When we updated main.c to use the same entry points as tor_api.h, we
didn't update ntmain.c. This led to bugs as the two got out of
sync.
There are two calls that we drop in this patch: first, I drop the
call to set_main_thread(), since that's redundant with the init
function in compat_winthreads.c (but see #32884). Second, I drop
the check for CMD_RUN_TOR: I'll add that back with a subsequent
commit.
Closes ticket 32883.
Allow calls to dup() which was introduced in commit a22fbab986.
From a security perspective, I don't think this should impact the
security of the sandbox significantly. As far as I can tell, there
is nothing an adversary can do with a duplicated FD that can't be
done with the original.
We stopped looking at this option in 85cf6dcba3, back when we
implemented the minimal pieces of prop275. Since then, we've had
code to validate and adjust this option, and to give it a different
value in testing networks, but the option hasn't actually done
anything.
We can safely mark it as OBSOLETE, since doing so does not make any
old configuration get rejected.
Closes ticket 32807.
With v3, the "pending_final_cpath" of a circuit is always NULL which means
that for v3, established client rendezvous circuit waiting for the intro point
to ACK, will always end up timing out quickly.
This can increase the delays to which you connect to a service since in order
to succeed, the rendezvous circuit needs to fully established
(CIRCUIT_PURPOSE_C_REND_JOINED) within the cutoff of the introduction circuit
as well which is these days around 2-3 seconds.
Fixes#32021
Signed-off-by: David Goulet <dgoulet@torproject.org>
Add a check-practracker-unit-test target, and run it as part of
"make check".
Add the practracker unit tests to scripts/git/pre-commit.git-hook.
Part of 32609.
Require C99 standards-conforming code in Travis CI, but allow GNU gcc
extensions. Also activates clang's -Wtypedef-redefinition warnings.
Builds some jobs with -std=gnu99, and some jobs without.
Closes ticket 32500.
Python 2 will be end-of-life as of 1 Jan 2020, so we can finally
stop supporting it. As a first step, we should make our configure
script stop accepting python 2 as something acceptable to run our
tests with.
Closes ticket 32608.
In #26913 we solved a bug where CacheDirectoryGroupReadable would
override DataDirectoryGroupReadable when the two directories are the
same. We never did the same for KeyDirectory, though, because
that's a rare setting.
Now that I'm testing this code, though, fixing this issue seems
fine. Fixes bug #27992; bugfix on 0.3.3.1-alpha.
When we added the $FILTER for Windows newlines, we made
the pipeline always exit successfully, even if tor failed.
Fixes bug 32468; bugfix on 0.4.2.1-alpha.
When a SOCKS5 client sends a RESOLVE_PTR request, it must include
either an IPv4 or IPv6 address. In the past this was required to be a
binary address (address types 1 or 4), but since the refactoring of
SOCKS5 support in Tor 0.3.5.1-alpha, strings (address type 3) are also
allowed if they represent an IPv4 or IPv6 literal.
However, when a binary IPv6 address is provided,
parse_socks5_client_request converts it into a string enclosed in
brackets. This doesn't match what string_is_valid_ipv6_address
expects, so this would fail with the error "socks5 received
RESOLVE_PTR command with hostname type. Rejecting."
By replacing string_is_valid_ipv4_address/string_is_valid_ipv6_address
with tor_addr_parse, we accept strings both with and without brackets.
This fixes the handling of binary addresses, and also improves
symmetry with CONNECT and RESOLVE requests.
Fixes bug 32315.
Install the mingw OpenSSL package in Appveyor. This makes sure that
the OpenSSL headers and libraries match in Tor's Appveyor builds.
(This bug was triggered by an Appveyor image update.)
Fixes bug 32449; bugfix on 0.3.5.6-rc.
It no longer warns, and is now defined in terms of an "IGNORE" type.
(The "IGNORE" type is the same as "OBSOLETE", except that it is not
reported as obsolete. It should be useful for disabled modules.)
Closes ticket 32404.
We still interpret "AccelName" as turning on the "HardwareAccel"
feature, but we no longer modify the user's options here.
Fixes bug 32382; bugfix on 0.2.2.1-alpha when we added openssl
engine support.
When the relay module is disabled, make "ClientOnly 1" and
"DirCache 0" by default. (But keep "ClientOnly 0" and
"DirCache 1" as the defaults for the unit tests.)
And run "make autostyle".
Part of ticket 32410.
Doing so caused us to crash in some unusual circumstances, such as
using --verify-config to verify a configuration that failed during
the options_act() stage.
Fixes bug 32407; bugfix on 0.3.3.1-alpha.
test_parseconf.sh now supports:
* {error,expected}{,_lzma,_nss,_zstd}{,_no_dirauth,_no_relay_dirauth}
Or any combination of two or more optional libraries.
Closes ticket 32397.
This check was accidentally disabled by a bad find command.
Fixes bug 32402; bugfix on 0.4.2.1-alpha.
Obviously correct changes to already reviewed code.
Up till now, we have warned about all missing documentation, which
meant that we could never make doxygen warnings fatal. This has led
to our doxygen output getting full of errors several times in the
past.
This commit changes our approach to doxygen warnings: missing
documentation warnings are only on when the user asks for them with
--enable-missing-doc-warnings. When that option is not present,
doxygen respects the --enable-fatal-warnings flag.
Closes ticket 32385.
The current pkg-config setup has no sense of whether it is cross-compiling,
so it will detect things on the build system that are not present or are
wrong for the host system. This forces the cross-compiling build to only
look for pkg-config .pc files in --prefix.
A version of this has been the setup for many years with the Android builds.
Fixes#32191
Signed-off-by: Hans-Christoph Steiner <hans@eds.org>
When picking an intro point from the service descriptor, the client failed to
lookup the failure cache.
It made an HS v2 client re-pick bad intro points for which we already know it
won't work in the first place.
Based on Neel Chauhan original patch.
Fixes#25568
Signed-off-by: David Goulet <dgoulet@torproject.org>
Before, when parsing memunits, if overflow occured it failed silently.
Use nowrap u64 math to detect overflow, compare to INT64_MAX and if
greater tell user and fail accordingly.
15000000.5 TB fails double check as it a greater floating number than
(double)INT64_MAX
8388608.1 TB passes double check because it falls in the same value as
(double)INT64_MAX (which is 2^63), but will fail the int check because
(uint64_t)d, which is 2^63, is strictly greater than 2^63-1 (INT64_MAX).
Fixes#30920
Signed-off-by: José M. Guisado <guigom@riseup.net>
Before inspecting the p_chan, we must check if the circuit is marked for close
because if it is the case, the channels are nullified from the circuit.
Several valid cases can mark the circuit for close of the directory
connection.
Fixes#31958
Signed-off-by: David Goulet <dgoulet@torproject.org>
hs_client_purge_state() and hs_cache_clean_as_client() can remove a descriptor
from the client cache with a NEWNYM or simply when the descriptor expires.
Which means that for an INTRO circuit being established during that time, once
it opens, we lookup the descriptor to get the IP object but hey surprised, no
more descriptor.
The approach here is minimalist that is accept the race and close the circuit
since we can not continue. Before that, the circuit would stay opened and the
client wait the SockTimeout.
Fixers #28970.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Only use the HS circuit map to know if an introduction circuit is established
or not. No need for a flag to keep state of something we already have in the
circuit map. Furthermore, the circuit map gets cleaned up properly so it will
always have the "latest truth".
This commit also removes a unit test that was testing specifically that flag
but now we rely solely on the HS circuit map which is also tested few lines
below the removed test.
Fixes#32094
Signed-off-by: David Goulet <dgoulet@torproject.org>
Our minimum version is now 0.2.9.5-alpha. Series 0.3.0, 0.3.1,
0.3.2, 0.3.3, and 0.3.4 are now rejected.
Also, extract this version-checking code into a new function, so we
can test it.
Closes ticket 31549.
Also reject 0.3.5.0 through 0.3.5.6-rc as unstable.
Make clear in the man page, in both the bandwidth section and the
accountingmax section, that Tor counts in powers of two, not
powers of ten: 1 GByte is 1024*1024*1024 bytes, not one billion
bytes.
Resolves ticket 32106.
Conflicts:
src/feature/dirparse/authcert_parse.c
src/feature/dirparse/ns_parse.c
src/feature/hs/hs_service.c
src/lib/conf/conftesting.h
src/lib/log/log.h
src/lib/thread/threads.h
src/test/test_options.c
These conflicts were mostly related to autostyle improvements, with
one or two due to doxygen fixes.
Relays now respect their AccountingMax bandwidth again. When relays
entered "soft" hibernation (which typically starts when we've hit
90% of our AccountingMax), we had stopped checking whether we should
enter hard hibernation. Soft hibernation refuses new connections and
new circuits, but the existing circuits can continue, meaning that
relays could have exceeded their configured AccountingMax.
This commit rolls back some of the cpu-saving fixes, where we tried
to avoid calling so many of our events while we're off the network.
That's because PERIODIC_EVENT_FLAG_NEED_NET checks net_is_disabled(),
which returns true even if we're only in soft hibernation.
Fixes bug 32108; bugfix on 0.4.0.1-alpha.
Create an optional relay module, which can be disabled using the
--disable-module-relay configure option. When it is set, also disable
the dirauth module.
Add a minimal implemention, which disables the relay and dircache modes
in tor.
Closes ticket 32123.
* actually sleep when tor has not logged anything
* log at debug level when waiting for tor to log something
* backslash-replace bad UTF-8 characters in logs
* format control messages as ASCII: tor does not accept UTF-8 control commands
Fixes bug 31837; bugfix on 0.3.5.1-alpha.
This patch removes an overly strict tor_assert() and an ignorable BUG()
expression. Both of these would trigger if a PT was unable to configure
itself during startup. The easy way to trigger this is to configure an
obfs4 bridge where you make the obfs4 process try to bind on a port
number under 1024.
See: https://bugs.torproject.org/31091
This patch removes a call to tor_assert_unreached() after execve()
failed. This assertion leads to the child process emitting a stack trace
on its standard output, which makes the error harder for the user to
demystify, since they think it is an internal error in Tor instead of
"just" being a "no such file or directory" error.
The process will now instead output "Error from child process: X" where
X is the stringified version of the errno value.
See: https://bugs.torproject.org/31810
This patch removes a call to tor_assert_unreached() after execve()
failed. This assertion leads to the child process emitting a stack trace
on its standard output, which makes the error harder for the user to
demystify, since they think it is an internal error in Tor instead of
"just" being a "no such file or directory" error.
The process will now instead output "Error from child process: X" where
X is the stringified version of the errno value.
See: https://bugs.torproject.org/31810
When tearing down all periodic events during shutdown, disable them first so
their enable flag is updated.
This allows the tor_api.h to relaunch tor properly after a clean shutdown.
Fixes#32058
Signed-off-by: David Goulet <dgoulet@torproject.org>
Running doxygen with latex gave us all manner of unicode issues,
slowed down the "make doxygen" target by a lot, and added several
latex dependencies... all to produce a 4000-page reference manual
which is probably not what anybody wanted.
Closes ticket 32099.
Found by coverity CID 1454769.
There were a second possible leak that is also fixed in this commit.
Fixes#32063
Signed-off-by: David Goulet <dgoulet@torproject.org>
Code adapted from Rob's proposed patch in #30344.
Also add a comment in connection_mark_for_close_internal_() on why we should
not be adding extra code there without a very good reason.
When considering introduction point of a service's descriptor, do not remove
an intro point that has an established or pending circuit.
Fixes#31652
Signed-off-by: David Goulet <dgoulet@torproject.org>
When encoding introduction points, we were not checking if that intro points
had an established circuit.
When botting up, the service will pick, by default, 3 + 2 intro points and the
first 3 that establish, we use them and upload the descriptor.
However, the intro point is removed from the service descriptor list only when
the circuit has opened and we see that we have already enough intro points, it
is then removed.
But it is possible that the service establishes 3 intro points successfully
before the other(s) have even opened yet.
This lead to the service encoding extra intro points in the descriptor even
though the circuit is not opened or might never establish (#31561).
Fixes#31548
Signed-off-by: David Goulet <dgoulet@torproject.org>
These tests all invoke the hostname resolver in one way or another,
and therefore potentially block if our DNS server is missing,
absent, or extremely slow. Closes ticket 31841.
Our minimum version is now 0.2.9.5-alpha. Series 0.3.0, 0.3.1,
0.3.2, 0.3.3, and 0.3.4 are now rejected.
Also, extract this version-checking code into a new function, so we
can test it.
Closes ticket 31549.
Also reject 0.3.5.0 through 0.3.5.6-rc as unstable.
When pkg-config is not installed, or a library that depends on
pkg-config is not found, tell the user what to do to fix the
problem.
Fixes bug 31922; bugfix on 0.3.1.1-alpha.