Commit Graph

5177 Commits

Author SHA1 Message Date
Nick Mathewson
18734d3b25 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-26 12:58:22 -04:00
Nick Mathewson
32b9edeb91 Fix build warnings from Coverity related to our BUG macro
In the Linux kernel, the BUG() macro causes an instant panic.  Our
BUG() macro is different, however: it generates a nonfatal assertion
failure, and is usable as an expression.

Additionally, this patch tells util_bug.h to make all assertion
failures into fatal conditions when we're building with a static
analysis tool, so that the analysis tool can look for instances
where they're reachable.

Fixes bug 23030.
2017-07-26 12:57:49 -04:00
Nick Mathewson
3c017e823b Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-26 12:53:38 -04:00
Nick Mathewson
6d3c5b8fb5 Merge branch 'bug22915_029_2' into maint-0.2.9 2017-07-26 12:53:13 -04:00
Nick Mathewson
fca1934c88 Suppress clang4-specific -Wdouble-promotion warnings
Wow, it sure seems like some compilers can't implement isnan() and
friends in a way that pleases themselves!

Fixes bug 22915. Bug trigged by 0.2.8.1-alpha and later; caused by
clang 4.
2017-07-26 12:53:00 -04:00
Isis Lovecruft
7b4585e2a3
Add a changes file for bug22636. 2017-07-17 21:44:59 +00:00
Nick Mathewson
f5d2f79aca Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-14 09:11:14 -04:00
Nick Mathewson
3a7d757140 Merge branch 'bug22916_027' into maint-0.2.9 2017-07-14 09:11:08 -04:00
Nick Mathewson
c1afbbe8fe Merge branch 'bug22803_030' into maint-0.3.0 2017-07-14 09:06:33 -04:00
Nick Mathewson
3cec1783b7 Fix compiler warnings with openssl-scrypt/libscrypt test on clang
Clang didn't like that we were passing uint64_t values to an API
that wanted uint32_t.  GCC has either not cared, or has figured out
that the values in question were safe to cast to uint32_t.

Fixes bug22916; bugfix on 0.2.7.2-alpha.
2017-07-13 17:49:48 -04:00
Nick Mathewson
ed0fb21834 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-07-07 10:56:31 -04:00
Nick Mathewson
66c85cd881 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-07 10:56:31 -04:00
Nick Mathewson
48e45e2fb1 Merge branch 'bug22838_028' into maint-0.2.8 2017-07-07 10:55:51 -04:00
Nick Mathewson
ae756f251f mingw fix: avoid "unused var" warning.
This is a backport of 19615bce64 to
fix bug 22838.
2017-07-07 10:54:24 -04:00
Nick Mathewson
5472066cd2 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-07-07 10:51:28 -04:00
Nick Mathewson
715185477d Merge branch 'maint-0.2.5' into maint-0.2.6 2017-07-07 10:51:28 -04:00
Nick Mathewson
78dfa76ddc Merge branch 'maint-0.2.4' into maint-0.2.5 2017-07-07 10:51:28 -04:00
Nick Mathewson
4858cda2df Merge branch 'maint-0.2.8' into maint-0.2.9 2017-07-07 10:51:28 -04:00
Nick Mathewson
2dd1e21212 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-07 10:51:28 -04:00
Nick Mathewson
c1e4aff384 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-07-07 10:51:28 -04:00
Nick Mathewson
b47249e0bb Mention TROVE-2017-007 in changes file for 22789 2017-07-07 10:51:25 -04:00
Karsten Loesing
b6acfa491e Update geoip and geoip6 to the July 4 2017 database. 2017-07-07 16:27:54 +02:00
Nick Mathewson
759154b1ad Fix unit test memory leak in certs_ok_ed25519.
Fixes bug 22803; bugfix on 0.3.0.1-alpha.
2017-07-05 15:42:25 -04:00
Nick Mathewson
546f5b364b Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-05 13:43:31 -04:00
Nick Mathewson
32c0066e4b Merge branch 'maint-0.2.8' into maint-0.2.9 2017-07-05 13:43:21 -04:00
Nick Mathewson
5ff0f1ab9e Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-07-05 13:42:47 -04:00
Nick Mathewson
6cd6d488dc Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-07-05 13:42:37 -04:00
Nick Mathewson
f6420bceec Merge branch 'maint-0.2.5' into maint-0.2.6 2017-07-05 13:42:32 -04:00
Nick Mathewson
ff8c230d7c Merge branch 'maint-0.2.4' into maint-0.2.5 2017-07-05 13:42:26 -04:00
Nick Mathewson
16d2bce893 Allow setsockopt(IPV6_V6ONLY) in sandbox.
Fixes bug 20247.  We started setting V6ONLY in 0.2.3.13-alpha and
added the sandbox on 0.2.5.1-alpha.
2017-07-05 13:09:21 -04:00
Nick Mathewson
8bc70a2ad2 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-05 11:19:03 -04:00
Nick Mathewson
bb97f680e7 Merge branch 'bug22801_028' into maint-0.2.9 2017-07-05 11:18:59 -04:00
teor
878e0d45a5 Always allow extra file descriptors when setting the connection maximum
When setting the maximum number of connections allowed by the OS,
always allow some extra file descriptors for other files.

Fixes bug 22797; bugfix on 0.2.0.10-alpha.
2017-07-05 11:15:10 -04:00
Nick Mathewson
bb3f74e66b Fix assertion failure related to openbsd strtol().
Fixes bug 22789; bugfix on 0.2.3.8-alpha.
2017-07-03 11:22:27 -04:00
Nick Mathewson
5361032219 Fix -Wfloat-conversion C warnings on mingw in clamp_double_to_int64.
We just have to suppress these warnings: Mingw's math.h uses gcc's
__builtin_choose_expr() facility to declare isnan, isfinite, and
signbit.  But as implemented in at least some versions of gcc,
__builtin_choose_expr() can generate type warnings even from
branches that are not taken.

Fixes bug 22801; bugfix on 0.2.8.1-alpha.
2017-07-03 10:59:31 -04:00
Nick Mathewson
52c4440c48 Merge branch 'trove-2017-006' into maint-0.3.0 2017-06-29 15:57:42 -04:00
Nick Mathewson
665baf5ed5 Consider the exit family when applying guard restrictions.
When the new path selection logic went into place, I accidentally
dropped the code that considered the _family_ of the exit node when
deciding if the guard was usable, and we didn't catch that during
code review.

This patch makes the guard_restriction_t code consider the exit
family as well, and adds some (hopefully redundant) checks for the
case where we lack a node_t for a guard but we have a bridge_info_t
for it.

Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016-006
and CVE-2017-0377.
2017-06-29 09:57:00 -04:00
Nick Mathewson
4c21d4ef7a Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-28 14:03:23 -04:00
Nick Mathewson
ec9c6d7723 Merge remote-tracking branch 'teor/bug21507-029' into maint-0.2.9 2017-06-28 14:03:20 -04:00
Nick Mathewson
4060253749 Merge remote-tracking branch 'teor/bug21576_029_v2' into maint-0.2.9 2017-06-28 13:57:54 -04:00
Nick Mathewson
e84127d99e Merge remote-tracking branch 'asn/bug21969_bridges_030' into maint-0.3.0 2017-06-28 13:48:52 -04:00
Nick Mathewson
f367453cb5 Mark descriptors as undownloadable when dirserv_add_() rejects them
As of ac2f6b608a in 0.2.1.19-alpha,
Sebastian fixed bug 888 by marking descriptors as "impossible" by
digest if they got rejected during the
router_load_routers_from_string() phase. This fix stopped clients
and relays from downloading the same thing over and over.

But we never made the same change for descriptors rejected during
dirserv_add_{descriptor,extrainfo}.  Instead, we tried to notice in
advance that we'd reject them with dirserv_would_reject().

This notice-in-advance check stopped working once we added
key-pinning and didn't make a corresponding key-pinning change to
dirserv_would_reject() [since a routerstatus_t doesn't include an
ed25519 key].

So as a fix, let's make the dirserv_add_*() functions mark digests
as undownloadable when they are rejected.

Fixes bug 22349; I am calling this a fix on 0.2.1.19-alpha, though
you could also argue for it being a fix on 0.2.7.2-alpha.
2017-06-27 12:01:46 -04:00
Nick Mathewson
3483f7c003 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-06-27 11:04:44 -04:00
Nick Mathewson
9a0fd2dbb1 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-27 11:04:44 -04:00
Nick Mathewson
3de27618e6 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-27 11:04:44 -04:00
Nick Mathewson
ccae991662 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-27 11:04:44 -04:00
Nick Mathewson
a242d194c7 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-27 11:04:44 -04:00
Nick Mathewson
711160a46f Merge branch 'maint-0.2.8' into maint-0.2.9 2017-06-27 11:04:44 -04:00
Nick Mathewson
8d2978b13c Fix an errant memset() into the middle of a struct in cell_pack().
This mistake causes two possible bugs. I believe they are both
harmless IRL.

BUG 1: memory stomping

When we call the memset, we are overwriting two 0 bytes past the end
of packed_cell_t.body. But I think that's harmless in practice,
because the definition of packed_cell_t is:

// ...
typedef struct packed_cell_t {
  TOR_SIMPLEQ_ENTRY(packed_cell_t) next;
  char body[CELL_MAX_NETWORK_SIZE];
  uint32_t inserted_time;
} packed_cell_t;

So we will overwrite either two bytes of inserted_time, or two bytes
of padding, depending on how the platform handles alignment.

If we're overwriting padding, that's safe.

If we are overwriting the inserted_time field, that's also safe: In
every case where we call cell_pack() from connection_or.c, we ignore
the inserted_time field. When we call cell_pack() from relay.c, we
don't set or use inserted_time until right after we have called
cell_pack(). SO I believe we're safe in that case too.

BUG 2: memory exposure

The original reason for this memset was to avoid the possibility of
accidentally leaking uninitialized ram to the network. Now
remember, if wide_circ_ids is false on a connection, we shouldn't
actually be sending more than 512 bytes of packed_cell_t.body, so
these two bytes can only leak to the network if there is another bug
somewhere else in the code that sends more data than is correct.

Fortunately, in relay.c, where we allocate packed_cell_t in
packed_cell_new() , we allocate it with tor_malloc_zero(), which
clears the RAM, right before we call cell_pack. So those
packed_cell_t.body bytes can't leak any information.

That leaves the two calls to cell_pack() in connection_or.c, which
use stack-alocated packed_cell_t instances.

In or_handshake_state_record_cell(), we pass the cell's contents to
crypto_digest_add_bytes(). When we do so, we get the number of
bytes to pass using the same setting of wide_circ_ids as we passed
to cell_pack(). So I believe that's safe.

In connection_or_write_cell_to_buf(), we also use the same setting
of wide_circ_ids in both calls. So I believe that's safe too.

I introduced this bug with 1c0e87f6d8
back in 0.2.4.11-alpha; it is bug 22737 and CID 1401591
2017-06-27 10:47:20 -04:00
Nick Mathewson
32e486de97 Don't expand guard sample set unless consensus is "reasonably live"
Fixes what I think is the main root cause of 22400. Bugfix on
0.3.0.1-alpha.
2017-06-19 15:48:47 -04:00
Nick Mathewson
71c701927a Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-19 13:52:19 -04:00
Nick Mathewson
59f29970fa Permit the fchmod system call.
Fixes bug 22516; bugfix on 0.2.5.4-alpha.
2017-06-16 14:03:02 -04:00
Nick Mathewson
493d9cd17b Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-09 09:58:46 -04:00
Nick Mathewson
cd7d006e08 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-06-09 09:58:46 -04:00
Nick Mathewson
307be8d4a7 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-06-09 09:58:45 -04:00
Nick Mathewson
24ee8595bf Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-09 09:58:45 -04:00
Nick Mathewson
3913f959e3 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-09 09:58:45 -04:00
Nick Mathewson
325c507a09 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-09 09:58:45 -04:00
Karsten Loesing
104e8fa751 Update geoip and geoip6 to the June 8 2017 database. 2017-06-09 15:47:49 +02:00
Nick Mathewson
a0664fd0c3 bump to 0.3.0.8 2017-06-08 09:24:28 -04:00
Nick Mathewson
d15d09a968 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-06-08 09:21:15 -04:00
Nick Mathewson
c1646d6e89 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-08 09:21:15 -04:00
Nick Mathewson
40bccc2004 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-08 09:21:15 -04:00
Nick Mathewson
dec7998f5c Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-08 09:21:15 -04:00
Nick Mathewson
987c7cae70 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-06-08 09:21:15 -04:00
Nick Mathewson
53011e3e54 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-08 09:21:15 -04:00
David Goulet
56a7c5bc15 TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell
On an hidden service rendezvous circuit, a BEGIN_DIR could be sent
(maliciously) which would trigger a tor_assert() because
connection_edge_process_relay_cell() thought that the circuit is an
or_circuit_t but is an origin circuit in reality.

Fixes #22494

Reported-by: Roger Dingledine <arma@torproject.org>
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-06-08 09:21:10 -04:00
Nick Mathewson
eb5d05f696 Another changes fix. 2017-06-08 09:20:53 -04:00
Nick Mathewson
0c46dc8097 tweak changes file. 2017-06-08 09:16:33 -04:00
David Goulet
79b59a2dfc TROVE-2017-004: Fix assertion failure in relay_send_end_cell_from_edge_
This fixes an assertion failure in relay_send_end_cell_from_edge_() when an
origin circuit and a cpath_layer = NULL were passed.

A service rendezvous circuit could do such a thing when a malformed BEGIN cell
is received but shouldn't in the first place because the service needs to send
an END cell on the circuit for which it can not do without a cpath_layer.

Fixes #22493

Reported-by: Roger Dingledine <arma@torproject.org>
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-06-08 09:14:10 -04:00
Nick Mathewson
d5acdadaef Merge branch 'bug22460_030_01' into maint-0.3.0 2017-06-05 15:44:36 -04:00
Nick Mathewson
d1c1dc229e Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-05 15:44:12 -04:00
Nick Mathewson
9fea00928c Merge branch 'bug22460_case2_029_01_squashed' into maint-0.2.9 2017-06-05 15:28:13 -04:00
Nick Mathewson
01878fa309 Changes file for the x509 link certificate case of bug22460 2017-06-05 15:27:33 -04:00
Nick Mathewson
578a4392e9 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-05 12:02:26 -04:00
Nick Mathewson
d75be189df Merge branch 'maint-0.2.8' into maint-0.2.9 2017-06-05 12:02:15 -04:00
Nick Mathewson
33fcc0f61d Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-06-05 12:01:17 -04:00
Nick Mathewson
3f2d1f7f07 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-05 12:00:41 -04:00
Nick Mathewson
9ea3d0877a Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-05 12:00:27 -04:00
Nick Mathewson
1a540b5792 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-05 12:00:08 -04:00
Nick Mathewson
e3ebae4804 Fix undefined behavior in geoip_parse_entry().
Fixes bug 22490; bugfix on 6a241ff3ff in 0.2.4.6-alpha.

Found by teor using clang-5.0's AddressSanitizer stack-use-after-scope.
2017-06-05 10:09:39 -04:00
Nick Mathewson
41ed9e978b Regenerate RSA->ed25519 identity crosscertificate as needed 2017-06-01 10:04:52 -04:00
Nick Mathewson
34a6755b94 Fix ed25519 link certificate race on tls context rotation
Whenever we rotate our TLS context, we change our Ed25519
Signing->Link certificate.  But if we've already started a TLS
connection, then we've already sent the old X509 link certificate,
so the new Ed25519 Signing->Link certificate won't match it.

To fix this, we now store a copy of the Signing->Link certificate
when we initialize the handshake state, and send that certificate
as part of our CERTS cell.

Fixes one case of bug22460; bugfix on 0.3.0.1-alpha.
2017-06-01 09:26:24 -04:00
Nick Mathewson
a9be768959 Bugfix: Regenerate more certificates when appropriate
Previously we could sometimes change our signing key, but not
regenerate the certificates (signing->link and signing->auth) that
were signed with it.  Also, we would regularly replace our TLS x.509
link certificate (by rotating our TLS context) but not replace our
signing->link ed25519 certificate.  In both cases, the resulting
inconsistency would make other relays reject our link handshakes.

Fixes two cases of bug 22460; bugfix on 0.3.0.1-alpha.
2017-05-31 18:45:35 -04:00
David Goulet
5b33d95a3d hs: Correctly validate v3 descriptor encrypted length
The encrypted_data_length_is_valid() function wasn't validating correctly the
length of the encrypted data of a v3 descriptor. The side effect of this is
that an HSDir was rejecting the descriptor and ultimately not storing it.

Fixes #22447

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-30 10:27:42 -04:00
Roger Dingledine
83439e78cc Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-25 00:27:27 -04:00
teor
ec61ae59a5 Stop leaking keypin-rejected routerinfos on directory authorities
When directory authorities reject a router descriptor due to keypinning,
free the router descriptor rather than leaking the memory.

Fixes bug 22370; bugfix on 0.2.7.2-alpha.
2017-05-25 00:09:40 -04:00
George Kadianakis
6009c89165 Set guard state on bridge descriptor fetches.
We used to not set the guard state in launch_direct_bridge_descriptor_fetch().
So when a bridge descriptor fetch failed, the guard subsystem would never
learn about the fail (and hence the guard's reachability state would not
be updated).
2017-05-22 15:56:32 +03:00
Nick Mathewson
5c52d3c2c0 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-22 08:32:07 -04:00
Roger Dingledine
6e5486b11a dir auths reject 0.2.9.x for x<5, due to bug 20499
Directory authorities now reject relays running versions
0.2.9.1-alpha through 0.2.9.4-alpha, because those relays
suffer from bug 20499 and don't keep their consensus cache
up-to-date.

Resolves ticket 20509.
2017-05-22 08:31:39 -04:00
Nick Mathewson
935cd77f62 Merge branch 'bug22252_029' into maint-0.3.0 2017-05-18 10:06:06 -04:00
Nick Mathewson
2ba58f275c Fix crash when starting with LearnCircuitBuildTimeout 0.
Before we've set our options, we can neither call get_options() nor
networkstatus_get_latest_consensus().

Fixes bug 22252; bugfix on 4d9d2553ba
in 0.2.9.3-alpha.
2017-05-16 11:20:12 -04:00
Nick Mathewson
492f8a7c44 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-16 08:39:22 -04:00
Nick Mathewson
a7bcab2639 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-05-16 08:38:59 -04:00
teor
5b45d73293
Update fallback directory mirrors in May 2017
Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
December 2016 (of which ~126 were still functional), with a list of
151 fallbacks (32 new, 119 existing, 58 removed) generated in May 2017.

Resolves ticket 21564.
2017-05-16 19:02:42 +10:00
Nick Mathewson
3b8888c544 Initialize the HS cache at startup
Failure to do this caused an assertion failure with #22246 . This
assertion failure can be triggered remotely, so we're tracking it as
medium-severity TROVE-2017-002.
2017-05-15 13:49:29 -04:00
Nick Mathewson
a6514b8a20 Fix a logic error in hibernate.c
Closes bug 22245; bugfix on 0.0.9rc1, when bandwidth accounting was
first introduced.

Found by Andrey Karpov and reported at https://www.viva64.com/en/b/0507/
2017-05-15 11:43:18 -04:00
Nick Mathewson
4473271c66 Fix the TRPOXY typo in connection_edge.c
Also add a get_options() call so it compiles.

Fixes bug 18100; bugfix on 0.2.6.3-alpha. Patch from "d4fq0fQAgoJ".
2017-05-15 11:16:50 -04:00
Nick Mathewson
503f101d2b Enable some windows hardening features
One (HeapEnableTerminationOnCorruption) is on-by-default since win8;
the other (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) supposedly only
affects ATL, which (we think) we don't use.  Still, these are good
hygiene. Closes ticket 21953.
2017-05-11 16:39:02 -04:00
Nick Mathewson
a868b84599 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-10 16:27:15 -04:00
Nick Mathewson
8f5da804da Merge branch 'prop275_minimal_029' into maint-0.2.9 2017-05-10 16:26:45 -04:00
Nick Mathewson
ff7e8531ec Report common reasons for rejecting a relay before uncommon ones
"You're running 0.2.2; upgrade!" is more sensible than "You have no
ntor key!"

Closes ticket 20270; bugfix on 0.2.9.3-alpha.
2017-05-09 10:28:51 -04:00
Nick Mathewson
d792d2a14d Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-08 13:40:26 -04:00
Nick Mathewson
0df22e8f5f Merge branch 'bug21943_029' into maint-0.2.9 2017-05-08 13:40:14 -04:00
Nick Mathewson
1cdad9782d Add a changes file for 21943. 2017-05-08 13:39:59 -04:00
Nick Mathewson
f5876917aa Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-08 08:07:38 -04:00
Nick Mathewson
5ff0b519ec Merge branch 'maint-0.2.8' into maint-0.2.9 2017-05-08 08:07:32 -04:00
Nick Mathewson
dc34cd7a04 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-05-08 08:07:19 -04:00
Nick Mathewson
71dd1d716a Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-05-08 08:07:11 -04:00
Nick Mathewson
159ddf6dde Merge branch 'maint-0.2.5' into maint-0.2.6 2017-05-08 08:07:04 -04:00
Nick Mathewson
68d6720452 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-05-08 08:06:59 -04:00
Karsten Loesing
5207e41ffe Update geoip and geoip6 to the May 2 2017 database. 2017-05-08 10:09:42 +02:00
Nick Mathewson
ae374e0a56 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-04-24 09:20:26 -04:00
David Goulet
4a9f689430 control: Wrong check on base16_decode return value
The GETINFO extra-info/digest/<digest> broke in commit 568dc27a19 that
refactored the base16_decode() API to return the decoded length.
Unfortunately, that if() condition should have checked for the correct length
instead of an error which broke the command in tor-0.2.9.1-alpha.

Fixes #22034

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-24 09:20:13 -04:00
Nick Mathewson
f1613b53c5 Merge remote-tracking branch 'public/bug21894_029' into maint-0.3.0 2017-04-07 14:03:25 -04:00
Nick Mathewson
4812441d34 Never read off the end of a buffer in base32_encode()
When we "fixed" #18280 in 4e4a7d2b0c
in 0291 it appears that we introduced a bug: The base32_encode
function can read off the end of the input buffer, if the input
buffer size modulo 5 is not equal to 0 or 3.

This is not completely horrible, for two reasons:
   * The extra bits that are read are never actually used: so this
     is only a crash when asan is enabled, in the worst case.  Not a
     data leak.

   * The input sizes passed to base32_encode are only ever multiples
      of 5. They are all either DIGEST_LEN (20), REND_SERVICE_ID_LEN
      (10), sizeof(rand_bytes) in addressmap.c (10), or an input in
      crypto.c that is forced to a multiple of 5.

So this bug can't actually trigger in today's Tor.

Closes bug 21894; bugfix on 0.2.9.1-alpha.
2017-04-07 10:47:16 -04:00
Nick Mathewson
a5b50ef25b Merge branch 'maint-0.2.9' into maint-0.3.0 2017-04-06 08:32:04 -04:00
Nick Mathewson
7d7770f735 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-04-06 08:31:54 -04:00
Nick Mathewson
91c6b18ca0 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-04-06 08:31:32 -04:00
Nick Mathewson
44bc8821b1 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-04-06 08:31:23 -04:00
Nick Mathewson
21d776738c Merge branch 'maint-0.2.5' into maint-0.2.6 2017-04-06 08:31:18 -04:00
Nick Mathewson
a8a860e1da Merge branch 'maint-0.2.4' into maint-0.2.5 2017-04-06 08:31:12 -04:00
Karsten Loesing
9d7933296c Update geoip and geoip6 to the April 4 2017 database. 2017-04-06 10:52:39 +02:00
David Goulet
7519584347 hs: Expose hs_service.c functions for unit tests
In order to avoid src/or/hs_service.o to contain no symbols and thus making
clang throw a warning, the functions are now exposed not just to unit tests.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-04 09:41:14 -04:00
Nick Mathewson
a06c465333 Merge remote-tracking branch 'teor/bug21596_030' into maint-0.3.0 2017-04-03 09:28:33 -04:00
George Kadianakis
ef4c10fb42 Fix max sampled size logic when in bridge mode.
When calculating max sampled size, Tor would only count the number of
bridges in torrc, without considering that our state file might already
have sampled bridges in it. This caused problems when people swap
bridges, since the following error would trigger:

         [warn] Not expanding the guard sample any further; just hit the
                maximum sample threshold of 1
2017-03-27 15:39:26 +02:00
Nick Mathewson
4f6025498d Use update_approx_time() to run a test 100 days in the past.
Fixes bug21799.
2017-03-23 10:44:43 +01:00
Nick Mathewson
567a56ae2e Merge branch 'bug20059_024_v2' into maint-0.3.0 2017-03-15 11:07:38 -04:00
Nick Mathewson
ec5fe41209 Avoid a double-mark bug when makring a pending circuit as "too old"
Fixes bug 20059; bugfix on 0.1.0.1-rc.
2017-03-15 11:05:37 -04:00
Nick Mathewson
92813941b5 #21720: Update "directory server options" preamble in manpage 2017-03-14 11:25:54 -04:00
Nick Mathewson
e2cd600da6 Merge remote-tracking branch 'public/bug21682_030' into maint-0.3.0 2017-03-13 16:22:40 -04:00
Nick Mathewson
ded2c8c689 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-03-08 10:12:27 -05:00
Nick Mathewson
d642ceb8df Merge branch 'maint-0.2.8' into maint-0.2.9 2017-03-08 10:12:06 -05:00
Nick Mathewson
2cfecec9c7 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-03-08 10:11:23 -05:00
Nick Mathewson
25c28bc2d9 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-03-08 10:11:05 -05:00
Nick Mathewson
ecc73c3c03 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-03-08 10:10:44 -05:00
Nick Mathewson
933a1e7997 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-03-08 10:10:29 -05:00
Nick Mathewson
27058bd8cb Fix a memory leak in config_get_assigned_option()
This was introducd in 4d83999213 in 0.3.0.3-alpha.  This is bug
21682.
2017-03-08 10:06:48 -05:00
Karsten Loesing
4488c319dd Update geoip and geoip6 to the March 7 2017 database. 2017-03-08 09:41:35 +01:00
Nick Mathewson
552bc39c32 Merge branch 'bug21594_030_squashed' into maint-0.3.0 2017-03-07 08:05:16 -05:00
teor
93ede051c2 Remove delay in hidden service introduction point checks
Make hidden services with 8 to 10 introduction points check for failed
circuits immediately after startup. Previously, they would wait for 5
minutes before performing their first checks.

Fixes bug 21594; bugfix on commit 190aac0eab in Tor 0.2.3.9-alpha.
Reported by alecmuffett.
2017-03-07 08:04:57 -05:00
Nick Mathewson
85cf6dcba3 Stop declining to download microdescs with future published times.
This change is the only one necessary to allow future versions of
the microdescriptor consensus to replace every 'published' date with
e.g. 2038-01-01 00:00:00; this will save 50-75% in compressed
microdescriptor diff size, which is quite significant.

This commit is a minimal change for 0.2.9; future series will
reduce the use of the 'published' date even more.

Implements part of ticket 21642; implements part of proposal 275.
2017-03-06 15:37:01 -05:00
Nick Mathewson
333d5d0f2a Merge remote-tracking branch 'teor/bug21576_029_v2' into maint-0.3.0 2017-03-04 20:23:38 -05:00
teor
e0486c9371
Make hidden services always check for failed intro point connections
Previously, they would stop checking when they exceeded their intro point
creation limit.

Fixes bug 21596; bugfix on commit d67bf8b2f2 in Tor 0.2.7.2-alpha.
Reported by alecmuffett.
2017-03-02 15:34:45 +11:00
teor
4b5cdb2c30
Fix a crash when a connection tries to open just after it has been unlinked
Fixes bug 21576; bugfix on Tor 0.2.9.3-alpha.
Reported by alecmuffett.
2017-03-02 11:10:30 +11:00
George Kadianakis
18a98206ed Improve descriptor checks in the new guard algorithm.
- Make sure we check at least two guards for descriptor before making
  circuits. We typically use the first primary guard for circuits, but
  it can also happen that we use the second primary guard (e.g. if we
  pick our first primary guard as an exit), so we should make sure we
  have descriptors for both of them.

- Remove BUG() from the guard_has_descriptor() check since we now know
  that this can happen in rare but legitimate situations as well, and we
  should just move to the next guard in that case.
2017-03-01 08:46:53 -05:00
teor
004ec8dc58
Restore support for test-network.sh on BSD and other systems without bash
(But use bash if it's available.)
This is a workaround until we remove bash-specific code in 19699.

Fixes bug 21581; bugfix on 21562, not in any released version of tor.
2017-03-01 11:40:54 +11:00
Nick Mathewson
3a60214f32 Merge remote-tracking branch 'public/bug21007_case2_030' into maint-0.3.0 2017-02-28 08:28:46 -05:00
Nick Mathewson
16f337e763 Merge branch 'bug21027_v2_squashed' into maint-0.3.0 2017-02-28 08:16:43 -05:00
Nick Mathewson
1582adabbb Change approach to preventing duplicate guards.
Previously I'd made a bad assumption in the implementation of
prop271 in 0.3.0.1-alpha: I'd assumed that there couldn't be two
guards with the same identity.  That's true for non-bridges, but in
the bridge case, we allow two bridges to have the same ID if they
have different addr:port combinations -- in order to have the same
bridge ID running multiple PTs.

Fortunately, this assumption wasn't deeply ingrained: we stop
enforcing the "one guard per ID" rule in the bridge case, and
instead enforce "one guard per <id,addr,port>".

We also needed to tweak our implementation of
get_bridge_info_for_guard, since it made the same incorrect
assumption.

Fixes bug 21027; bugfix on 0.3.0.1-alpha.
2017-02-28 08:16:33 -05:00