When a relay starts testing reachability, log its IPv6 ORPort.
The existing code logs the IPv4 ORPort and DirPort.
The IPv4 ORPort is required. The other ports are only logged if they
are present.
Part of 33222.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
check_whether_orport_reachable router_skip_orport_reachability_check \
check_whether_dirport_reachable router_skip_dirport_reachability_check
It was generated with --no-verify, so it probably breaks some commit hooks.
The commiter should be sure to fix them up in a subsequent commit.
Part of 33222.
Change some function names to distinguish between:
* client first hop reachability (ReachableAddresses)
* relay port reachability self-tests
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
router_skip_or_reachability router_connect_assume_or_reachable \
router_skip_dir_reachability router_connect_assume_dir_reachable
It was generated with --no-verify, so it probably breaks some commit hooks.
The commiter should be sure to fix them up in a subsequent commit.
Part of 33222.
Split "can extend over IPv6" and "has advertised IPv6 ORPort" into
separate functions. They currently have the same result, but this may
change in 33818 with ExtendAllowIPv6Addresses.
Part of 33817.
Refactor circuit_open_connection_for_extend(), splitting out the IP
address choice code into a new function.
Adds unit tests. No behaviour changes in tor.
Part of 33817.
Allow extend cells with IPv6-only link specifiers.
Warn and fail if both IPv4 and IPv6 are invalid.
Also warn if the IPv4 or IPv6 addresses are unexpectedly internal,
but continue with the valid address.
Part of 33817.
The client auth protocol allows attacker-controlled x25519 private keys being
passed around, which allows an attacker to potentially trigger the all-zeroes
assert for client_auth_sk in hs_descriptor.c:decrypt_descriptor_cookie().
We fixed that by making sure that an all-zeroes client auth key will not be
used.
There are no guidelines for validating x25519 private keys, and the assert was
there as a sanity check for code flow issues (we don't want to enter that
function with an unitialized key if client auth is being used). To avoid such
crashes in the future, we also changed the assert to a BUG-and-err.
circuit_extend() may be called when a client receives an extend cell,
even if the relay module is disabled.
Log a protocol warning when the relay module is disabled.
Part of 33633.
This is to allow a visual feedback in the logs for operators setting up Onion
Balance so they can confirm they properly configured the instances.
Signed-off-by: David Goulet <dgoulet@torproject.org>
The ob_subcreds array was not copied after SIGHUP, and that left the
post-SIGHUP service with a NULL ob_subcreds pointer (until the next descriptor
gets build where we regenerate ob_subcreds in hs_ob_refresh_keys()).
Fixes bug #33762; not in any released tor version.
This patch doesn't actually use the results of the parsed object to
create the service configuration: subsequent patches will do
that. This patch just introduces the necessary configuration tables
and starts using them to validate the configuration.
As of this writing, this patch breaks tests. I'll likely fix that
in a rebase later on: the current error messages for failures to
parse options are a regression, so I've opened #33640 for that.
Return early when there is no suitable IPv6 ORPort.
Show the address and port on error, using a convenience function.
Code simplification and refactoring.
Cleanup after 32588.
When IPv6 ORPorts are set to "auto", tor relays and bridges would
advertise an incorrect port in their descriptor.
This may be a low-severity memory safety issue, because the published
port number may be derived from uninitialised or out-of-bounds memory
reads.
Fixes bug 32588; bugfix on 0.2.3.9-alpha.
Previously we just ignored this option, which would leave it unset,
and cause an assertion failure later on when running with the User
option.
Fixes bug 33668; bugfix on 0.4.3.1-alpha.
Add an inline helper function that indicates if the cached object contains a
decrypted descriptor or not.
The descriptor object is NULL if tor is unable to decrypt it (lacking client
authorization) and some actions need to be done only when we have a decrypted
object.
This improves code semantic.
Fixes#33458
Signed-off-by: David Goulet <dgoulet@torproject.org>
Given that ed25519 public key validity checks are usually not needed
and (so far) they are only necessary for onion addesses in the Tor
protocol, we decided to fix this specific bug instance without
modifying the rest of the codebase (see below for other fix
approaches).
In our minimal fix we check that the pubkey in
hs_service_add_ephemeral() is valid and error out otherwise.
When a service can not upload its descriptor(s), we have no logs on why. This
adds logging for each possible reason for each descriptors.
That logging is emitted every second so it is rate limited for each reason and
per descriptor.
Closes#33400
Signed-off-by: David Goulet <dgoulet@torproject.org>
In this case, when we're looking for the voting interval, we should
try looking at the _latest_ consensus if we have one. When we're
looking for the start of the current voting period, we can use our
existing fallback logic without complaint, since the voting interval
code will already have given us a reasonable voting interval, and we
want to have a round starting time based on the current time.
This is not as clean a patch as I would like: see the comment on
ASSUME_AUTHORITY_SCHEDULING. This issue here is that the unit tests
sometimes assume that we are going to be looking at the dirauth
options and behaving like a dirauth, but without setting the options
to turn is into one.
This isn't an issue for actually running Tor, as far as I can tell
with chutney.
Most of this function was about recreating a voting schedule on
demand if it didn't exist yet or was not up-to-date. I've made that
into its own function.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
voting_schedule_recalculate_timing dirauth_sched_recalculate_timing \
voting_schedule_get_start_of_next_interval voting_sched_get_start_of_interval_after \
voting_schedule_get_next_valid_after_time dirauth_sched_get_next_valid_after_time
Apparently it is only used by the unit tests: tor doesn't want it at
all.
I've opened a new ticket (33383) to we if we should remove this
whole feature.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
MIN_DNS_TTL_AT_EXIT MIN_DNS_TTL \
MAX_DNS_TTL_AT_EXIT MAX_DNS_TTL \
dns_clip_ttl clip_dns_ttl
If we receive via 'post' a vote from a dir auth after the
fetch_missing_votes cutoff, that means we didn't get it by the time we
begin the "fetching missing votes from everybody else" phase, which means
it is very likely to cause a consensus split if we count it. Instead,
we reject it.
But we still allow votes that we fetch ourselves after that cutoff.
This is a demo branch for making progress on #4631.
I've been running it on moria1 and it catches and handles real buggy
behavior from directory authorities, e.g.
Jan 28 15:59:50.804 [warn] Rejecting vote from 199.58.81.140 received at 2020-01-28 20:59:50; our cutoff for received votes is 2020-01-28 20:52:30
Jan 28 15:59:50.805 [warn] Rejected vote from 199.58.81.140 ("Vote received too late, would be dangerous to count it").
Jan 29 01:52:52.667 [warn] Rejecting vote from 204.13.164.118 received at 2020-01-29 06:52:52; our cutoff for received votes is 2020-01-29 06:52:30
Jan 29 01:52:52.669 [warn] Rejected vote from 204.13.164.118 ("Vote received too late, would be dangerous to count it").
Jan 29 04:53:26.323 [warn] Rejecting vote from 204.13.164.118 received at 2020-01-29 09:53:26; our cutoff for received votes is 2020-01-29 09:52:30
Jan 29 04:53:26.326 [warn] Rejected vote from 204.13.164.118 ("Vote received too late, would be dangerous to count it").
Add doxygen comments to the new recommended and required subprotocol
version strings.
Add a warning to the required protocol documentation, because requiring
the wrong protocols can break the tor network. Also reference
proposal 303: When and how to remove support for protocol versions.
Part of 33285.
Move the recommended and required protocol version lists into the
private section of the dirvote header, and turn them into macros.
Preparation for 33285.
This patch ensures that we always lowercase the BridgeDistribution from
torrc in descriptors before submitting it.
See: https://bugs.torproject.org/32753
Conflicts:
doc/tor.1.txt
src/app/config/config.c
src/app/config/or_options_st.h
src/core/mainloop/connection.h
Between 042 and 043, the dirauth options were modularized so this merge commit
address this by moving the AuthDirRejectUncompressedRequests to the module
along with a series of accessors.
Signed-off-by: David Goulet <dgoulet@torproject.org>
The configured, within the torrc or hardcoded, directory authorities addresses
are now added to the nodelist address set.
Signed-off-by: David Goulet <dgoulet@torproject.org>
We separate v4 and v6 because we often use an IPv4 address represented with
a uint32_t instead of a tor_addr_t.
This will be used to also add the trusted directory addresses taken from the
configuration.
The trusted directories from the consensus are already added to the address
set from their descriptor.
Signed-off-by: David Goulet <dgoulet@torproject.org>
That function is only used to test the global bucket write limit for a
directory connection.
It should _not_ be used for anything else since that function looks to see if
we are a directory authority.
Rename it to something more meaningful. No change in behavior at this commit,
only renaming.
Part of #33029
Signed-off-by: David Goulet <dgoulet@torproject.org>
clang-format sometimes thinks that "#name" should be written as
"# name" if it appears at the start of a line. Using () appears
to suppress this, while confusing Coccinelle.
Doing this makes our macro usage a little clear IMO, and also avoids
having to use an unadorned "new" within a macro. (Clang-format
seems to think that "new" means we're doing C++, and so it generates
some output that checkSpace.pl doesn't care for.)
When the ONION_CLIENT_AUTH_REMOVE command is given to tor, now also remove the
descriptor associated with the client authorization credentials.
Fixes#33148
Signed-off-by: David Goulet <dgoulet@torproject.org>
