Commit Graph

13609 Commits

Author SHA1 Message Date
Nick Mathewson
facecce176 Fix tests when building out-of-tree
(This was too hard. Silly autoconf.)
2014-07-16 21:07:22 +02:00
Nick Mathewson
b408125288 Merge remote-tracking branch 'andrea/bug11302' 2014-07-16 16:58:41 +02:00
Nick Mathewson
5690284559 Fix wide lines, make entry_is_live() non-inline 2014-07-16 16:52:16 +02:00
Nick Mathewson
368ff2291b Merge remote-tracking branch 'asn/bug12202' 2014-07-16 16:49:07 +02:00
Nick Mathewson
f74a932e0b Merge remote-tracking branch 'sysrqb/bug12573' 2014-07-16 15:38:10 +02:00
Nick Mathewson
d8705ec720 Merge remote-tracking branch 'asn/bug12207_second_draft' 2014-07-16 15:33:00 +02:00
Nick Mathewson
8c7fbdf3af fix a c99-ism 2014-07-16 15:30:14 +02:00
Nick Mathewson
867f5e6a76 Add a tor_ftruncate to replace ftruncate.
(Windows doesn't have ftruncate, and some ftruncates do not move the
file pointer to the start of the file.)
2014-07-16 13:58:55 +02:00
Arlo Breault
15e170e01b Add an option to overwrite logs
* Issue #5583
2014-07-16 12:16:49 +02:00
Nick Mathewson
3f683aadcd When making a tempdir for windows unit tests, avoid an extra backslash
The extra \ is harmless, but mildly unpleasant.

Fixes 12392; bugfix on 0.2.2.25-alpha where we started using
GetTempDir().  Based on a patch by Gisle Vanem.
2014-07-16 11:39:03 +02:00
Nick Mathewson
4da4c4c63f Apply GeoIPExcludeUnknown before checking transitions
Otherwise, it always seems as though our Exclude* options have
changed, since we're comparing modified to unmodified values.

Patch from qwerty1. Fixes bug 9801. Bugfix on 0.2.4.10-alpha, where
GeoIPExcludeUnknown was introduced.
2014-07-16 11:14:59 +02:00
Nick Mathewson
7591ce64fb Merge remote-tracking branch 'origin/maint-0.2.5' 2014-07-16 11:01:20 +02:00
Anthony G. Basile
d504a4e36f src/or/connection.c: expose bucket_millis_empty for bufferevents test
Currently tor fails to build its test when enabled with bufferevents
because an #ifndef USE_BUFFEREVENTS hides bucket_millis_empty() and
friends.  This is fine if we don't run tests, but if we do, we need
these functions in src/or/libtor-testing.a when linking src/test/test.

This patch moves the functions outside the #ifndef and exposes them.

See downstream bug:

	https://bugs.gentoo.org/show_bug.cgi?id=510124
2014-07-16 10:37:00 +02:00
Nick Mathewson
5d2045ee8b diagnostic for 12184: Add a call to channel_dump_statistics 2014-07-16 10:34:39 +02:00
Nick Mathewson
32495ee309 Add another 8387 diagnostic
When we run into bug 8387 (if we run into it again), report when we
last called circuit_expire_old_circuits_clientside().  This will let
us know -- if my fix for 8387 doesn't work -- whether my diagnosis
was at least correct.

Suggested by Andrea.
2014-07-16 10:05:00 +02:00
Nick Mathewson
856114ab1c Merge remote-tracking branch 'public/bug8387_024' into maint-0.2.5 2014-07-16 10:01:56 +02:00
cypherpunks
6150741791 Fixed fgets_eagain unit test.
On a non-blocking pipe fgets sets EAGAIN when it encounters partial lines. No
error is set on full lines or EOF. EOF is reached when the writing end of the
pipe is closed. Partial lines and full lines are both returned by fgets, EOF
results in NULL.

Mention of this behaviour can be found in #1903 and #2045.
2014-07-16 09:50:09 +02:00
Nick Mathewson
391861311c Small tweaks to make curve25519-donna32 compile with our warnings 2014-07-15 15:43:40 +02:00
Nick Mathewson
8cc0860592 Update to latest curve25519-donna32 2014-07-15 15:42:20 +02:00
Nick Mathewson
ed3d7892c7 Fix a bug where streams would linger forever when we had no dirinfo
fixes bug 8387; fix on 0.1.1.11-alpha (code), or on 0.2.4.10-alpha (behavior).
2014-07-09 16:15:05 -04:00
George Kadianakis
b74442db94 Change interface of router_descriptor_is_too_old(). 2014-07-09 19:20:41 +03:00
Nick Mathewson
35791f4238 Remove executable bit from control.c, router.c
Fix for 12512.
2014-07-09 08:54:08 -04:00
Matthew Finkel
43bba9541a Only active relays should be given HSDir
We should only assign a relay the HSDir flag if it is currently
considered valid. We can accomplish this by only considering active
relays, and as a consequence of this we also exclude relays that are
currently hibernating. Fixes #12573
2014-07-09 00:48:00 +00:00
George Kadianakis
8bbb217964 Change the interface of entry_is_live() to take a bitmap. 2014-06-25 15:44:36 -04:00
George Kadianakis
46d41e6e9b Basic entry_is_live() unittest. 2014-06-25 15:39:00 -04:00
George Kadianakis
a8fcdbf4a0 Add the entrynodes.c unit tests. 2014-06-24 14:22:52 -04:00
George Kadianakis
4245662b28 Functionify the descriptor age check so that we can NOP it in tests. 2014-06-24 14:19:07 -04:00
Arlo Breault
48d7fceee5 Update a comment and undef an identifier
* Trac #11452
2014-06-23 20:28:34 -04:00
Nick Mathewson
58f4200789 Thread support is now required
Long ago we supported systems where there was no support for
threads, or where the threading library was broken. We shouldn't
have do that any more: on every OS that matters, threads exist, and
the OS supports running threads across multiple CPUs.

This resolves tickets 9495 and 12439.  It's a prerequisite to making
our workqueue code work better, since sensible workqueue
implementations don't split across multiple processes.
2014-06-20 10:20:10 -04:00
Nick Mathewson
5b4ee475aa Remove code for Windows CE support
As far as I know, nobody has used this in ages.  It would be a
pretty big surprise if it had worked.

Closes ticket 11446.
2014-06-20 09:49:36 -04:00
Nick Mathewson
456184c2a0 Authorities also advertise caches-extra-info
(Whoops, thought I had committed this before)

Improvement to 11683 fix. Based on patch from Karsten.
2014-06-20 09:02:24 -04:00
Nick Mathewson
922be84ca3 Merge remote-tracking branch 'karsten/bug11683' 2014-06-19 10:42:19 -04:00
Nick Mathewson
c6e1080211 Bump version in master to 0.2.6.0-alpha-dev 2014-06-18 15:18:26 -04:00
Nick Mathewson
3487d26de3 Bump version to Tor 0.2.5.5-alpha-dev 2014-06-18 15:01:45 -04:00
Nick Mathewson
9329c3828d bump version to 0.2.5.5-alpha. Not released yet. 2014-06-16 15:32:35 -04:00
Nick Mathewson
dd362b52f3 whitespace fixes 2014-06-16 15:18:02 -04:00
George Kadianakis
727ed5448a Add some test descriptors to src/test/. 2014-06-15 19:03:38 -07:00
George Kadianakis
61629b4f6c Document choose_random_entry_impl() and populate_live_entry_guards(). 2014-06-15 19:03:38 -07:00
George Kadianakis
bf263a9b99 Make a few entrynodes.c functions testable. 2014-06-15 19:02:59 -07:00
George Kadianakis
71da44f159 Make populate_live_entry_guards() more smoothly testable. 2014-06-15 19:02:59 -07:00
George Kadianakis
c7b05a6aef Constify aggressively in populate_live_entry_guards(). 2014-06-15 19:02:59 -07:00
George Kadianakis
a59429f1e4 Fix the functionality of populate_live_entry_guards(). 2014-06-15 19:02:55 -07:00
George Kadianakis
427cc8a452 Move code from choose_random_entry_impl() to the new function.
This commit only _moves_ code.
2014-06-15 18:25:45 -07:00
George Kadianakis
e8c366e9ea Create skeleton for populate_live_entry_guards().
Now we are ready to move code from choose_random_entry_impl() to it.
2014-06-15 18:25:45 -07:00
George Kadianakis
f75c6ce981 choose_random_entry_impl(): Remove useless consider_exit_family.
The variable was useless since it was only toggled off in disabled code.

If the 'exit_family' smartlist is empty, we don't consider exit family
anyway.
2014-06-15 18:25:45 -07:00
George Kadianakis
115b3e7645 Remove a piece of disabled code in choose_random_entry_impl(). 2014-06-15 18:25:45 -07:00
Nick Mathewson
9b10d7a7dd Add ATTR_UNUSED to HT_FIND
The fix for bug 8746 added a hashtable instance that never actually
invoked HT_FIND.  This caused a warning, since we didn't mark HT_FIND
as okay-not-to-use.
2014-06-14 11:46:54 -04:00
Nick Mathewson
a7cafb1ea9 Merge branch 'bug8746_v2_squashed'
Conflicts:
	src/common/include.am
2014-06-14 11:46:38 -04:00
Nick Mathewson
a5c092b34b refactor win/nix handling for test_spawn_background*()
Instead of having a #if ... for every function, just define
TEST_CHILD to the right patch and EOL to the expected line terminator.
2014-06-14 11:40:28 -04:00
Nick Mathewson
e3833193af More unit tests for process spawning
Try killing a running process; try noticing that a process has
exited without checking its output; verify that waitpid_cb (when
present) is set to NULL when you would expect it to be.
2014-06-14 11:40:27 -04:00
Nick Mathewson
e2e588175e New testing-only tor_sleep_msec function
In the unit tests I want to loop with a delay, but I want less than
a 1 second delay.  This, sadly, requires compatibility code.
2014-06-14 11:40:27 -04:00
Nick Mathewson
34f8723dc7 On Windows, terminate processes by handle, not pid
When we create a process yourself with CreateProcess, we get a
handle to the process in the PROCESS_INFO output structure.  But
instead of using that handle, we were manually looking up a _new_
handle based on the process ID, which is a poor idea, since the
process ID might refer to a new process later on, but the handle
can't.
2014-06-14 11:40:27 -04:00
Nick Mathewson
f8344c2d28 Use waitpid code to learn when a controlled process dies
This lets us avoid sending SIGTERM to something that has already
died, since we realize it has already died, and is a fix for the
unix version of #8746.
2014-06-14 11:40:27 -04:00
Nick Mathewson
4ed03965a5 New waitpid-handler functions to run callbacks when a child exits.
Also, move 'procmon' into libor_event library, since it uses libevent.
2014-06-14 11:40:27 -04:00
Nick Mathewson
a58d94fb7c Merge branch 'bug12184_diagnostic_squashed' 2014-06-14 11:01:04 -04:00
Nick Mathewson
8f3e3279c1 Try to diagnose bug 12184
Check for consistency between the queued destroy cells and the marked
circuit IDs.  Check for consistency in the count of queued destroy
cells in several ways.  Check to see whether any of the marked circuit
IDs have somehow been marked longer than the channel has existed.
2014-06-14 11:00:44 -04:00
Nick Mathewson
cfca2a6037 Merge branch 'bug12191_squashed' 2014-06-13 08:40:59 -04:00
Nick Mathewson
f9f450d688 Also raise the check for 0 circuit ID in created cell.
And add a comment about why conditions that would cause us to drop a
cell should get checked before actions that would cause us to send a
destroy cell.

Spotted by 'cypherpunks'.

And note that these issues have been present since 0.0.8pre1 (commit
0da256ef), where we added a "shutting down" state, and started
responding to all create cells with DESTROY when shutting down.
2014-06-13 08:39:39 -04:00
Nick Mathewson
bbb1ffe535 sandbox: Permit stat() of DataDir/stats
This is a fix for another case of 12064 that alphawolf just spotted.

There's already an 0.2.5.5 changelog entry for this.
2014-06-13 08:36:43 -04:00
Nick Mathewson
02dafc270c whitespaces fixes 2014-06-11 12:00:14 -04:00
Nick Mathewson
3a2e25969f Merge remote-tracking branch 'public/ticket6799_024_v2_squashed'
Conflicts:
	src/or/channel.c
	src/or/circuitlist.c
	src/or/connection.c

Conflicts involved removal of next_circ_id and addition of
unusable-circid tracking.
2014-06-11 11:57:56 -04:00
Nick Mathewson
7f3563058d Fix a 32-big conversion warning in 11970 fix 2014-06-11 11:29:44 -04:00
Nick Mathewson
6557e61295 Replace last_added_nonpadding with last_had_circuits
The point of the "idle timeout" for connections is to kill the
connection a while after it has no more circuits.  But using "last
added a non-padding cell" as a proxy for that is wrong, since if the
last circuit is closed from the other side of the connection, we
will not have sent anything on that connection since well before the
last circuit closed.

This is part of fixing 6799.

When applied to 0.2.5, it is also a fix for 12023.
2014-06-11 11:27:04 -04:00
Nick Mathewson
463f6628d3 Give each or_connection_t a slightly randomized idle_timeout
Instead of killing an or_connection_t that has had no circuits for
the last 3 minutes, give every or_connection_t a randomized timeout,
so that an observer can't so easily infer from the connection close
time the time at which its last circuit closed.

Also, increase the base timeout for canonical connections from 3
minutes to 15 minutes.

Fix for ticket 6799.
2014-06-11 11:27:04 -04:00
Nick Mathewson
6f20dd7bfc Merge remote-tracking branch 'public/bug11970' 2014-06-11 11:01:52 -04:00
Nick Mathewson
b883b8d1a5 Yield a real error in the bug case of sandbox_getaddrinfo() 2014-06-11 11:00:56 -04:00
Nick Mathewson
e8dd34f165 Merge remote-tracking branch 'public/not_bug8093' 2014-06-11 09:24:16 -04:00
Nick Mathewson
a5036d20ce Merge remote-tracking branch 'public/more_bug8387_diagnosis' 2014-06-11 09:22:46 -04:00
Nick Mathewson
af53e4bd1c Move circuit-id-in-use check for CREATE cells to before all other checks
This means that we never send a DESTROY cell in response to an attempt
to CREATE an existing circuit.  Fixes bug 12191.
2014-06-10 22:41:13 -04:00
Nick Mathewson
173a1afc58 Merge remote-tracking branch 'origin/maint-0.2.4' 2014-06-10 21:09:27 -04:00
Nick Mathewson
3bc28c4c04 Merge remote-tracking branch 'karsten/geoip6-jun2014' into maint-0.2.4 2014-06-10 21:08:12 -04:00
Nick Mathewson
ab774a8500 Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4 2014-06-10 21:07:57 -04:00
Karsten Loesing
555c43cd03 Update geoip to the June 4 2014 database. 2014-06-10 21:33:52 +02:00
Karsten Loesing
40579cb6a5 Update geoip6 to the June 4 2014 database. 2014-06-10 21:32:24 +02:00
Nick Mathewson
562299d57b Improved diagnostic log for bug 8387.
When we find a stranded one-hop circuit, log whether it is dirty,
log information about any streams on it, and log information about
connections they might be linked to.
2014-06-10 12:04:06 -04:00
Nick Mathewson
55c7a559df Merge remote-tracking branch 'public/bug12227_024' 2014-06-10 11:17:39 -04:00
Nick Mathewson
cca6198c77 Avoid illegal read off end of an array in prune_v2_cipher_list
This function is supposed to construct a list of all the ciphers in
the "v2 link protocol cipher list" that are supported by Tor's
openssl.  It does this by invoking ssl23_get_cipher_by_char on each
two-byte ciphersuite ID to see which ones give a match.  But when
ssl23_get_cipher_by_char cannot find a match for a two-byte SSL3/TLS
ciphersuite ID, it checks to see whether it has a match for a
three-byte SSL2 ciphersuite ID.  This was causing a read off the end
of the 'cipherid' array.

This was probably harmless in practice, but we shouldn't be having
any uninitialized reads.

(Using ssl23_get_cipher_by_char in this way is a kludge, but then
again the entire existence of the v2 link protocol is kind of a
kludge.  Once Tor 0.2.2 clients are all gone, we can drop this code
entirely.)

Found by starlight. Fix on 0.2.4.8-alpha. Fixes bug 12227.
2014-06-10 11:11:47 -04:00
Nick Mathewson
307aa7eb43 Spell getrlimit correctly.
Fixes bug in b0c1c700114aa8d4dfc180d85870c5bbe15fcacb; bug
12229. Bugfix not in any released Tor.  Patch from "alphawolf".
2014-06-08 22:33:38 -04:00
Nick Mathewson
95d47a7481 Merge remote-tracking branch 'public/bug12169_relay_check' 2014-06-04 15:30:43 -04:00
Nick Mathewson
0073c5b517 Merge remote-tracking branch 'andrea/bug10616' 2014-06-04 15:12:45 -04:00
Nick Mathewson
b16321425f Bulletproof our 11246 fix a little, based on recommendation from andrea. 2014-06-04 12:27:42 -04:00
Nick Mathewson
e74c360156 Merge remote-tracking branch 'public/bug12195' 2014-06-04 12:16:03 -04:00
Nick Mathewson
84ed086d48 Fix ancient code that only checked circ_id, not circ_id and chan
This code mis-handled the case where a circuit got the same circuit
ID in both directions.  I found three instances of it in the
codebase, by grepping for [pn]_circ_id.

Because of the issue in command_process_relay_cell(), this would
have made roughly one circuit in a million completely nonfunctional.

Fixes bug 12195.
2014-06-03 18:19:08 -04:00
Andrea Shepard
2de0281879 Squelch spurious LD_BUG message in connection_ap_handshake_socks_reply() 2014-06-03 14:37:49 -07:00
Nick Mathewson
dd0745d066 Don't try to fetch bridge descriptors when DisableNetwork is set
Patch from Roger; changes file by me.

Fixes 10405; bugfix on 0.2.3.9-alpha, where DisableNetwork was
introduced.
2014-06-02 02:17:28 -04:00
Nick Mathewson
723894f114 Merge remote-tracking branch 'public/bug12170_024_v2' 2014-06-02 00:47:51 -04:00
Nick Mathewson
ad8977e394 Avoid needless router_dir_info_has_changed from router_set_status
On some profiles of Andrea's from #11332, I found that a great deal
of time can still be attributed to functions called from
update_router_have_minimum_dir_info().  This is making our
digestmap, tor_memeq, and siphash functions take a much bigger
portion of runtime than they really should.

If we're calling update_router_have_minimum_dir_info() too often,
that's because we're calling router_dir_info_changed() too often.
And it looks like most of the callers of router_dir_info_changed()
are coming as tail-calls from router_set_status() as invoked by
channel_do_open_actions().

But we don't need to call router_dir_info_changed() so much!  (I'm
not quite sure we need to call it from here at all, but...) Surely
we don't need to call it from router_set_status when the router's
status has not actually changed.

This patch makes us call router_dir_info_changed() from
router_set_status only when we are changing the router's status.

Fix for bug 12170.  This is leftover from our fix back in 273ee3e81
in 0.1.2.1-alpha, where we started caching the value of
update_router_have_minimum_dir_info().
2014-06-02 00:45:15 -04:00
Nick Mathewson
d9564d5285 Use uint32 !=, not tor_memneq, for relay cell integrity checking
tor_memeq has started to show up on profiles, and this is one of the
most frequent callers of that function, appearing as it does on every
cell handled for entry or exit.

59f9097d5c introduced tor_memneq here;
it went into Tor 0.2.1.31.  Fixes part of 12169.
2014-06-01 14:05:10 -04:00
Nick Mathewson
a6688f9cbb sandbox: allow enough setsockopt to make ConstrainedSockets work
fixes bug 12139; bugfix on 0.2.5.1-alpha
2014-05-29 11:04:32 -04:00
Nick Mathewson
a056ffabbb sandbox: permit listen(2)
Fix for 12115; bugfix on 0.2.5.1-alpha
2014-05-27 19:28:12 -04:00
Nick Mathewson
14842de9a7 sandbox: Allow DirPortFrontPage unconditionally if it's set
fixes 12114; bug not in any release.

Improves fix for 12028
2014-05-27 19:21:11 -04:00
Nick Mathewson
f0945ac270 Log the errno value if seccomp_load() fails.
(This is how I found out I was trying to test with a kernel too old
for seccomp. I think.)
2014-05-27 17:34:52 -04:00
Nick Mathewson
b0c1c70011 Make sandbox.c compile on arm
This is a minimal set of changes for compilation; I need a more
recent kernel to test this stuff.
2014-05-27 17:34:52 -04:00
Nick Mathewson
824bebd409 sandbox: Correct fix for hs part of 12064
Bugfix on cfd0ee514c279bc6c7b; bug not in any released version of tor
2014-05-23 11:46:44 -04:00
Nick Mathewson
5de91d118d Merge branch 'bug11965_v2' 2014-05-23 11:23:00 -04:00
Nick Mathewson
802c063148 Postpone fetches based on should_delay_dir_fetch(), not DisableNetwork
Without this fix, when running with bridges, we would try fetching
directory info far too early, and have up to a 60 second delay if we
started with bridge descriptors available.

Fixes bug 11965. Fix on 0.2.3.6-alpha, arma thinks.
2014-05-23 11:22:35 -04:00
Nick Mathewson
cfd0ee514c sandbox: allow reading of hidden service configuration files.
fixes part of 12064
2014-05-22 20:39:10 -04:00
Nick Mathewson
85f49abfbe sandbox: refactor string-based option-unchanged tests to use a macro
There was too much code duplication in doing it the old way, and I
nearly made a copy-and-paste error in the last commit.
2014-05-22 20:00:22 -04:00
Nick Mathewson
ffc1fde01f sandbox: allow access to cookie files, approved-routers
fixes part of 12064
2014-05-22 19:56:56 -04:00
Michael Wolf
387f294d40 sandbox: allow access to various stats/*-stats files
Fix for 12064 part 1
2014-05-22 19:48:24 -04:00
Nick Mathewson
e425fc7804 sandbox: revamp sandbox_getaddrinfo cacheing
The old cache had problems:
     * It needed to be manually preloaded. (It didn't remember any
       address you didn't tell it to remember)
     * It was AF_INET only.
     * It looked at its cache even if the sandbox wasn't turned on.
     * It couldn't remember errors.
     * It had some memory management problems. (You can't use memcpy
       to copy an addrinfo safely; it has pointers in.)

This patch fixes those issues, and moves to a hash table.

Fixes bug 11970; bugfix on 0.2.5.1-alpha.
2014-05-22 17:39:36 -04:00
Nick Mathewson
1a73e17801 Merge remote-tracking branch 'andrea/bug11476' 2014-05-22 16:27:29 -04:00
Andrea Shepard
170e0df741 Eliminate #ifdef ENABLE_MEMPOOLS in packed_cell_new/free() 2014-05-21 10:53:25 -07:00
Yawning Angel
60ac9f1c90 Improve the log message when a transport doesn't support proxies.
Per feedback, explicltly note that the transport will be killed when it
does not acknowledge the configured outgoing proxy.
2014-05-21 08:14:39 +00:00
Yawning Angel
1210bdf146 Log the correct proxy type on failure.
get_proxy_addrport fills in proxy_type with the correct value, so there
is no point in logging something that's a "best guess" based off the
config.
2014-05-21 08:14:39 +00:00
Yawning Angel
cd56b1a86e Remove get_bridge_pt_addrport().
The code was not disambiguating ClientTransportPlugin configured and
not used, and ClientTransportPlugin configured, but in a failed state.

The right thing to do is to undo moving the get_transport_by_addrport()
call back into get_proxy_addrport(), and remove and explicit check for
using a Bridge since by the time the check is made, if a Bridge is
being used, it is PT/proxy-less.
2014-05-21 08:14:39 +00:00
Yawning Angel
7a18ac7454 Fixed the test build with --enable-gcc-warnings 2014-05-21 08:14:38 +00:00
Yawning Angel
41d2b4d3af Allow ClientTransportPlugins to use proxies
This change allows using Socks4Proxy, Socks5Proxy and HTTPSProxy with
ClientTransportPlugins via the TOR_PT_PROXY extension to the
pluggable transport specification.

This fixes bug #8402.
2014-05-21 08:14:38 +00:00
Nick Mathewson
fef65fa643 sandbox: permit gettid, sched_getaffinity
These are needed under some circumstances if we are running with
expensive-hardening and sandbox at the same time.

fixes 11477, bugfix on 0.2.5.4-alpha (where we introduced
expensive-hardening)
2014-05-20 15:49:01 -04:00
Nick Mathewson
2609b939d6 fix a wide line 2014-05-20 15:22:27 -04:00
Nick Mathewson
c21377e7bc sandbox: support logfile rotation
Fixes bug 12032; bugfix on 0.2.5.1-alpha
2014-05-20 15:21:48 -04:00
Nick Mathewson
268a117cdf sandbox: tolerate reloading with DirPortFrontPage set
Also, don't tolerate changing DirPortFrontPage.

Fixes bug 12028; bugfix on 0.2.5.1-alpha.
2014-05-20 14:58:28 -04:00
Nick Mathewson
465982012c sandbox: Disallow options which would make us call exec()
None of the things we might exec() can possibly run under the
sanbox, so rather than crash later, we have to refuse to accept the
configuration nice and early.

The longer-term solution is to have an exec() helper, but wow is
that risky.

fixes 12043; bugfix on 0.2.5.1-alpha
2014-05-20 12:21:31 -04:00
Nick Mathewson
f87071f49e sandbox: Permit access to stats/dirreq-stats
This prevents a crash when rotating logs with dirreq-stats enabled

fixes 12035; bugfix on 0.2.5.1-alpha.
2014-05-20 12:06:08 -04:00
Nick Mathewson
0b2b5b7606 Oops; permit rename with the correct filename 2014-05-20 12:03:27 -04:00
Nick Mathewson
ace9063fb4 Fix a sentence that I never 2014-05-20 11:58:18 -04:00
Nick Mathewson
f6d3006363 Sandbox: allow access to stats/bridge-stats
Fix for 12041; bugfix on 0.2.5.1-alpha.
2014-05-20 11:57:29 -04:00
Roger Dingledine
767b18ea8e note a comment that nickm didn't finish 2014-05-17 00:02:41 -04:00
Nick Mathewson
8d9602c21c Bump maint-0.2.4 version to 0.2.4.22-dev
(See discussion on #9553)
2014-05-16 09:16:54 -04:00
Nick Mathewson
2d21a8f4d6 Merge remote-tracking branch 'public/bug11469_024' 2014-05-15 13:35:08 -04:00
Nick Mathewson
081ff5fa83 whitespace fix, more 2014-05-14 22:55:02 -04:00
Nick Mathewson
a6eea86a2c Merge branch 'bug11946' 2014-05-14 22:51:51 -04:00
Nick Mathewson
a88923e455 whitespace fix 2014-05-14 22:50:25 -04:00
Nick Mathewson
f694a443fc Improved comments on bug11946 fix 2014-05-14 22:49:38 -04:00
Nick Mathewson
1badef5cec Use DirPort for uploading descriptors.
When we converted the horrible set of options that previously
controlled "use ORPort or DirPort? Anonymously or Non-anonymouly?" to
a single 'indirection' argument, we missed
directory_post_to_dirservers.

The problematic code was introduced in 5cbeb6080, which went into
0.2.4.3-alpha.  This is a fix for bug 11469.
2014-05-14 21:49:57 -04:00
Nick Mathewson
79c875ecdc Would-be fix for bug 7733: learn bridge ID from descriptor
If somebody has configured a client to use a bridge without setting
an identity digest (not recommended), learn the identity digest from
whatever bridge descriptor we have downloaded or have in our cache.
2014-05-14 14:34:01 -04:00
Nick Mathewson
9b4ac986cb Use tor_getpw{nam,uid} wrappers to fix bug 11946
When running with User set, we frequently try to look up our
information in the user database (e.g., /etc/passwd).  The seccomp2
sandbox setup doesn't let us open /etc/passwd, and probably
shouldn't.

To fix this, we have a pair of wrappers for getpwnam and getpwuid.
When a real call to getpwnam or getpwuid fails, they fall back to a
cached value, if the uid/gid matches.

(Granting access to /etc/passwd isn't possible with the way we
handle opening files through the sandbox.  It's not desirable either.)
2014-05-14 13:53:14 -04:00
Nick Mathewson
e12af2adb0 Add a pair of wrapper functions: tor_getpwnam() and tor_getpwuid()
We'll use these to deal with being unable to access the user DB
after we install the sandbox, to fix bug 11946.
2014-05-14 13:50:43 -04:00
Andrea Shepard
39d4e67be8 Add --disable-mempools configure option 2014-05-12 18:23:34 -07:00
Nick Mathewson
585582fc8c Merge branch 'bug9781_v2' 2014-05-12 13:35:22 -04:00
Nick Mathewson
b5e142cb1b Log an error reply from tor-fw-helper correctly.
Fix for bug 9781; bugfix on cd05f35d2c in 0.2.4.2-alpha.
2014-05-12 13:35:01 -04:00
Gisle Vanem
c7ab8587c9 Fix compilation of test_status.c with MSVC 2014-05-12 00:34:23 -04:00
Nick Mathewson
6267d4f97a fix whitespace 2014-05-11 23:40:48 -04:00
dana koch
d6e6c63baf Quench clang's complaints with -Wshorten-64-to-32 when time_t is not long.
On OpenBSD 5.4, time_t is a 32-bit integer. These instances contain
implicit treatment of long and time_t as comparable types, so explicitly
cast to time_t.
2014-05-11 23:36:00 -04:00
Nick Mathewson
de2010e9c2 One more 64->32 2014-05-08 14:10:30 -04:00
Nick Mathewson
28538069b2 Fix numerous 64->32 errors in the unit tests
Before the 11825 fix, these were all silently ignored.
2014-05-08 14:01:17 -04:00
Nick Mathewson
df68478938 Fix unearthed problems in unit tests 2014-05-08 13:16:08 -04:00
Nick Mathewson
5bb6172367 Fix numerous type errors in the unit tests
Remove tinytest casts that were suppressing them.

Fix for #11825.
2014-05-08 13:08:13 -04:00
Nick Mathewson
1f11be2170 Fix test_util_max_mem on 32-bit CPUs 2014-05-08 12:48:41 -04:00
Nick Mathewson
891d239e01 More unit tests for #11648-related stuff
These are actually tests for #311.  It appears to me that we didn't
fix #311 properly when we thought we did in 475eb5d6; instead, the
real fix was 05eff35ac6, a few minutes earlier.
2014-05-08 12:41:01 -04:00
Nick Mathewson
4eb3018f94 Move structures into (private) part of buffers.h so we can inspect them while testing 2014-05-08 12:40:40 -04:00
Nick Mathewson
5b861ae53f Merge remote-tracking branch 'public/bug11648' 2014-05-08 12:01:23 -04:00
Nick Mathewson
a32d7e1910 Return success when get_total_system_memory() succeeds.
Fixes bug 11805; bugfix on 0.2.5.4-alpha.
2014-05-08 00:32:22 -04:00
Nick Mathewson
411c622906 Merge commit 'bb9b4c37f8e7f5cf78918f382e90d8b11ff42551' into maint-0.2.4 2014-05-07 23:11:32 -04:00
Nick Mathewson
0ad8133a7e Merge remote-tracking branch 'public/ticket11528_024' into maint-0.2.4 2014-05-07 23:04:59 -04:00
Nick Mathewson
882893c8c3 Merge remote-tracking branch 'public/bug11513_024' into maint-0.2.4 2014-05-07 23:04:48 -04:00
Nick Mathewson
894c8b2266 Merge remote-tracking branch 'public/update_ciphers_ff28' into maint-0.2.4 2014-05-07 23:04:22 -04:00
Nick Mathewson
683b80bf81 Merge remote-tracking branch 'public/bug11737_diagnostic' 2014-05-07 22:52:44 -04:00
Nick Mathewson
0de2625675 Merge remote-tracking branch 'public/bug8387_diagnostic' 2014-05-07 22:15:24 -04:00
Nick Mathewson
48b9c6fcc6 Better log message for 8387 diagnostic 2014-05-07 22:13:29 -04:00
Nick Mathewson
8ecfcf712c Synchronize less frequently when compressing descriptors
This may improve our compression ratios.

fix for 11787
2014-05-07 10:27:52 -04:00
Nick Mathewson
6d39c8d156 Always finalize a zlib stream of server descriptors.
Possible fix for bug 11648.
2014-05-07 10:23:08 -04:00
Nick Mathewson
8a2e66b623 Fix test_pick_circid on 32-bit platforms 2014-05-07 03:27:49 -04:00
Nick Mathewson
499e77663e Basic tests for get_unique_circ_id_by_chan. 2014-05-07 02:57:50 -04:00
Nick Mathewson
e198faa633 Quick-and-dirty test for packed_cell_is_destroy 2014-05-07 02:05:35 -04:00
Nick Mathewson
de3bbc4f53 Move code-generation scripts to scripts/codegen
Now that we have a scripts/* directory, let's put the scripts we use
for generating C there.
2014-05-07 01:17:41 -04:00
Nick Mathewson
a1cdc619bb Mention siphash in src/ext/README 2014-05-07 01:03:14 -04:00
Nick Mathewson
1adc98b9b5 Split portfw-error-logging code into a new function.
No code has changed; only moved. Part of a fix for 9781.
2014-05-06 21:22:40 -04:00
Nick Mathewson
ba5069b310 Remove a spurious variable. 2014-05-06 20:46:26 -04:00
Nick Mathewson
4a740451ac Merge remote-tracking branch 'public/bug11750' 2014-05-06 20:44:41 -04:00
Nick Mathewson
5cea500ce7 Merge branch 'bug11743_option_b' 2014-05-06 20:40:40 -04:00
Nick Mathewson
52416f8cfb Unit test for dirvote_create_microdescriptor 2014-05-06 20:36:19 -04:00
Nick Mathewson
ed0e2ecaa7 Unit test for write_to_buf_zlib 2014-05-06 19:29:56 -04:00
Nick Mathewson
2fa601c797 Future-proof "id" lines against proposal 220. 2014-05-06 17:10:59 -04:00
Nick Mathewson
f077bb55ab fix a copy-paste comment mistake 2014-05-06 17:09:16 -04:00
Nick Mathewson
c7549cb4cd Merge remote-tracking branch 'karsten/bug11742' 2014-05-06 13:54:37 -04:00
Nick Mathewson
a06044a485 Check HT_REP_IS_BAD_() when giving a bug-7164 warning.
This may let us know if we're hitting 7164 because of an
hte_hash-corruption situation proposed by "cypherpunks" in bug
11737.
2014-05-06 13:03:24 -04:00
Nick Mathewson
e9c1c3ff7f Add a siphash benchmark. 2014-05-06 12:55:39 -04:00
Nick Mathewson
0ad607d604 Faster chan_circid_entry_hash implementation
Since this is critical-path, let's tune the value we pass to
csiphash a little so it fits into one whole round.
2014-05-06 12:27:18 -04:00
Nick Mathewson
78301d99fe Fix compilation with DEBUG_DNS_CACHE
Reported by cypherpunks.

Fix for #11761; bugfix on 0.2.3.13-alpha where we made ht.h stop using
_identifiers.
2014-05-06 10:18:34 -04:00
Nick Mathewson
8127f4db30 Use siphash on channel/circuit-id map too
Fixes ticket 11750.
2014-05-05 12:13:58 -04:00
Nick Mathewson
4a621a50f5 Consensus method 18: Add a base64 ID digest to the microdesc
This is a stopgap measure to make sure that microdescriptors never
collide; see bug 11743.
2014-05-05 11:31:24 -04:00
Nick Mathewson
5d496963b4 Don't start sandbox except for CMD_RUN_TOR
This was crashing on --verify-config in the debian startup script, if you
had sandboxing enabled.  Fixes 11609; fix on 0.2.5.1-alpha.
2014-05-05 10:29:35 -04:00
Karsten Loesing
5e9bd1b5db Believe that v3 dirauths always serve extra infos.
Clients should always believe that v3 directory authorities serve
extra-info documents, regardless of whether their server descriptor
contains a "caches-extra-info" line or not.

Fixes part of #11683.
2014-05-05 15:31:52 +02:00
Karsten Loesing
1289474dbd Remove /tor/dbg-stability.txt URL.
The /tor/dbg-stability.txt URL was meant to help debug WFU and MTBF
calculations, but nobody was using it.

Fixes #11742.
2014-05-05 11:21:35 +02:00
Nick Mathewson
29b7397ebe Fix test_config_write_to_data_subdir
Bugfix on aa0eb2022342798fc78b2bde89d393f37c59fe78; bugfix not on any
released Tor.
2014-05-01 13:27:20 -04:00
Nick Mathewson
df03e9b737 have only one code path for #9635 logging 2014-05-01 12:40:33 -04:00
Nick Mathewson
7ad0cd209c Merge remote-tracking branch 'public/bug9635' 2014-05-01 12:39:39 -04:00
Nick Mathewson
c472ac4fb8 Merge remote-tracking branch 'public/bug11233_diagnose' 2014-05-01 12:37:16 -04:00
Nick Mathewson
a2b59dba71 Merge branch 'bug11654_squashed' 2014-05-01 12:34:59 -04:00
George Kadianakis
a787575b7f Fix a misuse of strlcpy() introduced by the #11156 patch. 2014-05-01 12:34:50 -04:00
Nick Mathewson
0e20825bf2 whitespace fix 2014-05-01 12:31:38 -04:00
Nick Mathewson
b51ce90777 Merge remote-tracking branch 'public/valgrind_tests' 2014-05-01 12:29:31 -04:00
Nick Mathewson
b6c8a14bf3 Merge remote-tracking branch 'public/bug4345a_024' 2014-05-01 12:13:07 -04:00
Nick Mathewson
1bbd3811c1 Merge remote-tracking branch 'public/bug10849_025'
Conflicts:
	src/or/config.c
2014-05-01 11:51:22 -04:00
Nick Mathewson
14bc6e8993 Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4
Conflicts:
	src/or/microdesc.c
2014-05-01 11:44:25 -04:00
Nick Mathewson
6a4f5d9b4d Downgrade bug 7164 warning to INFO
The 0.2.5.x warning is the one that might help us track this down; the
warnings in stable are just annoying users over and over and over.
2014-05-01 11:42:02 -04:00
Nick Mathewson
630b4af260 Merge remote-tracking branch 'andrea/bug11476' 2014-05-01 11:30:55 -04:00
Nick Mathewson
9511522bd4 Merge remote-tracking branch 'origin/maint-0.2.4' 2014-04-30 20:26:55 -04:00
Nick Mathewson
efab3484e6 Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4 2014-04-30 20:25:15 -04:00
Nick Mathewson
8828794dc2 Merge remote-tracking branch 'public/bug10849_023_bruteforce' into maint-0.2.3 2014-04-30 20:23:22 -04:00
Nick Mathewson
35699ef9f5 Drop the MaxMemInCellQueues lower limit down to 256 MB.
on #9686, gmorehose reports that the 500 MB lower limit is too high
for raspberry pi users.

This is a backport of 647248729f to 0.2.4.

Note that in 0.2.4, the option is called MaxMemInCellQueues.
2014-04-29 20:48:22 -04:00
Nick Mathewson
545e2119f2 Merge remote-tracking branch 'public/bug11605_024' 2014-04-29 14:33:39 -04:00
Nick Mathewson
b0e078d5af Log info on ancient one-hop circuits in heartbeat
This is an attempt to diagnose 8387.
2014-04-29 14:02:12 -04:00
dana koch
88679aa53f Quench gcc's complaints about discarding constness in TO_ORIGIN_CIRCUIT.
This was previously satisfied by using a temporary variable, but there
are three other instances in circuitlist.c that gcc is now bothered by,
so now introduce a CONST_TO_ORIGIN_CIRCUIT that takes a const
circuit_t instead.
2014-04-29 13:18:12 -04:00
Nick Mathewson
0514bcd37c Merge remote-tracking branch 'origin/maint-0.2.4' 2014-04-29 13:03:27 -04:00
Nick Mathewson
1d3ffc0ec9 Merge remote-tracking branch 'origin/maint-0.2.3' into maint-0.2.4 2014-04-29 13:02:18 -04:00
Nick Mathewson
65575b0755 Stop leaking memory in error cases of md parsing
When clearing a list of tokens, it's important to do token_clear()
on them first, or else any keys they contain will leak.  This didn't
leak memory on any of the successful microdescriptor parsing paths,
but it does leak on some failing paths when the failure happens
during tokenization.

Fixes bug 11618; bugfix on 0.2.2.6-alpha.
2014-04-29 13:00:00 -04:00
Nick Mathewson
aa0eb20223 Fix leaks in tests related to setting options->DataDirectory
We pre-populate that value in main(), and we weren't freeing it
before overriding it.
2014-04-29 12:48:02 -04:00
Nick Mathewson
ee9ed9d817 Fix memory leaks in test_status.c 2014-04-29 12:48:02 -04:00
Nick Mathewson
212e982d9b Fix leaks in dir voting tests 2014-04-29 12:48:02 -04:00
Andrea Shepard
91ff10f6be Make --disable-buf-freelists build and pass unit tests 2014-04-29 02:18:34 -07:00
Nick Mathewson
cdc64f020c Merge remote-tracking branch 'public/bug11608' 2014-04-28 15:52:57 -04:00
Nick Mathewson
1b7e297985 Fix capitalization of MaxMemInQueues
This won't affect anybody's configuration, but it makes it match what
we documented. Fixes part of 11634.
2014-04-28 12:25:52 -04:00
Nick Mathewson
4b519de5f9 Actually put ExtORPortCookieAuthFile into config.c
Fixes bug 11635; bugfix on 0.2.5.1-alpha.
2014-04-28 12:23:18 -04:00
Nick Mathewson
f4be34f70d Make the python test scripts work on python3
The python scripts invoked by 'make check' didn't work on python3
before.  That was a problem on systems where 'python' is python3.

Fixes bug 11608; bugfix on 0.2.5.2-alpha.
2014-04-27 22:54:24 -04:00
Nick Mathewson
504e2000ed Fix leaks in test_oom.c 2014-04-26 12:17:10 -04:00
Nick Mathewson
97664cfd2a Fix leaks in test_dir_formats 2014-04-26 12:16:12 -04:00
Nick Mathewson
b60782b6d6 Fix numerous leaks in test_pt.c
I didn't find a managed_proxy_free() function any place; shouldn't
there be one?
2014-04-26 11:28:39 -04:00
Nick Mathewson
b11ab0d91d test_cntev_append_cell_stats now no longer leaks 2014-04-26 00:40:22 -04:00
Nick Mathewson
b4b07c17e3 Fix leaks in test_exit_policy_dump_to_string 2014-04-26 00:36:09 -04:00
Nick Mathewson
558becad8c Memory leaks in test_config_addressmap 2014-04-26 00:27:21 -04:00
Nick Mathewson
ffffd860c9 Fix a leak in test_buffer_allocation_tracking 2014-04-26 00:18:15 -04:00
Nick Mathewson
1117889f4a Fix memory leak in unittest helper function. 2014-04-26 00:13:49 -04:00
Nick Mathewson
9fbb5a44b8 Fix memory leak in test_util_asprintf 2014-04-26 00:13:27 -04:00
Nick Mathewson
dc0fcbd812 Fix memory leaks in test_cntev_append_cell_stats 2014-04-26 00:12:39 -04:00
Nick Mathewson
3fa296ce28 fix uninitialized memory reads from test_geoip_with_pt. Found with valgrind 2014-04-26 00:12:16 -04:00
Nick Mathewson
fa202c4127 Fix memory leak in test_geoip 2014-04-26 00:11:46 -04:00
Nick Mathewson
1cf02605d4 Fix memory leak in test_onion_queues 2014-04-26 00:11:17 -04:00
Nick Mathewson
c7951731ed Fix memory leaks in test_circuit_timeout
Found with valgrind.
2014-04-26 00:10:04 -04:00
Nick Mathewson
3a3ed2abb2 Bump version to 0.2.5.4-alpha-dev 2014-04-25 23:38:12 -04:00
Nick Mathewson
9735ca6e30 resolve a typo: sanboxing->sandboxing. 2014-04-25 21:08:01 -04:00
Nick Mathewson
f8248abbd6 Forbid TunneledDirConns 0 and PreferTunneledDirConns 0 if being a HS
Fixes bug 10849; bugfix on 0.2.1.1-alpha (I believe)
2014-04-25 14:24:41 -04:00
Nick Mathewson
f0a57bd363 Make compilation of tor_memdup_nulterm() with dmalloc
Fixes bug 11605; bugfix on 0.2.4.10-alpha.
2014-04-25 13:52:07 -04:00
Nick Mathewson
b54669bc00 Bump version to 0.2.5.4-alpha.
Probably releasing within ~22 hours, pending testing
2014-04-25 02:07:53 -04:00
Nick Mathewson
167536a112 fix memory leak in dump_exit_policy_to_string tests 2014-04-25 01:59:20 -04:00
Nick Mathewson
d3c05a79f0 Merge branch 'scanbuild_fixes' 2014-04-25 01:24:39 -04:00
Nick Mathewson
95e617c828 whitespace fix 2014-04-24 12:34:23 -04:00
Nick Mathewson
5a9ac0df99 Merge remote-tracking branch 'public/bug11553_025' 2014-04-24 10:48:32 -04:00
Nick Mathewson
67aa3685e7 Merge branch 'bug11396_v2_squashed'
Conflicts:
	src/or/main.c
2014-04-24 10:31:38 -04:00
Nick Mathewson
e3af72647d Expose the real maxmeminqueues via a GETINFO
That is, GETINFO limits/max-mem-in-queues
2014-04-24 10:26:14 -04:00
Nick Mathewson
17ecd04fde Change the logic for the default for MaxMemInQueues
If we can't detect the physical memory, the new default is 8 GB on
64-bit architectures, and 1 GB on 32-bit architectures.

If we *can* detect the physical memory, the new default is
  CLAMP(256 MB, phys_mem * 0.75, MAX_DFLT)
where MAX_DFLT is 8 GB on 64-bit architectures and 2 GB on 32-bit
architectures.

You can still override the default by hand.  The logic here is simply
trying to choose a lower default value on systems with less than 12 GB
of physical RAM.
2014-04-24 10:26:14 -04:00
Nick Mathewson
aca05fc5c0 get_total_system_memory(): see how much RAM we have 2014-04-24 10:26:14 -04:00
Nick Mathewson
17ad309d33 Merge remote-tracking branch 'public/bug11553_024' into bug11553_025
Conflicts:
	src/or/circuitbuild.c
2014-04-23 12:44:18 -04:00
Nick Mathewson
a770b74501 Improvements to #11553 fix based on review
Use a per-channel ratelim_t to control the rate at which we report
failures for each channel.

Explain why I picked N=32.

Never return a zero circID.

Thanks to Andrea and to cypherpunks.
2014-04-23 12:39:01 -04:00
Nick Mathewson
7a8cac14d5 Merge remote-tracking branch 'public/bug10268' 2014-04-23 11:11:08 -04:00
Nick Mathewson
66833311eb Merge remote-tracking branch 'public/bug11200' 2014-04-23 11:07:52 -04:00
Nick Mathewson
830492fbda Merge branch 'bug11156_issue2_squashed' 2014-04-23 11:05:54 -04:00
George Kadianakis
29c28d312c Slightly improve the documentation of src/or/transports.c
Make it clear that a SIGHUP is not the only action that can cause a
config re-read.
2014-04-23 11:05:45 -04:00
George Kadianakis
fa0c5da68b Rename the got_hup element of managed proxies.
Since we need to toggle that element in non-SIGHUP situations too where
the config was re-read (like in SETCONF or RESETCONF).
2014-04-23 11:05:45 -04:00
George Kadianakis
bf7cb6acf6 Don't halt bootstrap to figure out if we should restart PT proxies.
Instead, figure out if we should restart PT proxies _immediately_ after
we re-read the config file.
2014-04-23 11:05:45 -04:00
Nick Mathewson
9e44df2c98 Merge remote-tracking branch 'public/bug9229_024' into maint-0.2.4 2014-04-23 11:01:39 -04:00
Nick Mathewson
7b4b137dc9 Merge remote-tracking branch 'public/bug9229_025'
Conflicts:
	src/or/entrynodes.c
2014-04-23 11:00:49 -04:00
Nick Mathewson
3b1f7f75a7 scan-build: memarea_strndup() undefined behavior
The memarea_strndup() function would have hit undefined behavior by
creating an 'end' pointer off the end of a string if it had ever been
given an 'n' argument bigger than the length of the memory ares that
it's scanning.  Fortunately, we never did that except in the unit
tests.  But it's not a safe behavior to leave lying around.
2014-04-19 13:16:56 -04:00
Nick Mathewson
685d450ab3 scan-build: avoid undef behaior in tor_inet_pton
If we had an address of the form "1.2.3.4" and we tried to pass it to
tor_inet_pton with AF_INET6, it was possible for our 'eow' pointer to
briefly move backwards to the point before the start of the string,
before we moved it right back to the start of the string.  C doesn't
allow that, and though we haven't yet hit a compiler that decided to
nuke us in response, it's best to fix.

So, be more explicit about requiring there to be a : before any IPv4
address part of the IPv6 address.  We would have rejected addresses
without a : for not being IPv6 later on anyway.
2014-04-19 13:14:33 -04:00
Nick Mathewson
78f555a248 scan-build: sizeof(ptr*) in a debugging log in ext_orport.c
Instead of taking the length of a buffer, we were taking the length of
a pointer, so that our debugging log would cover only the first
sizeof(void*) bytes of the client nonce.
2014-04-19 12:53:57 -04:00
Nick Mathewson
1800e79ca5 scan-build: Fix harmless sizeof(ptr) in test_oom.c
We meant to using random bytes to fill a buffer, up to 3000 at a
time. Instead we were taking them sizeof(void*) at a time.
2014-04-19 12:52:00 -04:00
Nick Mathewson
5670e38efb scan-build: close stdio FILEs on error in tor-gencert
This is harmless, since tor-gencert exits right afterwards, but it's
best to clean up after ourselves.
2014-04-19 12:47:58 -04:00
Nick Mathewson
9c9e07963d scan-build: truncate tinytest hexified outputs to 1024 bytes.
scan-build didn't like the unlimited version since we might need to
overflow size_t to hexify a string that took up half our address
space. (!)
2014-04-19 12:47:51 -04:00
Nick Mathewson
4d51dcda2f scan-build: limit hashtable size so it always fits in SSIZE_MAX
scan-build recognizes that in theory there could be a numeric overflow
here.

This can't numeric overflow can't trigger IRL, since in order to fill a
hash table with more than P=402653189 buckets with a reasonable load
factor of 0.5, we'd first have P/2 malloced objects to put in it--- and
each of those would have to take take at least sizeof(void*) worth of
malloc overhead plus sizeof(void*) content, which would run you out of
address space anyway on a 32-bit system.
2014-04-19 12:39:14 -04:00
Nick Mathewson
d4ad254917 scan-build: bulletproof last-chance errormsg generation in rendservice.c
If 'intro' is NULL in these functions, I'm pretty sure that the
error message must be set before we hit the end.  But scan-build
doesn't notice that, and is worried that we'll do a null-pointer
dereference in the last-chance errormsg generation.
2014-04-18 21:24:16 -04:00
Nick Mathewson
1b3bddd013 scan-build: Have clear_pending_onions walk the lists more obviously
As it stands, it relies on the fact that onion_queue_entry_remove
will magically remove each onionskin from the right list.  This
patch changes the logic to be more resilient to possible bugs in
onion_queue_entry_remove, and less confusing to static analysis tools.
2014-04-18 21:17:40 -04:00
Nick Mathewson
78bc814c04 scan-build: in cpuworker, initialize tv_start
scan-build doesn't realize that a request can't be timed at the end
unless it's timed at the start, and so it's not possible for us to
be subtracting start from end without start being set.
Nevertheless, let's not confuse it.
2014-04-18 21:12:45 -04:00
Nick Mathewson
895b6789e8 scan-build: get_proxy_addrport should always set its outputs
When get_proxy_addrport returned PROXY_NONE, it would leave
addr/port unset. This is inconsistent, and could (if we used the
function in a stupid way) lead to undefined behavior. Bugfix on
5b050a9b0, though I don't think it affects tor-as-it-is.
2014-04-18 20:41:40 -04:00
Nick Mathewson
7cd9520ba9 scan-build: when logging a path length, check build_state.
Throughout circuituse, when we log about a circuit, we log its
desired path length from build_state. scan-build is irrationally
concerned that build_state might be NULL.
2014-04-18 20:40:34 -04:00
Nick Mathewson
7106492571 scan-build: Be consistent with a needless check in circuitmux.c
In circuitmux_detach_all_circuits, we check whether an HT iterator
gives us NULL.  That should be impossible for an HT iterator.  But
our checking it has confused scan-build (justly) into thinking that
our later use of HT_NEXT_RMV might not be kosher.  I'm taking the
coward's route here and strengthening the check.  Bugfix on
fd31dd44. (Not a real bug though)
2014-04-18 20:35:59 -04:00
Nick Mathewson
69ea4450ca scan-build: fix a crash-on-fail possibility in test_policy.c 2014-04-18 20:33:21 -04:00
Nick Mathewson
0fd0f5f7a9 scan-build: Avoid crashing on BUG in circuit_get_by_rend_token_and_purpose
If we fail in circuit_get_by_rend_token_and_purpose because the
circuit has no rend_info, don't try to reference fiends from its
rend_info when logging an error.  Bugfix on 8b9a2cb68, which is
going into Tor 0.2.5.4-alpha.
2014-04-18 20:31:42 -04:00
Nick Mathewson
d1be2f5cf8 scan-build: circuit_cpath_support_ntor had a dead initialization
We were initializing cpath twice, which doesn't make sense.
2014-04-18 20:29:51 -04:00
Nick Mathewson
41a8930fa1 scan-build: check impossible null-pointer case in buffers.c
When maintaining buffer freelists, we don't skip more than there
are, so (*chp) can't be null to begin with.  scan-build has no way
to know that.
2014-04-18 20:28:46 -04:00
Nick Mathewson
08325b58be scan-build: Add a check for result from getaddrinfo
As documented, getaddrinfo always sets its result when it returns
no error.  But scan-build doesn't know that, and thinks we might
be def
2014-04-18 20:26:47 -04:00
Nick Mathewson
0cca8dc35a Merge remote-tracking branch 'public/bug9963_v2_024' 2014-04-18 15:25:36 -04:00
Nick Mathewson
b8fe8ee748 Improved message when running sandbox on Linux without libseccomp
Previously we said "Sandbox is not implemented on this platform" on
Linux boxes without libseccomp.  Now we say that you need to build
Tor built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
2014-04-18 14:54:27 -04:00
Nick Mathewson
fd9961d220 Merge remote-tracking branch 'public/bug11553_024' into bug11553_025 2014-04-18 13:23:44 -04:00
Nick Mathewson
985deaaaf7 Add a rate-limiter for the other circuitID exhaustion warning 2014-04-18 13:22:42 -04:00
Nick Mathewson
47a0c10728 Diagnostic warning to see if it's pending destroys causing 11553 2014-04-18 13:04:37 -04:00
Nick Mathewson
bd169aa9a5 Merge remote-tracking branch 'public/bug11553_024' into bug11553_025
Conflicts:
	src/or/channel.h
2014-04-18 13:00:45 -04:00
Nick Mathewson
0d75344b0e Switch to random allocation on circuitIDs.
Fixes a possible root cause of 11553 by only making 64 attempts at
most to pick a circuitID.  Previously, we would test every possible
circuit ID until we found one or ran out.

This algorithm succeeds probabilistically. As the comment says:

  This potentially causes us to give up early if our circuit ID
  space is nearly full.  If we have N circuit IDs in use, then we
  will reject a new circuit with probability (N / max_range) ^
  MAX_CIRCID_ATTEMPTS.  This means that in practice, a few percent
  of our circuit ID capacity will go unused.

  The alternative here, though, is to do a linear search over the
  whole circuit ID space every time we extend a circuit, which is
  not so great either.

This makes new vs old clients distinguishable, so we should try to
batch it with other patches that do that, like 11438.
2014-04-18 12:58:58 -04:00
Nick Mathewson
bb9b4c37f8 Supply better and less frequent warnings on circID exhaustion
Fixes the surface behavior of #11553
2014-04-18 12:31:06 -04:00
Nick Mathewson
eb896d5e6f Merge remote-tracking branch 'public/ticket11528_024' 2014-04-17 12:17:14 -04:00
Nick Mathewson
9c3f7a6d35 Remove spurious libevent include in sandbox.c 2014-04-17 12:13:35 -04:00
Nick Mathewson
0b319de60f Elevate server TLS cipher preferences over client
The server cipher list is (thanks to #11513) chosen systematically to
put the best choices for Tor first.  The client cipher list is chosen
to resemble a browser.  So let's set SSL_OP_CIPHER_SERVER_PREFERENCE
to have the servers pick according to their own preference order.
2014-04-17 10:33:04 -04:00
Nick Mathewson
0175fcaf7c Fix uninitialized-ram free in unit tests
Fix on fb595922; bug not in any released Tor. Found with
--enable-expensive-hardening.
2014-04-17 01:03:10 -04:00
Nick Mathewson
4367cbd71b Merge remote-tracking branch 'public/sandbox_fixes_rebased_2' 2014-04-16 23:45:55 -04:00
Nick Mathewson
c856193199 Merge remote-tracking branch 'andrea/bug11304' 2014-04-16 23:13:30 -04:00
Nick Mathewson
74ddd5f739 Merge remote-tracking branch 'andrea/bug11306' 2014-04-16 23:13:27 -04:00
Nick Mathewson
973661394a Merge branch '10267_plus_10896_rebased_twice' 2014-04-16 23:03:41 -04:00
Nick Mathewson
89e520e2a7 Call pf-divert openbsd-specific, not no-linux 2014-04-16 23:03:25 -04:00
Nick Mathewson
c00c45fee1 Fix OSX compilation. 2014-04-16 23:03:25 -04:00
Nick Mathewson
db8259c230 Whitespace, doc fixes 2014-04-16 23:03:25 -04:00
dana koch
f680d0fdd2 Educate tor on OpenBSD's use of divert-to rules with the pf firewall.
This means that tor can run without needing to communicate with ioctls
to the firewall, and therefore doesn't need to run with privileges to
open the /dev/pf device node.

A new TransProxyType is added for this purpose, "pf-divert"; if the user
specifies this TransProxyType in their torrc, then the pf device node is
never opened and the connection destination is determined with getsockname
(as per pf(4)). The default behaviour (ie., when TransProxyType is "default"
when using the pf firewall) is still to assume that pf is configured with
rdr-to rules.
2014-04-16 23:03:25 -04:00
Nick Mathewson
08ef8c0958 tor_addr_from_sockaddr() is applicable in ipfw code, so use it. 2014-04-16 23:03:25 -04:00
Nick Mathewson
3e4680f312 ipfw TransPort support on FreeBSD (10267)
This isn't on by default; to get it, you need to set "TransProxyType
ipfw".  (The original patch had automatic detection for whether
/dev/pf is present and openable, but that seems marginally fragile.)
2014-04-16 23:03:25 -04:00
Nick Mathewson
f41491816c Log the name of the failing syscall on failure 2014-04-16 22:23:36 -04:00
Nick Mathewson
2ae47d3c3a Block certain option transitions while sandbox enabled 2014-04-16 22:03:18 -04:00
Nick Mathewson
f70cf9982a Sandbox: permit O_NONBLOCK and O_NOCTTY for files we refuse
OpenSSL needs this, or RAND_poll() will kill the process.

Also, refuse with EACCESS, not errno==-1 (!).
2014-04-16 22:03:18 -04:00
Nick Mathewson
c80a6bd9d5 Don't reload logs or rewrite pidfile while sandbox is active 2014-04-16 22:03:18 -04:00
Nick Mathewson
6194970765 Don't allow change to ConnLimit while sandbox is active 2014-04-16 22:03:18 -04:00
Nick Mathewson
18f7f49a8c Allow reloading torrc and writing to router-stability 2014-04-16 22:03:17 -04:00
Nick Mathewson
69eb278830 Use SCMP_CMP_MASKED_EQ to allow flags, not force them
Older versions of Libevent are happy to open SOCK_DGRAM sockets
non-cloexec and non-nonblocking, and then set those flags
afterwards. It's nice to be able to allow a flag to be on or off in
the sandbox without having to enumerate all its values.

Also, permit PF_INET6 sockets. (D'oh!)
2014-04-16 22:03:10 -04:00
Nick Mathewson
ce776cf270 Add a couple of missing renames so the server sandbox works again 2014-04-16 22:03:09 -04:00
Nick Mathewson
e6785ee16d Get Libevent's PRNG functioning under the linux sandbox
Libevent uses an arc4random implementation (I know, I know) to
generate DNS transaction IDs and capitalization.  But it liked to
initialize it either with opening /dev/urandom (which won't work
under the sandbox if it doesn't use the right pointer), or with
sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}).  To make _that_ work, we
were permitting sysctl unconditionally.  That's not such a great
idea.

Instead, we try to initialize the libevent PRNG _before_ installing
the sandbox, and make sysctl always fail with EPERM under the
sandbox.
2014-04-16 22:03:09 -04:00
Nick Mathewson
156eefca45 Make sure everything using an interned string is preceded by a log
(It's nice to know what we were about to rename before we died from
renaming it.)
2014-04-16 22:03:09 -04:00
Nick Mathewson
8dc6755f6d Introduce arg-counting macros to wrap seccomp_rule_add()
The compiler doesn't warn about this code:
       rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
           SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
           SCMP_CMP(1, SCMP_CMP_EQ, param->value),
           SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1.  This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!

This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
2014-04-16 22:03:09 -04:00
Nick Mathewson
12028c29e6 Fix sandbox protection for rename
(We were only checking the first parameter of each rename call.)
2014-04-16 22:03:09 -04:00
Nick Mathewson
739a52592b Upgrade warning about missing interned string for sandbox 2014-04-16 22:03:09 -04:00
Nick Mathewson
5aaac938a9 Have sandbox string protection include multi-valued parmeters. 2014-04-16 22:03:09 -04:00
Nick Mathewson
f268101a61 Clean up sandbox structures a bit
Drop pindex,pindex2 as unused.

Admit a type to avoid using a void*
2014-04-16 22:03:08 -04:00
Nick Mathewson
6807b76a5e Add missing rename function for non-linux platforms 2014-04-16 22:03:08 -04:00
Nick Mathewson
71eaebd971 Drop 'fr' parameter from sandbox code.
Appearently, the majority of the filenames we pass to
sandbox_cfg_allow() functions are "freeable right after". So, consider
_all_ of them safe-to-steal, and add a tor_strdup() in the few cases
that aren't.

(Maybe buggy; revise when I can test.)
2014-04-16 22:03:08 -04:00