Commit Graph

28153 Commits

Author SHA1 Message Date
David Goulet
7f5355826b test: Really fix the mem leak from prior commit
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-01 09:07:43 -04:00
David Goulet
faff592c3b test: Fix a mem leak reported by Coverity
Here is the report:

  *** CID 1531835:  Resource leaks  (RESOURCE_LEAK)
  /src/test/test_crypto_slow.c: 683 in test_crypto_equix()
  677
  678           /* Solve phase: Make sure the test vector matches */
  679           memset(&output, 0xa5, sizeof output);
  680           equix_result result;
  681           result = equix_solve(solve_ctx, challenge_literal,
  682                                challenge_len, &output);
  >>>     CID 1531835:  Resource leaks  (RESOURCE_LEAK)
  >>>     Variable "solve_ctx" going out of scope leaks the storage it points to.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-01 08:35:08 -04:00
David Goulet
97008526db Merge branch 'maint-0.4.7' 2023-05-31 14:32:07 -04:00
David Goulet
d77f1e7aea Merge branch 'tor-gitlab/mr/714' into maint-0.4.7 2023-05-31 14:28:44 -04:00
Micah Elizabeth Scott
3036bedf30 Update CI builds to Debian Bullseye, fix associated compatibility bugs
This is a change intended for 0.4.7 maintenance as well as main.

The CI builds use Debian Buster which is now end of life, and I was
experiencing inconsistent CI failures with accessing its security update
server. I wanted to update CI to a distro that isn't EOL, and Bullseye
is the current stable release of Debian.

This opened up a small can of worms that this commit also deals with.
In particular there's a docker engine bug that we work around by
removing the docker-specific apt cleanup script if it exists, and
there's a new incompatibility between tracing and sandbox support.

The tracing/sandbox incompatibility itself had two parts:

  - The membarrier() syscall is used to deliver inter-processor
    synchronization events, and the external "userspace-rcu"
    data structure library would make assumptions that if membarrier
    is available at initialization it always will be. This caused
    segfaults in some cases when running trace + sandbox. Resolved this
    by allowing membarrier entirely, in the sandbox.

  - userspace-rcu also assumes it can block signals, and fails
    hard if this can't be done. We already include a similar carveout
    to allow this in the sandbox for fragile-hardening, so I extended
    that to cover tracing as well.

Addresses issue #40799

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-31 11:08:27 -07:00
David Goulet
925201c946 Merge branch 'tor-gitlab/mr/713' 2023-05-31 09:07:45 -04:00
orbea
9850dc59c0 tls: Disable a warning with LibreSSL >= 3.8.0
Skip a warning using EC_GFp_nist_method() which was removed in LibreSSL
3.8.

Based on a patch from OpenBSD.

33fe251a08

These functions are deprecated since OpenSSL 3.0.

https://www.openssl.org/docs/man3.1/man3/EC_GFp_nist_method.html
2023-05-29 13:00:32 -07:00
Micah Elizabeth Scott
415c0354b2 hs_pow: Add CompiledProofOfWorkHash torrc option
This exposes the new fallback behavior in hashx via a new AUTOBOOL
configuration option, available to both clients and services. The
default should be fine for nearly everyone, but it might be necessary
to enable or disable the compiler manually for diagnostic purposes.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:03 -07:00
Micah Elizabeth Scott
a397a92be2 hs_pow: Update for equix API to fix issue 40794
This change adapts the hs_pow layer and unit tests to API changes
in hashx and equix which modify the fault recovery responsibilities
and reporting behaivor.

This and the corresponding implementation changes in hashx and equix
form the fix for #40794, both solving the segfault and giving hashx a
way to report those failures up the call chain without them being
mistaken for a different error (unusable seed) that would warrant a
retry.

To handle these new late compiler failures with a minimum of fuss or
inefficiency, the failover is delegated to the internals of hashx and
tor needs only pass in a EQUIX_CTX_TRY_COMPILE flag to get the behavior
that tor was previously responsible for implementing.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:02 -07:00
Micah Elizabeth Scott
a3513dea54 equix: API changes for new result codes and hashx compatibility
This change adapts Equi-X to the corresponding HashX API changes that
added HASHX_TRY_COMPILE. The new regularized HashX return codes are
reflected by revised corresponding Equi-X return codes.

Both solve and verify operations now return an error/success code, and a
new equix_solutions_buffer struct includes both the solution buffer
and information about the solution count and hashx implementation.

With this change, it's possible to discern between hash construction
failures (invalid seed) and some external error like an mprotect()
failure.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:02 -07:00
Micah Elizabeth Scott
5a4f92ea7b hashx: API changes to allow recovery from late compile failures
This is an API breaking change to hashx, which modifies the error
handling strategy. The main goal here is to allow unproblematic
recovery from hashx_compile failures.

hashx_alloc can no longer fail for reasons other than memory
allocation. All platform-specific compile failures are now reported via
hashx_make(), in order to both allow later failure and avoid requiring
users of the API to maintain and test multiple failure paths.

Note that late failures may be more common in actual use than early
failures. Early failures represent architectures other than x86_64 and
aarch64. Late failures could represent a number of system configurations
where syscalls are restricted.

The definition of a hashx context no longer tries to overlay storage for
the different types of program, and instead allows one context to always
contain an interpretable description of the program as well as an optional
buffer for compiled code.

The hashx_type enum is now used to mean either a specific type of hash
function or a type of hashx context. You can allocate a context for use
only with interpreted or compiled functions, or you can use
HASHX_TRY_COMPILE to prefer the compiler with an automatic fallback on
the interpreter. After calling hashx_make(), the new hashx_query_type()
can be used if needed to determine which implementation was actually
chosen.

The error return types have been overhauled so that everyone uses the
hashx_result enum, and seed failures vs compile failures are always
clearly distinguishable.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:02 -07:00
Micah Elizabeth Scott
6fd5ca4914 hashx: allow hashx_compile to fail, avoid segfault without changing API
This is a minimal portion of the fix for tor issue #40794, in which
hashx segfaults due to denial of mprotect() syscalls at runtime.

Prior to this fix, hashx makes the assumption that if the JIT is
supported on the current architecture, it will also be usable at
runtime. This isn't true if mprotect fails on linux, which it may for
various reasons: the tor built-in sandbox, the shadow simulator, or
external security software that implements a syscall filter.

The necessary error propagation was missing internally in hashx,
causing us to obliviously call into code which was never made
executable. With this fix, hashx_make() will instead fail by returning
zero.

A proper fix will require API changes so that callers can discern
between different types of failures. Zero already means that a program
couldn't be constructed, which requires a different response: choosing a
different seed, vs switching implementations. Callers would also benefit
from a way to use one context (with its already-built program) to
run in either compiled or interpreted mode.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 19:54:50 -07:00
Micah Elizabeth Scott
941613c663 hashx: minor, another logical operator change
The code style in equix and hashx sometimes uses bitwise operators
in place of logical ones in cases where it doesn't really matter
either way. This sometimes annoys our static analyzer tools.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 19:54:50 -07:00
Micah Elizabeth Scott
c40c5adec2 test_sandbox: equix crypto test case for issue 40794
This is an additional test case for test_sandbox that runs a small
subset of test_crypto_equix() inside the syscall sandbox, where
mprotect() is filtered.

It's reasonable for the sandbox to disallow JIT. We could revise this
policy if we want, but it seems a good default for now. The problem
in issue 40794 is that both equix and hashx need improvements in their
API to handle failures after allocation time, and this failure occurs
while the hash function is being compiled.

With this commit only, the segfault from issue 40794 is reproduced.
Subsequent commits will fix the segfault and revise the API.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 19:54:50 -07:00
friendly73
273227afe1 Forgot about the stub names 2023-05-25 11:03:35 -04:00
friendly73
3d5d8d59c1 Added relay prefix to new metrics functions 2023-05-25 11:03:35 -04:00
friendly73
7e57b9dbbf Fixed enum type not found in relay_stub 2023-05-25 11:03:35 -04:00
friendly73
5b76ce1843 Added void stubs for the relay metrics functions to fix building without relay module 2023-05-25 11:03:35 -04:00
friendly73
8cbfc90686 Fixed new arguments for metrics_store_add 2023-05-25 11:03:35 -04:00
friendly73
1899b6230d Removed getter abstraction and moved from rephist to relay_metrics. 2023-05-25 11:03:35 -04:00
friendly73
2f8a88448d Fixed est intro getter using wrong array 2023-05-25 11:03:35 -04:00
friendly73
24bc66f663 Fixed REND1 metric label value 2023-05-25 11:03:35 -04:00
friendly73
36076d3c46 Added INTRO and REND metrics for relay. 2023-05-25 11:03:35 -04:00
David Goulet
a1042f4873 Merge branch 'tor-gitlab/mr/443' 2023-05-25 10:50:15 -04:00
Alexander Færøy
506781d41e Restart PT processes when they die on us.
This patch forces a PT reconfigure of infant PT processes as part of the
PT process' exit handler.

See: tpo/core/tor#33669
2023-05-25 10:50:11 -04:00
Alexander Færøy
58f0e548ff Log at LD_PT instead of LD_GENERAL for PT process stdout lines.
See: tpo/core/tor#33669
2023-05-25 10:50:11 -04:00
Alexander Færøy
3338b34ec9 Only terminate PT processes that are running.
See: tpo/core/tor#33669
2023-05-25 10:50:11 -04:00
Alexander Færøy
0d51dfa605 Log name of managed proxy in exit handler.
This patch ensures that we can figure out which PT that terminated in
the PT exit handler.

See: tpo/core/tor#33669
2023-05-25 10:50:11 -04:00
Alexander Færøy
5118a8003b Log state transitions for Pluggable Transports
This patch makes Tor log state transitions within the PT layer at the
info log-level. This should make it easier to figure out if Tor ends up
in a strange state.

See: tpo/core/tor#33669
2023-05-25 10:50:11 -04:00
David Goulet
970a534f03 test: Fix parseconf to account for ClientUseIPv6 change for dirauth disabled
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-05-25 10:20:12 -04:00
David Goulet
86bc3cc452 test: Fix parseconf to account for ClientUseIPv6 change
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-05-25 09:21:23 -04:00
David Goulet
a2ec9a1199 Merge branch 'tor-gitlab/mr/711' 2023-05-24 11:45:40 -04:00
Micah Elizabeth Scott
23f4a28f97 token_bucket_ctr: replace 32-bit wallclock time with monotime
This started as a response to ticket #40792 where Coverity is
complaining about a potential year 2038 bug where we cast time_t from
approx_time() to uint32_t for use in token_bucket_ctr.

There was a larger can of worms though, since token_bucket really
doesn't want to be using wallclock time here. I audited the call sites
for approx_time() and changed any that used a 32-bit cast or made
inappropriate use of wallclock time. Things like certificate lifetime,
consensus intervals, etc. need wallclock time. Measurements of rates
over time, however, are better served with a monotonic timer that does
not try and sync with wallclock ever.

Looking closer at token_bucket, its design is a bit odd because it was
initially intended for use with tick units but later forked into
token_bucket_rw which uses ticks to count bytes per second, and
token_bucket_ctr which uses seconds to count slower events. The rates
represented by either token bucket can't be lower than 1 per second, so
the slower timer in 'ctr' is necessary to represent the slower rates of
things like connections or introduction packets or rendezvous attempts.

I considered modifying token_bucket to use 64-bit timestamps overall
instead of 32-bit, but that seemed like an unnecessarily invasive change
that would grant some peace of mind but probably not help much. I was
more interested in removing the dependency on wallclock time. The
token_bucket_rw timer already uses monotonic time. This patch converts
token_bucket_ctr to use monotonic time as well. It introduces a new
monotime_coarse_absolute_sec(), which is currently the same as nsec
divided by a billion but could be optimized easily if we ever need to.

This patch also might fix a rollover bug.. I haven't tested this
extensively but I don't think the previous version of the rollover code
on either token bucket was correct, and I would expect it to get stuck
after the first rollover.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-24 11:43:11 -04:00
David Goulet
9976da9367 Merge branch 'tor-gitlab/mr/709' 2023-05-24 11:37:05 -04:00
David Goulet
0781c2968d Merge branch 'tor-gitlab/mr/710' 2023-05-24 11:12:22 -04:00
Micah Elizabeth Scott
71b2958a62 test_hs_descriptor: Add a test case that fails without the fix for 40793
This adds a bit more to hs_descriptor/test_decode_descriptor, mostly
testing pow-params and triggering the tor_assert() in issue #40793.

There was no mechanism for adding arbitrary test strings to the
encrypted portion of the desc without duplicating encode logic. One
option might be to publicize get_inner_encrypted_layer_plaintext enough
to add a mock implementation. In this patch I opt for what seems like
the simplest solution, at the cost of a small amount of #ifdef noise.
The unpacked descriptor grows a new test-only member that's used for
dropping arbitrary data in at encode time.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-24 11:12:15 -04:00
David Goulet
6afe03aa51 Merge branch 'tor-gitlab/mr/708' 2023-05-24 11:03:47 -04:00
agowa338
ffb764949e ipv6: Flip ClientUseIPv6 to 1
Fixes #40785

Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-05-24 11:03:15 -04:00
David Goulet
8eae9f17ae metrics: Add ticket 40546 changes file and code fix
The MR was using an old function definition so the code fix is for that.

Closes #40546

Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-05-24 10:45:21 -04:00
David Goulet
21ec9017f6 Merge branch 'tor-gitlab/mr/698' 2023-05-24 10:40:25 -04:00
David Goulet
6bf56ac301 Merge branch 'tor-gitlab/mr/703' 2023-05-24 10:38:58 -04:00
Micah Elizabeth Scott
459b775a7e hs_pow: fix insufficient length check in pow-params
The descriptor validation table had an out of date minimum length
for pow-params (3) whereas the spec and the current code expect at
least 4 parameters. This was an opportunity for a malicious service
to cause an assert failure in clients which attempted to parse its
descriptor.

Addresses issue #40793

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-15 12:11:00 -07:00
Micah Elizabeth Scott
a3ff3155c2 test_crypto: avoid memory leak in some hashx test failures
This should fix one of the warnings in issue #40792.

I was sloppy with freeing memory in the failure cases for
test_crypto_hashx. ASAN didn't notice but coverity did. Okay, I'll eat
my vegetables and put hashx_ctx's deinit in an upper scope and use
'goto done' correctly like a properly diligent C programmer.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-11 11:17:43 -07:00
Micah Elizabeth Scott
c71b6a14a3 equix: avoid a coverity warning in hashx_alloc()
This addresses one of the warnings in issue #40792. As far as I can tell
this is a false positive, since the use of "ctx->type" in hashx_free()
can only be hit after the unioned code/program pointer is non-NULL. It's
no big deal to zero this value explicitly to silence the warning though.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-11 11:10:15 -07:00
Mike Perry
79dab29a05 Add torrc option for conflux client UX. 2023-05-11 18:05:28 +00:00
Mike Perry
0c11577987 Fix unit tests. 2023-05-11 18:05:28 +00:00
Mike Perry
a340acb492 Clean up UX decision logic; hardcode for browser UX case. 2023-05-11 18:02:51 +00:00
Roger Dingledine
34da50718a fix minor typos in conflux and pow areas 2023-05-11 13:09:34 -04:00
Mike Perry
c8341abf82 Clean up and disable switch rate limiting.
Switch rate limiting will likely be helpful for limiting OOQ, but according to
shadow it was the cause of slower performance in Hong Kong endpoints.

So let's disable it, and then optimize for OOQ later.
2023-05-10 17:49:51 +00:00
Mike Perry
a98b1d3ab6 Remove two conflux algs: maxrate and cwndrate.
Maxrate had slower throughput than lowrtt in Shadow, which is not too
surprising. We just wanted to test it.
2023-05-10 17:49:51 +00:00