These macros are used in multiple functions, and as such really
don't belong within a single function.
Also #undef them once we are done with them.
This change makes practracker pass again.
We previously used tor_fragile_assert() to declare that this case
could not happen: VERSIONS cells are always supposed to be
variable-sized, right?
This is incorrect, though. On a v1 link protocol connection, all
cells are fixed-sized. There aren't supposed to be any VERSIONS
cells with this version of the protocol, but apparently, somebody
was messing up. (The v1 link protocol is obsolete, so probably the
implementer responsible didn't mean to be using it.)
Fixes bug 31107. Bugfix on 0.2.4.4-alpha, when we introduced a
tor_fragile_assert() for this case.
There seems to be some unreliability issue with this test on
appveyor.
Addresses ticket 31757; This isn't a final fix for this issue, but
it should make CI pass.
This script takes a set of example torrcs and command-lines from
src/test/conf_examples. If a success is expected, it runs "tor
--dump-config" and compares the result with the one we expect. If a
failure is expected, it runs "tor --verify-config" and greps for the
error we expect.
GCC complains that we are using too many variables here, probably
because of the sheer number of locals used for our tinytest macros.
Eventually we should fix that (see 30968), but this commit just
makes the "note" go away by splitting the test function into two.
Here we make it clear we're only looking at listable variable names,
not at whether the variables themselves are gettable.
Also, remove an extraneous h.
(This commit is not a fixup, because of rebase conflicts.)
Since the flags are now stored with compatible numbering, we can
just OR them together and see whether the flag we want is in the
result.
(Net code removal!)
Using a bitfield here will enable us to unify the var_type_def_t flags
with the config_var_t flags.
(This commit does not yet do that unification, and does not yet
rename or refactor any flags. It only changes booleans into bits.)
Previously they checked the individual flags inside var_type_def_t;
now they call the appropriate var_type_is_*() functions.
(These functions will be removed entirely by the end of this branch.)
We had though to make all obsolete and invisible variables
ungettable, so that GETCONF would reject them. But it turns out
that this isn't the current behavior of GETCONF with those
variables. So for now, I'm leaving the current behavior unchanged.
(See ticket 31647 for a proposal to change the behavior.)
These errors can occur if we are built on a system with support for
madvise(MADV_NOFORK) but then we are run on a system whose kernel
does not support that flag.
If the error is something that we don't tolerate at all, we now log
it before crashing.
Fixes bug 31696. I am calling this a bugfix on 0.4.1.1-alpha, where
we actually started using the map_anon code.
This is similar to, but not the same as, the fix for #31570.
Our code assumes that when we're configured to get IPv6 addresses
out of a TRANS_PF transparent proxy connection, we actually will.
But we didn't check that, and so FreeBSD started warning us about a
potential NULL pointer dereference.
Fixes part of bug 31687; bugfix on 0.2.3.4-alpha when this code was
added.
We used to do this on Windows only, but it appears to affect
multiple platforms when building with certain versions of GCC, and a
common pattern for defining the floating-point classifier functions.
Fixes part of 31687. I'm calling this a bugfux on 31687, when we
started suppressing these warnings on Windows.
We have code in microdescs_parse_from_string() to record the digests
of microdescriptors that we could not parse. But right now, that
code looks at the md->digest field, which is a bit inelegant, and
will stand in the way of sensible refactoring.
Instead, use a local variable to hold the digest.
This test makes sure that we parse ed25519 identities to get the
correct data from them. It also tests:
* That a microdescriptor may not have two ed25519 identities.
* That a microdescriptor may not have an ed25519 identity that is
not a valid base64-encoded ed25519 key.
* That a microdescriptor may have an unrecognized identity type.
It will help test the refactoring of ticket31675.
These levels get out of date really easily: we'll implement a level
dump command in tor in 31614.
They also cause conflicts and inconsistencies when merging forward
level changes.
Part of 31615.
Fix levels for subsystems that depend on log/err
* winprocess (security) doesn't use err:
* call windows process security APIs as early as possible
* init err after winprocess
* move wallclock so it's still after err
* network and time depend on log:
* make sure that network and time can use logging.
* init network and time after log
Add comments explaining the module init order.
Fixes bug 31615; bugfix on 0.4.0.1-alpha.
When tor is missing descriptors for some primary entry guards, make the
log message less alarming. It's normal for descriptors to expire, as long
as tor fetches new ones soon after.
Fixes bug 31657; bugfix on 0.3.3.1-alpha.
Now that the variants of these functions that took config_line_t are
gone, there is no longer any reason for the remaining variants to
have "ex" at the end of their names.
This commit was made by running this perl script over all the files
in src/:
#!/usr/bin/perl -w -i -p
s{typed_var_(assign|free|encode|copy|eq|ok|kvassign|kvencode|mark_fragile)_ex}
{typed_var_$1}g;
Previously we used int in some places and off_t for others. Neither
is correct: ptrdiff_t is right for differences between pointers.
(off_t is only for offsets and sizes on the filesystem.)
Also add an explanation of a possible future refactoring where we
might remove the config_type_t enumeration entierly.
Fixes ticket 31624.
No changes file, since this is a comment-only change.
When we parse a CLEAR line (e.g., "/OrPort" or /OrPort blah blah"),
we always suppress the value, even if one exists. That means that
the block of code was meant to handle CLEAR lines didn't actually do
anything, since we previously handled them the same way as with
other empty values.
Closes ticket 31529.
Previously we used int here, but it is more correct to use
ptrdiff_t. (This never actually matters for our code in practice,
since the structure we are managing here never exceed INT_MAX in
size.)
We can't use strlcat() or strlcpy() in torerr, because they are defined
in string/compat_string.h on some platforms, and string uses torerr.
Part of 31571.
These errors can occur if we are built on a system with support for
madvise(MADV_NOFORK) but then we are run on a system whose kernel
does not support that flag.
If the error is something that we don't tolerate at all, we now log
it before crashing.
Fixes bug 31570. I am calling this a bugfix on 0.4.1.1-alpha, where
we actually started using the map_anon code.
Some platforms (macOS, maybe others?) can swallow the last write before an
abort. This issue is probably caused by a race condition between write
buffer cache flushing, and process termination. So we write an extra
newline, to make sure that the message always gets through.
Fixes bug 31571; bugfix on 0.3.5.1-alpha.
We want to report the tor version, even on platforms that don't have
backtrace support (like Android).
This commit stores the backtrace Tor version, regardless of USE_BACKTRACE.
Preparation for 31571.
This fixes LTO compilation for Android and -O0 compilation in
general, when --disable-module-dirauth is provided.
Fixes bug 31552; bugfix on 0.4.1.1-alpha.
Rewrite format_node_description() and router_get_verbose_nickname() to
use strlcpy() and strlcat(). The previous implementation used memcpy()
and pointer arithmetic, which was error-prone.
Closes ticket 31545. This is CID 1452819.
These functions are all used to implement the ROUTERSET_type_defn
object, which maps strings to and from routerset_t configuration
variables for the configuration module.
routerset_t has two representations of an empty routerset: NULL, and
a set containing no elements. But some of our config code assumes
that empty routersets are represented as NULL. So let's give it
what it assumes.
Fixes bug 31495. Bugfix on e16b90b88a76; but not in any released
Tor.
A configuration manager, in addition to a top-level format object,
may now also know about a suite of sub-formats. Top-level
configuration objects, in turn, may now have a suite of
sub-objects.
The right way to free a config object is now to wrap config_free(),
always. Instead of creating an alternative free function, objects
should provide an alternative clear callback to free any fields that
the configuration manager doesn't manage.
This lets us simplify our code a little, and lets us extend the
confparse.c code to manage additional fields in config_free.
Every time we finalize a config manager, we now generate a new magic
number for it, so that we'll get an assertion failure if we ever try
to use an object with a different configuration manager than the one
that generated it.
It's good style to always add parentheses when using macro
arguments, in case somebody someday provides an argument that
contains an operator you don't expect, or causes the expression to
parse differently.
In Tor's tests, the tt_*() macros can call "goto done" on failure.
When that happens, we need to make sure that all of our allocated
memory still gets freed, or else Coverity will complain.
Move everything to its own function in order to better log, document and tests
the introduction point validation process.
Signed-off-by: David Goulet <dgoulet@torproject.org>
When consensus changes, we also need to update the circuit INTRO2 defenses
enabled flag and not only the token bucket.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Remove the public functions returning the HS DoS consensus param or default
values as it is exclusively used internally now.
Rename the param_* variables to consensus_param_* for better code semantic.
Finally, make some private functions available to unit tests.
Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit makes it that the hs_dos.c file only uses the consensus parameter
variables set when we initialize and when the consensus changes.
There is no need to call each time networkstatus_get_param(), which is
expensive, when we want access to a consensus value.
Signed-off-by: David Goulet <dgoulet@torproject.org>
A bit cleaner especially that the next commit(s) will make the consensus param
interface private to hs_dos.c so we expose as little as we can outside of the
subsystem.
Part of #30924
Signed-off-by: David Goulet <dgoulet@torproject.org>
We added a flag on the circuit to know if the DoS defenses are enabled or not.
Before, it was solely the consensus parameter.
Part of #30924
Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit makes tor add the DoS cell extension to the ESTABLISH_INTRO cell
if the defense is enabled on the service side with a torrc option.
Furthermore, the cell extension is only added if the introduction point
supports it. The protover version HSIntro=5 is looked for.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Make it clear that these functions return the consensus param only.
Introduction point can not set those values with a torrc option.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Previously, v3 single onion services failed when all intro nodes were
unreachable via a 1-hop path. Now, we select intros that are only available
via a 3-hop path, and use a 3-hop path to connect to them.
Fixes bug 23507; bugfix on 0.3.2.1-alpha.
Previously, we used a 1-hop path when a single onion rend failed
immediately, and a 3-hop path when it failed after trying to build
a circuit.
Fixes bug 23818; bugfix on 0.3.2.1-alpha.
Previously, we used a 1-hop path when a single onion rend failed
immediately, and a 3-hop path when it failed after trying to build
a circuit.
Fixes bug 23818; bugfix on 0.2.9.3-alpha.
Coverity wants us to free everything that we are potentially
allocating, even stuff where allocating it would be a bug. Adding
a smartlist_free() here will fix the warning.
Fixes bug 31452; bugfix on 16a0b7ed67, which is not in
any released Tor. This is CID 1447292.
If unsigned int is 32-bits long, then our old code would give a
wrong result with any log domain whose mask was >= (1<<32).
Fortunately, there are no such log domains right now: the domain
mask is only 64 bits long to accommodate some flags.
Found by coverity as CID 1452041.
Fixes bug 31451; bugfix on 0.4.1.4-rc.