Commit Graph

1688 Commits

Author SHA1 Message Date
Alexander Færøy
853b54dea4 Add periodic timer for expiring old onion keys.
This patch adds a new timer that is executed when it is time to expire
our current set of old onion keys. Because of proposal #274 this can no
longer be assumed to be at the same time we rotate our onion keys since
they will be updated less frequently.

See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Alexander Færøy
23ae5b655b Make MIN_ONION_KEY_LIFETIME a consensus parameter defined value.
This patch turns `MIN_ONION_KEY_LIFETIME` into a new function
`get_onion_key_lifetime()` which gets its value from a network consensus
parameter named "onion-key-rotation-days". This allows us to tune the
value at a later point in time with no code modifications.

We also bump the default onion key lifetime from 7 to 28 days as per
proposal #274.

See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Nick Mathewson
7505f452c8 Run the copyright update script. 2017-03-15 16:13:17 -04:00
George Kadianakis
931948ac6a Prevent SRV assert when called from misconfigured bridge auth. 2017-03-01 15:56:29 +02:00
Nick Mathewson
6777cd0a84 Merge remote-tracking branch 'public/bug21356_029' 2017-02-02 09:03:13 -05:00
Nick Mathewson
d183ec231b Call monotime_init() earlier.
We need to call it before nt_service_parse_options(), since
nt_service_parse_options() can call back into nt_service_main(),
which calls do_main_loop().

Fixes bug 21356; bugfix on 0.2.9.1-alpha.
2017-01-31 13:02:49 -05:00
Chelsea H. Komlo
655ffeadd5 comment fixups 2017-01-08 13:14:56 -05:00
Nick Mathewson
2cee38f76a Merge branch 'prop271_030_v1_squashed' 2016-12-16 11:20:59 -05:00
Nick Mathewson
404e9e5611 Have multiple guard contexts we can switch between.
Currently, this code doesn't actually have the contexts behave
differently, (except for the legacy context), but it does switch
back and forth between them nicely.
2016-12-16 11:06:18 -05:00
Nick Mathewson
2ea5aa7182 Expire circuits that have been WAITING_FOR_BETTER_GUARD too long
(This is required by 3.9 in prop271, but is better done as a
separate function IMO)
2016-12-16 11:06:16 -05:00
Nick Mathewson
897626953b Rebuild the guard lists as appropriate on torrc change.
(Also, prepare to tie guard changes into the mark-all-old-circuits
logic.)
2016-12-16 11:06:15 -05:00
Nick Mathewson
c838d34921 Merge branch 'dgoulet_ticket19043_030_03_squashed' 2016-12-14 15:28:28 -05:00
George Kadianakis
9192e5928c prop224 prepwork: Use of HS circuitmap in existing HS code.
The new HS circuitmap API replaces old public functions as follows:
   circuit_clear_rend_token -> hs_circuitmap_remove_circuit
   circuit_get_rendezvous -> hs_circuitmap_get_rend_circ
   circuit_get_intro_point -> hs_circuitmap_get_intro_circ_v2
   circuit_set_rendezvous_cookie -> hs_circuitmap_register_rend_circ
   circuit_set_intro_point_digest -> hs_circuitmap_register_intro_circ_v2

This commit also removes the old rendinfo code that is now unused.
It also fixes the broken rendinfo unittests.
2016-12-14 15:17:58 -05:00
Nick Mathewson
6aa239df36 Rename connection_or_remove_from_identity_map 2016-12-08 16:47:57 -05:00
Nick Mathewson
a20c8a81d7 Migrate main data loop for set_bad_connections to use channel structures
This was the last user of our or_connections-by-ID map.  It also had
a tendency to be O(N) in cases that only had to be O(1).
2016-12-08 16:47:57 -05:00
Nick Mathewson
dbbaa51518 Use the new guard notification/selection APIs throughout Tor
This patch doesn't cover every case; omitted cases are marked with
"XXXX prop271", as usual.  It leaves both the old interface and the
new interface for guard status notification, since they don't
actually work in the same way: the new API wants to be told when a
circuit has failed or succeeded, whereas the old API wants to know
when a channel has failed or succeeded.

I ran into some trouble with directory guard stuff, since when we
pick the directory guard, we don't actually have a circuit to
associate it with.  I solved that by allowing guard states to be
associated with directory connections, not just circuits.
2016-11-30 14:42:53 -05:00
Nick Mathewson
8da24c99bd Split bridge functions into a new module.
This patch is just:
   * Code movement
   * Adding headers here and there as needed
   * Adding a bridges_free_all() with a call to it.

It breaks compilation, since the bridge code needed to make exactly
2 calls into entrynodes.c internals.  I'll fix those in the next
commit.
2016-11-30 14:42:52 -05:00
Nick Mathewson
c35c43d7d9 Merge branch 'ticket17238_029_02-resquash'
Conflicts:
	src/or/rendclient.c
	src/or/rendcommon.c
	src/or/routerparse.c
	src/test/test_dir.c
	src/trunnel/ed25519_cert.h
2016-11-04 13:26:37 -04:00
David Goulet
1eed6edf36 prop224: Add a cache free all function
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-11-04 10:32:50 -04:00
David Goulet
025610612d prop224: Directory cache support
This implements the proposal 224 directory descriptor cache store and lookup
functionalities. Furthermore, it merges the OOM call for the HSDir cache with
current protocol v2 and the new upcoming v3.

Add hs_cache.{c|h} with store/lookup API.

Closes #18572

Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: George Kadianakis <desnacked@riseup.net>
2016-11-04 10:31:35 -04:00
Nick Mathewson
272572c3a2 Merge branch 'maint-0.2.9' 2016-11-03 15:45:16 -04:00
Nick Mathewson
3cd520a52d Merge branch 'maint-0.2.8' into maint-0.2.9 2016-11-03 15:44:46 -04:00
Nick Mathewson
b2f82d45b7 Always call connection_ap_attach_pending() once a second.
Fixes bug 19969; bugfix on b1d56fc58.  We can fix this some more in
later Tors, but for now, this is probably the simplest fix possible.

This is a belt-and-suspenders fix, where the earlier fix ("Ask
event_base_loop to finish when we add a pending stream") aims to respond
to new streams as soon as they arrive, and this one aims to make sure
that we definitely respond to all of the streams.
2016-11-01 20:09:44 -04:00
Roger Dingledine
28b755e660 refactor out the tor_event_base_loopexit() call
no actual changes
2016-11-01 19:52:54 -04:00
Nick Mathewson
dc79504e2a Document main.c a lot better 2016-10-27 10:25:26 -04:00
Nick Mathewson
97337844b7 Merge branch 'protover_v2_squashed' 2016-09-26 11:00:08 -07:00
Nick Mathewson
b2b2e1c7f2 checkpoint basic protover backend 2016-09-26 10:56:48 -07:00
teor
07d32d2e68 Remove a duplicate non-anonymous warning log message
We log this message every time we validate tor's options.
There's no need to log a duplicate in main() as well.

(It is impossible to run main() without validating our options.)
2016-09-13 10:13:56 -04:00
teor (Tim Wilson-Brown)
831cf6d1d8 Refactor crypto init to use existing options variable 2016-09-13 10:13:56 -04:00
teor (Tim Wilson-Brown)
b560f852f2 Implement Prop #260: Single Onion Services
Add experimental OnionServiceSingleHopMode and
OnionServiceNonAnonymousMode options. When both are set to 1, every
hidden service on a tor instance becomes a non-anonymous Single Onion
Service. Single Onions make one-hop (direct) connections to their
introduction and renzedvous points. One-hop circuits make Single Onion
servers easily locatable, but clients remain location-anonymous.
This is compatible with the existing hidden service implementation, and
works on the current tor network without any changes to older relays or
clients.

Implements proposal #260, completes ticket #17178. Patch by teor & asn.

squash! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Implement Prop #260: Single Onion Services

Redesign single onion service poisoning.

When in OnionServiceSingleHopMode, each hidden service key is poisoned
(marked as non-anonymous) on creation by creating a poison file in the
hidden service directory.

Existing keys are considered non-anonymous if this file exists, and
anonymous if it does not.

Tor refuses to launch in OnionServiceSingleHopMode if any existing keys
are anonymous. Similarly, it refuses to launch in anonymous client mode
if any existing keys are non-anonymous.

Rewrite the unit tests to match and be more comprehensive.
Adds a bonus unit test for rend_service_load_all_keys().
2016-09-13 10:10:54 -04:00
Nick Mathewson
1dfa2213a4 Merge remote-tracking branch 'andrea/ticket18640_v3' 2016-08-25 14:29:06 -04:00
Andrea Shepard
3efe92ba58 Consider the case that a connection doesn't have a valid socket during OOS 2016-08-20 03:57:32 +00:00
Andrea Shepard
1a7709d409 Add connection_is_moribund() inline 2016-08-20 03:34:16 +00:00
Andrea Shepard
a403230fe3 Use SMARTLIST_FOREACH in connection_count_moribund() per code review 2016-08-20 03:12:58 +00:00
Andrea Shepard
d65f030915 Unit test for pick_oos_victims() 2016-08-20 01:43:52 +00:00
Andrea Shepard
26c2ded00c Unit test for connection_handle_oos() 2016-08-20 01:43:51 +00:00
Andrea Shepard
2bc19171ef Implement connection_count_moribund() for OOS handler 2016-08-20 01:43:50 +00:00
Daniel Pinto
3d6ae798cf Fixes inconsistent version prefix in log messages.
Fixes #15381.
2016-08-16 17:22:16 +01:00
Nick Mathewson
7f145b54af Merge remote-tracking branch 'public/Fix_19450' 2016-08-12 16:11:28 -04:00
Andrea Shepard
09a0f2d0b2 Eliminate redundant hourly reset of descriptor download failures 2016-08-10 03:34:54 +00:00
Nick Mathewson
4d4ccc505b Search for remaining references to 'bufferevent'.
Remove or adjust as appropriate.
2016-08-02 13:59:47 -04:00
Nick Mathewson
c68a23a135 Bufferevent removal: remove HAS_BUFFEREVENT macros and usage
This is another way that we had bufferevents-only code marked.
2016-08-02 13:15:10 -04:00
Nick Mathewson
8e9a6543e1 More bufferevent removal: bev_str is no longer needed in tor_init 2016-08-02 13:08:00 -04:00
Nick Mathewson
1e3cf1cc83 Be sure to call monotime_init() at startup. 2016-07-19 11:40:47 +02:00
U+039b
c735220a0b
Remove bufferevents dead code
Signed-off-by: U+039b <*@0x39b.fr>
2016-07-14 18:46:37 +02:00
Nick Mathewson
466259eb50 Merge remote-tracking branch 'sebastian/libevent2' 2016-07-08 09:57:31 -04:00
Nick Mathewson
78196c8822 Merge remote-tracking branch 'teor/bug18456' 2016-07-05 19:10:08 -04:00
Nick Mathewson
8cae4abbac Merge branch 'maint-0.2.8' 2016-07-05 12:43:17 -04:00
Sebastian Hahn
265e40b481 Raise libevent dependency to 2.0.10-stable or newer
Only some very ancient distributions don't ship with Libevent 2 anymore,
even the oldest supported Ubuntu LTS version has it. This allows us to
get rid of a lot of compat code.
2016-07-04 12:40:09 +02:00
Peter Palfrader
55d380f3df sandboxing: allow writing to stats/hidserv-stats
Our sandboxing code would not allow us to write to stats/hidserv-stats,
causing tor to abort while trying to write stats.  This was previously
masked by bug#19556.
2016-07-03 18:05:43 +02:00
Peter Palfrader
2c4e78d95b sandboxing: allow open() of stats dir
When sandboxing is enabled, we could not write any stats to disk.
check_or_create_data_subdir("stats"), which prepares the private stats
directory, calls check_private_dir(), which also opens and not just stats() the
directory.  Therefore, we need to also allow open() for the stats dir in our
sandboxing setup.
2016-07-03 17:47:45 +02:00
Nick Mathewson
aaa3129043 Merge remote-tracking branch 'dgoulet/ticket16943_029_05-squashed'
Trivial Conflicts:
	src/or/or.h
	src/or/routerparse.c
2016-07-01 15:29:05 -04:00
David Goulet
727d419a9d prop250: Initialize the SR subsystem and us it!
This commit makes it that tor now uses the shared random protocol by
initializing the subsystem.

Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: George Kadianakis <desnacked@riseup.net>
2016-07-01 14:01:41 -04:00
teor (Tim Wilson-Brown)
514f0041d1
Avoid disclosing exit IP addresses in exit policies by default
From 0.2.7.2-alpha onwards, Exits would reject all the IP addresses
they knew about in their exit policy. But this may have disclosed
addresses that were otherwise unlisted.

Now, only advertised addresses are rejected by default by
ExitPolicyRejectPrivate. All known addresses are only rejected when
ExitPolicyRejectLocalInterfaces is explicitly set to 1.
2016-07-01 15:37:13 +10:00
Andrea Shepard
38cced90ef Move unparseable descriptor dumps into subdirectory of DataDir 2016-06-30 07:03:25 +00:00
Andrea Shepard
1cde3e2776 Add multiple descriptor dump support for dump_desc() in routerparse.c; fixes bug 18322 2016-06-30 07:03:24 +00:00
Nick Mathewson
dd9cebf109 Merge branch 'maint-0.2.8' 2016-06-21 08:54:49 -04:00
George Kadianakis
f038e9cb00 Fix bug when disabling heartbeats.
Callbacks can't return 0.
2016-06-21 08:54:30 -04:00
Nick Mathewson
d6b2af7a3a Merge branch 'bug19180_easy_squashed' 2016-06-11 10:15:40 -04:00
Nick Mathewson
53a3b39da1 Add -Wmissing-variable-declarations, with attendant fixes
This is a big-ish patch, but it's very straightforward.  Under this
clang warning, we're not actually allowed to have a global variable
without a previous extern declaration for it.  The cases where we
violated this rule fall into three roughly equal groups:
  * Stuff that should have been static.
  * Stuff that was global but where the extern was local to some
    other C file.
  * Stuff that was only global when built for the unit tests, that
    needed a conditional extern in the headers.

The first two were IMO genuine problems; the last is a wart of how
we build tests.
2016-06-11 10:11:54 -04:00
Nick Mathewson
4f1a04ff9c Replace nearly all XXX0vv comments with smarter ones
So, back long ago, XXX012 meant, "before Tor 0.1.2 is released, we
had better revisit this comment and fix it!"

But we have a huge pile of such comments accumulated for a large
number of released versions!  Not cool.

So, here's what I tried to do:

  * 0.2.9 and 0.2.8 are retained, since those are not yet released.

  * XXX+ or XXX++ or XXX++++ or whatever means, "This one looks
    quite important!"

  * The others, after one-by-one examination, are downgraded to
    plain old XXX.  Which doesn't mean they aren't a problem -- just
    that they cannot possibly be a release-blocking problem.
2016-05-30 16:18:16 -04:00
Nick Mathewson
d718c717a6 Merge branch 'maint-0.2.8' 2016-05-19 08:25:12 -04:00
Nick Mathewson
9f217c83b0 Merge branch 'bug18809_028_squashed' into maint-0.2.8 2016-05-19 08:17:02 -04:00
Nick Mathewson
6382cd93cb Merge branch 'maint-0.2.8' 2016-05-17 11:10:20 -04:00
Roger Dingledine
06031b441e touchups and refactorings on bug 18616 branch
no behavior changes
2016-05-16 17:43:47 -04:00
Roger Dingledine
a7665df2f8 close other consensus fetches when we get a consensus
not once per second, and only do it when a consensus arrives
2016-05-09 14:41:14 -04:00
Roger Dingledine
ce8266d52d fix typos/etc before i go nuts on #18809 2016-05-09 14:40:21 -04:00
Nick Mathewson
0e354ad459 Merge branch 'assert_nonfatal_squashed' 2016-04-14 16:25:21 -04:00
Nick Mathewson
a885271c08 Add new tor_assert_nonfatal*() macros.
Unlike tor_assert(), these macros don't abort the process.  They're
good for checking conditions we want to warn about, but which don't
warrant a full crash.

This commit also changes the default implementation for
tor_fragile_assert() to tor_assert_nonfatal_unreached_once().

Closes ticket 18613.
2016-04-14 16:24:28 -04:00
Roger Dingledine
525307c0ea fix typos/etc before i go nuts on #18809 2016-04-13 00:06:30 -04:00
Nick Mathewson
68e663f777 Fix memory leaks that stopped chutney working with asan 2016-03-28 10:24:28 -04:00
Nick Mathewson
dd572dac34 Fix all doxygen warnings (other than missing docs) 2016-03-26 09:53:12 -04:00
teor (Tim Wilson-Brown)
6057fb2f5b Clarify excess consensus connection cleanup by adding comments
Comment-only change
2016-03-26 08:16:33 -04:00
Nick Mathewson
ca8423a703 Merge remote-tracking branch 'public/bug18253' 2016-03-22 10:08:50 -04:00
Nick Mathewson
368825ff45 Sandbox: Don't preseed getaddrinfo(gethostname()) in client mode.
If we're a server with no address configured, resolve_my_hostname
will need this.  But not otherwise.  And the preseeding itself can
consume a few seconds if like tails we have no resolvers.

Fixes bug 18548.
2016-03-15 11:19:59 -04:00
Nick Mathewson
b48f8a8114 Fix whitespace. 2016-03-15 09:21:29 -04:00
Nick Mathewson
dd7c999617 Make unix sockets work with the linux seccomp2 sandbox again
I didn't want to grant blanket permissions for chmod() and chown(),
so here's what I had to do:
   * Grant open() on all parent directories of a unix socket
   * Write code to allow chmod() and chown() on a given file only.
   * Grant chmod() and chown() on the unix socket.
2016-03-14 14:07:02 -04:00
Nick Mathewson
a64be7eaa9 Merge remote-tracking branch 'public/bug16248_027' 2016-03-14 12:53:57 -04:00
Nick Mathewson
307b863556 Add comments to connection_check_event(). 2016-03-14 12:53:21 -04:00
Nick Mathewson
91d7cf50c6 Change behavior on missing/present event to warn instead of asserting.
Add a changes file.
2016-03-11 10:50:36 -05:00
Nick Mathewson
e79da62645 If we start/stop reading on a dnsserv connection, don't assert.
Fixes bug 16248. Patch from cypherpunks.  Bugfix on 0.2.0.1-alpha.
2016-03-11 10:33:19 -05:00
Nick Mathewson
57699de005 Update the copyright year. 2016-02-27 18:48:19 +01:00
Nick Mathewson
7a782820e9 Make the sandbox work again with chutney.
Previously, we had a problem due to the check_private_dir() rewrite.

Bug not in any released Tor.
2016-02-24 16:01:24 -05:00
Nick Mathewson
73c433a48a Remove the freelist from memarea.c
This is in accordance with our usual policy against freelists,
now that working allocators are everywhere.

It should also make memarea.c's coverage higher.

I also doubt that this code ever helped performance.
2016-02-24 14:32:09 -05:00
Roger Dingledine
43193ec888 refactor directory_info_has_arrived so we can quiet the logs
no actual behavior changes
2016-02-22 02:54:32 -05:00
Nick Mathewson
c0a6c34652 Merge remote-tracking branch 'teor/bug18208' 2016-02-10 16:32:05 -05:00
Nick Mathewson
162d2022e1 Merge branch 'bug17682_squashed' 2016-02-10 15:50:28 -05:00
Nick Mathewson
601b41084a Bulletproof the safe_timer_diff function
Originally it can overflow in some weird cases.  Now it should no longer
be able to do so.

Additionally, limit main's timers to 30 days rather than to 38 years;
we don't actually want any 38-year timers.

Closes bug 17682.
2016-02-10 15:49:11 -05:00
Alec Heifetz
6852868b4a Removed dead code in main.c 2016-02-06 14:41:31 -05:00
teor (Tim Wilson-Brown)
92b1c3b604 Update ExitPolicy when interface addresses change
Tor exit relays reject local interface addresses in their exit policy.

Make sure those policies are updated when interface addresses change.
2016-02-02 15:05:59 +11:00
Nick Mathewson
0ace22ef6d Merge remote-tracking branch 'origin/maint-0.2.7' 2016-01-18 19:52:34 -05:00
Nick Mathewson
83dfcfbc4a Merge remote-tracking branch 'teor/bug18050' into maint-0.2.7 2016-01-18 19:51:57 -05:00
teor (Tim Wilson-Brown)
6094a886cf Check ORPort and DirPort reachability before publishing a relay descriptor
Otherwise, relays publish a descriptor with DirPort 0 when the DirPort
reachability test takes longer than the ORPort reachability test.

Closes bug #18050. Reported by "starlight", patch by "teor".
Bugfix on 0.1.0.1-rc, commit a1f1fa6ab on 27 Feb 2005.
2016-01-18 14:00:29 +11:00
teor (Tim Wilson-Brown)
ce5406b71a Fix a comment typo in main.c 2016-01-03 17:34:42 +11:00
Nick Mathewson
8585cc57f8 Merge branch 'maint-0.2.7' 2015-12-17 14:57:16 -05:00
Nick Mathewson
2cbaf39af4 Add some more ed25519 key files to the seccomp sandbox list
Fixes bug 17675; bugfix on 0.2.7.3-alpha.
2015-12-17 14:56:24 -05:00
cypherpunks
2d2312d989 Conform to the type signature of setsockopt(2)
According to the POSIX standard the option value is a pointer to void
and the option length a socklen_t. The Windows implementation makes the
option value be a pointer to character and the option length an int.

Casting the option value to a pointer to void conforms to the POSIX
standard while the implicit cast to a pointer to character conforms to
the Windows implementation.

The casts of the option length to the socklen_t data type conforms to
the POSIX standard. The socklen_t data type is actually an alias of an
int so it also conforms to the Windows implementation.
2015-12-17 08:34:27 -05:00
teor (Tim Wilson-Brown)
2212530bf5 Prop210: Close excess connections once a consensus is downloading
Once tor is downloading a usable consensus, any other connection
attempts are not needed.

Choose a connection to keep, favouring:
* fallback directories over authorities,
* connections initiated earlier over later connections

Close all other connections downloading a consensus.
2015-12-16 04:37:59 +11:00
teor (Tim Wilson-Brown)
35bbf2e4a4 Prop210: Add schedules for simultaneous client consensus downloads
Prop210: Add attempt-based connection schedules

Existing tor schedules increment the schedule position on failure,
then retry the connection after the scheduled time.

To make multiple simultaneous connections, we need to increment the
schedule position when making each attempt, then retry a (potentially
simultaneous) connection after the scheduled time.

(Also change find_dl_schedule_and_len to find_dl_schedule, as it no
longer takes or returns len.)

Prop210: Add multiple simultaneous consensus downloads for clients

Make connections on TestingClientBootstrapConsensus*DownloadSchedule,
incrementing the schedule each time the client attempts to connect.

Check if the number of downloads is less than
TestingClientBootstrapConsensusMaxInProgressTries before trying any
more connections.
2015-12-16 04:37:49 +11:00
cypherpunks
7e7188cb00 Assert when the TLS contexts fail to initialize 2015-12-10 08:50:40 -05:00
teor (Tim Wilson-Brown)
fb3e862b86 Update comment: get_connection_array no longer takes "n" 2015-12-07 16:10:37 +11:00
Nick Mathewson
e5754c42d1 Merge branch 'bug17686_v2_027' 2015-11-25 22:33:49 -05:00
Nick Mathewson
dedea28c2e Make crypto_seed_rng() and crypto_rand() less scary.
These functions must really never fail; so have crypto_rand() assert
that it's working okay, and have crypto_seed_rng() demand that
callers check its return value.  Also have crypto_seed_rng() check
RAND_status() before returning.
2015-11-25 22:29:59 -05:00
Nick Mathewson
118bdc3a6d Merge remote-tracking branch 'public/decouple_conn_attach_2' 2015-11-19 10:44:31 -05:00
Yawning Angel
85bb71049a Fix a startup time assert caused by periodic events not being initialized.
Loading a on disk bridge descriptor causes a directory download to be
scheduled, which asserts due to the periodic events not being
initialized yet.

Fixes bug #17635, not in any released version of tor.
2015-11-18 11:31:05 +00:00
Nick Mathewson
8af5afedc9 windows already has a CALLBACK macro... 2015-11-17 10:00:41 -05:00
Nick Mathewson
d3cb659541 Fix a server-side crash on DNS init 2015-11-17 09:37:50 -05:00
Nick Mathewson
70f337fdb2 Some unit tests now require that periodic events be initialized. 2015-11-17 09:26:50 -05:00
Nick Mathewson
58edf92678 Free pending_entry_connections on shutdown. 2015-11-17 09:06:47 -05:00
Nick Mathewson
84b3350c83 Be more conservative in scanning the list of pending streams
Now we only re-scan the list in the cases we did before: when we
have a new circuit that we should try attaching to, or when we have
added a new stream that we haven't tried to attach yet.

This is part of 17590.
2015-11-17 09:04:25 -05:00
Nick Mathewson
b1d56fc589 Decouple ..attach_circuit() from most of its callers.
Long ago we used to call connection_ap_handshake_attach_circuit()
only in a few places, since connection_ap_attach_pending() attaches
all the pending connections, and does so regularly.  But this turned
out to have a performance problem: it would introduce a delay to
launching or connecting a stream.

We couldn't just call connection_ap_attach_pending() every time we
make a new connection, since it walks the whole connection list.  So
we started calling connection_ap_attach_pending all over, instead!
But that's kind of ugly and messes up our callgraph.

So instead, we now have connection_ap_attach_pending() use a list
only of the pending connections, so we can call it much more
frequently.  We have a separate function to scan the whole
connection array to see if we missed adding anything, and log a
warning if so.

Closes ticket #17590
2015-11-17 08:53:34 -05:00
Nick Mathewson
b91bd27e6f Whoops; in this context the EV_TIMEOUT flag is needed 2015-11-17 08:53:16 -05:00
Nick Mathewson
661e5bdbfa Changes to 3199 branch based on feedback from special 2015-11-17 08:26:04 -05:00
Nick Mathewson
eb721ed2d9 Add documentation for periodic event api 2015-11-16 10:40:23 -05:00
Nick Mathewson
65a6489e5e fix whitespace; remove dead code 2015-11-13 16:24:45 -05:00
Nick Mathewson
2bf8fb5ee3 Fold all of the run-every-second stuff back into run_scheduled_events() 2015-11-13 16:24:45 -05:00
Nick Mathewson
9f31908a40 Turn all of run_scheduled_events() into a bunch of periodic events
This patch is designed to look good when you see it through 'diff -b':
it mostly leaves entries in the same order, and leaves the code unmodified.
2015-11-13 16:24:45 -05:00
Nick Mathewson
e8b459a2fa Connect periodic events to main 2015-11-13 16:24:44 -05:00
Nick Mathewson
a8a26ca30e Merge remote-tracking branch 'origin/maint-0.2.7' 2015-10-15 13:56:53 -04:00
Nick Mathewson
7e7683b254 Merge remote-tracking branch 'origin/maint-0.2.6' into maint-0.2.7 2015-10-15 13:56:41 -04:00
David Goulet
2ec5e24c58 Add hidserv-stats filname to our sandbox filter
Fixes #17354

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-10-15 13:42:34 -04:00
Nick Mathewson
0b3190d4b7 Merge remote-tracking branch 'donncha/feature14846_4' 2015-10-02 13:40:26 +02:00
Nick Mathewson
41891cbf93 Merge remote-tracking branch 'public/ed25519_hup_v2' 2015-09-10 10:37:13 -04:00
Donncha O'Cearbhaill
335d0b95d3 Clean old descriptors from the service-side rend cache
Parameterize the rend_cache_clean() function to allow it clean
old rendezvous descriptors from the service-side cache as well as
the client descriptor cache.
2015-09-08 12:34:05 +02:00
Nick Mathewson
f6bd8fbb80 Let recent relays run with the chutney sandbox.
Fixes 16965
2015-09-02 09:59:50 -04:00
Nick Mathewson
910e25358a Let bridge authorities run under the sandbox
(found thanks to teor's chutney haxx)
2015-09-02 09:59:22 -04:00
Nick Mathewson
037e8763a7 Reload Ed25519 keys on sighup.
Closes ticket 16790.
2015-08-19 13:37:21 -04:00
Nick Mathewson
428bb2d1c8 Merge branch 'ed25519_keygen_squashed' 2015-08-19 13:36:59 -04:00
Nick Mathewson
a1b5e8b30b Don' call failure to get keys a bug; it's possible now. 2015-08-19 13:36:50 -04:00
Nick Mathewson
8f6f1544c9 Resolve failing test_keygen tests. 2015-08-19 13:36:50 -04:00
Nick Mathewson
eafae7f677 Merge branch 'decouple_controller_events_squashed' 2015-08-18 08:56:31 -04:00
Nick Mathewson
bab221f113 Refactor our logic for sending events to controllers
Previously we'd put these strings right on the controllers'
outbufs. But this could cause some trouble, for these reasons:

  1) Calling the network stack directly here would make a huge portion
     of our networking code (from which so much of the rest of Tor is
     reachable) reachable from everything that potentially generated
     controller events.

  2) Since _some_ events (EVENT_ERR for instance) would cause us to
     call connection_flush(), every control_event_* function would
     appear to be able to reach even _more_ of the network stack in
     our cllgraph.

  3) Every time we generated an event, we'd have to walk the whole
     connection list, which isn't exactly fast.

This is an attempt to break down the "blob" described in
http://archives.seul.org/tor/dev/Mar-2015/msg00197.html -- the set of
functions from which nearly all the other functions in Tor are
reachable.

Closes ticket 16695.
2015-08-18 08:55:28 -04:00
Nick Mathewson
d07fe5dffe Merge remote-tracking branches 'public/decouple_lost_owner' and 'public/decouple_signals' 2015-08-17 16:24:45 -04:00
Nick Mathewson
573bd1f033 Merge remote-tracking branch 'public/decouple_retry_directory' 2015-08-17 13:50:19 -04:00
Nick Mathewson
34aefe6f38 Merge remote-tracking branch 'public/decouple_init_keys' 2015-08-14 08:40:51 -04:00
Nick Mathewson
e62518865b Decouple routerlist_retry_directory_downloads() from the blob
Instead of having it call update_all_descriptor_downloads and
update_networkstatus_downloads directly, we can have it cause them to
get rescheduled and called from run_scheduled_events.

Closes ticket 16789.
2015-08-13 09:45:30 -04:00
Nick Mathewson
3cc6d59521 Fix a windows compilation error 2015-08-12 13:16:08 -04:00
Nick Mathewson
f4f0b43268 Try to decouple process_signal() from anything not event-driven
This needs debugging; it currently breaks the stem tests.
2015-08-12 11:25:00 -04:00
Nick Mathewson
b65d53519a Decouple the backend for directory_all_unreachable to simplify our CFG
See ticket 16762.
2015-08-12 11:02:20 -04:00
Nick Mathewson
835e09e54b Split the client-only parts of init_keys() into a separate function
This should simplify the callgraph a little more.
2015-08-11 10:41:20 -04:00
David Goulet
7dce409802 Expire after 5 minutes rend cache failure entries
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-08-11 09:34:41 -04:00
cypherpunks
2d3f88f6b9 Remove casting of void pointers when handling signals. 2015-07-21 14:06:15 -04:00
Nick Mathewson
8596ccce01 Change the name for the keypinning file; delete the old one if found
This is a brute-force fix for #16580, wherein #16530 caused some
routers to do bad things with the old keypinning journal.
2015-07-14 11:33:35 -04:00
Nick Mathewson
d68133c745 Merge branch '13642_offline_master_v2_squashed' 2015-06-17 10:12:37 -04:00
Nick Mathewson
b6eee531bb Support encrypted offline master keys with a new --keygen flag
When --keygen is provided, we prompt for a passphrase when we make a
new master key; if it is nonempty, we store the secret key in a new
crypto_pwbox.

Also, if --keygen is provided and there *is* an encrypted master key,
we load it and prompt for a passphrase unconditionally.

We make a new signing key unconditionally when --keygen is provided.
We never overwrite a master key.
2015-06-17 10:11:18 -04:00
Nick Mathewson
43a98c7da6 Merge remote-tracking branch 'origin/maint-0.2.6' 2015-06-17 09:19:11 -04:00
Nick Mathewson
c8cb55659a Merge remote-tracking branch 'origin/maint-0.2.5' into maint-0.2.6 2015-06-17 09:18:45 -04:00
teor
75388f67c0 Correctly handle failed crypto_early_init
If crypto_early_init fails, a typo in a return value from tor_init
means that tor_main continues running, rather than returning
an error value.

Fixes bug 16360; bugfix on d3fb846d8c in 0.2.5.2-alpha,
introduced when implementing #4900.

Patch by "teor".
2015-06-17 09:18:32 -04:00
Nick Mathewson
e8386cce1c Merge remote-tracking branch 'origin/maint-0.2.6' 2015-06-02 14:29:37 -04:00
Peter Palfrader
a68e5323f8 Fix sandboxing to work when running as a relay
This includes correctly allowing renaming secret_id_key and allowing the
eventfd2 and futex syscalls.  Fixes bug 16244; bugfix on 0.2.6.1-alpha.
2015-06-02 14:20:01 -04:00
Nick Mathewson
1b52e95028 Merge branch '12498_ed25519_keys_v6'
Fixed numerous conflicts, and ported code to use new base64 api.
2015-05-28 11:04:33 -04:00
Nick Mathewson
3bee74c6d1 Generate weird certificates correctly
(Our link protocol assumes that the link cert certifies the TLS key,
and there is an RSA->Ed25519 crosscert)
2015-05-28 10:47:47 -04:00
Nick Mathewson
57189acd6f # This is a combination of 2 commits.
# The first commit's message is:

Regenerate ed25519 keys when they will expire soon.

Also, have testing-level options to set the lifetimes and
expiration-tolerances of all key types, plus a non-testing-level
option to set the lifetime of any auto-generated signing key.

# The 2nd commit message will be skipped:

#	fixup! Regenerate ed25519 keys when they will expire soon.
2015-05-28 10:42:30 -04:00
Nick Mathewson
592a439107 Tie key-pinning logic into directory authority operation
With this patch:
  * Authorities load the key-pinning log at startup.
  * Authorities open a key-pinning log for writing at startup.
  * Authorities reject any router with an ed25519 key where they have
    previously seen that ed25519 key with a different RSA key, or vice
    versa.
  * Authorities warn about, but *do not* reject, RSA-only descriptors
    when the RSA key has previously gone along with an Ed25519 key.
    (We should make this a 'reject' too, but we can't do that until we're
    sure there's no legit reason to downgrade to 0.2.5.)
2015-05-28 10:41:49 -04:00
Nick Mathewson
818e6f939d prop220: Implement certificates and key storage/creation
For prop220, we have a new ed25519 certificate type. This patch
implements the code to create, parse, and validate those, along with
code for routers to maintain their own sets of certificates and
keys.  (Some parts of master identity key encryption are done, but
the implementation of that isn't finished)
2015-05-28 10:40:56 -04:00
Nick Mathewson
ed02a409cf Merge branch 'bug16034_no_more_openssl_098_squashed'
Conflicts:
	src/test/testing_common.c
2015-05-20 15:33:22 -04:00
Nick Mathewson
f8f407d66a Now that OpenSSL 0.9.8 is dead, crypto_seed_rng() needs no args
It needed an argument before because it wasn't safe to call
RAND_poll() on openssl 0.9.8c if you had already opened more fds
than would fit in fd_set.
2015-05-20 15:27:36 -04:00
Nick Mathewson
d55db221e8 tor_tls_get_buffer_sizes() will not work on openssl 1.1. Patch from yawning 2015-05-13 12:12:53 -04:00
Nick Mathewson
c3894473fe whitespace fixes 2015-04-23 09:36:43 -04:00
Nick Mathewson
241e6b0937 Fix some conversion problems 2015-04-23 09:16:42 -04:00
David Goulet
3f41318472 Add crypto_rand_int_range() and use it
Incidently, this fixes a bug where the maximum value was never used when
only using crypto_rand_int(). For instance this example below in
rendservice.c never gets to INTRO_POINT_LIFETIME_MAX_SECONDS.

  int intro_point_lifetime_seconds =
    INTRO_POINT_LIFETIME_MIN_SECONDS +
    crypto_rand_int(INTRO_POINT_LIFETIME_MAX_SECONDS -
                    INTRO_POINT_LIFETIME_MIN_SECONDS);

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-04-21 11:06:12 -04:00
Nick Mathewson
06939551f4 code style fixes 2015-04-16 11:17:16 -04:00
Nick Mathewson
fabfa28c48 Fix missing-initializer warning 2015-04-16 11:16:20 -04:00
Nick Mathewson
f152081de1 Merge remote-tracking branch 'arma/ticket8766' 2015-04-16 11:15:29 -04:00
cypherpunks
59e753a4a6 Make --hash-password imply --hush to prevent unnecessary noise. 2015-04-15 09:39:41 -04:00
rl1987
e89c200c47 Print the error message for --dump-config even if no arguments are given. 2015-04-07 14:09:41 -04:00
rl1987
ad54c197a9 Fix error message in do_dump_config(). 2015-04-06 21:01:43 +03:00
Nick Mathewson
54d6e5e71e Merge remote-tracking branch 'public/feature15053' 2015-03-18 14:27:00 -04:00
Nick Mathewson
d8263ac254 Merge remote-tracking branch 'origin/maint-0.2.6' 2015-03-18 08:58:15 -04:00
Nick Mathewson
a0f892f190 Simplify the loop. 2015-03-14 14:31:26 -04:00
Nick Mathewson
ddb1889eb8 Add comments for new functions 2015-03-14 14:28:29 -04:00
Nick Mathewson
92d04721a2 remove a needless "if (1)" that was there for indentation; fix indentation. 2015-03-14 14:28:29 -04:00
Nick Mathewson
b78803f9f5 Extract main part of main loop into a separate function
For 15176; Shadow would like this.

Based on a patch by Rob Jansen, but revised to have a minimal-sized diff.
2015-03-14 14:28:29 -04:00
cypherpunks
5176f6f103 Remove relative paths to header files.
The paths are already in the directory search path of the compiler therefore no
need to include them in the source code.
2015-03-14 13:00:05 -04:00
Nick Mathewson
4247ce99e5 ug. test, _then_ commit, nick. 2015-03-14 12:14:32 -04:00
Nick Mathewson
f70f1d283e Do not printf success messages when we are --quieted or --hushed.
Fixes 14994. Calling this a bug on when --quiet and --hush began to have
their current behavior.
2015-03-14 12:12:53 -04:00
Nick Mathewson
783a44f9e9 Log less/better about systemd at startup
Report errors if the notification fails; report success only if it
succeeds; and if we are not notifying systemd because we aren't
running with systemd, don't log at notice.
2015-02-24 11:11:24 -05:00
cypherpunks
5246e8f992 Remove lingering mempool code 2015-02-23 11:19:31 -05:00
Nick Mathewson
6f331645c7 Remove mempools and buf freelists
They have been off-by-default since 0.2.5 and nobody has complained. :)

Also remove the buf_shrink() function, which hasn't done anything
since we first stopped using contiguous memory to store buffers.

Closes ticket 14848.
2015-02-11 09:03:50 -05:00
Roger Dingledine
56061976db Recover better when our clock jumps back many hours
like might happen for Tails or Whonix users who start with a very wrong
hardware clock, use Tor to discover a more accurate time, and then
fix their clock.

Resolves part of ticket 8766.

(There are still some timers in various places that aren't addressed yet.)
2015-02-09 01:05:31 -05:00
Roger Dingledine
1cb9064d7d shift all the static times into a struct
no actual behavior changes yet
2015-02-09 00:07:15 -05:00
Nick Mathewson
1e896214e7 Refactor cpuworker to use workqueue/threadpool code. 2015-01-14 11:23:34 -05:00
Nick Mathewson
d8b7dcca8d Merge remote-tracking branch 'andrea/ticket12585_v3' 2015-01-13 12:50:55 -05:00
Nick Mathewson
c2e200cef8 Merge branch 'bug13806_squashed'
Conflicts:
	src/or/relay.c
2015-01-12 13:59:26 -05:00
Nick Mathewson
3033ba9f5e When OOM, free cached hidden service descriptors too. 2015-01-12 13:47:52 -05:00
Nick Mathewson
e009c2da51 Fix unused-parameter warning in systemd_watchdog_callback 2015-01-11 11:19:51 -05:00
Tomasz Torcz
a8999acc3b fix and enable systemd watchdog
There were following problems:
  - configure.ac wrongly checked for defined HAVE_SYSTEMD; this
    wasn't working, so the watchdog code was not compiled in.
    Replace library search with explicit version check
  - sd_notify() watchdog call was unsetting NOTIFY_SOCKET from env;
    this means only first "watchdog ping" was delivered, each
    subsequent one did not have socket to be sent to and systemd
    was killing service
  - after those fixes, enable Watchdog in systemd unit with one
    minute intervals
2015-01-11 11:14:32 -05:00
Tomasz Torcz
2aa2d0a1c5 send more details about daemon status to supervisor
If running under systemd, send back information when reloading
configuration and gracefully shutting down.  This gives administator
more information about current Tor daemon state.
2015-01-11 11:14:14 -05:00
Nick Mathewson
71f409606a Unconfuse coverity when it sees the systemd headers 2015-01-07 21:09:41 -05:00
Andrea Shepard
a3bcde3638 Downgrade open/close log message for SocksSocket 2015-01-07 22:57:51 +00:00
Jacob Appelbaum
8d59ddf3cb Commit second draft of Jake's SOCKS5-over-AF_UNIX patch. See ticket #12585.
Signed-off-by: Andrea Shepard <andrea@torproject.org>
2015-01-07 17:42:57 +00:00
Nick Mathewson
7c5a45575f Spelling -- readyness->readiness. 2015-01-06 17:10:27 -05:00
Nick Mathewson
f54e54b0b4 Bump copyright dates to 2015, in case someday this matters. 2015-01-02 14:27:39 -05:00
Nick Mathewson
2f46e5e755 Adjust systemd watchdog support
Document why we divide it by two.

Check for > 0 instead of nonzero for success, since that's what the
manpage says.

Allow watchdog timers greater than 1 second.
2014-12-23 11:27:18 -05:00
Michael Scherer
29ac883606 Add support for systemd watchdog protocol
It work by notifying systemd on a regular basis. If
there is no notification, the daemon is restarted.
This requires a version newer than the 209 version
of systemd, as it is not supported before.
2014-12-23 11:22:42 -05:00
Michael Scherer
aabaed6f49 add support for systemd notification protocol
This permit for now to signal readiness in a cleaner way
to systemd.
2014-12-23 11:06:01 -05:00
George Kadianakis
14e83e626b Add two hidden-service related statistics.
The two statistics are:
 1. number of RELAY cells observed on successfully established
    rendezvous circuits; and
 2. number of .onion addresses observed as hidden-service
    directory.

Both statistics are accumulated over 24 hours, obfuscated by rounding
up to the next multiple of a given number and adding random noise,
and written to local file stats/hidserv-stats.

Notably, no statistics will be gathered on clients or services, but
only on relays.
2014-12-19 10:35:25 -05:00
Nick Mathewson
e2641484a7 One more, appease "make check-spaces" 2014-11-27 22:57:04 -05:00
Nick Mathewson
a28df3fb67 Merge remote-tracking branch 'andrea/cmux_refactor_configurable_threshold'
Conflicts:
	src/or/or.h
	src/test/Makefile.nmake
2014-11-27 22:39:46 -05:00
Nick Mathewson
3a91a08e21 Merge branch 'feature9503_squashed' 2014-11-25 12:49:09 -05:00
rl1987
bf67a60b86 Sending response to SIGNAL HEARTBEAT controller command. 2014-11-25 12:48:41 -05:00
rl1987
8c135062e5 Adding 'SIGNAL HEARTBEAT' message that causes unscheduled heartbeat. 2014-11-25 12:48:41 -05:00
Nick Mathewson
336c856e52 Make can_complete_circuits a static variable. 2014-11-20 12:03:46 -05:00
Nick Mathewson
fcdcb377a4 Add another year to our copyright dates.
Because in 95 years, we or our successors will surely care about
enforcing the BSD license terms on this code.  Right?
2014-10-28 15:30:16 -04:00
Nick Mathewson
8e4daa7bb0 Merge remote-tracking branch 'public/ticket6938'
Conflicts:
	src/tools/tor-resolve.c
2014-10-22 10:14:03 -04:00
Nick Mathewson
472b62bfe4 Uglify scheduler init logic to avoid crash on startup.
Otherwise, when we authority try to do a self-test because of
init-keys, if that self-test can't be launched for whatever reason and
so we close the channel immediately, we crash.

Yes, this a silly way for initialization to work.
2014-09-30 22:48:26 -07:00
Andrea Shepard
d438cf1ec9 Implement scheduler mechanism to track lists of channels wanting cells or writes; doesn't actually drive the cell flow from it yet 2014-09-30 22:48:24 -07:00
Nick Mathewson
e84e1c9745 More generic passphrase hashing code, including scrypt support
Uses libscrypt when found; otherwise, we don't have scrypt and we
only support openpgp rfc2440 s2k hashing, or pbkdf2.

Includes documentation and unit tests; coverage around 95%. Remaining
uncovered code is sanity-checks that shouldn't be reachable fwict.
2014-09-25 11:58:13 -04:00
Nick Mathewson
93dfb12037 Remember log messages that happen before logs are configured
(And replay them once we know our first real logs.)

This is an implementation for issue 6938.  It solves the problem of
early log mesages not getting sent to log files, but not the issue of
early log messages not getting sent to controllers.
2014-09-10 23:34:43 -04:00
Nick Mathewson
9b2d8c4e20 Rename secret_to_key to secret_to_key_rfc2440 2014-08-28 11:20:31 -04:00
Nick Mathewson
7c1143e11f Terser ways to sandbox-allow related filenames
Using the *_array() functions here confused coverity, and was actually
a bit longer than we needed.  Now we just use macros for the repeated
bits, so that we can mention a file and a suffix-appended version in
one line.
2014-08-24 13:30:55 -04:00
Arlo Breault
15e170e01b Add an option to overwrite logs
* Issue #5583
2014-07-16 12:16:49 +02:00
Nick Mathewson
7591ce64fb Merge remote-tracking branch 'origin/maint-0.2.5' 2014-07-16 11:01:20 +02:00
Nick Mathewson
856114ab1c Merge remote-tracking branch 'public/bug8387_024' into maint-0.2.5 2014-07-16 10:01:56 +02:00
Nick Mathewson
ed3d7892c7 Fix a bug where streams would linger forever when we had no dirinfo
fixes bug 8387; fix on 0.1.1.11-alpha (code), or on 0.2.4.10-alpha (behavior).
2014-07-09 16:15:05 -04:00
Nick Mathewson
5b4ee475aa Remove code for Windows CE support
As far as I know, nobody has used this in ages.  It would be a
pretty big surprise if it had worked.

Closes ticket 11446.
2014-06-20 09:49:36 -04:00
Nick Mathewson
a7cafb1ea9 Merge branch 'bug8746_v2_squashed'
Conflicts:
	src/common/include.am
2014-06-14 11:46:38 -04:00
Nick Mathewson
4ed03965a5 New waitpid-handler functions to run callbacks when a child exits.
Also, move 'procmon' into libor_event library, since it uses libevent.
2014-06-14 11:40:27 -04:00
Nick Mathewson
bbb1ffe535 sandbox: Permit stat() of DataDir/stats
This is a fix for another case of 12064 that alphawolf just spotted.

There's already an 0.2.5.5 changelog entry for this.
2014-06-13 08:36:43 -04:00
Nick Mathewson
02dafc270c whitespaces fixes 2014-06-11 12:00:14 -04:00
Nick Mathewson
3a2e25969f Merge remote-tracking branch 'public/ticket6799_024_v2_squashed'
Conflicts:
	src/or/channel.c
	src/or/circuitlist.c
	src/or/connection.c

Conflicts involved removal of next_circ_id and addition of
unusable-circid tracking.
2014-06-11 11:57:56 -04:00
Nick Mathewson
6557e61295 Replace last_added_nonpadding with last_had_circuits
The point of the "idle timeout" for connections is to kill the
connection a while after it has no more circuits.  But using "last
added a non-padding cell" as a proxy for that is wrong, since if the
last circuit is closed from the other side of the connection, we
will not have sent anything on that connection since well before the
last circuit closed.

This is part of fixing 6799.

When applied to 0.2.5, it is also a fix for 12023.
2014-06-11 11:27:04 -04:00
Nick Mathewson
463f6628d3 Give each or_connection_t a slightly randomized idle_timeout
Instead of killing an or_connection_t that has had no circuits for
the last 3 minutes, give every or_connection_t a randomized timeout,
so that an observer can't so easily infer from the connection close
time the time at which its last circuit closed.

Also, increase the base timeout for canonical connections from 3
minutes to 15 minutes.

Fix for ticket 6799.
2014-06-11 11:27:04 -04:00
Nick Mathewson
6f20dd7bfc Merge remote-tracking branch 'public/bug11970' 2014-06-11 11:01:52 -04:00
Nick Mathewson
dd0745d066 Don't try to fetch bridge descriptors when DisableNetwork is set
Patch from Roger; changes file by me.

Fixes 10405; bugfix on 0.2.3.9-alpha, where DisableNetwork was
introduced.
2014-06-02 02:17:28 -04:00
Nick Mathewson
14842de9a7 sandbox: Allow DirPortFrontPage unconditionally if it's set
fixes 12114; bug not in any release.

Improves fix for 12028
2014-05-27 19:21:11 -04:00
Nick Mathewson
824bebd409 sandbox: Correct fix for hs part of 12064
Bugfix on cfd0ee514c279bc6c7b; bug not in any released version of tor
2014-05-23 11:46:44 -04:00
Nick Mathewson
5de91d118d Merge branch 'bug11965_v2' 2014-05-23 11:23:00 -04:00
Nick Mathewson
802c063148 Postpone fetches based on should_delay_dir_fetch(), not DisableNetwork
Without this fix, when running with bridges, we would try fetching
directory info far too early, and have up to a 60 second delay if we
started with bridge descriptors available.

Fixes bug 11965. Fix on 0.2.3.6-alpha, arma thinks.
2014-05-23 11:22:35 -04:00
Nick Mathewson
cfd0ee514c sandbox: allow reading of hidden service configuration files.
fixes part of 12064
2014-05-22 20:39:10 -04:00
Nick Mathewson
ffc1fde01f sandbox: allow access to cookie files, approved-routers
fixes part of 12064
2014-05-22 19:56:56 -04:00
Michael Wolf
387f294d40 sandbox: allow access to various stats/*-stats files
Fix for 12064 part 1
2014-05-22 19:48:24 -04:00
Nick Mathewson
e425fc7804 sandbox: revamp sandbox_getaddrinfo cacheing
The old cache had problems:
     * It needed to be manually preloaded. (It didn't remember any
       address you didn't tell it to remember)
     * It was AF_INET only.
     * It looked at its cache even if the sandbox wasn't turned on.
     * It couldn't remember errors.
     * It had some memory management problems. (You can't use memcpy
       to copy an addrinfo safely; it has pointers in.)

This patch fixes those issues, and moves to a hash table.

Fixes bug 11970; bugfix on 0.2.5.1-alpha.
2014-05-22 17:39:36 -04:00
Nick Mathewson
1a73e17801 Merge remote-tracking branch 'andrea/bug11476' 2014-05-22 16:27:29 -04:00
Nick Mathewson
2609b939d6 fix a wide line 2014-05-20 15:22:27 -04:00
Nick Mathewson
c21377e7bc sandbox: support logfile rotation
Fixes bug 12032; bugfix on 0.2.5.1-alpha
2014-05-20 15:21:48 -04:00
Nick Mathewson
268a117cdf sandbox: tolerate reloading with DirPortFrontPage set
Also, don't tolerate changing DirPortFrontPage.

Fixes bug 12028; bugfix on 0.2.5.1-alpha.
2014-05-20 14:58:28 -04:00
Nick Mathewson
f87071f49e sandbox: Permit access to stats/dirreq-stats
This prevents a crash when rotating logs with dirreq-stats enabled

fixes 12035; bugfix on 0.2.5.1-alpha.
2014-05-20 12:06:08 -04:00
Nick Mathewson
0b2b5b7606 Oops; permit rename with the correct filename 2014-05-20 12:03:27 -04:00
Nick Mathewson
f6d3006363 Sandbox: allow access to stats/bridge-stats
Fix for 12041; bugfix on 0.2.5.1-alpha.
2014-05-20 11:57:29 -04:00
Nick Mathewson
e12af2adb0 Add a pair of wrapper functions: tor_getpwnam() and tor_getpwuid()
We'll use these to deal with being unable to access the user DB
after we install the sandbox, to fix bug 11946.
2014-05-14 13:50:43 -04:00
Andrea Shepard
39d4e67be8 Add --disable-mempools configure option 2014-05-12 18:23:34 -07:00
dana koch
d6e6c63baf Quench clang's complaints with -Wshorten-64-to-32 when time_t is not long.
On OpenBSD 5.4, time_t is a 32-bit integer. These instances contain
implicit treatment of long and time_t as comparable types, so explicitly
cast to time_t.
2014-05-11 23:36:00 -04:00
Nick Mathewson
5d496963b4 Don't start sandbox except for CMD_RUN_TOR
This was crashing on --verify-config in the debian startup script, if you
had sandboxing enabled.  Fixes 11609; fix on 0.2.5.1-alpha.
2014-05-05 10:29:35 -04:00
Nick Mathewson
67aa3685e7 Merge branch 'bug11396_v2_squashed'
Conflicts:
	src/or/main.c
2014-04-24 10:31:38 -04:00
Nick Mathewson
aca05fc5c0 get_total_system_memory(): see how much RAM we have 2014-04-24 10:26:14 -04:00
Nick Mathewson
18f7f49a8c Allow reloading torrc and writing to router-stability 2014-04-16 22:03:17 -04:00
Nick Mathewson
ce776cf270 Add a couple of missing renames so the server sandbox works again 2014-04-16 22:03:09 -04:00
Nick Mathewson
e6785ee16d Get Libevent's PRNG functioning under the linux sandbox
Libevent uses an arc4random implementation (I know, I know) to
generate DNS transaction IDs and capitalization.  But it liked to
initialize it either with opening /dev/urandom (which won't work
under the sandbox if it doesn't use the right pointer), or with
sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}).  To make _that_ work, we
were permitting sysctl unconditionally.  That's not such a great
idea.

Instead, we try to initialize the libevent PRNG _before_ installing
the sandbox, and make sysctl always fail with EPERM under the
sandbox.
2014-04-16 22:03:09 -04:00
Nick Mathewson
71eaebd971 Drop 'fr' parameter from sandbox code.
Appearently, the majority of the filenames we pass to
sandbox_cfg_allow() functions are "freeable right after". So, consider
_all_ of them safe-to-steal, and add a tor_strdup() in the few cases
that aren't.

(Maybe buggy; revise when I can test.)
2014-04-16 22:03:08 -04:00