Commit Graph

36862 Commits

Author SHA1 Message Date
David Goulet
841ee4641e relay: Fix Coverity warning for unchecked returned value
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-08 11:09:29 -05:00
Alexander Færøy
f420eacf18 Merge branch 'maint-0.4.4' into maint-0.4.5 2021-02-05 19:18:47 +00:00
Alexander Færøy
49c61c1bb8 Delete changes/40241_v2 as it breaks CI.
Unreviewed build fix. Discussed the cnage on IRC with Nick.
2021-02-05 19:18:13 +00:00
Alexander Færøy
4f4728a004 Merge branch 'maint-0.4.4' into maint-0.4.5 2021-02-05 17:40:25 +00:00
Alexander Færøy
aa1a053d55 Fix CI build: practracker error in connection_edge.c, take two.
This was a bad copy and paste error from the previous commit which
generated a duplicated entry error from practracker.

Unreviewed build fix.

See: tor#40275.
2021-02-05 17:39:21 +00:00
Alexander Færøy
3496804827 Merge branch 'maint-0.4.4' into maint-0.4.5 2021-02-05 17:17:05 +00:00
Alexander Færøy
62b98716ff Fix CI build: practracker error in connection_edge.c.
We solve this error by allowing the connection_exit_connect() function
to be 130 lines long.

Unreviewed build fix commit.

See: tor#40275.
2021-02-05 17:16:05 +00:00
Alexander Færøy
af9107aff2 Fix Windows build.
While trying to resolve our CI issues, the Windows build broke with an
unused function error:

   src/test/test_switch_id.c:37:1: error: ‘unprivileged_port_range_start’
   defined but not used [-Werror=unused-function]

We solve this by moving the `#if !defined(_WIN32)` test above the
`unprivileged_port_range_start()` function defintion such that it is
included in its body.

This is an unreviewed commit.

See: tor#40275
2021-02-05 17:12:52 +00:00
Alexander Færøy
0a40892e8c Merge branch 'maint-0.4.4' into maint-0.4.5 2021-02-05 16:05:57 +00:00
Alexander Færøy
6578a3e865 Merge branch 'tor-gitlab/mr/292_squashed' into maint-0.4.4 2021-02-05 16:04:53 +00:00
Alexander Færøy
67aefd5520 Only check for bindable ports if we are unsure if it will fail.
We currently assume that the only way for Tor to listen on ports in the
privileged port range (1 to 1023), on Linux, is if we are granted the
NET_BIND_SERVICE capability. Today on Linux, it's possible to specify
the beginning of the unprivileged port range using a sysctl
configuration option. Docker (and thus the CI service Tor uses) recently
changed this sysctl value to 0, which causes our tests to fail as they
assume that we should NOT be able to bind to a privileged port *without*
the NET_BIND_SERVICE capability.

In this patch, we read the value of the sysctl value via the /proc/sys/
filesystem iff it's present, otherwise we assume the default
unprivileged port range begins at port 1024.

See: tor#40275
2021-02-05 16:04:21 +00:00
Nick Mathewson
ff1b24fb73 Merge branch 'maint-0.4.4' into maint-0.4.5
"ours" to avoid version bump.
2021-02-03 13:39:41 -05:00
Nick Mathewson
2933c37188 Merge branch 'maint-0.4.3' into maint-0.4.4
"ours" to avoid version bump.
2021-02-03 13:39:28 -05:00
Nick Mathewson
8a17999da3 Merge branch 'maint-0.3.5' into maint-0.4.3
"ours" to avoid version bump.
2021-02-03 13:39:08 -05:00
Nick Mathewson
f3ba71bbee bump to 0.4.4.7-dev 2021-02-03 13:39:03 -05:00
Nick Mathewson
0d14ac1e0e bump to 0.4.3.8-dev 2021-02-03 13:38:56 -05:00
Nick Mathewson
21317c9229 Bump to 0.3.5.13-dev. 2021-02-03 13:37:28 -05:00
David Goulet
44b4aa82aa nodelist: Remove merge artefact
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-03 09:35:45 -05:00
David Goulet
9e91bb31cc Merge branch 'maint-0.4.4' into maint-0.4.5 2021-02-03 09:11:15 -05:00
David Goulet
61e38deb56 Merge branch 'maint-0.4.3' into maint-0.4.4 2021-02-03 09:11:14 -05:00
David Goulet
890a9e89ba Merge branch 'maint-0.3.5' into maint-0.4.3 2021-02-03 09:11:14 -05:00
David Goulet
f322ea3fa8 Merge branch 'ticket40269_035_01' into maint-0.3.5 2021-02-03 09:11:09 -05:00
David Goulet
6f95cdf87e Remove unused addr_port_set code
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-03 09:11:01 -05:00
David Goulet
a0b3e9116d Merge branch 'maint-0.4.4' into maint-0.4.5 2021-02-03 08:58:02 -05:00
David Goulet
eda81ea27e Merge branch 'maint-0.4.3' into maint-0.4.4 2021-02-03 08:56:38 -05:00
David Goulet
cc5d5a5d1e Merge branch 'maint-0.3.5' into maint-0.4.3 2021-02-03 08:56:38 -05:00
David Goulet
a3cef41fc3 Merge branch 'ticket40270_035_01' into maint-0.3.5 2021-02-03 08:56:30 -05:00
David Goulet
903bfc4eca Merge branch 'maint-0.4.3' into maint-0.4.4 2021-02-03 08:54:40 -05:00
David Goulet
e50648582b Merge branch 'maint-0.3.5' into maint-0.4.3 2021-02-03 08:54:40 -05:00
David Goulet
c2cee6c780 node: Move reentry set to use a digestmap_t
Any lookup now will be certain and not probabilistic as the bloomfilter.

Closes #40269

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-03 08:54:02 -05:00
David Goulet
59f1a41a7f relay: Send back CONNECTION_REFUSED on reentry
The TORPROTOCOL reason causes the client to close the circuit which is not
what we want because other valid streams might be on it.

Instead, CONNECTION_REFUSED will leave it open but will not allow more streams
to be attached to it. The client then open a new circuit to the destination.

Closes #40270

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-03 08:52:48 -05:00
David Goulet
36b51a1c71 Merge branch 'maint-0.4.3' into maint-0.4.4 2021-02-03 08:51:37 -05:00
David Goulet
0f8195406e Merge branch 'maint-0.3.5' into maint-0.4.3 2021-02-03 08:51:36 -05:00
David Goulet
98590621bb relay: Double the size of the relay reentry set
This is to minimize false positive and thus deny reentry to Exit connections
that were in reality not re-entering. Helps with overall UX.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-03 08:51:00 -05:00
David Goulet
ce3af5dd59 relay: Follow consensus parameter for network reentry
Obey the "allow-network-reentry" consensus parameters in order to decide to
allow it or not at the Exit.

Closes #40268

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-03 08:50:56 -05:00
Nick Mathewson
40eeb63b5e bump to 0.4.5.5-rc-dev 2021-02-01 16:14:07 -05:00
David Goulet
ed373eaa8d Merge branch 'tor-gitlab/mr/289' into maint-0.4.5 2021-02-01 14:09:58 -05:00
David Goulet
387d1d8835 relay: Send back CONNECTION_REFUSED on reentry
The TORPROTOCOL reason causes the client to close the circuit which is not
what we want because other valid streams might be on it.

Instead, CONNECTION_REFUSED will leave it open but will not allow more streams
to be attached to it. The client then open a new circuit to the destination.

Closes #40270

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-01 12:45:32 -05:00
David Goulet
627e7d6625 Remove unused addr_port_set code
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-01 12:28:29 -05:00
David Goulet
bd4a3f64a1 node: Move reentry set to use a digestmap_t
Any lookup now will be certain and not probabilistic as the bloomfilter.

Closes #40269

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-01 12:22:23 -05:00
David Goulet
838e07be9d relay: Double the size of the relay reentry set
This is to minimize false positive and thus deny reentry to Exit connections
that were in reality not re-entering. Helps with overall UX.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-01 09:04:50 -05:00
David Goulet
2c3c30e58f relay: Follow consensus parameter for network reentry
Obey the "allow-network-reentry" consensus parameters in order to decide to
allow it or not at the Exit.

Closes #40268

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-01 08:56:27 -05:00
David Goulet
b2434d30d2 Merge branch 'tor-gitlab/mr/285' into ticket2667_044_01 2021-01-29 14:54:21 -05:00
David Goulet
705fd37875 Merge branch 'tor-gitlab/mr/284' into ticket2667_043_01 2021-01-29 14:51:38 -05:00
George Kadianakis
46efbcb116 test: Add test for exits blocking reentry to the network
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-29 14:28:56 -05:00
Roger Dingledine
632688c797 exit: Deny re-entry into the network
Exit relays now reject exit attempts to known relay addresses + ORPort and
also to authorities on the ORPort and DirPort.

Closes #2667

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-29 14:28:54 -05:00
David Goulet
8dda7bfdb8 relay: Add bloomfiter of relay address + {OR|Dir}Port
In order to deny re-entry in the network, we now keep a bloomfilter of relay
ORPort + address and authorities ORPort + address and DirPort + address
combinations.

So when an Exit stream is handled, we deny anything connecting back into the
network on the ORPorts for relays and on the ORPort+DirPort for the
authorities.

Related to #2667

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-29 14:28:51 -05:00
George Kadianakis
9eba65bd8b test: Add test for exits blocking reentry to the network
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-29 14:19:17 -05:00
Roger Dingledine
93ac6ec4d3 exit: Deny re-entry into the network
Exit relays now reject exit attempts to known relay addresses + ORPort and
also to authorities on the ORPort and DirPort.

Closes #2667

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-29 14:19:17 -05:00
David Goulet
f26950fa7a relay: Add bloomfiter of relay address + {OR|Dir}Port
In order to deny re-entry in the network, we now keep a bloomfilter of relay
ORPort + address and authorities ORPort + address and DirPort + address
combinations.

So when an Exit stream is handled, we deny anything connecting back into the
network on the ORPorts for relays and on the ORPort+DirPort for the
authorities.

Related to #2667

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-29 14:19:17 -05:00