Commit Graph

27643 Commits

Author SHA1 Message Date
David Goulet
3a247ca92a ns: Call notify_networkstatus_changed() after the new consensus is set globally
In 0.3.2.1-alpha, we've added this function in order to have a way to notify
other subsystems that the consensus just changed. The old consensus and the
new one are passed to it.

Before this patch, this was done _before_ the new consensus was set globally
(thus NOT accessible by getting the latest consensus). The scheduler
notification was assuming that it was set and select_scheduler() is looking at
the latest consensus to get the parameters it might needs. This was very wrong
because at that point it is still the old consensus set globally.

With this commit, notify_networkstatus_changed() has been moved _after_ the
new consensus is set globally. The main obvious reasons is to fix the bug
described above and in #24975. The other reason is that this notify function
doesn't return anything which could be allowing the possibility of refusing to
set the new consensus on error. In other words, the new consensus is set right
after the notification whatever happens.

It does no harm or change in behavior to set the new consensus first and then
notify the subsystems. The two functions currently used are for the control
port using the old and new consensus and sending the diff. The second is the
scheduler that needs the new consensus to be set globally before being called.

Of course, the function has been documented accordinly to clearly state it is
done _after_ the new consensus is set.

Fixes #24975

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 11:21:18 -05:00
Nick Mathewson
1e81aaa62f Merge branch 'maint-0.3.2' 2018-01-31 10:06:49 -05:00
Nick Mathewson
9bfb6fe395 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-31 10:06:49 -05:00
Nick Mathewson
5fc0437e74 But in most Earth cultures, there are 60s in a minute. 2018-01-31 10:06:43 -05:00
Nick Mathewson
8b162443b9 Merge branch 'maint-0.3.2' 2018-01-31 10:01:13 -05:00
Nick Mathewson
cb90defba6 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-31 10:01:13 -05:00
Nick Mathewson
86e6cb6409 add a rate-limit. 2018-01-31 10:01:10 -05:00
Nick Mathewson
69e242f845 Merge branch 'maint-0.3.2' 2018-01-31 09:50:24 -05:00
Nick Mathewson
e81896adda Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-31 09:50:24 -05:00
Nick Mathewson
914ec372a9 Merge branch 'bug24927' 2018-01-31 09:47:36 -05:00
Nick Mathewson
80c8689be1 Merge remote-tracking branch 'public/ticket24849_032' 2018-01-31 09:38:24 -05:00
Nick Mathewson
94878cf1ea Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-01-31 09:35:07 -05:00
teor
1f4a73133c test: Add unit tests for overflows and underflows in cc_stats_refill_bucket
Closes #25094.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 09:27:59 -05:00
teor
a09d5f5735 dos: Make sure cc_stats_refill_bucket can't overflow while calculating
Debug log the elapsed time in cc_stats_refill_bucket

Part of #25094.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 09:27:59 -05:00
Nick Mathewson
c0447033f5 Merge branch 'maint-0.3.2' 2018-01-31 09:19:55 -05:00
teor
b45ae1b002 test: Remove a redundant round from test_dos_bucket_refill
This round is left over from the tenths of a second code.

Part of #25094.
2018-01-31 09:19:39 -05:00
Roger Dingledine
3d9dcb49eb count flushing as channel activity
Stop adding unneeded channel padding right after we finish flushing
to a connection that has been trying to flush for many seconds.
Instead, treat all partial or complete flushes as activity on the
channel, which will defer the time until we need to add padding.

This fix should resolve confusing and scary log messages like
"Channel padding timeout scheduled 221453ms in the past."

Fixes bug 22212; bugfix on 0.3.1.1-alpha.

I think technically we could resolve bug 22212 by adding a call to
channel_timestamp_active() only in the finished_flushing case. But I added
a call in the flushed_some case too since that seems to more accurately
reflect the notion of "active".
2018-01-31 05:26:06 -05:00
Nick Mathewson
d2ae1bfcb3 remove a redundant semicolon 2018-01-30 18:11:16 -05:00
David Goulet
cd81403cc0 Merge branch 'ticket24902_029_05' into ticket24902_033_02 2018-01-30 09:33:12 -05:00
David Goulet
9aca7d4730 dos: Add changes file for ticket 24902
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
e58a4fc6cf dos: Make circuit rate limit per second, not tenths anymore
Because this touches too many commits at once, it is made into one single
commit.

Remove the use of "tenths" for the circuit rate to simplify things. We can
only refill the buckets at best once every second because of the use of
approx_time() and our token system is set to be 1 token = 1 circuit so make
the rate a flat integer of circuit per second.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
a3714268f6 dos: Man page entry for DoS mitigation
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
George Kadianakis
c3c2b55dec test: Add unit tests for the DoS subsystem
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
82de4ea900 dos: Clear connection tracked flag if geoip entry is removed
Imagine this scenario. We had 10 connections over the 24h lifetime of a geoip
cache entry. The lifetime of the entry has been reached so it is about to get
freed but 2 connections remain for it. After the free, a third connection
comes in thus making us create a new geoip entry for that address matching the
2 previous ones that are still alive. If they end up being closed, we'll have
a concurrent count desynch from what the reality is.

To mitigate this probably very rare scenario in practice, when we free a geoip
entry and it has a concurrent count above 0, we'll go over all connections
matching the address and clear out the tracked flag. So once they are closed,
we don't try to decrement the count.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
14a8b87852 dos: Add a heartbeat log
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
36a0ae151f dos: Add the DoSRefuseSingleHopClientRendezvous option
This option refuses any ESTABLISH_RENDEZVOUS cell arriving from a client
connection. Its default value is "auto" for which we can turn it on or off
with a consensus parameter. Default value is 0.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
acf7ea77d8 dos: Add the connection DoS mitigation subsystem
Defend against an address that has reached the concurrent connection count
threshold.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
1bfc91a029 dos: Apply defense for circuit creation DoS
If the client address was detected as malicious, apply a defense which is at
this commit to return a DESTROY cell.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
97abb3543b dos: Detect circuit creation denial of service
Add a function that notifies the DoS subsystem that a new CREATE cell has
arrived. The statistics are updated accordingly and the IP address can also be
marked as malicious if it is above threshold.

At this commit, no defense is applied, just detection with a circuit creation
token bucket system.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
c05272783d dos: Track new and closed OR client connections
Implement a basic connection tracking that counts the number of concurrent
connections when they open and close.

This commit also adds the circuit creation mitigation data structure that will
be needed at later commit to keep track of the circuit rate.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
51fda85c23 geoip: Remember client stats if DoS mitigation is enabled
Make the geoip cache track client address if the DoS subsystem is enabled.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
64149353dd dos: Initial code of Denial of Service mitigation
This commit introduces the src/or/dos.{c|h} files that contains the code for
the Denial of Service mitigation subsystem. It currently contains basic
functions to initialize and free the subsystem. They are used at this commit.

The torrc options and consensus parameters are defined at this commit and
getters are implemented.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
teor
e4528624b1
Changes file for 25070 2018-01-30 02:20:34 +11:00
teor
8bb79ca4a7
Add unit tests for supported protocols
Prevents future regressions like #25070.
2018-01-30 02:20:30 +11:00
teor
b67f010678
Add Link protocol version 5 to the supported protocols list in protover.rs
And fix the unsupported protover example so it uses a Link protover much
higher than 5.

Part of  #25070, bugfix on 0.3.3.1-alpha, which introduced the protover crate.
2018-01-30 02:18:57 +11:00
teor
9656ad3232
Changes file for 25070 2018-01-30 02:08:42 +11:00
teor
a8e5e3a492
Add Link protocol version 5 to the supported protocols list in protover.c
Part of #25070, bugfix on 0.3.1.1-alpha.
2018-01-30 01:56:50 +11:00
teor
7a701f2603
Add Link protocol version 5 to the supported protocols list in protover.c
Part of #25070, bugfix on 0.3.1.1-alpha.
2018-01-30 01:51:03 +11:00
Corey Farwell
124caf28e6 Wrap types in protover.rs.
https://trac.torproject.org/projects/tor/ticket/24030

Introduce new wrapper types:

- `SupportedProtocols`
- `Versions`

Introduce a type alias:

- `Version` (`u32`)
2018-01-29 07:30:51 -05:00
Nick Mathewson
03ab24b44c Make more notes about important stuff in ReleasingTor.md 2018-01-26 14:39:08 -05:00
Nick Mathewson
73e5be5619 ReleasingTor.md: check for recommendation, listing on dl page
Closes ticket 23118.
2018-01-26 14:34:25 -05:00
Nick Mathewson
75d4bd3497 Improve log when unable to add sigs to pending consensus
Closes ticket 24849.
2018-01-26 14:19:59 -05:00
Nick Mathewson
ee5c624beb When a tor_cert_T check fails, log the reason why.
Diagnostic attempt for 24972.
2018-01-26 13:55:25 -05:00
Nick Mathewson
0755bcc36a Remove a needless (always-true) check.
Also add an assertion and rename a variable.

Closes ticekt 24927.
2018-01-26 13:35:00 -05:00
Nick Mathewson
9c2bc441f8 If out-of-disk when saving a consensus cache entry, don't BUG.
Just warn instead.

Fixes bug 24859.
2018-01-26 13:14:14 -05:00
Nick Mathewson
9a06282546 Change the sandbox behavior on all failed opens() to EACCES
Previously, most disallowed open(O_RDONLY) attempts would EACCES,
but others would fail with a crash.
2018-01-26 12:18:43 -05:00
Fernando Fernandez Mancera
54783b4c22 Refactor crypto.[ch] into smaller RSA module.
Add two new files (crypto_rsa.c, crypto_rsa.h) as new module of crypto.[ch].
This new module includes all functions and dependencies related to RSA
operations. Those have been removed from crypto.[ch].

All new changes related to RSA operations must be done in these files.

Follows #24658

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-01-26 13:09:52 +01:00
David Goulet
93b826faaa geoip: Add a lookup function for client map entry
The upcoming DoS mitigation subsytem needs to keep information on a per-IP
basis which is also what the geoip clientmap does.

For another subsystem to access that clientmap, this commit adds a lookup
function that returns the entry. For this, the clientmap_entry_t had to be
moved to the header file.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-25 15:44:48 -05:00
Nick Mathewson
7a74b3663f Merge remote-tracking branch 'ahf-oniongit/bugs/25026' 2018-01-25 13:57:37 -05:00
Nick Mathewson
b1fc383bdb Bump version to 0.3.3.1-alpha-dev 2018-01-25 13:50:55 -05:00