4 hops, since only server side HSDIR and intro circs
are 3 hops, and it is OK if those sometimes take longer to build.
2018-01-19 22:21:49 +00:00
Mike Perry
86ee771c28 Add new circuit purposes for hsdir activity.
This lets us control their path len and usage.
2018-01-19 22:21:48 +00:00
Mike Perry
20a3f61105 Implement layer 2 and layer 3 guard pinning via torrc.
Block circuit canibalization when HSRendezvousMiddleNodes is active.
Also make it apply to all HS circuits, not just rends.
2018-01-19 22:21:48 +00:00
Nick Mathewson
edd427a8ba Merge branch 'disable_signal_handlers' 2018-01-19 16:35:24 -05:00
Nick Mathewson
df4d5ebb7d Merge branch 'maint-0.3.2' 2018-01-19 16:30:53 -05:00
David Goulet
f870f9c8bc Merge branch 'bug24895_031_02' into bug24895_032_02 2018-01-19 16:26:26 -05:00
David Goulet
f98f7ca898 Merge branch 'bug24895_029_02' into bug24895_031_02 2018-01-19 16:21:55 -05:00
Roger Dingledine
490ae26b24 hs: Use hs_service_max_rdv_failures consensus param, defaulting to 2 2018-01-19 16:13:54 -05:00
Fernando Fernandez Mancera
5cd74b4884 Add crypto_openssl_mgt.[ch] for compiling dependencies.
Included crypto_openssl_mgt.[ch] into the appropiate files in order to resolve
compiling and dependencies issues.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2018-01-19 18:56:13 +01:00
Fernando Fernandez Mancera
b3aa7be26c Tweaks into functions and variables in crypto_openssl_mgt.[ch]
Renamed free_openssl() to crypto_openssl_free_all(). Also we made variables and
functions static again.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2018-01-19 18:07:49 +01:00
Nick Mathewson
65a27d95e7 Improve documentation for signal code 2018-01-19 10:02:20 -05:00
Nick Mathewson
2c9e0a286c Merge branch 'restart_debug_squashed' 2018-01-19 09:52:14 -05:00
Nick Mathewson
97d9ba2380 Add a mostly disabled feature to debug restarting in-process
For 23847, we want Tor to be able to shut down and then restart in
the same process.  Here's a patch to make the Tor binary do that.
To test it, you need to build with --enable-restart-debugging, and
then you need to set the environment variable TOR_DEBUG_RESTART.
With this option, Tor will then run for 5 seconds, then restart
itself in-process without exiting.  This only happens once.

You can change the 5-second interval using
TOR_DEBUG_RESTART_AFTER_SECONDS.

Implements ticket 24583.
2018-01-19 09:52:05 -05:00
Nick Mathewson
e7907f15f9 Don't call Libevent's event_base_free() on NULL.
It doesn't crash, but it produces a warning.

Fixes bug 24933; bugfix on 322abc030e. Bug
not in any released Tor.
2018-01-19 09:45:10 -05:00
Roger Dingledine
cc5a9e9667 turn MAX_REND_FAILURES into a function
no actual changes in behavior
2018-01-19 02:38:07 -05:00
Roger Dingledine
a15eb9ff43 MAX_REND_FAILURES is 1, but we would try three times
Fix an "off by 2" error in counting rendezvous failures on the onion
service side.

While we thought we would stop the rendezvous attempt after one failed
circuit, we were actually making three circuit attempts before giving up.

Fixes bug 24895; bugfix on 0.0.6.
2018-01-19 02:28:55 -05:00