Commit Graph

25156 Commits

Author SHA1 Message Date
Isis Lovecruft
9988882c63
rust: Move rand crate into crypto parent crate. 2018-05-15 17:48:57 +00:00
Isis Lovecruft
2ac849da36
rust: Make Rng::new() methods public. 2018-05-15 17:45:09 +00:00
Nick Mathewson
98aff146d3 Merge branch 'maint-0.3.3' 2018-05-15 09:32:45 -04:00
Nick Mathewson
6acbd4c112 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-05-15 09:32:44 -04:00
Nick Mathewson
4aa3d511b2 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-05-15 09:32:44 -04:00
Nick Mathewson
502d2c0062 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-05-15 09:32:44 -04:00
Karsten Loesing
033e4723f3 Update geoip and geoip6 to the May 1 2018 database. 2018-05-15 15:20:09 +02:00
Nick Mathewson
5eb2d58880 Add a missing return after marking a stream for bad connected cell
Fixes bug 26072; bugfix on 0.2.4.7-alpha.
2018-05-14 15:54:48 -04:00
Nick Mathewson
a394a2dd86 Merge branch 'bug25903_v5_squashed' 2018-05-14 14:25:07 -04:00
Mike Perry
fd504587d5 Bug 25903: Tests 2018-05-14 14:24:58 -04:00
Nick Mathewson
a9ef335c1b Use router_get_my_routerinfo_with_err to implement the old version
Having one function implemented in terms of the other should keep
them from diverging.

follow-up on #25852
2018-05-14 14:12:36 -04:00
Nick Mathewson
d27fd7ff6b Merge remote-tracking branch 'rl1987/bug25852_take2' 2018-05-14 14:05:50 -04:00
Nick Mathewson
aab626405c Merge remote-tracking branch 'catalyst-github/bug25756' 2018-05-11 18:15:43 -04:00
Nick Mathewson
f6c96fd0ca Merge remote-tracking branch 'public/bug25994' 2018-05-11 17:57:59 -04:00
Roger Dingledine
962c2f8776 get rid of whitespace before #ifdef's
i don't know if whitespace is ok to have before preprocessing
directives on all platforms, but anyway we almost never have it,
so now things are more uniform.
2018-05-11 16:27:55 -04:00
David Goulet
51f65c185e control: Mask the event(s) before using ANY_EVENT_IS_INTERESTING()
Before this commit, the control events were never triggered. It was introduced
with commit 0c19ce7bde.

Fixes #26082

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-11 08:58:11 -04:00
Nick Mathewson
9800f4769f Merge remote-tracking branch 'asn-github/bug26078' 2018-05-11 08:20:49 -04:00
George Kadianakis
efe8f17a4d Properly ignore retval of event_del().
Fixes #26078: CID 1435546.
2018-05-11 15:17:52 +03:00
Nick Mathewson
3799f3116b Merge remote-tracking branch 'saper-github/x509_cert_free_crash' 2018-05-11 08:09:26 -04:00
Marcin Cieślak
308eec7532 testing: X509 certificate structure needs to be initialized
We alloc/free X.509 structures in three ways:

1) X509 structure allocated with X509_new() and X509_free()

2) Fake X509 structure allocated with fake_x509_malloc() and fake_x509_free()
   May contain valid pointers inside.

3) Empty X509 structure shell allocated with tor_malloc_zero() and
   freed with tor_free()
2018-05-11 01:44:09 +00:00
Nick Mathewson
75e5b778e1 Merge remote-tracking branch 'public/bug25981' 2018-05-10 19:31:11 -04:00
rl1987
036df13a03 Tweak error handling for #25852 2018-05-10 16:45:57 +03:00
rl1987
8ad97b7dcf Avoid confusion with errno from libc 2018-05-10 16:33:08 +03:00
Nick Mathewson
b343ba9060 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-05-10 09:22:32 -04:00
Nick Mathewson
7ee67c47fa Merge branch 'maint-0.3.1' into maint-0.3.2 2018-05-10 09:22:32 -04:00
Nick Mathewson
382beb93cb Merge branch 'maint-0.3.3' 2018-05-10 09:22:32 -04:00
Nick Mathewson
2d61a83513 Merge remote-tracking branch 'dgoulet/bug26069_031_01' into maint-0.3.1 2018-05-10 09:22:14 -04:00
Nick Mathewson
f64fa6b19e Merge branch 'maint-0.3.2' into maint-0.3.3 2018-05-10 09:19:28 -04:00
Nick Mathewson
15b8c860d3 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-05-10 09:19:28 -04:00
Nick Mathewson
2eff709edb Merge branch 'maint-0.3.3' 2018-05-10 09:19:28 -04:00
Nick Mathewson
ba70439210 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-05-10 09:19:28 -04:00
Nick Mathewson
edb6acf9ce Merge remote-tracking branch 'juga/ticket26007_029_02' into maint-0.2.9 2018-05-10 09:19:09 -04:00
David Goulet
6e99286d45 hs-v3: Add an extra white-space when parsing descriptor
The specification describes the signature token to be right after a newline
(\n) then the token "signature" and then a white-space followed by the encoded
signature.

This commit makes sure that when we parse the signature from the descriptor,
we are always looking for that extra white-space at the end of the token.

It will allow us also to support future fields that might start with
"signature".

Fixes #26069

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-10 09:16:50 -04:00
Nick Mathewson
1eede00a4b Merge branch 'ticket26063_squashed' 2018-05-10 09:13:28 -04:00
rl1987
36f7d0a940 Make _with_err return routerinfo, like old function does 2018-05-10 16:13:16 +03:00
Nick Mathewson
beca6a585c Merge branch 'ticket26064' 2018-05-10 09:05:15 -04:00
Nick Mathewson
8b4cf7771e Enable/disable per-second callback as needed.
There are three cases where this can happen: changes in our
controller events, changes in our DisableNetwork setting, and
changes in our hibernation state.

Closes ticket 26063.
2018-05-10 09:02:44 -04:00
Nick Mathewson
e722bba263 Add a new function to enable/disable the per-second timer as needed
We're about to use this to turn off the per-second timer when the
network is disabled and there aren't any per-second controller
events enabled.
2018-05-10 09:01:56 -04:00
Nick Mathewson
4218511ecd Remove a workaround for ancient libevent versions.
Libevent has accepted a const timeval argument to event_add() for a
very long time now.
2018-05-10 09:01:50 -04:00
Nick Mathewson
80f582ae18 Add functions to enable/disable periodic_event_t objects. 2018-05-10 09:01:27 -04:00
Nick Mathewson
a4a7939ae1 Merge remote-tracking branch 'dgoulet/ticket26062_034_01' 2018-05-10 08:04:03 -04:00
Nick Mathewson
59812789f7 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-05-10 08:03:04 -04:00
Nick Mathewson
e5acbbd16d Merge branch 'maint-0.3.1' into maint-0.3.2 2018-05-10 08:02:10 -04:00
Nick Mathewson
aa08c19703 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-05-10 08:00:35 -04:00
Mike Perry
1268baee9e Bug 25903: Report new CIRC_BW fields to control port. 2018-05-09 21:23:11 +00:00
Mike Perry
e07e95edd3 Bug 25903: Perform accounting for new CIRC_BW fields.
Two new values in each direction. DELIVERED counts valid end-to-end circuit
data that is accepted by our end and OVERHEAD counts the slack unused data in
each of the relay command cells for those accepted cells.

Control port changes are in the next commit.
2018-05-09 21:23:06 +00:00
Nick Mathewson
d972a8a944 Merge branch 'ticket26016' 2018-05-09 14:04:30 -04:00
Nick Mathewson
f684b48b5b Merge branch 'ticket26009' 2018-05-09 14:01:08 -04:00
Nick Mathewson
0abf09b2ce spelling fix 2018-05-09 14:01:00 -04:00
Nick Mathewson
15ce5a3e5a Fix some clang warnings 2018-05-09 14:01:00 -04:00
Nick Mathewson
c9f07f36bf Mark the 1-per-sec update_current_time() call as redundant.
We still do this time update here, since we do it from all
callbacks, but it is no longer a reason to keep the once-per-second
callback enabled.

Closes ticket 26009.
2018-05-09 14:01:00 -04:00
Nick Mathewson
285e7c98fd Distinguish true clock jumps from idleness
Since we're going to be disabling the second-elapsed callback, we're
going to sometimes have long periods when no events file, and so the
current second is not updated.  Handle that by having a better means
to detect "clock jumps" as opposed to "being idle for a while".
Tolerate far more of the latter.

Part of #26009.
2018-05-09 14:01:00 -04:00
Nick Mathewson
a1a7ebfb8d Give responsibility for waking up from DORMANT to a mainloop event
Closes ticket 26064.
2018-05-09 13:57:00 -04:00
David Goulet
bca8a104b2 Having a ControlPort open doesn't mean we are a client
The any_client_port_set() returns true if the ControlPort is set which is
wrong because we can have that port open but still not behave as a tor client
(like many relays for instance).

Fixes #26062

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-09 12:50:53 -04:00
David Goulet
67a41b6306 Having a ControlPort open doesn't mean we are a client
The options_any_client_port_set() returns true if the ControlPort is set which
is wrong because we can have that port open but still not behave as a tor
client (like many relays for instance).

Fixes #26062

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-09 12:49:34 -04:00
David Goulet
01ffe8e2f4 config: Move any_client_port_set() to config.c
This functions is now used outside of networkstatus.c and makes more sense to
be in config.c.

It is also renamed to options_any_client_port_set() for the config.c
namespace.

No code behavior change.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-09 12:36:39 -04:00
Nick Mathewson
fa7847e450 Use net_is_completely_disabled() in connection.c
This fixes the XXXX case that we had before, and also enforces the
rule that we won't open connections when we're in hard hibernation.
2018-05-09 12:26:50 -04:00
Nick Mathewson
7595eae52a Add a new net_is_completely_disabled() function 2018-05-09 12:21:08 -04:00
Nick Mathewson
c0feb698a0 Comment-only fix: annotate we_are_hibernating() usage
Everywhere we use we_are_hibernating(), remind the reader what it
means.

(Also, add an XXXX to note a DisableNetwork usage to change later.)
2018-05-09 12:18:39 -04:00
Nick Mathewson
50328533e3 Add we_are_fully_hibernating() to distinguish hibernation states
We want to tell "shut down" from "shutting down".
2018-05-09 12:11:14 -04:00
Nick Mathewson
0c19ce7bde Give control.c responsibility for its own once-a-second events
Now it has a function that can tell the rest of Tor whether any
once-a-second controller item should fire, and a function to fire
all the once-a-second events.
2018-05-09 12:06:52 -04:00
Nick Mathewson
79b38081e9 Add a macro to simplify control_update_global_event_mask(). 2018-05-09 12:02:19 -04:00
juga0
dbdde76f56 Test read bandwidth measurements with empty file 2018-05-09 15:58:25 +00:00
Nick Mathewson
abde29824c Merge branch 'maint-0.3.2' into maint-0.3.3 2018-05-09 11:53:18 -04:00
Nick Mathewson
61d5ce83a1 Merge branch 'maint-0.3.3' 2018-05-09 11:53:18 -04:00
Nick Mathewson
394f102ea6 Merge remote-tracking branch 'asn-github/bug25761_032' into maint-0.3.2 2018-05-09 11:53:15 -04:00
teor
867fe40f91 Stop logging stack contents when reading a zero-length bandwidth file
When directory authorities read a zero-byte bandwidth file, they log
a warning with the contents of an uninitialised buffer. Log a warning
about the empty file instead.

Fixes bug 26007; bugfix on 0.2.2.1-alpha.
2018-05-09 15:19:28 +00:00
Nick Mathewson
9df20f6076 Merge branch 'maint-0.3.3' 2018-05-09 08:25:52 -04:00
Nick Mathewson
a639a67844 Merge branch 'libressl_201805_033' into maint-0.3.3 2018-05-09 08:25:32 -04:00
Nick Mathewson
e6d6347690 Merge remote-tracking branch 'public/bug26005_034' 2018-05-09 08:23:27 -04:00
George Kadianakis
7e8c5e3662 Detect when v3 services get disabled after HUP.
Remove v3 optimization which made Tor not detect disabling services.

This optimization is not so needed because we only call that function after HUP
anyway.

Fixes bug #25761.
2018-05-09 11:25:00 +03:00
George Kadianakis
5dc00c0661 Detect when v2 services get disabled after HUP.
During service configuration, rend_service_prune_list_impl_() sets
rend_service_staging_list to NULL, which blocked pruning after a HUP.

This patch initializes rend_service_staging_list when needed, so that HUP can
detect disabled onion services.

Fixes bug #25761.
2018-05-09 11:25:00 +03:00
Nick Mathewson
01d729cbfe Fix compilation of test_addr.c
This needs to include crypto_rand.h (which it didn't before it was
merged).
2018-05-08 20:20:54 -04:00
Nick Mathewson
a0f051137d Merge branch 'ticket25993_squashed' 2018-05-08 20:09:42 -04:00
Nick Mathewson
24ba5fd748 More unit tests for addressmap_get_virtual_address().
Previously the coverage on this function was mostly accidental,
coming as it did from test_entryconn.c.  These new tests use mocking
to ensure that we actually hit the different failure and retry cases
of addressmap_get_virtual_address(), and make our test coverage a
bit more deterministic.

Closes ticket 25993.
2018-05-08 20:09:33 -04:00
Taylor Yu
de343b4e42 Improve tolerance for dirauths with skewed clocks
Previously, an authority with a clock more than 60 seconds ahead could
cause a client with a correct clock to warn that the client's clock
was behind.  Now the clocks of a majority of directory authorities
have to be ahead of the client before this warning will occur.

Relax the early-consensus check so that a client's clock must be 60
seconds behind the earliest time that a given sufficiently-signed
consensus could possibly be available.

Add a new unit test that calls warn_early_consensus() directly.

Fixes bug 25756; bugfix on 0.2.2.25-alpha.
2018-05-08 17:59:03 -05:00
Taylor Yu
d6948bc776 Deindent warn_early_consensus()
Remove one level of indentation by returning early from the function.
2018-05-08 17:59:03 -05:00
Taylor Yu
0b80a0e500 Factor out warn_early_consensus()
Factor out the early consensus warning code from
networkstatus_set_current_consensus() into a new function
warn_early_consensus().
2018-05-08 17:59:03 -05:00
Taylor Yu
4921670a8c Test early-consensus clock skew warnings 2018-05-08 17:59:03 -05:00
Taylor Yu
be8306c1fb Add expect_no_log_msg_containing() 2018-05-08 17:59:03 -05:00
Taylor Yu
c223377ce6 Make clock_skew_warning() mockable 2018-05-08 17:59:03 -05:00
Taylor Yu
5bd2060054 tests: Add "now" param to construct_consensus()
construct_consensus() in test_routerlist.c created votes using a
timestamp from time().  Tests that called construct_consensus() might
have nondeterministic results if they rely on time() not changing too
much on two successive calls.

Neither existing of the two existing tests that calls
construct_consensus is likely to have a failure due to this problem.
2018-05-08 17:59:03 -05:00
Nick Mathewson
6bfa87d3aa Update rust submodule. 2018-05-08 18:51:31 -04:00
Isis Lovecruft
af182d4ab5
rust: Add crypto crate and implement Rust wrappers for SHA2 code.
* FIXES #24659: https://bugs.torproject.org/24659
2018-05-08 21:03:37 +00:00
Nick Mathewson
3df37d7b6b Merge branch 'bug26004_029_squashed' 2018-05-08 14:26:05 -04:00
Nick Mathewson
a17dc0875a Avoid unsigned integer underflow on empty input. 2018-05-08 14:24:29 -04:00
juga0
dbc80ad19b Allow bandwidth-file lines to have node_id in the last position
Closes ticket 26004.
2018-05-08 14:24:29 -04:00
Nick Mathewson
5edc72a45b Merge remote-tracking branch 'mikeperry/bug25870_rebase' 2018-05-08 14:12:29 -04:00
Nick Mathewson
2a4439adf3 Merge branch 'ticket26008' 2018-05-08 14:09:38 -04:00
Roger Dingledine
c3ae14549d minor cleanups on commit 17daab76
better punctuation and clearer wording
2018-05-08 12:21:24 -04:00
Fernando Fernandez Mancera
827b85e907 Make dh_param_* stuff static again.
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-05-08 16:25:40 +02:00
Fernando Fernandez Mancera
ffbf8673b5 Include crypto_dh.h in order to solve dependency issues.
Included crypto_dh.h in some files in order to solve DH module dependency
issues.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-05-08 15:57:31 +02:00
Fernando Fernandez Mancera
f91469c165 Refactor crypto.[ch] into smaller DH module.
Add two new files (crypto_dh.c, crypto_dh.h) as new module of crypto.[ch]. This
new module includes all functions and dependencies related to DH operations.
Those have been removed from crypto.[ch].

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-05-08 15:51:39 +02:00
Fernando Fernandez Mancera
5b7a12d58a Add crypto_log_errors() to crypto_util.[ch]
crypto_log_errors() has been moved to crypto_util.[ch]. It was duplicated in
some files so they have been removed too.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-05-08 15:40:11 +02:00
Nick Mathewson
5ad72bc1f5 Merge remote-tracking branch 'catalyst-github/bug26036' 2018-05-07 14:38:26 -04:00
Nick Mathewson
8b1380cbd0 Don't crash when closing a connection before initializing libevent
Fixes bug 25981; bugfix on 96c5ac338a.  Bug not in any released
version of Tor.
2018-05-07 14:30:30 -04:00
Taylor Yu
9326abe16a Restore sys/random.h inclusion for getentropy()
Code movement for the refactoring for ticket 24658 didn't copy the
inclusion of sys/random.h, which is needed to get a prototype for
getentropy() on macOS 10.12 Sierra.  It also didn't copy the inclusion
of sys/syscall.h, which might prevent the getrandom() syscall from
being properly detected.  Move these inclusions.  Bug not in any
released Tor.
2018-05-07 12:56:12 -05:00
Nick Mathewson
17236a5842 Merge branch 'maint-0.3.3' 2018-05-07 13:33:19 -04:00
Nick Mathewson
46002aa691 Merge remote-tracking branch 'mikeperry/bug25733_029' into maint-0.3.3 2018-05-07 13:33:12 -04:00
Nick Mathewson
2c5841a8b8 Merge remote-tracking branch 'saper/default_nickname' 2018-05-07 13:31:03 -04:00
Nick Mathewson
a1a32b4834 Merge branch 'ticket26014' 2018-05-07 12:07:53 -04:00
Nick Mathewson
fd1d0a7d2e Merge remote-tracking branch 'mikeperry/bug25705_v3_033' 2018-05-07 11:09:25 -04:00
Nick Mathewson
6e3e96d2ff Fix the selection of events to cancel in test_workqueue.c
Our previous algorithm had a nonzero probability of picking no
events to cancel, which is of course incorrect.  The new code uses
Vitter's good old reservoir sampling "algorithm R" from 1985.

Fixes bug 26008; bugfix on 0.2.6.3-alpha.
2018-05-06 21:03:26 -04:00
Nick Mathewson
d14c245a0f Add unit test for ..get_start_of_next_voting_interval().
This functionality was covered only accidentally by our voting-test
code, and as such wasn't actually tested at all.  The tests that
called it made its coverage nondeterministic, depending on what time
of day you ran the tests.

Closes ticket 26014.
2018-05-06 20:42:18 -04:00
rl1987
b00d17aa9e Improve GETCONF exit-policy/* error handling
This will yield different error codes for transient and permament
errors. Furthermore, Tor will give human readable error
messages to controller.
2018-05-05 16:12:00 +02:00
Isis Lovecruft
f36656cada
build: Fix missing include for src/rust/external/crypto_rand.rs file.
* FIXES #26025: https://bugs.torproject.org/26025
2018-05-04 22:23:17 +00:00
Isis Lovecruft
f1864ff4a1
rust: Update Cargo.lock file with changes from #26024. 2018-05-04 20:41:25 +00:00
Isis Lovecruft
36dd2a467f
rust: Update submodule commit for src/ext/rust directory.
* FIXES part of #26024: https://bugs.torproject.org/26024
2018-05-04 20:37:16 +00:00
Isis Lovecruft
b5bd19ea05
Update rand dependency from 0.5.0-pre.0 to 0.5.0-pre.1. 2018-05-04 19:16:42 +00:00
Nick Mathewson
6f8b961a65 I should have tested before I pushed. 2018-05-03 20:16:53 -04:00
Nick Mathewson
08e525c198 Merge remote-tracking branch 'github/ticket25995' 2018-05-03 16:52:09 -04:00
Nick Mathewson
80b9a589bb Merge remote-tracking branch 'dgoulet/ticket25914_034_01' 2018-05-03 16:48:03 -04:00
Nick Mathewson
2f269bfaf1 Add src/rust/rand to include.am 2018-05-03 16:16:09 -04:00
Nick Mathewson
2d07aef3cc Move some includes around to try to fix windows builds 2018-05-03 16:14:38 -04:00
Nick Mathewson
bd153e4640 Update rust dependencies to latest version. 2018-05-03 13:55:55 -04:00
Nick Mathewson
c3b7258370 Merge remote-tracking branch 'isis/bug24660_r1' 2018-05-03 13:50:18 -04:00
Nick Mathewson
48d8fe533e Merge remote-tracking branch 'dgoulet/ticket25990_034_01' 2018-05-03 13:40:10 -04:00
Nick Mathewson
89cafc4afa Use OPENSSL_1_1_API in place of raw OPENSSL_VERSION_NUMBER checks
This is needed for libressl-2.6.4 compatibility, which we broke when
we merged a15b2c57e1 to fix bug 19981.  Fixes bug 26005; bug
not in any released Tor.
2018-05-03 13:33:14 -04:00
Nick Mathewson
b0e5757710 Refactor to remove n_libevent_errors
We cleared this value in second_elapsed_callback.  But what were we
using it for?  For detecting if Libevent returned EINVAL too often!
We already have a way to detect too-frequent events, and that's with
a ratelim_t.  Refactor the code to use that instead.  Closes ticket
26016.
2018-05-03 12:44:00 -04:00
Nick Mathewson
83137275a7 Add update_current_time() calls to periodic and event-driven callbacks
This is part of 26009, where we're going to keep track of the
current time and its jumps without having to do so in
second_elapsed_callback.
2018-05-03 12:02:10 -04:00
Nick Mathewson
1d16b7124f Basic unit tests for update_current_time().
This function is about to get more complicated, so we should track
how it's working.
2018-05-03 12:02:10 -04:00
Nick Mathewson
b0598f2a12 Move the "update the current second" code from second_elapsed_callback
This now happens in a new function, with the intent of having it
invoked from our callbacks.  This is one step on the way to 26009.
2018-05-03 12:02:10 -04:00
Nick Mathewson
5e0316142f Merge remote-tracking branch 'github/ticket25952' 2018-05-03 11:59:53 -04:00
Nick Mathewson
ed636de4cc Merge remote-tracking branch 'github/ticket25951' 2018-05-03 11:59:31 -04:00
Nick Mathewson
be9f0e5f20 Merge remote-tracking branch 'github/ticket25949' 2018-05-03 11:57:09 -04:00
David Goulet
319505d38c hs-v3: Remove extra white-space and clarify comment
From Neel's latest patch on optimizing the hs_circ_service_get_intro_circ()
digest calculation, remove an extra white-space and clarify a comment of the
legacy key digest to inform when to use it.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-03 09:34:50 -04:00
David Goulet
2e8eb1d5e3 Merge remote-tracking branch 'asn/bug23107' 2018-05-03 09:33:42 -04:00
Isis Lovecruft
94dcd38a14
rust: Expose crypto_rand() as an impl of rand_core::RngCore. 2018-05-02 22:12:38 +00:00
Nick Mathewson
eb00eff09d Merge branch 'ticket25997' 2018-05-02 16:03:57 -04:00
David Goulet
1f739e9b06 dirauth: Move authdir_mode_v3() to module
This function must return false if the module is not compiled in. In order to
do that, we move the authdir_mode_v3() function out of router.c and into the
dirauth module new header file named mode.h.

It is always returning false if we don't have the module.

Closes #25990

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-02 13:42:24 -04:00
Nick Mathewson
e386d61c9b Make hs_get_responsible_hsdirs() deterministic.
This test was using the current time to pick the time period number,
and a randomly generated hs key.  Therefore, it sometimes picked an
index that would wrap around the example dht, and sometimes would
not.

The fix here is just to fix the time period and the public key.

Fixes bug 25997; bugfix on 0.3.2.1-alpha.
2018-05-02 10:17:46 -04:00
David Goulet
1ef1ed76d8 dirvote: Fix typo in comment
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-02 09:06:40 -04:00
Nick Mathewson
246765342e Merge branch 'maint-0.3.1' into maint-0.3.2 2018-05-02 08:46:28 -04:00
Nick Mathewson
993e314c6f Merge branch 'maint-0.2.9' into maint-0.3.1 2018-05-02 08:46:28 -04:00
Nick Mathewson
c66b512671 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-05-02 08:46:28 -04:00
Nick Mathewson
8625f36de1 Merge branch 'maint-0.3.3' 2018-05-02 08:46:28 -04:00
Nick Mathewson
f26d6ead21 Merge branch 'ticket25996' 2018-05-02 08:45:35 -04:00
teor
d465bd27ed
Stop logging stack contents when reading a zero-length bandwidth file
When directory authorities read a zero-byte bandwidth file, they log
a warning with the contents of an uninitialised buffer. Log a warning
about the empty file instead.

Fixes bug 26007; bugfix on 0.2.2.1-alpha.
2018-05-02 22:36:23 +10:00
Nick Mathewson
bf3e899dce Merge branch 'libressl_201805_029' into maint-0.3.3 2018-05-02 08:26:49 -04:00
Nick Mathewson
75f3fbaa3c LibreSSL compatibility fixes.
LibreSSL, despite not having the OpenSSL 1.1 API, does define
OPENSSL_VERSION in crypto.h.  Additionally, it apparently annotates
some functions as returning NULL, so that our unit tests need to be
more careful about checking for NULL so they don't get compilation
warnings.

Closes ticket 26006.
2018-05-02 08:22:05 -04:00
Georg Koppen
da8996d611 Bug 26000: Fix missing ";" 2018-05-02 07:46:05 -04:00
Neel Chauhan
af70d3c459 Optimize legacy intro point digest calculation. 2018-05-02 14:08:28 +03:00
Nick Mathewson
a2b53c1d0b coverage: Repeat the test for avoiding failed intro points
This test, in test_client_pick_intro(), will have different coverage
depending on whether it selects a good intro point the first time or
whether it has to try a few times.  Since it produces the shorter
coverage with P=1/4, repeat this test 64 times so that it only
provides reduced coverage with P=1/2^128.  The performance cost is
negligible.

Closes ticket 25996.  This test was introduced in 0.3.2.1-alpha.
2018-05-01 19:58:39 -04:00
Nick Mathewson
19b53e2645 Use a deterministic PRNG in test_circuit_timeout()
I'd prefer not to do this for randomized tests, but as things stand
with this test, it produces nondeterministic test coverage.

Closes ticket 25995; bugfix on 0.2.2.2-alpha when this test was
introduced.
2018-05-01 19:34:21 -04:00
Nick Mathewson
24299d385d Hold monotonic time constant during channel/outbound_cell test
This change should make it impossible for the monotonic time to roll
over from one EWMA tick to the next during this test, and make it so
that this test never invokes scale_active_circuits() (which it
doesn't test).

(Earlier changes during the 0.3.4 series should make this call even
rarer than it was before, since we fixed #25927 and removed
cached_gettimeofday.  Because this test didn't update
cached_gettimeofday, the chance of rolling over a 10-second interval
was much higher.)

Closes ticket 25994; bugfix on 0.3.3.1-alpha when this test was
introduced.
2018-05-01 18:44:11 -04:00
Nick Mathewson
60fad8d41f Stop using approx_time() in circuitmux_ewma.
It doesn't match with the tick-count code any longer.

Bug not in any released Tor.
2018-05-01 18:28:01 -04:00
Mike Perry
937260af6a Bug 25705: Don't count circuit path failures as build failures.
Also emit a rate limited log message when they happen, since they are likely
correlated with other issues.
2018-05-01 19:47:07 +00:00
Nick Mathewson
5162cf5021 Mark bug cases of addressmap_get_virtual_address as non-covered 2018-05-01 15:28:40 -04:00
Nick Mathewson
5c5392fea7 Merge remote-tracking branch 'github/eliminate_gettimeofday_cached' 2018-05-01 13:27:02 -04:00
Nick Mathewson
b396e4e429 Move unreachable port warnings to a periodic event.
Arguably, the conditions under which these events happen should be a
bit different, but the rules are complex enough here that I've tried
to have this commit be pure refactoring.

Closes ticket 25952.

Finally, before this code goes away, take a moment to look at the
amazing way that we used to try to have an event happen
every N seconds:

      get_uptime() / N != (get_uptime()+seconds_elapsed) / N

Truly, it is a thing of wonder.  I'm glad we didn't start using this
pattern everywhere else.
2018-05-01 13:14:18 -04:00
David Goulet
2b6c13267f dirvote: Make tokens a const in dirvote_parse_sr_commits()
Part of #25988

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 11:45:34 -04:00
David Goulet
5db331e8fc Make find_opt_by_keyword() take a const smartlist
Part of #25988

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 11:45:34 -04:00
David Goulet
70c92c3366 sr: Rename shared_random_common.{c|h} to shared_random_client.{c|h}
No code behavior change.

Pars of #25988

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 11:45:34 -04:00
David Goulet
2d79d0155e vote: Move dirvote_recalculate_timing() to voting_schedule.c
By doing so, it is renamed to voting_schedule_recalculate_timing(). This
required a lot of changes to include voting_schedule.h everywhere that this
function was used.

This effectively now makes voting_schedule.{c|h} not include dirauth/dirvote.h
for that symbol and thus no dependency on the dirauth module anymore.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 11:45:34 -04:00
David Goulet
e504b1b358 vote: Namespace functions in voting_schedule.c
Rename them from dirvote_* to voting_schedule_*.

No code behavior change.

Part of #25988

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 11:43:23 -04:00
David Goulet
711ff6cdf7 Rename dirvote_common.{c|h} to voting_schedule.{c|h}
No code behavior change.

Part of #25988

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 11:43:23 -04:00
David Goulet
6452fe78c2 dirvote: Make dirvote_get_preferred_voting_intervals() static
This function doesn't need to be public from the dirvote common file (which
will get renamed in future commit) so move it to dirauth/dirvote.c and make it
static.

Part of #25988

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 11:43:23 -04:00
David Goulet
098b7fe25b ns: Move dirvote_get_voter_sig_by_alg() to networkstatus.c
It makes more sense to be in networkstatus.c so move it there and rename it
with the "networkstatus_" prefix.

Part of #25988

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 11:43:23 -04:00
Nick Mathewson
4a559e9960 Refactor to use safe_timer_diff. 2018-05-01 10:56:56 -04:00
Nick Mathewson
a73603653a Reschedule voting callback when any cfg option affecting it changes. 2018-05-01 10:54:54 -04:00
Nick Mathewson
234e317ef1 Ensure that voting is rescheduled whenever the schedule changes. 2018-05-01 10:54:54 -04:00
Nick Mathewson
6868398b69 Move responsibility for voting into a separate periodic callback.
Closes ticket25937.
2018-05-01 10:54:54 -04:00
Nick Mathewson
9870497f9d Update dirvote_act() to return the time of its next action.
This is remarkably simple, given the macros in the last commit.
2018-05-01 10:52:16 -04:00
Nick Mathewson
4f184415cc Start refactoring dirvote_act() towards self-scheduling
This change should have no behavioral effect: it just uses macros to
describe the current control flow.
2018-05-01 10:51:08 -04:00
Nick Mathewson
bbf0b92b1c Fix an assertion failure introduced by #25948
Apparently, we can decide our state is dirty before we create the
event to tell the mainloop that we should save it.  That's not a
problem, except for the assertion failure.
2018-05-01 10:47:44 -04:00
Nick Mathewson
9ece027d60 Merge remote-tracking branch 'ffmancera-1/bug20522' 2018-05-01 10:43:40 -04:00
Nick Mathewson
77b7eb2795 Remove responsibility for flushing log cbs from mainloop
This is now handled as-needed as the control module is flushing its
own callbacks.  Closes ticket 25951.
2018-05-01 10:38:46 -04:00
Nick Mathewson
d018bf199c Merge remote-tracking branch 'dgoulet/ticket25610_034_01-squashed' 2018-05-01 10:29:05 -04:00
Nick Mathewson
0d8604c763 Give queued_events_flush_all() responsibility for flushing log cbs
This requires that when a log cb happens, the event for flushing
queued events is scheduled, so we also add the necessary machinery
to have that happen.

Note that this doesn't actually help with logs from outside the main
thread, but those were already suppressed: see #25987 for a ticket
tracking that issue.
2018-05-01 10:26:04 -04:00
Nick Mathewson
b0224bf728 Add a mechanism for the logging system to report queued callbacks
Sometimes the logging system will queue a log message for later.
When it does this, the callback will either get flushed at the next
safe time, or from the second-elapsed callback.

But we're trying to eliminate the second-elapsed callback, so let's
make a way for the log system to tell its users about this.
2018-05-01 10:18:49 -04:00
David Goulet
d8509b450a vote: Return error when adding vote/signature if no dirauth module
Commit 0f3b765b3c added
tor_assert_nonfatal_unreached() to dirvote_add_vote() and
dirvote_add_signatures() when the dirauth module is disabled.

However, they need to return a value. Furthermore, the dirvote_add_vote()
needs to set the msg_out and status_out so it can be sent back. Else,
uninitialized values would be used.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 10:15:28 -04:00
David Goulet
15e8ce3937 Move back dirvote_authority_cert_dup to dirvote.c
Originally, it was made public outside of the dirauth module but it is no
longer needed. In doing so, we put it back in dirvote.c and reverted its name
to the original one:

dirvote_authority_cert_dup() --> authority_cert_dup()

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 10:07:09 -04:00
David Goulet
43bba89656 build: Always compile module support for tests
The --disable-module-* configure option removes code from the final binary but
we still build the unit tests with the disable module(s) so we can actually
test that code path all the time and not forget about it.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 10:07:09 -04:00
David Goulet
a2ff4975f3 dirvote: Move the vote creation code into dirvote.c
This code is only for dirauth so this commit moves it into the module in
dirvote.c.

No code behavior change.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 10:07:09 -04:00
David Goulet
0f3b765b3c dirvote: Handling adding vote and signature if module is disabled
Both functions are used for directory request but they can only be used if the
running tor instance is a directory authority.

For this reason, make those symbols visible but hard assert() if they are
called when the module is disabled. This would mean we failed to safeguard the
entry point into the module.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 10:07:09 -04:00
David Goulet
fdc01cb40e dirvote: Move the handling of GET /tor/status-vote to dirauth module
In order to further isolate the dirauth code into its module, this moves the
handling of the directory request GET /tor/status-vote/* into the module.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 10:07:08 -04:00
David Goulet
6ee6533fd8 dirvote: Free vote commits in the dirauth module
In order to make sr_commit_free() only used by the dirauth module, this
commits moves the commits free from a vote object into the dirvote.c file
which is now only for the module.

The function does nothing if the module is disabled.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-01 10:06:13 -04:00
Nick Mathewson
4cf6b67f5e Merge remote-tracking branch 'neel/b23094' 2018-05-01 08:56:23 -04:00
Nick Mathewson
07b486c17a Merge branch 'bug24734_squashed' 2018-05-01 08:51:32 -04:00
Neel Chauhan
5458ff20a5 Remove the return value from the fascist_firewall_choose_address_* family of functions 2018-05-01 08:51:16 -04:00
Neel Chauhan
ddb2b965de Initialize ap in the fascist_firewall_choose_address_* family of functions to 0 2018-05-01 08:51:15 -04:00
George Kadianakis
e17f436fff Fix memleak found by unittests. 2018-05-01 00:59:27 +00:00
George Kadianakis
627d2fdbf0 Write unittests to check basic vanguard path selection.
Adds two unittests:
- First checks the path selection of basic Tor circs.
- Second checks the path selection of vanguard circs.

There is a TODO on the second unittest that we might want to test sooner than
later, but it's not trivial to do it right now.

To do these unittests we needed the following mods:
- Make some functions STATIC.
- Add some more fields to the big fake network nodes of test_entrynodes.c
- Switch fake node nicknames to base32 (because base64 does not produce valid nicknames).
2018-05-01 00:59:27 +00:00
Mike Perry
289c04b065 Bug 25870: Allow 4th hop of vanguard circuits to be the guard.
This prevents a malicious RP/IP from learning the guard node in the case that
we are using only one (because we aren't using two guards, or because one of
those two guards is temporarily down).

This ensures the "strong" version of Property #6 from
https://lists.torproject.org/pipermail/tor-dev/2018-April/013098.html
(Information about the guard(s) does not leak to the website/RP at all).
2018-05-01 00:59:21 +00:00
Mike Perry
e34bf50604 Bug 25870: Prevent the creation of A - B - A vanguard sub-paths.
These paths are illegal in Tor and relays will reject them.

We do this by using specific nodes in the exclude list (but ignore /16 and
family).
2018-05-01 00:59:10 +00:00
Nick Mathewson
3a2470762d Add a cast to make clang happy. 2018-04-30 17:14:40 -04:00
Nick Mathewson
72124dc1ef Merge branch 'ticket25948_squashed' 2018-04-30 16:46:59 -04:00
Nick Mathewson
987a7f6676 Move responsibility for or_state_save() to a scheduled callback
Closes ticket 25948.
2018-04-30 16:46:52 -04:00
Nick Mathewson
d1a0534649 Make unit tests pass with new dirserver role. 2018-04-30 10:36:00 -04:00
Nick Mathewson
3800d5916f Merge remote-tracking branch 'dgoulet/ticket25900_034_01' 2018-04-30 10:27:22 -04:00
Nick Mathewson
b205061eb1 Describe schedules as TimeInterval, not TimeIntervalCommaList. 2018-04-30 09:47:35 -04:00
Nick Mathewson
6cb467b462 Merge remote-tracking branch 'github/ticket23354' 2018-04-30 09:45:28 -04:00
Nick Mathewson
a9736f1f38 Merge remote-tracking branch 'github/ticket19429_034' 2018-04-30 09:41:33 -04:00
Marcin Cieślak
0c7740b7de Document default value for Nickname 2018-04-29 13:54:56 +00:00
Neel Chauhan
bfe5a739b7 Make hsdir_index in node_t a hsdir_index_t rather than a pointer. 2018-04-28 20:35:30 -04:00
Mike Perry
d634c1ba6b Bug 25870: Allow the last hop in a vanguard circuit to be our guard.
The last hop in vanguard circuits can be an RP/IP/HSDir.

Since vanguard circuits are at least 3 hops (sometimes 4) before this node,
this change will not cause A - B - A paths.
2018-04-28 01:26:50 +03:00
Nick Mathewson
cb0af6157c Move stdbool include to torint.h
It's friday, and this seems like a good idea, and they're egging me
on in IRC.
2018-04-27 15:08:27 -04:00
Nick Mathewson
d6a773f57d Only define X509_get_not{BeforeAfter} if they are not defined
(The originally submitted version of a15b2c57e1 broke
with OpenSSL 1.1.0.)
2018-04-27 12:55:52 -04:00
Nick Mathewson
346c2eb4e6 Merge branch 'bug25843_v2_squashed' 2018-04-27 12:45:07 -04:00
George Kadianakis
d00ed406e0 Introduce torrc option NumPrimaryGuards 2018-04-27 12:44:54 -04:00
David Goulet
2963e65c30 dirvote: Move SR commit parsing into dirauth module
When parsing a vote in routerparse.c, only dirauth extract the commits from
the vote so move all this code into dirvote.c so we can make it specific to
the dirauth module.

If the dirauth module is disabled, the commit parsing does nothing.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
d7e4706f22 ns: Move ns_detached_signatures_free() to networkstatus.c
From dirvote.c to networkstatus.c where it makes more sense both in terms of
namespace and subsystem responsability.

This removes one less dependency on the dirauth module.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
35ff2a3b86 dirvote: Rename authority_cert_dup()
Renamed to follow the file namespace.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
43bee06dd0 dirvote: Rename voter_get_sig_by_algorithm()
In order to follow the public namespace of dirvote.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
26817d9d22 dirvote: Extract shared functions to common file
No code behavior change.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
79a1112a49 sr: Static inline functions if no dirauth module
Add static inline dirauth public functions used outside of the dirauth module
so they can be seen by the tor code but simply do nothing.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
bdcf3a3839 sr: Extract shared SR functions
Move most of the shared random functions that are needed outside of the
dirauth module.

At this commit, because dirvote.c hasn't been refactor, it doesn't compile
because some SR functions need a dirvote function.

Furthermore, 5 functions haven't been touched yet because they are dirauth
only but are in used in other C files than the dirauth module ones.

No code behavior change. Only moving code around.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
2115a54b4a mod: Move dirauth specific files to its own module
This is a pretty big commit but it only moves these files to src/or/dirauth:

  dircollate.c dirvote.c shared_random.c shared_random_state.c
  dircollate.h dirvote.h shared_random.h shared_random_state.h

Then many files are modified to change the include line for those header files
that have moved into a new directory.

Without using --disable-module-dirauth, everything builds fine. When using the
flag to disable the module, tor doesn't build due to linking errors. This will
be addressed in the next commit(s).

No code behavior change.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
35d86b088d dirvote: Reorganize the dirvote.h file
Remove useless include.

Clearly identify functions that are used by other part of Tor, functions that
are only used by the dirauth subsystem and functions that are exposed for unit
tests.

This will help us in the dirauth modularization effort.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
5e1e906a5c dirvote: Move voting_schedule_t to dirvote.c
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
d177067860 dirvote: Trim down the public API
Many functions become static to the C file or exposed to the tests within the
PRIVATE define of dirvote.h.

This commit moves a function to the top. No code behavior change.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
f0838e7257 config: Make circuit_build_times_disabled() use authdir_mode()
Don't access the AuthoritativeDir options directly. We do this so we can move
authdir_mode() to the dirauth module.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
b27dc1cfb5 mod: Build system changes for dirauth module
Make our build system support a disable dirauth module option. It can only be
disabled explicitly with:

  $ ./configure --disable-module-dirauth

If *not* specified that is enabled, an automake conditional variable is set to
true and a defined value for the C code:

  AM_CONDITIONAL: BUILD_MODULE_DIRAUTH
  AC_DEFINE: HAVE_MODULE_DIRAUTH=1

This introduces the dirauth/ module directory in src/or/ for which .c files
are only compiled if the BUILD_MODULE_DIRAUTH is set.

All the header files are compiled in regardless of the support so we can use
the alternative entry point functions of the dirauth subsystem.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:40:44 -04:00
David Goulet
8b58e1e323 test: Unit test for the HS service event rescan
Because we rescan the main loop event list if the global map of services has
changed, this makes sure it does work.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:16:57 -04:00
David Goulet
f7633c1fca hs: Rescan the main loop event list if the service map changes
Because ADD_ONION/DEL_ONION can modify the global service map (both for v2 and
v3), we need to rescan the event list so we either enable or disable the HS
service main loop event.

Fixees #25939

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:16:57 -04:00
David Goulet
3ab017b10c main: Don't rescan main loop events if not initialized
This is done because it makes our life easier with unit tests. Also, a rescan
on an uninitialized event list will result in a stacktrace.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 11:16:57 -04:00
Nick Mathewson
57f557747d Move responsibility for deferred SIGNEWNYM into a mainloop event
Closes ticket 25949.
2018-04-27 10:45:12 -04:00
Nick Mathewson
9f8b60d74c Move or_state_mark_dirty into statefile.c
Previously it was an inline function in or.h
2018-04-27 10:09:16 -04:00
Nick Mathewson
3a47dfed34 Merge branch 'ticket25376_034_031_squashed' 2018-04-27 09:28:43 -04:00
David Goulet
d6903e9e87 hibernation: Rescan the event list on state change
When we change the hibernation state, rescan the main loop event list because
the new state might affect the events.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 09:28:00 -04:00
David Goulet
05d314f888 main: Add mainloop callback event flags
Implement the ability to set flags per events which influences the set up of
the event.

This commit only adds one flag which is "need network" meaning that the event
is not enabled if tor has disabled the network or if hibernation mode.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-27 09:28:00 -04:00
Nick Mathewson
cc74dc0066 Merge branch 'ticket25933' 2018-04-26 18:40:27 -04:00
Mike Perry
35e7902116 Bug 25733: Avoid assert failure if all circuits time out.
Prior to #23100, we were not counting HS circuit build times in our
calculation of the timeout. This could lead to a condition where our timeout
was set too low, based on non HS circuit build times, and then we would
abandon all HS circuits, storing no valid timeouts in the histogram.

This commit avoids the assert.
2018-04-26 21:28:28 +00:00
Nick Mathewson
302908657f Fix a test assertion failure due to uninitialized mainloop events
Bug not in any released Tor.
2018-04-26 14:39:26 -04:00
David Goulet
9fd319168b test: Add missing geoip_dummy file to EXTRA_DIST
Needed to run tests from the tarball else the geoip unit test would fail by
not finding that file.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-26 14:15:24 -04:00
Nick Mathewson
857e210b7d Merge branch 'ticket25931' 2018-04-26 13:52:16 -04:00
Nick Mathewson
ff796ad087 Remove connection_ap_attach_pending() from per-second callback.
In 25374, we created the necessary post-loop event for scheduling
connection_ap_attach_pending as needed.  Before that, we were
already running this event once per mainloop.  There's no reason to
also run it once per second.

Closes ticket 25933.  No changes file, since the relevant change is
already in 25374.  Or possibly in 17590, depending on how you look
at it.
2018-04-26 13:37:13 -04:00
Nick Mathewson
96c5ac338a Move close-and-cleanup functions to a postloop event.
Implements ticket 25932.
2018-04-26 13:15:38 -04:00
Nick Mathewson
8a81a70878 Move consdiffmgr_rescan() into a mainloop event.
The change here was very simple, since there is a flag set whenever
we want to schedule this event.

Closes ticket 25391.
m
2018-04-26 12:20:01 -04:00
Nick Mathewson
9abf541f7f Add a function to compute millisecond time difference quickly.
Our main function, though accurate on all platforms, can be very
slow on 32-bit hosts.  This one is faster on all 32-bit hosts, and
accurate everywhere except apple, where it will typically be off by
1%.  But since 32-bit apple is a relic anyway, I think we should be
fine.
2018-04-26 12:01:48 -04:00
Nick Mathewson
7cbc44eeb1 Remove the "cached gettimeofday" logic.
Previously were using this value to have a cheap highish-resolution
timer.  But we were only using it in one place, and current dogma is
to use monotime_coarse_t for this kind of thing.
2018-04-26 12:01:48 -04:00
Nick Mathewson
5e395ba2c2 Rewrite time-handling in circuitmux_ewma to use monotime_coarse
This part of the code was the only part that used "cached
getttimeofday" feature, which wasn't monotonic, which we updated at
slight expense, and which I'd rather not maintain.
2018-04-26 11:50:58 -04:00
David Goulet
7b09282dc7 Merge remote-tracking branch 'dgoulet/ticket25515_034_01-squashed' 2018-04-26 11:38:15 -04:00
juga0
f4ad30448a Recover newline at the EOF, removed by mistake
in 071236e3e2.
2018-04-26 11:33:22 -04:00
juga0
3d4bbf94c6 tests: Add forgotten empty file required for geoip 2018-04-26 11:33:22 -04:00
juga0
d0ad74e0f6 Add clarification about type of file expected 2018-04-26 11:33:22 -04:00
juga0
96469b82f8 Remove FIXME about comparing num countries,
* remove the fixme since clearing the countries should be other issue
* remove unused variables related to it since that cause travis to fail
2018-04-26 11:33:22 -04:00
Isis Lovecruft
6a28a82998 tests: Fix a couple typos and remove unnecessary inline comments. 2018-04-26 11:33:22 -04:00
Isis Lovecruft
3f967bfbd1 tests: Skip two more geoip_load_file tests on Windows.
* FIXES part of #25515: https://bugs.torproject.org/25515
2018-04-26 11:33:22 -04:00
Nick Mathewson
33cba1195b Remove a blank line that was bothering me. 2018-04-26 09:10:58 -04:00
David Goulet
868e348570 callbacks: Add a DirServer role
The clean_consdiffmgr() callback is only for relays acting as a directory
server, not all relays.

This commit adds a role for only directory server and sets the
clean_consdiffmgr() callback to use it.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-25 14:21:19 -04:00
David Goulet
b6f7e23bbd clean_consdiffmgr() callback is only for directories
Only relevant for directory servers.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-25 14:12:38 -04:00
David Goulet
1a181a476e Remove dead code in networkstatus.c
We can't end up in the removed else {} condition since we first validate the
flavor we get and then we validate the flavor we parse from the given
consensus which means we can only handle the two flavors of the if/elseif
conditions.

Fixes #25914

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-25 09:35:32 -04:00
Nick Mathewson
2748dd0f1c Ignore CircuitPriorityHalflife values under -EPSILON.
Previously, we were ignoring values _over_ EPSILON.  This bug was
also causing a warning at startup because the default value is set
to -1.0.

Fixes bug 25577; bugfix on 6b1dba214d.  Bug not in any released tor.
2018-04-25 09:15:47 -04:00
Nick Mathewson
58f54a3588 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-04-25 08:01:54 -04:00
Nick Mathewson
a052eea480 Merge branch 'maint-0.3.3' 2018-04-25 08:01:54 -04:00
Nick Mathewson
7c3f87eb4b Merge branch 'maint-0.3.1' into maint-0.3.2 2018-04-25 08:01:53 -04:00
Nick Mathewson
bb35405d2a Fix a copy-paste error in the fix for #23693.
Found by coverity; CID 25912; bug not in any released Tor.
2018-04-25 08:00:55 -04:00
Nick Mathewson
ea3c3a10a2 Merge branch 'maint-0.3.3' 2018-04-24 10:37:36 -04:00
Nick Mathewson
7e7b052b2a Merge branch 'maint-0.3.2' into maint-0.3.3 2018-04-24 10:37:36 -04:00
Nick Mathewson
9187cdb1cd Merge remote-tracking branch 'dgoulet/bug25901_032_01' into maint-0.3.2 2018-04-24 10:36:17 -04:00
Nick Mathewson
9be7608fda Merge branch 'maint-0.3.3' 2018-04-24 08:51:58 -04:00
Nick Mathewson
6182f60f75 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-04-24 08:51:55 -04:00
Nick Mathewson
d2951b381b Merge branch 'maint-0.3.1' into maint-0.3.2 2018-04-24 08:49:24 -04:00
Nick Mathewson
e888634076 Merge remote-tracking branch 'public/bug23693_031_redux' into maint-0.3.1 2018-04-24 08:49:20 -04:00
David Goulet
b259008c56 hs: Fix memleak in v3 on SIGHUP
Fixes #25901

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-23 11:09:57 -04:00
Nick Mathewson
192c7c8bf9 Merge remote-tracking branch 'dgoulet/ticket25762_034_05' 2018-04-23 11:02:05 -04:00
David Goulet
665e23c59a test: Add periodic events unit tests
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-23 10:57:28 -04:00
David Goulet
87cb9ce900 main: Update periodic events comment based on latest code
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-23 10:57:28 -04:00
Nick Mathewson
f70fa67da6 main: Use rescan_periodic_events in initialize_periodic_events_cb 2018-04-23 10:57:28 -04:00
David Goulet
4e85f17eec periodic: Add an enable and disable function
Two helper functions to enable an event and disable an event which wraps the
launch and destroy of an event but takes care of the enabled flag.

They are also idempotent that is can be called multiple time on the same event
without effect if the event was already enabled or disabled.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-23 10:57:28 -04:00
David Goulet
1d864987cb config: Set up periodic events when options changes
In case we transitionned to a new role in Tor, we need to launch and/or
destroy some periodic events.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-23 10:57:28 -04:00
David Goulet
a4fcdc5dec main: Launch periodic events by roles
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-23 10:57:28 -04:00
David Goulet
ed89bb3253 main: Specialize the periodic events on a per-role basis
In tor, we have a series of possible "roles" that the tor daemon can be
enabled for. They are:

  Client, Bridge, Relay, Authority (directory or bridge) and Onion service.

They can be combined sometimes. For instance, a Directory Authority is also a
Relay. This adds a "roles" field to a periodic event item object which is used
to know for which roles the event is for.

The next step is to enable the event only if the roles apply. No behavior
change at this commit.

Pars of #25762

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-23 10:21:59 -04:00
David Goulet
269cd5dba7 main: Sort alphabetically periodic event callbacks
No behavior change, just to make it easier to find callbacks and for the sake
of our human brain to parse the list properly.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-23 10:21:59 -04:00
Nick Mathewson
3527f4b8a4 Merge remote-tracking branch 'github/lazy_bucket_refill' 2018-04-23 09:47:05 -04:00
Nick Mathewson
e8683bcbb1 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-04-23 09:24:33 -04:00
Nick Mathewson
1438c6c713 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-04-23 09:23:31 -04:00
Nick Mathewson
5c3639923f Merge branch 'maint-0.2.9' into maint-0.3.1 2018-04-23 09:23:31 -04:00
Nick Mathewson
c5ffcbb43f Merge branch 'maint-0.3.3' 2018-04-23 09:23:31 -04:00
Nick Mathewson
beb321d8cd Merge branch 'maint-0.3.2' into maint-0.3.3 2018-04-23 09:23:31 -04:00
Nick Mathewson
c4be6dfeab Permit the nanosleep system call in the seccomp2 callbox
Fixes bug 24969; bugfix on 0.2.5.1-alpha when the sandbox was introduced.
2018-04-23 09:15:40 -04:00
Nick Mathewson
cd3fc2aa48 Merge remote-tracking branch 'neel/b25511-r4' 2018-04-23 09:13:24 -04:00
Nick Mathewson
915791bc48 Merge branch 'ticket25024_squashed' 2018-04-22 20:53:04 -04:00
Deepesh Pathak
72bfcb37f1 add changes file and update check-typos in makefile 2018-04-22 20:48:48 -04:00
Nick Mathewson
1ba9b7e013 Merge remote-tracking branch 'mikeperry/bug25400_squashed' 2018-04-22 20:39:35 -04:00
Nick Mathewson
0e8ae82a87 Merge branch 'remove_old_consensus_methods_2018_squashed' 2018-04-22 20:01:09 -04:00
Nick Mathewson
2609a8be81 Require MIN_METHOD_FOR_RECOMMENDED_PROTOCOLS
(Remove support for running without this method.)
2018-04-22 20:00:47 -04:00
Nick Mathewson
5f90d28c01 Remove MIN_METHOD_FOR_{SHARED_RANDOM,EXCLUDING_INVALID_NODES}
Also remove client detection for pre-EXCLUDING_INVALID_NODES
consensuses, and a test for that detection.
2018-04-22 20:00:47 -04:00
Nick Mathewson
73c9c16faa Remove MIN_METHOD_FOR_ED25519_ID_VOTING
This also lets us remove the old rsa-based routerstatus collator.
2018-04-22 20:00:47 -04:00
Nick Mathewson
4d6f21bb6b Remove MIN_METHOD_FOR_{PACKAGE_LINES,GUARDFRACTION,ED25519_ID_IN_MD}
Also remove a rest for pre-19 microdesc versions.
2018-04-22 20:00:47 -04:00
Nick Mathewson
caf766991d Remove MIN_METHOD_FOR_ID_HASH_IN_MD and a test for running without it. 2018-04-22 20:00:47 -04:00
Nick Mathewson
93380db833 Remove MIN_METHOD_{FOR_P6_LINES,FOR_NTOR_KEY,TO_CLIP_UNMEASURED_BW}
Also remove a unit test for pre-MIN_METHOD_FOR_NTOR_KEY consensuses.
2018-04-22 20:00:47 -04:00
Nick Mathewson
08373467b1 Remove MIN_METHOD_FOR and MIN_METHOD_FOR_A_LINES
Also, in networkstatus.c, remove client code for recognizing pre-
MIN_METHOD_FOR_A_LINES consensuses, and corresponding unit tests in
test_dir.c.
2018-04-22 20:00:47 -04:00
Nick Mathewson
69347f48e0 Disable consensus methods before 25.
Consensus method 25 is the oldest one supported by any stable
version of 0.2.9, which is our current most-recent LTS.  Thus, by
proposal 290, they should be removed.

This commit does not actually remove the code to implement these
methods: it only makes it so authorities will no longer support
them.  I'll remove the backend code for them in later commits.
2018-04-22 20:00:47 -04:00
Nick Mathewson
6773102c92 Merge branch 'bug25691_033_again_squashed' 2018-04-22 19:44:27 -04:00
Nick Mathewson
0941c8bfe6 control EXTENDCIRCUIT: check node_has_preferred_descriptor().
Suggested by teor during code review for 25691.
2018-04-22 19:43:27 -04:00
Nick Mathewson
f1c1328f85 Repair the legacy_hs/pick_tor2web_rendezvous_node unit test
It tried to pick nodes for which only routerinfo_t items are set,
but without setting UseMicroDescriptors to 0.  This won't work any
more, now that we're strict about using the right descriptor types
due to 25691/25692/25213.
2018-04-22 19:43:07 -04:00
Nick Mathewson
47163780c3 Rename node_has_descriptor() to node_has_any_descriptor()
Changing the name of this function should help keep us from misusing
it when node_has_preferred_descriptor() would be more appropriate.
2018-04-22 19:43:07 -04:00
Nick Mathewson
7915efd1b8 Use router_crn_flags in more places, to pass direct-connect flag
In order to fix 25691 and 25692, we need to pass the "direct_conn"
flag to more places -- particularly when choosing single-hop
tunnels.  The right way to do this involves having a couple more
functions accept router_crn_flags_t, rather than a big list of
boolean arguments.

This commit also makes sure that choose_good_exit_server_general()
honors the direct_conn flag, to fix 25691 and 25692.
2018-04-22 19:42:28 -04:00
Nick Mathewson
388d217c40 Use node_has_preferred_descriptor() in another case
In router_add_running_nodes_to_smartlist(), we had an inline
implementation of the logic from node_has_descriptor(), which should
be changed to node_has_preferred_descriptor().
2018-04-22 19:42:28 -04:00
Nick Mathewson
948dd2c79e Check for "the right descriptor", not just "any descriptor".
This patch adds a new node_has_preferred_descriptor() function, and
replaces most users of node_has_descriptor() with it.  That's an
important change, since as of d1874b4339 (our fix for #25213),
we are willing to say that a node has _some_ descriptor, but not the
_right_ descriptor for a particular use case.

Part of a fix for 25691 and 25692.
2018-04-22 19:42:26 -04:00
Nick Mathewson
c3e40a8361 Allow cpuworkers to exist without onion keys
Now that we allow cpuworkers for dirport-only hosts (to fix 23693),
we need to allow dup_onion_keys() to succeed for them.

The change to construct_ntor_key_map() is for correctness,
but is not strictly necessary.
2018-04-22 17:17:07 -04:00
Nick Mathewson
5102208447 Improve documentation for CONFIG_TYPE_CSV_INTERVAL. 2018-04-22 15:55:09 -04:00
Nick Mathewson
8b6fc47cc3 Fix an absurdly wide line. 2018-04-22 15:55:09 -04:00
Nick Mathewson
ff6f49f033 Rename find_dl_schedule to find_dl_min_delay.
(We no longer need two separate functions here.)
2018-04-22 15:55:09 -04:00
Nick Mathewson
82d1d8b071 Remove extra values from InitialDelay defaults
These options are now ignored.
2018-04-22 15:55:09 -04:00
Nick Mathewson
2f792c041a Add aliases for the old DownloadSchedule options
These will produce a warning, but still work fine.
2018-04-22 15:55:09 -04:00
Nick Mathewson
2d7b5c6fe5 Change the type of "download schedule" from smartlist to int.
This is done as follows:
  * Only one function (find_dl_schedule()) actually returned a
    smartlist. Now it returns an int.

  * The CSV_INTERVAL type has been altered to ignore everything
    after the first comma, and to store the value before the first
    comma in an int.
2018-04-22 15:55:09 -04:00
Nick Mathewson
9aaed729c1 Rename *DownloadSchedule to *DownloadInitialDelay; make them ints
This commit won't compile. It was made with the following perl
scripts:

s/smartlist_t \*(.*)DownloadSchedule;/int $1DownloadInitialDelay;/;
s/\b(\w*)DownloadSchedule\b/$1DownloadInitialDelay/;
2018-04-22 15:55:09 -04:00
Isis Lovecruft
b5013e841c
rust: Remove mirrored PRNG implementation.
Once we need a PRNG, we'll likely want to change the dev-dependency on the rand
crate to be a real dependency, and use rand::SmallRng as our PRNG.
2018-04-20 23:54:48 +00:00
Isis Lovecruft
49639b2826
rust: Expose our (P)RNGs in Rust and provide safe wrappers.
* FIXES #24660: https://bugs.torproject.org/24660
2018-04-20 23:54:47 +00:00
Isis Lovecruft
f17ace1460
crypto: Move declaration of crypto_init_siphash_key() into crypto.h.
On second thought, this is a global initialisation function and
doesn't conceptually have much to do with getting/using randomnesses.
2018-04-18 19:16:35 +00:00
Nick Mathewson
9d27e3f014 Make test_tortls.c build with openssl no_deprecated.
Also for 19981.
2018-04-18 12:32:39 -04:00
Nick Mathewson
a15b2c57e1 Add support for openssl built with "no-deprecated".
Patch from Andrew John Hughes; partial fix for 19981.
2018-04-18 12:31:24 -04:00
Nick Mathewson
bd3f8260a3 Rename some functions to start with a uniform prefix 2018-04-18 11:45:44 -04:00
Nick Mathewson
3bf9974b6c Fix a pointer size error in test_bridges.c
sizeof(ret) is the size of the pointer, not the size of what it
points to.  Fortunately, we already have a function to compare
tor_addr_port_t values for equality.

Bugfix on c2c5b13e5d8a77e; bug not in any released Tor. Found by
clang's scan-build.
2018-04-17 19:45:59 -04:00
Nick Mathewson
1abe0a5769 Add an initialization case to node_get_prim_dirport
Fixes a bug found by scan-build; bugfix on c2fa743806. Bug not in
any released Tor.
2018-04-17 19:43:14 -04:00
Nick Mathewson
31a450a5b6 Add a redundant memset to node_get_pref_ipv6_orport()
For whatever reason, clang's scan-build isn't sure that this
function actually initializes its output.
2018-04-17 19:41:10 -04:00
Nick Mathewson
d67d3dd145 Fix a copy-and-paste error from 6be994fa71
Found by clang's scan-build too.  Bug not in any released Tor.
2018-04-17 19:39:50 -04:00
Nick Mathewson
087ace7009 Fix a compilation warning on clang 2018-04-17 18:41:39 -04:00
Nick Mathewson
47df912f1c Remove the periodic refill event entirely.
Now that we update our buckets on demand before reading or writing,
we no longer need to update them all every TokenBucketRefillInterval
msec.

When a connection runs out of bandwidth, we do need a way to
reenable it, however.  We do this by scheduling a timer to reenable
all blocked connections for TokenBucketRefillInterval msec after a
connection becomes blocked.

(If we were using PerConnBWRate more, it might make sense to have a
per-connection timer, rather than a single timeout. But since
PerConnBWRate is currently (mostly) unused, I'm going to go for the
simpler approach here, since usually whenever one connection has
become blocked on bandwidth, most connections are blocked on
bandwidth.)

Implements ticket 25373.
2018-04-17 18:20:03 -04:00
Nick Mathewson
780d1b44cf Move responsibility for recording read/written bytes
Previously this was done as part of the refill callback, but there's
no real reason to do it like that.  Since we're trying to remove the
refill callback completely, we can do this work as part of
record_num_bytes_transferred_impl(), which already does quite a lot
of this.
2018-04-17 18:06:46 -04:00
Nick Mathewson
31fbbf2377 Fixup timing wheel warnings related to recent WHEEL_BIT change. 2018-04-17 12:45:53 -04:00
Nick Mathewson
a2acb9b9e9 Refill each token bucket at the last instant before reading/writing.
(This patch does not yet eliminate the global refill callback;
fortunately, bucket refilling is idempotent.)
2018-04-17 12:20:06 -04:00
Nick Mathewson
9af4cd6f31 Refactor responsibility for checking global write bucket emptiness
We used to do this 10x per second in connection_buckets_refill();
instead, we now do it when the bucket becomes empty. This change is
part of the work of making connection_buckets_refill() obsolete.

Closes ticket 25828; bugfix on 0.2.3.5-alpha.
2018-04-17 12:12:07 -04:00
Nick Mathewson
b36c450b57 Amend token_bucket_rw_dec to indicate which buckets became empty. 2018-04-17 12:02:49 -04:00
Nick Mathewson
1356d51af6 Rename connection_bucket_refill to connection_bucket_refill_all
Also document its actual behavior
2018-04-17 11:47:31 -04:00
Nick Mathewson
993f5d284d Rename connection_bucket_round_robin -> get_share
There was nothing round_robinish about this function.
2018-04-17 11:42:14 -04:00
Nick Mathewson
488e2b00bf Refactor the "block the connection on bandwidth" logic
Right now, this patch just introduces and exposes some new
functions. Later, these functions will get a little more complexity.
2018-04-17 11:39:16 -04:00
Nick Mathewson
2bf6f1cd39 token bucket: Add parens to rate_per_sec_to_rate_per_step()
Typecasts bind more tightly than division, so we need to do the
division first.
2018-04-17 11:09:55 -04:00
Nick Mathewson
c5bbf72fb8 Merge branch 'maint-0.3.3' 2018-04-17 10:45:58 -04:00
David Goulet
93ff1870ba heartbeat: Log the number of circuits killed because too many cells
We recently merged a circuit cell queue size safeguard. This commit adds the
number of killed circuits that have reached the limit to the DoS heartbeat. It
now looks like this:

  [notice] DoS mitigation since startup: 0 circuits killed with too many
  cells. 0 circuits rejected, 0 marked addresses. 0 connections closed. 0
  single hop clients refused.

Second thing that this patch does. It makes tor always print the DoS
mitigation heartbeat line (for a relay) even though no DoS mitigation have
been enabled. The reason is because we now kill circuits that have too many
cells regardless on if it is enabled or not but also it will give the operator
a chance to learn what is enabled with the heartbeat instead of suddenly
appearing when it is enabled by let say the consensus.

Fixes #25824

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-17 10:44:43 -04:00
Nick Mathewson
c32108ee0f Merge remote-tracking branch 'public/bug24688' 2018-04-17 09:14:44 -04:00
Neel Chauhan
3a6e37f57f Add GETINFO current-time/{local,utc} regression test 2018-04-16 20:37:50 -04:00
Neel Chauhan
ce84de39ef Make tor_gettimeofday() mockable 2018-04-16 20:37:50 -04:00
Neel Chauhan
e72742d693 Add GETINFO current-time/{local,utc} command to ControlPort 2018-04-16 20:37:50 -04:00
Neel Chauhan
9e3e1b8bfb Add format_local_iso_time_nospace() 2018-04-16 20:37:50 -04:00
Mike Perry
f921fd771a Use u32 add helper for CIRC_BW accounting.
There are quite a few other places this could be used, but keeping it simple
for now.
2018-04-16 21:46:31 +00:00
Mike Perry
0e06a9c3e7 Helper function to add u32 without overflow. 2018-04-16 21:46:31 +00:00
Mike Perry
dfa6808f57 Bug 25400: Make CIRC_BW event properly total everything on a circ. 2018-04-16 21:46:12 +00:00
David Goulet
ae4e5b9824 token: Fix uint32_t to uint64_t conversion
Unfortunately, the units passed to
monotime_coarse_stamp_units_to_approx_msec() was always 0 due to a type
conversion.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-16 15:05:41 -04:00
juga0
8be1ac8abe
Add test to check that loading a 2nd file replaces the 1st
Signed-off-by: Isis Lovecruft <isis@torproject.org>
2018-04-16 19:02:57 +00:00
juga0
071236e3e2
Add a test for geoip_load_file() using geoip6
Signed-off-by: Isis Lovecruft <isis@torproject.org>
2018-04-16 19:01:30 +00:00
Nick Mathewson
c7d3de216c Merge branch 'maint-0.3.3' 2018-04-16 13:48:39 -04:00
Nick Mathewson
c5899d5cf3 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-04-16 13:48:23 -04:00
Nick Mathewson
5e0fbd7006 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-04-16 13:48:23 -04:00
Nick Mathewson
9ef4c05df8 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-04-16 13:48:23 -04:00
Nick Mathewson
0e13ff4815 Fix an LCOV exclusion pattern in address.c 2018-04-16 13:48:21 -04:00
Nick Mathewson
3463b4e065 Merge branch 'maint-0.3.3' 2018-04-16 10:06:21 -04:00
Nick Mathewson
22845df2a7 Merge remote-tracking branch 'dgoulet/bug25226_033_02' into maint-0.3.3 2018-04-16 10:04:36 -04:00
David Goulet
d064122e70 relay: Implement a circuit cell queue maximum size
This commit introduces the consensus parameter "circ_max_cell_queue_size"
which controls the maximum number of cells a circuit queue should have.

The default value is currently 50000 cells which is above what should be
expected but keeps us a margin of error for padding cells.

Related to this is #9072. Back in 0.2.4.14-alpha, we've removed that limit due
to a Guard discovery attack. Ticket #25226 details why we are putting back the
limit due to the memory pressure issue on relays.

Fixes #25226

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-16 09:59:12 -04:00
Nick Mathewson
197d1992db Remove old tor-fw-helper README from EXTRA_DIST
We removed this file, but didn't take it out of EXTRA_DIST -- thus
breaking "make dist".
2018-04-16 09:52:15 -04:00
Nick Mathewson
3ee4c9b1fa bump to 0.3.3.5-rc-dev 2018-04-15 15:41:03 -04:00
Nick Mathewson
b65024f57d bump to 0.3.3.5-rc 2018-04-14 12:21:36 -04:00
Nick Mathewson
4b58b97c68 32-bit compilation warnings 2018-04-13 17:01:03 -04:00
David Goulet
c2f83746f4 token_bucket: Fix indentation
Both header and code file had some indentation issues after mass renaming.

No code behavior change.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-13 16:58:49 -04:00
Nick Mathewson
34c2574aa9 Merge branch 'token_bucket_once_again_squashed' 2018-04-13 16:31:58 -04:00
Nick Mathewson
1b31195b4f Fix "make check-spaces" 2018-04-13 16:31:47 -04:00
Nick Mathewson
003e6595bf Refactor "timestamp" not to be its own type coupled to token buffers
Really, the uint32_t is only an optimization; any kind of unit
should work fine.  Some users might want to use time_t or
monotime_coarse_t or something like that.
2018-04-13 16:31:47 -04:00
Nick Mathewson
2307bef7a2 Move token_bucket_raw_* functions to the start of the module.
(These functions were previously helper functions for
token_bucket_rw_t).
2018-04-13 16:31:47 -04:00
Nick Mathewson
9c405ba595 Never pick a rate of 0.
(The tests caught this one.)
2018-04-13 16:31:47 -04:00
Nick Mathewson
0b40ed5e70 Start re-refactoring the token bucket interface.
Begin by creating a lowest-level triple of the types needed to
implement a token bucket: a configuration, a timestamp, and the raw
bucket itself.

Note that for low-level buckets, the units of the timestamp and the
bucket itself are unspecified: each user can use a different type.

(This patch breaks check-spaces; a later patch will fix it)
2018-04-13 16:31:47 -04:00
Nick Mathewson
c9de30c590 Merge branch 'maint-0.3.3' 2018-04-13 13:05:53 -04:00
Nick Mathewson
61d87dfa15 Merge branch 'postloop_callbacks_2' 2018-04-13 12:12:46 -04:00
Nick Mathewson
4c03af4880 Remove tell_event_loop_to_run_external_code() per review
(This function is no longer used.)
2018-04-13 12:11:22 -04:00
Nick Mathewson
03b96882de Rename token_bucket_t to token_bucket_rw_t.
This is a simple search-and-replace to rename the token bucket type
to indicate that it contains both a read and a write bucket, bundled
with their configuration.  It's preliminary to refactoring the
bucket type.
2018-04-13 10:54:26 -04:00
Nick Mathewson
b152d62cee Merge branch 'token_bucket_refactor_squashed' 2018-04-13 10:47:24 -04:00
Nick Mathewson
62f4d5a265 Add a unit test for post-loop events
This test works by having two post-loop events activate one another
in a tight loop.  If the "post-loop" mechanism didn't work, this
would be enough to starve all other events.
2018-04-13 10:44:15 -04:00
Nick Mathewson
320bd2b3a5 Move connection_ap_attach_pending(0) into a postloop event
This is a second motivating case for our postloop event logic.
2018-04-13 10:44:15 -04:00
Nick Mathewson
5719dfb48f Move the "activate linked connections" logic to a postloop event.
A linked connection_t is one that gets its I/O, not from the
network, but from another connection_t.  When such a connection has
something to write, we want the corresponding connection to run its
read callback ... but not immediately, to avoid infinite recursion
and/or event loop starvation.

Previously we handled this case by activating the read events
outside the event loop.  Now we use the "postloop event" logic.
This lets us simplify do_main_loop_once() a little.
2018-04-13 10:44:15 -04:00
Nick Mathewson
c5a3e2ca44 Generic mechaism for "post-loop" callbacks
We've been labeling some events as happening "outside the event
loop", to avoid Libevent starvation.  This patch provides a cleaner
mechanism to avoid that starvation.

For background, the problem here is that Libevent only scans for new
events once it has run all its active callbacks.  So if the
callbacks keep activating new callbacks, they could potentially
starve Libevent indefinitely and keep it from ever checking for
timed, socket, or signal events.

To solve this, we add the ability to label some events as
"post-loop".  The rule for a "post-loop" event is that any events
_it_ activates can only be run after libevent has re-scanned for new
events at least once.
2018-04-13 10:44:15 -04:00
Nick Mathewson
ad57b1279a Disable load_geoip_file() tests on windows
See bug #25787 for discussion; we should have a better fix here.
2018-04-13 10:42:19 -04:00
Nick Mathewson
787bafc0f9 Increase tolerances for imprecise time. 2018-04-13 10:41:15 -04:00
Nick Mathewson
3f514fe3b1 Accept small hops backward in the monotonic timer. 2018-04-13 10:41:15 -04:00
Nick Mathewson
12f58f2f87 Remove a bunch of int casts; make clang happier. 2018-04-13 10:41:14 -04:00
Nick Mathewson
6be994fa71 Ensure that global buckets are updated on configuration change 2018-04-13 10:41:14 -04:00
Nick Mathewson
a38fd9bc5b Replace the global buckets with token_bucket_t 2018-04-13 10:41:14 -04:00
Nick Mathewson
9fced56ef1 Refactor or_connection token buckets to use token_bucket_t 2018-04-13 10:41:14 -04:00
Nick Mathewson
8a85239746 Add a helper function to decrement read and write at the same time 2018-04-13 10:41:14 -04:00
Nick Mathewson
c376200f6a Add a new token-bucket backend abstraction, with tests
This differs from our previous token bucket abstraction in a few
ways:

  1) It is an abstraction, and not a collection of fields.
  2) It is meant to be used with monotonic timestamps, which should
     produce better results than calling gettimeofday over and over.
2018-04-13 10:41:14 -04:00
Nick Mathewson
d8ef9a2d1e Expose a function that computes stamp units from msec.
(It turns out we can't just expose STAMP_TICKS_PER_SECOND, since
Apple doesn't have that.)
2018-04-13 10:41:08 -04:00
Nick Mathewson
2d6914e391 Refine extend_info_for_node's "enough info" check once again.
In d1874b4339, we adjusted this check so that we insist on
using routerinfos for bridges.  That's almost correct... but if we
have a bridge that is also a regular relay, then we should use
insist on its routerinfo when connecting to it as a bridge
(directly), and be willing to use its microdescriptor when
connecting to it elsewhere in our circuits.

This bug is a likely cause of some (all?) of the (exit_ei == NULL)
failures we've been seeing.

Fixes bug 25691; bugfix on 0.3.3.4-alpha
2018-04-12 16:56:29 -04:00
Nick Mathewson
d3b9b5a3dd Remove windows log_from_handle as unused.
This function was only used by PortForwardingHelper, which was
removed in 9df110cd72.  Its presence caused warnings on windows.
2018-04-12 12:38:46 -04:00
Nick Mathewson
f0887e30dd Merge branch 'maint-0.3.3' 2018-04-12 12:31:41 -04:00
Nick Mathewson
46795a7be6 Attempt to fix 32-bit clang builds, which broke with 31508a0abc
When size_t is 32 bits, the unit tests can't fit anything more than
4GB-1 into a size_t.

Additionally, tt_int_op() uses "long" -- we need tt_u64_op() to
safely test uint64_t values for equality.

Bug caused by tests for #24782 fix; not in any released Tor.
2018-04-12 12:30:36 -04:00
Nick Mathewson
467c882baa Merge branch 'maint-0.3.3' 2018-04-12 12:25:51 -04:00
Nick Mathewson
4aaa4215e7 Attempt to fix 32-bit builds, which broke with 31508a0abc
When size_t is 32 bits, doing "size_t ram; if (ram > 8GB) { ... }"
produces a compile-time warning.

Bug caused by #24782 fix; not in any released Tor.
2018-04-12 12:25:09 -04:00
Nick Mathewson
037fb0c804 Merge branch 'maint-0.3.3' 2018-04-12 11:14:42 -04:00
Alexander Færøy
31508a0abc Use less memory for MaxMemInQueues for machines with more than 8 GB of RAM.
This patch changes the algorithm of compute_real_max_mem_in_queues() to
use 0.4 * RAM iff the system has more than or equal to 8 GB of RAM, but
will continue to use the old value of 0.75 * RAM if the system have less
than * GB of RAM available.

This patch also adds tests for compute_real_max_mem_in_queues().

See: https://bugs.torproject.org/24782
2018-04-12 11:14:16 -04:00
Alexander Færøy
5633a63379 Use STATIC for compute_real_max_mem_in_queues
This patch makes compute_real_max_mem_in_queues use the STATIC macro,
which allows us to test the function.

See: https://bugs.torproject.org/24782
2018-04-12 10:51:48 -04:00
Alexander Færøy
bd42367a1e Make get_total_system_memory mockable.
This patch makes get_total_system_memory mockable, which allows us to
alter the return value of the function in tests.

See: https://bugs.torproject.org/24782
2018-04-12 10:51:45 -04:00
Nick Mathewson
a51630cc9a Merge branch 'maint-0.3.3' 2018-04-11 15:38:00 -04:00
Nick Mathewson
0803d79f55 Merge branch 'bug25581_033_v2_asn_squashed' into maint-0.3.3 2018-04-11 15:37:56 -04:00
Nick Mathewson
8b8630a501 Rename HSLayer{2,3}Nodes to start without an underscore.
The old single-underscore names remain as a deprecated synonym.

Fixes bug 25581; bugfix on 0.3.3.1-alpha.
2018-04-11 15:37:49 -04:00
Nick Mathewson
0c8f901ee7 Merge branch 'maint-0.3.3' 2018-04-11 10:48:46 -04:00
Mike Perry
f9ba0c6546 Bug 24989: Count client hsdir gets towards MaxClientCircuitsPending.
We removed this by breaking them out from general in #13837.
2018-04-11 10:47:06 -04:00
Nick Mathewson
6bdfaa8b24 Merge remote-tracking branch 'isis-github/bug25425_squashed2' 2018-04-10 15:32:26 -04:00
Nick Mathewson
6e467a7a34 Merge remote-tracking branch 'isis-github/bug25409' 2018-04-10 15:27:09 -04:00
Isis Lovecruft
65d6b66e99
config: Obsolete PortForwarding and PortForwardingHelper options.
* FIXES part of #25409: https://bugs.torproject.org/25409
2018-04-10 19:08:59 +00:00
Nick Mathewson
386f8016b7 Fix another crash-on-no-threadpool bug.
This one happens if for some reason you start with DirPort enabled
but server mode turned off entirely.

Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha.
2018-04-10 14:44:38 -04:00
Nick Mathewson
d3ac47b415 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-04-10 14:26:32 -04:00
Nick Mathewson
0b1a054d68 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-04-10 14:26:32 -04:00
Nick Mathewson
ef16a11b90 Merge branch 'maint-0.3.3' 2018-04-10 14:26:32 -04:00
Nick Mathewson
db6902c235 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-04-10 14:26:29 -04:00
Nick Mathewson
10a1969ca3 Merge remote-tracking branch 'ahf-github/bugs/24854_029_2' into maint-0.2.9 2018-04-10 14:25:57 -04:00
Nick Mathewson
16f08de0fd Remove TestingEnableTbEmptyEvent
This option was used for shadow testing previously, but is no longer
used for anything.  It interferes with refactoring our token buckets.
2018-04-10 12:16:21 -04:00
Isis Lovecruft
3ee7a8d3a5
tests: Make tt_finished() macro for tests without tt_*_op() calls. 2018-04-09 19:32:47 +00:00
Isis Lovecruft
c2c5b13e5d
test: Add testing module and some unittests for bridges.c.
This roughly doubles our test coverage of the bridges.c module.

 * ADD new testing module, .../src/test/test_bridges.c.
 * CHANGE a few function declarations from `static` to `STATIC`.
 * CHANGE one function in transports.c, transport_get_by_name(), to be
   mockable.
 * CLOSES #25425: https://bugs.torproject.org/25425
2018-04-09 19:32:46 +00:00
Nick Mathewson
e0809ec5f5 Prefer 32-bit implementation for timing wheels on 32-bit systems.
This might make our timing-wheel code a tiny bit faster there.

Closes ticket 24688.
2018-04-09 15:21:10 -04:00
David Goulet
395fa0258d compat: Fix unchecked return value from event_del()
Explicitly tell the compiler we don't care about it.

Coverity CID 1434156

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-09 14:12:45 -04:00
Nick Mathewson
e58555135a Add a comment explaining why we do a certain redundant check
Closes ticket 25291.
2018-04-09 12:58:17 -04:00
Alexander Færøy
1295044dc8 Lift the list of default directory servers into their own file.
This patch lifts the list of default directory authorities from config.c
into their own auth_dirs.inc file, which is then included in config.c
using the C preprocessor.

Patch by beastr0.

See: https://bugs.torproject.org/24854
2018-04-09 16:00:26 +02:00
Isis Lovecruft
809f6fae84
refactor: Remove unnecessary #include "crypto.h" throughout codebase.
* FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 22:49:18 +00:00
Isis Lovecruft
e32fc0806d
refactor: Alphabetise some includes in /src/or/*. 2018-04-06 22:49:17 +00:00
Isis Lovecruft
88190026b3
crypto: Alphabetise some #includes in /src/common/crypto*.
* FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 22:49:15 +00:00
Isis Lovecruft
64e6551b8b
crypto: Remove unnecessary includes from src/common/crypto.[ch]
* FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 22:49:13 +00:00
Isis Lovecruft
fe3aca1491
crypto: Refactor (P)RNG functionality into new crypto_rand module.
* ADD new /src/common/crypto_rand.[ch] module.
 * ADD new /src/common/crypto_util.[ch] module (contains the memwipe()
   function, since all crypto_* modules need this).
 * FIXES part of #24658: https://bugs.torproject.org/24658
2018-04-06 21:45:28 +00:00
Nick Mathewson
2fac948158 Include tor_log rust files in source distribution.
Fixes another case of #25732; bug not in any released Tor.
2018-04-06 16:19:14 -04:00
Nick Mathewson
fb2fe41f6f Merge branch 'maint-0.3.3' 2018-04-06 16:18:47 -04:00
Nick Mathewson
306563ac68 Ship all files needed to build Tor with rust
Fixes bug 25732; bugfix on 0.3.3.2-alpha when strings.rs was
introduced.
2018-04-06 16:18:11 -04:00
Nick Mathewson
98b694bfd5 Merge branch 'isolate_libevent_2_squashed' 2018-04-06 08:50:35 -04:00
Roger Dingledine
0b0e4886cf fix confusing comment
presumably introduced by copy-and-paste mistake
2018-04-05 15:59:37 -04:00
Nick Mathewson
245fdf8ca0 Remove needless event2/thread.h include from test_compat_libevent.c 2018-04-05 12:36:28 -04:00
Nick Mathewson
4225300648 Remove redundant event2/event.h usage from test_scheduler.c
This module doesn't actually need to mock the libevent mainloop at
all: it can just use the regular mainloop that the test environment
sets up.

Part of ticket 23750.
2018-04-05 12:36:28 -04:00
Nick Mathewson
6a5f62f68f Move responsibility for threadpool reply-handler events to workqueue
This change makes cpuworker and test_workqueue no longer need to
include event2/event.h.  Now workqueue.c needs to include it, but
that is at least somewhat logical here.
2018-04-05 12:36:28 -04:00
Nick Mathewson
b3586629c9 Wrap the function we use to run the event loop.
Doing this lets us remove the event2/event.h header from a few more
modules, particularly in the tests.

Part of work on 23750.
2018-04-05 12:36:27 -04:00
Nick Mathewson
39cb04335f Add wrappers for event_base_loopexit and event_base_loopbreak. 2018-04-05 12:36:05 -04:00
Nick Mathewson
f0d2733b46 Revise procmon.c to use periodic_timer_t
This removes its need to use event2/event.h, and thereby fixes
another instance of 23750.
2018-04-05 12:35:11 -04:00
Nick Mathewson
871ff0006d Add an API for a scheduled/manually activated event in the mainloop
Using this API lets us remove event2/event.h usage from half a dozen
modules, to better isolate libevent.  Implements part of ticket
23750.
2018-04-05 12:35:11 -04:00
Nick Mathewson
c6d7e0becf Merge remote-tracking branch 'public/split_relay_crypto' 2018-04-05 12:12:18 -04:00
Fernando Fernandez Mancera
9504fabb02 Enable DISABLE_DISABLING_ED25519.
We are going to stop recommending 0.2.5 so there is no reason to keep the
undef statement anymore.

Fixes #20522.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-04-05 16:19:40 +02:00
Neel Chauhan
f5f9c25546 Switch to use should_record_bridge_info()
Both in geoip_note_client_seen() and options_need_geoip_info(), switch from
accessing the options directly to using the should_record_bridge_info() helper
function.

Fixes #25290

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-05 08:37:39 -04:00
Nick Mathewson
ad8347418f Merge branch 'maint-0.3.3' 2018-04-05 08:22:35 -04:00
Nick Mathewson
78bf564168 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-04-05 08:22:34 -04:00
Nick Mathewson
9b10eb2d7a Merge branch 'maint-0.3.1' into maint-0.3.2 2018-04-05 08:22:34 -04:00
Nick Mathewson
834eef2452 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-04-05 08:22:34 -04:00
Nick Mathewson
b68e636b33 Merge branch 'maint-0.2.5' into maint-0.2.9 2018-04-05 08:22:33 -04:00
Karsten Loesing
1fa396b0a4 Update geoip and geoip6 to the April 3 2018 database. 2018-04-05 10:42:25 +02:00
David Goulet
3d5bf12ac2 relay: Remove max middle cells dead code
Next commit is addressing the circuit queue cell limit so cleanup before doing
anything else.

Part of #25226

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-04-04 11:03:50 -04:00
Nick Mathewson
52846f728d Merge branch 'maint-0.3.3' 2018-04-04 08:57:24 -04:00
Nick Mathewson
ec8ee54129 Merge branch 'bug21394_029_redux' into maint-0.3.3 2018-04-04 08:55:37 -04:00
Dhalgren
06484eb5e1 Bug 21394 touchup: Increase DNS attempts to 3
Also don't give up on a resolver as quickly if multiple are configured.
2018-04-04 08:54:25 -04:00
Neel Chauhan
9df110cd72
Remove PortForwarding options
Signed-off-by: Isis Lovecruft <isis@torproject.org>
2018-04-04 00:19:33 +00:00
Nick Mathewson
218b1746ba Merge remote-tracking branch 'fristonio/ticket-25645' 2018-04-03 19:19:02 -04:00
Deepesh Pathak
2680a8b5b1
ticket(25645): remove unused variable n_possible from channel_get_for_extend() 2018-04-03 09:17:23 +05:30
Isis Lovecruft
c65088cb19
rust: Fix ProtoSet and ProtoEntry to use the same DoS limits as C.
Previously, the limit for MAX_PROTOCOLS_TO_EXPAND was actually being applied
in Rust to the maximum number of version (total, for all subprotocols).
Whereas in C, it was being applied to the number of subprotocols that were
allowed.  This changes the Rust to match C's behaviour.
2018-04-02 19:59:16 +00:00
Isis Lovecruft
4b4e36a413
rust: Port all C protover_all_supported tests to Rust.
The behaviours still do not match, unsurprisingly, but now we know where a
primary difference is: the Rust is validating version ranges more than the C,
so in the C it's possible to call protover_all_supported on a ridiculous
version range like "Sleen=0-4294967294" because the C uses
MAX_PROTOCOLS_TO_EXPAND to count the number of *subprotocols* whereas the Rust
uses it to count the total number of *versions* of all subprotocols.
2018-04-02 19:59:15 +00:00
Isis Lovecruft
6739a69c59
tests: Run all existing protover tests in both languages.
There's now no difference in these tests w.r.t. the C or Rust: both
fail miserably (well, Rust fails with nice descriptive errors, and C
gives you a traceback, because, well, C).
2018-04-02 19:59:14 +00:00
Isis Lovecruft
f769edd148
tests: Make inline comments in test_protover.c more accurate.
The DoS potential is slightly higher in C now due to some differences to the
Rust code, see the C_RUST_DIFFERS tags in src/rust/protover/tests/protover.rs.

Also, the comment about "failing at the splitting stage" in Rust wasn't true,
since when we split, we ignore empty chunks (e.g. "1--1" parses into
"(1,None),(None,1)" and "None" can't be parsed into an integer).

Finally, the comment about "Rust seems to experience an internal error" is only
true in debug mode, where u32s are bounds-checked at runtime.  In release mode,
code expressing the equivalent of this test will error with
`Err(ProtoverError::Unparseable)` because 4294967295 is too large.
2018-04-02 19:59:13 +00:00
Isis Lovecruft
ad369313f8
protover: Change protover_all_supported() to return only unsupported.
Previously, if "Link=1-5" was supported, and you asked protover_all_supported()
(or protover::all_supported() in Rust) if it supported "Link=3-999", the C
version would return "Link=3-999" and the Rust would return "Link=6-999".  These
both behave the same now, i.e. both return "Link=6-999".
2018-04-02 19:59:12 +00:00
Isis Lovecruft
cd28b4c7f5
rust: Refactor protover::compute_for_old_tor().
During code review and discussion with Chelsea Komlo, she pointed out
that protover::compute_for_old_tor() was a public function whose
return type was `&'static CStr`.  We both agree that C-like parts of
APIs should:

1. not be exposed publicly (to other Rust crates),
2. only be called in the appropriate FFI code,
3. not expose types which are meant for FFI code (e.g. `*mut char`,
   `CString`, `*const c_int`, etc.) to the pure-Rust code of other
   crates.
4. FFI code (e.g. things in `ffi.rs` modules) should _never_ be called
   from pure-Rust, not even from other modules in its own crate
   (i.e. do not call `protover::ffi::*` from anywhere in
   `protover::protoset::*`, etc).

With that in mind, this commit makes the following changes:

 * CHANGE `protover::compute_for_old_tor()` to be
   visible only at the `pub(crate)` level.
 * RENAME `protover::compute_for_old_tor()` to
   `protover::compute_for_old_tor_cstr()` to reflect the last change.
 * ADD a new `protover::compute_for_old_tor()` function wrapper which
   is public and intended for other Rust code to use, which returns a
   `&str`.
2018-04-02 19:59:12 +00:00
Isis Lovecruft
fd127bfbfa
rust: Refactor Rust implementation of protover_is_supported_here().
It was changed to take borrows instead of taking ownership.

 * REFACTOR `protover::ffi::protover_is_supported_here()` to use changed method
   signature on `protover::is_supported_here()`.
2018-04-02 19:36:26 +00:00
Isis Lovecruft
32638ed4a6
rust: Refactor Rust impl of protover_compute_vote().
This includes a subtle difference in behaviour to the previous Rust
implementation, where, for each vote that we're computing over, if a single one
fails to parse, we skip it.  This now matches the current behaviour in the C
implementation.

 * REFACTOR `protover::ffi::protover_compute_vote()` to use
   new types and methods.
2018-04-02 19:36:25 +00:00
Isis Lovecruft
269053a380
rust: Refactor Rust impl of protover_list_supports_protocol_or_later().
This includes a subtle difference in behaviour, as in 4258f1e18, where we return
(matching the C impl's return behaviour) earlier than before if parsing failed,
saving us computation in parsing the versions into a
protover::protoset::ProtoSet.

 * REFACTOR `protover::ffi::protover_list_supports_protocol_or_later()` to use
   new types and methods.
2018-04-02 19:36:25 +00:00
Isis Lovecruft
63eeda89ea
rust: Refactor Rust impl of protover_list_supports_protocol().
This includes a subtle difference in behaviour, as in 4258f1e18, where we return
(matching the C impl's return behaviour) earlier than before if parsing failed,
saving us computation in parsing the versions into a
protover::protoset::ProtoSet.

 * REFACTOR `protover::ffi::protover_list_supports_protocol()` to use new types
   and methods.
2018-04-02 19:34:26 +00:00
Isis Lovecruft
c7bcca0233
rust: Refactor Rust impl of protover_all_supported().
This includes differences in behaviour to before, which should now more closely
match the C version:

 - If parsing a protover `char*` from C, and the string is not parseable, this
   function will return 1 early, which matches the C behaviour when protocols
   are unparseable.  Previously, we would parse it and its version numbers
   simultaneously, i.e. there was no fail early option, causing us to spend more
   time unnecessarily parsing versions.

 * REFACTOR `protover::ffi::protover_all_supported()` to use new types and
   methods.
2018-04-02 19:34:26 +00:00
Isis Lovecruft
493e565226
rust: Refactor protover tests with new methods; note altered behaviours.
Previously, the rust implementation of protover considered an empty string to be
a valid ProtoEntry, while the C version did not (it must have a "=" character).
Other differences include that unknown protocols must now be parsed as
`protover::UnknownProtocol`s, and hence their entries as
`protover::UnvalidatedProtoEntry`s, whereas before (nearly) all protoentries
could be parsed regardless of how erroneous they might be considered by the C
version.

My apologies for this somewhat messy and difficult to read commit, if any part
is frustrating to the reviewer, please feel free to ask me to split this into
smaller changes (possibly hard to do, since so much changed), or ask me to
comment on a specific line/change and clarify how/when the behaviours differ.

The tests here should more closely match the behaviours exhibited by the C
implementation, but I do not yet personally guarantee they match precisely.

 * REFACTOR unittests in protover::protover.
 * ADD new integration tests for previously untested behaviour.
 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 19:34:25 +00:00
Isis Lovecruft
35b86a12e6
rust: Refactor protover::is_supported_here().
This changes `protover::is_supported_here()` to be aware of new datatypes
(e.g. don't call `.0` on things which are no longer tuple structs) and also
changes the method signature to take borrows, making it faster, threadable, and
easier to read (i.e. the caller can know from reading the function signature
that the function won't mutate values passed into it).

 * CHANGE the `protover::is_supported_here()` function to take borrows.
 * REFACTOR the `protover::is_supported_here()` function to be aware of new
   datatypes.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:34:25 +00:00
Isis Lovecruft
2eb1b7f2fd
rust: Add new ProtoverVote type and refactor functions to methods.
This adds a new type for votes upon `protover::ProtoEntry`s (technically, on
`protover::UnvalidatedProtoEntry`s, because the C code does not validate based
upon currently known protocols when voting, in order to maintain
future-compatibility), and converts several functions which would have operated
on this datatype into methods for ease-of-use and readability.

This also fixes a behavioural differentce to the C version of
protover_compute_vote().  The C version of protover_compute_vote() calls
expand_protocol_list() which checks if there would be too many subprotocols *or*
expanded individual version numbers, i.e. more than MAX_PROTOCOLS_TO_EXPAND, and
does this *per vote* (but only in compute_vote(), everywhere else in the C seems
to only care about the number of subprotocols, not the number of individual
versions).  We need to match its behaviour in Rust and ensure we're not allowing
more than it would to get the votes to match.

 * ADD new `protover::ProtoverVote` datatype.
 * REMOVE the `protover::compute_vote()` function and refactor it into an
   equivalent-in-behaviour albeit more memory-efficient voting algorithm based
   on the new underlying `protover::protoset::ProtoSet` datatype, as
   `ProtoverVote::compute()`.
 * REMOVE the `protover::write_vote_to_string()` function, since this
   functionality is now generated by the impl_to_string_for_proto_entry!() macro
   for both `ProtoEntry` and `UnvalidatedProtoEntry` (the latter of which is the
   correct type to return from a voting protocol instance, since the entity
   voting may not know of all protocols being voted upon or known about by other
   voting parties).
 * FIXES part of #24031: https://bugs.torproject.org/24031

rust: Fix a difference in compute_vote() behaviour to C version.
2018-04-02 19:34:24 +00:00
Isis Lovecruft
fa15ea104d
rust: Add macro for impl ToString for {Unvalidated}ProtoEntry.
This implements conversions from either a ProtoEntry or an UnvalidatedProtoEntry
into a String, for use in replacing such functions as
`protover::write_vote_to_string()`.

 * ADD macro for implementing ToString trait for ProtoEntry and
   UnvalidatedProtoEntry.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:34:24 +00:00
Isis Lovecruft
3c47d31e1f
rust: Add new protover::UnvalidatedProtoEntry type.
This adds a new protover::UnvalidatedProtoEntry type, which is the
UnknownProtocol variant of a ProtoEntry, and refactors several functions which
should operate on this type into methods.

This also fixes what was previously another difference to the C implementation:
if you asked the C version of protovet_compute_vote() to compute a single vote
containing "Fribble=", it would return NULL.  However, the Rust version would
return "Fribble=" since it didn't check if the versions were empty before
constructing the string of differences.  ("Fribble=" is technically a valid
protover string.)  This is now fixed, and the Rust version in that case will,
analogous to (although safer than) C returning a NULL, return None.

 * REMOVE internal `contains_only_supported_protocols()` function.
 * REMOVE `all_supported()` function and refactor it into
   `UnvalidatedProtoEntry::all_supported()`.
 * REMOVE `parse_protocols_from_string_with_no_validation()` and
   refactor it into the more rusty implementation of
   `impl FromStr for UnvalidatedProtoEntry`.
 * REMOVE `protover_string_supports_protocol()` and refactor it into
   `UnvalidatedProtoEntry::supports_protocol()`.
 * REMOVE `protover_string_supports_protocol_or_later()` and refactor
   it into `UnvalidatedProtoEntry::supports_protocol_or_later()`.
 * FIXES part of #24031: https://bugs.torproject.org/24031

rust: Fix another C/Rust different in compute_vote().

This fixes the unittest from the prior commit by checking if the versions are
empty before adding a protocol to a vote.
2018-04-02 19:34:23 +00:00
Isis Lovecruft
54c964332b
rust: Add new protover::ProtoEntry type which uses new datatypes.
This replaces the `protover::SupportedProtocols` (why would you have a type just
for things which are supported?) with a new, more generic type,
`protover::ProtoEntry`, which utilises the new, more memory-efficient datatype
in protover::protoset.

 * REMOVE `get_supported_protocols()` and `SupportedProtocols::tor_supported()`
   (since they were never used separately) and collapse their functionality into
   a single `ProtoEntry::supported()` method.
 * REMOVE `SupportedProtocols::from_proto_entries()` and reimplement its
   functionality as the more rusty `impl FromStr for ProtoEntry`.
 * REMOVE `get_proto_and_vers()` function and refactor it into the more rusty
   `impl FromStr for ProtoEntry`.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:32:36 +00:00
Isis Lovecruft
60daaa68b1
rust: Add new protover::UnknownProtocol type.
* ADD new type, protover::UnknownProtocol, so that we have greater type safety
   and our protover functionality which works with unsanitised protocol names is
   more clearly demarcated.
 * REFACTOR protover::Proto, renaming it protover::Protocol to mirror the new
   protover::UnknownProtocol type name.
 * ADD a utility conversion of `impl From<Protocol> for UnknownProtocol` so that
   we can easily with known protocols and unknown protocols simultaneously
   (e.g. doing comparisons, checking their version numbers), while not allowing
   UnknownProtocols to be accidentally used in functions which should only take
   Protocols.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:27:51 +00:00
Isis Lovecruft
e6625113c9
rust: Implement more memory-efficient protover datatype.
* ADD new protover::protoset module.
 * ADD new protover::protoset::ProtoSet class for holding protover versions.
 * REMOVE protover::Versions type implementation and its method
   `from_version_string()`, and instead implement this behaviour in a more
   rust-like manner as `impl FromStr for ProtoSet`.
 * MOVE the `find_range()` utility function from protover::protover to
   protover::protoset since it's only used internally in the
   implementation of ProtoSet.
 * REMOVE the `contract_protocol_list()` function from protover::protover and
   instead refactor it (reusing nearly the entire thing, with minor superficial,
   i.e. non-behavioural, changes) into a more rusty
   `impl ToString for ProtoSet`.
 * REMOVE the `expand_version_range()` function from protover::protover and
   instead refactor it into a more rusty implementation of
   `impl Into<Vec<Version>> for ProtoSet` using the new error types in
   protover::errors.
 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 19:26:26 +00:00
Isis Lovecruft
88204f91df
rust: Implement error types for Rust protover implementation.
This will allow us to do actual error handling intra-crate in a more
rusty manner, e.g. propogating errors in match statements, conversion
between error types, logging messages, etc.

 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 19:24:32 +00:00
Isis Lovecruft
f2daf82794
rust: Fix ProtoSet and ProtoEntry to use the same DoS limits as C.
Previously, the limit for MAX_PROTOCOLS_TO_EXPAND was actually being applied
in Rust to the maximum number of version (total, for all subprotocols).
Whereas in C, it was being applied to the number of subprotocols that were
allowed.  This changes the Rust to match C's behaviour.
2018-04-02 19:20:40 +00:00
Isis Lovecruft
6eea0dc5f1
rust: Port all C protover_all_supported tests to Rust.
The behaviours still do not match, unsurprisingly, but now we know where a
primary difference is: the Rust is validating version ranges more than the C,
so in the C it's possible to call protover_all_supported on a ridiculous
version range like "Sleen=0-4294967294" because the C uses
MAX_PROTOCOLS_TO_EXPAND to count the number of *subprotocols* whereas the Rust
uses it to count the total number of *versions* of all subprotocols.
2018-04-02 19:20:39 +00:00
Isis Lovecruft
527a239863
tests: Run all existing protover tests in both languages.
There's now no difference in these tests w.r.t. the C or Rust: both
fail miserably (well, Rust fails with nice descriptive errors, and C
gives you a traceback, because, well, C).
2018-04-02 19:20:38 +00:00
Isis Lovecruft
22c65a0e4b
tests: Make inline comments in test_protover.c more accurate.
The DoS potential is slightly higher in C now due to some differences to the
Rust code, see the C_RUST_DIFFERS tags in src/rust/protover/tests/protover.rs.

Also, the comment about "failing at the splitting stage" in Rust wasn't true,
since when we split, we ignore empty chunks (e.g. "1--1" parses into
"(1,None),(None,1)" and "None" can't be parsed into an integer).

Finally, the comment about "Rust seems to experience an internal error" is only
true in debug mode, where u32s are bounds-checked at runtime.  In release mode,
code expressing the equivalent of this test will error with
`Err(ProtoverError::Unparseable)` because 4294967295 is too large.
2018-04-02 19:20:37 +00:00
Isis Lovecruft
6e353664dd
protover: Change protover_all_supported() to return only unsupported.
Previously, if "Link=1-5" was supported, and you asked protover_all_supported()
(or protover::all_supported() in Rust) if it supported "Link=3-999", the C
version would return "Link=3-999" and the Rust would return "Link=6-999".  These
both behave the same now, i.e. both return "Link=6-999".
2018-04-02 19:20:36 +00:00
Isis Lovecruft
fc2a42cc49
rust: Refactor protover::compute_for_old_tor().
During code review and discussion with Chelsea Komlo, she pointed out
that protover::compute_for_old_tor() was a public function whose
return type was `&'static CStr`.  We both agree that C-like parts of
APIs should:

1. not be exposed publicly (to other Rust crates),
2. only be called in the appropriate FFI code,
3. not expose types which are meant for FFI code (e.g. `*mut char`,
   `CString`, `*const c_int`, etc.) to the pure-Rust code of other
   crates.
4. FFI code (e.g. things in `ffi.rs` modules) should _never_ be called
   from pure-Rust, not even from other modules in its own crate
   (i.e. do not call `protover::ffi::*` from anywhere in
   `protover::protoset::*`, etc).

With that in mind, this commit makes the following changes:

 * CHANGE `protover::compute_for_old_tor()` to be
   visible only at the `pub(crate)` level.
 * RENAME `protover::compute_for_old_tor()` to
   `protover::compute_for_old_tor_cstr()` to reflect the last change.
 * ADD a new `protover::compute_for_old_tor()` function wrapper which
   is public and intended for other Rust code to use, which returns a
   `&str`.
2018-04-02 19:20:36 +00:00
Isis Lovecruft
9766d53cf9
rust: Refactor Rust implementation of protover_is_supported_here().
It was changed to take borrows instead of taking ownership.

 * REFACTOR `protover::ffi::protover_is_supported_here()` to use changed method
   signature on `protover::is_supported_here()`.
2018-04-02 19:20:35 +00:00
Isis Lovecruft
6f252e0986
rust: Refactor Rust impl of protover_compute_vote().
This includes a subtle difference in behaviour to the previous Rust
implementation, where, for each vote that we're computing over, if a single one
fails to parse, we skip it.  This now matches the current behaviour in the C
implementation.

 * REFACTOR `protover::ffi::protover_compute_vote()` to use
   new types and methods.
2018-04-02 19:20:34 +00:00
Isis Lovecruft
0a5494b81d
rust: Refactor Rust impl of protover_list_supports_protocol_or_later().
This includes a subtle difference in behaviour, as in 4258f1e18, where we return
(matching the C impl's return behaviour) earlier than before if parsing failed,
saving us computation in parsing the versions into a
protover::protoset::ProtoSet.

 * REFACTOR `protover::ffi::protover_list_supports_protocol_or_later()` to use
   new types and methods.
2018-04-02 19:20:33 +00:00
Isis Lovecruft
52c3ea5045
rust: Refactor Rust impl of protover_list_supports_protocol().
This includes a subtle difference in behaviour, as in 4258f1e18, where we return
(matching the C impl's return behaviour) earlier than before if parsing failed,
saving us computation in parsing the versions into a
protover::protoset::ProtoSet.

 * REFACTOR `protover::ffi::protover_list_supports_protocol()` to use new types
   and methods.
2018-04-02 19:20:32 +00:00
Isis Lovecruft
2f3a7376c0
rust: Refactor Rust impl of protover_all_supported().
This includes differences in behaviour to before, which should now more closely
match the C version:

 - If parsing a protover `char*` from C, and the string is not parseable, this
   function will return 1 early, which matches the C behaviour when protocols
   are unparseable.  Previously, we would parse it and its version numbers
   simultaneously, i.e. there was no fail early option, causing us to spend more
   time unnecessarily parsing versions.

 * REFACTOR `protover::ffi::protover_all_supported()` to use new types and
   methods.
2018-04-02 19:20:31 +00:00
Isis Lovecruft
15e59a1fed
rust: Refactor protover tests with new methods; note altered behaviours.
Previously, the rust implementation of protover considered an empty string to be
a valid ProtoEntry, while the C version did not (it must have a "=" character).
Other differences include that unknown protocols must now be parsed as
`protover::UnknownProtocol`s, and hence their entries as
`protover::UnvalidatedProtoEntry`s, whereas before (nearly) all protoentries
could be parsed regardless of how erroneous they might be considered by the C
version.

My apologies for this somewhat messy and difficult to read commit, if any part
is frustrating to the reviewer, please feel free to ask me to split this into
smaller changes (possibly hard to do, since so much changed), or ask me to
comment on a specific line/change and clarify how/when the behaviours differ.

The tests here should more closely match the behaviours exhibited by the C
implementation, but I do not yet personally guarantee they match precisely.

 * REFACTOR unittests in protover::protover.
 * ADD new integration tests for previously untested behaviour.
 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 19:20:31 +00:00
Isis Lovecruft
aa241e99de
rust: Refactor protover::is_supported_here().
This changes `protover::is_supported_here()` to be aware of new datatypes
(e.g. don't call `.0` on things which are no longer tuple structs) and also
changes the method signature to take borrows, making it faster, threadable, and
easier to read (i.e. the caller can know from reading the function signature
that the function won't mutate values passed into it).

 * CHANGE the `protover::is_supported_here()` function to take borrows.
 * REFACTOR the `protover::is_supported_here()` function to be aware of new
   datatypes.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:20:30 +00:00
Isis Lovecruft
9abbd23df7
rust: Add new ProtoverVote type and refactor functions to methods.
This adds a new type for votes upon `protover::ProtoEntry`s (technically, on
`protover::UnvalidatedProtoEntry`s, because the C code does not validate based
upon currently known protocols when voting, in order to maintain
future-compatibility), and converts several functions which would have operated
on this datatype into methods for ease-of-use and readability.

This also fixes a behavioural differentce to the C version of
protover_compute_vote().  The C version of protover_compute_vote() calls
expand_protocol_list() which checks if there would be too many subprotocols *or*
expanded individual version numbers, i.e. more than MAX_PROTOCOLS_TO_EXPAND, and
does this *per vote* (but only in compute_vote(), everywhere else in the C seems
to only care about the number of subprotocols, not the number of individual
versions).  We need to match its behaviour in Rust and ensure we're not allowing
more than it would to get the votes to match.

 * ADD new `protover::ProtoverVote` datatype.
 * REMOVE the `protover::compute_vote()` function and refactor it into an
   equivalent-in-behaviour albeit more memory-efficient voting algorithm based
   on the new underlying `protover::protoset::ProtoSet` datatype, as
   `ProtoverVote::compute()`.
 * REMOVE the `protover::write_vote_to_string()` function, since this
   functionality is now generated by the impl_to_string_for_proto_entry!() macro
   for both `ProtoEntry` and `UnvalidatedProtoEntry` (the latter of which is the
   correct type to return from a voting protocol instance, since the entity
   voting may not know of all protocols being voted upon or known about by other
   voting parties).
 * FIXES part of #24031: https://bugs.torproject.org/24031

rust: Fix a difference in compute_vote() behaviour to C version.
2018-04-02 19:20:29 +00:00
Isis Lovecruft
26bafb3c33
rust: Add macro for impl ToString for {Unvalidated}ProtoEntry.
This implements conversions from either a ProtoEntry or an UnvalidatedProtoEntry
into a String, for use in replacing such functions as
`protover::write_vote_to_string()`.

 * ADD macro for implementing ToString trait for ProtoEntry and
   UnvalidatedProtoEntry.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:20:28 +00:00
Isis Lovecruft
b786b146ed
rust: Add new protover::UnvalidatedProtoEntry type.
This adds a new protover::UnvalidatedProtoEntry type, which is the
UnknownProtocol variant of a ProtoEntry, and refactors several functions which
should operate on this type into methods.

This also fixes what was previously another difference to the C implementation:
if you asked the C version of protovet_compute_vote() to compute a single vote
containing "Fribble=", it would return NULL.  However, the Rust version would
return "Fribble=" since it didn't check if the versions were empty before
constructing the string of differences.  ("Fribble=" is technically a valid
protover string.)  This is now fixed, and the Rust version in that case will,
analogous to (although safer than) C returning a NULL, return None.

 * REMOVE internal `contains_only_supported_protocols()` function.
 * REMOVE `all_supported()` function and refactor it into
   `UnvalidatedProtoEntry::all_supported()`.
 * REMOVE `parse_protocols_from_string_with_no_validation()` and
   refactor it into the more rusty implementation of
   `impl FromStr for UnvalidatedProtoEntry`.
 * REMOVE `protover_string_supports_protocol()` and refactor it into
   `UnvalidatedProtoEntry::supports_protocol()`.
 * REMOVE `protover_string_supports_protocol_or_later()` and refactor
   it into `UnvalidatedProtoEntry::supports_protocol_or_later()`.
 * FIXES part of #24031: https://bugs.torproject.org/24031

rust: Fix another C/Rust different in compute_vote().

This fixes the unittest from the prior commit by checking if the versions are
empty before adding a protocol to a vote.
2018-04-02 19:20:27 +00:00
Isis Lovecruft
88b2f170e4
rust: Add new protover::ProtoEntry type which uses new datatypes.
This replaces the `protover::SupportedProtocols` (why would you have a type just
for things which are supported?) with a new, more generic type,
`protover::ProtoEntry`, which utilises the new, more memory-efficient datatype
in protover::protoset.

 * REMOVE `get_supported_protocols()` and `SupportedProtocols::tor_supported()`
   (since they were never used separately) and collapse their functionality into
   a single `ProtoEntry::supported()` method.
 * REMOVE `SupportedProtocols::from_proto_entries()` and reimplement its
   functionality as the more rusty `impl FromStr for ProtoEntry`.
 * REMOVE `get_proto_and_vers()` function and refactor it into the more rusty
   `impl FromStr for ProtoEntry`.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:20:26 +00:00
Isis Lovecruft
811178434e
rust: Add new protover::UnknownProtocol type.
* ADD new type, protover::UnknownProtocol, so that we have greater type safety
   and our protover functionality which works with unsanitised protocol names is
   more clearly demarcated.
 * REFACTOR protover::Proto, renaming it protover::Protocol to mirror the new
   protover::UnknownProtocol type name.
 * ADD a utility conversion of `impl From<Protocol> for UnknownProtocol` so that
   we can easily with known protocols and unknown protocols simultaneously
   (e.g. doing comparisons, checking their version numbers), while not allowing
   UnknownProtocols to be accidentally used in functions which should only take
   Protocols.
 * FIXES part of #24031: https://bugs.torproject.org/24031
2018-04-02 19:20:12 +00:00
Isis Lovecruft
9925d2e687
rust: Implement more memory-efficient protover datatype.
* ADD new protover::protoset module.
 * ADD new protover::protoset::ProtoSet class for holding protover versions.
 * REMOVE protover::Versions type implementation and its method
   `from_version_string()`, and instead implement this behaviour in a more
   rust-like manner as `impl FromStr for ProtoSet`.
 * MOVE the `find_range()` utility function from protover::protover to
   protover::protoset since it's only used internally in the
   implementation of ProtoSet.
 * REMOVE the `contract_protocol_list()` function from protover::protover and
   instead refactor it (reusing nearly the entire thing, with minor superficial,
   i.e. non-behavioural, changes) into a more rusty
   `impl ToString for ProtoSet`.
 * REMOVE the `expand_version_range()` function from protover::protover and
   instead refactor it into a more rusty implementation of
   `impl Into<Vec<Version>> for ProtoSet` using the new error types in
   protover::errors.
 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 19:04:19 +00:00
Isis Lovecruft
b6059297d7
rust: Implement error types for Rust protover implementation.
This will allow us to do actual error handling intra-crate in a more
rusty manner, e.g. propogating errors in match statements, conversion
between error types, logging messages, etc.

 * FIXES part of #24031: https://bugs.torproject.org/24031.
2018-04-02 18:27:39 +00:00
Nick Mathewson
f9e32a2084 Remove an unnecessary event2 include.
The rest, are, unfortunately, necessary for now.
2018-04-02 11:11:34 -04:00
Nick Mathewson
f4bcf3f34c Remove event2/event.h include from compat_libevent.h
Only one module was depending on this include (test_helpers.c), and
it was doing so incorrectly.
2018-04-02 11:11:31 -04:00
Nick Mathewson
3df9545492 Merge branch 'maint-0.3.3' 2018-04-02 08:51:47 -04:00
Roger Dingledine
6190593256 use channel_is_client for create cell counts
When a relay is collecting internal statistics about how many
create cell requests it has seen of each type, accurately count the
requests from relays that temporarily fall out of the consensus.

(To be extra conservative, we were already ignoring requests from clients
in our counts, and we continue ignoring them here.)

Fixes bug 24910; bugfix on 0.2.4.17-rc.
2018-04-02 01:00:31 -04:00
Roger Dingledine
961d2ad597 dir auths no longer vote Guard if they're not voting V2Dir
Directory authorities no longer vote in favor of the Guard flag
for relays that don't advertise directory support.

Starting in Tor 0.3.0.1-alpha, Tor clients have been avoiding using
such relays in the Guard position, leading to increasingly broken load
balancing for the 5%-or-so of Guards that don't advertise directory
support.

Fixes bug 22310; bugfix on 0.3.0.6.
2018-04-02 00:20:01 -04:00
Roger Dingledine
0983c203e5 misc tiny fixes 2018-04-01 23:47:44 -04:00
Taylor Yu
596eed3715 Fix CID 1433643
Add a missing lock acquisition around access to queued_control_events
in control_free_all().  Use the reassign-and-unlock strategy as in
queued_events_flush_all().  Fixes bug 25675.  Coverity found this bug,
but only after we recently added an access to
flush_queued_event_pending.
2018-03-29 17:21:33 -05:00
Nick Mathewson
2c1afc2def Merge branch 'maint-0.3.3' 2018-03-29 14:59:01 -04:00
Nick Mathewson
4f473fadbd Merge branch 'bug25617_029' into maint-0.3.3 2018-03-29 14:58:58 -04:00
Nick Mathewson
2e9e91ebbf bump version to 0.3.3.4-alpha-dev 2018-03-29 11:24:02 -04:00
Nick Mathewson
e35eb9baaa Mark controller-initiated DNS lookups as permitted to do DNS.
Fixes bug 25617; bugfix on 0.2.9.3-alpha.
2018-03-29 09:27:28 -04:00
Nick Mathewson
3fa66f9799 Bump version to 0.3.3.4-alpha 2018-03-29 08:01:37 -04:00
Nick Mathewson
2f872f9762 Merge remote-tracking branch 'hello71/bug25398' 2018-03-28 14:47:05 -04:00
Nick Mathewson
4c0e434f33 Merge remote-tracking branch 'public/bug25512' 2018-03-28 14:45:47 -04:00
Nick Mathewson
cb083b5d3e Merge remote-tracking branch 'asn-github/t-25432' 2018-03-28 14:43:33 -04:00
Nick Mathewson
794a25f8c1 Merge branch 'maint-0.3.3' 2018-03-28 14:23:06 -04:00
Nick Mathewson
e0bbef48bf Merge remote-tracking branch 'dgoulet/bug24767_033_03' into maint-0.3.3 2018-03-28 14:21:04 -04:00
Nick Mathewson
6317aa2cc0 Merge branch 'maint-0.3.3' 2018-03-28 07:50:47 -04:00
Nick Mathewson
d4bf1f6c8e Add a paranoia check in string_is_valid_nonrfc_hostname()
The earlier checks in this function should ensure that components is
always nonempty.  But in case somebody messes with them in the
future, let's add an extra check to make sure we aren't crashing.
2018-03-28 07:48:18 -04:00
Nick Mathewson
b504c854d3 Rename string_is_valid_hostname -> string_is_valid_nonrfc_hostname
Per discussion on 25055.
2018-03-28 07:42:27 -04:00
rl1987
09351c34e9 Don't strlen before checking for NULL 2018-03-28 07:39:03 -04:00
rl1987
a28e350cff Tweak loop condition 2018-03-28 07:39:03 -04:00
rl1987
6b6d003f43 Don't explode on NULL or empty string 2018-03-28 07:39:03 -04:00
rl1987
d891010fdd Allow alphanumeric TLDs in test for now 2018-03-28 07:39:03 -04:00
rl1987
ee1fca727c Simplify hostname validation code 2018-03-28 07:39:03 -04:00
rl1987
dbb7c8e6fd Validate hostnames with punycode TLDs correctly 2018-03-28 07:39:03 -04:00
rl1987
4413e52f9e Improve handling of trailing dot 2018-03-28 07:39:03 -04:00
rl1987
db850fec3a Test TLD validation 2018-03-28 07:39:03 -04:00
rl1987
6335db9fce Refrain from including <ctype.h> 2018-03-28 07:39:03 -04:00
rl1987
12afd8bfed Also test bracket-less IPv6 string validation 2018-03-28 07:39:03 -04:00
rl1987
5986589b48 Call strlen() once 2018-03-28 07:39:03 -04:00
rl1987
b0ba4aa7e9 Fix bracketed IPv6 string validation 2018-03-28 07:39:03 -04:00
rl1987
1af016e96e Do not consider IP strings valid DNS names. Fixes #25055 2018-03-28 07:39:03 -04:00
rl1987
0e453929d2 Allow IPv6 address strings to be used as hostnames in SOCKS5 requests 2018-03-28 07:39:03 -04:00
Nick Mathewson
fa6eaab83e Merge branch 'maint-0.3.3' 2018-03-27 18:25:52 -04:00
Nick Mathewson
5acfc30876 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-03-27 18:23:53 -04:00
Taylor Yu
471f28a2a8 Fix CID 1430932
Coverity found a null pointer reference in nodelist_add_microdesc().
This is almost certainly impossible assuming that the routerstatus_t
returned by router_get_consensus_status_by_descriptor_digest() always
corresponds to an entry in the nodelist.  Fixes bug 25629.
2018-03-27 16:11:29 -05:00
Taylor Yu
0c13a84c0d Fix CID 1430932
Coverity found a null pointer reference in nodelist_add_microdesc().
This is almost certainly impossible assuming that the routerstatus_t
returned by router_get_consensus_status_by_descriptor_digest() always
corresponds to an entry in the nodelist.  Fixes bug 25629.
2018-03-27 16:08:39 -05:00
Taylor Yu
4bb7d9fd12 Fix CID 1430932
Coverity found a null pointer reference in nodelist_add_microdesc().
This is almost certainly impossible assuming that the routerstatus_t
returned by router_get_consensus_status_by_descriptor_digest() always
corresponds to an entry in the nodelist.  Fixes bug 25629.
2018-03-27 15:29:00 -05:00
George Kadianakis
ab16f1e2a1 test: Add unittest for the OR connection failure cache
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-03-27 12:43:39 -04:00
David Goulet
f29d158330 relay: Avoid connecting to down relays
If we failed to connect at the TCP level to a relay, note it down and refuse
to connect again for another 60 seconds.

Fixes #24767

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-03-27 12:42:31 -04:00
Nick Mathewson
979c7e5c83 Merge branch 'maint-0.3.3' 2018-03-27 07:05:15 -04:00
Nick Mathewson
46c2b0ca22 Merge branch 'bug25213_033' into maint-0.3.3 2018-03-27 07:04:33 -04:00
Nick Mathewson
0eed0899cd Merge branch 'bug24658-rm-curve25519-header' into bug24658-merge 2018-03-26 20:12:59 -04:00
Nick Mathewson
d96dc2060a Merge branch 'maint-0.3.3' 2018-03-26 19:47:48 -04:00
Nick Mathewson
841ed9dbb9 Merge remote-tracking branch 'dgoulet/bug24904_033_01' into maint-0.3.3 2018-03-26 19:47:44 -04:00
Nick Mathewson
5278d72f97 Merge branch 'maint-0.3.3' 2018-03-26 10:32:53 -04:00
Nick Mathewson
ca2d9cbb93 Merge branch 'bug24903_029' into maint-0.3.3 2018-03-26 10:32:49 -04:00
Nick Mathewson
068d092749 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-03-26 10:29:29 -04:00
Nick Mathewson
b5a6c03998 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-03-26 10:29:29 -04:00
Nick Mathewson
c68bfc556c Merge branch 'maint-0.3.3' 2018-03-26 10:29:29 -04:00
Nick Mathewson
33606405e3 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-03-26 10:29:29 -04:00
Nick Mathewson
969a38a375 Fix a unit test which was broken by the previous commit
This test was expecting Tor to find and use routerinfos, but hadn't
cleared the UseMicrodescriptors flag.  Part of the fix for 25213.
2018-03-26 09:57:39 -04:00
Nick Mathewson
d1874b4339 Make extend_info_from_node() more picky about node contents
This update is needed to make it consistent with the behavior of
node_awaiting_ipv6(), which doesn't believe in the addresses from
routerinfos unless it actually plans to use those routerinfos.

Fixes bug 25213; bugfix on b66b62fb75 in 0.3.3.1-alpha,
which tightened up the definition of node_awaiting_ipv6().
2018-03-26 09:56:12 -04:00
Nick Mathewson
33a80921a2 When extending a circuit's path length, clear onehop_tunnel.
There was a nonfatal assertion in pathbias_should_count that would
trigger if onehop_tunnel was set, but the desired_path_length was
greater than 1.  This patch fixes that.  Fixes bug 24903; bugfix on
0.2.5.2-alpha.
2018-03-26 09:17:50 -04:00
Nick Mathewson
a9fa483004 Document a requirement for cells to be encrypted. 2018-03-24 13:49:44 -04:00
Nick Mathewson
7db4d0c55f Basic unit tests for relay_crypto.c
These tests handle incoming and outgoing cells on a three-hop
circuit, and make sure that the crypto works end-to-end.  They don't
yet test spec conformance, leaky-pipe, or various error cases.
2018-03-24 13:49:08 -04:00
Nick Mathewson
d749f6b5f6 Merge branch 'maint-0.3.3' 2018-03-23 17:49:29 -04:00
Nick Mathewson
eacfd29112 Fix windows compilation warnings in hs_service.c
These were breaking jenkins builds.  Bugfix on 5804ccc9070dc54;
bug not in any released Tor.
2018-03-23 17:47:56 -04:00
Nick Mathewson
bb9012c818 test: more data on geoip load failure. 2018-03-23 11:48:15 -04:00
Nick Mathewson
3519d0c808 Clear all control.c flags on control_free_all()
Fixes bug 25512.
2018-03-23 11:31:56 -04:00
Nick Mathewson
e263317e07 Merge remote-tracking branch 'fristonio/ticket-24740' 2018-03-23 11:22:58 -04:00
Nick Mathewson
11114c7e83 Merge branch 'maint-0.3.3' 2018-03-23 11:19:19 -04:00
Isis Lovecruft
657d5cbbbc tests: Automatically detect Rust crates to test and also pass --verbose.
* FIXES #25560: https://bugs.torproject.org/25560.
2018-03-23 11:13:04 -04:00
David Goulet
236c92a0a7 chan: Use channel_is_client() in channel_do_open_actions()
Make sure we actually only report client channel to the geoip cache instead of
looking if it is a known relay. Looking if it is a known relay can be
unreliable because they come and go from the consensus.

Fixes #24904

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-03-23 10:11:37 -04:00
Isis Lovecruft
fae5254783
hs: Fix two typos in an inline comment.
* FIXES #25602: https://bugs.torproject.org/25602
2018-03-22 22:33:34 +00:00
Nick Mathewson
24abcf9771 Merge branch 'bug25399_squashed' 2018-03-22 08:49:43 -04:00
Alex Xu (Hello71)
946ed24ca5 Do not page-align mmap length. #25399 2018-03-22 08:47:37 -04:00
Nick Mathewson
d9ba7db38b Merge remote-tracking branch 'public/geoip_testing' 2018-03-22 08:43:28 -04:00
Nick Mathewson
f8e53a545a Update tor_log to libc 0.2.39 as well. 2018-03-21 17:14:15 -04:00
Nick Mathewson
4e82441e4c Merge branch 'maint-0.3.3' 2018-03-21 17:10:10 -04:00
Nick Mathewson
2b31387410 Update src/ext/rust to latest master for libc update. 2018-03-21 17:09:59 -04:00
Nick Mathewson
03e787e220 Merge branch 'maint-0.3.3' 2018-03-21 17:05:42 -04:00
Isis Lovecruft
00a473733d maint: Update Rust libc dependency from 0.2.22 to 0.2.39.
Requires the update/libc-0.2.39 branch from
https://github.com/isislovecruft/tor-rust-dependencies to be merged
first.
2018-03-21 17:04:28 -04:00
Nick Mathewson
2c36a02bb1 Merge branch 'maint-0.3.3' 2018-03-20 12:55:46 -04:00
Nick Mathewson
b069979142 Merge branch 'bug25306_032_01_squashed_v2' into maint-0.3.3 2018-03-20 12:54:51 -04:00
David Goulet
5804ccc907 hs-v3: BUG() on missing descriptors during rotation
Because of #25306 for which we are unable to reproduce nor understand how it
is possible, this commit removes the asserts() and BUG() on the missing
descriptors instead when rotating them.

This allows us to log more data on error but also to let tor recover
gracefully instead of dying.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-03-20 12:54:05 -04:00
Nick Mathewson
9f93bcd16d Remove sb_poll check: all poll() calls are ok. 2018-03-20 08:30:21 -04:00
Nick Mathewson
070eda5a21 Add the poll() syscall as permitted by the sandbox
Apparently, sometimes getpwnam will call this.

Fixes bug 25513.
2018-03-20 08:23:44 -04:00
Nick Mathewson
56ae6d8766 Merge branch 'maint-0.3.3' 2018-03-20 07:50:46 -04:00
Alexander Færøy
fd36bd8971 Log information on specific compression backends in the OOM handler.
This patch adds some additional logging to circuits_handle_oom() to give
us more information about which specific compression backend that is
using a certain amount of memory.

See: https://bugs.torproject.org/25372
2018-03-20 07:47:19 -04:00
Nick Mathewson
228b655935 Move rust-specific declarations outside of #else block
These declarations need to exist unconditionally, but they were
trapped inside an "#else /* !(defined(HAVE_SYSLOG_H)) */" block.

Fixes a travis regression caused by 23881; bug not in any released tor.
2018-03-19 19:18:23 -04:00
Nick Mathewson
d8893bc93c Merge remote-tracking branch 'isis/bug23881_r1' 2018-03-19 17:20:37 -04:00
Nick Mathewson
910422e8fa Merge branch 'maint-0.3.2' into maint-0.3.3 2018-03-19 16:59:49 -04:00
Nick Mathewson
3716611fea Merge branch 'maint-0.3.3' 2018-03-19 16:59:49 -04:00
Isis Lovecruft
66d3120634 tests: Fix HS test against max IP lifetime.
* FIXES part of #25450: https://bugs.torproject.org/25450
2018-03-19 16:59:07 -04:00
Isis Lovecruft
1f8bd93ecb
rust: Fix typo in name of logged function. 2018-03-19 19:23:35 +00:00
Isis Lovecruft
547c62840e
rust: Remove #[no_mangle]s on two constants.
These won't/shouldn't ever be called from C, so there's no reason to
preserve naming.
2018-03-19 19:23:34 +00:00
Neel Chauhan
bc5f79b95c Use tor_asprintf for in have_enough_mem_for_dircache()
(Fixes bug 20887)
2018-03-19 12:38:28 -04:00
Nick Mathewson
b0f0c0f550 Merge remote-tracking branch 'fristonio/ticket-6236' 2018-03-19 06:42:10 -04:00
Nick Mathewson
a324cd9020 Merge branch 'ticket25268_034_01' 2018-03-19 06:01:02 -04:00
Nick Mathewson
92c60b572c Merge branch 'maint-0.3.3' 2018-03-19 05:39:56 -04:00
Gisle Vanem
53914f7dae tests: Fix crash on win32 due to uninitialised mutex in bench.c.
Signed-off-by: Isis Lovecruft <isis@torproject.org>
2018-03-19 05:38:19 -04:00
Nick Mathewson
bcea98a4b4 Merge branch 'maint-0.3.3' 2018-03-19 05:36:06 -04:00
Nick Mathewson
296e429ebc Merge branch 'maint-0.3.2' into maint-0.3.3 2018-03-19 05:36:06 -04:00
Nick Mathewson
a0cc7e9492 Merge remote-tracking branch 'isis/bug25450_032' into maint-0.3.2 2018-03-19 05:35:39 -04:00
Nick Mathewson
5ecad6c95d Extract the cryptographic parts of crypt_path_t and or_circuit_t.
Additionally, this change extracts the functions that created and
freed these elements.

These structures had common "forward&reverse stream&digest"
elements, but they were initialized and freed through cpath objects,
and different parts of the code depended on them.  Now all that code
is extacted, and kept in relay_crypto.c
2018-03-17 10:59:15 -04:00
Nick Mathewson
80955be6ec Move relay-crypto functions from relay.[ch] to relay_crypto.[ch]
This should help us improve modularity, and should also make it
easier for people to experiment with other relay crypto strategies
down the road.

This commit is pure function movement.
2018-03-17 10:23:44 -04:00
Nick Mathewson
320dcf65b7 Extract the crypto parts of circuit_package_relay_cell. 2018-03-17 10:16:41 -04:00
Nick Mathewson
2989326054 Rename 'relay_crypt' to 'relay_decrypt_cell'
This function is used upon receiving a cell, and only handles the
decrypting part.  The encryption part is currently handled inside
circuit_package_relay_cell.
2018-03-17 10:05:25 -04:00
Nick Mathewson
becae4c943 Add a test for geoip_load_file(). 2018-03-15 15:21:34 +01:00
Nick Mathewson
1debe57563 On geoip_free_all, reset geoip[6]_digest. 2018-03-15 15:21:23 +01:00
Nick Mathewson
ffb00404b1 Split geoip tests into a separate module. 2018-03-15 15:12:54 +01:00
Nick Mathewson
4e5e973421 Merge remote-tracking branch 'public/restart_reset_bootstrap' 2018-03-14 12:12:37 +01:00
Nick Mathewson
c6d364e8ae Merge branch 'maint-0.3.3' 2018-03-13 10:59:56 -04:00
Nick Mathewson
d60dc27555 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-03-13 10:59:30 -04:00
Nick Mathewson
950606dcc9 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-03-13 10:58:03 -04:00
Nick Mathewson
38b7885c90 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-03-13 10:58:03 -04:00
Nick Mathewson
0e7f15fdb6 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-03-13 10:58:02 -04:00
Nick Mathewson
67a313f0ec Merge branch 'maint-0.2.5' into maint-0.2.9 2018-03-13 10:58:02 -04:00
Karsten Loesing
3418a3a7f0 Update geoip and geoip6 to the March 8 2018 database. 2018-03-13 10:57:49 -04:00
Mike Perry
578aaa7f12 Bug 25505: Check circuitmux queues before padding. 2018-03-13 13:50:35 +00:00
Nick Mathewson
40154c1f9e Merge branch 'maint-0.3.3' 2018-03-13 10:00:58 +01:00
Nick Mathewson
e9dbd6dd8f Update the documentation in tor_api.h 2018-03-13 10:00:41 +01:00
Isis Lovecruft
0545f64d24
test: Increase time limit for IP creation in an HS test.
This should avoid most intermittent test failures on developer and CI machines,
but there could (and probably should) be a more elegant solution.

Also, this test was testing that the IP was created and its expiration time was
set to a time greater than or equal to `now+INTRO_POINT_LIFETIME_MIN_SECONDS+5`:

    /* Time to expire MUST also be in that range. We add 5 seconds because
     * there could be a gap between setting now and the time taken in
     * service_intro_point_new. On ARM, it can be surprisingly slow... */
    tt_u64_op(ip->time_to_expire, OP_GE,
              now + INTRO_POINT_LIFETIME_MIN_SECONDS + 5);

However, this appears to be a typo, since, according to the comment above it,
adding five seconds was done because the IP creation can be slow on some
systems.  But the five seconds is added to the *minimum* time we're comparing
against, and so it actually functions to make this test *more* likely to fail on
slower systems.  (It should either subtract five seconds, or instead add it to
time_to_expire.)

 * FIXES #25450: https://bugs.torproject.org/25450
2018-03-08 20:50:50 +00:00
Caio Valente
8775c93a99 Refactor: suppress duplicated functions from router.c and encapsulate NODE_DESC_BUF_LEN constant.
Also encapsulates format_node_description().

Closes ticket 25432.
2018-03-06 20:42:32 +01:00
Deepesh Pathak
930b985581
Fix redundant authority certificate fetch
- Fixes #24740
- Fetch certificates only in those cases when consensus are waiting for certs.
2018-03-04 21:13:58 +05:30
Nick Mathewson
699bb803ba Fix a crash bug when testing reachability
Fixes bug 25415; bugfix on 0.3.3.2-alpha.
2018-03-04 10:31:17 -05:00
Nick Mathewson
df9d2de441 Merge remote-tracking branch 'fristonio/ticket4187' 2018-03-03 12:02:30 -05:00
Nick Mathewson
338dbdab93 Merge branch 'maint-0.3.3' 2018-03-03 11:59:27 -05:00
Alexander Færøy
59a7b00384 Update tor.1.txt with the currently available log domains.
See: https://bugs.torproject.org/25378
2018-03-03 11:58:14 -05:00
Nick Mathewson
62482ea279 Merge branch 'maint-0.3.3' 2018-03-03 11:53:05 -05:00
Nick Mathewson
cc7de9ce1d Merge branch 'ticket23814' into maint-0.3.3 2018-03-03 11:53:01 -05:00
Nick Mathewson
aec505a310 bump to 0.3.3.3-alpha-dev 2018-03-03 11:33:56 -05:00
Nick Mathewson
0026d1a673 bump version to 0.3.2.10-dev 2018-03-03 11:33:27 -05:00
Nick Mathewson
0aa794d309 version bump to 0.3.1.10-dev 2018-03-03 11:32:51 -05:00
Nick Mathewson
9eb6f9d3c8 Bump version to 0.2.9.15-dev 2018-03-03 11:32:16 -05:00
Alex Xu (Hello71)
45d3b5fa4c Remove uncompilable tor_mmap_file fallback. #25398 2018-03-02 09:51:53 -05:00
Nick Mathewson
15f6201a5b increment to 0.3.3.3-alpha 2018-03-01 16:44:07 -05:00
Nick Mathewson
1ec386561e version bump to 0.3.2.10 2018-03-01 16:43:35 -05:00
Nick Mathewson
c527a8a9c9 Update to 0.3.1.10 2018-03-01 16:43:01 -05:00
Nick Mathewson
35753c0774 version bump to 0.2.9.15 2018-03-01 16:42:17 -05:00
Nick Mathewson
d22963938f Merge branch 'maint-0.3.3' 2018-03-01 16:10:47 -05:00
Nick Mathewson
f7eff2f8c5 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-03-01 16:10:43 -05:00
Nick Mathewson
d01abb9346 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-03-01 16:07:59 -05:00
Nick Mathewson
d4a758e083 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-03-01 16:07:59 -05:00
Nick Mathewson
c1bb8836ff Protover tests: disable some obsoleted tests
These were meant to demonstrate old behavior, or old rust behavior.

One of them _should_ work in Rust, but won't because of
implementation details.  We'll fix that up later.
2018-03-01 16:05:17 -05:00
Nick Mathewson
c5295cc1be Spec conformance on protover: always reject ranges where lo>hi 2018-03-01 16:05:17 -05:00
Nick Mathewson
1fe0bae508 Forbid UINT32_MAX as a protocol version
The C code and the rust code had different separate integer overflow
bugs here.  That suggests that we're better off just forbidding this
pathological case.

Also, add tests for expected behavior on receiving a bad protocol
list in a consensus.

Fixes another part of 25249.
2018-03-01 16:05:17 -05:00
Nick Mathewson
8b405c609e Forbid "-0" as a protocol version.
Fixes part of 24249; bugfix on 0.2.9.4-alpha.
2018-03-01 16:05:17 -05:00
Nick Mathewson
0953c43c95 Add more of Teor's protover tests.
These are as Teor wrote them; I've disabled the ones that don't pass
yet, with XXXX comments.
2018-03-01 16:05:17 -05:00
Nick Mathewson
d3a1bdbf56 Add some protover vote round-trip tests from Teor.
I've refactored these to be a separate function, to avoid tricky
merge conflicts.

Some of these are disabled with "XXXX" comments; they should get
fixed moving forward.
2018-03-01 16:05:17 -05:00
Nick Mathewson
a83650852d Add another NULL-pointer fix for protover.c.
This one can only be exploited if you can generate a correctly
signed consensus, so it's not as bad as 25074.

Fixes bug 25251; also tracked as TROVE-2018-004.
2018-03-01 16:05:17 -05:00
Nick Mathewson
65f2eec694 Correctly handle NULL returns from parse_protocol_list when voting.
In some cases we had checked for it, but in others we had not.  One
of these cases could have been used to remotely cause
denial-of-service against directory authorities while they attempted
to vote.

Fixes TROVE-2018-001.
2018-03-01 16:05:17 -05:00
Isis Lovecruft
167da4bc81
rust: Remove extra whitespace from a static log/error message. 2018-02-27 20:43:54 +00:00
Deepesh Pathak
130e2ffad7
Remove duplicate code between parse_{c,s}method in transport.c
- Merged common code in function parse_{c,s}method to a single function
- Removed duplicate code in transport.c
- Fixes #6236
2018-02-24 20:27:08 +05:30
Nick Mathewson
fc22bcadb5 Revert 4438ef32's changes to test_address.c
Apparently some versions of the mac sdk care about the ordering of
net/if.h wrt other headers.

Fixes bug 25319; bug not in any released tor.
2018-02-21 09:36:37 -05:00
Isis Lovecruft
7759ac8df2
crypto: Remove crypto_rsa.h from crypto_digest.c.
* ADD include for "crypto_openssl_mgt.h" so that we have OpenSSL
   defined SHA* types and functions.
 * FIXES part of #24658: https://bugs.torproject.org/24658#comment:30
2018-02-20 20:29:54 +00:00
Isis Lovecruft
3e9140e79a
crypto: Remove unnecessary curve25519 header from crypto_digest.h.
* ADD includes for "torint.h" and "container.h" to crypto_digest.h.
 * ADD includes for "crypto_digest.h" to a couple places in which
   crypto_digest_t was then missing.
 * FIXES part of #24658: https://bugs.torproject.org/24658#comment:30
2018-02-20 20:29:54 +00:00
Nick Mathewson
4438ef3288 Remove a bunch of other redundant #includes
Folks have found two in the past week or so; we may as well fix the
others.

Found with:

\#!/usr/bin/python3
import re

def findMulti(fname):
    includes = set()
    with open(fname) as f:
        for line in f:
            m = re.match(r'^\s*#\s*include\s+["<](\S+)[>"]', line)
            if m:
                inc = m.group(1)
                if inc in includes:
                    print("{}: {}".format(fname, inc))
                includes.add(m.group(1))

import sys
for fname in sys.argv[1:]:
    findMulti(fname)
2018-02-20 10:14:15 -05:00
Nick Mathewson
a4ab273a0d Merge remote-tracking branch 'fristonio/ticket-25261' 2018-02-20 10:03:52 -05:00
Nick Mathewson
5199b9b337 Use autoconf to check for optional zstd functionality.
Fixes a bug in our zstd-static code.  Bug not in any released
version of Tor.
2018-02-18 16:19:43 -05:00
Fernando Fernandez Mancera
0fad49e1c4 Move crypto_pk_obsolete_* functions into RSA module.
We moved the crypto_pk_obselete_* functions into crypto_rsa.[ch] because they fit
better with the RSA module.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-16 18:23:21 +01:00
Fernando Fernandez Mancera
541b6b2433 Remove useless included files in crypto_rsa.[ch].
Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-16 17:49:58 +01:00
Nick Mathewson
bd71e0a0c8 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-16 09:54:13 -05:00
Nick Mathewson
2bcd264a28 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-16 09:48:11 -05:00
Nick Mathewson
cb92d47dec Merge remote-tracking branch 'dgoulet/ticket24902_029_05' into maint-0.2.9 2018-02-16 09:41:06 -05:00
Nick Mathewson
bbc73c5d1c Whoops. 256 was not big enough. 2018-02-16 09:40:29 -05:00
Nick Mathewson
a34fc1dad2 Allow checkpointing of non-sha1 digests.
This is necessary because apparently v3 rendezvous cpath hops use
sha3, which I had forgotten.

Bugfix on master; bug not in any released Tor.
2018-02-16 09:25:50 -05:00
Roger Dingledine
d21e5cfc24 stop calling channel_mark_client in response to a create_fast
since all it does is produce false positives

this commit should get merged into 0.2.9 and 0.3.0 *and* 0.3.1, even
though the code in the previous commit is already present in 0.3.1. sorry
for the mess.

[Cherry-picked]
2018-02-16 08:46:57 -05:00
Roger Dingledine
2b99350ca4 stop calling channel_mark_client in response to a create_fast
since all it does is produce false positives

this commit should get merged into 0.2.9 and 0.3.0 *and* 0.3.1, even
though the code in the previous commit is already present in 0.3.1. sorry
for the mess.
2018-02-16 08:46:31 -05:00
Roger Dingledine
8d5dcdbda2 backport to make channel_is_client() accurate
This commit takes a piece of commit af8cadf3a9 and a piece of commit
46fe353f25, with the goal of making channel_is_client() be based on what
sort of connection handshake the other side used, rather than seeing
whether the other side ever sent a create_fast cell to us.
2018-02-16 08:39:10 -05:00
Neel Chauhan
c2fa743806 Remove the return value of node_get_prim_orport() and node_get_prim_dirport() 2018-02-16 08:20:33 -05:00
Nick Mathewson
200fc8c640 Compilation workaround for windows, which lacks O_SYNC
Bug not in any released Tor.
2018-02-16 08:16:12 -05:00
Nick Mathewson
5a9ada342f tor_zstd_format_version shouldn't be built when !HAVE_ZSTD
Fixes bug 25276; bugfix not in any released Tor.
2018-02-16 08:06:01 -05:00
Fernando Fernandez Mancera
f9f0dd5b9a Move the pk-digest functions into crypto_rsa.[ch].
We moved the crypto_pk_* digest functions into crypto_rsa.[ch] because they fit
better with the RSA module.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-16 12:04:22 +01:00
Nick Mathewson
b56fd17d00 Merge branch 'maint-0.3.3' 2018-02-15 21:05:12 -05:00
Nick Mathewson
d662d4470a Merge remote-tracking branch 'dgoulet/ticket24343_033_01' into maint-0.3.3 2018-02-15 21:05:08 -05:00
Nick Mathewson
d9804691df Merge remote-tracking branch 'ffmancera-1/bug18918' 2018-02-15 21:00:10 -05:00
Nick Mathewson
92a42f795c Merge branch 'bug23909' 2018-02-15 20:56:23 -05:00
Nick Mathewson
8da6bfa5de Merge branch 'bug24914' 2018-02-15 20:53:50 -05:00
Nick Mathewson
4d994e7a9c Fix a stack-protector warning: don't use a variable-length buffer
Instead, define a maximum size, and enforce it with an assertion.
2018-02-15 20:52:01 -05:00
Nick Mathewson
ed1d630f0e Merge branch 'onion_ntor_malloc_less' 2018-02-15 20:40:03 -05:00
Nick Mathewson
28c3f538e5 Documentation fixes suggested by catalyst. 2018-02-15 20:38:08 -05:00
Nick Mathewson
bda1dfb9e0 Merge remote-tracking branch 'isis/bug25185' 2018-02-15 20:35:30 -05:00
Nick Mathewson
acb7a536c2 Merge branch 'maint-0.3.3' 2018-02-15 20:33:00 -05:00
Nick Mathewson
799c82be70 Merge remote-tracking branch 'isis/bug25171' into maint-0.3.3 2018-02-15 20:32:57 -05:00
Nick Mathewson
a1dd8afc16 Merge branch '25162_zstd_static' 2018-02-15 20:28:07 -05:00
Nick Mathewson
066a15af63 This stats_n_seconds_working variable needs to be static now.
(When a variable isn't going to be declared extern in the header, we
require that it be static.)
2018-02-15 20:26:09 -05:00
Nick Mathewson
3ca04aada2 Merge remote-tracking branch 'valentecaio/t-25081' 2018-02-15 20:23:23 -05:00
Nick Mathewson
3d7bf98d13 Merge remote-tracking branch 'valentecaio/t-24714' 2018-02-15 20:19:53 -05:00
Isis Lovecruft
5f7d78ce2a
tests: Remove duplicate included header file in src/test/test.c.
* FIXES #25271: https://bugs.torproject.org/25271
2018-02-16 01:19:12 +00:00
Nick Mathewson
3c8a481599 Merge branch 'bug18105' 2018-02-15 20:17:31 -05:00
Nick Mathewson
3e2b48f8b4 Merge branch 'bug24484_squashed' 2018-02-15 20:13:53 -05:00
Nick Mathewson
4dc228e35b Remove workaround code for systems where free(NULL) is busted.
Add an autoconf test to make sure we won't regret it.

Closes ticket 24484.
2018-02-15 20:13:44 -05:00
Nick Mathewson
cfff582e4d Bump version in master to 0.3.4.0-alpha-dev 2018-02-15 20:11:25 -05:00
Nick Mathewson
5af03c1ef3 rust protover: match the C implementation on empty-str cases
Empty versions lists are permitted; empty keywords are not.
2018-02-15 19:08:52 -05:00
Nick Mathewson
b58a2febe3 Forbid u32::MAX as a protover range element in rust
Part of the 25249 fix to make rust match the C.
2018-02-15 19:07:38 -05:00
Nick Mathewson
f69510ba4b Rust protover compat: forbid more than MAX_VERSIONS_TO_EXPAND in a range
Also correct MAX_VERSIONS_TO_EXPAND to match the C.

NOTE that this patch leads to incorrect behavior: the C code allows
huge ranges; it just doesn't allow votes on them (currently).  For
full compatibility, we'll need to make the rust code store ranges as
ranges natively, possibly using something like the range_map crate.

Still, this patch is smaller than a "proper" fix.

Fixes TROVE-2018-003.
2018-02-15 19:07:25 -05:00
David Goulet
779eded6bb man: Update the CircuitPriorityHalflife entry
The behavior has changed slightly in the previous commits.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 14:54:48 -05:00
David Goulet
e19cd38f08 cmux: Always use the cmux policy
Remove the checks on cmux->policy since it should always be set.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 14:54:24 -05:00
David Goulet
c235c32bbc cmux: Remove round-robin circuit policy
Since 0.2.4, tor uses EWMA circuit policy to prioritize. The previous
algorithm, round-robin, hasn't been used since then but was still used as a
fallback.

Now that EWMA is mandatory, remove that code entirely and enforce a cmux
policy to be set.

This is part of a circuitmux cleanup to improve performance and reduce
complexity in the code. We'll be able to address future optimization with this
work.

Closes #25268

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 14:36:39 -05:00
David Goulet
9d68647ba3 cmux: Remove PARANOIA assert functions
The reason to do so is because these functions haven't been used in years so
since 0.2.4, every callsite is NOP.

In future commits, we'll remove the round robin circuit policy which is mostly
validated within those function.

This simplifies the code greatly and remove dead code for which we never had a
configure option in the first place nor an easy way to use them in production.

Part of #25268

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 14:02:09 -05:00
David Goulet
9af5b625e8 cmux: Rename cell_ewma_set_scale_factor()
It is rename to something more meaningful that explains what it does exactly
which is sets the EWMA options (currently only one exists). The new name is
cmux_ewma_set_options().

Also, remove a public function from circuitmux_ewma.h that is only used in the
C file. Make it static inline as well.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 13:51:34 -05:00
David Goulet
6b1dba214d cmux: Make EWMA policy mandatory
To achieve this, a default value for the CircuitPriorityHalflife option was
needed. We still look in the options and then the consensus but in case no
value can be found, the default CircuitPriorityHalflifeMsec=30000 is used. It
it the value we've been using since 0.2.4.4-alpha.

This means that EWMA, our only policy, can not be disabled anymore fallbacking
to the round robin algorithm. Unneeded code to control that is removed in this
commit.

Part of #25268

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-15 13:45:21 -05:00
Deepesh Pathak
3553383312
ticket 25261: Removed multiple includes of transports.h in connection.c 2018-02-15 22:28:34 +05:30
Nick Mathewson
f6a230ec95 Merge remote-tracking branch 'mikeperry/bug24769' 2018-02-14 10:03:14 -05:00
Nick Mathewson
9e566f3a72 Merge branch 'tests_rust' 2018-02-13 18:12:01 -05:00
Nick Mathewson
86f461e362 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-13 15:00:43 -05:00
David Goulet
b60ffc5ce0 Merge remote-tracking branch 'dgoulet/bug25223_029_01' into ticket24902_029_05 2018-02-13 13:11:10 -05:00
David Goulet
305e39d0f8 dos: Add extra safety asserts in cc_stats_refill_bucket()
Never allow the function to set a bucket value above the allowed circuit
burst.

Closes #25202

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-13 10:41:21 -05:00
David Goulet
4fe4f8179f dos: Don't set consensus param if we aren't a public relay
We had this safeguard around dos_init() but not when the consensus changes
which can modify consensus parameters and possibly enable the DoS mitigation
even if tor wasn't a public relay.

Fixes #25223

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-13 10:35:41 -05:00
Nick Mathewson
b062730a11 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-13 08:50:59 -05:00
Nick Mathewson
17a923941a Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-13 08:50:58 -05:00
David Goulet
e658dad625 dirserv: Improve returned message when relay is rejected
Explicitly inform the operator of the rejected relay to set a valid email
address in the ContactInfo field and contact bad-relays@ mailing list.

Fixes #25170

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-13 08:47:42 -05:00
Nick Mathewson
ef164346d4 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-13 08:47:06 -05:00
Nick Mathewson
1555946e20 Have tor_addr hashes return a randomized hash for AF_UNSPEC.
We don't expect this to come up very much, but we may as well make
sure that the value isn't predictable (as we do for the other
addresses) in case the issue ever comes up.

Spotted by teor.
2018-02-12 11:14:36 -05:00
Nick Mathewson
99fbbc6c47 Fix a typo in an address_set.c comment. 2018-02-12 11:14:34 -05:00
Nick Mathewson
91109bc813 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-12 08:33:47 -05:00
Nick Mathewson
e91bae66d8 Merge branch 'bug23318-redux_029' into maint-0.2.9 2018-02-12 08:33:03 -05:00
Fernando Fernandez Mancera
3dd2c1d022 Tweaks into router_should_be_dirserver() log msg.
Fixed log message that has been changed in commit 5ea993fa5a.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-12 12:30:52 +01:00
Nick Mathewson
b2c4d4e7fa Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-11 18:11:04 -05:00
Nick Mathewson
84c13336c4 Merge remote-tracking branch 'public/bug24198_029' into maint-0.2.9 2018-02-11 18:10:59 -05:00
Nick Mathewson
8939eaf479 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-11 18:09:35 -05:00
Nick Mathewson
848ba26c18 Merge branch 'ticket24315_029' into maint-0.2.9 2018-02-11 18:07:37 -05:00
Nick Mathewson
684d57fe8a Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-11 17:00:52 -05:00
Nick Mathewson
eccef6ba60 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-11 16:51:56 -05:00
Nick Mathewson
5dc785ceef Merge remote-tracking branch 'public/bug21074_029' into maint-0.2.9 2018-02-11 16:51:53 -05:00
Nick Mathewson
a75ae628c7 Merge remote-tracking branch 'isis/bug25127_redux' 2018-02-11 16:17:41 -05:00
Nick Mathewson
7aa94f7441 fix compilation. 2018-02-11 16:16:58 -05:00
Nick Mathewson
627974b02e Merge branch 'bug25120' 2018-02-11 16:10:58 -05:00
Alexander Færøy
14c47a0b5c Lower log-level in different error conditions in entropy selection.
This patch lowers the log-level from warning to info in the cases where
we are going to attempt another method as entropy source to hopefully
make the user feel less concerned.

See: https://bugs.torproject.org/25120
2018-02-11 16:10:50 -05:00
Nick Mathewson
4de20d1754 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-10 16:09:01 -05:00
Nick Mathewson
1df701c082 Merge branch 'maint-0.3.2' 2018-02-10 16:09:01 -05:00
Nick Mathewson
86583ad78e Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-10 16:09:00 -05:00
Nick Mathewson
320dac4602 Merge branch 'bug24978_029_enable' into maint-0.2.9 2018-02-10 16:08:58 -05:00
Nick Mathewson
791ceb2028 Bump version to 0.3.3.2-alpha-dev 2018-02-10 10:41:23 -05:00
Isis Lovecruft
a4797a7e62
rust: Remove now unused byte_slice_is_c_like() utility. 2018-02-10 02:31:07 +00:00
Isis Lovecruft
081e99c16f
rust: Remove empty_static_cstr() in favour of new cstr!() macro. 2018-02-10 02:19:18 +00:00
Isis Lovecruft
6c77593a57
rust: Use tor_util::strings utils for protover_compute_for_old_tor. 2018-02-10 02:18:55 +00:00
Isis Lovecruft
3c4e006e7e
rust: Use tor_util::strings utils for protover_get_supported_protocols. 2018-02-10 02:15:06 +00:00
Isis Lovecruft
8fff331bb0
rust: Add macro for passing static borrowed strings from Rust to C.
* ADD a new macro, tor_util::string::cstr!() which takes Rust strings,
   concatenates them together, appends a NUL byte, and converts it into a
   std::ffi::CStr for handing to C.
2018-02-10 02:15:06 +00:00
Isis Lovecruft
45c59eff6c
rust: Replace two unwrap()s in FFI code with unwrap_or()s. 2018-02-10 01:21:31 +00:00
Nick Mathewson
9e0d468498 Bump to 0.3.3.2-alpha 2018-02-09 17:25:58 -05:00
Roger Dingledine
99666dc6c4 whitespace and typo cleanups 2018-02-09 17:05:20 -05:00
Nick Mathewson
abdf2a6f7f Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-09 12:08:12 -05:00
David Goulet
1a4fc9cddf test: DoS test to make sure we exclude known relays
Part of #25193

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-09 11:31:01 -05:00
David Goulet
666582a679 dos: Exclude known relays from client connection count
This is to avoid positively identifying Exit relays if tor client connection
comes from them that is reentering the network.

One thing to note is that this is done only in the DoS subsystem but we'll
still add it to the geoip cache as a "client" seen. This is done that way so
to avoid as much as possible changing the current behavior of the geoip client
cache since this is being backported.

Closes #25193

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-09 11:13:04 -05:00
Nick Mathewson
549a450f52 Add a "make test-rust" target to run the rust tests only. 2018-02-08 17:51:57 -05:00
Nick Mathewson
d9826b0a30 Merge remote-tracking branch 'frewsxcv/frewsxcv-protover' 2018-02-08 17:45:17 -05:00
Nick Mathewson
af049657eb Stop claiming that compute_for_old_tor() returns pairs 2018-02-08 17:36:08 -05:00
Nick Mathewson
d8307cb0e9 Remove new unsafe {} use.
Rationale: this helps for performance only, but we don't actually
have any reason to think that the checks here are
performance-critical.  Let's not normalize the use of unsafe {}.
2018-02-08 17:29:50 -05:00
Nick Mathewson
8d142e2322 Merge remote-tracking branch 'isis/bug25127' 2018-02-08 17:16:14 -05:00
David Goulet
112638921b Merge branch 'ticket25183_029_01' into ticket24902_029_05 2018-02-08 16:56:21 -05:00
David Goulet
a445327b80 test: Add unit tests for addressset.c
This also adds one that tests the integration with the nodelist.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-08 16:56:05 -05:00
Nick Mathewson
6892d32921 Add an address_set to the nodelist.
This set is rebuilt whenever a consensus arrives.  In between
consensuses, it is add-only.
2018-02-08 14:40:05 -05:00
Nick Mathewson
0640da4269 Function to add an ipv4 address to an address_set
This is a convenience function, so callers don't need to wrap
the IPv4 address.
2018-02-08 14:38:14 -05:00
Nick Mathewson
46bd2aed91 Add an address-set backend using a bloom filter.
We're going to need this to make our anti-DoS code (see 24902) more
robust.
2018-02-08 14:38:11 -05:00
Nick Mathewson
84bc75b2e7 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-08 10:29:06 -05:00
Nick Mathewson
cce76fbbe2 Merge branch 'maint-0.3.2' 2018-02-08 10:29:06 -05:00
Nick Mathewson
04a8e81fa9 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-02-08 10:29:05 -05:00
Nick Mathewson
0ddc2dc531 Merge branch 'maint-0.2.5' into maint-0.2.9 2018-02-08 10:29:05 -05:00
David Goulet
211fe44e07 dirserv: Improve returned message when relay is rejected
Explicitly inform the operator of the rejected relay to set a valid email
address in the ContactInfo field and contact bad-relays@ mailing list.

Fixes #25170

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-08 09:42:26 -05:00
Karsten Loesing
f1278b7e57 Update geoip and geoip6 to the February 7 2018 database. 2018-02-08 10:32:41 +01:00
Isis Lovecruft
b85436c596
protover: Fix memleak in Rust impl of protover_compute_for_old_tor.
* FIXES #25127: https://bugs.torproject.org/25127
 * ADDS a new module to the Rust tor_util crate for small utilities
   for working with static strings between languages.
 * CHANGES the return type of protover_compute_for_old_tor to point to
   immutable data.
 * CHANGES the code from the previous commit to use the new static
   string utilities.
2018-02-07 22:51:58 +00:00
David Goulet
652d3a5b66 Remove anything related to the old SocksSockets option
At this commit, the SocksSocketsGroupWritable option is renamed to
UnixSocksGroupWritable. A deprecated warning is triggered if the old option is
used and tor will use it properly.

Fixes #24343

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-07 14:05:33 -05:00
Roger Dingledine
bf91da75ab remove blank line between function-comment and function
also be more consistent about punctuation in doxygen comments
2018-02-07 12:51:05 -05:00
Nick Mathewson
12b58ba551 Merge remote-tracking branch 'dgoulet/ticket25163_033_01' 2018-02-07 12:46:27 -05:00
Roger Dingledine
a7440d9c9d more fixes for typos, grammar, whitespace, etc
some of these ought to have been noticed by the "misspell" tool,
so if anybody is debugging it, here are some bug reports :)
2018-02-07 12:22:29 -05:00
Nick Mathewson
78382d557a Merge remote-tracking branch 'dgoulet/bug25113_029_01' 2018-02-07 11:33:14 -05:00
David Goulet
fe3dfe7e38 test: Bump to 10 msec gap in the monotonic test
On slow system, 1 msec between one read and the other was too tight. For
instance, it failed on armel with a 4msec gap:

  https://buildd.debian.org/status/package.php?p=tor&suite=experimental

Increase to 10 msec for now to address slow system. It is important that we
keep this OP_LE test in so we make sure the msec/usec/nsec read aren't
desynchronized by huge gaps. We'll adjust again if we ever encounter a system
that goes slower than 10 msec between calls.

Fixes #25113

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-07 10:50:52 -05:00
Nick Mathewson
86498e5aa5 Fix wide lines from typo-fix patch. 2018-02-07 10:46:05 -05:00
Deepesh Pathak
ca6682f3f8 Fix spelling mistakes corresponding to ticket #23650 2018-02-07 10:41:57 -05:00
George Kadianakis
13f5adc86c Improve doc of primary_guards_up_to_date. 2018-02-07 11:46:30 +02:00
David Goulet
93ebcc2b8f rephist: Stop tracking relay connection status
Remove a series of connection counters that were only used when dumping the
rephist statistics with SIGUSR1 signal.

This reduces the or_history_t structure size.

Closes #25163

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-06 12:56:36 -05:00
David Goulet
199bc37290 rephist: Stop tracking EXTEND attempts
This removes the code that tracks the extend attemps a client makes. We don't
use it and it was only used to provide statistics on a SIGUSR1 from the
rephist dump stats function.

Part of #25163

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-06 12:43:55 -05:00
Nick Mathewson
6961609a1c Merge remote-tracking branch 'dgoulet/bug25116_029_01' 2018-02-06 12:13:41 -05:00
Nick Mathewson
a03488954c Add configure option to control ZSTD_STATIC_LINKING_ONLY 2018-02-06 11:58:05 -05:00
Nick Mathewson
87db5a6b75 Merge remote-tracking branch 'arma/bug22212' 2018-02-06 11:36:13 -05:00
Nick Mathewson
a77a366b87 Warn on zstd header/library version mismatch
If we're going to potentially degrade performance in this case, we
may as well tell people so.
2018-02-06 11:05:07 -05:00
Nick Mathewson
f98cb5d355 Use "static-only" zstd functions to estimate memory usage.
These should provide better and more accurate results when we can
use them; we fall back to the old approach when we can't.
2018-02-06 11:05:07 -05:00
Nick Mathewson
7cb954209d Make zstd unit tests try running with static-only fns disabled
Since we're making it so that unstable zstd apis can be disabled,
we need to test them.  I do this by adding a variant setup/cleanup
function for the tests, and teaching it about a fake compression
method called "x-zstd:nostatic".
2018-02-06 11:05:07 -05:00
Nick Mathewson
358b609e9d Enable (safe) use of zstd static-only APIs
We'll only use these when the compile-time version and the run-time
version of the zstd library match.  Part of ticket 25162.
2018-02-06 11:05:07 -05:00
Nick Mathewson
22a5d3dd2a remove a redundant semicolon 2018-02-06 08:13:11 -05:00
Isis Lovecruft
7ea9e080c5
protover: Fix memleak in Rust implementation.
* FIXES #25127: https://bugs.torproject.org/25127.
2018-02-06 02:56:16 +00:00
Nick Mathewson
b5a8fd1566 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-05 14:00:50 -05:00
David Goulet
7ce8d5513b Make circuit_log_ancient_one_hop_circuits() ignore established service rendezvous
Services can keep rendezvous circuits for a while so don't log them if tor is
a single onion service.

Fixes #25116

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-05 13:46:43 -05:00
David Goulet
f08fa97460 geoip: Make geoip_client_cache_total_allocation() return the counter
The HT_FOREACH() is insanely heavy on the CPU and this is part of the fast
path so make it return the nice memory size counter we added in
4d812e29b9.

Fixes #25148

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-05 13:38:55 -05:00
Nick Mathewson
e3d4154486 Avoid a malloc/free pair for each (server-side) ntor handshake
Closes ticket 25150
2018-02-05 11:53:33 -05:00
Nick Mathewson
f0d7905bc9 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-05 11:38:58 -05:00
Fernando Fernandez Mancera
60b8e088c3 Add crypto_digest.[ch] to include.am
Included crypto_digest.[ch] into include.am in order to solve a compiling
issue. Also EOF line in crypto_digest.c added.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-03 17:13:04 +01:00
Fernando Fernandez Mancera
61c7ec29f1 Include crypto_digest.h in order to solve dependency issues.
Included crypto_digest.h in some files in order to solve xof+digest module
dependency issues. Removed crypto.h where it isn't needed anymore.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-03 17:04:36 +01:00
Fernando Fernandez Mancera
202d27af71 Add xof functions into crypto_digest.[ch]
Added xof functions and operations into xof+digest module.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-03 17:04:29 +01:00
Fernando Fernandez Mancera
f8b1493681 Refactor crypto.[ch] into smaller xof+digest module.
Add two new files (crypto_digest.c, crypto_digest.h) as new module of
crypto.[ch].  This new module includes all functions and dependencies related
to digest and xof operations. Those have been removed from crypto.[ch].

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-03 15:27:55 +01:00
Deepesh Pathak
1c8f55310f
Rename a verified unverified-consensus to cached-consensus on the disk
- Fixes ticket #4187
- Change the name of a unverified-*consensus to cached-*consensus
on disk when it has been verified.
2018-02-03 06:45:52 +05:30
Nick Mathewson
953c769a86 fuzz: Move init_protocol_warning_severity_level() into global_init()
This is needed so llvm_fuzz will see it too.
2018-02-02 17:42:23 -05:00
David Goulet
78d6cb5870 dos: We can put less token than the current amount
Becasue the circuit creation burst and rate can change at runtime it is
possible that between two refill of a bucket, we end up setting the bucket
value to less than there currently is.

Fixes #25128

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-02 17:04:12 -05:00
Nick Mathewson
3bed8fdb91 Use tt_u64_op() for uint64_t inputs. 2018-02-02 15:23:55 -05:00
Nick Mathewson
eafa252b26 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-02-02 15:00:35 -05:00
David Goulet
475218c108 Merge branch 'ticket25122_029_02' into ticket24902_029_05 2018-02-02 14:55:01 -05:00
David Goulet
e758d659a0 geoip: Add clientmap_entry_new() function
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-02 14:48:41 -05:00
David Goulet
4d812e29b9 geoip: Increment and decrement functions for the geoip client cache
These functions protect againts over and underflow. They BUG() in case we
overflow the counter.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-02 14:48:41 -05:00
David Goulet
51839f4765 geoip: Hook the client history cache into the OOM handler
If the cache is using 20% of our maximum allowed memory, clean 10% of it. Same
behavior as the HS descriptor cache.

Closes #25122

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-02 14:48:41 -05:00
Nick Mathewson
9e48338a12 Merge branch 'maint-0.3.2' 2018-02-02 12:03:54 -05:00
David Goulet
005e228f80 sched: When releasing a channel, do not BUG() if absent from the pending list
The current code flow makes it that we can release a channel in a PENDING
state but not in the pending list. This happens while the channel is being
processed in the scheduler loop.

Fixes #25125

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-02 12:03:27 -05:00
David Goulet
d40a4e46b6 test: KIST Scheduler unit tests to test the pending list state
This tests many cases of the KIST scheduler with the pending list state by
calling entry point in the scheduler while channels are scheduled or not.

Also, it adds a test for the bug #24700.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-01 17:05:04 -05:00
Nick Mathewson
77634795b0 Merge remote-tracking branch 'dgoulet/bug24700_032_01' into maint-0.3.2 2018-02-01 16:57:57 -05:00
David Goulet
e1a40535ea Merge branch 'bug24700_032_01' into bug24700_033_01 2018-02-01 16:39:04 -05:00
Nick Mathewson
cb5654f300 sched: Use the sched_heap_idx field to double-check our fix for 24700.
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-02-01 16:00:59 -05:00
Alexander Færøy
a2990081d5
Slightly different wording for error cases around entropy source selection.
This patch makes the wording around error cases for selecting an entropy
source in Tor slightly more verbose. We also let the user know when
something goes wrong that we are trying out a fallback method instead.

See: https://bugs.torproject.org/25120
2018-02-01 21:32:32 +01:00
Nick Mathewson
5516d22a26 Merge remote-tracking branch 'teor/bug25070' 2018-02-01 15:28:25 -05:00
Nick Mathewson
31542cc306 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-02-01 15:28:17 -05:00
Nick Mathewson
9773cd0f94 Merge branch 'maint-0.3.2' 2018-02-01 15:28:17 -05:00
Nick Mathewson
9cbc40e376 Merge remote-tracking branch 'teor/bug25070_031' into maint-0.3.1 2018-02-01 15:28:11 -05:00
Nick Mathewson
51377a917e Merge branch 'bug24658-rsa_squashed' 2018-02-01 12:10:07 -05:00
Fernando Fernandez Mancera
bdaf7ebc26 Add crypto_rsa.[ch] to include.am
Included crypto_rsa.[ch] into include.am in order to resolve a compiling issue.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-01 12:09:36 -05:00
Fernando Fernandez Mancera
3812319bb1 Tweaks into functions and variables in crypto_rsa.[ch]
crypto_get_rsa_padding_overhead() and crypto_get_rsa_padding() are
not static inline anymore in order to split the crypto_rsa module
from crypto.[ch].

Also included necessary modules in order to solve dependency issues.

Also made two functions in crypto.c use crypto_pk_asn1_encdoe()
instead of reaching into the crypto_pk_t struct.
2018-02-01 12:08:54 -05:00
Fernando Fernandez Mancera
44a9ed7df2 Remove commented functions in crypto module.
OpenSSL never uses these callbacks anymore so the code is disabled.

Fixes #25097.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-02-01 16:42:30 +01:00
Nick Mathewson
c2757c3774 Remove nodelist_recompute_all_hsdir_indices() as unused.
Closes 25108.
2018-02-01 08:44:47 -05:00
Nick Mathewson
ea8e9f17f5 Revert "Change the sandbox behavior on all failed opens() to EACCES"
This reverts commit 9a06282546.

It appears that I misunderstood how the seccomp2 filter rules
interact.  It appears that `SCMP_ACT_ERRNO()` always takes
precedence over `SCMP_ACT_ALLOW()` -- I had thought instead that
earlier rules would override later ones.  But this change caused bug
25115 (not in any released Tor).
2018-02-01 08:39:38 -05:00
Nick Mathewson
88b146cda5 Merge remote-tracking branch 'dgoulet/bug24469_033_01' 2018-02-01 08:22:44 -05:00
Nick Mathewson
ca85d66217 Merge branch 'maint-0.3.2' 2018-02-01 08:15:09 -05:00
Nick Mathewson
61cb2993dd Merge remote-tracking branch 'dgoulet/bug24975_032_01' into maint-0.3.2 2018-02-01 08:10:34 -05:00
Caio Valente
7884ce76e1 refactor: rename connection_t struct fields.
connection_t.timestamp_lastwritten renamed to
connection_t.timestamp_last_write_allowed

connection_t.timestamp_lastread renamed to
connection_t.timestamp_last_read_allowed

Closes ticket 24714.
2018-02-01 03:12:38 +01:00
Nick Mathewson
d1c2597096 Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-01-31 16:17:04 -05:00
Fernando Fernandez Mancera
33d9889a2b channel_tls_get_remote_addr_method now returns real_addr.
The accurate address of a connection is real_addr, not the addr member.
channel_tls_get_remote_addr_method() now returns real_addr instead.

Fixes #24952; bugfix on 707c1e2 in 0.2.4.11-alpha.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-01-31 16:12:13 -05:00
David Goulet
fb93c6fc51 circ: Don't cannibalize a circuit if the guard state is unusable
Tor preemptiely builds circuits and they can be cannibalized later in their
lifetime. A Guard node can become unusable (from our guard state) but we can
still have circuits using that node opened. It is important to not pick those
circuits for any usage through the cannibalization process.

Fixes #24469

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 16:10:48 -05:00
Nick Mathewson
8b0b850efa Merge remote-tracking branch 'public/bug16106_02_nm' 2018-01-31 15:51:58 -05:00
Nick Mathewson
946ebd8419 Obsolete the now-unused MaxTries options. 2018-01-31 15:11:47 -05:00
Nick Mathewson
c0024edd26 Remove two vestigial MaxDownloadTries checks from directory.c
These are no longer meaningful, since there's no longer an upper
limit to how many times (in the exponential-backoff world) one can
retry a download.  download_status_is_ready() didn't check these any
more, and neither do we.
2018-01-31 15:08:46 -05:00
Nick Mathewson
b8ff7407a7 remove the max_failures argument from download_status_is_ready. 2018-01-31 15:03:47 -05:00
Nick Mathewson
a846fd267e Merge branch 'bug23954_squashed' 2018-01-31 14:37:48 -05:00
Nick Mathewson
da778f2921 Use thread-safe types to store the LOG_PROTOCOL_WARN severity
Fixes a race condition; resolves 23954.
2018-01-31 14:37:09 -05:00
Nick Mathewson
98dd3757bf Merge branch 'bug25008' 2018-01-31 14:32:24 -05:00
David Goulet
fbc455cbd2 ns: Add a before and after consensus has changed notification
In 0.3.2.1-alpha, we've added notify_networkstatus_changed() in order to have
a way to notify other subsystems that the consensus just changed. The old and
new consensus are passed to it.

Before this patch, this was done _before_ the new consensus was set globally
(thus NOT accessible by getting the latest consensus). The scheduler
notification was assuming that it was set and select_scheduler() is looking at
the latest consensus to get the parameters it might needs. This was very wrong
because at that point it is still the old consensus set globally.

This commit changes the notify_networkstatus_changed() to be the "before"
function and adds an "after" notification from which the scheduler subsystem
is notified.

Fixes #24975
2018-01-31 14:15:02 -05:00
Nick Mathewson
31f2a8771c Look at the correct protocol for supports_v3_rendezvous_point
Fixes bug 25105; bugfix on 0.3.2.1-alpha.

(This is a backport of bbf2d9cf6b for 0.3.2.)
2018-01-31 14:09:47 -05:00
Nick Mathewson
3d937043c2 Fix a failing unit test.
When we stopped looking at the "protocols" variable directly, we
broke the hs_service/build_update_descriptors test, since it didn't
actually update any of the flags.

The fix here is to call summarize_protover_flags() from that test,
and to expose summarize_protover_flags() as "STATIC" from
routerparse.c.
2018-01-31 14:06:37 -05:00
Nick Mathewson
bbf2d9cf6b Look at the correct protocol for supports_v3_rendezvous_point
Fixes bug 25105; bugfix on 0.3.2.1-alpha.
2018-01-31 14:01:49 -05:00
David Goulet
c85f78e74c Revert "ns: Call notify_networkstatus_changed() after the new consensus is set globally"
This reverts commit 3a247ca92a.
2018-01-31 13:59:05 -05:00
Nick Mathewson
144bf015f8 Document remaining cases for protocol support
For each support flag, document which subprotocol version it requires.
2018-01-31 13:50:04 -05:00
Nick Mathewson
0dc1595d03 Merge branch 'maint-0.3.2' 2018-01-31 13:47:01 -05:00
Nick Mathewson
1c39d969b9 Merge remote-tracking branch 'dgoulet/bug24975_032_01' into maint-0.3.2 2018-01-31 13:46:58 -05:00
David Goulet
adaf3e9b89 sched: Avoid adding the same channel twice to the KIST pending list
This is the quick fix that is keeping the channel in PENDING state so if we
ever try to reschedule the same channel, it won't happened.

Fixes #24700

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 13:46:31 -05:00
Nick Mathewson
2294e330bd Merge branch 'maint-0.3.2' 2018-01-31 12:51:45 -05:00
David Goulet
df312b3cf6 hs-v3: Remove a BUG() when storing a descriptor in the client cache
It is possible in normal circumstances that  a client fetches a descriptor
that has a lower revision counter than the one in its cache. This can happen
due to HSDir desync.

Fixes #24976

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 12:51:42 -05:00
Mike Perry
ac1a78b977 Bug 24769: Reduce and parameterize the max number of cbt circs.
Setting the default for this at 10 and the learning timeout to 3 minutes means
we will complete our cbt learning in 30 minutes, which is under the reduced
padding connection timeout window.
2018-01-31 17:21:53 +00:00
Mike Perry
148c2410af Bug 24769: Reduce and parameterize the cbt learning idle timeout.
This is only half of the changes needed. We should also parameterize the
number of concurrent cbt learning circuits in needs_circuits_for_build().
2018-01-31 17:21:53 +00:00
David Goulet
3a247ca92a ns: Call notify_networkstatus_changed() after the new consensus is set globally
In 0.3.2.1-alpha, we've added this function in order to have a way to notify
other subsystems that the consensus just changed. The old consensus and the
new one are passed to it.

Before this patch, this was done _before_ the new consensus was set globally
(thus NOT accessible by getting the latest consensus). The scheduler
notification was assuming that it was set and select_scheduler() is looking at
the latest consensus to get the parameters it might needs. This was very wrong
because at that point it is still the old consensus set globally.

With this commit, notify_networkstatus_changed() has been moved _after_ the
new consensus is set globally. The main obvious reasons is to fix the bug
described above and in #24975. The other reason is that this notify function
doesn't return anything which could be allowing the possibility of refusing to
set the new consensus on error. In other words, the new consensus is set right
after the notification whatever happens.

It does no harm or change in behavior to set the new consensus first and then
notify the subsystems. The two functions currently used are for the control
port using the old and new consensus and sending the diff. The second is the
scheduler that needs the new consensus to be set globally before being called.

Of course, the function has been documented accordinly to clearly state it is
done _after_ the new consensus is set.

Fixes #24975

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 11:21:18 -05:00
Nick Mathewson
1e81aaa62f Merge branch 'maint-0.3.2' 2018-01-31 10:06:49 -05:00
Nick Mathewson
9bfb6fe395 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-31 10:06:49 -05:00
Nick Mathewson
5fc0437e74 But in most Earth cultures, there are 60s in a minute. 2018-01-31 10:06:43 -05:00
Nick Mathewson
8b162443b9 Merge branch 'maint-0.3.2' 2018-01-31 10:01:13 -05:00
Nick Mathewson
cb90defba6 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-31 10:01:13 -05:00
Nick Mathewson
86e6cb6409 add a rate-limit. 2018-01-31 10:01:10 -05:00
Nick Mathewson
69e242f845 Merge branch 'maint-0.3.2' 2018-01-31 09:50:24 -05:00
Nick Mathewson
e81896adda Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-31 09:50:24 -05:00
Nick Mathewson
914ec372a9 Merge branch 'bug24927' 2018-01-31 09:47:36 -05:00
Nick Mathewson
80c8689be1 Merge remote-tracking branch 'public/ticket24849_032' 2018-01-31 09:38:24 -05:00
Nick Mathewson
94878cf1ea Merge remote-tracking branch 'dgoulet/ticket24902_029_05' 2018-01-31 09:35:07 -05:00
teor
1f4a73133c test: Add unit tests for overflows and underflows in cc_stats_refill_bucket
Closes #25094.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 09:27:59 -05:00
teor
a09d5f5735 dos: Make sure cc_stats_refill_bucket can't overflow while calculating
Debug log the elapsed time in cc_stats_refill_bucket

Part of #25094.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-31 09:27:59 -05:00
Nick Mathewson
c0447033f5 Merge branch 'maint-0.3.2' 2018-01-31 09:19:55 -05:00
teor
b45ae1b002 test: Remove a redundant round from test_dos_bucket_refill
This round is left over from the tenths of a second code.

Part of #25094.
2018-01-31 09:19:39 -05:00
Roger Dingledine
3d9dcb49eb count flushing as channel activity
Stop adding unneeded channel padding right after we finish flushing
to a connection that has been trying to flush for many seconds.
Instead, treat all partial or complete flushes as activity on the
channel, which will defer the time until we need to add padding.

This fix should resolve confusing and scary log messages like
"Channel padding timeout scheduled 221453ms in the past."

Fixes bug 22212; bugfix on 0.3.1.1-alpha.

I think technically we could resolve bug 22212 by adding a call to
channel_timestamp_active() only in the finished_flushing case. But I added
a call in the flushed_some case too since that seems to more accurately
reflect the notion of "active".
2018-01-31 05:26:06 -05:00
Caio Valente
a4c8531260 refactor: using get_uptime() (and reset_uptime()) consistently.
Using get_uptime() and reset_uptime() instead of
accessing stats_n_seconds_working directly.

stats_n_seconds_working is not extern anymore.

Ticket #25081
2018-01-31 02:36:38 +01:00
Nick Mathewson
d2ae1bfcb3 remove a redundant semicolon 2018-01-30 18:11:16 -05:00
David Goulet
cd81403cc0 Merge branch 'ticket24902_029_05' into ticket24902_033_02 2018-01-30 09:33:12 -05:00
David Goulet
e58a4fc6cf dos: Make circuit rate limit per second, not tenths anymore
Because this touches too many commits at once, it is made into one single
commit.

Remove the use of "tenths" for the circuit rate to simplify things. We can
only refill the buckets at best once every second because of the use of
approx_time() and our token system is set to be 1 token = 1 circuit so make
the rate a flat integer of circuit per second.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
George Kadianakis
c3c2b55dec test: Add unit tests for the DoS subsystem
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
82de4ea900 dos: Clear connection tracked flag if geoip entry is removed
Imagine this scenario. We had 10 connections over the 24h lifetime of a geoip
cache entry. The lifetime of the entry has been reached so it is about to get
freed but 2 connections remain for it. After the free, a third connection
comes in thus making us create a new geoip entry for that address matching the
2 previous ones that are still alive. If they end up being closed, we'll have
a concurrent count desynch from what the reality is.

To mitigate this probably very rare scenario in practice, when we free a geoip
entry and it has a concurrent count above 0, we'll go over all connections
matching the address and clear out the tracked flag. So once they are closed,
we don't try to decrement the count.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
14a8b87852 dos: Add a heartbeat log
Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
36a0ae151f dos: Add the DoSRefuseSingleHopClientRendezvous option
This option refuses any ESTABLISH_RENDEZVOUS cell arriving from a client
connection. Its default value is "auto" for which we can turn it on or off
with a consensus parameter. Default value is 0.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:16 -05:00
David Goulet
acf7ea77d8 dos: Add the connection DoS mitigation subsystem
Defend against an address that has reached the concurrent connection count
threshold.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
1bfc91a029 dos: Apply defense for circuit creation DoS
If the client address was detected as malicious, apply a defense which is at
this commit to return a DESTROY cell.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
97abb3543b dos: Detect circuit creation denial of service
Add a function that notifies the DoS subsystem that a new CREATE cell has
arrived. The statistics are updated accordingly and the IP address can also be
marked as malicious if it is above threshold.

At this commit, no defense is applied, just detection with a circuit creation
token bucket system.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
c05272783d dos: Track new and closed OR client connections
Implement a basic connection tracking that counts the number of concurrent
connections when they open and close.

This commit also adds the circuit creation mitigation data structure that will
be needed at later commit to keep track of the circuit rate.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
51fda85c23 geoip: Remember client stats if DoS mitigation is enabled
Make the geoip cache track client address if the DoS subsystem is enabled.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
David Goulet
64149353dd dos: Initial code of Denial of Service mitigation
This commit introduces the src/or/dos.{c|h} files that contains the code for
the Denial of Service mitigation subsystem. It currently contains basic
functions to initialize and free the subsystem. They are used at this commit.

The torrc options and consensus parameters are defined at this commit and
getters are implemented.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-30 09:18:15 -05:00
teor
8bb79ca4a7
Add unit tests for supported protocols
Prevents future regressions like #25070.
2018-01-30 02:20:30 +11:00
teor
b67f010678
Add Link protocol version 5 to the supported protocols list in protover.rs
And fix the unsupported protover example so it uses a Link protover much
higher than 5.

Part of  #25070, bugfix on 0.3.3.1-alpha, which introduced the protover crate.
2018-01-30 02:18:57 +11:00
teor
a8e5e3a492
Add Link protocol version 5 to the supported protocols list in protover.c
Part of #25070, bugfix on 0.3.1.1-alpha.
2018-01-30 01:56:50 +11:00
teor
7a701f2603
Add Link protocol version 5 to the supported protocols list in protover.c
Part of #25070, bugfix on 0.3.1.1-alpha.
2018-01-30 01:51:03 +11:00
Corey Farwell
124caf28e6 Wrap types in protover.rs.
https://trac.torproject.org/projects/tor/ticket/24030

Introduce new wrapper types:

- `SupportedProtocols`
- `Versions`

Introduce a type alias:

- `Version` (`u32`)
2018-01-29 07:30:51 -05:00
Nick Mathewson
75d4bd3497 Improve log when unable to add sigs to pending consensus
Closes ticket 24849.
2018-01-26 14:19:59 -05:00
Nick Mathewson
ee5c624beb When a tor_cert_T check fails, log the reason why.
Diagnostic attempt for 24972.
2018-01-26 13:55:25 -05:00
Nick Mathewson
0755bcc36a Remove a needless (always-true) check.
Also add an assertion and rename a variable.

Closes ticekt 24927.
2018-01-26 13:35:00 -05:00
Nick Mathewson
9c2bc441f8 If out-of-disk when saving a consensus cache entry, don't BUG.
Just warn instead.

Fixes bug 24859.
2018-01-26 13:14:14 -05:00
Nick Mathewson
aedcb1644d Improve the keypin-loading log message to be a bit less scary. 2018-01-26 12:39:38 -05:00
Nick Mathewson
9a06282546 Change the sandbox behavior on all failed opens() to EACCES
Previously, most disallowed open(O_RDONLY) attempts would EACCES,
but others would fail with a crash.
2018-01-26 12:18:43 -05:00
Nick Mathewson
6ed384b827 Use tor_addr_from_getsockname() in several places
I'm leaving the getsockname code in transproxy alone, since it is
comparatively isolated, rather platform-specific, and hard to test.

Implements 18105.
2018-01-26 12:08:15 -05:00
Nick Mathewson
2a7bfec364 Add a new tor_addr_from_getsockname()
We use this pattern all over, and this should simplify matters a
bit.  Part of 18105.
2018-01-26 12:07:37 -05:00
Fernando Fernandez Mancera
54783b4c22 Refactor crypto.[ch] into smaller RSA module.
Add two new files (crypto_rsa.c, crypto_rsa.h) as new module of crypto.[ch].
This new module includes all functions and dependencies related to RSA
operations. Those have been removed from crypto.[ch].

All new changes related to RSA operations must be done in these files.

Follows #24658

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-01-26 13:09:52 +01:00
Nick Mathewson
5b55e15707 Remove all the old max_delay logic.
We had tests for it, but it was always INT_MAX.
2018-01-25 16:05:20 -05:00
Nick Mathewson
bf74194f57 fixup! Remove the old ("deterministic") download schedule.
Un-indent a block.

I'm doing this as a separate fixup commit to make review simpler.
2018-01-25 15:52:33 -05:00
Nick Mathewson
e0049ef022 Remove the old ("deterministic") download schedule.
We haven't meant to use it since we introduced the random
exponential schedule.

Closes ticket 23814.
2018-01-25 15:51:13 -05:00
David Goulet
93b826faaa geoip: Add a lookup function for client map entry
The upcoming DoS mitigation subsytem needs to keep information on a per-IP
basis which is also what the geoip clientmap does.

For another subsystem to access that clientmap, this commit adds a lookup
function that returns the entry. For this, the clientmap_entry_t had to be
moved to the header file.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-25 15:44:48 -05:00
Nick Mathewson
91c63aae84 In relay_digest_matches(), use stack instead of heap.
We'd been using crypto_digest_dup() and crypto_digest_assign() here,
but they aren't necessary.  Instead we can just use the stack to
store the previous state of the SHA_CTX and avoid a malloc/free pair.

Closes ticket 24914.
2018-01-25 13:59:55 -05:00
Nick Mathewson
b1fc383bdb Bump version to 0.3.3.1-alpha-dev 2018-01-25 13:50:55 -05:00
Nick Mathewson
25a1183fbe bump version to 0.3.3.1-alpha 2018-01-25 11:48:42 -05:00
Fernando Fernandez Mancera
5ea993fa5a Clarify directory and ORPort checking functions.
In order to make the OR and dir checking functions in router.c less confusing
we renamed some functions and splitted consider_testing_reachability() into
router_should_check_reachability() and router_do_reachability_checks(). Also we
improved the documentation.

Fixes #18918.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-01-24 20:19:24 +01:00
Nick Mathewson
7e504515b3 Always look at the subprotocol versions summary flags
Previously, we wouldn't do this when running with a routerinfo_t in
some cases, leading to many needless calls to the protover module.

This change also cleans up the code in nodelist.c a bit.

Fixes bug 25008; bugfix on 0.2.9.4-alpha.
2018-01-24 13:53:56 -05:00
Nick Mathewson
92496a739a Also cache the protover summary in the routerinfo_t, if we're using that 2018-01-24 13:53:56 -05:00
Nick Mathewson
7792be2d44 Extract code to summarize protocol versions into new function
This will let us put this summary into routerinfo_t too.

No behavior change.
2018-01-24 13:53:55 -05:00
Nick Mathewson
d9fbd34f42 Extract protover summary flags into a new structure
This will let us use them on routerinfo_t as well as on
routerstatus_t, and save some time on relays.

No behavioral changes here.
2018-01-24 13:53:55 -05:00
Nick Mathewson
fd8ee1d7c3 Merge branch 'maint-0.3.2' 2018-01-24 12:09:07 -05:00
Nick Mathewson
2484d1eb35 Fix a memory leak in build_unopened_fourhop
This is a unit-test-only leak, but let's fix it anyway so it doesn't
hide real bugs.

Bug not in any released version of Tor.
2018-01-24 12:08:39 -05:00
Nick Mathewson
6ba2881aec Fix a memory leak in scheduler/loop_kist
Fixes bug 25005.
2018-01-24 12:07:45 -05:00
Taylor Yu
37f26aa470 Add missing static keywords
crypto_openssl_header_version_str and crypto_openssl_version_str in
crypto_openssl_mgt.c should be static.
2018-01-23 16:01:26 -06:00
Nick Mathewson
23473f5e74 openssl_mutexes code belongs in openssl_mgt.c 2018-01-23 14:43:06 -05:00
Nick Mathewson
fa694f5af3 add a missing "compat_openssl.h" 2018-01-23 14:41:46 -05:00
Nick Mathewson
a172f02dfb perhaps this was the missing include? 2018-01-23 14:19:25 -05:00
Nick Mathewson
a34629fa28 Add a missing include for openssl 1.0.2 2018-01-23 14:16:53 -05:00
Nick Mathewson
6f4ee6e5e7 Merge remote-tracking branch 'mikeperry/bug24946' 2018-01-23 14:08:47 -05:00
Nick Mathewson
58f4aee90b Merge remote-tracking branch 'asn/bug24896' 2018-01-23 14:06:27 -05:00
Nick Mathewson
13a2acba3c Merge remote-tracking branch 'ffmancera/bug24658-openssl' 2018-01-23 14:02:45 -05:00
Nick Mathewson
0dbe3ddc33 Make Tor support TLS1.3 ciphers with OpenSSL 1.1.1
Without this patch, not only will TLS1.3 not work with Tor, but
OpenSSL 1.1.1 with TLS1.3 enabled won't build any connections at
all: It requires that either TLS1.3 be disabled, or some TLS1.3
ciphersuites be listed.

Closes ticket 24978.
2018-01-23 09:23:21 -05:00
George Kadianakis
17daab76b8 Add onion service activity information to our heartbeat logs. 2018-01-23 12:31:06 +02:00
Chelsea Holland Komlo
d0184963f9 fixups from code review 2018-01-22 18:33:22 -05:00
Fernando Fernandez Mancera
f2fca51976 Move the openssl namespace back into .c files.
As we're trying not to have all the other modules in Tor, we moved the openssl
namespace includes back into crypto.c and crypto_openssl_mgt.c files.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-01-22 16:48:33 +01:00
Mike Perry
db5b670d85 Bug 24946: Fix a warning message caused by a missed purpose check.
Also fix three other checks (found by inspection of all
CIRCUIT_PURPOSE_C_GENERAL occurrences).
2018-01-20 03:18:31 +00:00
Roger Dingledine
48a51c5f8b oxford comma for-the-win 2018-01-19 18:42:53 -05:00
Nick Mathewson
ef148638a1 Add a "falls through" comment to make gcc happy. 2018-01-19 17:29:36 -05:00
Nick Mathewson
1bcbb1bb0b Merge remote-tracking branch 'mikeperry/bug23101-mergeready-squashed' 2018-01-19 17:28:10 -05:00
Mike Perry
489628a7e4 Bug 23101: Pre-build HS-specific circuits (instead of general).
Prebuilt circs are 4 hops, since only server side HSDIR and intro circs
are 3 hops, and it is OK if those sometimes take longer to build.
2018-01-19 22:21:49 +00:00
Mike Perry
86ee771c28 Add new circuit purposes for hsdir activity.
This lets us control their path len and usage.
2018-01-19 22:21:48 +00:00
Mike Perry
20a3f61105 Implement layer 2 and layer 3 guard pinning via torrc.
Block circuit canibalization when HSRendezvousMiddleNodes is active.
Also make it apply to all HS circuits, not just rends.
2018-01-19 22:21:48 +00:00
Nick Mathewson
edd427a8ba Merge branch 'disable_signal_handlers' 2018-01-19 16:35:24 -05:00
Nick Mathewson
df4d5ebb7d Merge branch 'maint-0.3.2' 2018-01-19 16:30:53 -05:00
Nick Mathewson
b39c50cde8 Merge branch 'maint-0.2.9' into maint-0.3.0
Conflicts:
        src/or/rendservice.c
2018-01-19 16:29:43 -05:00
David Goulet
f870f9c8bc Merge branch 'bug24895_031_02' into bug24895_032_02 2018-01-19 16:26:26 -05:00
David Goulet
f98f7ca898 Merge branch 'bug24895_029_02' into bug24895_031_02 2018-01-19 16:21:55 -05:00
Roger Dingledine
490ae26b24 hs: Use hs_service_max_rdv_failures consensus param, defaulting to 2 2018-01-19 16:13:54 -05:00
Fernando Fernandez Mancera
5cd74b4884 Add crypto_openssl_mgt.[ch] for compiling dependencies.
Included crypto_openssl_mgt.[ch] into the appropiate files in order to resolve
compiling and dependencies issues.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2018-01-19 18:56:13 +01:00
Fernando Fernandez Mancera
b3aa7be26c Tweaks into functions and variables in crypto_openssl_mgt.[ch]
Renamed free_openssl() to crypto_openssl_free_all(). Also we made variables and
functions static again.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2018-01-19 18:07:49 +01:00
Nick Mathewson
65a27d95e7 Improve documentation for signal code 2018-01-19 10:02:20 -05:00
Nick Mathewson
2c9e0a286c Merge branch 'restart_debug_squashed' 2018-01-19 09:52:14 -05:00
Nick Mathewson
97d9ba2380 Add a mostly disabled feature to debug restarting in-process
For 23847, we want Tor to be able to shut down and then restart in
the same process.  Here's a patch to make the Tor binary do that.
To test it, you need to build with --enable-restart-debugging, and
then you need to set the environment variable TOR_DEBUG_RESTART.
With this option, Tor will then run for 5 seconds, then restart
itself in-process without exiting.  This only happens once.

You can change the 5-second interval using
TOR_DEBUG_RESTART_AFTER_SECONDS.

Implements ticket 24583.
2018-01-19 09:52:05 -05:00
Nick Mathewson
e7907f15f9 Don't call Libevent's event_base_free() on NULL.
It doesn't crash, but it produces a warning.

Fixes bug 24933; bugfix on 322abc030e. Bug
not in any released Tor.
2018-01-19 09:45:10 -05:00
Roger Dingledine
cc5a9e9667 turn MAX_REND_FAILURES into a function
no actual changes in behavior
2018-01-19 02:38:07 -05:00
Roger Dingledine
a15eb9ff43 MAX_REND_FAILURES is 1, but we would try three times
Fix an "off by 2" error in counting rendezvous failures on the onion
service side.

While we thought we would stop the rendezvous attempt after one failed
circuit, we were actually making three circuit attempts before giving up.

Fixes bug 24895; bugfix on 0.0.6.
2018-01-19 02:28:55 -05:00
Fernando Fernandez Mancera
7684949d37 Rename crypto_openssl.[ch] to crypto_openssl_mgt.[ch]
Rename crypto_openssl.[ch] to crypto_openssl_mgt.[ch] because it is possible we
need crypto_openssl.[ch] in the future.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2018-01-18 21:13:17 +01:00
Nick Mathewson
44388757c4 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-18 08:13:48 -05:00
Nick Mathewson
c8a27d89b2 Merge branch 'maint-0.3.2' 2018-01-18 08:13:48 -05:00
Nick Mathewson
f406b9df05 Merge branch 'bug24826_031' into maint-0.3.1 2018-01-18 08:13:45 -05:00
Nick Mathewson
77026f8a87 Merge branch 'bug22798_029_squashed' 2018-01-17 13:26:41 -05:00
Nick Mathewson
959af20247 Merge branch 'maint-0.3.2' 2018-01-17 11:13:18 -05:00
Nick Mathewson
4e653ac2ca Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-17 11:12:15 -05:00
Nick Mathewson
86aa7f0a3f Merge branch 'maint-0.3.2' 2018-01-17 10:50:58 -05:00
Nick Mathewson
57eab23ea5 update comment; ignore argument on non-win 2018-01-17 10:40:00 -05:00
Nick Mathewson
1efb84215e Improve Windows performance with SIO_IDEAL_SEND_BACKLOG_QUERY.
Patch written by "Vort" on trac. Addresses ticket 22798.
2018-01-17 10:40:00 -05:00
Nick Mathewson
60dfdd9b15 Merge branch 'bug21074_029' 2018-01-17 09:07:50 -05:00
Nick Mathewson
0bfd5a6597 Add a cast to avoid a signed/unsigned comparison 2018-01-17 09:06:32 -05:00
Nick Mathewson
454d854363 Merge branch 'bug21074_029' 2018-01-16 14:13:39 -05:00
Nick Mathewson
01adeb2471 Merge branch 'stack_em_up' 2018-01-16 13:31:29 -05:00
Nick Mathewson
d8c1c70d7a Repair a crash bug in src/test/bench
This was caused because of the new KeyDirectory and CacheDirectory
options not being set. Bugfix on 0.3.3.0-alpha; not in any released
Tor.
2018-01-16 13:29:11 -05:00
Nick Mathewson
4bb831e087 Improve fragile-hardening performance of consensus_split_lines.
For whatever reason, in my testing, using memchr() here improves
performance over strchr() by a great deal.

Fixes bug 24826; bugfix on 0.3.1.1-alpha.
2018-01-16 12:42:40 -05:00
Nick Mathewson
6b2e856122 Fix a (spurious) scan-build warning in test_introduce1_validation()
Since helper_create_introduce1_cell() checks "cell" for nullness,
scan-build is concerned that test_introduce1_validation()
dereferences it without checking it.  So, add a check.

Not backporting, since this is spurious, _and_ tests-only.
2018-01-16 08:36:34 -05:00
Roger Dingledine
af8cadf3a9 Remove false positives from channel_is_client()
Fix a set of false positives where relays would consider connections
to other relays as being client-only connections (and thus e.g.
deserving different link padding schemes) if those relays fell out
of the consensus briefly.

Now we look only at the initial handshake and whether the connection
authenticated as a relay.

Fixes bug 24898; bugfix on 0.3.1.1-alpha.
2018-01-15 22:33:40 -05:00
Roger Dingledine
7ce335c921 v3 onion services now obey MAX_REND_FAILURES
New-style (v3) onion services now obey the "max rendezvous circuit
attempts" logic.

Previously they would make as many rendezvous circuit attempts as they
could fit in the MAX_REND_TIMEOUT second window before giving up.

Fixes bug 24894; bugfix on 0.3.2.1-alpha.
2018-01-15 16:41:47 -05:00
Nick Mathewson
edc87b263f Merge remote-tracking branch 'ffmancera/bug24861' 2018-01-12 13:29:53 -05:00
Fernando Fernandez Mancera
06368e5310 Fix minGW compatibility issue with zu format specifier.
Define TOR_PRIuSZ as minGW compiler doesn't support zu format specifier for
size_t type.

Fixes #24861 on ac9eebd.

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2018-01-12 17:44:30 +01:00
Nick Mathewson
4c651b8c04 Note contactinfo and myfamily as required in more places
Includes a sentence from cypherpunks; for ticket 24526.
2018-01-11 20:00:18 -05:00
Nick Mathewson
a3d1c38ea6 Merge branch 'bug24582' 2018-01-11 19:57:57 -05:00
Nick Mathewson
42751e2123 On shutdown, mark openssl as uninitialized.
This causes openssl to get completely reinitialized on startup,
which is probably a good idea.
2018-01-11 13:00:15 -05:00
Nick Mathewson
18ea91ee6b Make the warnings about restarting tor in-process more scary. 2018-01-11 12:46:50 -05:00
Nick Mathewson
05ac3d0458 Merge branch 'restart_nocrash' 2018-01-11 12:45:25 -05:00
Nick Mathewson
751595551a Merge branch 'simplify_transition_allowed' 2018-01-11 12:39:37 -05:00
Nick Mathewson
c349bfec36 Merge branch 'bug24526_squashed' 2018-01-11 12:33:52 -05:00
Nick Mathewson
ac0f819ce5 Note contactinfo and myfamily as required in more places
Includes a sentence from cypherpunks; for ticket 24526.
2018-01-11 12:33:30 -05:00
Nick Mathewson
e8bd806412 Add a blank line per dgoulet review. 2018-01-11 12:29:29 -05:00
Nick Mathewson
d0adf5ae95 Merge branch 'bug24584' 2018-01-11 12:28:29 -05:00
Nick Mathewson
81aec1449b Compute flavor name before dereference, to avoid a STACK warning.
(See 24423)
2018-01-11 11:31:03 -05:00
Nick Mathewson
7a60600411 Merge remote-tracking branch 'ffmancera/github/bug24573' 2018-01-11 08:31:25 -05:00
Nick Mathewson
c8c258a433 Merge branch 'bug24733_squashed_2' 2018-01-10 12:57:23 -05:00
Nick Mathewson
519fa1a3e6 Document the alignment limitation of tor_free() 2018-01-10 12:57:13 -05:00
Nick Mathewson
f71bbd20a4 Extract the raw_free() of ifc_buf into a new function.
Explain the problem more correctly.
2018-01-10 12:57:13 -05:00
teor
54899b404c Stop invoking undefined behaviour by using tor_free() on an unaligned pointer
... in get_interface_addresses_ioctl().

This pointer alignment issue exists on x86_64 macOS, but is unlikely to exist
elsewhere. (i386 macOS only requires 4-byte alignment, and other OSs have
8-byte ints.)

Fixes bug 24733; not in any released version of tor.
2018-01-10 12:57:13 -05:00
Nick Mathewson
ca1d1c382c Merge remote-tracking branch 'ffmancera/github/bug24501' 2018-01-10 12:46:39 -05:00
Nick Mathewson
d8c0c62c7b Remove needless parentheses 2018-01-10 09:39:13 -05:00
Nick Mathewson
4715d81809 Merge remote-tracking branch 'teor/Bug-23966' 2018-01-10 09:38:38 -05:00
Nick Mathewson
34c6034aa7 Increment version to 0.3.2.9-dev 2018-01-09 10:12:25 -05:00
Nick Mathewson
1f7f930f9e Increment version to 0.3.2.9 2018-01-08 11:39:24 -05:00
Nick Mathewson
9ba69be96c Merge branch 'maint-0.3.2'
There was a merge conflict on fallback_dirs.inc, which we resolve in
favor of the newly generated version for #24801.
2018-01-08 11:10:53 -05:00
Nick Mathewson
b85fa0bd5f Merge branch 'maint-0.2.9' into maint-0.3.0 2018-01-08 11:10:36 -05:00
Nick Mathewson
e3ab27001f Merge branch 'maint-0.3.0' into maint-0.3.1 2018-01-08 11:10:36 -05:00
Nick Mathewson
1c5c5f0e50 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-08 11:10:36 -05:00
Nick Mathewson
a42e52dded Add 7 other fallback dirs from teor's tests
These are from "fallback_dirs_2018_01_06_2323_UTC_44aa1adf35_AU.inc"
2018-01-08 11:03:44 -05:00
Nick Mathewson
491c09c19a Update the fallback_dirs.inc file: part 1
This takes the updated fallback_dirs_2018_01_06_CA.inc from
pastly's scan.
2018-01-08 10:57:06 -05:00
Nick Mathewson
d637468128 Merge remote-tracking branch 'arma/bug24555' 2018-01-08 10:45:40 -05:00
Nick Mathewson
748ad2124d Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-08 09:35:55 -05:00
Nick Mathewson
942fa0c4a2 Merge branch 'maint-0.3.2' 2018-01-08 09:35:55 -05:00
Nick Mathewson
a1ce1ab201 Merge branch 'maint-0.3.0' into maint-0.3.1 2018-01-08 09:34:57 -05:00
Nick Mathewson
8042c356f4 Merge branch 'maint-0.2.9' into maint-0.3.0 2018-01-08 09:34:56 -05:00
Nick Mathewson
26e28829da Merge branch 'maint-0.2.5' into maint-0.2.9 2018-01-08 09:34:56 -05:00
Fernando Fernandez Mancera
7353c9496e Add free_openssl() to crypto_openssl module.
Add free_openssl() function to free the memory allocated for OpenSSL version
management variables. It is required since OpenSSL management has been isolated
from the crypto module.

Follows #24658.

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2018-01-08 15:31:41 +01:00
Fernando Fernandez Mancera
4022277272 Refactor crypto.[ch] into smaller OpenSSL module.
Add two new files (crypto_openssl.c, crypto_openssl.h) as new module of
crypto.[ch]. This new module includes all functions and dependencies related
to OpenSSL management. Those have been removed from crypto.[ch].

All new changes related to OpenSSL management must be done in these files.

Follows #24658

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2018-01-08 14:02:17 +01:00
Karsten Loesing
8efbeb0982 Update geoip and geoip6 to the January 5 2018 database. 2018-01-08 11:36:38 +01:00
Roger Dingledine
40cd992abb avoid calling format_iso_time() with TIME_MAX
If we tried to move a descriptor from routerlist->old_routers
back into the current routerlist, we were preparing a buffer with
format_iso_time() on ri->cert_expiration_time, and doing it preemptively
since router_add_to_routerlist() might free ri so we wouldn't be able
to get at it later in the function.

But if the descriptor we're moving doesn't have any ed signature, then
its cert will be marked to expire at TIME_MAX, and handing TIME_MAX
to format_iso_time() generates this log warning:

correct_tm(): Bug: gmtime(9223372036854775807) failed with error Value too large for defined data type: Rounding down to 2037

The fix is to preemptively remember the expiry time, but only prepare
the buffer if we know we're going to need it.

Bugfix on commit a1b0a0b9, which came about as part of a fix for bug
20020, and which is not yet in any released version of Tor (hence no
changes file).
2018-01-07 02:15:18 -05:00
Roger Dingledine
44aa1adf35 make a comment a bit more useful 2018-01-06 15:03:35 -05:00
Roger Dingledine
94ec5af5fe whitespace and typo fixes 2018-01-06 15:02:12 -05:00
Roger Dingledine
4f83d6d6ad Merge branch 'maint-0.3.2' 2018-01-05 18:44:08 -05:00
Roger Dingledine
5f2c7a8567 remove redundant "implement this" from log message 2018-01-05 18:23:07 -05:00
Nick Mathewson
143da73165 Merge remote-tracking branch 'teor/fallback-code-2018-01' 2018-01-05 16:47:28 -05:00
Nick Mathewson
0b6fe3c123 Merge branch 'maint-0.3.2' 2018-01-05 16:41:35 -05:00
Nick Mathewson
48d94e290d Merge branch 'maint-0.3.0' into maint-0.3.1 2018-01-05 16:41:34 -05:00
Nick Mathewson
16fd975a82 Merge branch 'maint-0.2.9' into maint-0.3.0 2018-01-05 16:41:34 -05:00
Nick Mathewson
3618bd6166 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-05 16:41:34 -05:00
Nick Mathewson
c52d4d9e34 Merge branch 'teor_ticket24681_028' into maint-0.2.9 2018-01-05 16:41:31 -05:00
Nick Mathewson
94d5523c7f fix a wide line 2018-01-05 11:28:23 -05:00
Nick Mathewson
2d92f4c19a Don't keep options in a local in run_main_loop_once.
The options value can change between the get_options() and its
second use, based on setconf callbacks in the event loop.
2018-01-05 09:24:34 -05:00
teor
ca1f808d93
Add a timestamp to the header of the current fallback list
This timestamp is based on the time that list was first committed.

Part of 24725.
2018-01-05 13:27:51 +11:00
teor
70490df76a
Remove an incorrect C comment in the current fallback list
Follow-up to #24725
2018-01-05 13:27:43 +11:00
teor
c8c0e9167d
Add delimiters at the end of every fallback entry in the current list
Using this script:
sed -i.bak $'s|^,$|/* ===== */\\\n,|' src/or/fallback_dirs.inc
(Due to embedded newlines, this script only works in bash.)

And manually add a delimiter to the end of the header, and the start of
the fallback list.

This allows us to check that the code compiles, and the unit tests pass.
And it allows downstream users stem and atlas to adapt to the new format.

The upcoming fallback rebuild will automatically generate this new format.

Follow-up to 24725.
2018-01-05 13:27:36 +11:00
teor
20b96cee64
Update the version header in the current fallback file to 2.0.0
The upcoming fallback rebuild will automatically generate this new format.

Follow-up to 24725, due to breaking changes in 24679, 24600, and 22759.
2018-01-05 13:27:25 +11:00
teor
c1be0cfdb4
Add all-zero extrainfo cache flags to the current fallback file
Using this script:
sed -i.bak $'s|^,$|/* extrainfo=0 */\\\n,|' src/or/fallback_dirs.inc
(Due to embedded newlines, this script only works in bash.)

This allows us to check that the code compiles, and the unit tests pass.
And it allows downstream users stem and atlas to adapt to the new format.

The upcoming fallback rebuild will automatically generate this new format,
with actual relay extrainfo cache flags.

Follow-up to 22759.
2018-01-05 13:27:18 +11:00
teor
067617608c
Add blank nicknames to the current fallback file
Using this script:
sed -i.bak $'s|^,$|/* nickname= */\\\n,|' src/or/fallback_dirs.inc
(Due to embedded newlines, this script only works in bash.)

This allows us to check that the code compiles, and the unit tests pass.
And it allows downstream users stem and atlas to adapt to the new format.

The upcoming fallback rebuild will automatically generate this new format,
with actual relay nicknames.

Follow-up to 24600.
2018-01-05 13:27:10 +11:00
teor
384a450a47
Remove weights from the current fallback file
Using this script:
sed -i.bak 's/" weight=10",/,/' src/or/fallback_dirs.inc

This allows us to check that the code compiles, and the unit tests pass.
And it allows downstream users stem and atlas to adapt to the new format.

The upcoming fallback rebuild will automatically generate this new format.

Follow-up to 24679.
2018-01-05 13:27:03 +11:00
teor
0e6fdbea8d
Add a version 1.0.0 header to the current fallback file
The upcoming fallback rebuild will automatically generate this new format,
with version 2.0.0.

Follow-up to 24725.
2018-01-05 13:26:48 +11:00
Nick Mathewson
68ca6d2e19 Don't treat a setrlimit failure as fatal.
Fixes bug 21074; bugfix on 4689243242 in 0.0.9rc5 when we
started doing setrlimit() in the first place.
2018-01-04 13:21:29 -05:00
Nick Mathewson
1dab8bae21 smartlist.rs: The libc::c_char type is not the same as i8.
The code had been using c_char and i8 interchangeably, but it turns
out that c_char is only i8 on platforms where "char" is signed. On
other platforms, c_char is u8.

Fixes bug 24794; bug not on any released Tor.
2018-01-04 12:21:55 -05:00
Nick Mathewson
e0ccec219b Merge remote-tracking branch 'frewsxcv/frewsxcv-protover-heap' 2018-01-04 11:05:53 -05:00
Nick Mathewson
943134e886 Merge remote-tracking branch 'pastly2/ticket24531_033_01' 2018-01-03 11:56:35 -05:00
Nick Mathewson
b56ce79e63 In networkstatus_consensus_has_ipv6 test, use approx_time()
This may (or may not) fix up some reliability issues we've been
seeing with this test on windows.
2018-01-03 10:57:44 -05:00
Nick Mathewson
6b3c07648c Merge branch 'maint-0.3.2' 2018-01-03 10:09:20 -05:00
Nick Mathewson
1bc95633fb Fix some shadowed-global warnings.
These are all about local variables shadowing global
functions. That isn't normally a problem, but at least one
compiler we care about seems to treat this as a case of -Wshadow
violation, so let's fix it.

Fixes bug 24634; bugfix on 0.3.2.1-alpha.
2018-01-03 09:13:00 -05:00
Nick Mathewson
b62b40a572 Merge branch 'maint-0.3.2' 2018-01-03 09:00:00 -05:00
Nick Mathewson
451c852a0f Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-03 09:00:00 -05:00
Nick Mathewson
c1d98c75e3 Merge branch 'maint-0.3.0' into maint-0.3.1 2018-01-03 08:59:59 -05:00
Nick Mathewson
bbc9ff160e Merge branch 'maint-0.2.9' into maint-0.3.0 2018-01-03 08:59:59 -05:00
Nick Mathewson
c9b3f6352f Merge branch 'bug24633_029' into maint-0.2.9 2018-01-03 08:59:52 -05:00
Nick Mathewson
bd9739bae6 Merge branch 'maint-0.3.2' 2018-01-02 14:42:31 -05:00
Nick Mathewson
2aa1767b25 Merge remote-tracking branch 'teor/bug24703_032' into maint-0.3.2 2018-01-02 14:42:27 -05:00
Nick Mathewson
fb5877b972 Merge branch 'maint-0.3.0' into maint-0.3.1 2018-01-02 10:10:28 -05:00
Nick Mathewson
8a7767603a Merge branch 'maint-0.2.9' into maint-0.3.0 2018-01-02 10:10:28 -05:00
Nick Mathewson
bc5ef83f8f Merge branch 'maint-0.3.2' 2018-01-02 10:10:28 -05:00
Nick Mathewson
707076002d Merge branch 'maint-0.3.1' into maint-0.3.2 2018-01-02 10:10:28 -05:00
Nick Mathewson
6e5e4f92ab Merge remote-tracking branch 'teor/bug24736_028' into maint-0.2.9 2018-01-02 10:09:44 -05:00
Nick Mathewson
d53f779853 Merge remote-tracking branch 'teor/ticket24001' 2018-01-02 10:07:13 -05:00
Fernando Fernandez Mancera
525c1c493e Set IPv6 preferences for bridges even if there is no ri.
Tor now sets IPv6 preferences on rewrite_node_address_for_bridge() even if
there is only ri or rs. It always warns about them.

Also Tor now sets the IPv6 address in rs as well as it sets the one in ri.

Fixes #24572 on 9e9edf7 in 0.2.4.5-alpha.
Fixes #24573 on c213f27 in 0.2.8.2-alpha.

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2018-01-02 15:28:15 +01:00
teor
d99ccf090f
Stop trying to remove NULL filenames on shutdown
Fixes bug 24762; bugfix on master.
(Not in any released version of Tor.)
2017-12-30 17:19:42 +11:00
ArunaMaurya221B
01efbe3bd3 node_has_curve25519_onion_key() is refactored and duplicate code removed 2017-12-29 20:11:06 +05:30
Corey Farwell
2529319f68 [fixup] this might be an improvement? 2017-12-28 18:17:45 -08:00
Corey Farwell
8ba5805bae Remove unneeded heap allocations in protover.rs. 2017-12-27 22:05:06 -08:00
teor
09b9a35c07
Clear the address when we can't choose a reachable address
When the fascist_firewall_choose_address_ functions don't find a
reachable address, set the returned address to the null address and port.

This is a precautionary measure, because some callers do not check the
return value.

Fixes bug 24736; bugfix on 0.2.8.2-alpha.
2017-12-25 01:55:28 +11:00
teor
53f350182e
Expand comments in node_get_ed25519_id() and put them near the relevant code
And add a changes file.

Follow-up to 24001.
2017-12-24 19:50:47 +11:00
ArunaMaurya221B
5865e56ec0
Conditional check added 2017-12-24 19:43:57 +11:00
teor
30e1371675
Make the default DirAuthorityFallbackRate 0.1
This makes clients on the public tor network prefer to bootstrap off fallback
directory mirrors.

This is a follow-up to 24679, which removed weights from the default fallbacks.

Implements ticket 24681.
2017-12-23 00:01:31 +11:00
Chelsea Holland Komlo
510a91af53 remove unnecessary lifetime 2017-12-22 00:26:52 -05:00
teor
a8e8ce8602
Bump the dates and Tor versions on the sample torrcs 2017-12-22 11:22:48 +11:00
teor
d10c2d6668
Clarify the OutboundBindAddressOR documentation in the sample torrc
Part of 22145
2017-12-22 11:22:10 +11:00
teor
5fb26ba2d8
Document IPv6Exit in the sample torrcs
Sample config-only change.

Implements 24703.
2017-12-22 11:10:30 +11:00
Chelsea Holland Komlo
4cdf0c8899 add testing implementation for tor logging 2017-12-21 19:01:30 -05:00
Chelsea Holland Komlo
d4be1b1e76 allow running protover test with a testing feature flag 2017-12-21 15:29:33 -05:00
Chelsea Holland Komlo
71a5376141 move macro body to inline rust function 2017-12-21 15:29:33 -05:00
Chelsea Holland Komlo
0e032fe9ea fixups from code review 2017-12-21 15:29:33 -05:00
Chelsea Holland Komlo
cd8bcacfe1 cargo fmt fixes 2017-12-21 15:29:33 -05:00
Chelsea Holland Komlo
3dfe8e6522 add minimal rust module for logging to tor's logger
Allows an optional no-op for testing purposes
2017-12-21 15:29:33 -05:00
Nick Mathewson
719db28f54 Add minimal implementations of functions Rust needs for logging 2017-12-21 15:28:29 -05:00
Nick Mathewson
94c59851df Increment version to 0.3.2.8-rc-dev 2017-12-21 14:22:54 -05:00
Nick Mathewson
713a717022 scan-build: Replace some test-assertions with fatal assertions
Using tt_assert in these helpers was implying to scan-build that our
'new' functions might be returning NULL, which in turn would make it
warn about null-pointer use.
2017-12-21 13:26:57 -05:00
Nick Mathewson
1a77799665 Increment version to 0.3.2.8-rc 2017-12-21 12:42:00 -05:00
Nick Mathewson
2b8a06a2ef Merge branch 'maint-0.3.2' 2017-12-21 11:16:00 -05:00
Nick Mathewson
6cd567d797 Merge remote-tracking branch 'dgoulet/bug24671_032_01' into maint-0.3.2 2017-12-21 11:13:33 -05:00
Nick Mathewson
2f0d57db56 Fix a compilation error in the channel tests.
This would only show up on systems like windows where monotime_t and
monotime_coarse_t are different types.
2017-12-21 11:10:30 -05:00
Nick Mathewson
1eeb505e6f In 0.3.3, we use timestamps, not absolute milliseconds. 2017-12-21 10:57:45 -05:00
Nick Mathewson
b8a3602b2a Merge branch 'maint-0.3.2' 2017-12-21 10:54:05 -05:00
Nick Mathewson
84adb9fcca Merge branch 'maint-0.3.1' into maint-0.3.2 2017-12-21 10:50:33 -05:00
Nick Mathewson
08469a338a Merge branch 'maint-0.3.0' into maint-0.3.1 2017-12-21 10:50:06 -05:00
Nick Mathewson
03b4dd92a4 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-12-21 10:49:40 -05:00
Nick Mathewson
79a50afa0e Use monotime_coarse_absolute_msec() in destroy queue
This way it will match the insert queue in 029 and later.
2017-12-21 10:48:37 -05:00
Nick Mathewson
3b08184338 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-12-21 10:43:12 -05:00
Nick Mathewson
7d845976e3 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-12-21 10:43:06 -05:00
Nick Mathewson
9202087760 Merge branch 'bug24666_squashed_025' into maint-0.2.5 2017-12-21 10:40:10 -05:00
Nick Mathewson
cd1f708a7f Move free to end of test function so coverity won't complain. 2017-12-21 10:39:29 -05:00
Nick Mathewson
520cf21793 Move destroy cells into a separate queue type of their own, to save RAM
We've been seeing problems with destroy cells queues taking up a
huge amount of RAM.  We can mitigate this, since while a full packed
destroy cell takes 514 bytes, we only need 5 bytes to remember a
circuit ID and a reason.

Fixes bug 24666. Bugfix on 0.2.5.1-alpha, when destroy cell queues
were introduced.
2017-12-21 10:29:01 -05:00
Nick Mathewson
bcc96c77de Merge branch 'maint-0.3.2' 2017-12-21 10:27:39 -05:00
Nick Mathewson
c38157be9d clarify a comment 2017-12-21 10:27:37 -05:00
Nick Mathewson
d0c5fe257b Merge branch 'maint-0.3.2' 2017-12-21 10:20:35 -05:00
David Goulet
885ba513ff sched: Consider extra_space even if negative in KIST
With extra_space negative, it means that the "notsent" queue is quite large so
we must consider that value with the current computed tcp_space. If we end up
to have negative space, we should not add more data to the kernel since the
notsent queue is just too filled up.

Fixes #24665

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-21 09:32:04 -05:00
Nick Mathewson
5db94adac2 Fix a pair of memory leaks in tor_cleanup()
Spotted by coverity scan as 1426749 and 1426750

Bug not in any released Tor.
2017-12-21 08:50:41 -05:00
Nick Mathewson
bac0bcbba1 type error fix for monotime_coarse_add_msec on windows 2017-12-20 17:45:59 -05:00
David Goulet
fdfa4a5a14 sched: Use lower layer cell limit with KISTLite
Instead of using INT_MAX as a write limit for KISTLite, use the lower layer
limit which is using the specialized num_cells_writeable() of the channel that
will down the line check the connection's outbuf and limit it to 32KB
(OR_CONN_HIGHWATER).

That way we don't take the chance of bloating the connection's outbuf and we
keep the cells in the circuit queue which our OOM handler can take care of,
not the outbuf.

Finally, this commit adds a log_debug() in the update socket information
function of KIST so we can get the socket information in debug.

Fixes #24671

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-20 14:17:18 -05:00
Fernando Fernandez Mancera
ac9eebd636 Add some values to OOM log msg #24501
Exposing cell_queues_get_total_allocation(), buf_get_total_allocation(),
tor_compress_get_total_allocation(), tor_compress_get_total_allocation() when
hit MaxMemInQueues threshold.

Fixes #24501

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2017-12-20 18:31:30 +01:00
Nick Mathewson
5e92646715 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-12-20 12:15:24 -05:00
Nick Mathewson
08ed0d7930 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-12-20 12:15:24 -05:00
Nick Mathewson
7e45720cf4 Merge branch 'maint-0.3.1' into maint-0.3.2 2017-12-20 12:15:24 -05:00
Nick Mathewson
0e790bb40d Merge branch 'maint-0.3.2' 2017-12-20 12:15:24 -05:00
Nick Mathewson
c604a76a53 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-12-20 12:15:23 -05:00
Nick Mathewson
877dd1d6c8 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-12-20 12:15:23 -05:00
Karsten Loesing
428f8a375b Update geoip and geoip6 to the December 6 2017 database. 2017-12-20 17:36:29 +01:00
Nick Mathewson
a499be33b8 Merge branch 'maint-0.3.2' 2017-12-20 11:19:23 -05:00
Nick Mathewson
565ec6100f Merge branch 'stack_again_032' into maint-0.3.2 2017-12-20 11:19:18 -05:00
Nick Mathewson
7ca0a9c4ae Merge remote-tracking branch 'ahf-oniongit/bugs/24605' 2017-12-20 11:16:17 -05:00
Nick Mathewson
c99ec36def expand documentation on tor_remove_file 2017-12-20 10:43:27 -05:00
Nick Mathewson
4b7b305bf0 Remove pre-unlink check tor_remove_file; check errno instead.
This removes a time-of-check/time-of-use issue, though in this case
it would probably be harmless.
2017-12-20 10:42:02 -05:00
Nick Mathewson
18543c2c9b Merge remote-tracking branch 'ffmancera/github/bug23271' 2017-12-20 10:40:32 -05:00
Nick Mathewson
3bc5806339 Merge branch 'maint-0.3.2' 2017-12-20 10:39:38 -05:00
Nick Mathewson
0a1b1430c8 Update the unit tests to reflect the change of 24425 2017-12-20 10:39:19 -05:00
Nick Mathewson
83ced3e7fe Merge branch 'maint-0.3.2' 2017-12-20 09:59:51 -05:00
Nick Mathewson
fc33caadae Merge remote-tracking branch 'dgoulet/ticket24425_032_01' into maint-0.3.2 2017-12-20 09:59:06 -05:00
Nick Mathewson
accd0ea65b Fix the clz32 and clz64 settings on MSVC.
Fixes bug 24633; bugfix on 0.2.9.1-alpha.
2017-12-20 09:37:18 -05:00
Nick Mathewson
28fbfa8712 whitespace fix 2017-12-20 09:17:13 -05:00
Nick Mathewson
69a320ce5d Merge branch 'xfer_time_coarse' 2017-12-20 09:15:30 -05:00
Nick Mathewson
60bf8f6cf6 Improve add_msec test to cover ms->sec rollover
Per mikeperry's suggestion, I'm making sure that the millisecond
part of the time will always roll over in this test.
2017-12-20 09:12:38 -05:00
Nick Mathewson
d43dc120e8 finish documentation on live_consensus_is_missing 2017-12-18 15:01:05 -05:00
Alexander Færøy
d4f4108601
Add MainloopStats option.
This patch adds support for MainloopStats that allow developers to get
main event loop statistics via Tor's heartbeat status messages. The new
status log message will show how many succesful, erroneous, and idle
event loop iterations we have had.

See: https://bugs.torproject.org/24605
2017-12-16 02:41:21 +01:00
Alexander Færøy
e44662a7f9
Fix additional whitespace in config module comment. 2017-12-16 02:22:37 +01:00
Nick Mathewson
93e7b837c8 Use same macros to simplify options_transition_affects_* 2017-12-15 15:33:29 -05:00
Nick Mathewson
376f97aaa1 Simplify the very repetitious options_transition_allowed() 2017-12-15 15:32:46 -05:00
Nick Mathewson
20f802ea3c Add an option to disable signal handler installation.
Closes ticket 24588.
2017-12-15 12:48:29 -05:00
Nick Mathewson
fdd5734875 Remove the unused is_parent==0 option from handle_signals. 2017-12-15 12:45:30 -05:00
Nick Mathewson
a61c36d53a indentation fix 2017-12-15 12:37:15 -05:00
Fernando Fernandez Mancera
61c721f145 Add remove file function and remove ephemeral files.
Adding tor_remove_file(filename) and refactoring tor_cleanup().

Removing CookieAuthFile and ExtORPortCookieAuthFile when tor_cleanup() is
called.

Fixes #23271.

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2017-12-15 17:01:22 +01:00
Nick Mathewson
5c4da2cacd bump to 0.3.2.7-rc-dev 2017-12-14 14:12:31 -05:00
Nick Mathewson
93b3c4b844 update to 0.3.2.7-rc 2017-12-13 12:06:37 -05:00
Nick Mathewson
f7e393eb4c Another attempt at fixing the STACK warning in tortls.c
Patch suggestion from catalyst.

Related to 24423
2017-12-13 10:09:10 -05:00
Nick Mathewson
219c969d7b Use monotime_coarse for transfer times and padding times
Using absolute_msec requires a 64-bit division operation every time
we calculate it, which gets expensive on 32-bit architectures.
Instead, just use the lazy "monotime_coarse_get()" operation, and
don't convert to milliseconds until we absolutely must.

In this case, it seemed fine to use a full monotime_coarse_t rather
than a truncated "stamp" as we did to solve this problem for the
timerstamps in buf_t and packed_cell_t: There are vastly more cells
and buffer chunks than there are channels, and using 16 bytes per
channel in the worst case is not a big deal.

There are still more millisecond operations here than strictly
necessary; let's see any divisions show up in profiles.
2017-12-13 09:46:58 -05:00
Nick Mathewson
dd6dec2665 Add a function to add msec to a monotime.
We'll use this for the channel padding logic.
2017-12-13 08:54:29 -05:00
Nick Mathewson
4c877ae874 Add monotime functions for clearing monotonic times
We need this to replace some of our "msec" users with monotime
users.
2017-12-13 08:29:23 -05:00
Nick Mathewson
426110dfa2 Merge branch 'maint-0.3.2' 2017-12-12 19:46:53 -05:00
Nick Mathewson
15b41fa6ae Make sandbox.c compile when libseccomp-dev is installed on arm64
Fixes ticket 24424.  Patch from weasel.
2017-12-12 19:46:03 -05:00
Nick Mathewson
9abef516f6 Merge branch 'maint-0.3.2' 2017-12-12 19:27:14 -05:00
Nick Mathewson
bf89b08930 Merge branch 'bug24367_032_squashed' into maint-0.3.2 2017-12-12 19:17:38 -05:00
teor
19a4abf2a9 Make sure bridges are definitely running before delaying directory fetches
Retry directory downloads when we get our first bridge descriptor
during bootstrap or while reconnecting to the network. Keep retrying
every time we get a bridge descriptor, until we have a reachable bridge.

Stop delaying bridge descriptor fetches when we have cached bridge
descriptors. Instead, only delay bridge descriptor fetches when we
have at least one reachable bridge.

Fixes bug 24367; bugfix on 0.2.0.3-alpha.
2017-12-12 19:17:25 -05:00
teor
6b5c70670b Simplify some conditionals in circuit_get_open_circ_or_launch()
When entry_list_is_constrained() is true, guards_retry_optimistic()
always returns true.

When entry_list_is_constrained() is false,
options->UseBridges is always false,
therefore !options->UseBridges is always true,
therefore (!options->UseBridges || ...) is always true.

Cleanup after #24367.
2017-12-12 19:17:25 -05:00
Nick Mathewson
13455c0f1a Merge branch 'maint-0.3.2' 2017-12-12 09:32:29 -05:00
Nick Mathewson
e622f208a3 Merge remote-tracking branch 'teor/bug23827-v2' 2017-12-12 09:27:03 -05:00
George Kadianakis
b6fd78ea30 hs-v3: Don't lookup an intro point while cleaning it up
Commit e80893e51b made tor call
hs_service_intro_circ_has_closed() when we mark for close a circuit.

When we cleanup intro points, we iterate over the descriptor's map of intro
points and we can possibly mark for close a circuit. This was problematic
because we would MAP_DEL_CURRENT() the intro point then free it and finally
mark for close the circuit which would lookup the intro point that we just
free in the map we are iterating over.

This can't be done and leads to a use-after-free because the intro point will
be returned successfully due to the fact that we are still in the loop
iterating. In other words, MAP_DEL_CURRENT() followed by a digest256map_get()
of the same object should never be done in the same loop.

Fixes #24595

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-12 09:21:25 -05:00
Nick Mathewson
9c604e2bbb Fix compilation: logfile_is_external() must accept const* 2017-12-12 09:21:12 -05:00
Nick Mathewson
6c5a73f87a Merge remote-tracking branch 'ahf-oniongit/bugs/24362' 2017-12-12 09:18:52 -05:00
Alexander Færøy
cbc465a3d1 Simplify explicit conditional checks into an inlined function.
This patch lifts the check for whether a given log file (`logfile_t`) is
an "external logfile" (handled by an external logging system such as
syslog, android's logging subsystem, or as an external C callback
function) into a function on its own.

See: https://bugs.torproject.org/24362
2017-12-12 01:17:57 +00:00
Nick Mathewson
eecfed0cd2 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-12-11 16:56:31 -05:00
Nick Mathewson
f7151387d9 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-12-11 16:56:31 -05:00
Nick Mathewson
cdee62da9e Merge branch 'maint-0.3.0' into maint-0.3.1 2017-12-11 16:56:31 -05:00
Nick Mathewson
da38904efb Merge branch 'maint-0.2.9' into maint-0.3.0 2017-12-11 16:56:31 -05:00
Nick Mathewson
1deda2106b Merge branch 'bug24167_025' into maint-0.2.5 2017-12-11 16:56:28 -05:00
Nick Mathewson
eaaa1108a3 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-12-11 16:54:14 -05:00
Nick Mathewson
04524443d0 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-12-11 16:54:14 -05:00
Nick Mathewson
2ea573ece8 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-12-11 16:54:14 -05:00
Nick Mathewson
bc1ea4f470 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-12-11 16:54:11 -05:00
Nick Mathewson
f5d4bdf305 Merge remote-tracking branch 'public/ticket23856_025_01' into maint-0.2.5 2017-12-11 16:53:02 -05:00
Nick Mathewson
736e7299ce Merge branch 'maint-0.3.0' into maint-0.3.1 2017-12-11 16:51:58 -05:00
Nick Mathewson
7fcb222ab7 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-12-11 16:51:58 -05:00
Nick Mathewson
7e486dd6f7 Merge remote-tracking branch 'public/bug23985_029' into maint-0.2.9 2017-12-11 16:51:54 -05:00
Nick Mathewson
f7b41bcdf0 Merge branch 'bug24086_031' into maint-0.3.1 2017-12-11 16:49:01 -05:00
Nick Mathewson
828333e38c Merge remote-tracking branch 'public/bug24099_031' into maint-0.3.1 2017-12-11 16:48:44 -05:00
Nick Mathewson
d2031f2c60 Merge remote-tracking branch 'public/bug23817_031' into maint-0.3.1 2017-12-11 16:45:54 -05:00
Nick Mathewson
d5400d50e7 Merge branch 'maint-0.3.2' 2017-12-11 16:43:51 -05:00
Nick Mathewson
ae608408e9 Merge remote-tracking branch 'asn/bug23862_031' into maint-0.3.1 2017-12-11 16:43:41 -05:00
Nick Mathewson
c55a054236 Merge remote-tracking branch 'asn/bug23862_030' into maint-0.3.0 2017-12-11 16:41:28 -05:00
Nick Mathewson
418d8bbe92 Merge branch 'stack_fixes_032_v2' into maint-0.3.2 2017-12-11 16:25:04 -05:00
Nick Mathewson
f539d89fd9 Move subtraction in rephist to try to avoid STACK warning
(I do not know why this one is happening)
2017-12-11 16:23:11 -05:00
Nick Mathewson
3da15bcbe8 Stop checking for sandbox:new_element() failures: it can't fail.
(It can't fail because the tor_malloc*() family of functions can
never return NULL)

Found with STACK
2017-12-11 16:06:25 -05:00
Nick Mathewson
472473ec5d transport_new() cannot fail; do not check for it to fail.
(It can't fail because the tor_malloc*() family of functions can
never return NULL)

Found with STACK.
2017-12-11 16:06:00 -05:00
Nick Mathewson
252db6ad26 Merge branch 'maint-0.3.2' 2017-12-11 16:02:10 -05:00
David Goulet
057139d383 sched: Avoid integer overflow when computing tcp_space
In KIST, we could have a small congestion window value than the unacked
packets leading to a integer overflow which leaves the tcp_space value to be
humongous.

This has no security implications but it results in KIST scheduler allowing to
send cells on a potentially saturated connection.

Found by #24423. Fixes #24590.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-11 15:45:19 -05:00
Nick Mathewson
3809036c63 Reset all main.c state at exit
This change is part of 24587.
2017-12-11 14:05:34 -05:00
Nick Mathewson
6033538ac3 In control.c, reset the bootstrapping status on shutdown
Part of #24587
2017-12-11 14:05:09 -05:00
Nick Mathewson
f205dabf7a Stop using event_base_once().
This function leaks memory when the event_base is freed before the
event itself fires.  That's not harmful, but it's annoying when
trying to debug other memory leaks.

Fixes bug 24584; bugfix on 0.2.8.1-alpha.
2017-12-11 12:23:02 -05:00
Nick Mathewson
3b465ebf2e Changes file and tor_api.h tweaks for 24581. 2017-12-11 11:55:41 -05:00
Nick Mathewson
06ffafcb9d Set DH parameters to NULL on shutdown
If we don't do this, we will use freed memory on restart.

Part of 24581.
2017-12-11 11:52:19 -05:00
Nick Mathewson
474ca13d6a Mark libevent unitialized on shutdown.
This is necessary so that we will reinitialize it on startup.
2017-12-11 11:52:19 -05:00
Nick Mathewson
322abc030e On exit, free the event_base and set its pointer to NULL.
When we didn't do this before, we'd have some still-reachable memory
warnings, and we'd find ourselves crashing when we tried to
reinitialize libevent.

Part of 24581 (don't crash when restarting Tor in-process)
2017-12-11 11:52:19 -05:00
Nick Mathewson
e18840f619 Fix the log-severities memory-leak in tor-resolve.c
Also, rename the variable to have a more manageable name, and make
its scope more clear.

Fixes bug 24582; bugfix on 0.2.1.1-alpha.
2017-12-11 11:49:57 -05:00
Nick Mathewson
ea929e8456 Merge remote-tracking branch 'public/feature24427' 2017-12-11 09:59:46 -05:00
Nick Mathewson
c2822bbc63 Fix compilation of 23459 patch.
The free() changes of 23447 had broken the pending 23459 patch.
2017-12-11 09:55:38 -05:00
Nick Mathewson
7803b19c43 Merge remote-tracking branch 'ffmancera/github/bug23459' 2017-12-11 09:53:39 -05:00
Nick Mathewson
030d3d52f5 Merge remote-tracking branch 'teor/comment24575' 2017-12-11 09:46:23 -05:00
Nick Mathewson
98682f689b Merge branch 'maint-0.3.2' 2017-12-11 09:45:17 -05:00
Matt Traudt
265b8e8645 Function declaration whitespace 2017-12-11 09:43:09 -05:00
Matt Traudt
67793b615b One more missed chance to use get_scheduler_state_string 2017-12-11 09:43:09 -05:00
Matt Traudt
667f931177 Make get_scheduler_state_string available to scheduler*.c 2017-12-11 09:43:09 -05:00
Matt Traudt
8797c8fbd3 Remove now-duplicate log_debug lines 2017-12-11 09:43:09 -05:00
Matt Traudt
07898fb2a6 Helper to log chan scheduler_states as strings not ints 2017-12-11 09:43:09 -05:00
Matt Traudt
273325e216 Add all the missed scheduler_state assignments 2017-12-11 09:43:08 -05:00
Matt Traudt
5e7fdb8b3f Fix cosmetic issues around scheduler_set_channel_state
Whitespace issues

Line length

Unused variable
2017-12-11 09:43:04 -05:00
Nick Mathewson
d68abbe358 Merge remote-tracking branch 'dgoulet/bug23603_032_02' into maint-0.3.2 2017-12-11 09:42:12 -05:00
ArunaMaurya221B
ad5cfa3039 Bug:24531 Function to change channel scheduler state for easy debugging added. 2017-12-11 08:46:43 -05:00
ArunaMaurya221B
d77cacb7ab Bug:24531 Add function to change scheduler state and always use it 2017-12-11 08:46:39 -05:00
Alexander Færøy
b0b8f7c30c Add support for Android's logging subsystem.
This patch adds support for Android's logging subsystem in Tor. When
debugging Android applications it is useful to be able to collect
information about the application running on the platform via the
various system services that is available on the platform.

This patch allows you to add "Log notice android" to your torrc and have
Tor send everything above and including the notice severity to Android's
ring buffer which can be inspected using the 'adb logcat' program.

See: https://bugs.torproject.org/24362
2017-12-11 13:22:39 +00:00
Nick Mathewson
58e8094816 Fix compilation with --disable-memory-sentinels
We'd broken this with the recent _free() rewrite.
2017-12-11 08:01:54 -05:00
Alexander Færøy
78a582ed88 Restructure log initilization function to allow multiple backends without arguments.
This patch ensures that we more easily can extend our log backends that
does not take any additional argument other than a single keyword. This
patch is mostly reindentation of some code which is why it is split out
into its own patch.

See: https://bugs.torproject.org/24362
2017-12-11 13:00:48 +00:00
teor
35055cfa7f
Update the comment in options_transition_affects_guards()
It referred to the an old function name.

Fixes #24575, bugfix on 0.3.0.
2017-12-11 03:18:48 +11:00
Nick Mathewson
6f3a862966
Run the download_status_increment test in a forked process.
It messes with global state somehow in a way that makes several of
the entryconn tests fail now.
2017-12-11 00:57:04 +11:00
teor
bbc781885d
fixup! Add networkstatus_consensus_has_ipv6() and unit tests
This is what happens when you don't run:
make check-spaces
make check-changes
2017-12-11 00:53:03 +11:00
teor
b66b62fb75
Stop waiting for microdescs if the consensus supports IPv6 ORPorts
Also make IPv6-only clients wait for microdescs for relays, even if we were
previously using descriptors (or were using them as a bridge) and have
a cached descriptor for them.

But if node_is_a_configured_bridge(), stop waiting for its IPv6 address in
a microdescriptor, because we'll never use it.

Implements #23827.
2017-12-11 00:34:31 +11:00
teor
28d4355a6e
Add networkstatus_consensus_has_ipv6() and unit tests
networkstatus_consensus_has_ipv6() tells us whether the consensus method of
our current consensus supports IPv6 ORPorts in the consensus.

Part of #23827.
2017-12-11 00:34:19 +11:00
Nick Mathewson
241b676638 Fix up test_circuitstats to use the new circuit_free macro 2017-12-08 17:52:45 -05:00
Nick Mathewson
0340c02975 Merge remote-tracking branch 'mikeperry/bug23114_squashed2' 2017-12-08 17:50:34 -05:00
Nick Mathewson
b189c613bb move a macro; fix a build? 2017-12-08 15:11:18 -05:00
Nick Mathewson
5ee0cccd49 Merge branch 'macro_free_v2_squashed' 2017-12-08 14:58:43 -05:00
Nick Mathewson
fa0d24286b Convert remaining function (mostly static) to new free style 2017-12-08 14:47:19 -05:00
Nick Mathewson
17dcce3fe1 Fix wide lines introduced by previous patch. 2017-12-08 14:47:19 -05:00
Nick Mathewson
285632a61b Replace all FREE_AND_NULL* uses to take a type and a free function.
This commit was made mechanically by this perl script:

\#!/usr/bin/perl -w -i -p

next if /^#define FREE_AND_NULL/;
s/\bFREE_AND_NULL\((\w+),/FREE_AND_NULL\(${1}_t, ${1}_free_,/;
s/\bFREE_AND_NULL_UNMATCHED\(/FREE_AND_NULL\(/;
2017-12-08 14:47:19 -05:00
Nick Mathewson
95531ddfbf Let's have only one FREE_AND_NULL variant.
This commit removes the old FREE_AND_NULL, and renames the old
FREE_AND_NULL_UNMATCHED so that it is now called FREE_AND_NULL.

This will break all the FREE_AND_NULL_* users; the next commit will
fix them.
2017-12-08 14:47:19 -05:00
Nick Mathewson
1d348989b0 Make tor_free only evaluate its input once (at least on gcc and clang) 2017-12-08 14:47:19 -05:00
Nick Mathewson
db024adc90 Switch to a safer FREE_AND_NULL implementation
This one only evaluates the input once, so it cannot mess up even if
there are side effects.
2017-12-08 14:47:19 -05:00
Nick Mathewson
176ad729d9 Change the free macro convention in the rest of src/or/*.h 2017-12-08 14:47:19 -05:00
Nick Mathewson
0792cc107e Convert connection_free to a nulling macro. 2017-12-08 14:47:19 -05:00
Nick Mathewson
a48ba072a9 Rename connection_free_ to connection_free_minimal. 2017-12-08 14:47:19 -05:00
Nick Mathewson
b0cc9856ee Update free functions into macros: src/or/ part 1
This covers addressmap.h (no change needed) through confparse.h
2017-12-08 14:47:19 -05:00
Nick Mathewson
c92ac9f5cb Convert the rest of src/common's headers to use FREE_AND_NULL 2017-12-08 14:47:19 -05:00
Nick Mathewson
44010c6fc1 Merge branch 'dgoulet_ticket23709_033_01_squashed' 2017-12-08 14:44:09 -05:00
David Goulet
e96c577ed2 test: Make older GCC happy and thus our oniongit pipeline
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-08 14:43:27 -05:00
David Goulet
6120efd771 chan: Do not re-queue after a fail cell write
Couple things happen in this commit. First, we do not re-queue a cell back in
the circuit queue if the write packed cell failed. Currently, it is close to
impossible to have it failed but just in case, the channel is mark as closed
and we move on.

The second thing is that the channel_write_packed_cell() always took ownership
of the cell whatever the outcome. This means, on success or failure, it needs
to free it.

It turns out that that we were using the wrong free function in one case and
not freeing it in an other possible code path. So, this commit makes sure we
only free it in one place that is at the very end of
channel_write_packed_cell() which is the top layer of the channel abstraction.
This makes also channel_tls_write_packed_cell_method() return a negative value
on error.

Two unit tests had to be fixed (quite trivial) due to a double free of the
packed cell in the test since now we do free it in all cases correctly.

Part of #23709

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-08 14:43:27 -05:00
Fernando Fernandez Mancera
8559827280 Split client-side get_rend_circ into two functions.
Split hs_circuitmap_get_rend_circ_client_side(). One returns only established
circuits (hs_circuitmap_get_established_rend_circ_client_side()) and the other
returns all kinds of circuits.

Fixes #23459

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2017-12-08 18:14:08 +01:00
Nick Mathewson
021fdd39e4 Use mach_approximate_time() for coarse time where available.
This lets us have a coarse-time implementation with reasonable
performance characteristics on OSX and iOS.

Implements 24427.
2017-12-08 09:24:02 -05:00
teor
bb7c5b431d
Move a comment to relay_send_end_cell_from_edge()
It looks like it was left behind in a refactor.

Fixes 24559.
2017-12-08 12:49:33 +11:00
Nick Mathewson
afceb431ed add a missing windows underscore 2017-12-07 15:14:49 -05:00
Nick Mathewson
45b9b2245f Merge branch 'maint-0.3.2' 2017-12-07 08:42:56 -05:00
Nick Mathewson
4b41ffa64d Merge branch 'arthuredelstein_18859+1_031' into maint-0.3.2 2017-12-07 08:42:49 -05:00
Nick Mathewson
c2c0f83c23 Revert accidentally-committed code from 046acf208b 2017-12-07 08:28:57 -05:00
Mike Perry
050bb67974 Add tests for circuitstats.c
These tests primarily test the relaxed and measured behavior of
circuitstats.c, to make sure we did not break it with #23100 or #23114.
2017-12-07 00:04:39 +00:00
Mike Perry
125df07d60 Report close and timeout rates since uptime, not based on data.
Bug #23114 was harder to see because we were just reporting our math,
rather than reporting behavior.
2017-12-07 00:04:39 +00:00
Mike Perry
ed89588c4f Bug #23114: Time out circuits immediately.
This changes the purpose of circuits that are past the timeout to measurement
*as they are built*, ensuring accurate application of the timeout logic.
2017-12-07 00:04:38 +00:00
Mike Perry
b5d4cd1b41 Bug #23100: Count all 3 hop circuits for CBT.
This change causes us to count anything once it reaches 3 hops (but not
after).
2017-12-07 00:04:33 +00:00
Arthur Edelstein
2bd91dbd34 Don't consider a port "handled" by an isolated circuit.
Previously, circuit_stream_is_being_handled incorrectly reported
that (1) an exit port was "handled" by a circuit regardless of
whether the circuit was already isolated in some way, and
(2) that a stream could be "handled" by a circuit even if their
isolation settings were incompatible.

As a result of (1), in Tor Browser, circuit_get_unhandled_ports was
reporting that all ports were handled even though all non-internal
circuits had already been isolated by a SOCKS username+password.

Therefore, circuit_predict_and_launch_new was declining to launch
new exit circuits. Then, when the user visited a new site in Tor
Browser, a stream with new SOCKS credentials would be initiated,
and the stream would have to wait while a new circuit with those
credentials could be built. That wait was making the
time-to-first-byte longer than it needed to be.

Now, clean, not-yet-isolated circuit(s) will be automatically
launched ahead of time and be ready for use whenever a new stream
with new SOCKS credentials (or other isolation criteria) is
initiated.

Fixes bug 18859. Thanks to Nick Mathewson for improvements.
2017-12-06 14:18:41 -08:00
Nick Mathewson
046acf208b Fix a compiler warning 2017-12-06 15:46:54 -05:00
Nick Mathewson
5f518c69aa Merge remote-tracking branch 'public/monotime_coarse_stamps' 2017-12-06 15:43:50 -05:00
Nick Mathewson
c470a6d278 Merge remote-tracking branch 'teor/bug24488' 2017-12-06 14:44:03 -05:00
Nick Mathewson
d4ca18573c Merge remote-tracking branch 'dgoulet/bug24502_032_01' into maint-0.3.2 2017-12-06 14:37:53 -05:00
Nick Mathewson
91f72bbb6c Merge remote-tracking branch 'teor/bug24489' 2017-12-06 14:37:15 -05:00
Nick Mathewson
aa6212a858 Merge remote-tracking branch 'dgoulet/bug24502_032_01' 2017-12-06 14:31:33 -05:00
David Goulet
1a55a5ff06 test: Add a KIST test for a non opened channel
This makes sure that a non opened channel is never put back in the channel
pending list and that its state is consistent with what we expect that is
IDLE.

Test the fixes in #24502.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-06 11:33:01 -05:00
Alexander Færøy
9fa38bd996
Check the return value of hs_parse_address().
This patch adds a check for the return value of `hs_parse_address()` in
`hs_control_hspost_command()`. Since it should not be possible for
`hs_parse_address()` to fail in this context we wrap the error check
with the `BUG()` macro.

See: https://bugs.torproject.org/24543
2017-12-06 14:56:52 +01:00
Nick Mathewson
01700d779c Initialize pk so that older gcc versions don't freak out. 2017-12-05 20:00:49 -05:00
Nick Mathewson
a7a0cebb59 Merge branch 'more_directories_squashed' 2017-12-05 19:49:45 -05:00
Nick Mathewson
a57bcffcc7 Implement the various get_foodir_*() functions. 2017-12-05 19:49:29 -05:00
Nick Mathewson
a9806af261 Create a CacheDirectory and KeyDirectory options.
They work the same as DataDirectory, but default slightly different.

Tor is not actually updated to use them yet.
2017-12-05 19:49:28 -05:00
Nick Mathewson
39a780e85a Clean up a needlessly complex get_datadir_fname use 2017-12-05 19:49:28 -05:00
Nick Mathewson
3907faf2fd New accessors for keydir/cachedir access
This patch is a result of auditing all of our uses of
get_datadir_fname() and its kin, and dividing them into cache vs
keys vs other data.

The new get_keydir_fname() and get_cachedir_fname() functions don't
actually do anything new yet.
2017-12-05 19:49:28 -05:00
Nick Mathewson
7b34ab3e38 Extract common code for creating the keys directory.
This had somehow gotten duplicated between router.c and routerkeys.c
2017-12-05 19:49:28 -05:00
Nick Mathewson
2e872f6b32 Use get_datadir_fname() accessor in networkstatus.c 2017-12-05 19:49:28 -05:00
Nick Mathewson
36779df4c4 Extract the code that creates the datadir into a separate function. 2017-12-05 19:49:28 -05:00
Nick Mathewson
e8a6a6635b Merge branch 'dgoulet_ticket20699_033_01' 2017-12-05 19:43:23 -05:00
David Goulet
c094802697 control: Improve ADD_ONION helper function comments
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
8c02fc15ae control: Don't use void pointer for ADD_ONION secret key
Make this a bit more safe with at least type checking of the pointers
depending on the version.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
9c6560fe29 test: Add HS_DESC v3 unit tests
This introduces the test_hs_control.c file which at this commit contains basic
unit test for the HS_DESC event.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
ace42acff0 control: HSPOST command support for v3
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
475d8d1a3d control: Don't check if Server is an HSDir for HSPOST
This is removed for two reasons. First, HSDir accepts descriptor even though
they don't think they are in fact an HSDir. This is to avoid consensus desync
between client/service and directories.

Second, our malicious HSDir scanner uses the HSPOST command to post on all
relays in order to test them before they could become HSDir. We had to remove
that check from the tor code that the scanner uses.

Thus, this check should not be enforced by the control port for the above use
cases. It is also a bit more complex with v3 support for which not all HSDir
support it so basically irrelevant check.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
683fccba8f hs-v3: Add an handler for the HSPOST command
It is not used yet at this commit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
e71c6199dd hs-v3: Add a public function to upload a descriptor to an HSDir
This is groundwork for the HSPOST control port command that needs a way in the
HS subsystem to upload a service descriptor to a specific HSDir.

To do so, we add a public function that takes a series of parameters including
a fully encoded descriptor and initiate a directory request to a specific
routerstatut_t object.

It is for now not used but should be, in future commit, by the HSPOST command.
This commit has no behavior change, only refactoring.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
2c8e97db58 hs-v3: Implement HS_DESC_CONTENT event
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
cc26d4fa21 control: Support HS v3 for CIRC and CIRC_MINOR event
"REND_QUERY=" can now output a v3 address.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
13bb4f60f0 hs-v3: Support HS_DESC UPLOAD failed
When failing to upload a descriptor, signal the control port with a FAILED
event.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
427b247c8d hs-v3: Implement HS_DESC UPLOADED event
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
c7050eaa16 hs-v3: Implement HS_DESC UPLOAD event
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
b71a9b60cc hs-v3: Implement HS_DESC CREATED event
This makes the REPLICA= field optional for the control port event. A v2
service will always pass it and v3 is ignored.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
3b436d495f hs-v3: Implement HS_DESC RECEIVED event
Adds a v3 specific function to handle a received event.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
8365de1da3 hs-v3: Implement HS_DESC FAILED event
A new v3 specific function has been added named
control_event_hsv3_descriptor_failed().

The HS v3 subsystem now uses it.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
743d0b9d91 hs-v3: Implement HS_DESC REQUESTED event
This changes the control_event_hs_descriptor_requested() call to add the hsdir
index optional value. v2 passes NULL all the time.

This commit creates hs_control.{c|h} that contains wrappers for the HS
subsystem to interact with the control port subsystem.

The descriptor REQUESTED event is implemented following proposal 284 extension
for v3.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
e7d606900e control: Rename two HS v2 specific functions
Make control_event_hs_descriptor_received() and
control_event_hs_descriptor_failed() v2 specific because they take a
rend_data_t object and v3 will need to pass a different object.

No behavior change.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
beacbbe210 control: Refactor control_event_hs_descriptor_receive_end
First, rename and make that function static because it is internal to
control.c and called by two HS_DESC events.

Second, make it take more basic parameters and thus not a rend_data_t object
so we can still use the function for v3 HS that doesn't use that object.

Third, move the descriptor ID lookup to the two specific events (yes little
code duplication there) because they get a rend_data_t object which won't be
the case for v3.

Finally, through this refactoring, change the pointer check to BUG() and
change some parameter names to reflect what they really are.

No behavior change at this commit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
242ddc85c8 control: Refactor HS_DESC events functions to not be v2 specific
This is a naming refactor mostly _except_ for a the events' function that take
a rend_data_t which will require much more refactoring.

No behavior change at this commit, cleanup and renaming stuff to not be only
v2 specific.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
4633a93ca8 hs-v3: Downgrade warning log when an intro circuit has closed
When an intro circuit has closed, do not warn anymore when we can't find the
service. It is possible to hit that condition if the service is removed before
the circuits were fully closed. This happens in the case of deleting an
ephemeral service.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
David Goulet
f0e3331f3c hs-v3: Add ephemeral service support
The functions are now used by the ADD_ONION/DEL_ONION control port command as
well. This commits makes them fully functionnal with hidden service v3.

Part of #20699

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 19:39:46 -05:00
Nick Mathewson
1969d57363 Change our build process to run Cargo from inside the build tree
Instead of using the cwd to specify the location of Cargo.toml, we
use the --manifest-path option to specify its location explicitly.

This works around the bug that isis diagnosed on our jenkins builds.
2017-12-05 14:23:55 -05:00
Nick Mathewson
a798ba6e9b Merge branch 'maint-0.3.2' 2017-12-05 12:10:06 -05:00
Nick Mathewson
779e4b9dcf Tweaks to strings in 24500 2017-12-05 12:09:57 -05:00
Fernando Fernandez Mancera
313360e6e6 Make errno error log more useful for getrandom()
Making errno error log more useful for getrandom() call. Adding if statement to
make difference between ENOSYS and other errors.

Fixes #24500

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2017-12-05 12:05:09 -05:00
David Goulet
68601a85ca test: Add HSv3 unit test for expiring intro point
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 10:55:41 -05:00
David Goulet
e80893e51b hs-v3: Cleanup HS circuits when marking as closed
First, hs_service_intro_circ_has_closed() is now called in circuit_mark_for
close() because the HS subsystem needs to learn when an intro point is
actually not established anymore as soon as possible. There is a time window
between a close and a free.

Second, when we mark for close, we also remove it from the circuitmap because
between the close and the free, a service can launch an new circuit to that
same intro point and thus register it which only succeeds if the intro point
authentication key is not already in the map.

However, we still do a remove from the circuitmap in circuit_free() in order
to also cleanup the circuit if it wasn't marked for close prior to the free.

Fixes #23603

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 10:55:41 -05:00
David Goulet
ba63c4099a hs-v3: Don't cleanup intro point in has_closed()
The hs_service_intro_circ_has_closed() was removing intro point objects if too
many retries.

We shouldn't cleanup those objects in that function at all but rather let
cleanup_intro_points() do its job and clean it properly.

This was causing an issue in #23603.

Furthermore, this moves the logic of remembering failing intro points in the
cleanup_intro_points() function which should really be the only function to
know when to cleanup and thus when an introduction point should be remembered
as a failed one.

Fixes #23603

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-05 10:55:41 -05:00
David Goulet
97702c69b0 sched: Set channel scheduler state to IDLE when not opened
In the KIST main loop, if the channel happens to be not opened, set its state
to IDLE so we can release it properly later on. Prior to this fix, the channel
was in PENDING state, removed from the channel pending list and then kept in
that state because it is not opened.

This bug was introduced in commit dcabf801e5 for
which we made the scheduler loop not consider unopened channel.

This has no consequences on tor except for an annoying but harmless BUG()
warning.

Fixes #24502

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-04 14:48:15 -05:00
Nick Mathewson
0694a6dc01 Don't pass --quiet to cargo for now
Fixes bug 24518.
2017-12-04 14:19:22 -05:00
Nick Mathewson
70b19894ae Merge branch 'maint-0.3.2' 2017-12-04 13:23:52 -05:00
David Goulet
ff6c8cf861 sched: Downgrade warning log to info in KIST
Some platforms don't have good monotonic time support so don't warn when the
diff between the last run of the scheduler time and now is negative. The
scheduler recovers properly from this so no need to be noisy.

Fixes #23696

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-12-04 12:22:02 -05:00
Nick Mathewson
f50d64b62e Merge branch 'bug23826-23828_squashed' 2017-12-04 11:43:11 -05:00
teor
9acfd70f26
Sprinkle some consts in networkstatus_getinfo_by_purpose()
And note where we change the running flag, but probably shouldn't.

Implements ticket 24489.
2017-12-02 21:21:41 +11:00
teor
f1a5000b98
Make set_routerstatus_from_routerinfo() set IPv6 unspecified addresses
When creating a routerstatus (vote) from a routerinfo (descriptor),
set the IPv6 address to the unspecified IPv6 address, and explicitly
initialise the port to zero.

Also clarify the documentation for the function.

Fixes bug 24488; bugfix on 0.2.4.1-alpha.
2017-12-02 21:00:22 +11:00
Nick Mathewson
953a8f8510 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-12-01 12:13:40 -05:00
Nick Mathewson
5c03bb7c0c Merge branch 'maint-0.3.0' into maint-0.3.1 2017-12-01 12:13:40 -05:00
Nick Mathewson
3bca705c54 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-12-01 12:13:40 -05:00
Nick Mathewson
b86c9acac3 Merge branch 'maint-0.3.1' into maint-0.3.2 2017-12-01 12:13:40 -05:00
Nick Mathewson
cf3da63b90 Merge branch 'maint-0.3.2' 2017-12-01 12:13:40 -05:00
Nick Mathewson
f97f301b5b Merge branch 'maint-0.2.5' into maint-0.2.8 2017-12-01 12:13:39 -05:00
Nick Mathewson
461e34bb3d Fix a clang compilation warning in rendservice.c
Fixes bug 24480; bugfix on 0.2.5.16.
2017-12-01 12:13:15 -05:00
Nick Mathewson
998a247123 bump to 0.3.2.6-alpha-dev 2017-12-01 09:34:31 -05:00
Nick Mathewson
a12dbbd882 bump to 0.3.1.9-dev 2017-12-01 09:34:20 -05:00
Nick Mathewson
1983068ba9 bump to 0.3.0.13-dev 2017-12-01 09:34:09 -05:00
Nick Mathewson
73869c99a0 bump to 0.2.9.14-dev 2017-12-01 09:34:00 -05:00
Nick Mathewson
8f858de819 bump to 0.2.8.17-dev 2017-12-01 09:33:51 -05:00
Nick Mathewson
162a087e5f bump to 0.2.5.16-dev 2017-12-01 09:33:41 -05:00
George Kadianakis
1c9f063486 Remove a duplicate call to update_microdesc_downloads()
This call happens before we update our entry guards, so it needs to be
removed for the fix to #23862 to work.
2017-12-01 14:13:22 +02:00
George Kadianakis
210f0c24f0 Update entry guard state whenever we download a consensus.
Update guard state even if we don't have enough dirinfo since that
actually affects the future download of dirinfos.

Fixes #23862 on 0.3.0.1-alpha
2017-12-01 14:09:29 +02:00
George Kadianakis
6bd64e8212 Remove a duplicate call to update_microdesc_downloads()
This call happens before we update our entry guards, so it needs to be
removed for the fix to #23862 to work.
2017-12-01 14:06:32 +02:00
George Kadianakis
8276a0ab85 Update entry guard state whenever we download a consensus.
Update guard state even if we don't have enough dirinfo since that
actually affects the future download of dirinfos.

Fixes #23862 on 0.3.0.1-alpha
2017-12-01 14:06:28 +02:00
Nick Mathewson
424ab08b5a bump to 0.3.2.6-alpha 2017-11-30 12:26:30 -05:00
Nick Mathewson
4ebd436541 version bump to 0.3.1.9 2017-11-30 12:25:48 -05:00
Nick Mathewson
f2ecdeb724 version bump to 0.3.0.13 2017-11-30 12:25:01 -05:00
Nick Mathewson
16c9cfd658 version bump to 0.2.9.14 2017-11-30 12:24:07 -05:00
Nick Mathewson
6ee4472544 version bump to 0.2.8.17 2017-11-30 12:22:32 -05:00
Nick Mathewson
6bda6777c1 bump to 0.2.5.16 2017-11-30 12:19:48 -05:00
Nick Mathewson
cef844d017 Merge branch 'maint-0.3.2' 2017-11-30 12:07:59 -05:00
Nick Mathewson
fd73a168ca Merge branch 'maint-0.3.1' into maint-0.3.2 2017-11-30 12:07:59 -05:00
Nick Mathewson
ee48eb1eb5 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-11-30 12:07:59 -05:00
Nick Mathewson
5fc0587c04 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-11-30 12:07:59 -05:00
Nick Mathewson
7e2b012b46 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-11-30 12:07:59 -05:00
Nick Mathewson
ba4a9cf0c0 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-11-30 12:07:59 -05:00
Nick Mathewson
d459c08b7d Merge branch 'trove-2017-012_030' into maint-0.3.0 2017-11-30 12:07:43 -05:00
Nick Mathewson
52d7af631c Merge branch 'trove-2017-010_029' into maint-0.2.9 2017-11-30 12:07:26 -05:00
Nick Mathewson
f49876d66e Merge branch 'trove-2017-012_025' into maint-0.2.5 2017-11-30 12:06:21 -05:00
Nick Mathewson
08ce39fb0f Merge branch 'trove-2017-011_025' into maint-0.2.5 2017-11-30 12:06:17 -05:00
Nick Mathewson
a6a0c7a4ec Merge branch 'trove-2017-009_025' into maint-0.2.5 2017-11-30 12:05:59 -05:00
Nick Mathewson
766d0a2d98 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-11-30 11:48:12 -05:00
Nick Mathewson
500f04a74e Merge branch 'maint-0.3.0' into maint-0.3.1 2017-11-30 11:48:12 -05:00
Nick Mathewson
072e194a15 Merge branch 'bug21394_029' into maint-0.2.9 2017-11-30 11:48:06 -05:00
Nick Mathewson
a1b0a0b9cd Avoid use-after-free error in 20020 fix
CID 1424328; found by coverity; bugfix on 93dbce4ddd98ca9a4ff2f;
bug not in any released Tor.
2017-11-30 11:44:15 -05:00
Nick Mathewson
1c7121be54 Merge branch 'bug24119_squashed' 2017-11-30 08:00:34 -05:00
Alex Xu (Hello71)
f1e8e54964 Simplify channel_rsa_id_group_set_badness, #24119 2017-11-30 08:00:24 -05:00
Nick Mathewson
27f017639f Merge branch 'ticket20020' 2017-11-29 20:24:34 -05:00
Nick Mathewson
20fa6a3883 Merge branch 'maint-0.3.2' 2017-11-29 12:06:14 -05:00
Nick Mathewson
f0007f2b8d Merge branch 'bug24050_029_squashed' into maint-0.3.2 2017-11-29 12:05:49 -05:00
Nick Mathewson
eb1976202e Fix unit tests for 24050. 2017-11-29 12:05:36 -05:00
Nick Mathewson
6a9c3d6e3a Merge branch 'maint-0.3.2' 2017-11-29 12:02:44 -05:00
Nick Mathewson
9b44bb49b4 Merge branch 'bug24050_029_squashed' into maint-0.3.2 2017-11-29 12:02:07 -05:00
Nick Mathewson
a94c486102 Make the cache_ipv4_answers default become 0 again, for real.
Fortunately, use_cached_ipv4_answers was already 0, so we wouldn't
actually use this info, but it's best not to have it.

Fixes bug 24050; bugfix on 0.2.6.3-alpha
2017-11-29 12:01:45 -05:00
David Goulet
7bb269548d hs-v3: Bump hsdir_spread_store from 3 to 4
Per the analysis in
https://trac.torproject.org/projects/tor/ticket/23170#comment:17, this will
greatly improve service reachability.

Closes #24425

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-29 09:19:02 -05:00
David Goulet
6ab07419c8 Use local descriptor object to exclude self in path selection
TROVE-2017-12. Severity: Medium

When choosing a random node for a circuit, directly use our router
descriptor to exclude ourself instead of the one in the global
descriptor list. That list could be empty because tor could be
downloading them which could lead to not excluding ourself.

Closes #21534
2017-11-28 19:14:10 -05:00
David Goulet
91cee3c9e7 Guard: Don't pick ourselves as a possible Guard
TROVE-2017-12. Severity: Medium

Thankfully, tor will close any circuits that we try to extend to
ourselves so this is not problematic but annoying.

Part of #21534.
2017-11-28 19:12:56 -05:00
David Goulet
3030741b5d hs-v2: Remove any expiring intro from the retry list
TROVE-2017-13. Severity: High.

In the unlikely case that a hidden service could be missing intro circuit(s),
that it didn't have enough directory information to open new circuits and that
an intro point was about to expire, a use-after-free is possible because of
the intro point object being both in the retry list and expiring list at the
same time.

The intro object would get freed after the circuit failed to open and then
access a second time when cleaned up from the expiring list.

Fixes #24313
2017-11-28 18:41:29 -05:00
Nick Mathewson
1880a6a88e Avoid asking for passphrase on junky PEM input
Fixes bug 24246 and TROVE-2017-011.

This bug is so old, it's in Matej's code.  Seems to have been
introduced with e01522bbed.
2017-11-27 15:25:03 -05:00
Nick Mathewson
2c0487ecfb Handle NULL input to protover_compute_for_old_tor()
Fixes bug 24245; bugfix on 0.2.9.4-alpha. TROVE-2017-010.
2017-11-27 15:16:30 -05:00
Nick Mathewson
2834cc9c18 Fix length of replaycache-checked data.
This is a regression; we should have been checking only the
public-key encrypted portion.  Fixes bug 24244, TROVE-2017-009, and
CVE-2017-8819.
2017-11-27 15:12:19 -05:00
Nick Mathewson
b230860608 Merge branch 'maint-0.3.2' 2017-11-27 10:04:16 -05:00
Nick Mathewson
ef54610442 Merge branch 'ticket23856_025_01' into maint-0.3.2 2017-11-27 10:02:03 -05:00
David Goulet
8be50ca3ea relay: Change bandwidth stats interval to 24 hours
Going from 4 hours to 24 hours in order to try reduce the efficiency of guard
discovery attacks.

Closes #23856

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-27 10:00:40 -05:00
Nick Mathewson
9c37e8c8d1 Fix unit tests that depended on monotonic msec. 2017-11-27 09:43:15 -05:00
Nick Mathewson
c3c0a05f51 Add a new notion of "stamps" to be a fast 32-bit monotonic timestamp
The goal here is to replace our use of msec-based timestamps with
something less precise, but easier to calculate.  We're doing this
because calculating lots of msec-based timestamps requires lots of
64/32 division operations, which can be inefficient on 32-bit
platforms.

We make sure that these stamps can be calculated using only the
coarse monotonic timer and 32-bit bitwise operations.
2017-11-27 09:43:15 -05:00
Nick Mathewson
b1c4ab0bec Merge branch 'maint-0.2.9' into maint-0.3.0 2017-11-27 09:09:34 -05:00
Nick Mathewson
703ab95e9f Merge branch 'maint-0.3.0' into maint-0.3.1 2017-11-27 09:09:34 -05:00
Nick Mathewson
30b3229252 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-11-27 09:09:34 -05:00
Nick Mathewson
722c64fc23 Merge branch 'maint-0.3.2' 2017-11-27 09:09:34 -05:00
Nick Mathewson
4bb287aa39 Merge branch 'maint-0.3.1' into maint-0.3.2 2017-11-27 09:09:34 -05:00
Sebastian Hahn
25c90230be Add bastet's ipv6 address
Implements ticket 24394
2017-11-27 09:09:16 -05:00
Alex Xu (Hello71)
2cda005ac4 Add fast paths to channel_rsa_id_group_set_badness, #24119 2017-11-24 12:42:51 -05:00
David Goulet
428ee55e51 doc: Update channel.c top comments from latest
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
04762be612 test: Cleanup unused code in test_channel.c
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
d443a5258f test: Add unit test for channel_listener_t
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
8c5ed4f150 test: Add unit test for channel_get_for_extend()
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
36f1fb3be3 test: Add unit test for channel_check_for_duplicates()
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
47aaaf4403 test: Add channel state unit test
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
3ed0b28a01 test: Fix memleak of channel cmux
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
08d0c39b91 test: Fix channel dumpstats test
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
bd7823b29b test: Fix channel lifecycle and lifecycle_2
They were broken due to previous commit. Fixes are trivial.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
fa8c98985b test: Add outbound channel cell test
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
636eec32bf test: Improve the inbound channel cell test
First, that test was broken from the previous commit because the
channel_queue_cell() has been removed. This now tests the
channel_process_cell() directly.

Second, it wasn't testing much except if the channel subsystem actually went
through the cell handler. This commit adds more checks on the state of a
channel going from open, receiving a cell and closing.

Third, this and the id_map unit test are working, not the others so they've
been marked as not working and future commit will improve and fix those.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
1dc4f96d9c channel: Remove nickname attribute from channel_t
This was never set thus never could have been used. Get rid of it to simplify
the code.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
163477b11e channel: Remove dead code
This removed code that was either never reached or irrelevant after the
incoming/outgoing queue removal such as the "timestamp_drained".

Lots of things are also removed from channel.h that do not exists anymore or
not used.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:50:13 -05:00
David Goulet
0e7b23535c channel: Add and cleanup comments
No code nor behavior change, only documentation.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:47:37 -05:00
David Goulet
56833bf449 channel: Requeue cell to circuit if channnel failed
If the channel layer failed to write a cell from the circuit queue, requeue it
so it can be retried on the same channel later.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:47:21 -05:00
David Goulet
6d1ea7766b channel: Remove unused write cell functions
The channel_write_cell() and channel_write_var_cell() can't be possibly called
nor are used by tor. We only write on the connection outbuf packed cell coming
from the scheduler that takes them from the circuit queue.

This makes channel_write_packed_cell() the only usable function. It is
simplify and now returns a code value. The reason for this is that in the next
commit(s), we'll re-queue the cell onto the circuit queue if the write fails.

Finally, channel unit tests are being removed with this commit because they do
not match the new semantic. They will be re-written in future commits.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:46:15 -05:00
David Goulet
e1c29a769c channel: Remove everything related to queue size
The channel subsystem was doing a whole lot to track and try to predict the
channel queue size but they are gone due to previous commit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:44:46 -05:00
David Goulet
46a0709261 channel: Remove incoming/outgoing queue
For the rationale, see ticket #23709.

This is a pretty massive commit. Those queues were everywhere in channel.c and
it turns out that it was used by lots of dead code.

The channel subsystem *never* handles variable size cell (var_cell_t) or
unpacked cells (cell_t). The variable ones are only handled in channeltls and
outbound cells are always packed from the circuit queue so this commit removes
code related to variable and unpacked cells.

However, inbound cells are unpacked (cell_t), that is untouched and is handled
via channel_process_cell() function.

In order to make the commit compile, test have been modified but not passing
at this commit. Also, many tests have been removed but better improved ones
get added in future commits.

This commit also adds a XXX: which indicates that the handling process of
outbound cells isn't fully working. This as well is fixed in a future commit.

Finally, at this commit, more dead code remains, it will be cleanup in future
commits.

Fixes #23709

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 15:37:59 -05:00
David Goulet
d165f0fd30 relay: Improve comment in append_cell_to_circuit_queue()
This function is part of the tor fast path so this commit adds more
documentation to it as it is critical.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 09:41:10 -05:00
David Goulet
bf242ebe6c relay: Remove dead code
append_cell_to_circuit_queue() had code disabled from commit
2a95f31716

This code is 4+ years old related to bug #9072 so if we ever want to revisit
it, lets inspect/revert this commit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-22 09:41:10 -05:00
Nick Mathewson
a7e777ab8e bump to 0.3.2.5-alpha-dev 2017-11-22 08:34:02 -05:00
Nick Mathewson
bf882b0373 re-run ./scripts/maint/annotate_ifdef_directives 2017-11-21 14:07:43 -05:00
Nick Mathewson
5da0a73838 Merge branch 'ticket23953_033_squashed' 2017-11-21 14:06:57 -05:00
Nick Mathewson
25f882a9cf Use stdatomic.h for atomic_counter_t where available.
Closes ticket 23953.
2017-11-21 14:06:48 -05:00
Nick Mathewson
8b3580255d Merge remote-tracking branch 'teor/bug24372' 2017-11-21 13:57:48 -05:00
Nick Mathewson
1cc344b277 Merge remote-tracking branch 'teor/bug23760_nc' 2017-11-21 13:56:57 -05:00
Nick Mathewson
5da6120e88 bump version to 0.3.2.5-alpha 2017-11-21 12:54:11 -05:00
Nick Mathewson
517032b8ce Merge branch 'maint-0.3.2' 2017-11-21 12:41:39 -05:00
Nick Mathewson
ba94dc28e8 Merge branches 'bug24099_031' and 'bug24086_031' into maint-0.3.2 2017-11-21 12:37:46 -05:00
Nick Mathewson
ea13a47791 add an explanatory comment about the error codes 2017-11-21 12:36:32 -05:00
teor
03b18f6288
Fix a confusing comment about tie-breaking in compute_routerstatus_consensus()
Closes bug 24372.
2017-11-22 02:27:28 +11:00
Neel Chauhan
83b8034a98
Introduce node_get_curve25519_onion_key() in extend_info_from_node() 2017-11-22 02:20:54 +11:00
teor
d7833c9d27
Avoid crashing if we call num_usable_bridges() when bridges are not enabled
This applies the changes in 23524 to num_usable_bridges(), because it has
replaced any_bridge_descriptors_known().

The original changes file still applies.
2017-11-22 02:01:51 +11:00
teor
690f646bf8
Stop checking cached bridge descriptors for usable bridges
Stop checking for bridge descriptors when we actually want to know if
any bridges are usable. This avoids potential bootstrapping issues.
Fixes bug 24367; bugfix on 0.2.0.3-alpha.

Stop stalling when bridges are changed at runtime. Stop stalling when
old bridge descriptors are cached, but they are not in use.
Fixes bug 24367; bugfix on 23347 in 0.3.2.1-alpha.
2017-11-22 02:00:34 +11:00
Nick Mathewson
b1ab360eca Merge branch 'maint-0.3.2' 2017-11-20 14:35:26 -05:00
Nick Mathewson
da82e0b579 Merge branch 'bug23817_031' into maint-0.3.2 2017-11-20 14:29:50 -05:00
George Kadianakis
69f93f806c Check number of usable guards when applying md restrictions.
We used to check whether we have enough filtered guards (guard set when
torrc is applied) but that's not good enough, since that might be bad in
some cases where many guards are not reachable (might cause overblocking
and hence reacahbility issues).

We now check if we have enough reachable filtered guards before applying
md restrictions which should prevent overblocking.
2017-11-20 14:28:56 -05:00
Nick Mathewson
729f9a286c Merge branch 'maint-0.3.2' 2017-11-20 13:22:10 -05:00
Nick Mathewson
846df5b3cd Merge remote-tracking branches 'public/ticket24315_029' and 'public/bug24198_029' into maint-0.3.2 2017-11-20 13:20:25 -05:00
Nick Mathewson
68c21860e3 Add another assertion to check for 24086 root causes
In cdm_diff_ht_set_status(), we shouldn't have been allowing the
status CDM_DIFF_PRESENT to be set if there wasn't actually a handle.
2017-11-20 11:06:31 -05:00
Nick Mathewson
3bb29dd707 Correctly handle partial success in consensus diff calculation.
Previously, if store_multiple() reported a partial success, we would
store all the handles it gave us as if they had succeeded.  But it's
possible for the diff to be only partially successful -- for
example, if LZMA failed but the other compressors succeeded.

Fixes bug 24086; bugfix on 0.3.1.1-alpha.
2017-11-20 11:04:37 -05:00
David Goulet
5d180309ea hs: Rename rend_service_add_ephemeral_status_t
Move it to hs_common.h and rename it "hs_service_add_ephemeral_status_t". It
will be shared between v2 and v3 services.

Part of #20699

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-20 11:02:30 -05:00
David Goulet
49f21b6ba3 control: Support HSv3 interface for ADD_ONION
At this commit, the key handling and generation is supported for a v3 service
(ED25519-V3). However, the service creation is not yet implemented. This only
adds the interface and code to deal with the new ED25519-V3 key type.

Tests have been updated for RSA key type but nothing yet for ED25519-v3.

Part of #20699

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-20 11:02:30 -05:00
David Goulet
660de600a0 control: Implement GETINFO hs/service/desc/id/<ADDR> for HSv3
Part of #20699

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-20 11:02:30 -05:00
David Goulet
0a3b295448 hs-v3: Add a lookup service current descriptor function
This will be used by the control port command "GETINFO
hs/service/desc/id/<ADDR>" which returns the encoded current descriptor for
the given onion address.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-20 11:02:30 -05:00
David Goulet
e1d8e611c8 control: Implement GETINFO hs/client/desc/id/<ADDR> for HSv3
Part of #20699

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-20 11:02:30 -05:00
David Goulet
05766eae30 hs-v3: Add an encoded descriptor client cache lookup function
This commit adds hs_cache_lookup_encoded_as_client() function that returns the
encoded descriptor for a given service public key. This will be needed by the
"GETINFO hs/client/desc/id/<ADDR>" control port command.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-20 11:02:30 -05:00
Nick Mathewson
c8ee12b2e8 Recover better from empty/invalid storagedir files
If we can't read a file because of an FS issue, we say "we can't
read that" and move on.  But if we can't read it because it's empty,
because it has no labels, or because its labels are misformatted, we
should remove it.

Fixes bug 24099; bugfix on 0.3.1.1-alpha.
2017-11-20 10:14:41 -05:00
Nick Mathewson
cabcb752d7 In storagedir, take more care with errno on empty or mislabeled file
Required for 24099 fix -- we won't be able to act based on errno
unless we can trust it.
2017-11-20 10:10:13 -05:00
Nick Mathewson
04812e59df Merge branch 'maint-0.3.2' 2017-11-20 08:39:39 -05:00
Nick Mathewson
e0f7a2dbd4 Merge branch 'bug23681_029_01_squashed' into maint-0.3.2 2017-11-20 08:39:34 -05:00
David Goulet
981bb60575 circuit: Don't timeout opened C_INTRODUCING circuit
A circuit with purpose C_INTRODUCING means that its state is opened but the
INTRODUCE1 cell hasn't been sent yet. We shouldn't consider that circuit when
looking for timing out "building circuit". We have to wait on the rendezvous
circuit to be opened before sending that cell so the intro circuit needs to be
kept alive for at least that period of time.

This patch makes that the purpose C_INTRODUCING is ignored in the
circuit_expire_building() which means that we let the circuit idle timeout
take care of it if we end up never using it.

Fixes #23681

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-20 08:33:44 -05:00
Nick Mathewson
7358559524 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-11-18 11:02:42 -05:00
Nick Mathewson
2d849716df Merge branch 'maint-0.2.9' into maint-0.3.0 2017-11-18 11:02:08 -05:00
Nick Mathewson
53c3174ee4 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-11-18 11:01:43 -05:00
Nick Mathewson
d388f9d879 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-11-18 11:01:33 -05:00
Nick Mathewson
43e0472fcf Move an assertion to make scan-build happy again. 2017-11-18 10:51:23 -05:00
Nick Mathewson
7813b0e0ed Merge branch 'maint-0.3.2' 2017-11-18 10:27:29 -05:00
Nick Mathewson
d45bf0c65c Add an extra check in test_entrynodes
This check makes it so we can reach "done" without setting "conn",
and so the "if (conn)" check will not be redundant, and so coverity
won't complain.  Fixes CID 1422205.  Not actually a bug.
2017-11-18 10:26:45 -05:00
Nick Mathewson
b9bce4288e Merge branch 'maint-0.3.2' 2017-11-18 10:23:52 -05:00
Nick Mathewson
a5b8b55c1c Fix memory leak in unit test for bridge distribution config.
Also, check for the actual message, and fix some string confusion,
while we're at it.

Fixes bug 24345; bugfix on 0.3.2.3-alpha.
2017-11-18 10:22:14 -05:00
Nick Mathewson
2f086888b1 Make all the crypto free() functions macros that clear their targets 2017-11-17 12:01:30 -05:00
Nick Mathewson
94db8f32e4 Make all the free() functions from container.h clear their targets 2017-11-17 12:01:19 -05:00
Nick Mathewson
c1bdb80aba Add a macro to call a free_ function and clear a variable 2017-11-17 11:45:47 -05:00
Nick Mathewson
fcdec00685 Merge branch 'maint-0.3.2' 2017-11-17 09:59:26 -05:00
Nick Mathewson
3a5ca47d8f Fix a clang unitialized-var warning 2017-11-17 09:57:52 -05:00
George Kadianakis
7e52947d57 Intoduce unittest for skipping outdated dirservers. 2017-11-17 09:57:46 -05:00
Nick Mathewson
9fbc835f10 Fix a wide comment 2017-11-17 09:57:15 -05:00
Nick Mathewson
2cee26b164 Merge branch 'bug23817_031' into maint-0.3.2 2017-11-17 09:56:53 -05:00
Nick Mathewson
96b69942a5 Make should_set_md_dirserver_restriction() look at num filtered guards
This seems closer to what the code intended.
2017-11-17 09:52:41 -05:00
George Kadianakis
c400ffc2e8 Skip dirserver restrictions in small networks. 2017-11-17 09:52:41 -05:00
George Kadianakis
f61e3090fb Introduce new guard restriction and use it to skip outdated dirs. 2017-11-17 09:52:40 -05:00
George Kadianakis
7fc64f02a3 Introduce cache for outdated microdesc dirservers.
We gonna use this cache to avoid dirservers without outdated md info.
2017-11-17 09:52:40 -05:00
Nick Mathewson
94dce246ee Merge branch 'maint-0.3.2' 2017-11-17 09:26:11 -05:00
Matt Traudt
b98614f1af Only log about lost KIST support once 2017-11-17 09:25:47 -05:00
Nick Mathewson
cfacd44240 Merge branch 'maint-0.3.2' 2017-11-17 09:23:07 -05:00
Nick Mathewson
85778dc92d Merge remote-tracking branch 'dgoulet/bug23861_032_01' into maint-0.3.2 2017-11-17 09:23:04 -05:00
Neel Chauhan
eb793c31cf Add error message for exit_node in hs_circ_send_introduce1() 2017-11-17 08:42:07 -05:00
Neel Chauhan
b8addf9746 Use memset() on intro1_data in hs_circ_send_introduce1() 2017-11-17 08:42:07 -05:00
Neel Chauhan
27d34f36e0 Add smartlist_add() to get_lspecs_from_node) 2017-11-17 08:42:07 -05:00
Nick Mathewson
368dc1003e Merge branch 'maint-0.3.2' 2017-11-17 08:35:56 -05:00
Nick Mathewson
3a364309ac Merge branch 'bug24167_025' into maint-0.3.2 2017-11-17 08:35:52 -05:00
Nick Mathewson
4ef70ff389 Merge branch 'maint-0.3.2' 2017-11-17 08:35:04 -05:00
Nick Mathewson
0571015819 Merge branch 'ticket24097_032' into maint-0.3.2 2017-11-17 08:35:01 -05:00
Nick Mathewson
4b56df9874 Merge branch 'maint-0.3.2' 2017-11-17 08:34:23 -05:00
Nick Mathewson
2d3904aba6 Check the libc version to decide whether to allow openat. 2017-11-16 14:06:38 -05:00
Nick Mathewson
d2d6a1b082 Make our seccomp2 sandbox handle Glibc 2.26
There are three changes here:
  * We need to allow epoll_pwait.
  * We need to allow PF_NETLINK sockets to be opened with SOCK_CLOEXEC.
  * We need to use openat() instead of open().

Note that this fix is not complete, since the openat() change is
turned off.  The next commit will make the openat() change happen
when we're running glibc 2.26 or later.

Fix for 24315.
2017-11-16 13:56:22 -05:00
Nick Mathewson
7461cd3067 Permit kill(pid, 0) in the seccomp2 sandbox.
We don't want to allow general signals to be sent, but there's no
problem sending a kill(0) to probe whether a process is there.

Fixes bug 24198; bugfix on 0.2.5.1-alpha when the seccomp2 sandbox
was introduced.
2017-11-16 12:44:47 -05:00
Nick Mathewson
95238eb917 Fix a traceback when closing a blocked connection "immediately".
When we close a connection via connection_close_immediately, we kill
its events immediately. But if it had been blocked on bandwidth
read/write, we could try to re-add its (nonexistent) events later
from connection_bucket_refill -- if we got to that callback before
we swept the marked connections.

Fixes bug 24167.  Fortunately, this hasn't been a crash bug since we
introduced connection_check_event in 0.2.9.10, and backported it.

This is a bugfix on commit 89d422914a, I believe, which
appeared in Tor 0.1.0.1-rc.
2017-11-16 12:05:56 -05:00
David Goulet
380a95116a relay: Avoid extra LOG_NOTICE for every new descriptor batch
Commit 56c5e282a7 suppressed that same log
statement in directory_info_has_arrived() for microdescriptors so do the same
for the descriptors. As the commit says, we already have the bootstrap
progress for this.

Fixes #23861

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-16 10:57:05 -05:00
Nick Mathewson
2a98fcb848 Downgrade evdns warnings about weird replies.
evdns is allowed to give us unrecognized object types; it is allowed
to give us non-IPv4 answer types, and it is (even) allowed to give
us empty answers without an error.

Closes ticket 24097.
2017-11-16 09:30:19 -05:00
Nick Mathewson
93dbce4ddd Log a better message if a router we're re-adding is expired.
Addresses ticket 20020.
2017-11-16 08:35:06 -05:00
Nick Mathewson
ef55a7a69a Tweak the message when we re-enable CBT.
Implements ticket 20963.
2017-11-15 14:42:59 -05:00
Nick Mathewson
ceeacc734d Merge branch 'maint-0.3.2' 2017-11-15 14:25:25 -05:00
Nick Mathewson
ae8683621a Merge remote-tracking branch 'asn/bug23662_032' into maint-0.3.2 2017-11-15 14:25:20 -05:00
Nick Mathewson
6aeabd454e Reindent the body of get_data_directory()
I don't know why it wasn't indented properly, but we may as well fix
it now.
2017-11-14 15:56:25 -05:00
Nick Mathewson
192be00691 Make the DataDirectory option immutable.
By convention, the torrc options that the user sets are
unchangeable.  If we need to change them, we should be using a copy
that's stored in another field

To avoid trouble, I'm keeping DataDirectory as the name for the
field that the rest of Tor uses, and using DataDirectory_option for
the confparse-controlled field.

This commit also modernizes some older string handling code in the
DataDirectory normalization function.
2017-11-14 15:54:36 -05:00
Nick Mathewson
bf8a7201ce Remove remove_file_if_very_old() -- nothing calls it. 2017-11-14 15:33:58 -05:00
Nick Mathewson
702a13c9d3 Merge branch 'maint-0.3.2' 2017-11-14 14:45:11 -05:00
Nick Mathewson
6dc784bdb3 Merge remote-tracking branch 'dgoulet/bug24230_032_01' into maint-0.3.2 2017-11-14 14:45:07 -05:00
George Kadianakis
c4a56ed5c2 Silence a warning about failed descriptor uploads.
Due to #23662 this can happen under natural causes and does not disturb
the functionality of the service. This is a simple 0.3.2 fix for now,
and we plan to fix this properly in 0.3.3.
2017-11-14 17:16:33 +02:00
Nick Mathewson
9f2efd02a1 Minimal implementation of bridge-distribution-request
Just advertise the line when we're a bridge, using "any" if we're
published or "none" if we aren't.

This is done in lieu of a full backport of #18329.
2017-11-13 20:44:51 -05:00
Nick Mathewson
1d5e693b63 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-11-13 20:36:04 -05:00
Nick Mathewson
50fbede459 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-11-13 20:36:04 -05:00
Nick Mathewson
1b9bb2c847 Merge branch 'bug22895_027' into maint-0.2.9 2017-11-13 20:35:59 -05:00
Nick Mathewson
fea5c8a015 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-11-13 12:57:58 -05:00
Nick Mathewson
543fd89fb7 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-11-13 12:57:58 -05:00
Nick Mathewson
800797e7f3 Merge branch 'bug23291_028' into maint-0.2.8 2017-11-13 12:57:55 -05:00
Nick Mathewson
0c6d05cdd4 Merge branch 'maint-0.3.2' 2017-11-13 12:27:44 -05:00
Nick Mathewson
d0b75b5ade Merge branch 'maint-0.3.1' into maint-0.3.2 2017-11-13 12:27:36 -05:00
David Goulet
7df28ce299 hs-v3: Fix consensus param "hsdir-interval" name
The dir-spec.txt specifies it to be "hsdir_interval" (underscore).

Fixes #24262

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-13 11:48:56 -05:00
Nick Mathewson
0b4e59b7c6 Merge remote-tracking branch 'sebastian/bug24137' 2017-11-13 11:32:35 -05:00
Nick Mathewson
3300a6e93a Merge remote-tracking branch 'arma/ticket23637' into maint-0.3.2 2017-11-13 11:20:20 -05:00
Nick Mathewson
16bdb9e365 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-11-13 11:18:02 -05:00
Nick Mathewson
91188540af Merge branch 'maint-0.3.0' into maint-0.3.1 2017-11-13 11:18:02 -05:00
Nick Mathewson
ab415ae950 Merge remote-tracking branch 'teor/bug23470-029' into maint-0.2.9 2017-11-13 11:17:58 -05:00
Nick Mathewson
9092e9019a Merge branch 'maint-0.2.9' into maint-0.3.0 2017-11-13 11:15:50 -05:00
Nick Mathewson
666653758d Merge branch 'bug8185_025' into maint-0.2.9 2017-11-13 11:15:47 -05:00
Nick Mathewson
0fc2b7f82e Merge branch 'bug8185_031' into maint-0.3.1 2017-11-13 11:15:40 -05:00
Nick Mathewson
ece63105d9 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-11-13 11:13:22 -05:00
Nick Mathewson
c928fb988a Merge branch 'ticket21953_029' into maint-0.2.9 2017-11-13 11:13:18 -05:00
Nick Mathewson
fdefda95bc Add corresponding rust-c coupling comments to C 2017-11-13 10:03:46 -05:00
Nick Mathewson
edf3d6b7ee Merge remote-tracking branch 'chelseakomlo/24032-cargo-rust-sync' 2017-11-13 09:59:10 -05:00
Nick Mathewson
a5ef2b619d Make node_get_curve25519_onion_key() return a const ptr 2017-11-12 17:07:16 -05:00
Nick Mathewson
f92736517b Merge branch 'bug23577_squashed' 2017-11-12 17:05:39 -05:00
Neel Chauhan
fb718e9912 Make setup_introduce1_data() take a node_t instead of an extend_info_t
Clients add rendezvous point IPv6 addresses to introduce cell link specifiers,
when the node has a valid IPv6 address.

Also check the node's IPv4 address is valid before adding any link specifiers.

Implements #23577.
2017-11-12 17:05:25 -05:00
Neel Chauhan
0ee50a414c Introduce node_get_curve25519_onion_key() 2017-11-12 17:05:25 -05:00
Chelsea Holland Komlo
1c50331b9a annotate where C and Rust need to stay in sync 2017-11-11 23:19:34 -05:00
Nick Mathewson
11eaf208c0 Merge branch 'bug24247_032' 2017-11-11 14:46:33 -05:00
Nick Mathewson
a7ca71cf6b Fix mock_crypto_pk_public_checksig__nocheck() to handle short RSA keys
This function -- a mock replacement used only for fuzzing -- would
have a buffer overflow if it got an RSA key whose modulus was under
20 bytes long.

Fortunately, Tor itself does not appear to have a bug here.

Fixes bug 24247; bugfix on 0.3.0.3-alpha when fuzzing was
introduced.  Found by OSS-Fuzz; this is OSS-Fuzz issue 4177.
2017-11-11 14:44:45 -05:00
Nick Mathewson
ef92511577 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-11-11 12:23:34 -05:00
Nick Mathewson
512dfa15ed Merge branch 'maint-0.3.1' into maint-0.3.2 2017-11-11 12:23:34 -05:00
Nick Mathewson
f8707e4f6c Merge branch 'maint-0.3.2' 2017-11-11 12:23:34 -05:00
Nick Mathewson
9666c620d5 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-11-11 12:23:33 -05:00
Nick Mathewson
c9b76a12f5 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-11-11 12:23:33 -05:00
Nick Mathewson
5348c8996f Merge branch 'maint-0.2.9' into maint-0.3.0 2017-11-11 12:23:33 -05:00
David Goulet
42ce6f78c8 control: Fix wrong Action on failure to upload an HS descriptor
On failure to upload, the HS_DESC event would report "UPLOAD_FAILED" as the
Action but it should have reported "FAILED" according to the spec.

Fixes #24230

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-10 15:31:31 -05:00
Karsten Loesing
6f8c32b7de Update geoip and geoip6 to the November 6 2017 database. 2017-11-10 10:14:09 +01:00
Nick Mathewson
039a776367 slight improvement to rust idiomicity 2017-11-09 09:48:52 -05:00
Nick Mathewson
c80bb04542 Rust implementation of protocol_list_supports_protocol_or_later() 2017-11-09 09:42:09 -05:00
Nick Mathewson
6ea3db6fa7 Fix unit test behavior: we need to be in STATE_LIVE. 2017-11-09 09:30:43 -05:00
Nick Mathewson
552218437c Merge branch 'ticket12062_squashed' 2017-11-09 09:20:55 -05:00
Nick Mathewson
0c6eabf088 Audit all of the "is the network turned off" checks.
DisableNetwork is a subset of net_is_disabled(), which is (now) a
subset of should_delay_dir_fetches().

Some of these changes are redundant with others higher or lower in
the call stack.  The ones that I think are behavior-relevant are
listed in the changes file.  I've also added comments in a few
places where the behavior is subtle.

Fixes bug 12062; bugfix on various versions.
2017-11-09 09:19:42 -05:00
Nick Mathewson
0626031564 Merge branch 'ticket20895' 2017-11-09 09:17:53 -05:00
Nick Mathewson
59c1016aba Merge branch 'maint-0.3.2' 2017-11-09 08:17:46 -05:00
Nick Mathewson
aa1d90b40c Merge branch 'bug23985_029' into maint-0.3.2 2017-11-09 08:15:46 -05:00
Nick Mathewson
ce3d5da0d2 Merge branch 'maint-0.3.2' 2017-11-09 08:02:36 -05:00
Nick Mathewson
40c64f45f0 Re-remove AllowDotExit deprecation.
This was accidentally reintroduced in 5a46074e55.  It should be
harmless, though: the option is obsolete, so calling it deprecated
is redundant.
2017-11-09 07:58:27 -05:00
Nick Mathewson
c8859582a2 bump to 0.3.2.4-alpha-dev 2017-11-08 16:44:53 -05:00
Nick Mathewson
7556636ac2 Merge branch 'maint-0.3.2' 2017-11-08 14:59:18 -05:00
David Goulet
fa70aabb62 dirauth: Recalculate voting schedule at first vote
Commit e67f4441eb introduced a safeguard against
using an uninitialized voting schedule object. However, the dirvote_act() code
was looking roughly at the same thing to know if it had to compute the timings
before voting with this condition:

  if (!voting_schedule.voting_starts) {
    ...
    dirvote_recalculate_timing(options, now);
  }

The sr_init() function is called very early and goes through the safeguard
thus the voting schedule is always initilized before the first vote.

That first vote is a crucial one because we need to have our voting schedule
aligned to the "now" time we are about to use for voting. Then, the schedule
is updated when we publish our consensus or/and when we set a new consensus.
From that point on, we only want to update the voting schedule through that
code flow.

This "created_on_demand" is indicating that the timings have been recalculated
on demand by another subsystem so if it is flagged, we know that we need to
ignore its values before voting.

Fixes #24186

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-08 14:46:49 -05:00
Nick Mathewson
90fb57ec18 Merge branch 'maint-0.3.2' 2017-11-08 13:26:50 -05:00
Nick Mathewson
0dc55fb247 Don't delay descriptor fetches when missing info needed for circuits
When we have fewer than 15 descriptors to fetch, we will delay the
fetch for a little while.  That's fine, if we can go ahead and build
circuits... but if not, it's a poor choice indeed.

Fixes bug 23985; bugfix on 0.1.1.11-alpha.

In 0.3.0.3-alpha, when we made primary guard descriptors necessary
for circuit building, this situation got worse.
2017-11-08 13:22:16 -05:00
Nick Mathewson
31a907881e downgrade severity for get_voting_schedule() 2017-11-08 11:50:57 -05:00
Nick Mathewson
d1a1d95c41 Merge branch 'maint-0.3.2' 2017-11-08 11:02:51 -05:00
Nick Mathewson
02f05f2de2 Merge remote-tracking branch 'dgoulet/bug23751_032_01' into maint-0.3.2 2017-11-08 10:56:33 -05:00
Nick Mathewson
c74a817e83 Merge branch 'bug23318-redux_029' into maint-0.3.2 2017-11-08 10:47:22 -05:00
teor
6e4ebd41bb Stop calculating total twice in frac_nodes_with_descriptors()
Cleanup after 23318.
2017-11-08 10:45:18 -05:00
teor
4f944cc4cc Check arguments and initialise variables in compute_weighted_bandwidths()
Cleanup after 23318.
2017-11-08 10:45:18 -05:00
teor
fcaa4ab824 Actually log the total bandwidth in compute_weighted_bandwidths()
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
2017-11-08 10:45:18 -05:00
teor
14b0bba06e Use node counts in networks with all zero-bandwidths
When calculating the fraction of nodes that have descriptors, and all
all nodes in the network have zero bandwidths, count the number of nodes
instead.

Fixes bug 23318; bugfix on 0.2.4.10-alpha.
2017-11-08 10:45:18 -05:00
Nick Mathewson
3c03e237ab Remove an erroneous 0.5 in compute_weighted_bandwidths()
Back in 0.2.4.3-alpha (e106812a77), when we switched from using
double to using uint64 for selecting by bandwidth, I got the math
wrong: I should have used llround(x), or (uint64_t)(x+0.5), but
instead I wrote llround(x+0.5).  That means we would always round
up, rather than rounding to the closest integer

Fixes bug 23318; bugfix on 0.2.4.3-alpha.
2017-11-08 10:45:18 -05:00
David Goulet
dcabf801e5 sched: Ignore closed channel after flushing cells
The flush cells process can close a channel if the connection write fails but
still return that it flushed at least one cell. This is due because the error
is not propagated up the call stack so there is no way of knowing if the flush
actually was successful or not.

Because this would require an important refactoring touching multiple
subsystems, this patch is a bandaid to avoid the KIST scheduler to handle
closed channel in its loop.

Bandaid on #23751.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-08 09:44:39 -05:00
Nick Mathewson
c2c1fa6b95 Merge branch 'maint-0.3.2' 2017-11-08 08:13:14 -05:00
Nick Mathewson
e5a83062ed Merge branch 'bug23816_029_squashed' into maint-0.3.2 2017-11-08 08:11:22 -05:00
Nick Mathewson
cb29687e93 Replace our random-exponential-delay algorithm.
This patch has implementations of the "decorrelated" and "full"
algorithms from https://www.awsarchitectureblog.com/2015/03/backoff.html
2017-11-08 07:56:16 -05:00
Nick Mathewson
b780e84f25 Merge branch 'maint-0.3.2' 2017-11-07 20:36:04 -05:00
Nick Mathewson
3dc61a5d71 Revert "Remove an erroneous 0.5 in compute_weighted_bandwidths()"
This reverts commit 01e984870a.
2017-11-07 20:35:19 -05:00
Nick Mathewson
ea5ea5f554 Merge branch 'maint-0.3.2' 2017-11-07 14:01:10 -05:00
Nick Mathewson
c58471325a Merge remote-tracking branch 'dgoulet/bug24161_032_01' into maint-0.3.2 2017-11-07 14:00:18 -05:00
Nick Mathewson
c7d1d1ad2e Bump to 0.3.2.4-alpha 2017-11-07 13:22:27 -05:00
David Goulet
e67f4441eb Add a safe guard to avoid using a zeroed voting schedule
dirvote_get_next_valid_after_time() is the only public function that uses the
voting schedule outside of the dirvote subsystem so if it is zeroed,
recalculate its timing if we can that is if a consensus exists.

Part of #24161

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-07 11:14:45 -05:00
David Goulet
8171d9f50f Recalculate voting schedule first when getting a new consensus
Because the HS and SR subsystems can use the voting schedule early (with the
changes in #23623 making the SR subsystem using the static voting schedule
object), we need to recalculate the schedule very early when setting the new
consensus.

Fixes #24161

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-07 11:08:12 -05:00
Nick Mathewson
c6c4a421fd Merge branch 'maint-0.3.2' 2017-11-07 09:58:53 -05:00
Nick Mathewson
9d848ca58a Merge remote-tracking branch 'asn/ticket23623_032_01' into maint-0.3.2 2017-11-07 09:58:42 -05:00
Nick Mathewson
0227aab1b7 Merge branch 'maint-0.3.2' 2017-11-06 13:01:56 -05:00
Nick Mathewson
7d767706ef Merge branch 'bug24150_032_squashed' into maint-0.3.2 2017-11-06 12:59:23 -05:00
Nick Mathewson
5240afa713 Fix a memory leak on decryption non-failure of v3 hsdesc
If it decrypts something that turns out to start with a NUL byte,
then decrypt_desc_layer() will return 0 to indicate the length of
its result.  But 0 also indicates an error, which causes the result
not to be freed by decrypt_desc_layer()'s callers.

Since we're trying to stabilize 0.3.2.x, I've opted for the simpler
possible fix here and made it so that an empty decrypted string will
also count as an error.

Fixes bug 24150 and OSS-Fuzz issue 3994.

The original bug was present but unreachable in 0.3.1.1-alpha. I'm
calling this a bugfix on 0.3.2.1-alpha since that's the first version
where you could actually try to decrypt these descriptors.
2017-11-06 12:59:11 -05:00
Nick Mathewson
02a4c641da Merge branch 'maint-0.3.2' 2017-11-06 10:16:19 -05:00
Nick Mathewson
bebdd91058 Fix a 32-bit formatting warning 2017-11-06 10:16:10 -05:00
Nick Mathewson
7097c4a37a Merge remote-tracking branch 'dgoulet/bug24053_033_01' 2017-11-06 10:04:22 -05:00
Nick Mathewson
3beb3dac2d Merge branch 'maint-0.3.2' 2017-11-06 09:49:06 -05:00
Nick Mathewson
c80293706f Merge remote-tracking branch 'public/bug23318_029' into maint-0.3.2 2017-11-06 09:48:51 -05:00
Nick Mathewson
f755f9b9e6 Merge branch 'maint-0.3.2' 2017-11-05 14:41:53 -05:00
Nick Mathewson
9f3d9c68ab Merge branch 'bug21394_029' into maint-0.3.2 2017-11-05 14:39:37 -05:00
Sebastian Hahn
9827574308 Fix DNS resolution on busy exit relays
Thanks to Dhalgren who analyzed this issue two years ago and found a
solution!
2017-11-05 14:36:32 -05:00
Nick Mathewson
9f650b24e9 Merge branch 'maint-0.3.2' 2017-11-05 14:09:21 -05:00
Alex Xu (Hello71)
a72e13a669 Fix rust welcome message typo. 2017-11-05 13:58:51 -05:00
Sebastian Hahn
d3fee8b823 ClientDNSRejectInternalAddresses in non-default networks
Once again allow the flag to be set, unless the default network is used.
Thanks to nickm for a suggestion for the workaround to a test failure.
2017-11-04 18:31:02 +01:00
Sebastian Hahn
e491c05f96 Undo deprecation of ClientDNSRejectInternalAddresses 2017-11-04 18:31:00 +01:00
Sebastian Hahn
5a46074e55 Revert "Make ClientDNSRejectInternalAddresses testing-only."
This reverts commit 27fa4a98d2.
2017-11-04 18:30:59 +01:00
Sebastian Hahn
e24df58245 fixup! Allow bootstrapping networks to have Exit flags 2017-11-04 04:18:32 +01:00
Sebastian Hahn
4d6b679318 Allow bootstrapping networks to have Exit flags
Relevant for non-test networks
2017-11-03 23:07:30 +01:00
Nick Mathewson
cceb43c5e3 Merge branch 'maint-0.3.2' 2017-11-02 10:34:08 -04:00
David Goulet
0386280487 nodelist: Downgrade warning to protocol warning
The node_get_ed25519_id() warning can actually be triggered by a relay flagged
with NoEdConsensus so instead of triggering a warning on all relays of the
network, downgrade it to protocol warning.

Fixes #24025

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-02 10:33:57 -04:00
Nick Mathewson
65d22dc2f2 Merge branch 'maint-0.3.2' 2017-11-02 10:32:18 -04:00
Nick Mathewson
cb42c62c9e Merge branch 'dgoulet_ticket23753_032_02_squashed' into maint-0.3.2 2017-11-02 10:30:42 -04:00
David Goulet
6dc591a024 sched: Rate limit scheduler_bug_occurred()
Just in case we end up hitting a SCHED_BUG() multiple times, rate limit the
log warning.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-02 10:30:33 -04:00
Matt Traudt
52050bb2c6 sched: Add another SCHED_BUG() callsite 2017-11-02 10:30:33 -04:00
David Goulet
3931a6f264 sched: Use SCHED_BUG() macro in scheduler
When a BUG() occurs, this macro will print extra information about the state
of the scheduler and the given channel if any. This will help us greatly to
fix future bugs in the scheduler especially when they occur rarely.

Fixes #23753

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-02 10:30:33 -04:00
Nick Mathewson
f865993653 Merge branch 'maint-0.3.2' 2017-11-02 10:26:30 -04:00
teor
27ea6fcd31 Test that IPv6-only clients can use microdescriptors
When running "make test-network-all", test that IPv6-only clients can use
microdescriptors. IPv6-only microdescriptor client support was fixed in
tor 0.3.0.1-alpha.

Requires chutney master 61c28b9 or later.

Closes ticket 24109.
2017-11-02 10:25:49 -04:00
Nick Mathewson
a46dcc0709 Merge branch 'maint-0.3.2' 2017-11-02 10:22:35 -04:00
Nick Mathewson
6a9a118f90 Tweak a comment for a minor but important distinction 2017-11-02 10:22:32 -04:00
Nick Mathewson
3aab8307a5 Merge branch 'ticket23820_032_01_squashed' into maint-0.3.2 2017-11-02 10:19:29 -04:00
teor
176bfe1bed Don't run IPv6-only v3 single onion service tests using chutney
Part of #23820.
2017-11-02 10:19:05 -04:00
teor
cc072b6fbf Stop users configuring IPv6-only v3 single onion services
They are not yet implemented: they will upload descriptors, but won't be
able to rendezvous, because IPv6 addresses in link specifiers are ignored.

Part of #23820.
2017-11-02 10:19:05 -04:00
teor
a4f34c1106 Improve v3 onion service logging for intro and rend points
Diagnostics for #23820.
2017-11-02 10:19:05 -04:00
teor
77ed99b1a7 Remove buggy IPv6 and ed25519 handling from get_lspecs_from_extend_info()
The previous version of this function had the following issues:
* it didn't check if the extend_info contained an IPv6 address,
* it didn't check if the ed25519 identity key was valid.
But we can't add IPv6 support in a bugfix release.

Instead, BUG() if the address is an IPv6 address, so we always put IPv4
addresses in link specifiers. And ignore missing ed25519 identifiers,
rather than generating an all-zero link specifier.

This supports v3 hidden services on IPv4, dual-stack, and IPv6, and
v3 single onion services on IPv4 only.

Part of 23820, bugfix on 0.3.2.1-alpha.
2017-11-02 10:19:05 -04:00
Nick Mathewson
a321f8f4af Merge branch 'buf_for_stringbuffer_squashed' 2017-11-02 10:01:30 -04:00
Nick Mathewson
8993159f3d Refactor geoip_get_dirreq_history to use buf_t 2017-11-02 10:00:32 -04:00
Nick Mathewson
3b30015143 Refactor connection_write_to_buf_impl_(); add one that takes a buf_t 2017-11-02 10:00:32 -04:00
Nick Mathewson
095e15f8ac Add a zero-copy buffer move implementation. 2017-11-02 10:00:32 -04:00
Nick Mathewson
5240d02a11 Refactor write_http_response_header_impl() to use buf_t 2017-11-02 10:00:32 -04:00
Nick Mathewson
d5ba4851bd Add buf_t API helpers for using buffers to construct outputs. 2017-11-02 10:00:32 -04:00
Roger Dingledine
7700b99fe6 easy typos while reviewing commits 2017-11-01 16:44:09 -04:00
Sebastian Hahn
acdd349dee rename {,TOR_}RUST_DEPENDENCIES 2017-11-01 13:45:15 -04:00
Nick Mathewson
cd606d5ad3 Merge remote-tracking branch 'public/owning_control_fd' 2017-11-01 13:28:31 -04:00
Nick Mathewson
ef25f957e7 Merge branch 'tor_api_squashed' 2017-11-01 13:22:16 -04:00
Nick Mathewson
221f5238ae tor_runner.c: Add a circumlocution and a caveat. 2017-11-01 13:22:09 -04:00
Nick Mathewson
8c49194505 Add more usage notes on tor_api.h 2017-11-01 13:22:09 -04:00
Nick Mathewson
8b313bd4ad Explain purpose, usage, and status of tor_runner.c 2017-11-01 13:22:09 -04:00
Nick Mathewson
e8682c8594 Add a small library to emulate tor_run_main() with exec() 2017-11-01 13:22:09 -04:00
Nick Mathewson
fa02ea102e Add a public tor_api.h with an implementation in tor_api.c
The main effect of this change is to commit to an extensible
long-term API.

Closes ticket 23684.
2017-11-01 13:22:09 -04:00
David Goulet
198ede5314 test: Fix SR initialization in routerlist test
Fixes #24053

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-01 11:39:52 -04:00
Roger Dingledine
9635843342 trivial comment fixes
done while i was trying to debug nearby code
2017-10-31 23:09:00 -04:00
David Goulet
bd631a649b test: Fix voting schedule for hs_service.c
Part of #23623

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-31 14:49:31 -04:00
David Goulet
814f4c6967 test: Fix voting schedule for hs_common.c
Part of #23623

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-31 14:49:19 -04:00
David Goulet
19d32fd0d6 test: Fix voting schedule for shared random
Part of #23623

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-31 14:48:50 -04:00
Nick Mathewson
43cbcd3896 Merge branch 'maint-0.3.2' 2017-10-31 14:31:55 -04:00
Nick Mathewson
0627512368 Merge branch 'bug24082_032' into maint-0.3.2 2017-10-31 14:31:21 -04:00
Nick Mathewson
f9aed40156 Merge branch 'maint-0.3.2' 2017-10-31 14:18:52 -04:00
Nick Mathewson
c3ea1ccf04 double newline 2017-10-31 14:18:48 -04:00
David Goulet
33da5d7672 test: Initialize the voting schedule in test_dir.c
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-31 14:07:41 -04:00
Nick Mathewson
2b6f246652 Merge branch 'maint-0.3.2' 2017-10-31 14:04:34 -04:00
Nick Mathewson
8dffc46748 Merge branch 'hsdescv3_fuzz_more' into maint-0.3.2 2017-10-31 14:04:31 -04:00
Nick Mathewson
b76a161e01 Merge branch 'fix-torrcd-sandbox-22605v2' 2017-10-31 13:58:33 -04:00
Nick Mathewson
00e781142b Don't give "exitrelay may become 0 when no policy" warning on ReducedExitPolicy 2017-10-31 13:25:41 -04:00
Nick Mathewson
6e2f8de62d Fix: when BridgeRelay is set, you do not get any exit policy. 2017-10-31 13:25:41 -04:00
Neel Chauhan
b70e11ef6b Add code for letting user select Reduced Exit Policy 2017-10-31 13:25:41 -04:00
Nick Mathewson
4700ba6c3d Merge branch 'maint-0.3.2' 2017-10-31 12:19:42 -04:00
Nick Mathewson
3d93ec3ef4 Merge branch 'bug23762_032_02_squashed' into maint-0.3.2 2017-10-31 12:14:21 -04:00
David Goulet
5dbcd48f0e hs-v3: Attempt descriptor refetch when dirinfo changes
When the directory information changes, callback to the HS client subsystem so
it can check if any pending SOCKS connections are waiting for a descriptor. If
yes, attempt a refetch for those.

Fixes #23762

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-31 12:14:11 -04:00
Nick Mathewson
c9ad172dd4 Merge branch 'bug23571_033_squashed' 2017-10-31 11:59:18 -04:00
teor
e9f57e193d Consistently use braced blocks in hibernate_go_dormant() 2017-10-31 11:58:34 -04:00
teor
e57604183c When hibernating, close connections normally and allow them to flush
Bugfix on 7267 in 0.2.4.7-alpha
2017-10-31 11:58:34 -04:00
Nick Mathewson
5a21b27083 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-10-31 11:43:14 -04:00
Nick Mathewson
f2e23d38ab Merge branch 'maint-0.2.9' into maint-0.3.0 2017-10-31 11:43:14 -04:00
Nick Mathewson
7c59c751b0 Merge branch 'maint-0.3.1' into maint-0.3.2 2017-10-31 11:43:14 -04:00
Nick Mathewson
cf98ca715c Merge branch 'maint-0.3.2' 2017-10-31 11:43:14 -04:00
Nick Mathewson
04d4786cc4 Merge remote-tracking branch 'public/bug23693_029' into maint-0.2.9 2017-10-31 11:43:07 -04:00
David Goulet
ce99ebf25d Make tor recalculate voting schedule even if not a dirauth
Because the HS subsystem needs the voting schedule to compute time period, we
need all tor type to do that.

Part of #23623

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-31 09:55:24 -04:00
Nick Mathewson
5dce134fbb Initialize the mock options in the fuzzing code
Fixes bug 24082; bugfix on 0.3.0.3-alpha.  Found by Brian Carpenter.
2017-10-30 17:05:26 -04:00
Nick Mathewson
332d6bf901 Merge branch 'maint-0.3.2' 2017-10-30 11:07:44 -04:00
Nick Mathewson
5bee5fbac7 Merge remote-tracking branch 'public/bug23774_032' into maint-0.3.2 2017-10-30 11:07:26 -04:00
Nick Mathewson
7515eefb70 remove errant ; 2017-10-27 17:58:50 -04:00
Nick Mathewson
26e0909e51 In the hsdescv3 fuzzer, replace the decryption function.
The new decryption function performs no decryption, skips the salt,
and doesn't check the mac.  This allows us to fuzz the
hs_descriptor.c code using unencrypted descriptor test, and exercise
more of the code.

Related to 21509.
2017-10-27 14:28:02 -04:00
Nick Mathewson
5e52beceb0 Only prototype rust_welcome_string() when it exists. 2017-10-27 13:03:24 -04:00
Nick Mathewson
69502942b0 [rust] Avoid a clone in contract_protocol_list() 2017-10-27 13:02:14 -04:00
Nick Mathewson
12f58b42a8 Allow test_rust.sh to run from outside the makefile
(This is just a matter of making sure that we handle the case where
abs_top_builddir is not set)
2017-10-27 12:54:52 -04:00
Nick Mathewson
6e08807b54 Add a build-rust alias to just rebuild the rust code. 2017-10-27 12:52:07 -04:00
Nick Mathewson
1e66ab363a [rust] Add "unsafe" to the testing-mode tor_malloc_ wrapper.
This change lets us remove the allow(unused_unsafe) directive
from allocate_and_copy_string().
2017-10-27 12:49:51 -04:00
Nick Mathewson
3a364529a4 Make distcleancheck pass with --enable-rust 2017-10-27 12:35:13 -04:00
Nick Mathewson
d5eea977be bump to 0.3.2.3-alpha-dev. 2017-10-27 12:33:13 -04:00
Nick Mathewson
2153814ba8 Include rust files in 'make dist' 2017-10-27 12:19:31 -04:00
Nick Mathewson
7f764bcba8 repair "make distcheck" 2017-10-27 11:59:15 -04:00
Nick Mathewson
f803c1bb17 declare shutdown_did_not_work_callback() with ATTR_NORETURN 2017-10-27 11:51:42 -04:00
Nick Mathewson
79e7c0af0e Add a comment about removing the failsafe event loop exit code 2017-10-27 11:15:43 -04:00
Nick Mathewson
0a10335d2e Clarify doc on tell_event_loop_to_run_external_code() 2017-10-27 11:14:37 -04:00
Nick Mathewson
30a681553f Merge remote-tracking branch 'public/exit_carefully' 2017-10-27 11:13:05 -04:00
Nick Mathewson
fa78546dbc Make sure all C files have copyright/license notices 2017-10-27 10:59:36 -04:00
Nick Mathewson
f5e9e2748f Merge branch 'protover-rust-impl_squashed' 2017-10-27 10:05:30 -04:00
Nick Mathewson
2ca8fcb892 Add missing copyright/license statements on all .rs files
(Yes, I have Chelsea's permission.)
2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
6be75bd61d cargo fmt; fix line length warnings 2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
90daad999e remove experimental rust features
allow unsafe on function that calls C
2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
7999d0bf6b update tor_allocate and add tests 2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
7d126b9db9 remove unused include.am for rust modules 2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
cd2a036959 refactor smartlist for readability
limit scoping of unsafe, and other cleanup
2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
91bca5c31b move to allocating c strings from rust 2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
76bbdfbfa9 add tor allocator for rust 2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
d14a83f74f remove unneeded dependencies, remove types where unnecessary 2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
0c4d535972 refactor build infrastructure for single rust binary 2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
be583a34a3 use tor allocator for string allocation in rust 2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
0c04b54d4d minimize scope for unsafe
update documentation

missing check for null
2017-10-27 10:02:08 -04:00
Chelsea Holland Komlo
d1820c1516 rust implementation of protover 2017-10-27 10:02:08 -04:00
David Goulet
7ee0a2b9aa sr: Don't use a dynamic voting schedule
The exposed get_voting_schedule() allocates and return a new object everytime
it is called leading to an awful lot of memory allocation when getting the
start time of the current round which is done for each node in the consensus.

Closes #23623

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-27 09:23:37 -04:00
David Goulet
60164f057c dirvote: Move code. No behavior change
Needed for next commit to address #23623.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-27 09:23:18 -04:00
Nick Mathewson
fb88527195 update to 0.3.2.3-alpha 2017-10-27 08:59:07 -04:00
Nick Mathewson
a0f8c01004 Merge branch 'maint-0.3.2' 2017-10-27 08:05:04 -04:00
David Goulet
e598c6f6de hs-v3: Check the ed25519 key when picking intro point
If the intro point supports ed25519 link authentication, make sure we don't
have a zeroed key which would lead to a failure to extend to it.

We already check for an empty key if the intro point does not support it so
this makes the check on the key more consistent and symmetric.

Fixes #24002

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-26 14:54:20 -04:00
Nick Mathewson
4af1653e0f Merge branch 'maint-0.3.2' 2017-10-26 10:43:05 -04:00
David Goulet
c4ef21ff5e fuzzing: Make hsdescv3 use the decoding API correctly
Fixes #21509

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-26 09:52:15 -04:00
David Goulet
4d2de821ce Revert "Temporarily disable compilation of the v3 hs fuzzing code"
This reverts commit 5ef656e7d1.
2017-10-26 09:41:47 -04:00
George Kadianakis
42a47c0e7d Remove a duplicate call to update_microdesc_downloads()
This call happens before we update our entry guards, so it needs to be
removed for the fix to #23862 to work.
2017-10-26 13:36:04 +03:00
George Kadianakis
cbc70437a7 Update entry guard state whenever we download a consensus.
Update guard state even if we don't have enough dirinfo since that
actually affects the future download of dirinfos.

Fixes #23862 on 0.3.0.1-alpha
2017-10-26 13:36:04 +03:00
teor
b4aa8fc3d9
Remove buggy IPv6 support from pick_intro_point() and service_intro_point_new()
The previous version of these functions had the following issues:
* they can't supply both the IPv4 and IPv6 addresses in link specifiers,
* they try to fall back to a 3-hop path when the address for a direct
  connection is unreachable, but this isn't supported by
  launch_rendezvous_point_circuit(), so it fails.
But we can't fix these things in a bugfix release.

Instead, always put IPv4 addresses in link specifiers.
And if a v3 single onion service can't reach any intro points, fail.

This supports v3 hidden services on IPv4, dual-stack, and IPv6, and
v3 single onion services on IPv4 only.

Part of 23820, bugfix on 0.3.2.1-alpha.
2017-10-26 17:02:46 +11:00
teor
20b0e9e07d
Remove buggy IPv6 support from hs_get_extend_info_from_lspecs()
The previous version of this function has the following issues:
* it doesn't choose between IPv4 and IPv6 addresses correctly, and
* it doesn't fall back to a 3-hop path when the address for a direct
  connection is unreachable.
But we can't fix these things in a bugfix release.

Instead, treat IPv6 addresses like any other unrecognised link specifier
and ignore them. If there is no IPv4 address, return NULL.

This supports v3 hidden services on IPv4, dual-stack, and IPv6, and
v3 single onion services on IPv4 only.

Part of 23820, bugfix on 0.3.2.1-alpha.
2017-10-26 14:38:06 +11:00
George Kadianakis
1a6814c096 Fix offending unittest and add changes file for #23862. 2017-10-25 20:22:52 +03:00
George Kadianakis
dfd3ed5bdc Remove a duplicate call to update_microdesc_downloads()
This call happens before we update our entry guards, so it needs to be
removed for the fix to #23862 to work.
2017-10-25 20:22:52 +03:00
George Kadianakis
10c5eae3fa Update entry guard state whenever we download a consensus.
Update guard state even if we don't have enough dirinfo since that
actually affects the future download of dirinfos.

Fixes #23862 on 0.3.0.1-alpha
2017-10-25 20:22:52 +03:00
George Kadianakis
8c8d3b90f7 Add a unittest that reveals the offending case of #23862. 2017-10-25 20:22:52 +03:00
Nick Mathewson
c7a1a987d6 Merge branch 'maint-0.3.2' 2017-10-25 12:25:41 -04:00
David Goulet
9592797cf3 hs-v2: Copy needed information between service on prunning
Turns out that when reloading a tor configured with hidden service(s), we
weren't copying all the needed information between the old service object to
the new one.

For instance, the desc_is_dirty timestamp wasn't which could lead to the
service uploading its desriptor much later than it would need to.

The replaycache wasn't also moved over and some intro point information as
well.

Fixes #23790

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-25 11:21:28 -04:00
Nick Mathewson
f68c1b1406 bump to 0.3.1.8-dev 2017-10-25 09:28:05 -04:00
Nick Mathewson
4edbbee2fd bump to 0.3.0.12-dev 2017-10-25 09:27:50 -04:00
Nick Mathewson
46091a88ca bump to 0.2.9.13-dev 2017-10-25 09:27:23 -04:00
Nick Mathewson
9969b0dfda bump to 0.2.8.16-dev 2017-10-25 09:27:07 -04:00
Nick Mathewson
82f8b27ff5 bump to 0.2.5.15-dev 2017-10-25 09:26:53 -04:00
Nick Mathewson
e5c341eb7c Merge branch 'maint-0.3.2' 2017-10-24 19:43:13 -04:00
Nick Mathewson
3498183807 Turn a comment into a doxygen comment.
Crediting this * to teor, in penance for mis-crediting his x removal
to Isis.  The balance is restored.
2017-10-24 19:42:18 -04:00
Nick Mathewson
e7126a1030 Merge remote-tracking branch 'catalyst-oniongit/bug20532_031' into maint-0.3.2 2017-10-24 19:41:26 -04:00
Nick Mathewson
8d908b961f Merge branch 'maint-0.3.2' 2017-10-24 19:37:11 -04:00
Nick Mathewson
8cc57bccfe Isis has been noticing typos. 2017-10-24 19:37:09 -04:00
Nick Mathewson
b95ef19a77 Merge branch 'feature18329_029_squashed' into maint-0.3.2 2017-10-24 19:35:32 -04:00
Nick Mathewson
594cf92498 Merge branch 'feature18329_029_squashed' into maint-0.3.2 2017-10-24 19:35:28 -04:00
Nick Mathewson
f3af74ccf5 Updates to fix check-spaces/check-changes warnings 2017-10-24 19:35:16 -04:00
Nick Mathewson
44e8aaa9aa Adjust test to allow hyphens too. 2017-10-24 19:33:38 -04:00
Isis Lovecruft
02cde0d939 test: Add unittest for descriptors with BridgeDistribution option. 2017-10-24 19:26:24 -04:00
Isis Lovecruft
b0e10f23ba doc: Improve documentation for check_bridge_distribution_setting(). 2017-10-24 19:26:24 -04:00
Nick Mathewson
613b18f0af Always set bridge-distribution-request on bridges' descriptors.
Also, warn the user if the BridgeDistribution option is
unrecognized, and reject the value if it is invalid.
2017-10-24 19:26:24 -04:00
Roger Dingledine
ebab521525 Add new BridgeDistribution config option
Bridge relays can use it to add a "bridge-distribution-request" line
to their bridge descriptor, which tells BridgeDB how they'd like their
bridge address to be given out.

Implements tickets 18329.
2017-10-24 19:26:24 -04:00
Taylor Yu
9b60acd4d4 Rewrite bridge addresses earlier
Call rewrite_node_address_for_bridge() in
launch_direct_bridge_descriptor_fetch() in case there's an existing
node_t for it.
2017-10-24 17:35:17 -05:00
Nick Mathewson
649000662d Merge remote-tracking branch 'arma/ticket23637' 2017-10-24 12:52:41 -04:00
Nick Mathewson
5325e7ccab bump version in the other places :/ 2017-10-24 09:11:17 -04:00
Nick Mathewson
552b620280 bump version in the other places :/ 2017-10-24 09:11:07 -04:00
Nick Mathewson
cbb41ddfef bump to 0.3.1.8 2017-10-24 09:09:50 -04:00
Nick Mathewson
743eee4930 bump to 0.2.5.15 2017-10-24 09:09:00 -04:00
Nick Mathewson
abbd6a36fc Merge branch 'maint-0.3.2' 2017-10-24 08:25:29 -04:00
Nick Mathewson
0d4addfc73 Merge branch 'bug23952_032' into maint-0.3.2 2017-10-24 08:24:12 -04:00
Nick Mathewson
f0a6ea0bfd Merge branch 'maint-0.3.0' into maint-0.3.1 2017-10-23 15:55:48 -04:00
Nick Mathewson
f7707c9031 Merge branch 'maint-0.3.2' 2017-10-23 15:55:48 -04:00
Nick Mathewson
b1d6cf2508 Merge branch 'maint-0.3.1' into maint-0.3.2 2017-10-23 15:55:48 -04:00
Nick Mathewson
9ae4ffc076 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-10-23 15:55:08 -04:00
Nick Mathewson
b1bd1bf19f Merge remote-tracking branch 'teor/bug23874-029' into maint-0.2.9 2017-10-23 15:53:45 -04:00
Nick Mathewson
48ee85e0c6 Have LOG_PROTOCOL_WARN call its own function
Also, make the function that implements LOG_PROTOCOL_WARN use a
cached value of the desired loglevel, rather than calling
get_options().
2017-10-23 12:22:26 -04:00
Nick Mathewson
af33fdd7c1 Remove the length limit from write_http_status_line
Fixes bug 23908; bugfix on 0.3.1.6-rc when we made the keypin
failure message really long.

Backport from 0.3.2's 771fb7e7ba,
where arma said "get rid of the scary 256-byte-buf landmine".
2017-10-23 09:21:22 -04:00
Nick Mathewson
fcd5c3144a Merge branch 'maint-0.2.8' into maint-0.2.9 2017-10-23 09:11:10 -04:00
Nick Mathewson
eac4c374e4 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-10-23 09:11:10 -04:00
Nick Mathewson
49e8352f16 Merge branch 'maint-0.3.2' 2017-10-23 09:11:10 -04:00
Nick Mathewson
6a7aa47357 Merge branch 'maint-0.3.1' into maint-0.3.2 2017-10-23 09:11:10 -04:00
Nick Mathewson
85115796bb Merge branch 'maint-0.3.0' into maint-0.3.1 2017-10-23 09:11:10 -04:00
Nick Mathewson
a5f5bda462 Adjust test, now that there are 9 dirauths again 2017-10-23 09:11:07 -04:00
Nick Mathewson
1db5081ba1 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-10-23 09:06:34 -04:00
Nick Mathewson
c93ecb8189 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-10-23 09:06:34 -04:00
Nick Mathewson
d99c6b7252 Merge branch 'maint-0.3.2' 2017-10-23 09:06:34 -04:00
Nick Mathewson
009141c6a8 Merge branch 'maint-0.3.1' into maint-0.3.2 2017-10-23 09:06:34 -04:00
Nick Mathewson
23e3d57e12 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-10-23 09:06:34 -04:00
Nick Mathewson
8cc147aa83 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-10-23 09:04:56 -04:00
David Goulet
15a699462d dirauth: Add bastet to the default authorities
Fixes #23910

Based on a patch by dgoulet; backported to 0.2.5
2017-10-23 09:03:36 -04:00
Nick Mathewson
97046436b2 Merge branch 'maint-0.3.2' 2017-10-23 08:59:12 -04:00
Nick Mathewson
c958fda6e2 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-10-23 08:59:11 -04:00
Nick Mathewson
783e458c07 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-10-23 08:59:11 -04:00
Nick Mathewson
b8dedaee74 Merge branch 'maint-0.3.1' into maint-0.3.2 2017-10-23 08:59:11 -04:00
Nick Mathewson
df57d1e0c0 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-10-23 08:59:11 -04:00
Nick Mathewson
9a1b385462 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-10-23 08:58:28 -04:00
Nick Mathewson
132e2f69b1 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-10-23 08:53:25 -04:00
Nick Mathewson
74e8fd22c9 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-10-23 08:53:25 -04:00
Nick Mathewson
b68de63eb6 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-10-23 08:53:25 -04:00
Nick Mathewson
6f87a85897 Merge remote-tracking branch 'public/bug23690_028' into maint-0.2.8 2017-10-23 08:53:14 -04:00
Nick Mathewson
35574d4a9a Merge branch 'maint-0.2.9' into maint-0.3.0 2017-10-23 08:47:58 -04:00
Nick Mathewson
fcaf3335b4 Merge remote-tracking branch 'public/bug23081_025' into maint-0.2.9 2017-10-23 08:47:52 -04:00
Nick Mathewson
d29e4c0597 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-10-23 08:46:29 -04:00
Nick Mathewson
68dea082e7 Merge remote-tracking branch 'public/bug22349_029' into maint-0.2.9 2017-10-23 08:46:26 -04:00
Nick Mathewson
a62f59f000 Mark "previously validated foo could not be set" blocks as unreachable. 2017-10-20 19:28:12 -04:00
Nick Mathewson
c4a07b261b Add unit tests for cases of starting with bogus keygen arguments
In particular, this tests that we give an appropriate warning when
we are told to use some keygen argument, but --keygen is not specified.
2017-10-20 19:27:48 -04:00
Nick Mathewson
3c99b810a4 Exit more carefully when options_act() fails.
Also, annotate options_act() with places where we should be
pre-validating values.
2017-10-20 11:39:17 -04:00
Nick Mathewson
1df43aff41 Return instead of exiting in options_init_from_torrc() 2017-10-20 11:39:17 -04:00
Nick Mathewson
853e73e815 Return from instead of exit()ing when ed25519 key check fails. 2017-10-20 11:39:17 -04:00
Nick Mathewson
c247a2df6b On locking failure, return -1 instead of exit()ing.
This is safe, since the only caller (options_act) will check the
return value, and propagate failure.
2017-10-20 11:39:17 -04:00
Nick Mathewson
9bafc3b1ef Replace most bad exits in main.c, hibernate.c
This should make most of the reasons that we hibernate cleaner.
2017-10-20 11:39:17 -04:00
Nick Mathewson
c82cc8acb5 Add a failsafe to kill tor if the new exit code doesn't work.
It _should_ work, and I don't see a reason that it wouldn't, but
just in case, add a 10 second timer to make tor die with an
assertion failure if it's supposed to exit but it doesn't.
2017-10-20 11:39:17 -04:00
Nick Mathewson
f0c3b62381 Expose a new function to make the event loop exit once and for all.
Instead of calling tor_cleanup(), exit(x), we can now call
tor_shutdown_event_loop_and_exit.
2017-10-20 11:39:17 -04:00
Nick Mathewson
78cbced45c Rename "tell_event_loop_to_finish" to "...run_external_code"
This function was never about 'finishing' the event loop, but rather
about making sure that the code outside the event loop would be run
at least once.
2017-10-20 09:59:48 -04:00
Nick Mathewson
35746a9ee7 Comment-only change: annotate exit() calls.
Sometimes when we call exit(), it's because the process is
completely hopeless: openssl has a broken AES-CTR implementation, or
the clock is in the 1960s, or something like that.

But sometimes, we should return cleanly from tor_main() instead, so
that embedders can keep embedding us and start another Tor process.

I've gone through all the exit() and _exit() calls to annotate them
with "exit ok" or "XXXX bad exit" -- the next step will be to fix
the bad exit()s.

First step towards 23848.
2017-10-19 13:42:28 -04:00
Nick Mathewson
0956242158 Mark some unreachable code in compat_winthreads.c as unreachable 2017-10-19 13:21:48 -04:00
Nick Mathewson
72b5e4a2db Move tor_git_revision into a new module.
At first, we put the tor_git_revision constant in tor_main.c, so
that we wouldn't have to recompile config.o every time the git
revision changed.  But putting it there had unintended side effect
of forcing every program that wanted to link libor.a (including
test, test-slow, the fuzzers, the benchmarks, etc) to declare their
own tor_git_revision instance.

That's not very nice, especially since we want to start supporting
others who want to link against Tor (see 23846).

So, create a new git_revision.c file that only contains this
constant, and remove the duplicated boilerplate from everywhere
else.

Part of implementing ticket 23845.
2017-10-18 13:49:35 -04:00
Nick Mathewson
f1bf9bf819 Add __OwningControllerFD to allow controllers without controlports
This feature should help programs that want to launch and manage a
Tor process, as well as programs that want to launch and manage a
Tor instance in a separate thread.  Right now, they have to open a
controlport, and then connect to it, with attendant authentication
issues.  This feature allows them to just start with an
authenticated connection.

Bug 23900.
2017-10-18 13:36:53 -04:00
Nick Mathewson
f0daaf8d60 Expose connection_init_accepted_conn. 2017-10-18 12:55:09 -04:00
Nick Mathewson
4eb5753bd2 New function for Tor to treat itself as the "owner" of a socket
Our socket accounting functions assumed that we'd never be asked to
close a socket that we didn't open ourselves.  But now we want to
support taking control sockets that we inherit -- so we need a way
of taking ownership of them, so we don't freak out later on when we
close them.
2017-10-18 12:17:44 -04:00
Nick Mathewson
5bcd8dc5c4 Make the mark_socket_open() no-op treat the socket as used.
This is preliminary for extracting the "take socket ownership" code
into its own function.
2017-10-18 12:13:26 -04:00
Nick Mathewson
5d219ecf98 Update Longclaw's IP address; fixes 23592. 2017-10-17 14:00:30 -04:00
Nick Mathewson
8652f3e9e8 Fix memory leak when freeing socket_table in KIST. 2017-10-17 13:40:31 -04:00
Nick Mathewson
d8604b8729 Merge branch 'teor_bug23813_squashed' 2017-10-15 20:36:23 -04:00
teor
eaf9c0f25a Describe what router_reset_descriptor_download_failures() actually does
Comment-only change.

Part of #23813.
2017-10-15 20:36:18 -04:00
teor
5bca66be49
Clear the address when node_get_prim_orport() returns early
Fixes bug 23874; bugfix on 0.2.8.2-alpha.
2017-10-15 16:48:36 -04:00
teor
67eeee0c71
Add a new consensus method that removes IPv6 address lines from microdescs
Implements #23828.
2017-10-15 12:31:39 -04:00
teor
56dbba3207
Add a consensus method for IPv6 address lines in the microdesc consensus
Implements #23826.
2017-10-15 12:31:06 -04:00
teor
b8d4588c90
Add a consensus_method argument to routerstatus_format_entry()
And pass ROUTERSTATUS_FORMAT_NO_CONSENSUS_METHOD when it's not applicable.

Preparation for #23826.
2017-10-15 12:09:52 -04:00
teor
305f947671
Improve the comment on networkstatus_compute_consensus() 2017-10-15 12:08:55 -04:00
Nick Mathewson
e00f12ec6c bump version on master to 0.3.3.0-alpha-dev 2017-10-15 11:57:06 -04:00
Nick Mathewson
bdf60fc7ce Merge branch 'maint-0.3.0' into maint-0.3.1 2017-10-05 11:03:36 -04:00
Nick Mathewson
0cd7c1af37 Merge branch 'maint-0.3.1' 2017-10-05 11:03:36 -04:00
Nick Mathewson
2984d99165 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-10-05 11:03:35 -04:00
Nick Mathewson
d6bdec1595 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-10-05 11:03:35 -04:00
Nick Mathewson
ad7db10770 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-10-05 11:03:35 -04:00
Karsten Loesing
b9d9b16b76 Update geoip and geoip6 to the October 4 2017 database. 2017-10-05 16:56:14 +02:00
David Goulet
469ee6e6fe hs-v3: Refactor client refetch function
Create a function that tells us if we can fetch or not the descriptor for the
given service key.

No behavior change. Mostly moving code but with a slight change so the
function can properly work by returning a boolean and also a possible fetch
status code.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-04 15:50:22 -04:00
Taylor Yu
44e4a96bb5 Don't expect permission failure if running as root
Skip test_config_include_no_permission() when running as root, because
it will get an unexpected success from config_get_lines_include().
This affects some continuous integration setups.  Fixes bug 23758.
2017-10-04 08:42:05 -05:00
David Goulet
2e8de0de3b sched: Implement SCHED_BUG()
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-03 14:43:09 -04:00
cathugger
9d90f9829c hs-v3: Always generate the public key file on disk
Fixes #23748

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-03 11:19:10 -04:00
Nick Mathewson
1e7e36da4b Merge branch 'bug23672_032_01_squashed' 2017-10-03 10:56:52 -04:00
David Goulet
30d2e0b71e test: Add an HS v3 descriptor fetch unit test
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-03 10:56:46 -04:00
David Goulet
c232b6b59c hs-v3: Close pending SOCKS connection on descriptor fetch error
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-10-03 10:56:46 -04:00
Nick Mathewson
783a44b2cd Merge remote-tracking branch 'asn/bug23670' 2017-10-03 09:05:16 -04:00
George Kadianakis
f7306b16ec entrynodes: Better naming for dir info check functions. 2017-10-03 15:55:19 +03:00
Nick Mathewson
a6c62cbd13 Merge branch 'bug23678_032' 2017-10-03 08:18:08 -04:00
Nick Mathewson
f923aeee1b Follow-up on 23678: fix socks/wrong_protocol test 2017-10-03 08:17:41 -04:00
Nick Mathewson
f2e820c45f torcert.c: mark some lines unreachable by tests
These are related to handling of failures on functions which can't
fail.
2017-10-03 08:07:36 -04:00
Nick Mathewson
bb7288b2c3 Make the fp_pair_map tests cover {get,set}_by_digests 2017-10-03 08:07:36 -04:00
George Kadianakis
5352785d0c entrynodes: Error msg for missing guard descs is now more informative. 2017-10-03 14:41:20 +03:00
George Kadianakis
f2231306ba entrynodes: Move guard dirinfo check below path dirinfo check.
We do that because we want to use the path fraction dirinfo data in case
we are missing primary guard dirinfo.
2017-10-03 14:41:18 +03:00
George Kadianakis
c9729853a5 entrynodes: Be specific about how many primary descriptors we miss. 2017-10-03 14:39:34 +03:00
Nick Mathewson
d0cae9fbc5 bump master to 0.3.2.2-alpha-dev 2017-10-02 19:19:51 -04:00
Alexander Færøy
c61508f9aa
Bump version to 0.3.2.2-alpha.
Signed-off-by: Isis Lovecruft <isis@torproject.org>
2017-10-02 19:23:32 +00:00
Nick Mathewson
ad4dcd7d1a Fix our "not an HTTP Proxy" message in light of HTTPTunnelPort
When we added HTTPTunnelPort, the answer that we give when you try
to use your SOCKSPort as an HTTP proxy became wrong.  Now we explain
that Tor sorta _is_ an HTTP proxy, but a SOCKSPort isn't.

I have left the status line the same, in case anything is depending
on it.  I have removed the extra padding for Internet Explorer,
since the message is well over 512 bytes without it.

Fixes bug 23678; bugfix on 0.3.2.1-alpha.
2017-10-02 12:53:13 -04:00
Nick Mathewson
c50c98ba6a Make changes in server_mode() affect workers; fix a crash.
Without this fix, changes from client to bridge don't trigger
transition_affects_workers(), so we would never have actually
initialized the cpuworkers.

Fixes bug 23693.  Bugfix on 3bcdb26267 0.2.6.3-alpha, which
fixed bug 14901 in the general case, but not on the case where
public_server_mode() did not change.
2017-10-02 11:11:30 -04:00
Nick Mathewson
dddae36f5e Merge remote-tracking branch 'dgoulet/ticket23696_032_01' 2017-09-29 17:46:50 -04:00
Nick Mathewson
ca2e7eabc2 Merge branches 'bug8185_031' and 'bug8185_diagnostic_032' 2017-09-29 17:26:40 -04:00
David Goulet
070064de89 sched: Always initialize scheduler_last_run to now
Because our monotonic time interface doesn't play well with value set to 0,
always initialize to now() the scheduler_last_run at init() of the KIST
scheduler.

Fixes #23696

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-29 14:07:55 -04:00
Matt Traudt
3ef7e6f187 sched: Don't get KIST stuck in an infinite loop
When a channel is scheduled and flush cells returns 0 that is no cells to
flush, we flag it back in waiting for cells so it doesn't get stuck in a
possible infinite loop.

It has been observed on moria1 where a closed channel end up in the scheduler
where the flush process returned 0 cells but it was ultimately kept in the
scheduling loop forever. We suspect that this is due to a more deeper problem
in tor where the channel_more_to_flush() is actually looking at the wrong
queue and was returning 1 for an empty channel thus putting the channel in the
"Case 4" of the scheduler which is to go back in pending state thus
re-considered at the next iteration.

This is a fix that allows the KIST scheduler to recover properly from a not
entirelly diagnosed problem in tor.

Fixes #23676

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-29 11:06:31 -04:00
Nick Mathewson
fc6c0b46fb Merge branch 'bug23690_additional_032' 2017-09-29 10:29:40 -04:00
Nick Mathewson
b0ddaac074 Make some assertions nonfatal to help prevent bug23690 recurrence. 2017-09-29 10:29:33 -04:00
Nick Mathewson
8ccefa7b7a Merge branch 'bug23690_028' 2017-09-29 10:28:33 -04:00
Nick Mathewson
f7222e6d8c Clear outbuf_flushlen when we clear a connection's outbuf
When we added single_conn_free_bytes(), we cleared the outbuf on a
connection without setting outbuf_flushlen() to 0.  This could cause
an assertion failure later on in flush_buf().

Fixes bug 23690; bugfix on 0.2.6.1-alpha.
2017-09-29 10:00:14 -04:00
Nick Mathewson
1a5746f8e1 Merge branch 'bug8185_025' into bug8185_031 2017-09-29 09:37:01 -04:00
Nick Mathewson
d256d4c0a6 Don't package cells onto marked circuits.
This caused a BUG log when we noticed that the circuit had no
channel.  The likeliest culprit for exposing that behavior is
d769cab3e5, where we made circuit_mark_for_close() NULL out
the n_chan and p_chan fields of the circuit.

Fixes bug 8185; bugfix on 0.2.5.4-alpha, I think.
2017-09-29 09:33:47 -04:00
Nick Mathewson
1b6ccb52ea Log more information when bug8185 is about to trigger.
My current theory is that this is just a marked circuit that hasn't
closed yet, but let's gather more information in case that theory is
wrong.

Diagnostic for 8185.
2017-09-29 09:24:01 -04:00
Nick Mathewson
4e6374c26b Merge remote-tracking branch 'catalyst-oniongit/bug23691' 2017-09-28 19:07:23 -04:00
Taylor Yu
2ae1b7e2db Fix leak in test_util.c
AddressSanitizer found a leak in test_util_decompress_dos_impl().
Fixes bug #23691.
2017-09-28 17:53:38 -05:00
Alexander Færøy
8d6940814a
Better error handling when trying to compress/decompress into empty buffer.
This patch ensures that we return TOR_COMPRESS_BUFFER_FULL in case we
have a input bytes left to process, but are out of output buffer or in
case we need to finish where the compression implementation might need
to write an epilogue.

See: https://bugs.torproject.org/23551
2017-09-28 20:17:41 +02:00
Alexander Færøy
c2fac2c6b0
Enable disabled test that was disabled due to bug #23551
See: https://bugs.torproject.org/23551
2017-09-28 18:58:15 +02:00
Alexander Færøy
44dc4b73ec
Better error handling when trying to compress/decompress into empty buffer.
This patch ensures that we return TOR_COMPRESS_BUFFER_FULL in case we
have a input bytes left to process, but are out of output buffer or in
case we need to finish where the compression implementation might need
to write an epilogue.

See: https://bugs.torproject.org/23551
2017-09-28 18:58:15 +02:00
Alexander Færøy
c3b7f9d762
Fix whitespace issue in compress.c 2017-09-28 18:58:15 +02:00
Alexander Færøy
a196fdb622
Fix typo in buffers.c. 2017-09-28 18:58:09 +02:00
Nick Mathewson
3a073c463d Improve unit test coverage for compression code.
These tests try uncompressing garbage, verify that we won't
make compression bombs, and verify that we won't uncompress
compression bombs.
2017-09-28 12:20:02 -04:00
Nick Mathewson
14614a592e Fix spelling: compressing, not compresing 2017-09-28 12:17:34 -04:00
Nick Mathewson
f71ff0cabc Unit test for case where %included dir exists but is unreadable 2017-09-28 09:49:30 -04:00
Nick Mathewson
5b6f2713cd unit test for config_lines_dup_and_filter 2017-09-28 09:40:17 -04:00
Nick Mathewson
55873107d0 Correct docs for config_lines_dup_and_filter 2017-09-28 09:40:04 -04:00
Nick Mathewson
a64d79ca4c Move around some LCOV_EXCLs in src/common
Apparently, my compiler now generates coverage markers for
label-only lines, so we need to exclude those too if they are meant
to be unreachable.
2017-09-28 09:25:17 -04:00
Nick Mathewson
99e52711bb Add unit test for buf_get_line(). 2017-09-28 08:35:30 -04:00
Nick Mathewson
01d67a9071 Note an unreachable (?) section in buffers.c 2017-09-28 08:35:24 -04:00
Nick Mathewson
f21102c069 Let's get 100% coverage for proto_http while we're at it.
There was some coverage before, but it was mostly accidental.
2017-09-27 21:45:55 -04:00
Nick Mathewson
57f04a482e Test more error cases of our socks code.
Coverage is now respectable. :)
2017-09-27 19:37:36 -04:00
Nick Mathewson
6882e711d0 Add unit tests for SOCKS functions that parse server responses
We use these when we're acting as a SOCKS client, but we'd never
actually written tests for them :/
2017-09-27 18:55:14 -04:00
Nick Mathewson
5418aa84ee socks5 unit tests: add check for ipv6 address type. 2017-09-27 11:23:09 -04:00
Nick Mathewson
04f7873bab Socks tests for bad socks5 username/passwd auth. 2017-09-27 11:16:29 -04:00
Nick Mathewson
14124f82df Mark some tests in parse_socks.c as unreachable (BUG, LCOV)
These tests aren't reachable, given their actual arguments.  I'm
going to mark them as BUG(), and as unreachable with LCOV.
2017-09-27 11:16:20 -04:00
Nick Mathewson
5427365907 testing: test many possible truncated SOCKS commands
Many of the 'truncated command' paths in fetch_from_buf_socks() were
not reached by the tests.  This new unit test tries to check them
exhaustively.
2017-09-27 10:54:56 -04:00
David Goulet
cf75c1af66 hs-v3: Don't fetch descriptor if we have a pending request
If 6 SOCKS requests are opened at once, it would have triggered 6 fetches
which ultimately poke all 6 HSDir. We don't want that, if we have multiple
SOCKS requests for the same service, do one fetch only.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-27 09:24:35 -04:00
George Kadianakis
178a2bbcff prop224: Fix one last instance of get_time_period_num() with now.
When purging last HSDir requests, we used time(NULL) for computing the
service blinded key but in all other places in our codebase we actually
use the consensus times. That can cause wrong behavior if the consensus
is in a different time period than time(NULL).

This commit is required for proper purging of HSDir requests.
2017-09-27 09:24:35 -04:00
George Kadianakis
6051375cca prop224: Update some function docs with the right retval. 2017-09-27 09:24:35 -04:00
Nick Mathewson
a57f495c1a Move ext_or_command tests to test_proto_misc.c
No other code changes.
2017-09-27 09:11:15 -04:00
Nick Mathewson
b8b016940d Add unit tests for var_cell and control0 proto functions. 2017-09-27 09:09:00 -04:00
Taylor Yu
8f8a4c0ced Eat redundant semicolons 2017-09-26 15:12:34 -04:00
David Goulet
40ab25db62 hs-v3: Don't non fatal assert if we can't get the intro extend info
Fixes #23159.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-26 13:55:51 -04:00
Nick Mathewson
6beeb10070 Merge branch 'typecheck4' 2017-09-26 12:26:01 -04:00
Nick Mathewson
49d2346b80 Type bug in shared_random_state -- make sure Version is int.
The confparse field has type UINT, which corresponds to an int
type.  We had uint32_t.

This shouldn't cause trouble in practice, since int happens to
4-bytes wide on every platform where an authority is running.  It's
still wrong, though.
2017-09-26 12:25:34 -04:00
Nick Mathewson
a5b18dfba9 Make the TransProxyType field non-const
The correct type for a STRING confparse value is char *, not const
char *.
2017-09-26 12:25:07 -04:00
Nick Mathewson
4d11a468b2 Correct two state-file variable types.
These should have been int, but we had listed them as unsigned.
That's an easy mistake to make, since "int" corresponds with either
INT or UINT in the configuration file.

This bug cannot have actually caused a problem in practice, since we
check those fields' values on load, and ensure that they are in
range 0..INT32_MAX.
2017-09-26 12:25:01 -04:00
Nick Mathewson
eb54a856a2 Add test to make sure all confparse variables are well-typed
New approach, suggested by Taylor: During testing builds, we
initialize a union member of an appropriate pointer type with the
address of the member field we're trying to test, so we can make
sure that the compiler doesn't warn.

My earlier approach invoked undefined behavior.
2017-09-26 12:24:04 -04:00
Nick Mathewson
1f3db0514e Merge remote-tracking branch 'asn/ticket23645_032_01' 2017-09-26 08:55:59 -04:00
David Goulet
648d5ea67e hs: Improve logging
Also demote a log message that can occur under natural causes
(if the circuit subsystem is missing descriptors/consensus etc.).
The HS subsystem will naturally retry to connect to intro points,
so no need to make that log user-facing.
2017-09-26 13:55:44 +03:00
David Goulet
4190f602bd circuit: Log n_circ_id and global identifier of HS circuits
So we can track them more easily in the logs and match any open/close/free
with those identifiers.

Part of #23645

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-25 16:21:04 -04:00
David Goulet
767b1815e9 circuit: Log circuit identifiers when cannibalizing
This removes the "nickname" of the cannibalized circuit last hop as it is
useless. It now logs the n_circ_id and global identifier so we can match it
with other logging statement.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-25 16:08:11 -04:00
David Goulet
fb4a82c485 circuit: Keep a copy of n_circ_id for logging
Prior to the log statement, the circuit n_circ_id value is zeroed so keep a
copy so we can log it at the end.

Part of #23645

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-25 16:04:30 -04:00
David Goulet
de54e14312 circuit: Closing reason are signed values
Part of #23645

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-25 16:01:12 -04:00
Nick Mathewson
45530ed729 Merge branch 'bug22109' 2017-09-25 14:32:04 -04:00
Nick Mathewson
81c4793232 Make testing rend1_payload variables static
This fixes a clang warning.
2017-09-25 13:26:43 -04:00
Nick Mathewson
90e8d1f58f Merge branch 'bug23539_032_01_squashed' 2017-09-25 11:12:56 -04:00
Nick Mathewson
581e2c8b2c Whitespace fix. 2017-09-25 11:12:45 -04:00
Matt Traudt
7bbc29b0f2 sched: make interval a plain int; initialize with macro 2017-09-25 11:11:30 -04:00
David Goulet
ef2a449cce sched: Make KISTSchedRunInterval non negative
Fixes #23539.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-25 11:11:30 -04:00
Nick Mathewson
777e828ef3 Merge remote-tracking branch 'asn/ticket23420_032_01' 2017-09-25 09:24:36 -04:00
George Kadianakis
03b3f5486a prop224: Add test for parsing RENDEZVOUS1 cell.
Just making sure that added padding does not screw up cell parsing.
2017-09-25 15:00:06 +03:00
Roger Dingledine
8dff23eb34 Assign Exit flag only for ports 80 and 443
Make the "Exit" flag assignment only depend on whether the exit
policy allows connections to ports 80 and 443. Previously relays
would get the Exit flag if they allowed connections to one of
these ports and also port 6667.

Resolves ticket 23637.
2017-09-24 19:27:07 -04:00
Roger Dingledine
a1f31c0671 fix typo 2017-09-22 17:26:29 -04:00
Nick Mathewson
01e984870a Remove an erroneous 0.5 in compute_weighted_bandwidths()
Back in 0.2.4.3-alpha (e106812a77), when we switched from using
double to using uint64 for selecting by bandwidth, I got the math
wrong: I should have used llround(x), or (uint64_t)(x+0.5), but
instead I wrote llround(x+0.5).  That means we would always round
up, rather than rounding to the closest integer

Fixes bug 23318; bugfix on 0.2.4.3-alpha.
2017-09-22 15:29:15 -04:00
Nick Mathewson
22e2c3bf7d Fix check-spaces and a weird copyright. 2017-09-22 12:20:26 -04:00
Nick Mathewson
230a336798 Use setup_full_capture_of_logs for 21800
setup_capture_of_logs() doesn't actually suppress warnings :p
2017-09-22 10:22:47 -04:00
Nick Mathewson
ac3fdb74c2 Remove unused chosen_scheduler_type variable. 2017-09-22 09:56:54 -04:00
Nick Mathewson
122eab78d9 Merge remote-tracking branch 'pastly/bug23552_032_03' 2017-09-22 09:54:41 -04:00
David Goulet
dc5c9af6c3 hs: Avoid possible double circuit close on error
Fixes #23610

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-22 09:09:13 -04:00
Nick Mathewson
91467e04b1 Merge branch 'bug22805_v2_squashed' 2017-09-22 08:58:17 -04:00
Nick Mathewson
95a7e7e925 Stop using CREATE_FAST as a signifier of clienthood.
Relays send it, and we may as well let them.  Part of our fix for
22805.
2017-09-22 08:57:45 -04:00
Nick Mathewson
ceb49c1c5f Use channel_is_client() accessor in channelpadding.c.
Also, allow channel_is_client() to take a const channel.
2017-09-22 08:55:53 -04:00
Nick Mathewson
d1e0e486e9 Stop clearing the is_client flag on channel directly 2017-09-22 08:55:53 -04:00
Nick Mathewson
66aff2d8f3 Remove or_circuit_t.is_first_hop; use channel_is_client() instead
The is_first_hop field should have been called used_create_fast,
but everywhere that we wanted to check it, we should have been
checking channel_is_client() instead.
2017-09-22 08:55:53 -04:00
Matt Traudt
88b317ef28 sched: move code to respect comments
The diff is confusing, but were two static scheduler functions that
needed moving to static comment block.

No code change. Thanks dgoulet for original commit
2017-09-22 08:52:27 -04:00
Matt Traudt
22699e3f16 sched: only log when scheduler type changes
Closes 23552. Thanks dgoulet for original impl
2017-09-22 08:51:22 -04:00
Nick Mathewson
512c57cff9 test_util: capture the log in the correct place. 2017-09-22 08:51:03 -04:00
Nick Mathewson
00d7b60557 Merge branch 'bug21800' 2017-09-21 17:39:54 -04:00
Nick Mathewson
bb9b8e65bb Merge remote-tracking branch 'pastly/bug23581_032_03' 2017-09-21 17:33:10 -04:00
Nick Mathewson
33d44dc4ac Capture "Result does not fit in tor_timegm()" warnings in util tests
Fixes bug 21800; bugfix on 0.2.9.x
2017-09-21 15:32:16 -04:00
David Goulet
7f3dc8327a hs: Avoid possible double circuit close on error
Fixes #23610

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-21 14:38:43 -04:00
David Goulet
1749e07891 hs: Improve comments for when we change timestamps
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-21 14:24:36 -04:00
David Goulet
c20d4db7bf sched: Hard exit if we can't select a scheduler
Fixes #23581

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-21 14:18:42 -04:00
David Goulet
6045bdd4a0 hs: Avoid possible double circuit close on error
Fixes #23610

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-21 13:13:53 -04:00
Nick Mathewson
4c7a89a226 Merge remote-tracking branch 'catalyst-oniongit/bug23607' 2017-09-21 10:58:06 -04:00
Nick Mathewson
c7b7cf8e18 Merge branch 'maint-0.3.1' 2017-09-21 10:39:10 -04:00
Mike Perry
d70a793cfc Bug 23608: Mock time for all channelpadding tests. 2017-09-21 10:36:57 -04:00
Taylor Yu
ad814cad41 Avoid assertion failure for state file clock skew
The clock_skew_warning() refactoring allowed calls from
or_state_load() to control_event_bootstrap_problem() to occur prior
bootstrap phase 0, causing an assertion failure.  Initialize the
bootstrap status prior to calling clock_skew_warning() from
or_state_load().
2017-09-20 18:54:37 -05:00
Taylor Yu
1c017edac3 Use correct sign for state file clock skew
or_state_load() was using an incorrect sign convention when calling
clock_skew_warning() to warn about state file clock skew.  This caused
the wording of the warning to be incorrect about the direction of the
skew.
2017-09-20 18:50:39 -05:00
Nick Mathewson
ac8e26a415 Use correct name for authtype 3 in a comment. 2017-09-20 15:46:21 -04:00
David Goulet
9b4513c5d1 hs: Log the intro point when we clean it up
When we remove an intro point from the service list, log info about it and
some useful data.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-20 13:08:16 -04:00
David Goulet
317dabc57f circuit: Log n_circ_id and global identifier
When we can, log the n circuit id and global identifier for origin circuit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-20 12:52:53 -04:00
Nick Mathewson
2998350122 Merge branch 'bug23080' 2017-09-20 12:12:02 -04:00
Nick Mathewson
f9155ff416 Unit test to make sure that our platform string is parseable
Closes 22109.
2017-09-20 10:10:02 -04:00
Nick Mathewson
ff0aabc35d Merge branch 'maint-0.3.1' 2017-09-20 09:45:07 -04:00
Andreas Stieger
427c2cc9e8 in zstd compression, fix 32 bit build
format '%lu' expects argument of type 'long unsigned int', but argument ... has type 'size_t'

Closes ticket 23568.
2017-09-20 09:43:08 -04:00
Nick Mathewson
427ae164f3 Fix a comment that misunderstood is_canonical
is_canonical doesn't mean "am I connected to the one true address of
this relay"; it means "does this relay tell me that the address I'm
connected to belong to it."  The point is to prevent TCP-based MITM,
not to prevent the relay from multi-homing.

Related to 22890.
2017-09-20 09:41:01 -04:00
Nick Mathewson
c4e8548c59 Warn on ExtORPort USERADDR that is missing or 0.
Diagnoses violations on #23080.
2017-09-20 08:50:49 -04:00
Nick Mathewson
9e0587f806 Merge remote-tracking branch 'dgoulet/ticket23305_032_01' 2017-09-20 08:36:11 -04:00
Nick Mathewson
2c93be80d9 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-09-20 08:32:55 -04:00
Nick Mathewson
746410fb24 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-09-20 08:32:55 -04:00
Nick Mathewson
654820ec1c Merge branch 'maint-0.3.0' into maint-0.3.1 2017-09-20 08:32:55 -04:00
Nick Mathewson
a8f4f5742e Merge branch 'maint-0.3.1' 2017-09-20 08:32:55 -04:00
teor
8e52c46581
Remove longclaw's IPv6 address, as it will soon change
Authority IPv6 addresses were originally added in 0.2.8.1-alpha.

This leaves 3/8 directory authorities with IPv6 addresses, but there
are also 52 fallback directory mirrors with IPv6 addresses.

Resolves 19760.
2017-09-20 14:48:53 +10:00
Matt Traudt
4a3b61a5b3 sched: reorder code to fit comment bodies; comment typos
Closes 23560
2017-09-19 20:13:28 -04:00
Roger Dingledine
1c956ccd5f fix typos/etc found while starting to look at scheduler 2017-09-19 19:55:57 -04:00
Nick Mathewson
6628c95e54 Merge remote-tracking branch 'pastly2/bug23566_032_01' 2017-09-19 19:35:46 -04:00
Matt Traudt
951b9f1fa5 tests: fix transproxy tests on BSD systems 2017-09-19 19:20:55 -04:00
Matt Traudt
a8c54ce581 sched: Allow the new sched to react to new cons 2017-09-19 19:07:48 -04:00
Nick Mathewson
ac73913d40 Merge branch 'bug23583_029' 2017-09-19 14:12:29 -04:00
Nick Mathewson
10ea3343b5 Avoid integer error in TEST_BITOPS tests
If "1" is not 64 bits wide already, then "1 << i" will not actually
work.

This bug only affects the TEST_BITOPS code, and shouldn't matter for
the actual use of the timeout code (except if/when it causes this
test to fail).

Reported by dcb314@hotmail.com.  Fix for bug 23583.  Not adding a
changes file, since this code is never compiled into Tor.
2017-09-19 13:58:35 -04:00
David Goulet
5dea4b565f Add a BASE32_DIGEST_LEN define
Use this value instead of hardcoded values of 32 everywhere. This also
addresses the use of REND_DESC_ID_V2_LEN_BASE32 in
hs_lookup_last_hid_serv_request() for the HSDir encoded identity digest length
which is accurate but semantically wrong.

Fixes #23305.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-19 12:33:04 -04:00
David Goulet
a3f5a24669 hs: Pad RENDEZVOUS1 v3 cell to match length of v2
RENDEZVOUS1 cell is 84 bytes long in v3 and 168 bytes long in v2 so this
commit pads with random bytes the v3 cells up to 168 bytes so they all look
alike at the rendezvous point.

Closes #23420

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-19 09:13:28 -04:00
Nick Mathewson
84d587bed8 Merge remote-tracking branch 'teor/minor-comments' 2017-09-19 08:24:49 -04:00
teor
e77ece3b31
Avoid a compilation warning on macOS in scheduler_ev_add()
This warning is caused by a different tv_usec data type on macOS
compared to the system on which the patch was developed.

Fixes 23575 on 0.3.2.1-alpha.
2017-09-19 16:32:47 +10:00
teor
429d88ad6a
Improve comments around connection_or_client_used() 2017-09-19 14:30:27 +10:00
teor
228d782229
Improve comments formatting in connection.c 2017-09-19 14:30:09 +10:00
Nick Mathewson
6afc924d7e Correct what-is-deprecated-when comments 2017-09-18 15:11:33 -04:00
Nick Mathewson
94a88eaa45 Merge remote-tracking branch 'public/ticket19704' 2017-09-18 15:02:16 -04:00
Nick Mathewson
32858610c7 bump to 0.3.2.1.-alpha-dev 2017-09-18 14:40:13 -04:00
Nick Mathewson
0e85b71066 bump to 0.3.1.7-dev 2017-09-18 14:40:04 -04:00
Nick Mathewson
e78347fcc2 bump to 0.3.0.11-dev 2017-09-18 14:39:55 -04:00
Nick Mathewson
a57f1ff7ab bump to 0.2.9.12-dev 2017-09-18 14:39:46 -04:00
Nick Mathewson
0a72d1c8f1 bump to 0.2.8.15-dev 2017-09-18 14:39:40 -04:00
Nick Mathewson
290274dbb5 Add a cast so that 32-bit compilation goes without errors 2017-09-18 12:44:26 -04:00
Nick Mathewson
a23a168f24 Merge remote-tracking branch 'dgoulet/bug23558_032_01' 2017-09-18 11:02:37 -04:00
David Goulet
c7af923567 sched: BUG() on event_add() and log_warn next_run
It is highly unlikely to happen but if so, we need to know and why. The
warning with the next_run values could help.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-18 10:58:38 -04:00
David Goulet
77cc97cf0a sched: Don't cast to int32_t the monotime_diff_msec() result
When the KIST schedule() is called, it computes a diff value between the last
scheduler run and the current monotonic time. If tha value is below the run
interval, the libevent even is updated else the event is run.

It turned out that casting to int32_t the returned int64_t value for the very
first scheduler run (which is set to 0) was creating an overflow on the 32 bit
value leading to adding the event with a gigantic usec value. The scheduler
was simply never running for a while.

First of all, a BUG() is added for a diff value < 0 because if the time is
really monotonic, we should never have a now time that is lower than the last
scheduler run time. And we will try to recover with a diff value to 0.

Second, the diff value is changed to int64_t so we avoid this "bootstrap
overflow" and future casting overflow problems.

Fixes #23558

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-18 10:55:54 -04:00
Nick Mathewson
aaf0fa6d11 Merge branch 'maint-0.3.1' 2017-09-18 10:48:31 -04:00
Nick Mathewson
63ae9ea316 Make hs_ntor_ref.py work with python3 2017-09-18 10:48:28 -04:00
Nick Mathewson
d9dccb00cc Bump to 0.3.2.1-alpha 2017-09-18 10:30:41 -04:00
Nick Mathewson
c7d0096f9d Merge branch 'maint-0.3.1' 2017-09-18 09:42:30 -04:00
Nick Mathewson
23c4592ee9 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-09-18 09:40:40 -04:00
Nick Mathewson
314652dc16 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-09-18 09:39:46 -04:00
Nick Mathewson
09ea89764a Fix log-uninitialized-stack bug in rend_service_intro_established.
Fixes bug 23490; bugfix on 0.2.7.2-alpha.

TROVE-2017-008
CVE-2017-0380
2017-09-18 09:32:41 -04:00
Nick Mathewson
4a2cbea6ce Fix log-uninitialized-stack bug in rend_service_intro_established.
Fixes bug 23490; bugfix on 0.2.7.2-alpha.

TROVE-2017-008
CVE-2017-0380
2017-09-18 09:27:07 -04:00
Nick Mathewson
dd8eeabfd1 Fix memory leak in tor-gencert.c
This was introduced in 4ff170d7b1, and is probably
unreachable, but coverity complained about it (CID 1417761). Bug not
in any released Tor, so no changes file.
2017-09-17 20:42:28 -04:00
Nick Mathewson
4519b7b469 kist_no_kernel_support is unused when we didn't detect it.
So, remove it.
2017-09-15 16:44:05 -04:00
Nick Mathewson
f4af1919ab Replace accumulated C ;;s with ;s
I don't know where these came from.
2017-09-15 16:43:17 -04:00
Nick Mathewson
76c33f7ff4 Merge branch 'scan-build-032' 2017-09-15 16:40:11 -04:00
Nick Mathewson
c1deabd3b0 Run our #else/#endif annotator on our source code. 2017-09-15 16:24:44 -04:00
Nick Mathewson
7a597718bb Split some long #if lines to make the #endif annotator happy 2017-09-15 16:24:21 -04:00
Nick Mathewson
639766dbc3 Merge branch 'maint-0.3.1'
Resolve conflict with 23532 code.
2017-09-15 14:40:35 -04:00
Nick Mathewson
a01e4a1a95 kist: Cast, then do operations on int32.
Otherwise integer overflows can happen.  Remember, doing a i32xi32
multiply doesn't actually produce a 64-bit output.  You need to do
i64xi32 or i64xi64.

Coverity found this as CID 1417753
2017-09-15 14:30:19 -04:00
Nick Mathewson
9201e4c74b Merge branch 'bug23487_029' 2017-09-15 14:27:58 -04:00
Nick Mathewson
75659fd548 Use different variable names for pw_uid usages
Catalyst points out that using pw_uid for two different purposes
here is likely to be confusing.
2017-09-15 14:26:59 -04:00
Nick Mathewson
03e102c1bb Make netinet/tcp include conditional too: windows lacks it. 2017-09-15 14:08:51 -04:00
Nick Mathewson
44fa866621 fix some 32-bit warnings about printf arguments 2017-09-15 14:02:08 -04:00
Nick Mathewson
37302e64a4 Merge branch 'remove_allow_dotexit_v2' 2017-09-15 12:10:47 -04:00
Nick Mathewson
f02fd6c3af Remove AllowDotExit.
It's been deprecated since 0.2.9.2-alpha.  Closes ticket 23426.
2017-09-15 12:09:33 -04:00
Nick Mathewson
fea2d84ce3 wrap a wide comment 2017-09-15 12:03:08 -04:00
Nick Mathewson
0f4f40b70f Merge remote-tracking branch 'dgoulet/ticket12541_032_02' 2017-09-15 12:00:50 -04:00
Nick Mathewson
962b0b849b Merge remote-tracking branch 'dgoulet/ticket19254_032_01' 2017-09-15 11:52:10 -04:00
Matt Traudt
ae9e6b547d sched: add comment about how we determine if a socket should write 2017-09-15 11:40:59 -04:00
Matt Traudt
501c58187d sched: add more per-socket limit documentation; int fix 2017-09-15 11:40:59 -04:00
David Goulet
513d642a66 sched: Revert IF_BUG_ONCE() to tor_assert()
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
1033e14a69 sched: Define SCHEDULER_KIST_PRIVATE for more encapsulation
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
c910610701 sched: Improve logging if KIST is disabled
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
0d0b677b64 test: Fix unit tests with latest scheduler changes
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
734dbfa590 sched: Make the scheduler object static
Each type of scheduler implements its own static scheduler_t object and
returns a reference to it.

This commit also makes it a const pointer that is it can only change inside
the scheduler type subsystem but not outside for extra protection.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
bd34a0d30f sched: Compare channel pointer in the socket table
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
e0984b8a51 sched: Make the outbuf table local to run()
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
ba08f8a4ed sched: Make check-spaces happy
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
3d2d8d6841 sched: Extra careful in channel_outbuf_length()
In case we don't have a connection object in the channel, just be careful and
recover.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
14cd8bdd4b sched: Don't expose the global scheduler libevent object
Instead, add wrappers to do the needed action the different scheduler needs
with the libevent object.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
84d18f70f3 sched: Always call on_channel_free() regardless of state
A channel can bounce in the scheduler and bounce out with the IDLE state which
means that if it came in the scheduler once, it has socket information that
needs to be freed from the global hash table.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
7cc9621d11 sched: Add Schedulers torrc option
This option is a list of possible scheduler type tor can use ordered by
priority. Its default value is "KIST,KISTLite,Vanilla" which means that KIST
will be used first and if unavailable will fallback to KISTLite and so on.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
Matt Traudt
6ff8c86ac6 sched: change most asserts to non-fatal BUGs 2017-09-15 11:40:59 -04:00
Matt Traudt
4bc97c6431 sched: revisist compatibility on non-linux systems
Wrap things in HAVE_KIST_SUPPORT until Tor compiles and tests cleanly on
my OS X machine.
2017-09-15 11:40:59 -04:00
Matt Traudt
8ccb2c106a sched: rename scheduler to the_scheduler 2017-09-15 11:40:59 -04:00
Matt Traudt
7f1d643083 sched: validate KIST sched options 2017-09-15 11:40:59 -04:00
Matt Traudt
61fc9c41ad sched: switch to monotonic time; add/fix comments, style, and logs msgs 2017-09-15 11:40:59 -04:00
David Goulet
6e598bbcd8 sched: Add sandbox support for KIST
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
a06f2a0509 sched: Fallback to naive approach if no runtime KIST support
It is possible that tor was compiled with KIST support but the running kernel
has no support for it. In that case, fallback to a naive approach and flag
that we have no kernel support.

At this commit, if the kernel support is disabled, there are no ways to come
back from it other than restarting tor with a kernel that supporst KIST.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
David Goulet
8424c4f35b sched: Detect KIST support at compile time
Add a detection for the KIST scheduler in our build system and set
HAVE_KIST_SUPPORT if available.

Adapt the should use kist function with this new compile option.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
Matt Traudt
dde358667d sched: Implement the KIST scheduler
Closes #12541

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
Matt Traudt
2034e0d1d4 sched: Groundwork before KIST implementation
- HT_FOREACH_FN defined in an additional place because nickm did that
  in an old kist prototype
- Make channel_more_to_flush mockable for future sched tests
- Add empty scheduler_{vanilla,kist}.c files and put in include.am

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
Matt Traudt
b2c56eacdd sched: Remove vanilla sched options that will be going away
- massive change to src/tgest/test_options.c since the sched options
  were added all over the place in it
- removing the sched options caused some tests to pass/fail in new ways
  so I assumed current behavior is correct and made them pass again
   - ex: "ConnLimit must be greater" lines
   - ex: "Authoritative directory servers must" line
- remove test_options_validate__scheduler in prep for new sched tests

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 11:40:59 -04:00
Nick Mathewson
e88fb4f4f8 Merge remote-tracking branch 'catalyst-oniongit/bug23532' 2017-09-15 11:17:18 -04:00
Taylor Yu
e31a7be161 Make NETINFO clock skew detection work on clients
An unnecessary routerlist check in the NETINFO clock skew detection in
channel_tls_process_netinfo_cell() was preventing clients from
reporting NETINFO clock skew to controllers.
2017-09-15 09:49:53 -05:00
Taylor Yu
37fed742d1 Refactor channeltls.c lightly
Refactor some repetitive deep indirections in several functions in
channeltls.c into local variables.
2017-09-15 09:49:53 -05:00
Nick Mathewson
e05414d241 Fix several places where md-using relays would get wrong behavior.
This patch replaces a few calls to router_get_by_id_digest ("do we
have a routerinfo?") with connection_or_digest_is_known_relay ("do
we know this relay to be in the consensus, or have been there some
time recently?").

Found while doing the 21585 audit; fixes bug 23533.  Bugfix on
0.3.0.1-alpha.
2017-09-15 09:35:59 -04:00
Nick Mathewson
b440560b8b bump to 0.3.1.7 2017-09-15 09:33:32 -04:00
Nick Mathewson
2c9f8badbd repair test_key_expiration.sh 2017-09-15 09:04:22 -04:00
Nick Mathewson
a213a32b7c Merge remote-tracking branch 'dgoulet/ticket23310_032_02' 2017-09-15 09:01:22 -04:00
Nick Mathewson
7facfc728e Merge branch 'bug23488' 2017-09-15 08:58:20 -04:00
David Goulet
21564c93ce test: Make check-spaces happy
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 08:34:56 -04:00
David Goulet
44ee5037ea fixup! test: Add HS v3 client-side test for picking intro points
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 08:34:30 -04:00
Nick Mathewson
123337bbc9 Merge remote-tracking branch 'teor/ticket23528' 2017-09-15 08:15:36 -04:00
Nick Mathewson
72391fce23 Merge remote-tracking branch 'teor/bug23524' 2017-09-15 08:13:45 -04:00
George Kadianakis
5cc80692b8 prop224: Fix memleak in client_get_random_intro().
The memleak was occuring because of the way ExcludeNodes is handled in
that function. Basically, we were putting excluded intro points extend
infos in a special variable which was never freed. Also, if there were
multiple excluded intro points then that variable was overwritten
everytime leaking more memory. This commit should fix both issues.
2017-09-15 12:46:26 +03:00
George Kadianakis
e9b4624cc5 test: Add HS v3 client-side test for picking intro points
This commit adds a pretty advanced test for the client-side making sure that
picking intro is done properly.

This unittest also reveals a memleak on the client_pick_intro() function which
is fixed by the subsequent commit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 12:46:26 +03:00
George Kadianakis
29aa400908 test: Improve HS v3 helper for building intro points.
Valid intro points need both legacy key and ipv4.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 12:46:26 +03:00
David Goulet
75ec72f24d test: Unit test for the hs indexes
Using a test vector in python, test both hs_build_hsdir_index() and
hs_build_hs_index().

This commit also adds the hs_build_address.py to EXTRA_DIST which was missing.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-15 12:46:26 +03:00
George Kadianakis
715a8ea81c prop224 test: Enrich the client_service_hsdir_set_sync() test.
Do two major improvements:

a) Make the client pick 6 HSDirs instead of just 1 and make sure they
   all match the service's HSDirs.

b) Test two additional missing scenarios borrowed from the
   test_reachability() test.
2017-09-15 12:46:26 +03:00
teor
42e7d0ea14
Explain the restrictions on divisor in round*_to_next_multiple_of
Closes 23528.
2017-09-15 16:06:17 +10:00
teor
6e87c0b23e
Avoid an instance of the bug warning in any_bridge_descriptors_known()
Part of 23524.
2017-09-15 14:17:41 +10:00
teor
61b5d05358
Make control port download status next attempts consistent
Make download status next attempts reported over the control port
consistent with the time used by tor. This issue only occurs if a
download status has not been reset before  it is queried over the
control port.

Fixes 23525, not in any released version of tor.
2017-09-15 14:11:34 +10:00
teor
033691212a
Make an assert into a BUG warning in the bridge code
If future code asks if there are any running bridges, without checking
if bridges are enabled, log a BUG warning rather than crashing.

Fixes 23524 on 0.3.0.1-alpha
2017-09-15 14:02:22 +10:00
teor
d60e7df2da
Explain where bridge download statuses are initialised
And why we can't initialise them on config

Comment-only change, follow-up to 23347.
2017-09-15 13:50:29 +10:00
Nick Mathewson
d6568bad5e Merge branch 'bug23499' 2017-09-14 17:18:38 -04:00
Nick Mathewson
348b225bd8 version bump: 0.3.0.11 2017-09-14 13:20:52 -04:00
Nick Mathewson
3c6d4fe046 version bump: 0.2.9.12 2017-09-14 13:20:29 -04:00
Nick Mathewson
26f68dfcef version bump: 0.2.8.15 2017-09-14 13:20:14 -04:00
Nick Mathewson
471e0096ad Merge branch 'maint-0.3.0' into maint-0.3.1 2017-09-14 10:15:38 -04:00
Nick Mathewson
fecad31f10 Merge branch 'maint-0.3.1' 2017-09-14 10:15:38 -04:00
Martin Kepplinger
a971018f6d entrynodes.c: fix syntax error around BUG() statement
Fix those misplaced brackets.

Signed-off-by: Martin Kepplinger <martink@posteo.de>
2017-09-14 10:14:44 -04:00
Nick Mathewson
72b802001c Merge remote-tracking branch 'catalyst-oniongit/skew' 2017-09-14 09:49:11 -04:00
Taylor Yu
c0195ccb79 Refactor clock skew handling in networkstatus.c
Move the consensus clock skew handling in
networkstatus_set_current_consensus() to clock_skew_warning().
2017-09-14 08:25:27 -05:00
Taylor Yu
449bb2351e Make trusted clock skew a bootstrap warning
Make clock skew events based on trusted sources produce a bootstrap
warning so controllers can more easily alert users about clock skew
problems.
2017-09-14 08:25:27 -05:00
Taylor Yu
818332e7f1 Refactor control_event_bootstrap_problem
Change the contract of control_event_bootstrap_problem() to be more
general and to take a connection_t.  New function
control_event_bootstrap_prob_or() has the specific or_connection_t
funcionality previously used.
2017-09-14 08:25:27 -05:00
Nick Mathewson
fde18fed60 Merge branch 'bug23019_squashed' 2017-09-14 09:13:28 -04:00
George Kadianakis
0ac2afad0d prop224 client-side: Start validating onion address pubkeys.
Fix the test_build_address() test and its test vectors python script.
They were both using a bogus pubkey for building an HS address which
does not validate anymore.

Also fix a few more unittests that were using bogus onion addresses
and were failing the validation. I replaced the bogus address with
the one generated from the test vector script.
2017-09-14 09:13:11 -04:00
Nick Mathewson
63af663b8c Remove a download_status_reset() call that led to a crash -- see 23347 2017-09-14 08:47:11 -04:00
Nick Mathewson
98c103d91d Rename write_http_status_line, since it does more now. 2017-09-14 08:39:08 -04:00
Nick Mathewson
2385e3f667 Make missing reason_phrase into a BUG(). 2017-09-14 08:34:58 -04:00
Nick Mathewson
3de63fe4b1 Merge branch 'maint-0.3.1' 2017-09-14 07:58:11 -04:00
Nick Mathewson
6fc47062af Merge remote-tracking branch 'mikeperry/bug23077' into maint-0.3.1 2017-09-14 07:57:14 -04:00
Roger Dingledine
771fb7e7ba get rid of the scary 256-byte-buf landmine 2017-09-14 03:04:20 -04:00
Roger Dingledine
eb429232ef Make dir servers include a "Date:" http header more often
Directory servers now include a "Date:" http header for response
codes other than 200. Clients starting with a skewed clock and a
recent consensus were getting "304 Not modified" responses from
directory authorities, so without a Date header the client would
never hear about a wrong clock.

Fixes bug 23499; bugfix on 0.0.8rc1.
2017-09-14 03:02:37 -04:00
Roger Dingledine
dcd0aea85e get rid of a case where we might log a NULL as %s
this doesn't happen in our current code, and now it can't
2017-09-13 22:43:31 -04:00
Roger Dingledine
3247518f22 fix a copy-pasta issue from long ago 2017-09-13 22:28:06 -04:00
Mike Perry
361014255f Bug 23077: Make channelpadding tests use mocked time. 2017-09-14 01:18:30 +00:00
Nick Mathewson
00bf4ed592 Merge branch 'bug23466_squashed' 2017-09-13 14:54:56 -04:00
George Kadianakis
6b794c7ed0 prop224 test: Test client desc expiration in tests.
We enrich the test_client_cache() test in two ways:

a) We check that transitioning time periods also cleans up expired
   descriptors in client memory.

b) We test hs_cache_lookup_as_client() instead of
   lookup_v3_desc_as_client(). The former is a higher level function
   which calls the latter and allows us to test deeper into the
   subsystem.
2017-09-13 14:54:49 -04:00
George Kadianakis
cf8a2b1567 prop224: Set stricter expiration time of cached client descriptors.
In #23466 we discovered that cached descriptors can stay around on the
client-side for up to 72 hours. In reality we only want those descs to
get cached for the duration of the current time period, since after that
TP is gone the client needs to compute a new blinded key to use for the HS.

In this commit we start using the consensus time (if available) when
cleaning up cached client descriptor entries. That makes sense because
the client uses consensus time anyway for connecting to hidden
services (e.g. computing blinded keys and time periods).

If no recent consensus is available, we consider descriptors to be
expired since we will want to fetch new ones when we get a live
consensus to avoid the Roger bug. If we didn't do that, when Roger
desuspends his laptop there would be a race between Tor fetching a new
consensus, and Tor connecting to the HS which would still cause
reachability issues.

We also turned a rev counter check into a BUG, since we should never
receive a descriptor with a strictly smaller rev counter than the one we
already have, except if there is a bug or if the HSDir wants to mess
with us. In any case, let's turn this into a BUG so that we can detect
and debug such cases easily.
2017-09-13 14:54:49 -04:00
Nick Mathewson
dcaf971a01 Merge remote-tracking branch 'teor/bug23470-029' 2017-09-13 09:20:19 -04:00
Nick Mathewson
4ff170d7b1 Fix warnings about passing uninitialized buffers into functions
Most of these buffers were never actually inspected, but it's still
bad style.
2017-09-12 21:32:42 -04:00
Nick Mathewson
491b6de168 Do not cast junk to an ed25519 key in test. 2017-09-12 21:32:42 -04:00
Nick Mathewson
7a4f4c35fa Fix unit test that likes to cast integers to void* 2017-09-12 21:32:42 -04:00
Nick Mathewson
f2f729e26b Clear up dead-assignment warnings from scan-build 2017-09-12 21:32:34 -04:00
teor
c86013291b
Stop relays calling directory_fetches_from_authorities on dir downloads
This change refactors find_dl_schedule() to only call dependent functions
as needed. In particular, directory_fetches_from_authorities() only needs
to be called on clients.

Stopping spurious directory_fetches_from_authorities() calls on every
download on public relays has the following impacts:
* fewer address resolution attempts, particularly those mentioned in 21789
* fewer descriptor rebuilds
* fewer log messages, particularly those limited in 20610

Fixes 23470 in 0.2.8.1-alpha.
The original bug was introduced in commit 35bbf2e as part of prop210.
2017-09-13 09:46:17 +10:00
Nick Mathewson
c3892a582f exit with nonzero status if certificate expiration dump fails
Fixes bug 23488.

Bugfix on b2a7e8df900eabe41d6e866f; bug not in any released Tor.
2017-09-12 19:05:33 -04:00
Nick Mathewson
db00f24d8b Return the actual number of hops in cpath_get_n_hops()
Bug not in any version of tor.

Found with clang's scan-build.
2017-09-12 19:03:04 -04:00
Nick Mathewson
a4847ffa91 clang scan-build: Fix "dead increment" warnings.
For the most part, these indicated a spot where the code could have
been better.
2017-09-12 19:03:04 -04:00
Nick Mathewson
0f58e17313 clang scan-build: Fix "dereference of null pointer" warnings
These warnings are all in the tests, and happen because something
that one part of the code checks for null-ness is later
dereferenced.
2017-09-12 19:03:04 -04:00
Daniel Pinto
ade9baaf9b Fix memory leak when options_init_from_string returns error #22605 2017-09-12 23:07:06 +01:00
Nick Mathewson
7ee486c15f Log correctly on owner/user mismatch.
Found with clang's scan-build while looking at dead assignments.

Fixes bug 23487; bugfix on 1135405c8c in 0.2.9.1-alpha
2017-09-12 17:37:25 -04:00
Nick Mathewson
dedafe95fe Merge branch 'maint-0.2.9' into maint-0.3.0 2017-09-12 17:09:47 -04:00
Nick Mathewson
eb078a3bd5 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-09-12 17:09:47 -04:00
Nick Mathewson
3092c8bb3e Merge branch 'maint-0.3.1' 2017-09-12 17:09:47 -04:00
Nick Mathewson
6ff6738963 Remove redundant items from testing_tor_network_defaults
These items were listed in testing_tor_network_defaults, but had the
same defaults as with the regular settings.

Closes ticket 22532.
2017-09-12 16:23:37 -04:00
Nick Mathewson
de6f121b59 Deprecate ReachableDirAddresses and ClientPreferIPv6DirPort
Closes ticket 19704.
2017-09-12 16:12:15 -04:00
Nick Mathewson
d9e2db1efd Avoid sscanf() warnings from openbsd in the unit tests
OpenBSD doesn't like tricks where you use a too-wide sscanf argument
for a too-narrow array, even when you know the input string
statically.  The fix here is just to use bigger buffers.

Fixes 15582; bugfix on a3dafd3f58 in 0.2.6.2-alpha.
2017-09-12 16:01:12 -04:00
David Goulet
6b4eace248 hs-v3: Stall SOCKS connection when no live consensus available
Fixes #23481

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-12 21:34:26 +03:00
George Kadianakis
f13ca360c9 prop224: Improve docs in time period funcs. 2017-09-12 21:17:35 +03:00
Nick Mathewson
d71a00e91f Merge remote-tracking branch 'dgoulet/ticket23480_032_01' 2017-09-12 11:20:27 -04:00
Nick Mathewson
6c5c74e11e Merge remote-tracking branch 'asn/bug23457_032_01' 2017-09-12 11:10:48 -04:00
David Goulet
98953b1fc2 hs-v3: Rate limit some log statements
Also fix an indentation issue.

Closes #23480

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-12 11:03:13 -04:00
David Goulet
184bd22586 hs: Fix digest256 to base64 issue in a log statement
Part of #23480.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-12 11:03:13 -04:00
Nick Mathewson
26d462c1f0 Merge branch 'ticket21031' 2017-09-12 10:43:34 -04:00
Nick Mathewson
4027bd2e96 Merge branch 'bug23347_squashed' 2017-09-12 10:38:35 -04:00
teor
1b5e34badb Add a missing bridge download status reset
17750 made unused download schedules automatically reset.
But we should make that explicit.
2017-09-12 10:38:25 -04:00
teor
93a8ed3b83 Make clients wait to refresh bridges when they have a recent descriptor
But when clients are just starting, make them try each bridge a few times
before giving up on it.

These changes make the bridge download schedules more explicit: before
17750, they relied on undocumented behaviour and specific schedule
entries. (And between 17750 and this fix, they were broken.)

Fixes 23347, not in any released version of tor.
2017-09-12 10:38:25 -04:00
teor
6370fb77c5 Refactor bridge download statuses to increment on attempt
We were always incrementing bridge download statuses on each attempt,
but we were using the "increment on failure" functions to do it.
And we never incremented them on failure.

No behaviour change.
2017-09-12 10:38:25 -04:00
teor
97249c4f5e Make bridge clients download bridge descriptors immediately
The download schedule tells Tor to wait 15 minutes before downloading
bridge descriptors. But 17750 made Tor ignore that and start immediately.
Since we fixed 17750, Tor waits 15 minutes for bridge client bootstrap,
like the schedule says.

This fixes the download schedule to start immediately, and to try each
bridge 3 times in the first 30 seconds. This should make bridge bootstraps
more reliable.

Fixes 23347.
2017-09-12 10:38:25 -04:00
Nick Mathewson
8eef7fc845 Merge branch 'maint-0.3.1' 2017-09-12 10:30:54 -04:00
Nick Mathewson
befddf6d2a Merge branch 'ticket17857_squashed' into maint-0.3.1 2017-09-12 10:29:00 -04:00
Mike Perry
6d221c8f37 Ticket #17857: Apply padding off-switch to existing connections. 2017-09-12 10:28:45 -04:00
Nick Mathewson
035fe2d208 Remove named_map and unnamed_map from networkstatus.c 2017-09-12 09:56:42 -04:00
Neel Chauhan
42b5e3cbb7 Remove networkstatus_nickname_is_unnamed() 2017-09-12 09:52:07 -04:00
Nick Mathewson
2bfc490c1e Merge remote-tracking branch 'teor/ticket22437' 2017-09-12 09:30:33 -04:00
Nick Mathewson
0729ba2868 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-09-12 09:23:57 -04:00
Nick Mathewson
bac160b4e0 One more implicit fallthrough warning to fix on GCC 7 2017-09-12 09:22:50 -04:00
Nick Mathewson
5bb4e0c88d Whoops -- options_trial_assign() was calling get_options() in #22281
So, move the get_options() call.
2017-09-12 08:40:13 -04:00
teor
d7d8d2c20e
Add v3 hidden service support to make test-network-all
Requires chutney master 50f64ea or later.

Implements ticket 22437.
2017-09-12 17:08:28 +10:00
David Goulet
7150214baf hs-v3: Cancel active descriptor directory connections before uploading
It is possible that two descriptor upload requests are launched in a very
short time frame which can lead to the second request finishing before the
first one and where that first one will make the HSDir send back a 400
malformed descriptor leading to a warning.

To avoid such, cancel all active directory connections for the specific
descriptor we are about to upload.

Note that this race is still possible on the HSDir side which triggers a log
info to be printed out but that is fine.

Fixes #23457

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-12 01:32:04 +03:00
Nick Mathewson
6e4967ef03 Merge remote-tracking branch 'dgoulet/ticket23462_032_01' 2017-09-11 17:57:31 -04:00
Nick Mathewson
2b26815e09 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-09-11 17:49:18 -04:00
Andreas Stieger
6cd5a80275 Fix GCC 7 -Wimplicit-fallthrough warnings
Add magic comments recognized by default -Wimplicit-fallthrough=3
or break, as required.
2017-09-11 17:47:04 -04:00
Andreas Stieger
b81a2e8f46 Fix GCC 7 -Wimplicit-fallthrough warnings (32 bit)
Add magic comments recognized by default -Wimplicit-fallthrough=3
Follow-up to e5f464, fixes Ticket 22446 for 32 bit.

[nick notes: Backport from 0.3.1.3-alpha.]
2017-09-11 17:45:07 -04:00
Nick Mathewson
b719fa7efe downgrade warning for #23465 2017-09-11 16:50:43 -04:00
Nick Mathewson
c5a5597572 spelling 2017-09-11 16:48:27 -04:00
Nick Mathewson
2a1ddd78da Merge remote-tracking branch 'dgoulet/bug23455_032_01' 2017-09-11 16:32:40 -04:00
Nick Mathewson
c894e9d3d4 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-09-11 16:29:10 -04:00
Nick Mathewson
6a49e3360b Fix mixed-sign comparison warning in fix for 22797. 2017-09-11 16:29:06 -04:00
Nick Mathewson
a25d97e530 Merge branch 'teor-bug22797-025' into maint-0.2.9 2017-09-11 16:28:59 -04:00
Nick Mathewson
b9ecb522fc Merge branch 'ticket22281_squashed' 2017-09-11 16:23:24 -04:00
Nick Mathewson
c4cb969a2a Taboo the get_options() function while options are validating
When option validation or transition is happening, there are no
"current options" -- only "old options" and "maybe new options".
Looking at get_options() is likely a mistake, so have a nonfatal
assertion let us know if we do that.

Closes 22281.
2017-09-11 16:23:16 -04:00
Nick Mathewson
fca590a63f Merge branch 'ticket23304_032_01_squashed' 2017-09-11 16:13:55 -04:00
David Goulet
00967cd2a8 prop224: Log undecodable descriptor when SafeLogging is off
Closes #23304

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-11 16:13:46 -04:00
David Goulet
84bb5cb1f1 circuit: Add a log info when marking for close
Closes #23462

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-11 16:10:18 -04:00
David Goulet
59072d2027 test: Fix memleaks
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-11 14:39:24 -04:00
Nick Mathewson
52c40330c8 Merge branch 'maint-0.3.1' 2017-09-11 13:49:20 -04:00
Nick Mathewson
72ea4a8f08 Extract the important parts of the run-pending-timers function.
Our unit tests will need this, so that they can simulate advancing
time without getting libevent involved.
2017-09-11 13:48:39 -04:00
David Goulet
b71f4ecb8d hs: Handled REND_JOINED circuit when getting an INTRODUCE_ACK
Because we can get a RENDEZVOUS2 cell before the INTRODUCE_ACK, we need to
correctly handle the circuit purpose REND_JOINED that is not change its
purpose when we get an INTRODUCE_ACK and simply close the intro circuit
normally.

Fixes #23455

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-11 13:38:58 -04:00
Nick Mathewson
3124c921e7 Split the behavior of node_supports_ed25519_link_authentication().
Before, this function meant "can we connect to this node and
authenticate it using its ed25519 key?"  Now it can additionally
mean, "when somebody else connects to this node, do we expect that
they can authenticate using the node's ed25519 key"?

This change lets us future-proof our link authentication a bit.

Closes ticket 20895.  No backport needed, since ed25519 link
authentication support has not been in any LTS release yet, and
existing releases with it should be obsolete before any releases
without support for linkauth=3 are released.
2017-09-11 10:00:11 -04:00
Nick Mathewson
362bc880b1 Add a function to check for support for "protocol X or later"
Also, add unit tests for this new function and for the regular
"does this list include support for protocol X" code.
2017-09-11 09:50:31 -04:00
Nick Mathewson
2df7f1d59d Merge branch 'ed25519_lookup' 2017-09-08 12:18:22 -04:00
Nick Mathewson
ca19a95d54 Merge remote-tracking branch 'dgoulet/ticket23355_032_01' 2017-09-08 12:13:48 -04:00
Nick Mathewson
2264172fb3 Merge remote-tracking branch 'asn/bug23387_squashed' 2017-09-08 12:09:02 -04:00
George Kadianakis
0307e7e0e7 test: Test that client picks the right HSDir for service.
This test is important because it tests that upload_descriptor_to_all()
is in synch with pick_hsdir_v3(). That's not the case for the
reachability test which just compares the responsible hsdir sets.
2017-09-08 19:07:00 +03:00
George Kadianakis
e0371935a1 prop224: Pick the right hsdir index based on descriptor.
There was a bug in upload_descriptor_to_all() where we picked between
first and second hsdir index based on which time segment we are. That's
not right and instead we should be uploading our two descriptors using a
different hsdir index every time. That is, upload first descriptor using
first hsdir index, and upload second descriptor using second hdsir index.

Also simplify stuff in pick_hdsir_v3() since that's only used to fetch
descriptors and hence we can just always use the fetch hsdir index.
2017-09-08 19:07:00 +03:00
George Kadianakis
e7bdb9eedc prop224: hs_time_between_tp_and_srv() -> hs_in_period_between_tp_and_srv()
Conflicts:
	src/or/nodelist.c
2017-09-08 19:07:00 +03:00
George Kadianakis
eb81a8e69c prop224: 'is_new_tp' -> 'use_second_hdsir_index' in hs_get_responsible_hsdirs() 2017-09-08 19:07:00 +03:00
David Goulet
6c6ba07517 test: Improve our rotation and build descriptor tests
Because of the latest changes on when we rotate, longer lifetime of
descriptors and no more overlap period, the tests needed to be improved to
test more functionnalities.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-08 19:07:00 +03:00
David Goulet
f2c93f9943 test: Fix use out of scope and consensus timings
First, this fixes #23372.

Second, the consensus timings for the build descriptor have been changed to
the current test can pass. More extensive tests of descriptor rotation are
coming in a commit near you because the rotation and time period logic has
been changed.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-08 19:07:00 +03:00
David Goulet
87585ebd2d test: Add an HS v3 reachability unit test
This is a large and important unit test for the hidden service version
3! It tests the service reachability for a client using different
consensus timings and makes sure that the computed hashring is the same
on both side so it is actually reachable.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-08 19:07:00 +03:00
David Goulet
4d38731e93 prop224: Make client and service pick same HSDir
With the latest change on how we use the HSDir index, the client and service
need to pick their responsible HSDir differently that is depending on if they
are before or after a new time period.

The overlap mode is active function has been renamed for this and test added.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-08 19:07:00 +03:00
David Goulet
cd07af60c9 prop224: Expand the overlap period concept to be a full SRV protocol run
Because of #23387, we've realized that there is one scenario that makes
the client unable to reach the service because of a desynch in the time
period used. The scenario is as follows:

  +------------------------------------------------------------------+
  |                                                                  |
  | 00:00      12:00       00:00       12:00       00:00       12:00 |
  | SRV#1      TP#1        SRV#2       TP#2        SRV#3       TP#3  |
  |                                                                  |
  |  $==========|-----------$===========|-----------$===========|    |
  |                                    ^ ^                           |
  |                                    C S                           |
  +------------------------------------------------------------------+

In this scenario the HS has a newer consensus than the client, and the
HS just moved to the next TP but the client is still stuck on the old
one. However, the service is not in any sort of overlap mode so it
doesn't cover the old TP anymore, so the client is unable to fetch a
descriptor.

We've decided to solve this by extending the concept of overlap period
to be permanent so that the service always publishes two descriptors and
aims to cover clients with both older and newer consensuses. See the
spec patch in #23387 for more details.
2017-09-08 19:07:00 +03:00
David Goulet
b586de78e3 prop224: Use fetch and store HSDir indexes.
Based on our #23387 findings, it seems like to maintain 24/7
reachability we need to employ different logic when computing hsdir
indices for fetching vs storing. That's to guarantee that the client
will always fetch the current descriptor, while the service will always
publish two descriptors aiming to cover all possible edge cases.

For more details see the next commit and the spec branch.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-08 19:06:56 +03:00
Nick Mathewson
926914a09c Merge remote-tracking branch 'dgoulet/bug23429_032_01' 2017-09-08 09:01:39 -04:00
Nick Mathewson
c151f46445 Merge branch 'ticket20119' 2017-09-08 08:56:53 -04:00
Nick Mathewson
f5092e711f Merge branch 'maint-0.2.9' into maint-0.3.0 2017-09-08 08:24:47 -04:00
Nick Mathewson
7a83cf75dc Merge branch 'maint-0.3.0' into maint-0.3.1 2017-09-08 08:24:47 -04:00
Nick Mathewson
ad3f0953e6 Merge branch 'maint-0.3.1' 2017-09-08 08:24:47 -04:00
Nick Mathewson
3cace828a9 Merge branch 'bug22644_029' into maint-0.2.9 2017-09-08 08:24:36 -04:00
Nick Mathewson
eebfe4f539 Merge branch 'ticket22731' 2017-09-08 08:11:11 -04:00
Nick Mathewson
1b1eeb0fb9 Merge branch 'feature23237' 2017-09-08 08:10:15 -04:00
Nick Mathewson
22e6880296 Merge branch 'ticket22377' 2017-09-08 08:06:44 -04:00
Nick Mathewson
a9d4df9a08 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-09-07 15:18:01 -04:00
Nick Mathewson
54fb1d0f7f Merge branch 'maint-0.3.0' into maint-0.3.1 2017-09-07 15:18:01 -04:00
Nick Mathewson
36104e55e4 Merge branch 'maint-0.3.1' 2017-09-07 15:18:01 -04:00
Nick Mathewson
bcf2b413c3 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-09-07 15:18:00 -04:00
Nick Mathewson
08592c95fa Merge branch 'maint-0.2.8' into maint-0.2.9 2017-09-07 15:18:00 -04:00
Karsten Loesing
09618ffe38 Update geoip and geoip6 to the September 6 2017 database. 2017-09-07 21:06:16 +02:00
David Goulet
fa87aa00c4 hs: Do not assert on rend_data while iterating over circuits
The pruning process and the deleting ephemeral service function iterates over
all circuits and were asserting on rend_data for a matching circuit. This is
not good because now we have v3 circuits without a rend_data.

Fixes #23429

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-07 14:24:49 -04:00
Matt Traudt
91c7bebfa2 consensus: Add a generic notification function on new consensus
Some groundwork for the KIST scheduler implementation.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-07 11:49:38 -04:00
David Goulet
72c7f81459 prop224: When computing hsdir index and time period, use valid_after time
Use the valid_after time from the consensus to get the time period number else
we might get out of sync with the overlap period that uses valid_after.

Make it an optional feature since some functions require passing a
specific time (like hs_get_start_time_of_next_time_period()).

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-07 18:16:07 +03:00
Nick Mathewson
27fa4a98d2 Make ClientDNSRejectInternalAddresses testing-only.
Undeprecate it;
rename it to TestingClientDNSRejectInternalAddresses;
add the old name as an alias;
reject configurations where it is set but TestingTorNetwork is not;
change the documentation accordingly.

Closes tickets 21031 and 21522.
2017-09-07 10:03:31 -04:00
Nick Mathewson
1502bf03fd Add a module comment to util_bug.h
Closes ticket 22824.
2017-09-07 09:31:30 -04:00
Nick Mathewson
12dad5ebf7 Fix crashes on empty +HSPOST and +POSTDESCRIPTOR commands
Fixes bug 22644; bugfix on 0.2.7.1-alpha and 0.2.0.1-alpha
respectively.
2017-09-07 09:20:00 -04:00
Nick Mathewson
1e079ec30d Merge branch 'maint-0.3.1' 2017-09-07 08:51:16 -04:00
Nick Mathewson
9c404602a0 Add a stack trace to the warning at issue with 23105.
With luck, this will help us diagnose 23105 and fix it.

I also added a stack trace to the warning right before it, since why
not.
2017-09-07 08:49:11 -04:00
Nick Mathewson
ae7cb3349e Merge branch 'bug23361_032_01_squashed2' 2017-09-07 08:35:35 -04:00
David Goulet
c527cde82f prop224: Pick rendezvous point of protover HSRend=2
Version 3 hidden service needs rendezvous point that have the protocol version
HSRend >= 2 else the rendezvous cells are rejected.

Fixes #23361

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-07 08:35:28 -04:00
Nick Mathewson
ab18e5e5fc Better error on failure to load seccomp2 sandbox
There are two reasons this is likeliest to happen -- no kernel
support, and some bug in Tor.  We'll ask people to check the former
before they report. Closes 23090.
2017-09-06 14:23:47 -04:00
Nick Mathewson
9261f612ad Merge remote-tracking branch 'dgoulet/bug23123_032_01' 2017-09-06 14:17:43 -04:00
Nick Mathewson
1098893e4f Exit when we can't write to a configured pid file
This is probably what the user wants, according to 20119.
2017-09-06 11:50:22 -04:00
Nick Mathewson
6fea44c673 Reject torrc if RunAsDaemon is given with relative paths.
The chdir() call in RunAsDaemon makes the behavior here surprising,
and either way of trying to resolve the surprise seems sure to
startle a significant fraction of users.  Instead, let's refuse to
guess, and refuse these configurations.

Closes ticket 22731.
2017-09-06 11:39:11 -04:00
Nick Mathewson
342712b9ef Make url-canonicalizer canonicalize correctly. 2017-09-05 15:02:16 -04:00
Nick Mathewson
4e02d02076 Fix an erroneous ! 2017-09-05 14:55:13 -04:00
Nick Mathewson
4ce60dab00 Resolve inconsistencies between buf refactor and HTTP connect 2017-09-05 14:41:35 -04:00
Nick Mathewson
73b0e2e6fd Merge branch 'http_tunnel_squashed' 2017-09-05 14:34:29 -04:00
Nick Mathewson
ad9190404b Add a fuzzer for HTTP CONNECT 2017-09-05 14:34:09 -04:00
Nick Mathewson
53e4272b65 Add stream isolation support for HTTP CONNECT tunnels
I'm doing this using the Proxy-Authorization: header to support
clients that understand it, and with a new tor-specific header that
makes more sense for our use.
2017-09-05 14:34:09 -04:00
Nick Mathewson
4b30ae1581 Add support for HTTP Connect tunnels 2017-09-05 14:34:09 -04:00
Nick Mathewson
eda79c2f78 Export http-command parsing functions. 2017-09-05 14:34:09 -04:00
Nick Mathewson
c0b9f594b6 Make preferred_chunk_size nonstatic, and add a prefix to it 2017-09-05 14:17:18 -04:00
Nick Mathewson
6ec5059723 Refactor buffer APIs to put a buf_t first.
By convention, a function that frobs a foo_t should be called
foo_frob, and it should have a foo_t * as its first argument.  But
for many of the buf_t functions, the buf_t was the final argument,
which is silly.
2017-09-05 13:57:51 -04:00
Nick Mathewson
d61da9e61f Repair wide lines from previous commit. 2017-09-05 13:57:51 -04:00
Nick Mathewson
4a7e90adc5 Repair buffer API so everything starts with buf_.
Our convention is that functions which manipulate a type T should be
named T_foo.  But the buffer functions were super old, and followed
all kinds of conventions.  Now they're uniform.

Here's the perl I used to do this:

\#!/usr/bin/perl -w -i -p

s/read_to_buf\(/buf_read_from_socket\(/;
s/flush_buf\(/buf_flush_to_socket\(/;
s/read_to_buf_tls\(/buf_read_from_tls\(/;
s/flush_buf_tls\(/buf_flush_to_tls\(/;
s/write_to_buf\(/buf_add\(/;
s/write_to_buf_compress\(/buf_add_compress\(/;
s/move_buf_to_buf\(/buf_move_to_buf\(/;
s/peek_from_buf\(/buf_peek\(/;
s/fetch_from_buf\(/buf_get_bytes\(/;
s/fetch_from_buf_line\(/buf_get_line\(/;
s/fetch_from_buf_line\(/buf_get_line\(/;
s/buf_remove_from_front\(/buf_drain\(/;
s/peek_buf_startswith\(/buf_peek_startswith\(/;
s/assert_buf_ok\(/buf_assert_ok\(/;
2017-09-05 13:57:51 -04:00
Nick Mathewson
336aa21e37 Move buffers.c and buffers_tls.c into src/common
These are no longer tor-specific, so they can be part of the
infrastructure.
2017-09-05 13:57:51 -04:00
Nick Mathewson
150089cbd7 Move the tls parts of buffers.c into buffers_tls.c 2017-09-05 13:57:51 -04:00
Nick Mathewson
5921b465e7 Make buffers.c independent of or.h
Also, put ext_or function in new module; it had accidentally gotten
into proto_socks.c
2017-09-05 13:57:51 -04:00
Nick Mathewson
f28e314b0d Make buf_pullup() expose the pulled-up data.
This lets us drop the testing-only function buf_get_first_chunk_data(),
and lets us implement proto_http and proto_socks without looking at
buf_t internals.
2017-09-05 13:57:51 -04:00
Nick Mathewson
cddac959e7 Replace buf->datalen usage in proto_*.c with buf_datalen() call.
This lets us remove BUFFERS_PRIVATE from two of the modules.
2017-09-05 13:57:51 -04:00
Nick Mathewson
234c5015f1 Move protocol-specific functions out of buffers.c
This commit does not change the implementation of any function: it
only moves code and adds new includes as necessary.  Part of #23149.
2017-09-05 13:57:51 -04:00
Nick Mathewson
fd0a894d28 Bump to 0.3.1.6-rc-dev 2017-09-05 10:20:34 -04:00
David Goulet
7eaf055b28 test: Fix memory leak in hs_descriptor/decode_bad_signature
Fixes #23319

Cherry-picked from master; bug not in any released Tor.
2017-09-05 09:26:21 -04:00
Nick Mathewson
2d55620a9e Bump version to 0.3.1.6-rc 2017-09-05 08:30:52 -04:00
Nick Mathewson
56df123933 Merge branch 'bug23331_032_01_squashed' 2017-09-05 08:24:28 -04:00
David Goulet
9e900d1db7 hs: Don't enter the HS v3 subsystem without a live consensus
The service needs the latest SRV and set of relays for the best accurate
hashring to upload its descriptor to so it needs a live consensus thus don't
do anything until we have it.

Fixes #23331

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-05 08:24:22 -04:00
Nick Mathewson
42394053c9 Merge branch 'maint-0.3.1' 2017-09-04 15:48:12 -04:00
Nick Mathewson
4d97efd4d1 Merge branch 'bug22752_031_simple' into maint-0.3.1 2017-09-04 15:48:01 -04:00
Nick Mathewson
33989cd002 Merge remote-tracking branch 'dgoulet/bug23366_032_01' 2017-09-04 12:48:26 -04:00
Nick Mathewson
834e1f8085 Merge remote-tracking branch 'asn/bug23346' 2017-09-04 12:30:51 -04:00
Nick Mathewson
109cfebca5 Merge remote-tracking branch 'dgoulet/bug23327_032_01' 2017-09-04 12:24:05 -04:00
Nick Mathewson
85688dc33d Merge branch 'bug23360_032_01' 2017-09-04 12:11:43 -04:00
David Goulet
8c41196254 hs: Remove dead code and uneeded feature
When merging #20657, somehow hs_service_dir_info_changed() became unused
leading to not use the re-upload to HSDir when we were missing information
feature.

Turns out that it is not possible to pick an HSDir with a missing descriptor
because in order to compute the HSDir index, the descriptor is mandatory to
have so we can know its position on the hashring.

This commit removes that dead feature and fix the
hs_service_dir_info_changed() not being used.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-04 12:11:31 -04:00
Nick Mathewson
e72dec18a9 Merge remote-tracking branch 'asn/ticket23056_v2' 2017-09-04 12:09:03 -04:00
Nick Mathewson
948be49ce0 22752: Improve comments to explain why we're doing this fix.
Based on questions and comments from dgoulet, I've tried to fill
in the reasoning about why these functions work in the way that they
do, so that it will be easier for future programmers to understand
why this code exists and works the way it does.
2017-09-04 11:54:49 -04:00
Nick Mathewson
e2e13e7c8a Merge branch 'maint-0.3.1' 2017-09-04 11:40:02 -04:00
Nick Mathewson
a7aeb6f58f Merge remote-tracking branch 'public/bug23275_031' into maint-0.3.1 2017-09-04 11:39:28 -04:00
David Goulet
a52a32c855 hs: Set rendezvous circuit timestamp_dirty all the time
We used to check if it was set to 0 which is what unused circuit have but when
the rendezvous circuit was cannibalized, the timestamp_dirty is not 0 but we
still need to reset it so we can actually use it without having the chance of
expiring the next second (or very soon).

Fixes #23123

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-31 11:40:22 -04:00
David Goulet
651629cbdf config: Make parse_outbound_addresses() return failures
The function was never returning an error code on failure to parse the
OutboundAddress* options.

In the process, it was making our test_options_validate__outbound_addresses()
not test the right thing.

Fixes #23366

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-31 08:29:09 -04:00
Daniel Pinto
23147dd168 Adds files included by torrc and defaults to sandbox filter #22605 2017-08-30 18:20:07 +01:00
David Goulet
22295759af prop224: Purge client state on NEWNYM
Closes #23355

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-30 09:15:54 -04:00
George Kadianakis
b9f849bdee prop224: Clear list of prev hsdirs before we upload all descs.
This fixes a serious bug in our hsdir set change logic:

We used to add nodes in the list of previous hsdirs everytime we
uploaded to a new hsdir and we only cleared the list when we built a new
descriptor. This means that our prev_hsdirs list could end up with 7
hsdirs, if for some reason we ended up uploading our desc to 7 hsdirs
before rebuilding our descriptor (e.g. this can happen if the set of
hsdirs changed).

After our previous hdsir set had 7 nodes, then our old algorithm would
always think that the set has changed since it was comparing a smartlist
with 7 elements against a smartlist with 6 elements.

This commit fixes this bug, by clearning the prev_hsdirs list before we
upload to all hsdirs. This makes sure that our prev_hsdirs list always
contains the latest hsdirs!
2017-08-30 15:42:25 +03:00
George Kadianakis
1dc21b8790 prop224: Simplify HSDir set change algo.
Our logic for detecting hsdir set changes was needlessly compicated: we
had to sort smartlists and compare them.

Instead, we can simplify things by employing the following logic:
"We should reupload our descriptor if the latest HSDir set contains
nodes that were not previously there"
2017-08-30 15:30:22 +03:00
George Kadianakis
d3cefddfc5 prop224 test: Improve desc_reupload_logic() test with more nodes. 2017-08-30 15:29:30 +03:00
George Kadianakis
ac9066660e prop224 test: Simplify interface for adding nodes to hash ring.
We want to have tests with big hash rings so let's make it an one-liner
to add nodes.
2017-08-30 15:29:30 +03:00
David Goulet
0850ae5049 hs: Implement an HS client free all function
Called from main.c, the function for now purges the hidden service directory
request cache.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-29 16:02:13 -04:00
Nick Mathewson
da159c45e2 On windows, allow many entries in conscache directories
Since we can't be sure that we can unlink enough files on windows
here, let's let the number of permitted entries grow huge if it
really must.

We do this by letting the storagedir hold lots of entries, but still
trying to keep the number of entries under the configured limit.  We
also have to tell consdiffmgr not to freak out if it can't actually
remove enough entries.

Part of a fix for bug 22752
2017-08-29 13:03:36 -04:00
Nick Mathewson
5e97b34daa On windows, don't force-unlink active conscache objects.
Part of a fix for bug 22752: We can't unlink these because Windows
doesn't allow you to unlink an in-use file.
2017-08-29 13:02:02 -04:00
Nick Mathewson
209bfe715c Merge branch 'maint-0.3.1' 2017-08-29 11:11:12 -04:00
Nick Mathewson
6307a759ed Merge remote-tracking branch 'dgoulet/bug22159_031_01' into maint-0.3.1 2017-08-29 11:11:09 -04:00
Nick Mathewson
5e08cf350b Add test_hs_descriptor.inc to include.am to unbreak distcheck. 2017-08-29 10:57:13 -04:00
Nick Mathewson
3cf8da02f7 Merge remote-tracking branch 'asn/bug23343' 2017-08-28 15:49:11 -04:00
David Goulet
6507ecb7e8 hs: Fix the intro circuit max retry
Some parentheses were missing making the rend_max_intro_circs_per_period()
return a lower value than it was suppose to.

The calculation is that a service at most will open a number of intro points
that it wants which is 3 by default or HiddenServiceNumIntroductionPoints. Two
extra are launched for performance reason. Finally, this can happen twice for
two descriptors for the current and next time period.

From:
  2 * n_intro_wanted + 2

...which resulted in 8 for 3 intro points, this commit fixes it to:

  (n_intro_wanted + 2) * 2

... resulting in 12 possible intro point circuit which is the correct maximum
intro circuit allowed per period.

Last, this commit rate limits the the log message if we ever go above that
limit else over a INTRO_CIRC_RETRY_PERIOD, we can print it often!

Fixes #22159

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-28 14:43:42 -04:00
Nick Mathewson
5ef656e7d1 Temporarily disable compilation of the v3 hs fuzzing code
Turns out, it wasn't up-to-date with the latest v3 hs API :(
2017-08-28 14:12:56 -04:00
Nick Mathewson
f53d405084 Fix compilation. 2017-08-28 14:00:00 -04:00
Nick Mathewson
18bc7fa70b Merge remote-tracking branch 'haxxpop/fuzzing-hsv3' 2017-08-28 13:46:24 -04:00
George Kadianakis
e94f68e301 fixup! prop224: Fix length check when purging hidserv requests.
Improve doc based on david's comments.
2017-08-28 19:55:26 +03:00
Nick Mathewson
63fc23f826 Merge branch 'ticket22348_031' into maint-0.3.1 2017-08-28 11:44:18 -04:00
Nick Mathewson
c107aae3c2 Merge branch 'ticket22348_031' 2017-08-28 11:43:55 -04:00
Nick Mathewson
ab166fe68f Try to improve the keypinning-failure message even more 2017-08-28 11:35:30 -04:00
Nick Mathewson
4b4b3afb56 Merge branch 'bug22802_squashed' 2017-08-28 10:23:05 -04:00
Nick Mathewson
b88d00fea3 Don't fall back to _atoi64
We only did this on windows when building with MSVC 6 and earlier,
which is now considered a screamingly bad idea.
2017-08-28 10:21:29 -04:00
Nick Mathewson
e37c1df9cd Don't use "0" as a "base" argument to tor_parse_*().
Telling these functions to autodetect the numeric base has lead to
trouble in the past.

Fixes bug 22469. Bugfix on 0.2.2.various.
2017-08-28 10:21:29 -04:00
Nick Mathewson
5b8956df3b In test_establish_intro_wrong_purpose, use tt_i64_op on ssize_t
Since ssize_t is signed and might be 64 bits, we should use
tt_i64_op to make sure it's positive.  Otherwise, if it is negative,
and we use tt_u64_op, we'll be treating it as a uint64_t, and we
won't detect negative values.

This fixes CID 1416338 and 1416339.  Bug not in any released Tor.
2017-08-28 10:11:49 -04:00
Nick Mathewson
8de4a80125 Fix unlikely memory leak introduced in 418f3d6298
This is CID 1416880; bug not in any released Tor.
2017-08-28 10:08:52 -04:00
Nick Mathewson
b27c029266 Merge remote-tracking branch 'asn/bug23335' 2017-08-28 10:05:21 -04:00
George Kadianakis
93a0a4a422 prop224: Fix length check when purging hidserv requests.
That check was wrong:

a) We should be making sure that the size of `key` is big enough before
   proceeding, since that's the buffer that we would overread with the
   tor_memeq() below.

   The old check used to check that `req_key_str` is big enough which is
   not right, since we won't read deep into that buffer.

   The new check makes sure that `key` has enough size to survive the
   tor_memeq(), and if not it moves to the next element of the strmap.

b) That check shouldn't be a BUG since that strmap contains
   variable-sized elements and we should not be bugging out if we happen
   to compare a small sized element (v2) to a bigger one (v3).
2017-08-28 16:34:16 +03:00
George Kadianakis
d4f1b566e1 prop224: Add test that exposes the #23343 bug. 2017-08-28 16:34:13 +03:00
George Kadianakis
b1cb16867e Fix compilation warning on old clangs. 2017-08-28 15:00:09 +03:00
George Kadianakis
ad56a342b4 Silence some leftover warnings. 2017-08-28 14:54:36 +03:00
David Goulet
e8c584176b hs: Note the connection attempt if descriptor is unusable
This way, we can clear off the directory requests from our cache and thus
allow the next client to query those HSDir again at the next SOCKS connection.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-25 13:39:40 -04:00
David Goulet
11443bb74c hs: Implement note_connection_attempt_succeeded()
v3 client now cleans up the HSDir request cache when a connection to a service
was successful.

Closes #23308

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-25 13:23:55 -04:00
Nick Mathewson
96aed28f14 New GETINFO target to check if geoip is loaded
Closes ticket 23237.
2017-08-25 12:25:05 -04:00
Nick Mathewson
b91dce9454 Merge branch 'maint-0.3.1' 2017-08-25 11:39:38 -04:00
Nick Mathewson
6069c829f9 Merge branch 'bug19418_029' into maint-0.3.1 2017-08-25 11:38:24 -04:00
Nick Mathewson
0de3147bf1 fix wide lines 2017-08-25 11:34:42 -04:00
Nick Mathewson
82b581f3fc Merge remote-tracking branch 'asn/bug23309_v2' 2017-08-25 11:31:53 -04:00
George Kadianakis
6d48e75685 prop224: Better missing hsdir index logs.
Seems like hsdir index bugs are around to haunt us. Let's improve the
log messages to make debugging easier.
2017-08-25 17:18:05 +03:00
George Kadianakis
ea5af8f442 prop224: When HUPing, move HS state from old to new service.
We used to not copy the state which means that after HUP we would forget
if we are in overlap mode or not. That caused bugs where the service
would enter overlap mode twice, and rotate its descs twice, causing all
sorts of bugs.
2017-08-25 17:18:05 +03:00
George Kadianakis
409ecbec52 prop224: Be more careful to not overwrite descriptors in HUP. 2017-08-25 17:18:05 +03:00
George Kadianakis
17fd2c8a51 prop224: Move function move_descriptors() around.
We want to use some static functions so move it below them.
2017-08-25 17:18:05 +03:00
David Goulet
a9fb97e91a prop224: Don't move intro points but rather descriptors
Apart from the fact that a newly allocated service doesn't have descriptors
thus the move condition can never be true, the service needs the descriptor
signing key to cross-certify the authentication key of each intro point so we
need to move the descriptors between services and not only the intro points.

Fixes #23056

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-25 17:18:05 +03:00
David Goulet
2549b3e923 sandbox: Fix double free when initializing HSv3 filenames
Don't free a reference that has been stolen.

Fixes #23329

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-25 09:28:10 -04:00
George Kadianakis
e07b677bd9 prop224: Move service_desc_hsdirs_changed() and make it static.
That function could be static but needed to be moved to the top.
2017-08-25 14:41:06 +03:00
George Kadianakis
c980be9511 prop224: Refactor descriptor reupload logic.
We refactor the descriptor reupload logic to be similar to the v2 logic
where we update a global 'consider_republishing_rend_descriptors' flag
and then we use that to check for hash ring changes during the global
hidden service callbacks.

This fixes bugs where we would inspect the hash ring immediately as we
receive new dirinfo (e.g. consensus) but before running the hidden
service housekeeping events. That was leaving us in an inconsistent
state wrt hsdir indices and causing bugs all around.
2017-08-25 14:41:06 +03:00
George Kadianakis
8b8e39e04b prop224: Refactor descriptor rotation logic.
The problem was that when we went from overlap mode to non-overlap mode,
we were not wiping the 'desc_next' descriptor and instead we left it on
the service. This meant that all functions that iterated service
descriptors were also inspecting the useless 'desc_next' descriptor that
should have been deleted.

This commit refactors rotate_all_descriptors() so that it rotates
descriptor both when entering overlap mode and also when leaving it.
2017-08-25 14:41:06 +03:00
Nick Mathewson
408ed52e3d Remove the AUTHDIR_NEWDESCS feature: nobody is using it any more
If somebody asks for it, log a warning.

Closes ticket 22377.
2017-08-24 16:53:35 -04:00
David Goulet
dfaa5c65f9 test: Fix memory leak in hs_descriptor/decode_bad_signature
Fixes #23319

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 16:21:44 -04:00
Nick Mathewson
a007c02df0 Re-run trunnel. Cosmetic changes only. 2017-08-24 16:13:01 -04:00
Alexander Færøy
77b92c2214 Ensure that make check-spaces is happy.
The `test-operator-cleanup` patch, and related coccinelle patches,
don't do any checks for line length. This patch fixes the line
length issues caused by the previous commits.
2017-08-24 16:09:41 -04:00
Nick Mathewson
011d94fb11 apply ahf's test_assert_null.cocci 2017-08-24 15:55:27 -04:00
Nick Mathewson
047790a253 apply ahf's test_assert_int.cocci 2017-08-24 15:49:59 -04:00
Nick Mathewson
0b36208fd8 apply ahf's test_assert_zero.cocci 2017-08-24 15:34:34 -04:00
Nick Mathewson
067a4422fe Apply ahf's ceil_div.cocci patch. 2017-08-24 15:33:27 -04:00
Nick Mathewson
e884248118 Fix a needless line-continuation in aes.c
coccinelle was getting confused
2017-08-24 15:32:30 -04:00
Nick Mathewson
1d0f7b7ccd Apply test-operator-cleanup to src/common too. 2017-08-24 15:26:57 -04:00
Alexander Færøy
c4744a01cc Fix operator usage in src/test/*.c
This patch fixes the operator usage in src/test/*.c to use the symbolic
operators instead of the normal C comparison operators.

This patch was generated using:

    ./scripts/coccinelle/test-operator-cleanup src/test/*.[ch]
2017-08-24 15:24:34 -04:00
Nick Mathewson
91c6bc160b Merge remote-tracking branch 'dgoulet/ticket17242_032_03-squashed' 2017-08-24 15:12:16 -04:00
George Kadianakis
dc0264f659 Silence some spammy log messages. 2017-08-24 13:03:29 -04:00
David Goulet
e546ac6b32 circuit: Consider v3 hidden service circuit in circuit_expire_building()
For a ready v3 rendezvous circuit, consider it so we don't expire.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:29 -04:00
David Goulet
a112562544 hs: Update intro circuit timestamp when re-extending
A client can re-extend up to 3 intro points on the same circuit. This happens
when we get NACKed by the intro point for which we choose a new intro and
re-extend the circuit to it.

That process can be arbitrarly long so reset the dirty timestamp of the
circuit everytime we choose to re-extend so we get a bit more time to actually
do our introduction.

This is a client circuit so it is short live once opened thus giving us a bit
more time to complete the introduction is ok.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:29 -04:00
David Goulet
1077e9894c circuit: Avoid needless log info in circuit_get_best()
When looking for an introduction circuit in circuit_get_best(), we log an info
message if we are about to launch a new intro circuit in parallel. However,
the condition was considering marked for close circuit leading to the function
triggering the log info even though there is actually no valid intro circuit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:29 -04:00
David Goulet
dca105d588 prop224: Register RP circuit when it opens
Only register the RP circuit when it opens and not when we send the INTRODUCE1
cell else, when re-extending to a new IP, we would register the same RP
circuit with the same cookie twice leading to the circuit being closed.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:29 -04:00
David Goulet
954f663831 prop224: Try to recover from a bad intro circuit
Changed the assert_intro_circ_ok() to an almost non fatal function so tor can
recover properly. We keep the anonymity assert because if that is not right,
we have much deeper problems and client should stop sending bytes to the
network immediately.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
5f94c4a0f1 prop224: Refactor how we use connection_ap_handle_onion
Simply directly return its returned value.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
98efb646fc hs: Remove unused rend_client_rendezvous_acked()
This function has been replaced by hs_client_receive_rendezvous_acked(() doing
the same exact thing for both v2 and v3 service.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
a16627db1f prop224: Add a function to find an intro point by legacy ID
The client needs to find the right intro point object from the circuit
identity digest it is opened to. This new function does that.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
7c543412fc prop224: Add a function to clear INTRO data
New function named hs_cell_introduce1_data_clear() is introduced to clear off
an hs_cell_introduce1_data_t object.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
cb462b95b7 prop224: Rename hs_desc_encode_lspec()
Give it a name that shows the transition from a descriptor link spec to a
trunnel link spec.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
61009d40d1 hs: Stub link_specifier_t in hs_descriptor.h
Avoid including a huge trunnel interface everytime we include hs_descriptor.h

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
e046e6fb48 prop224: Update OOM counters when storing a client descriptor cache object
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
68887fdc5d prop224: Update OOM counters when freeing a client descriptor cache object
When we free a client descriptor cache object, tell the OOM handler.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
47672ec1c7 prop224: Check decoded descriptor matches the expected blinded key
When a client decodes a descriptor, make sure it matches the expected blinded
key which is derived from the hidden service identity key.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
520fcdf2f3 test: Fix broken HS upload descriptor test
We can't trigger a valid upload because it would require us to MOCK a long
list of functions ultimately not really testing the upload because we aren't
on a running network.

Signed-off-by: David Goulet <dgoulet@torproject.org>

Conflicts:
	src/test/test_hs_service.c
2017-08-24 13:03:28 -04:00
David Goulet
31da3898e7 prop224: Add directory_request_fetch_set_hs_ident()
Needed by the client when fetching a descriptor. This function checks the
directory purpose and hard assert if it is not for fetching.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
a64ef7d6c5 prop224: Implement hs_client_any_intro_points_usable()
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
14b858c4ce prop224: Use the intro point state cache
This commit makes the client use the intro point state cache. It notes down
when we get a NACK from the intro point and then uses that cache to decide if
it should either close the circuits or re-extend to a new intro point.

This also introduces a very useful function that checks if an intro point is
usable that is query the state cache and checks a series of requirement.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
2671399e67 prop224: Add a client intro point state cache
This cache keeps track of the state of intro points which is needed when we
have failures when using them. It is similar to the failure cache of the
legacy system.

At this commit, it is unused but initialized, cleanup and freed.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
88b843608a prop224: Move and refactor rend_client_reextend_intro_circuit()
This moves it to hs_client.c so it can be used by both system (legacy and
prop224). For now, only the legacy system uses it.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
88f64eee68 hs: Update the IP failure cache only if legacy
Don't assert() on rend_data when closing circuits to report an IP failure. The
prop224 code doesn't have yet the support for this.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
379ad6f6eb prop224: Use the client-side circuitmap in hs_client.c
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
3152c583af prop224: Add client-side rend circuit support to HS circuitmap
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
e67f8623f9 hs: Only note a connection attempt with a valid rend_data
For now, prop224 doesn't have a mechanism to note down connection attempts so
we only do it for legacy system using rend_data.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
9af3116306 prop224: Handle RENDEZVOUS2 cell
The client can now handle RENDEZVOUS2 cell when they arrive. This consolidate
both hidden service version in one function.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
ee15c16742 prop224: Parse RENDEZVOUS2 cell
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
2f1b3d647f trunnel: Add RENDEZVOUS2 cell definition
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
fca2f64e2f prop224: Handle INTRODUCE_ACK cell
The client is now able to handle an INTRODUCE_ACK cell and do the appropriate
actions.

An intro point failure cache is missing and a way to close all intro point
that were launched in parallel. Some notes are in the comment for that.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
cb336a7062 prop224: Parse INTRODUCE_ACK cell
Add a function to parse an INTRODUCE_ACK cell in hs_cell.c. Furthermore, add
an enum that lists all possible expected status code.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
e7c06e6947 prop224: Make client send INTRODUCE1 cell
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
abb840bf64 prop224: Client function to pick intro point
From an edge connection object, add a function that randomly pick an
introduction point for the requested service.

This follows the code design of rend_client_get_random_intro() and returns an
extend_info_t object ready to be used to extend to.

At this commit, it is not used yet.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
c38144bb0f prop224: Client callback when descriptor has arrived
When a descriptor fetch has completed and it has been successfully stored in
the client cache, this callback will take appropriate actions to attach
streams and/or launch neede circuits to connect to the service.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
89eb96c19a prop224: Handle client RENDEZVOUS_ESTABLISHED cell
Client now handles a RENDEZVOUS_ESTABLISHED cell when it arrives on the
rendezvous circuit. This new function applies for both the legacy system and
prop224.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
b91693f7c3 prop224: Build ESTABLISH_RENDEZVOUS cell and logic
Add a function to build the cell.

Add a the logic to send the cell when the rendezvous circuit opens.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
6eb125d14b prop224: Client has opened circuit logic
Make a single entry point for the entire HS subsystem when a client circuit
opens (every HS version).

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
d599325b5e prop224: Build INTRODUCE1 cell and send logic
Add a function in hs_cell.{c|h} for a client to build an INTRODUCE1 cell using
an object that contains all the needed keys to do so.

Add an entry point in hs_client.c that allows a tor client to send an
INTRODUCE1 cell on a given introduction circuit.

It includes the building of the cell, sending it and the setup of the
rendezvous circuit with the circuit identifier.

The entry point function is still unused at this commit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
8a552bf49b prop224: Make lspecs to extend info public
The hs circuit file had this function that takes a list of link specifiers and
return a newly allocated extend info object. Make it public so the client side
can also use it to be able to extend to introduction point.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
8e2854372d prop224: Helper function to assert on invalid client intro circuit
Put all the possible assert() we can do on a client introduction circuit in
one helper function to make sure it is valid and usable.

It is disabled for now so gcc doesn't complain that we have a unused function.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
b13ee8e4ae hs: Move link specifier encoding to a function
This commit only moves code into a function. The client code will need a way
to take a bunch of descriptor link specifier object and encode them into link
specifiers objects.

Make this a public function so it can be used outside of hs_descriptor.c.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
6222eae8ca conn: Add a function to return a list of connection by state
This will be useful to the hidden service subsystem that needs to go over all
connections of a certain state to attach them to a hidden service circuit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
6eb9de1b8c test: Add tests for fetching descs and handling SOCKS conns.
- Add tests that ensure that SOCKS requests for v2/v3 addresses get
  intercepted and handled.

- Add test that stores and lookups an HS descriptor in the client-side cache.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
79ff2e014f hs: Fix comment of the get max size descriptor function
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
b2a820958e prop224: Rename hs_client_note_connection_attempt_succeeded()
This is a static function so don't polute the hs_client_ namespace.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
David Goulet
343af1a9cf prop224: Add the dir purpose HAS_FETCHED
Once a descriptor has been successfully downloaded from an HSDir, we flag the
directory connection to "has fetched descriptor" so the connection subsystem
doesn't trigger a new fetch on success.

Same has DIR_PURPOSE_HAS_FETCHED_RENDDESC_V2 but for prop224.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
f93b77a18c prop224: Add client code to handle fetched HS descriptors.
This code handles received HS descriptors by storing them in the
client-side HS cache.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
ebacf4dd6e prop224: Introduce v2/v3 HS desc fetch retry functionality.
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
776e796d96 prop224: Connect to v3 services in connection_ap_handle_onion().
Recognize and handle v3 addresses.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
c754864cfd prop224: Add code that launches v3 HS desc fetches.
Entry point is hs_client_refetch_v3_renddesc().

Will be used in subsequent commits.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
0f6633abb2 prop224: Refactor pick_hsdir() to be used by both v2 and v3.
Also refactor rendclient.c to use the new hs_pick_hdsir() func.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
5c9cd912ee prop224: Refactor rendclient.c to use the new hsdir_req code.
- Also add tests for the hidserv_req subsystem.
- Introduce purge_v2_hidserv_req() wrapper to simplify v2 code.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
15c9b7e891 prop224: Fix hidserv request code to work for both v2 and v3.
See documentation of `last_hid_serv_requests_` for how it works. strmaps are
cool!

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
912c11761c prop224: Move some rendclient.c code to hs_common.c
Specifically move the pick_hsdir() function and all the HSDir request tracking
code. We plan to use all that code both for v2 and v3.

This commit only moves code.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:27 -04:00
George Kadianakis
7aef3ec0fd prop224: Add client-side HS descriptor cache.
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:27 -04:00
Nick Mathewson
b5c5086aba Merge branch 'bug23106_032' 2017-08-24 09:45:03 -04:00
Nick Mathewson
35a29e81ae Merge branch 'bug19281_025' 2017-08-24 09:27:26 -04:00
Nick Mathewson
d37e8b407a Merge branch 'feature22976_squashed' 2017-08-24 09:23:43 -04:00
Nick Mathewson
a0bb1ff6ab Also disable spawning on Sandbox.
This isn't a functional change, but it makes our logic more clear,
and catches bugs earlier.
2017-08-24 09:23:32 -04:00
Nick Mathewson
f4f828640f Merge branch 'bug22779_031' 2017-08-24 09:18:39 -04:00
Nick Mathewson
18f3f1ffa3 add parenthesis to make cast work right. 2017-08-23 13:12:58 -04:00
Nick Mathewson
ee73c1848e Add test_hs_descriptor.inc to include.am to unbreak distcheck. 2017-08-23 13:08:59 -04:00
Nick Mathewson
86ee35ad5b Don't do expensive consensus stuff when not a cache.
This includes generating and storing compressed consensuses, and
consensus diffs.  Fixes bug 23275; bugfix on 0.3.1.1-alpha.
2017-08-23 10:22:51 -04:00
Nick Mathewson
80d3887360 Refactor node lookup APIs to take flags
Right now there's a single warn_if_unnamed flag for
router_get_consensus_status_by_nickname() and
node_get_by_nickname(), that is nearly always 1.  I've turned it
into an 'unsigned' bitfield, and inverted its sense.  I've added the
flags argument to node_get_by_hex_id() too, though it does nothing
there right now.

I've removed the router_get_consensus_status_by_nickname() function,
since it was only used in once place.

This patch changes the warning behavior of GETINFO ns/name/<name>,
since all other name lookups from the controller currently warn.

Later I'm going to add more flags, for ed25519 support.
2017-08-22 19:13:40 -04:00
Nick Mathewson
d7a3e336ee Remove some support for nickname-based hexdigests
We once used $X=N to mean "A relay with RSA ID digest X with the
Named flag and the nickname N."  But authorities no longer assign
the Named flag.
2017-08-22 18:47:57 -04:00
Nick Mathewson
40887b4d2e Unit tests for maintaining ed25519->node map. 2017-08-22 16:12:58 -04:00
Ties Stuij
2e99f839e9 22839: Build tor with rust enabled on win
- make tor_util static library name configurable
- fix Rust libary dependency order for Windows
2017-08-21 15:08:24 -04:00
Nick Mathewson
8f8a061b0c Merge branch 'maint-0.3.1' 2017-08-21 15:08:17 -04:00
Nick Mathewson
10b2428224 Merge branch 'bug23291_028' into maint-0.3.1 2017-08-21 15:06:39 -04:00
Ties Stuij
7ba873ca2d 22839: fix check_heap_buffer buffer size in test-memwipe 2017-08-21 15:03:54 -04:00
Nick Mathewson
6f3208670a Merge branch 'maint-0.3.1' 2017-08-21 14:20:38 -04:00
Nick Mathewson
6be0e28670 whitespace fixes 2017-08-21 14:18:41 -04:00
George Kadianakis
1491c0d024 Fix triggerable BUG() when decoding hsv3 descriptors.
Also improve the unittest to make sure it catches the right error.
2017-08-21 19:16:45 +03:00
George Kadianakis
45732a1a13 Add unittest for #23233.
This will fail currently since the bug is not fixed yet.
2017-08-21 19:16:30 +03:00
George Kadianakis
5d89ea1e6c prop224: Decouple the HS part of connection_ap_handshake_rewrite_and_attach().
We will need to edit this function, and it's already pretty huge. Let's make
it a bit smaller.

This commit moves code, fixes a 80 char line and add two lines at the start to
make it compile. Trivial change.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-19 16:42:26 +03:00
George Kadianakis
bce18a7642 prop224: Refactor parse_extended_hostname() to parse v3 addrs.
We need this func so that we recognize SOCKS conns to v3 addresses.

- Also rename rend_valid_service_id() to rend_valid_v2_service_id()

- Also move parse_extended_hostname() tests to their own unittest, and
  add a v3 address to the test as well.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-19 16:42:26 +03:00
George Kadianakis
3e593f09ad prop224: Recompute all HSDir indices when we enter overlap mode.
When we enter overlap mode we start using the next hsdir index of
relays. However, we only compute the next hsdir index of relays when we
receive a consensus or their descriptor. This means that there is a
window of time between entering the overlap period and fetching the
consensus where relays have their next hsdir index uninitialized. This
patch fixes this by recomputing all hsdir indices when we first enter
the overlap period.
2017-08-19 16:29:23 +03:00
George Kadianakis
7823c98a38 prop224: Improve descriptor reupload logic.
We want to reupload our descriptor if its set of responsible HSDirs
changed to minimize reachability issues.

This patch adds a callback everytime we get new dirinfo which checks if
the hash ring changed and reuploads descriptor if needed.
2017-08-19 16:28:48 +03:00
George Kadianakis
26c85fcc86 test: Improve get_responsible_hsdirs test. 2017-08-19 16:28:48 +03:00
George Kadianakis
1f7b8012ae prop224: Only upload descriptor if we have good hash ring and SRV.
Make sure we have a live consensus (for SRV) and enough descriptors (for
hash ring).

Also fix unittests that broke.
2017-08-19 16:28:47 +03:00
George Kadianakis
43343ec019 prop224: Improve our checks for unset HSDir index.
We used to not check next hsdir index.
2017-08-19 16:28:43 +03:00
David Goulet
5750f18bc7 sr: Log voting schedule at debug level
Because the HS subsystem calls it every second, change the log level to debug
so it doesn't spam the info log.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-19 16:20:07 +03:00
Suphanat Chunhapanya
97347b1109 Fuzz outer layer of hsv3 descriptor
The code in fuzz_hsdescv3.c fuzzes the unencrypted layer of the hsv3
descriptor. We need to fuzz the encrypted layer later.
2017-08-13 17:50:51 +07:00
Suphanat Chunhapanya
c860282fc0 Mock rsa_ed25519_crosscert_check
This commit just mocks the rsa_ed25519_crosscert_check to be used later
in the fuzzer.
2017-08-13 16:15:40 +07:00
David Goulet
257f50b22f Make Windows happy for time_t printf format
Our Windows compiler treats "time_t" as long long int but Linux likes it
long int so cast those to make Windows happy.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-11 15:08:45 -04:00
David Goulet
598bf986b6 test: Fix typing issues found by clang
Partially fix #23224.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-11 14:59:28 -04:00
David Goulet
9df4261407 test: Fix memory leak in test_hs_common.c
Partially fixes #23223

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-11 14:46:27 -04:00
David Goulet
60c7da71ab test: Fix hs common test for Windows
Use the PATH_SEPARATOR for a path comparaison so it works with Windows as
well.

Partially fix #23223

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-11 14:42:20 -04:00
Nick Mathewson
efbd4a33f4 Raise MIN_DL_PER_REQUEST to 32
This change should improve overhead for downloading small numbers of
descriptors and microdescriptors by improving compression
performance and lowering directory request overhead.

Closes ticket 23220.
2017-08-11 13:54:01 -04:00
Nick Mathewson
a368cadf95 Merge branch 'bug18982' 2017-08-11 12:11:42 -04:00
Nick Mathewson
c3a0cdeaab Add # to "hop N" messages to disambiguate from old messages. 2017-08-11 12:11:27 -04:00
Nick Mathewson
6247f5a5ba Merge branch 'maint-0.3.1' 2017-08-11 11:51:06 -04:00
Nick Mathewson
133e1e870b Merge remote-tracking branch 'dgoulet/bug23091_032_01' 2017-08-11 09:39:57 -04:00
Nick Mathewson
92b1dfd50e In node_get_ed25519_id, detect and warn on inconsistent IDs.
This shouldn't actually be possible, but it's worth checking for.
2017-08-09 15:00:32 -04:00
Nick Mathewson
fed3a08d8c Support the ed25519 map in nodelist_assert_ok() 2017-08-09 14:00:30 -04:00
Nick Mathewson
fc212458a6 Set formerly-unused fields of a stack-allocated routerinfo 2017-08-09 13:49:34 -04:00
Nick Mathewson
3cddd6570c Add a hashtable mapping to nodes from ed25519 ids 2017-08-09 13:45:03 -04:00
Nick Mathewson
b4963da987 Treat a bad tor_spawn_background() as a BUG().
The contract is that, if may_spawn_background_process() is 0, you're
not even allowed to try to spawn a process.
2017-08-09 10:58:07 -04:00
Nick Mathewson
5fa8d05bfa Block managed proxies at a higher point 2017-08-09 10:58:07 -04:00
Nick Mathewson
801aa5d03b Block the port-forwarding helper at a higher point 2017-08-09 10:58:07 -04:00
Nick Mathewson
eb43401bfb Add a 'NoExec' option that causes tor_spawn_background() to fail
Core of an implementation for 22976.
2017-08-09 10:45:48 -04:00
Nick Mathewson
94352368db Remove the #if 0ed code that was supposed to let the sandbox allow exec 2017-08-09 10:36:45 -04:00
Nick Mathewson
418f3d6298 Make sure we always wind up checking i2d_*'s output.
The biggest offender here was sometimes not checking the output of
crypto_pk_get_digest.

Fixes bug 19418.  Reported by Guido Vranken.
2017-08-09 09:24:16 -04:00
Nick Mathewson
6f7d548bc4 Make write_escaped_data more robust to large inputs.
The old implementation would fail with super-long inputs. We never
gave it any, but still, it's nicer to dtrt here.

Reported by Guido Vranken. Fixes bug 19281.
2017-08-09 09:02:12 -04:00
Nick Mathewson
d2713b4ddc fix another 32-bit warning 2017-08-09 08:32:39 -04:00
Nick Mathewson
a3685ba0c5 Fix a warning on 32-bit clang 2017-08-09 08:31:44 -04:00
George Kadianakis
21e5146529 prop224: Fix coverity warnings from #20657 merge.
- Fix various ssize_t/size_t confusions in the tests.

- Fix a weird memset argument:
  "bad_memset: Argument -16 in memset loses precision in
  memset(&desc_two->blinded_kp.pubkey.pubkey, -16, 32UL)."

- Fix check_after_deref instance in check_state_line_for_service_rev_counter():
  "check_after_deref: Null-checking items suggests that it may be null,
  but it has already been dereferenced on all paths leading to the
  check."
2017-08-09 13:49:12 +03:00
Nick Mathewson
8e84968ffb Re-run trunnel. 2017-08-08 20:34:39 -04:00
Nick Mathewson
34e4122025 Merge branch 'ticket20657_nickm_bugfixes_squashed' 2017-08-08 20:31:57 -04:00
Nick Mathewson
2f17743d6f Put comment in the trunnel file, so it wont go away. 2017-08-08 20:31:47 -04:00
George Kadianakis
686891d67e prop224: Add XXX about opaqueness of link_specifier_t. 2017-08-08 20:29:35 -04:00
George Kadianakis
5c4f4acedb prop224: Function to inc/decrement num rendezvous stream
Add a common function for both legacy and prop224 hidden service to increment
and decrement the rendezvous stream counter on an origin circuit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:35 -04:00
David Goulet
400ba2f636 prop224: Always note down the use of internal circuit
Also, this removes all the callsite of this rephist in the hs subsystem

Fixes #23097

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:35 -04:00
George Kadianakis
0a0bbfe96f Add note about handling INTRODUCE2 cells.
Also fix a check-spaces instance.
2017-08-08 20:29:35 -04:00
George Kadianakis
ff249ee4a6 Start caching disaster SRV values.
Also add some unittests.
2017-08-08 20:29:35 -04:00
George Kadianakis
101ce6da01 Fix the build_hs_index() function.
Also add a unittest for hs_get_responsible_hsdirs() which was used to
find and fix the bug.
2017-08-08 20:29:35 -04:00
George Kadianakis
8bac50d755 prop224: Improve comments and tests for ed25519 keys in IPs/RPs.
Also make sure we are not gonna advertise the ed25519 key of an intro
point that doesn't support it.
2017-08-08 20:29:35 -04:00
George Kadianakis
273638288d Improve docs on rendezvous circ relaunch. 2017-08-08 20:29:35 -04:00
George Kadianakis
827bd0e882 Increase HS desc cert lifetime.
We used to have a small HS desc cert lifetime but those certs can stick
around for 36 hours if they get initialized in the beginning of overlap
period.

[warn] Bug: Non-fatal assertion !(hs_desc_encode_descriptor(desc->desc, &desc->signing_kp, &encoded_desc) < 0) failed in
upload_descriptor_to_hsdir at src/or/hs_service.c:1886. Stack trace: (on Tor 0.3.2.0-alpha-dev b4a14555597fb9b3)
2017-08-08 20:29:35 -04:00
George Kadianakis
bd3213b17e prop224 tests: Better HS time period tests. 2017-08-08 20:29:35 -04:00
George Kadianakis
e70341deb7 prop224 tests: Better HS address tests. 2017-08-08 20:29:35 -04:00
George Kadianakis
4a1b57e9b0 prop224 tests: Improve SRV protocol tests. 2017-08-08 20:29:35 -04:00
George Kadianakis
0bf8587858 Do more type checking when setting HS idents.
I repurposed the old directory_request_set_hs_ident() into a new
directory_request_upload_set_hs_ident() which is only used for the
upload purpose and so it can assert on the dir_purpose.

When coding the client-side we can make a second function for fetch.
2017-08-08 20:29:35 -04:00
George Kadianakis
fe0c40c9b3 Fix broken intro point unittest.
The structure was not zeroed out, and left some boolean fields
uninitialized.
2017-08-08 20:29:35 -04:00
George Kadianakis
471489ca03 Extract intro point onion key even with multiple types. 2017-08-08 20:29:34 -04:00
George Kadianakis
a464d49aeb prop224 tests: test_gen_establish_intro_cell() check cell contents. 2017-08-08 20:29:34 -04:00
George Kadianakis
c62da5cf95 Improve code based on Nick review:
- Fix some more crazy ternary ops.
- Fix the order of disaster SRV computation.
- Whitespace fixes.
- Remove a redundant warn.
- Better docs.
2017-08-08 20:29:34 -04:00
George Kadianakis
4ad4467fa1 Don't double hash the ed25519 blind key parameter.
We used to do:
   h = H(BLIND_STRING | H(A | s | B | N )
when we should be doing:
   h = H(BLIND_STRING | A | s | B | N)

Change the logic so that hs_common.c does the hashing, and our ed25519
libraries just receive the hashed parameter ready-made. That's easier
than doing the hashing on the ed25519 libraries, since that means we
would have to pass them a variable-length param (depending on whether
's' is set or not).

Also fix the ed25519 test vectors since they were also double hashing.
2017-08-08 20:29:34 -04:00
George Kadianakis
b89d2fa1db Don't set HSDir index if we don't have a live consensus.
We also had to alter the SRV functions to take a consensus as optional
input, since we might be setting our HSDir index using a consensus that
is currently being processed and won't be returned by the
networkstatus_get_live_consensus() function.

This change has two results:

a) It makes sure we are using a fresh consensus with the right SRV value
   when we are calculating the HSDir hash ring.

b) It ensures that we will not use the sr_get_current/previous()
   functions when we don't have a consensus which would have falsely
   triggered the disaster SRV logic.
2017-08-08 20:29:34 -04:00
George Kadianakis
440eaa9b22 Correctly assign HSDir flags based on protocol list
In Nick's words:

"We want to always return false if the platform is a Tor version, and it
is not as new as 0.3.0.8 -- but if the platform is not a Tor version, or
if the version is as new as 0.3.0.8, then we want to obey the protocol
list.

That way, other implementations of our protocol won't have to claim any
particular Tor version, and future versions of Tor will have the freedom
to drop this protocol in the distant future."
2017-08-08 20:29:34 -04:00
George Kadianakis
a561a10da7 Fix small easy bugs all around
- Fix log message format string.
- Do extra circuit purpose check.
- wipe memory in a clear function
- Make sure we don't double add intro points in our list
- Make sure we don't double close intro circuits.
- s/tt_u64_op/tt_i64_op/
2017-08-08 20:29:34 -04:00
George Kadianakis
2c6f2e9be9 Constify functions that can be constified. 2017-08-08 20:29:34 -04:00
George Kadianakis
5ca9b830ea Improve documentation all around the codebase. 2017-08-08 20:29:34 -04:00
George Kadianakis
f106af3c41 Make ed25519 id keys optional for IPs and RPs. 2017-08-08 20:29:34 -04:00
George Kadianakis
d88984a137 Improve setting hsdir index procedure.
- Fix memleak.
2017-08-08 20:29:34 -04:00
George Kadianakis
706392e6b5 Make HidServRevCounter be a LINELIST as it should. 2017-08-08 20:29:34 -04:00
George Kadianakis
3ce69a58ce Rename some free() functions that are actually clear(). 2017-08-08 20:29:34 -04:00
George Kadianakis
3bc52dae89 Validate intro point limits to avoid asserts. 2017-08-08 20:29:34 -04:00
George Kadianakis
7c507a1f7f Relax assertions: turn them to BUGs and non-fatal asserts. 2017-08-08 20:29:34 -04:00
George Kadianakis
e42c55626a prop224: Don't use nodes as HSDirs if they don't have an HSDir index. 2017-08-08 20:29:34 -04:00
George Kadianakis
74981d1f13 memwipe interesting unused memory 2017-08-08 20:29:34 -04:00
George Kadianakis
29b3dd1c05 Fix 32-bit bug when writing address to descriptor.
We used to sizeof() a pointer. Let's just use asprintf to avoid having
to be smart.
2017-08-08 20:29:34 -04:00
George Kadianakis
434112df4b Fix ternary operator abuse. 2017-08-08 20:29:34 -04:00
George Kadianakis
1397ac11d6 Use htonll() when INT_8 is used.
Also prepend period_length to any period_num, as specified by the spec.
2017-08-08 20:29:34 -04:00
David Goulet
708789025d prop224: Remove INTRODUCE2 legacy handling
Turns out that introduction points don't care about the INTRODUCE2 cell
format as long as the top field is LEGACY_KEY_ID as expected. So let's
use a single INTRODUCE format regardless of the introduction point being
legacy or not.

This also removes the polymorphic void* situation.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
George Kadianakis
ec0da9a6f1 test: Unbreak test_upload_descriptors()
To upload the descriptor we needed a state file to write the rev counters in,
but that test did not have a state file initialized.

Also fix the typo in its func name.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
George Kadianakis
b47139d758 test: Unit tests for the revision counter state file codethe
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
George Kadianakis
6f046b2191 prop224: Use state file to save/load revision counters
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
George Kadianakis
2e5a2d64bd prop224: Refactor the overlap function to not use absolute time.
We consider to be in overlap mode when we are in the period of time between a
fresh SRV and the beginning of the new time period (in the normal network this
is between 00:00 and 12:00 UTC). This commit edits that function to use the
above semantic logic instead of absolute times.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
George Kadianakis
6c00bd1f10 prop224: Make prop224 time periods smaller in testnets.
It used to be that time periods were 24 hours long even on chutney,
which made testing harder. With this commit, time periods have the same
length as a full SRV protocol run, which means that they will change
every 4 minutes in a 10-second voting interval chutney network!
2017-08-08 20:29:34 -04:00
George Kadianakis
cf58451a8b prop224: Refactor hs_get_time_period_num() to not use absolute time.
Instead use the SRV protocol duration to calculate the rotation offset
that was previously hardcoded to 12 hours.
2017-08-08 20:29:34 -04:00
George Kadianakis
2cd5f9a2fc prop224: Compute start time of next time period. 2017-08-08 20:29:34 -04:00
George Kadianakis
0b22b7fce3 SR: Calculate current SRV phase/run duration.
This is also needed to make the HS desc overlap mode function
independent of absolute hours.
2017-08-08 20:29:34 -04:00
George Kadianakis
2af254096f SR: Compute the start time of the current protocol run.
This function will be used to make the HS desc overlap function be
independent of absolute times.
2017-08-08 20:29:34 -04:00
David Goulet
85c80adf4a prop224: HSDir v3 support is >= 0.3.0.8
Because of bug #22447, we have to select nodes that are at least this version.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
David Goulet
2cae4f4100 prop224: Move get_intro_circuit() to hs_circuit.c
Make this function public so we can use it both in hs_circuit.c and
hs_service.c to avoid code duplication.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
David Goulet
6c3d525c36 prop224: Make circuit prediction aware of v3 services
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
David Goulet
713eb08bc9 prop224: Add service rendezvous circuit relaunch
This introduces a callback to relaunch a service rendezvous circuit when a
previous one failed to build or expired.

It unifies the legacy function rend_service_relaunch_rendezvous() with one for
specific to prop224. There is now only one entry point for that which is
hs_circ_retry_service_rendezvous_point() supporting both legacy and prop224
circuits.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
David Goulet
1b403a8382 prop224: Different intro point timings with TestingNetwork
Change the timing for intro point's lifetime and maximum amount of circuit we
are allowed to launch in a TestingNetwork. This is particurlarly useful for
chutney testing to test intro point rotation.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
David Goulet
15864a1b70 prop224: Add a circuit has closed callback
When the circuit is about to be freed which has been marked close before, for
introduction circuit we now call this has_closed() callback so we can cleanup
any introduction point that have retried to many times or at least flag them
that their circuit is not established anymore.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
David Goulet
4a8cf17897 hs: Rename num_rend_services()
Renamed to rend_num_services() so it is consistent with the legacy naming.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
George Kadianakis
a6b6227b21 test: Fix prop224 HS descriptor to use subcredential
We used to use NULL subcredential which is a terrible terrible idea.  Refactor
HS unittests to use subcredentials.

Also add some non-fatal asserts to make sure that we always use subcredentials
when decoding/encoding descs.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
David Goulet
b547c54239 test: Add unit test coverage of hs_service.c
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
David Goulet
559ffd7179 test: Refactor HS tests to use the new ESTABLISH_INTRO cell code
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
David Goulet
8ffb49422b test: Add test_hs_common unit tests
Move tests from test_hs_service.c to this file.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
David Goulet
6061f5e2bd test: Add test_hs_ntor unit tests
Move the ntor test from test_hs_service.c to this file.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:34 -04:00
David Goulet
472835d6e9 test: Add test_hs_cell unit tests
Move ESTABLISH_INTRO tests from test_hs_service.c to this new file.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
30b5c6a95e prop224: Link rendezvous circuit to edge connection
This commit refactors the handle_hs_exit_conn() function introduced at a prior
commit that connects the rendezvous circuit to the edge connection used to
connect to the service virtual port requested in a BEGIN cell.

The refactor adds the support for prop224 adding the
hs_service_set_conn_addr_port() function that has the same purpose has
rend_service_set_connection_addr_port() from the legacy code.

The rend_service_set_connection_addr_port() has also been a bit refactored so
the common code can be shared between the two HS subsystems (legacy and
prop224).

In terms of functionallity, nothing has changed, we still close the circuits
in case of failure for the same reasons as the legacy system currently does.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
7163ce7f62 hs: Refactor the service exit connection code
This commit simply moves the code from the if condition of a rendezvous
circuit to a function to handle such a connection. No code was modified
_except_ the use or rh.stream_id changed to n_stream->stream_id so we don't
have to pass the cell header to the function.

This is groundwork for prop224 support which will break down the
handle_hs_exit_conn() depending on the version of hidden service the circuit
and edge connection is for.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
5d2506d70c prop224: Sandbox support for service
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
848e701f55 prop224: Make the number of extra intro point a consensus param
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
f0e02e3a14 prop224: Make intro point min/max lifetime a consensus param
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
670cecaf66 prop224: Make INTRODUCE2 min/max a consensus param
Introduction point are rotated either if we get X amounts of INTRODUCE2 cells
on it or a time based expiration. This commit adds two consensus parameters
which are the min and max value bounding the random value X.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
feed375f19 prop224: Implement a service intro point failure cache
Imagine a Tor network where you have only 8 nodes available due to some
reasons. And your hidden service wants 8 introduction points. Everything is
fine but then a node goes down bringing the network to 7. The service will
retry 3 times that node and then give up but keep it in a failure cache for 5
minutes (INTRO_CIRC_RETRY_PERIOD) so it doesn't retry it non stop and exhaust
the maximum number of circuit retry.

In the real public network today, this is unlikely to happen unless the
ExcludeNodes list is extremely restrictive.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
ac848777f9 prop224: Upload service descriptors
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
bce0c6caad prop224: Directory function to upload descriptor
This commit adds a directory command function to make an upload directory
request for a service descriptor.

It is not used yet, just the groundwork.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
0bcc9ad58d prop224: Add a responsible HSDir function
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
06909cafef prop224: Add hsdir consensus parameters
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
267bc7bc3b prop224: Build hsdir index for node_t
This hsdir index value is used to give an index value to all node_t (relays)
that supports HSDir v3. An index value is then computed using the blinded key
to know where to fetch/upload the service descriptor from/to.

To avoid computing that index value everytime the client/service needs it, we
do that everytime we get a new consensus which then doesn't change until the
next one. The downside is that we need to sort them once we need to compute
the set of responsible HSDir.

Finally, the "hs_index" function is also added but not used. It will be used
in later commits to compute which node_t is a responsible HSDir for the
service we want to fetch/upload the descriptor.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
77b279c35c prop224: Add service replay cache
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
27dd1a716c prop224: Support INTRODUCE2 cell replay cache
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
100386e659 prop224: Support legacy INTRODUCE2 cell
Also rename some function to follow a bit more the naming convention in that
file.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
dfa6301aed prop224: Handle service RENDEZVOUS1 cell
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
acc7c4ee95 prop224: Establish rendezvous circuit for service
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
5e710368b3 prop224: Handle service INTRODUCE2 cell
At this commit, launching rendezvous circuit is not implemented, only a
placeholder.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
faadbafba3 prop224: Add helper function to lookup HS objects
Add this helper function that can lookup and return all the needed object from
a circuit identifier. It is a pattern we do often so make it nicer and avoid
duplicating it everywhere.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
79e8d113d5 prop224: Handle service INTRO_ESTABLISHED cell
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
d765cf30b5 prop224: Circuit has opened and ESTABLISH_INTRO cell
Add the entry point from the circuit subsystem of "circuit has opened" which
is for all type of hidden service circuits. For the introduction point, this
commit actually adds the support for handling those circuits when opened and
sending ESTABLISH_INTRO on a circuit.

Rendevzou point circuit aren't supported yet at this commit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
6a21ac7f98 prop224: Introduction circuit creation
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
00a02a3a59 prop224: Service v3 descriptor creation and logic
This commit adds the functionality for a service to build its descriptor.
Also, a global call to build all descriptors for all services is added to the
service scheduled events.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
c4ba4d4cc8 prop224: Implement subcredential creation
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
George Kadianakis
f53b72baf7 prop224: Add descriptor overlap mode function
The function has been added but not used except for the unit tests.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
0f104ddce5 prop224: Scheduled events for service
Add the main loop entry point to the HS service subsystem. It is run every
second and make sure that all services are in their quiescent state after that
which means valid descriptors, all needed circuits opened and latest
descriptors have been uploaded.

For now, only v2 is supported and placeholders for v3 actions for that main
loop callback.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
9052530bdd prop224: API for the creation of blinded keys
Add a function for both the client and service side that is building a blinded
key from a keypair (service) and from a public key (client). Those two
functions uses the current time period information to build the key.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
44e3255c4d hs: Implement constructor for hs_desc_intro_point_t
Add a new and free function for hs_desc_intro_point_t so the service can use
them to setup those objects properly.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
Nick Mathewson
72832086e2 Use a single free-and-exit strategy in config_process_include.
This avoids a double-free when a pointer already freed with
tor_free(config_line) is freed again in the cleanup-and-exit code.

Fixes bug 23155.
2017-08-08 20:08:43 -04:00
Nick Mathewson
649104fdb9 Remove a needless memwipe.
The interior of ctx here is already wiped by
crypto_digest_free(). This memwipe call only wiped the pointer
itself, which isn't sensitive.
2017-08-08 19:58:19 -04:00
Nick Mathewson
b08a2dc954 Merge branch 'maint-0.3.1' 2017-08-08 19:29:10 -04:00
Nick Mathewson
a47b8fcf92 Merge branch 'bug23139' into maint-0.3.1 2017-08-08 19:29:05 -04:00
Nick Mathewson
48a57f9815 Merge branch 'maint-0.3.1' 2017-08-08 10:10:52 -04:00
Nick Mathewson
7465ea4ad9 Remove some LCOV_EXCL stuff that I think may be testable after all.
This is partial revert on 22286.

Also, tweak some log messages to be distinct.
2017-08-08 10:08:06 -04:00
Nick Mathewson
6121ca16bc Merge remote-tracking branch 'ahf/bugs/22286' into maint-0.3.1 2017-08-08 10:03:08 -04:00
Nick Mathewson
3af4aafbcb Fix a memory leak in consdiffmgr.c
Fixes bug 23139; bugfix on 0.3.1.1-alpha.
2017-08-08 09:13:45 -04:00
Roger Dingledine
2032b9b1b1 fix typo in comment 2017-08-07 00:22:27 -04:00
Nick Mathewson
ce07b4dd91 Fix memory leak of "torrcd" in test_config_include_folder_order()
Bugfix on 0265ced02b7a652c5941cb2c14ee1e0de0b1d90e; bug not in any
released Tor.
2017-08-04 13:50:27 -04:00
Nick Mathewson
89407bedf8 Tweak usage of get_current_working_dir() for tor_malloc() paranoia.
We assume that tor_free() is not required to be compatible with
the platform malloc(), so we need to use a strdup here.
2017-08-04 12:26:35 -04:00
cypherpunks
bfe740f065 Refactor retrieving the current working directory
The GNU C Library (glibc) offers an function which allocates the
necessary memory automatically [0]. When it is available, we use that.

Otherwise we depend upon the `getcwd` function which requires a
preallocated buffer (and its size). This function was used incorrectly
by depending on the initial buffer size being big enough and otherwise
failing to return the current working directory. The proper way of
getting the current working directory requires a loop which doubles the
buffer size if `getcwd` requires it. This code was copied from [1] with
modifications to fit the context.

[0] https://www.gnu.org/software/hurd/hurd/porting/guidelines.html
[1] http://pubs.opengroup.org/onlinepubs/9699919799/functions/getcwd.html
2017-08-04 12:22:53 -04:00
cypherpunks
0265ced02b Remove usage of the PATH_MAX variable
GNU Hurd does not define the PATH_MAX variable. Using the variable on
this platform results in compilation errors.

Closes #23098.
2017-08-04 12:22:53 -04:00
Nick Mathewson
3b646bf887 Fix ntohs() that should have been htons()
Fixes bug 23106; bugfix on 0.2.4.8-alpha.

Fortunately, we only support big-endian and little-endian platforms,
and on both of those, hton*() and ntoh*() behave the same.  And if
we did start to support middle endian systems (haha, no), most of
_those_ have hton*(x) == ntoh*(x) too.
2017-08-04 12:17:53 -04:00
Nick Mathewson
32b4fd5be9 Handle CMD_KEY_EXPIRATION in ntmain.c switch statement
This fixes a compilation warning on windows.

Bug not in any released Tor.
2017-08-04 12:00:51 -04:00
Isis Lovecruft
b2a7e8df90
routerkeys: Add cmdline option for learning signing key expiration.
* CLOSES #17639.
 * ADDS new --key-expiration commandline option which prints when the
   signing key expires.
2017-08-03 22:20:02 +00:00
Nick Mathewson
96cf608b2e Merge branch 'bug22885_squashed' 2017-08-03 09:33:40 -04:00
Nick Mathewson
7f32920648 Don't send missing X-Desc-Gen-Reason on startup
Since we start with desc_clean_since = 0, we should have been
starting with non-null desc_dirty_reason.

Fixes bug 22884; bugfix on 0.2.3.4-alpha when X-Desc-Gen-Reason was
added.
2017-08-03 09:33:33 -04:00
Nick Mathewson
1168e21b45 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-08-03 09:14:12 -04:00
Nick Mathewson
40c7871f46 Merge branch 'maint-0.3.1' 2017-08-03 09:14:12 -04:00
Nick Mathewson
b548371f76 Merge remote-tracking branch 'dgoulet/bug23078_030_01' into maint-0.3.0 2017-08-03 09:12:23 -04:00
Nick Mathewson
17073d7234 Merge branch 'maint-0.3.1' 2017-08-03 09:11:03 -04:00
Nick Mathewson
b13bf65062 Merge branch 'bug23081_025' into maint-0.3.1 2017-08-03 09:10:58 -04:00
Nick Mathewson
3e68db02c4 In ntmain, call set_main_thread() before running the loop.
Patch from Vort; fixes bug 23081; bugfix on fd992deeea in
0.2.1.16-rc when set_main_thread() was introduced.

See the changes file for a list of all the symptoms this bug has
been causing when running Tor as a Windows Service.
2017-08-03 09:09:08 -04:00
Neel Chauhan
5ee6ca8da2 Switch to offsetof() 2017-08-03 08:56:35 -04:00
Nick Mathewson
02fcb29d11 Merge branch 'maint-0.3.1' 2017-08-03 08:44:32 -04:00
Nick Mathewson
93b28972c1 Merge branch 'maint-0.2.5' into maint-0.2.8 2017-08-03 08:44:31 -04:00
Nick Mathewson
9696021593 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-08-03 08:44:31 -04:00
Nick Mathewson
f33c96610f Merge branch 'maint-0.2.9' into maint-0.3.0 2017-08-03 08:44:31 -04:00
Nick Mathewson
e220e6e437 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-08-03 08:44:31 -04:00
Karsten Loesing
1280de42a4 Update geoip and geoip6 to the August 3 2017 database. 2017-08-03 10:00:54 +02:00
David Goulet
5b03c7ba6d Fix check_expired_networkstatus_callback() if condition
The condition was always true meaning that we would reconsider updating our
directory information every 2 minutes.

If valid_until is 6am today, then now - 24h == 1pm yesterday which means that
"valid_until < (now - 24h)" is false. But at 6:01am tomorrow, "valid_until <
(now - 24h)" becomes true which is that point that we shouldn't trust the
consensus anymore.

Fixes #23091

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-02 13:28:45 -04:00
Nick Mathewson
c4c5077af2 Merge branch 'maint-0.3.1' 2017-08-02 12:51:46 -04:00
Nick Mathewson
a9a8d53dec Merge branch 'bug23071_031' into maint-0.3.1 2017-08-02 12:51:42 -04:00
Nick Mathewson
ee849ee8b6 Make the hs_ntor_ref logic more correct when there is no sha3 module 2017-08-02 12:44:46 -04:00
Nick Mathewson
8925e84beb version bump to 0.3.0.10-dev 2017-08-02 12:28:34 -04:00
Nick Mathewson
4f7955d5de Bump to 0.3.0.10 2017-08-01 14:38:49 -04:00
David Goulet
ff9c529667 hs: Cleanup logging statement in hs_intropoint.c
One log statement was a warning and has been forgotten. It is triggered for a
successful attempt at introducting from a client.

It has been reported here:
https://lists.torproject.org/pipermail/tor-relays/2017-August/012689.html

Three other log_warn() statement changed to protocol warning because they are
errors that basically can come from the network and thus triggered by anyone.

Fixes #23078.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-01 14:15:47 -04:00
Nick Mathewson
9c294d29ea bump to 0.3.1.5-alpha-dev 2017-08-01 12:08:30 -04:00
Nick Mathewson
58e1c6dd86 Merge remote-tracking branch 'public/bug19769_19025_029' into maint-0.2.9 2017-08-01 11:30:29 -04:00
Nick Mathewson
8500f0e4e1 Merge remote-tracking branch 'public/bug20059_024_v2' into maint-0.2.9 2017-08-01 11:28:36 -04:00
Nick Mathewson
84c4a2bc3f Merge remote-tracking branch 'public/bug20270_029' into maint-0.3.0 2017-08-01 11:24:02 -04:00
Nick Mathewson
7c68b2f1a5 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-08-01 11:23:00 -04:00
Nick Mathewson
2b94b0ea72 Merge remote-tracking branch 'public/bug22245_024' into maint-0.2.9 2017-08-01 11:22:42 -04:00
Nick Mathewson
1d48712c28 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-08-01 11:21:19 -04:00
Nick Mathewson
f6ecda8400 Merge remote-tracking branch 'public/bug18100_029' into maint-0.2.9 2017-08-01 11:21:14 -04:00
Nick Mathewson
4a19498edc Merge branch 'maint-0.3.0' into maint-0.3.1 2017-08-01 11:19:30 -04:00
Nick Mathewson
64e5600103 Merge branch 'maint-0.3.1' 2017-08-01 11:19:30 -04:00
Nick Mathewson
9d24a352c0 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-08-01 11:19:30 -04:00
Nick Mathewson
0e7558ab64 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-08-01 11:19:29 -04:00
Nick Mathewson
925ef048a9 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-08-01 11:19:29 -04:00
Nick Mathewson
a48ae2aa67 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-08-01 11:19:29 -04:00
Nick Mathewson
6862eada65 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-08-01 11:19:29 -04:00
Nick Mathewson
0bfd1c318c Merge branch 'maint-0.2.4' into maint-0.2.5 2017-08-01 11:19:28 -04:00
Nick Mathewson
ec99f038fa Improve the keypin failure message
Closes the human-factors part of ticket 22348.
2017-07-31 20:40:23 -04:00
Nick Mathewson
df3bdc6bde Clean up choose_good_entry_server() doc; add assertion
We used to allow state==NULL here, but we no longer do.

Fixes bug 22779.
2017-07-31 20:35:58 -04:00
Nick Mathewson
8b5b7d470f Fix the hs_ntor integration tests to work with the pysha3 module
The sha3 module should still work.  Fixes bug 23071; bugfix on
0.3.1.1-alpha.
2017-07-31 20:28:42 -04:00
Nick Mathewson
572f23a96e Now that "base -1" is a bug, tell our unit tests to expect bug warnings
Bugfix on accb734c5fc45481231b837; bug not in any released Tor.
2017-07-31 14:30:04 -04:00
Nick Mathewson
2cb8c8d99f Bump to 0.3.1.5-alpha 2017-07-31 14:29:33 -04:00
Nick Mathewson
769a94d9ce Bug 23055: cast, then multiply when doing u32*u32->u64.
No backport, since this bug won't trigger until people make
certificates expiring after the Y2106 deadline.

CID 1415728
2017-07-28 10:33:51 -04:00
Nick Mathewson
accb734c5f Turn base < 0 into a BUG() in our long-parse functions. 2017-07-28 10:26:06 -04:00
Nick Mathewson
decb927685 Add an assertion to try to please coverity.
Coverity, for some reason, thought that weight_scale might be 0,
leading to a divide-by-zero error.
2017-07-28 10:17:57 -04:00
Nick Mathewson
602c52cad4 Coverity deadcode shenanigans on BUG() macro.
We don't actually want Coverity to complain when a BUG() check can
never fail, since such checks can prevent us from introducing bugs
later on.

Closes ticket 23054. Closes CID 1415720, 1415724.
2017-07-28 10:02:38 -04:00
Nick Mathewson
5f0fa480dd Merge branch 'maint-0.3.1' 2017-07-28 09:54:39 -04:00
Nick Mathewson
eb677c5870 Fix an unreachable memory leak in the unit tests
This is CID 1415726.
2017-07-28 09:52:34 -04:00
Nick Mathewson
6252e04a37 Merge branch 'maint-0.3.1' 2017-07-28 09:50:26 -04:00
Nick Mathewson
911e2dc530 Merge branch 'bug23053_029' into maint-0.3.1 2017-07-28 09:50:16 -04:00
Nick Mathewson
9a0f38a349 Fix a small memory leak when parsing unix: ports twice
Fixes bug 23053; CID 1415725.
2017-07-28 09:49:42 -04:00
Nick Mathewson
baf53300d7 Merge branch 'maint-0.3.1' 2017-07-27 20:33:01 -04:00
Nick Mathewson
af3079a492 Try to work around a compile warning in workqueue.c 2017-07-27 20:32:59 -04:00
Nick Mathewson
15ed1c0c83 Merge branch 'maint-0.3.1' 2017-07-27 16:30:52 -04:00
Nick Mathewson
ba334c00da Merge branch 'multi-priority_squashed' into maint-0.3.1 2017-07-27 16:29:34 -04:00
Nick Mathewson
fdd8156ea3 Fix the cpuworker.c documentation to mention all the kinds of work 2017-07-27 16:28:59 -04:00
Nick Mathewson
f5a852de91 Note that threadpool_queue_work...() can't actually return NULL 2017-07-27 16:28:59 -04:00
Nick Mathewson
250c88014d Always start with one additional worker thread
Now that half the threads are permissive and half are strict, we
need to make sure we have at least two threads, so that we'll
have at least one of each kind.
2017-07-27 16:28:59 -04:00
Nick Mathewson
0ae0b5aa41 Queue consensus diffs at LOW priority.
Fixes bug 22883.
2017-07-27 16:28:59 -04:00
Nick Mathewson
bddea78ded Fix a pair of stale comments in workqueue.c
These comments said that each thread had a separate queue, but we
haven't been using that design for some while.
2017-07-27 16:28:59 -04:00
Nick Mathewson
efadebf7c3 Make the chance for priority inversion thread-specific
Instead of choosing a lower-priority job with a 1/37 chance, have
the chance be 1/37 for half the threads, and 1/2147483647 for the
other half.  This way if there are very slow jobs of low priority,
they shouldn't be able to grab all the threads when there is better
work to do.
2017-07-27 16:28:59 -04:00
Nick Mathewson
10e0bff4ca Add support for multi-priority workqueues
Each piece of queued work now has an associated priority value; each
priority goes on a separate queue.

With probability (N-1)/N, the workers will take work from the highest
priority nonempty queue.  Otherwise, they'll look for work in a
queue of lower priority.  This behavior is meant to prevent
starvation for lower-priority tasks.
2017-07-27 16:28:05 -04:00
Nick Mathewson
c2844d5377 Merge branch 'bug22895_027' 2017-07-27 11:27:07 -04:00
cypherpunks
89c0a00a9a Remove unused variables in donna's SSE2 code
Fixes unused-const-variable warnings with GCC on 32-bit x86 systems.

Closes #22895.
2017-07-27 11:26:13 -04:00
Nick Mathewson
ced2dd5f92 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-07-27 08:23:37 -04:00
Nick Mathewson
b387dd364f Merge branch 'maint-0.3.1' 2017-07-27 08:23:37 -04:00
Nick Mathewson
ad35e595e5 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-27 08:23:36 -04:00
Nick Mathewson
24ddf5862e Merge remote-tracking branch 'public/bug20247_029' into maint-0.2.9 2017-07-27 08:23:34 -04:00
Nick Mathewson
8d3c3f039d Merge branch 'maint-0.3.1' 2017-07-26 12:58:22 -04:00
Nick Mathewson
431c8d09ee Merge branch 'maint-0.3.0' into maint-0.3.1 2017-07-26 12:58:22 -04:00
Nick Mathewson
18734d3b25 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-26 12:58:22 -04:00
Nick Mathewson
32b9edeb91 Fix build warnings from Coverity related to our BUG macro
In the Linux kernel, the BUG() macro causes an instant panic.  Our
BUG() macro is different, however: it generates a nonfatal assertion
failure, and is usable as an expression.

Additionally, this patch tells util_bug.h to make all assertion
failures into fatal conditions when we're building with a static
analysis tool, so that the analysis tool can look for instances
where they're reachable.

Fixes bug 23030.
2017-07-26 12:57:49 -04:00
Nick Mathewson
8b5b3b5fb4 Merge branch 'maint-0.3.1' 2017-07-26 12:54:41 -04:00
Nick Mathewson
30a98c765f Merge branch 'bug22927_031' into maint-0.3.1 2017-07-26 12:54:37 -04:00
Nick Mathewson
3c017e823b Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-26 12:53:38 -04:00
Nick Mathewson
5141360099 Merge branch 'maint-0.3.1' 2017-07-26 12:53:38 -04:00
Nick Mathewson
d068f3359f Merge branch 'maint-0.3.0' into maint-0.3.1 2017-07-26 12:53:38 -04:00
Nick Mathewson
6d3c5b8fb5 Merge branch 'bug22915_029_2' into maint-0.2.9 2017-07-26 12:53:13 -04:00
Nick Mathewson
fca1934c88 Suppress clang4-specific -Wdouble-promotion warnings
Wow, it sure seems like some compilers can't implement isnan() and
friends in a way that pleases themselves!

Fixes bug 22915. Bug trigged by 0.2.8.1-alpha and later; caused by
clang 4.
2017-07-26 12:53:00 -04:00
Nick Mathewson
b9ad49844b This caused my attempt to fix hs_config/valid_service_v2 to fail
_again_.

Third time's the charm?
2017-07-25 13:24:41 -04:00
David Goulet
c9927ce4d5 prop224: Add onion key to service descriptor intro point
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-25 13:11:40 -04:00
David Goulet
78e2bc4000 prop224: Add the introduction point onion key to descriptor
A prop224 descriptor was missing the onion key for an introduction point which
is needed to extend to it by the client.

Closes #22979

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-25 13:11:40 -04:00
David Goulet
b8ceab9bb3 prop224: Helper to dup a link_specifier_t object
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-25 13:11:40 -04:00
David Goulet
2b9575a9c0 prop224: Update hs identifier circuit
Remove the legacy intro point key because both service and client only uses
the ed25519 key even though the intro point chosen is a legacy one.

This also adds the CLIENT_PK key that is needed for the ntor handshake.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-25 13:11:40 -04:00
David Goulet
3e537c6fe4 trunnel: Add prop224 RENDEZVOUS1 cell definition
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-25 13:11:40 -04:00
Roger Dingledine
bb66a48541 fix wordo in comment 2017-07-25 11:14:39 -04:00
Nick Mathewson
a4217cc52f Fix remaining cases of hs_config failures without af_unix 2017-07-24 15:58:11 -04:00
Nick Mathewson
661e317697 Fix hs_config unit test on systems without unix sockets
Bugfix on 418059dd96f5f427eceffff1daeb2a2f6c4adbeb; jenkins found
this.
2017-07-24 15:13:23 -04:00
Nick Mathewson
6c8c973191 Rename the hybrid_encrypt/decrypt functions; label them as dangerous
We need to keep these around for TAP and old-style hidden services,
but they're obsolete, and we shouldn't encourage anyone to use them.
So I've added "obsolete" to their names, and a comment explaining
what the problem is.

Closes ticket 23026.
2017-07-24 14:34:53 -04:00
Nick Mathewson
db1664e593 Improve comment about why we disable TLS compression.
Closes bug 22964.  Based on Teor's replacement there, but tries
to put the comment in a more logical place, and explain why we're
actually disabling compression in the first place.
2017-07-24 14:17:16 -04:00
David Goulet
10331081c7 test: Remove buggy unit test in test_hs_service
There isn't much of a point of this buggy test afterall to add twice the same
service object but with a different key which ultinately can end up failing
the test because 1/N_BUCKETS of probability that we end up to put the service
in the same bucket.

Fixes #23023

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-24 11:33:52 -04:00
Roger Dingledine
ec5b30ca0b fix whitespace issue 2017-07-23 00:57:10 -04:00
Nick Mathewson
2ae51ed5e2 Fix zstd 1.3.0 trouble: Be more respectful of its state machine
In zstd 1.3.0, once you have called ZSTD_endStream and been told
that your putput buffer is full, it really doesn't want you to call
ZSTD_compressStream again.  ZSTD 1.2.0 didn't seem to mind about
this.

This patch fixes the issue by making sure never to call
ZSTD_endStream if there's any more data on the input buffer to
process, by flushing even when we're about to call "endStream", and
by never calling "compress" or "flush" after "endStream".
2017-07-14 16:31:29 -04:00
Nick Mathewson
0ccdf2f31e Merge branch 'bug17750_029_squashed' 2017-07-14 15:07:09 -04:00
Nick Mathewson
b7566d465f Fix a signed integer overflow in dir/download_status_random_backoff
Fix for 22924. Bugfix on 0.2.9.1-alpha when the test was introducd
-- though it couldn't actually overflow until we fixed 17750.

Additionally, this only seems to overflow on 32-bit, and only when
the compiler doesn't re-order the (possibly dead) assignment out of
the way.  We ran into it on a 32-bit ubuntu trusty builder.
2017-07-14 15:05:30 -04:00
Nick Mathewson
9a1338d9df Fix 32-bit warnings in hs_common.c 2017-07-14 11:33:12 -04:00
Nick Mathewson
f5d2f79aca Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-14 09:11:14 -04:00
Nick Mathewson
52c1754ff6 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-07-14 09:11:14 -04:00
Nick Mathewson
d0816a040d Merge branch 'maint-0.3.1' 2017-07-14 09:11:14 -04:00
Nick Mathewson
3a7d757140 Merge branch 'bug22916_027' into maint-0.2.9 2017-07-14 09:11:08 -04:00
Nick Mathewson
bbc75faed1 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-07-14 09:06:44 -04:00
Nick Mathewson
ce5d8c92dd Merge branch 'maint-0.3.1' 2017-07-14 09:06:44 -04:00
Nick Mathewson
c1afbbe8fe Merge branch 'bug22803_030' into maint-0.3.0 2017-07-14 09:06:33 -04:00
Nick Mathewson
3cec1783b7 Fix compiler warnings with openssl-scrypt/libscrypt test on clang
Clang didn't like that we were passing uint64_t values to an API
that wanted uint32_t.  GCC has either not cared, or has figured out
that the values in question were safe to cast to uint32_t.

Fixes bug22916; bugfix on 0.2.7.2-alpha.
2017-07-13 17:49:48 -04:00
Nick Mathewson
ef4ea864ea Merge remote-tracking branch 'dgoulet/ticket21979_032_04' 2017-07-13 17:23:37 -04:00
David Goulet
965e3a6628 prop224: Fix clang warnings
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 17:18:11 -04:00
Nick Mathewson
62d241ad22 Merge remote-tracking branch 'isis/bug19476' 2017-07-13 16:58:45 -04:00
Nick Mathewson
66a564fad8 Merge branch 'maint-0.3.1' 2017-07-13 16:55:06 -04:00
Nick Mathewson
66258f8878 Merge branch 'fewer-diffs' into maint-0.3.1 2017-07-13 16:55:02 -04:00
Nick Mathewson
ec29cae8d7 Merge branch 'maint-0.3.1' 2017-07-13 16:52:20 -04:00
Nick Mathewson
1ea155b28f Merge branch 'bug22520_031' into maint-0.3.1 2017-07-13 16:52:16 -04:00
Nick Mathewson
c73b35d428 Merge branch 'maint-0.3.1' 2017-07-13 16:51:18 -04:00
Nick Mathewson
e6d2059751 Merge remote-tracking branch 'isis/bug22830_0.3.1' into maint-0.3.1 2017-07-13 16:51:09 -04:00
David Goulet
5d64ceb12d prop224: Move service version into config object
It makes more sense to have the version in the configuration object of the
service because it is afterall a torrc option (HiddenServiceVersion).

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:50:09 -04:00
David Goulet
3eeebd1b0c prop224: Use the service config object when configuring
Both configuration function now takes the service config object instead of the
service itself.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:50:09 -04:00
David Goulet
f64689f3f0 prop224: Don't use char * for binary data
It turns out that some char * sneaked in our hs_common.c code. Replace those
by uint8_t *.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:50:09 -04:00
David Goulet
1b048fbfaa prop224: Add a clear configuration function
The added function frees any allocated pointers in a service configuration
object and reset all values to 0.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:50:09 -04:00
David Goulet
750c684fff prop224: Don't use an array of config handlers
As per nickm suggestion, an array of config handlers will not play well with
our callgraph tool.

Instead, we'll go with a switch case on the version which has a good side
effect of allowing us to control what we pass to the function intead of a fix
set of parameters.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:50:09 -04:00
David Goulet
e9dd4ed16d prop224: Detect duplicate configuration options
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:50:09 -04:00
David Goulet
cfa6f8358b prop224: Use a common function to parse uint64_t
Add a helper function to parse uint64_t and also does logging so we can reduce
the amount of duplicate code.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:50:09 -04:00
David Goulet
28f6431399 Revert "fixup! prop224: Add hs_config.{c|h} with a refactoring"
This reverts commit e2497e2ba038133026a475f0f93c9054187b2a1d.
2017-07-13 16:50:09 -04:00
David Goulet
09b12c4094 test: Add v3 service load keys and accessors
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:50:09 -04:00
David Goulet
418059dd96 test: Add v3 service config and registration test
This tests our hs_config.c API to properly load v3 services and register them
to the global map. It does NOT test the service object validity, that will be
the hs service unit test later on.

At this commit, we have 100% code coverage of hs_config.c.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:50:09 -04:00
David Goulet
87f6f96f47 hs: Add rend_service_init()
Initialize both the global and staging service lists.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:50:09 -04:00
David Goulet
f76f873199 prop224: Add a function to check for invalid opts
Every hidden service option don't apply to every version so this new function
makes sure we don't have for instance an option that is only for v2 in a v3
configured service.

This works using an exclude lists for a specific version. Right now, there is
only one option that is not allowed in v3. The rest is common.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:50:08 -04:00
David Goulet
138e03c488 prop224: Load and/or generate v3 service keys
Try to load or/and generate service keys for v3. This write both the public
and private key file to disk along with the hostname file containing the onion
address.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:49:44 -04:00
David Goulet
f3899acdbf prop224: Service address creation/validation
This also adds unit test and a small python script generating a deterministic
test vector that a unit test tries to match.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:49:44 -04:00
David Goulet
c086a59ea1 prop224: Configure v3 service from options
This commit adds the support in the HS subsystem for loading a service from a
set of or_options_t and put them in a staging list.

To achieve this, service accessors have been created and a global hash map
containing service object indexed by master public key. However, this is not
used for now. It's ground work for registration process.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:49:44 -04:00
David Goulet
93774dcb54 test: Add HS v2 service configuration unit tests
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:49:08 -04:00
David Goulet
74193b9321 hs: Use v3 maximum intro points value when decoding v3
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:49:08 -04:00
David Goulet
765ed5dac1 prop224: Add a init/free_all function for the whole subsystem
Introduces hs_init() located in hs_common.c which initialize the entire HS v3
subsystem. This is done _prior_ to the options being loaded because we need to
allocate global data structure before we load the configuration.

The hs_free_all() is added to release everything from tor_free_all().

Note that both functions do NOT handle v2 service subsystem but does handle
the common interface that both v2 and v3 needs such as the cache and
circuitmap.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:49:08 -04:00
David Goulet
02e2edeb33 prop224: Add hs_config.{c|h} with a refactoring
Add the hs_config.{c|h} files contains everything that the HS subsystem needs
to load and configure services. Ultimately, it should also contain client
functions such as client authorization.

This comes with a big refactoring of rend_config_services() which has now
changed to only configure a single service and it is stripped down of the
common directives which are now part of the generic handler.

This is ground work for prop224 of course but only touches version 2 services
and add XXX note for version 3.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:49:08 -04:00
David Goulet
b03853b65f prop224: Initial import of hs_service_t
This object is the foundation of proposal 224 service work. It will change
and be adapted as it's being used more and more in the codebase. So, this
version is just a basic skeleton one that *will* change.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:49:07 -04:00
Isis Lovecruft
c59ba01550
rephist: Remove unused crypto_pk statistics.
These statistics were largely ununsed, and kept track of statistical information
on things like how many time we had done TLS or how many signatures we had
verified.  This information is largely not useful, and would only be logged
after receiving a SIGUSR1 signal (but only if the logging severity level was
less than LOG_INFO).

 * FIXES #19871.
 * REMOVES note_crypto_pk_op(), dump_pk_op(), and pk_op_counts from
   src/or/rephist.c.
 * REMOVES every external call to these functions.
2017-07-13 20:24:48 +00:00
Chelsea H. Komlo
eb355e031e
use CARGO_HOME instead of HOME when building with rust 2017-07-13 18:12:35 +00:00
Nick Mathewson
abb9a5bdda New configuration option MaxConsensusAgeForDiffs
Relay operators (especially bridge operators) can use this to lower
or raise the number of consensuses that they're willing to hold for
diff generation purposes.

This enables a workaround for bug 22883.
2017-07-12 13:15:16 -04:00
Nick Mathewson
3aba8490ba Merge branch 'maint-0.3.1' 2017-07-12 10:16:06 -04:00
Nick Mathewson
5636b160d4 Merge branch 'bug22349_029' into maint-0.3.1 2017-07-12 10:15:49 -04:00
Nick Mathewson
4984d6242a Merge branch 'maint-0.3.1' 2017-07-12 09:24:01 -04:00
Nick Mathewson
e111cfcd54 Restore openssl and libscrypt includes in test_crypto_slow.c
This reverts part of commit 706c44a6ce.

It was a mistake to remove these includes: they were needed on
systems where we have openssl 1.1.0 *and* libscrypt, and where we
were validating the one against the other.

Fixes bug 22892; bugfix on 0.3.1.1-alpha.
2017-07-12 09:23:15 -04:00
Isis Lovecruft
9de12397cf
If writing a heartbeat message fails, retry after MIN_HEARTBEAT_PERIOD.
* FIXES #19476.
2017-07-12 03:08:04 +00:00
cypherpunks
f516c9ca99
Use the return value for choosing intervals 2017-07-12 03:08:02 +00:00
Nick Mathewson
7b2364035a Merge branch 'maint-0.3.1' 2017-07-10 15:27:16 -04:00
Matt Traudt
1ff98a7e89 Make consdiff tests pass on OS X too 2017-07-10 15:27:01 -04:00
Nick Mathewson
db71d42868 Avoid double-typedef errors on freebsd. 2017-07-10 09:28:50 -04:00
David Goulet
b50f39fb6f prop224: Add common intropoint object
Groundwork for more prop224 service and client code. This object contains
common data that both client and service uses.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-07 15:38:20 -04:00
Nick Mathewson
948158df33 Merge branch 'bug17750_029_squashed' 2017-07-07 13:28:22 -04:00
teor
527c0735f1 Comment that failure schedules always use exponential backoff 2017-07-07 13:18:04 -04:00
teor
32f0cbc0f6 Refactor exponential backoff multipliers into macros
There are only so many times you can type "4".
2017-07-07 13:18:04 -04:00
teor
f30d355903 Add regression tests for 17750 and 20534 2017-07-07 13:18:04 -04:00
teor
344f5a71c5 Use download_status_get_next_attempt_at() more often
This guards against future occurrences of 17750.
2017-07-07 13:18:04 -04:00
teor
f813b05202 Give correct bounds in next_random_exponential_delay() comment 2017-07-07 13:18:04 -04:00
teor
c21cfd28f4 Make clients try fallbacks before authorities
Make clients wait for 6 seconds before trying to download their
consensus from an authority.

Fixes bug 17750, bugfix on 0.2.8.1-alpha.
2017-07-07 13:18:04 -04:00
Nick Mathewson
63ceadb485 Use LANG_ENGLISH in windows error messages
This change prevents us from generating corrupt messages when we
are confused about codepage settings, and makes Windows errors
consistent with the rest of our logs.

Fixes bug 22520; bugfix on 0.1.2.8-alpha.  Patch from "Vort".
2017-07-07 13:12:45 -04:00
Nick Mathewson
8e8abbbbee Fix the expected bug warning in dir/param_voting_lookup tests 2017-07-07 13:06:02 -04:00
Nick Mathewson
eb01f35149 Merge branch 'bug21495' 2017-07-07 13:03:36 -04:00
Nick Mathewson
c7d2a67274 Fix a couple of clang warnings 2017-07-07 11:32:15 -04:00
Nick Mathewson
c387cc5022 Merge branch 'ticket21859_032_01_squashed' 2017-07-07 11:17:53 -04:00
Nick Mathewson
6a64563b1d Fix wide lines 2017-07-07 11:15:27 -04:00
Nick Mathewson
ec3e046986 Use LD_BUG, not LOG_PROTOCOL_WARN, for bad-purpose cases. 2017-07-07 11:14:47 -04:00
George Kadianakis
f35f52e869 Hide crypto_digest_t again and use an accessor for tests. 2017-07-07 11:12:27 -04:00
George Kadianakis
70d08f764d Explicit length checks in create_rend_cpath().
Had to also edit hs_ntor_circuit_key_expansion() to make it happen.
2017-07-07 11:12:27 -04:00
George Kadianakis
c4d17faf81 Explicit length checks in circuit_init_cpath_crypto(). 2017-07-07 11:12:27 -04:00
George Kadianakis
2432499705 Rename get_rend_cpath() to create_rend_cpath().
based on Nick's review.
2017-07-07 11:12:27 -04:00
George Kadianakis
b490ae68c7 Rename rend_circuit_validate_purpose() based on Nick's review. 2017-07-07 11:12:27 -04:00
George Kadianakis
fee95dabcf Turn some warnings into bugs and non-fatal asserts. 2017-07-07 11:12:26 -04:00
George Kadianakis
91da032e9c Improve docs based on Nick's review. 2017-07-07 11:12:26 -04:00
George Kadianakis
9bccc04f8d test: Add service-side unittests for e2e rendezvous circuits. 2017-07-07 11:12:26 -04:00
George Kadianakis
173dd486e3 test: Add client-side unittests for e2e rend circuits. 2017-07-07 11:12:26 -04:00
George Kadianakis
dc3a2037f5 test: Move some test code to test helpers.
Move code to create connection streams and rend_data structures to
test_helpers so that we can use them from the e2e rendezvous circuit
unittests.
2017-07-07 11:12:26 -04:00
George Kadianakis
43a73f6eb6 test: Crypto groundwork for e2e circuit unittests.
- Move some crypto structures so that they are visible by tests.

- Introduce a func to count number of hops in cpath which will be used
  by the tests.

- Mark a function as mockable.
2017-07-07 11:12:26 -04:00
George Kadianakis
9ff5613a34 test: Introduce hs_client_note_connection_attempt_succeeded().
This commit paves the way for the e2e circuit unittests.

Add a stub for the prop224 equivalent of rend_client_note_connection_attempt_ended().

That function was needed for tests, since the legacy function would get
called when we attach streams and our client-side tests would crash with
assert failures on rend_data.

This also introduces hs_client.[ch] to the codebase.
2017-07-07 11:12:26 -04:00
David Goulet
0cb66fc900 prop224: Introduce e2e rendezvous circuit code.
This commit adds most of the work of #21859. It introduces hs_circuit.c
functions that can handle the setup of e2e circuits for prop224 hidden
services, and also for legacy hidden service clients. Entry points are:

		prop224 circuits: hs_circuit_setup_e2e_rend_circ()
		legacy client-side circuits: hs_circuit_setup_e2e_rend_circ_legacy_client()

This commit swaps the old rendclient code to use the new API.

I didn't try to accomodate the legacy service-side code in this API, since
that's too tangled up and it would mess up the new API considerably IMO (all
this service_pending_final_cpath_ref stuff is complicated and I didn't want to
change it).

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-07 11:12:26 -04:00
George Kadianakis
0b2018a4d0 Refactor legacy code to support hs_ident along with rend_data.
The legacy HS circuit code uses rend_data to match between circuits and
streams. We refactor some of that code so that it understands hs_ident
as well which is used for prop224.
2017-07-07 11:12:26 -04:00
George Kadianakis
83249015c2 Refactor circuit_init_cpath_crypto() to do prop224 rend circuits.
circuit_init_cpath_crypto() is responsible for creating the cpath of legacy
SHA1/AES128 circuits currently. We want to use it for prop224 circuits, so we
refactor it to create circuits with SHA3-256 and AES256 as well.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-07 11:12:26 -04:00
George Kadianakis
ba928e1ac8 Refactor the HS ntor key expansion to fit the e2e circuit API.
We want to use the circuit_init_cpath_crypto() function to setup our
cpath, and that function accepts a key array as input. So let's make our
HS ntor key expansion function also return a key array as output,
instead of a struct.

Also, we actually don't need KH from the key expansion, so the key
expansion output can be one DIGEST256_LEN shorter. See here for more
info: https://trac.torproject.org/projects/tor/ticket/22052#comment:3
2017-07-07 11:12:26 -04:00
David Goulet
f8dc1164ba prop224: Add connection and circuit identifier object
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-07 11:12:26 -04:00
Nick Mathewson
67b6ba6f2f Avoid a scan_build warning in dirvote_get_intermediate_param_value
Fixes bug 21495.
2017-07-07 11:08:28 -04:00
Nick Mathewson
ed0fb21834 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-07-07 10:56:31 -04:00
Nick Mathewson
66c85cd881 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-07 10:56:31 -04:00
Nick Mathewson
ae756f251f mingw fix: avoid "unused var" warning.
This is a backport of 19615bce64 to
fix bug 22838.
2017-07-07 10:54:24 -04:00
Karsten Loesing
b6acfa491e Update geoip and geoip6 to the July 4 2017 database. 2017-07-07 16:27:54 +02:00
Nick Mathewson
86eb63deb4 Merge remote-tracking branch 'public/bug19648' 2017-07-06 09:32:22 -04:00
Nick Mathewson
139799cdce Merge branch 'bug20488_029_squashed' 2017-07-06 09:29:03 -04:00
Nick Mathewson
41fe94ef15 Improve warning message to stop implying nickname reg is a thing.
Closing ticket 20488.
2017-07-06 09:28:31 -04:00
Nick Mathewson
68a2c75ab7 Merge branch 'maint-0.3.1' 2017-07-05 17:37:14 -04:00
Nick Mathewson
9919638e98 Fix a wide line from 22207 2017-07-05 17:37:06 -04:00
Nick Mathewson
93bd60e5b0 Merge branch 'maint-0.3.1' 2017-07-05 17:00:46 -04:00
Nick Mathewson
2251667ff2 Merge remote-tracking branch 'karsten/task-22207' into maint-0.3.1 2017-07-05 17:00:43 -04:00
Nick Mathewson
55777b3ff9 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-05 16:11:48 -04:00
Nick Mathewson
0dc7d68bb5 Merge branch 'maint-0.3.1' 2017-07-05 16:11:48 -04:00
Nick Mathewson
15b13578e8 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-07-05 16:11:48 -04:00
Nick Mathewson
dfc0614840 Only disable -Wfloat-conversion on mingw when it exists.
The 22081 fix disabled -Wfloat-conversion, but -Wfloat-conversion
didn't exist in every relevant mingw; it was added in GCC 4.9.x some
time, if the documentation can be trusted.

Bug not in any released version of tor.
2017-07-05 16:10:45 -04:00
Nick Mathewson
a85ee62e74 Make the strings from #1667 static. 2017-07-05 15:59:17 -04:00
Nick Mathewson
13024c7932 Merge branch 'maint-0.3.1' 2017-07-05 15:57:09 -04:00
Nick Mathewson
9383fa3851 Fix mixed-sign comparison warning in fix for 22797. 2017-07-05 15:56:57 -04:00
Nick Mathewson
759154b1ad Fix unit test memory leak in certs_ok_ed25519.
Fixes bug 22803; bugfix on 0.3.0.1-alpha.
2017-07-05 15:42:25 -04:00
Nick Mathewson
546f5b364b Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-05 13:43:31 -04:00
Nick Mathewson
15fddaffd5 Merge branch 'maint-0.3.1' 2017-07-05 13:43:31 -04:00
Nick Mathewson
5434b2451e Merge branch 'maint-0.3.0' into maint-0.3.1 2017-07-05 13:43:31 -04:00
Nick Mathewson
32c0066e4b Merge branch 'maint-0.2.8' into maint-0.2.9 2017-07-05 13:43:21 -04:00
Nick Mathewson
5ff0f1ab9e Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-07-05 13:42:47 -04:00
Nick Mathewson
6cd6d488dc Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-07-05 13:42:37 -04:00
Nick Mathewson
f6420bceec Merge branch 'maint-0.2.5' into maint-0.2.6 2017-07-05 13:42:32 -04:00
Nick Mathewson
ff8c230d7c Merge branch 'maint-0.2.4' into maint-0.2.5 2017-07-05 13:42:26 -04:00
Nick Mathewson
16d2bce893 Allow setsockopt(IPV6_V6ONLY) in sandbox.
Fixes bug 20247.  We started setting V6ONLY in 0.2.3.13-alpha and
added the sandbox on 0.2.5.1-alpha.
2017-07-05 13:09:21 -04:00
Nick Mathewson
8bc70a2ad2 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-07-05 11:19:03 -04:00
Nick Mathewson
d4f08c74fe Merge branch 'maint-0.3.1' 2017-07-05 11:19:03 -04:00
Nick Mathewson
0f97f963e3 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-07-05 11:19:03 -04:00
Nick Mathewson
bb97f680e7 Merge branch 'bug22801_028' into maint-0.2.9 2017-07-05 11:18:59 -04:00
Nick Mathewson
e04cc7e27f Merge branch 'maint-0.3.1' 2017-07-05 11:16:51 -04:00
Nick Mathewson
e88aa98451 Merge branch 'teor-bug22797-025' into maint-0.3.1 2017-07-05 11:16:30 -04:00
teor
878e0d45a5 Always allow extra file descriptors when setting the connection maximum
When setting the maximum number of connections allowed by the OS,
always allow some extra file descriptors for other files.

Fixes bug 22797; bugfix on 0.2.0.10-alpha.
2017-07-05 11:15:10 -04:00
Donncha O'Cearbhaill
2be4f793e6 Add a timestamp field to the CIRC_BW and STREAM_BW events
Closes ticket 19254.
2017-07-05 11:14:56 -04:00
Nick Mathewson
cd77ea782e Merge branch 'neena-fix-1667' 2017-07-05 11:01:36 -04:00
Nick Mathewson
03b6cfd591 Extract "not an HTTP proxy" messages. 2017-07-05 11:01:17 -04:00
Nick Mathewson
46e83477c1 Merge branch 'bug15554_032_01_squashed' 2017-07-05 10:15:24 -04:00
George Kadianakis
17bd118b4c Add test that parses a hardcoded v2 descriptor. 2017-07-05 10:14:26 -04:00
Nick Mathewson
13ccca69f1 Merge branch 'onionskin_refactor_2' 2017-07-05 10:01:48 -04:00
cypherpunks
c79e286386 Use the proper syscall in sandbox error messages
Fixes #22750.
2017-07-05 09:56:28 -04:00
Nick Mathewson
3402b14089 Merge remote-tracking branch 'asn/ticket22727_032_02' 2017-07-05 09:49:12 -04:00
Nick Mathewson
b6c8530fc3 Merge remote-tracking branch 'dgoulet/ticket22726_032_02' 2017-07-05 09:36:31 -04:00
Roger Dingledine
943d284752 CREATE_FAST is for when you don't know the onion key
it isn't (anymore) for when you think you can get away with saving some
crypto operations.
2017-07-03 17:20:52 -04:00
Roger Dingledine
69fba1f2cd better comments and mild refactoring 2017-07-03 17:13:08 -04:00
Nick Mathewson
9b44e2e50e Document the new functions from the refactor 2017-07-03 16:54:41 -04:00
Nick Mathewson
2814b86875 Reindent the functions split from circuit_send_next_onion_skin().
This is a whitespace change only.
2017-07-03 16:54:41 -04:00
Nick Mathewson
935f84bd40 Split circuit_send_next_onion_skin() into its three main cases.
This commit is designed to have a very small diff.  Therefore,
the indentation is wrong.  The next commit will fix that.
2017-07-03 16:54:41 -04:00
Nick Mathewson
bb3f74e66b Fix assertion failure related to openbsd strtol().
Fixes bug 22789; bugfix on 0.2.3.8-alpha.
2017-07-03 11:22:27 -04:00
Nick Mathewson
5361032219 Fix -Wfloat-conversion C warnings on mingw in clamp_double_to_int64.
We just have to suppress these warnings: Mingw's math.h uses gcc's
__builtin_choose_expr() facility to declare isnan, isfinite, and
signbit.  But as implemented in at least some versions of gcc,
__builtin_choose_expr() can generate type warnings even from
branches that are not taken.

Fixes bug 22801; bugfix on 0.2.8.1-alpha.
2017-07-03 10:59:31 -04:00
Roger Dingledine
0fe7c42e0e general formatting / whitespace / typo fixes 2017-07-01 17:56:06 -04:00
Nick Mathewson
83dc072e67 Bump version to 0.3.1.4-alpha-dev 2017-06-29 18:45:49 -04:00
Nick Mathewson
d9427c00df bump to 0.3.0.9-dev 2017-06-29 18:44:43 -04:00
Nick Mathewson
a53573559f Bump 0.3.1 to 0.3.1.4-alpha 2017-06-29 16:36:50 -04:00
Nick Mathewson
98ffb2e722 Update maint-0.3.0 to 0.3.0.9 2017-06-29 16:35:40 -04:00
Nick Mathewson
71b9f4f0bb Merge branch 'maint-0.3.1' 2017-06-29 15:57:49 -04:00
Nick Mathewson
1712dc98b0 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-06-29 15:57:48 -04:00
Nick Mathewson
52c4440c48 Merge branch 'trove-2017-006' into maint-0.3.0 2017-06-29 15:57:42 -04:00
Nick Mathewson
3781678a3c Merge branch 'maint-0.3.1' 2017-06-29 11:38:06 -04:00
Nick Mathewson
31a08ba26f Merge remote-tracking branch 'public/bug22670_031' into maint-0.3.1 2017-06-29 11:34:06 -04:00
Nick Mathewson
2c718c1a12 Merge branch 'maint-0.3.1' 2017-06-29 10:43:50 -04:00
Nick Mathewson
bb5968cae1 Merge branch 'ticket22684' 2017-06-29 10:16:15 -04:00
Nick Mathewson
88666d0482 Adjust unit tests to account for fix to bug 22753.
Our mock network put all the guards on the same IPv4 address, which
doesn't fly when we start applying EnforceDistinctSubnets.  So in
this commit, I disable EnforceDistinctSubnets when running the old
guard_restriction_t test.

This commit also adds a regression test for #22753.
2017-06-29 10:11:21 -04:00
Nick Mathewson
665baf5ed5 Consider the exit family when applying guard restrictions.
When the new path selection logic went into place, I accidentally
dropped the code that considered the _family_ of the exit node when
deciding if the guard was usable, and we didn't catch that during
code review.

This patch makes the guard_restriction_t code consider the exit
family as well, and adds some (hopefully redundant) checks for the
case where we lack a node_t for a guard but we have a bridge_info_t
for it.

Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016-006
and CVE-2017-0377.
2017-06-29 09:57:00 -04:00
Nick Mathewson
a088a08eeb Log real error message when unable to remove a storagedir file
Attempts to help diagnose 22752.
2017-06-28 14:24:27 -04:00
Nick Mathewson
de5f0d8ba7 Replace crash on missing handle in consdiffmgr with nonfatal assert
Attempts to mitigate 22752.
2017-06-28 14:21:21 -04:00
Nick Mathewson
4c21d4ef7a Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-28 14:03:23 -04:00
Nick Mathewson
ec9c6d7723 Merge remote-tracking branch 'teor/bug21507-029' into maint-0.2.9 2017-06-28 14:03:20 -04:00
Nick Mathewson
4060253749 Merge remote-tracking branch 'teor/bug21576_029_v2' into maint-0.2.9 2017-06-28 13:57:54 -04:00
Nick Mathewson
75c6fdd286 whitespace fix 2017-06-28 13:53:52 -04:00
Nick Mathewson
e84127d99e Merge remote-tracking branch 'asn/bug21969_bridges_030' into maint-0.3.0 2017-06-28 13:48:52 -04:00
Nick Mathewson
01404d7c52 Merge branch 'maint-0.3.1' 2017-06-28 12:25:09 -04:00
George Kadianakis
551ad20c43 nodelist: Make HSv3 protover magic numbers a bit more readable. 2017-06-28 18:32:32 +03:00
Alexander Færøy
c239b2fc9c Fix crash in LZMA module when the Sandbox is enabled.
This patch fixes a crash in our LZMA module where liblzma will allocate
slightly more data than it is allowed to by its limit, which leads to a
crash.

See: https://bugs.torproject.org/22751
2017-06-28 10:00:24 -04:00
George Kadianakis
f85c1874ad ed25519: Add tests blinding bad ed25519 pubkeys. 2017-06-28 16:02:21 +03:00
George Kadianakis
0269e4ffba ed25519: Also check that retval in the ref10 implementation. 2017-06-28 14:58:22 +03:00
George Kadianakis
0d9873ac0d ed25519: Check retval of unpack_negative_vartime in donna. 2017-06-28 14:58:22 +03:00
Nick Mathewson
559195ea82 Merge branch 'maint-0.3.1' 2017-06-27 18:28:38 -04:00
Alexander Færøy
0a4af86335 Return "304 not modified" if a client already have the most recent consensus.
This makes our directory code check if a client is trying to fetch a
document that matches a digest from our latest consensus document.

See: https://bugs.torproject.org/22702
2017-06-27 18:25:48 -04:00
Alexander Færøy
07f2940b45 Set published_out for consensus cache entries in spooled_resource_estimate_size().
This patch ensures that the published_out output parameter is set to the
current consensus cache entry's "valid after" field.

See: https://bugs.torproject.org/22702
2017-06-27 18:25:48 -04:00
Nick Mathewson
733ce556ad Merge branch 'asn_bug22006_final_squashed' 2017-06-27 18:21:46 -04:00
Nick Mathewson
3f94041589 no newlines in log messages. 2017-06-27 18:21:35 -04:00
Nick Mathewson
c0f0351e06 whitespace fix 2017-06-27 17:22:53 -04:00
Nick Mathewson
7fff6cfead Merge branch 'asn_bug22006_final_squashed' 2017-06-27 17:19:08 -04:00
George Kadianakis
a155035d20 ed25519: Dirauths validate router ed25519 pubkeys before pinning. 2017-06-27 17:17:58 -04:00
George Kadianakis
e8eee3a50e ed25519: Add unittests for ed25519 pubkey validation. 2017-06-27 17:17:58 -04:00
George Kadianakis
559658ff1c ed25519: Add func that checks for torsion component in pubkeys.
See https://lists.torproject.org/pipermail/tor-dev/2017-April/012213.html .
2017-06-27 17:17:58 -04:00
Nick Mathewson
f367453cb5 Mark descriptors as undownloadable when dirserv_add_() rejects them
As of ac2f6b608a in 0.2.1.19-alpha,
Sebastian fixed bug 888 by marking descriptors as "impossible" by
digest if they got rejected during the
router_load_routers_from_string() phase. This fix stopped clients
and relays from downloading the same thing over and over.

But we never made the same change for descriptors rejected during
dirserv_add_{descriptor,extrainfo}.  Instead, we tried to notice in
advance that we'd reject them with dirserv_would_reject().

This notice-in-advance check stopped working once we added
key-pinning and didn't make a corresponding key-pinning change to
dirserv_would_reject() [since a routerstatus_t doesn't include an
ed25519 key].

So as a fix, let's make the dirserv_add_*() functions mark digests
as undownloadable when they are rejected.

Fixes bug 22349; I am calling this a fix on 0.2.1.19-alpha, though
you could also argue for it being a fix on 0.2.7.2-alpha.
2017-06-27 12:01:46 -04:00
Nick Mathewson
3483f7c003 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-06-27 11:04:44 -04:00
Nick Mathewson
9a0fd2dbb1 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-27 11:04:44 -04:00
Nick Mathewson
3de27618e6 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-27 11:04:44 -04:00
Nick Mathewson
ccae991662 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-27 11:04:44 -04:00
Nick Mathewson
a242d194c7 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-27 11:04:44 -04:00
Nick Mathewson
711160a46f Merge branch 'maint-0.2.8' into maint-0.2.9 2017-06-27 11:04:44 -04:00
Nick Mathewson
32eba3d6aa Merge branch 'maint-0.3.0' into maint-0.3.1 2017-06-27 11:04:44 -04:00
Nick Mathewson
0576f9f433 Merge branch 'maint-0.3.1' 2017-06-27 11:04:44 -04:00
Nick Mathewson
8d2978b13c Fix an errant memset() into the middle of a struct in cell_pack().
This mistake causes two possible bugs. I believe they are both
harmless IRL.

BUG 1: memory stomping

When we call the memset, we are overwriting two 0 bytes past the end
of packed_cell_t.body. But I think that's harmless in practice,
because the definition of packed_cell_t is:

// ...
typedef struct packed_cell_t {
  TOR_SIMPLEQ_ENTRY(packed_cell_t) next;
  char body[CELL_MAX_NETWORK_SIZE];
  uint32_t inserted_time;
} packed_cell_t;

So we will overwrite either two bytes of inserted_time, or two bytes
of padding, depending on how the platform handles alignment.

If we're overwriting padding, that's safe.

If we are overwriting the inserted_time field, that's also safe: In
every case where we call cell_pack() from connection_or.c, we ignore
the inserted_time field. When we call cell_pack() from relay.c, we
don't set or use inserted_time until right after we have called
cell_pack(). SO I believe we're safe in that case too.

BUG 2: memory exposure

The original reason for this memset was to avoid the possibility of
accidentally leaking uninitialized ram to the network. Now
remember, if wide_circ_ids is false on a connection, we shouldn't
actually be sending more than 512 bytes of packed_cell_t.body, so
these two bytes can only leak to the network if there is another bug
somewhere else in the code that sends more data than is correct.

Fortunately, in relay.c, where we allocate packed_cell_t in
packed_cell_new() , we allocate it with tor_malloc_zero(), which
clears the RAM, right before we call cell_pack. So those
packed_cell_t.body bytes can't leak any information.

That leaves the two calls to cell_pack() in connection_or.c, which
use stack-alocated packed_cell_t instances.

In or_handshake_state_record_cell(), we pass the cell's contents to
crypto_digest_add_bytes(). When we do so, we get the number of
bytes to pass using the same setting of wide_circ_ids as we passed
to cell_pack(). So I believe that's safe.

In connection_or_write_cell_to_buf(), we also use the same setting
of wide_circ_ids in both calls. So I believe that's safe too.

I introduced this bug with 1c0e87f6d8
back in 0.2.4.11-alpha; it is bug 22737 and CID 1401591
2017-06-27 10:47:20 -04:00
Nick Mathewson
22f441d4ee Merge branch 'maint-0.3.1' 2017-06-27 10:32:50 -04:00
Nick Mathewson
fd16dd2608 Merge branch 'bug22719_031' into maint-0.3.1 2017-06-27 10:31:33 -04:00
David Goulet
c17a04376d nodelist: Add functions to check for HS v3 support
This introduces node_supports_v3_hsdir() and node_supports_ed25519_hs_intro()
that checks the routerstatus_t of a node and if not present, checks the
routerinfo_t.

This is groundwork for proposal 224 service implementation in #20657.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-06-27 10:24:15 -04:00
David Goulet
82dee76740 hs: Ignore unparseable v3 introduction point
It is possible that at some point in time a client will encounter unknown or
new fields for an introduction point in a descriptor so let them ignore it for
forward compatibility.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-06-27 10:19:57 -04:00
Nick Mathewson
f6df433b91 Merge branch 'maint-0.3.1' 2017-06-26 14:30:21 -04:00
Nick Mathewson
32596016a2 Merge branch 'bug22105_031' into maint-0.3.1 2017-06-26 14:30:17 -04:00
Nick Mathewson
c29a559e7b Merge branch 'maint-0.3.1' 2017-06-26 14:15:21 -04:00
Nick Mathewson
d72cfb259d Patch for 22720 from huyvq: exit(1) more often
See changes file for full details.
2017-06-26 14:14:56 -04:00
Nick Mathewson
06414b9922 Merge branch 'maint-0.3.1' 2017-06-26 11:39:43 -04:00
Nick Mathewson
8f59661dba Merge branch 'bug22212_squashed' into maint-0.3.1 2017-06-26 11:27:09 -04:00
Mike Perry
0592ee45fc Demote a log message due to libevent delays.
This is a side-effect of being single-threaded. The worst cases of this are
actually Bug #16585.
2017-06-26 11:26:59 -04:00
Nick Mathewson
82a68be69a Merge branch 'maint-0.3.1' 2017-06-26 10:32:57 -04:00
Nick Mathewson
0c7c49483f Fix a coverity warning about a no-op assert with-64 bit size_t
This is CID 1403400
2017-06-26 10:31:13 -04:00
Nick Mathewson
b546d8bc2b Try a little harder to make sure we never call tor_compress_process wrong. 2017-06-26 09:39:59 -04:00
Nick Mathewson
acbe16a9a2 Log even more to try to debug 22719 2017-06-24 13:40:02 -04:00
Nick Mathewson
6caf924605 Add an additional log message to try to diagnose #22719 2017-06-24 11:27:46 -04:00
Mike Perry
79e2e4d3cb Ticket #17857: Padding off-switch for single hop connections
This doesn't apply to currently active connections.. yet...
2017-06-23 16:53:39 -04:00
Nick Mathewson
89d0261eb5 Merge remote-tracking branch 'isis/bug4019' 2017-06-23 14:38:20 -04:00
Nick Mathewson
80360ed9fa Merge branch 'bug3056_squashed' 2017-06-23 09:28:27 -04:00
Nick Mathewson
96fab4aaa6 Improve clarity, safety, and rate of dns spoofing log msg
Closes ticket 3056.
2017-06-23 09:28:17 -04:00
Nick Mathewson
90046a09dd Merge branch 'maint-0.3.1' 2017-06-22 10:56:08 -04:00
Nick Mathewson
2c49a9852d Merge branch 'maint-0.3.0' into maint-0.3.1 2017-06-22 10:56:08 -04:00
Nick Mathewson
bdd267e74d Combine our "don't do this if no consensus" entryguards checks
Suggested by asn on 22400 review.
2017-06-22 09:28:30 -04:00
Nick Mathewson
34ecfeb479 whitespace fix 2017-06-22 08:16:48 -04:00
Nick Mathewson
b9d8c8b126 Merge remote-tracking branch 'rl1987/bug22461' 2017-06-22 08:11:36 -04:00
Nick Mathewson
dc9ec519b5 Merge remote-tracking branch 'public/bug7890' 2017-06-22 08:04:12 -04:00
Isis Lovecruft
28344b74ba
config: Fix duplicate error message for nonlocal SocksPorts.
If `validate_only` is true, then just validate the configuration without warning
about it.  This way, we only emit warnings when the listener is actually opened.
(Otherwise, every time we parse the config we will might re-warn and we would
need to keep state; whereas the listeners are only opened once.)

 * FIXES #4019.
2017-06-22 00:28:31 +00:00
Roger Dingledine
005500e14d make assign_onionskin_to_cpuworker failure case more clear
now it looks like the other time we call it
2017-06-21 17:42:10 -04:00
Nick Mathewson
3a8a92fddd Merge branch 'callgraph_reduction_v2' 2017-06-21 16:47:55 -04:00
Nick Mathewson
5dcc6bef1e Add GETINFO targets to determine whether md/desc fetching is enabled
Closes ticket 22684.
2017-06-21 16:45:31 -04:00
Nick Mathewson
1c0a2335cd Extract channel_do_open_actions() from non-open _change_state cases
This reduces the size of the largest SCC in the callgraph by 30
functions, from 58 to 28.
2017-06-21 14:03:00 -04:00
Nick Mathewson
5d3f484f4a Merge branch 'maint-0.3.1' 2017-06-21 13:54:07 -04:00
Nick Mathewson
784b29a2bf Merge branch 'bug22356_029' into maint-0.3.1 2017-06-21 13:54:02 -04:00
Nick Mathewson
35d6313500 Call it a BUG to use -1 in authdir_mode_handles_descs 2017-06-21 13:49:17 -04:00
huyvq
ad97714f22 Remove obsolete authdir_mode_any_nonhidserv()
- Replace it with authdir_mode()
2017-06-21 13:49:17 -04:00
huyvq
18cd1993ca Convert authdir_mode_handles_descs() to alternative wrappers
-authdir_mode_handles_descs(options, ROUTER_PURPOSE_BRIDGE) to authdir_mode_bridge(options).

- authdir_mode_handles_descs(options, ROUTER_PURPOSE_GENERAL) to authdir_mode_v3(options).
2017-06-21 13:49:17 -04:00
huyvq
d92b999757 Convert authdir_mode_handles_descs(options, -1) with authdir_mode(options) 2017-06-21 13:49:17 -04:00
huyvq
0471c905a1 Remove obsolete authdir_mode_any_main() 2017-06-21 13:49:17 -04:00
Kevin Butler
0a96d11539 Better error message for GETINFO desc/(id|name) whenever microdescriptors are in use. Fixes #5847. 2017-06-21 12:19:01 -04:00
Nick Mathewson
6595f55020 unit tests for peek_buf_startswith() 2017-06-21 11:20:33 -04:00
Nick Mathewson
ed4bc55450 Replace peek_buf_startswith() with a safe version
It's not okay to assume that the data in a buf_t is contiguous in
the first chunk.
2017-06-21 11:10:58 -04:00
Nick Mathewson
acf65544bb Fix compilation on 1667 code. 2017-06-21 10:35:35 -04:00
Ravi Chandra Padmala
417d778652 Respond meaningfully to HTTP requests on the control port. Fix #1667
(Squashed with bufferevents portions removed, by nickm)
2017-06-21 10:34:26 -04:00
Nick Mathewson
884c0ffe3b Merge branch 'maint-0.3.1' 2017-06-20 20:29:00 -04:00
Nick Mathewson
e51e7bd38b Merge branch 'bug22502_redux_031' into maint-0.3.1 2017-06-20 20:27:48 -04:00
Nick Mathewson
c999e84436 Merge branch 'bug22672_031' into maint-0.3.1 2017-06-20 20:26:45 -04:00
Nick Mathewson
a9a76aa6ae Merge branch 'maint-0.3.1' 2017-06-20 13:35:44 -04:00
Nick Mathewson
392e5457b8 Merge remote-tracking branch 'argonblue/bug22638' into maint-0.3.1 2017-06-20 13:35:38 -04:00
Nick Mathewson
9328bd524e Enforce the rule that COMPRESS_OK means progress was made.
If COMPRESS_OK occurs but data is neither consumed nor generated,
treat it as a BUG and a COMPRESS_ERROR.

This change is meant to prevent infinite loops in the case where
we've made a mistake in one of our compression backends.

Closes ticket 22672.
2017-06-20 12:26:57 -04:00
Nick Mathewson
945256188a mingw/windows printf lacks %zd ; use %lu and casts instead
(This approach can lose accuracy, but it's only in debug-level messages.)

Fixes windows compilation. Bugfix on recent compress.c changes; bug
not in any released Tor.
2017-06-20 12:12:55 -04:00
Nick Mathewson
5537e1fc45 If we successfully decompress an HTTP body, return immediately.
This prevents us from calling
allowed_anonymous_connection_compression_method() on the unused
guessed method (if any), and rejecting something that was already
safe to use.
2017-06-20 12:08:12 -04:00
Nick Mathewson
d8cd68caf1 If a _guessed_ compression method fails, it is never PROTOCOL_WARN.
Rationale: When use a guessed compression method, we already gave a
PROTOCOL_WARN when our guess differed from the declared method,
AND we gave a PROTOCOL_WARN when the declared method failed.  It is
not a protocol problem that the guessed method failed too; it's just
a recovery attempt that failed.
2017-06-20 12:08:11 -04:00
Nick Mathewson
7b3161f008 It should be a PROTOCOL_WARN when we have an incorrect content-encoding.
Rationale: The server did not obey the protocol, and its
content-encoding got munged. That's what PROTOCOL_WARN is for.
2017-06-20 12:08:11 -04:00
Nick Mathewson
9018da06c7 Short-circuit the no-decompression-needed case, for clarity
This commit is mostly just deindentation.
2017-06-20 11:46:54 -04:00
Nick Mathewson
c0e9698fca Extract "decompress" portion of connection_dir_client_reached_eof() 2017-06-20 11:43:37 -04:00
Taylor Yu
25edb41e6f Fix compress_none.c header comment
The Doxygen \file markup for compress_none.c had the wrong filename.
Fixes #22638.
2017-06-20 11:27:17 -04:00
Nick Mathewson
782eb02b79 Send the correct content-encoding when serving cached_dir_t objects
A cached_dir_t object (for now) is always compressed with
DEFLATE_METHOD, but in handle_get_status_vote() to we were using the
general compression-negotiation code decide what compression to
claim we were using.

This was one of the reasons behind 22502.

Fixes bug 22669; bugfix on 0.3.1.1-alpha
2017-06-20 11:26:51 -04:00
Nick Mathewson
eb632afb17 Correct the fix to bug 22629 to permit trailing non-garbage
This change makes it so that we can decompress concatenated zstd
outputs.
2017-06-20 10:24:22 -04:00
Nick Mathewson
94a1b8b66c Add a unit test for decompressing concatenated inputs. 2017-06-20 10:21:35 -04:00
Nick Mathewson
2341368515 Merge branch 'maint-0.3.1' 2017-06-20 10:06:19 -04:00
Nick Mathewson
1c0459f19a Merge remote-tracking branch 'teor/bug22502' into maint-0.3.1 2017-06-20 10:04:16 -04:00
Nick Mathewson
32e486de97 Don't expand guard sample set unless consensus is "reasonably live"
Fixes what I think is the main root cause of 22400. Bugfix on
0.3.0.1-alpha.
2017-06-19 15:48:47 -04:00
Nick Mathewson
1721487bea Remove hardwired libfuzzer path; closes 22105. 2017-06-19 15:35:46 -04:00
Nick Mathewson
e3efc076c5 Downgrade "assign_to_cpuworker failed" to INFO.
Closes ticket 22356
2017-06-19 15:24:33 -04:00
Nick Mathewson
e01e4e0146 Merge branch 'ticket20575_031_01_squashed' 2017-06-19 14:16:21 -04:00
Nick Mathewson
0379439fe8 refer to the correct version 2017-06-19 14:15:04 -04:00
David Goulet
3f807ec058 config: Deprecate HTTPProxy option
Move the HTTPProxy option to the deprecated list so for now it will only warn
users but feature is still in the code which will be removed in a future
stable version.

Fixes #20575

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-06-19 14:14:17 -04:00
Nick Mathewson
bf95d678e8 Remove an XXXX RD comment that neither Roger or I understand. Closes 22420 2017-06-19 14:06:07 -04:00
Nick Mathewson
f6946d7a82 Merge remote-tracking branch 'arma/ticket22420' 2017-06-19 14:03:57 -04:00
Nick Mathewson
eff5e29404 Merge branch 'maint-0.3.0' into maint-0.3.1 2017-06-19 13:52:19 -04:00
Nick Mathewson
71c701927a Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-19 13:52:19 -04:00
Nick Mathewson
32948ebc54 Merge branch 'maint-0.3.1' 2017-06-19 13:52:19 -04:00
Nick Mathewson
a3139c9750 Bump master to 0.3.2.0-alpha-dev. For 0.3.1, use maint-0.3.1 2017-06-19 11:57:44 -04:00
Nick Mathewson
59f29970fa Permit the fchmod system call.
Fixes bug 22516; bugfix on 0.2.5.4-alpha.
2017-06-16 14:03:02 -04:00
teor
7d535ea9d3
Add extra logging during compression and decompression
This helps diagnose failures.

Part of #22502.
2017-06-16 09:48:18 +10:00
teor
cbaf0c049c
Return TOR_COMPRESS_BUFFER_FULL when zstd has additional input
Fixes #22628.
2017-06-16 09:47:32 +10:00
teor
617e1da636
Remove a redundant conditional in tor_zstd_compress_process
Part of #22502
2017-06-16 09:46:46 +10:00
teor
7605bd528e
Move a comment to the right place in tor_zstd_compress_process
Part of #22502
2017-06-16 09:45:58 +10:00
teor
952c9073ad
Check for trailing input garbage in tor_compress_impl() when decompressing
Fixes #22629.
2017-06-16 09:41:29 +10:00
teor
8e1b37a4aa
Check if tor_compress_new() returns NULL in tor_compress_impl()
Partial fix to 22626.
2017-06-16 09:38:18 +10:00
Karsten Loesing
5b5e20a478 Add "fingerprint" line to bridge network status.
Implements #22207.
2017-06-11 10:21:36 +02:00
Nick Mathewson
493d9cd17b Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-09 09:58:46 -04:00
Nick Mathewson
cd7d006e08 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-06-09 09:58:46 -04:00
Nick Mathewson
3f40d9ec20 Merge branch 'maint-0.3.0' 2017-06-09 09:58:46 -04:00
Nick Mathewson
307be8d4a7 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-06-09 09:58:45 -04:00
Nick Mathewson
24ee8595bf Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-09 09:58:45 -04:00
Nick Mathewson
3913f959e3 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-09 09:58:45 -04:00
Nick Mathewson
325c507a09 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-09 09:58:45 -04:00
Karsten Loesing
104e8fa751 Update geoip and geoip6 to the June 8 2017 database. 2017-06-09 15:47:49 +02:00
Nick Mathewson
6e7551c50d Add -dev to version number. 2017-06-08 14:05:32 -04:00
Nick Mathewson
90758b2606 Add -dev to version number. 2017-06-08 14:05:29 -04:00
Nick Mathewson
5e554215dd Add -dev to version number. 2017-06-08 14:05:27 -04:00
Nick Mathewson
5c47b92747 Add -dev to version number. 2017-06-08 14:05:22 -04:00
Nick Mathewson
44c8cb986d Add -dev to version number. 2017-06-08 14:05:18 -04:00
Nick Mathewson
95a88f7283 Add -dev to version number. 2017-06-08 14:05:16 -04:00
Nick Mathewson
f3804f5999 Add -dev to version number. 2017-06-08 14:05:13 -04:00
Nick Mathewson
ec3ce773ad Add -dev to version number. 2017-06-08 14:05:08 -04:00
Nick Mathewson
792931d53d Bump to 0.2.8.14 2017-06-08 09:27:54 -04:00
Nick Mathewson
2efe0275bc Bump to 0.2.7.8 2017-06-08 09:27:34 -04:00
Nick Mathewson
0de4620375 Bump to 0.2.6.12 2017-06-08 09:26:20 -04:00
Nick Mathewson
fa73f59ad3 bump to 0.2.5.14 2017-06-08 09:26:00 -04:00
Nick Mathewson
8e439a66f3 Bump to 0.2.4.29 2017-06-08 09:25:31 -04:00
Nick Mathewson
b533220249 bump to 0.2.9.11 2017-06-08 09:24:38 -04:00
Nick Mathewson
a0664fd0c3 bump to 0.3.0.8 2017-06-08 09:24:28 -04:00
Nick Mathewson
78d4200abe Bump to 0.3.1.3-alpha. 2017-06-08 09:24:16 -04:00
Nick Mathewson
d15d09a968 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-06-08 09:21:15 -04:00
Nick Mathewson
c1646d6e89 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-08 09:21:15 -04:00
Nick Mathewson
40bccc2004 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-08 09:21:15 -04:00
Nick Mathewson
dec7998f5c Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-08 09:21:15 -04:00
Nick Mathewson
987c7cae70 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-06-08 09:21:15 -04:00
Nick Mathewson
53011e3e54 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-08 09:21:15 -04:00
Nick Mathewson
83135d75a3 Merge branch 'maint-0.3.0' 2017-06-08 09:21:15 -04:00
David Goulet
56a7c5bc15 TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell
On an hidden service rendezvous circuit, a BEGIN_DIR could be sent
(maliciously) which would trigger a tor_assert() because
connection_edge_process_relay_cell() thought that the circuit is an
or_circuit_t but is an origin circuit in reality.

Fixes #22494

Reported-by: Roger Dingledine <arma@torproject.org>
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-06-08 09:21:10 -04:00
Nick Mathewson
9acca04025 Merge branch 'maint-0.3.0' 2017-06-08 09:17:32 -04:00
David Goulet
79b59a2dfc TROVE-2017-004: Fix assertion failure in relay_send_end_cell_from_edge_
This fixes an assertion failure in relay_send_end_cell_from_edge_() when an
origin circuit and a cpath_layer = NULL were passed.

A service rendezvous circuit could do such a thing when a malformed BEGIN cell
is received but shouldn't in the first place because the service needs to send
an END cell on the circuit for which it can not do without a cpath_layer.

Fixes #22493

Reported-by: Roger Dingledine <arma@torproject.org>
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-06-08 09:14:10 -04:00
Nick Mathewson
9ab45d621c Merge branch 'maint-0.3.0' 2017-06-06 11:34:11 -04:00
Nick Mathewson
68c3df69de Repair the unit test behavior of my fix for 22508.
Apparently, the unit tests relied on being able to make ed->x509
link certs even when they hadn't set any server flags in the
options.  So instead of making "client" mean "never generate an
ed->x509 cert", we'll have it mean "it's okay not to generate an
ed->x509 cert".

(Going with a minimal fix here, since this is supposed to be a
stable version.)
2017-06-06 11:32:01 -04:00
Nick Mathewson
14ffcc003d Merge branch 'maint-0.3.0' 2017-06-06 09:32:45 -04:00
Nick Mathewson
4ed0f0d62f Make generate_ed_link_cert() a no-op on clients.
Fixes bug 22508; bug not in any released Tor.
2017-06-06 09:32:11 -04:00
Nick Mathewson
5343d2b03c Merge branch 'maint-0.3.0' 2017-06-05 16:35:40 -04:00
Nick Mathewson
ac1ddd5e5b Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-05 16:35:40 -04:00
Nick Mathewson
d561da10dd Rename "link" variable to avoid shadowing warning. 2017-06-05 16:35:37 -04:00
Nick Mathewson
e3b1573be6 Merge branch 'maint-0.3.0' 2017-06-05 15:52:06 -04:00
Nick Mathewson
91f49bc0f0 Fix unit tests to work after own_link_cert assertion
The assert_nonfatal() I had added was triggered by some of the code
that tested the pre-ed case of CERTS cell generation.
2017-06-05 15:51:11 -04:00
Nick Mathewson
d5acdadaef Merge branch 'bug22460_030_01' into maint-0.3.0 2017-06-05 15:44:36 -04:00
Nick Mathewson
d1c1dc229e Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-05 15:44:12 -04:00
Nick Mathewson
9fea00928c Merge branch 'bug22460_case2_029_01_squashed' into maint-0.2.9 2017-06-05 15:28:13 -04:00
Nick Mathewson
ec84fc1d8e Improve documentation on get_{peer,own}_certificate()
Make it clear that we're returning a newly allocated copy.
2017-06-05 15:27:33 -04:00
Nick Mathewson
8e9392c267 Repair link_handshake unit tests to mock tor_tls_get_own_cert()
The tests previously assumed that the link handshake code would be
calling get_my_certs() -- when I changed it to call get_own_cert()
instead for the (case 2) 22460 fix, the tests failed, since the tls
connection wasn't really there.

This change makes us start mocking out the tor_tls_get_own_cert()
function too.

It also corrects the behavior of the mock_get_peer_cert() function
-- it should have been returning a newly allocated copy.
2017-06-05 15:27:33 -04:00
Nick Mathewson
39b7e89c28 Test prerequisites: function to dup a cert, make get_own_cert mockable. 2017-06-05 15:27:33 -04:00
Nick Mathewson
50facb40bb On v3 link handshake, send the correct link certificate
Previously we'd send the _current_ link certificate, which would
cause a handshaking failure when the TLS context rotated.
2017-06-05 15:27:33 -04:00
Nick Mathewson
2e5220cb8b Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-05 14:38:54 -04:00
Nick Mathewson
4ee48cb434 Fix C89 warning (since Tor 0.2.4-5 still care about that.) 2017-06-05 14:38:38 -04:00
Nick Mathewson
db2f18b1f9 Merge branch 'maint-0.3.0' 2017-06-05 12:02:47 -04:00
Nick Mathewson
578a4392e9 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-06-05 12:02:26 -04:00
Nick Mathewson
d75be189df Merge branch 'maint-0.2.8' into maint-0.2.9 2017-06-05 12:02:15 -04:00
Nick Mathewson
33fcc0f61d Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-06-05 12:01:17 -04:00
Nick Mathewson
3f2d1f7f07 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-06-05 12:00:41 -04:00
Nick Mathewson
9ea3d0877a Merge branch 'maint-0.2.5' into maint-0.2.6 2017-06-05 12:00:27 -04:00
Nick Mathewson
1a540b5792 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-05 12:00:08 -04:00
Nick Mathewson
e3ebae4804 Fix undefined behavior in geoip_parse_entry().
Fixes bug 22490; bugfix on 6a241ff3ff in 0.2.4.6-alpha.

Found by teor using clang-5.0's AddressSanitizer stack-use-after-scope.
2017-06-05 10:09:39 -04:00
Nick Mathewson
26d9fffae4 Merge branch 'bug22466_diagnostic_030' 2017-06-05 09:52:09 -04:00
Nick Mathewson
be741d7e63 Merge branch 'maint-0.3.0' 2017-06-05 09:51:57 -04:00
Nick Mathewson
e5bdfd66cf Make code more clear about own_link_cert safety
It's okay to call add_ed25519_cert with a NULL argument: so,
document that.  Also, add a tor_assert_nonfatal() to catch any case
where we have failed to set own_link_cert when conn_in_server_mode.
2017-06-05 09:35:55 -04:00
rl1987
f8c98759e5 Use string_is_valid_hostname in SOCKS4 request parsing codepath 2017-06-04 13:22:45 +02:00
rl1987
7f05f89663 Don't reject SOCKS5 requests that contain IP strings 2017-06-04 13:14:55 +02:00
rl1987
9e2f780923 Refrain from needless SOCKS5 warning 2017-06-03 18:04:47 +02:00
Nick Mathewson
41ed9e978b Regenerate RSA->ed25519 identity crosscertificate as needed 2017-06-01 10:04:52 -04:00
Nick Mathewson
f2068ef862 Use tor_assert_nonfatal() to try to detect #22466 2017-06-01 09:42:32 -04:00
Nick Mathewson
34a6755b94 Fix ed25519 link certificate race on tls context rotation
Whenever we rotate our TLS context, we change our Ed25519
Signing->Link certificate.  But if we've already started a TLS
connection, then we've already sent the old X509 link certificate,
so the new Ed25519 Signing->Link certificate won't match it.

To fix this, we now store a copy of the Signing->Link certificate
when we initialize the handshake state, and send that certificate
as part of our CERTS cell.

Fixes one case of bug22460; bugfix on 0.3.0.1-alpha.
2017-06-01 09:26:24 -04:00
Nick Mathewson
a9be768959 Bugfix: Regenerate more certificates when appropriate
Previously we could sometimes change our signing key, but not
regenerate the certificates (signing->link and signing->auth) that
were signed with it.  Also, we would regularly replace our TLS x.509
link certificate (by rotating our TLS context) but not replace our
signing->link ed25519 certificate.  In both cases, the resulting
inconsistency would make other relays reject our link handshakes.

Fixes two cases of bug 22460; bugfix on 0.3.0.1-alpha.
2017-05-31 18:45:35 -04:00
Andreas Stieger
1763aa058b Fix GCC 7 -Wimplicit-fallthrough warnings (32 bit)
Add magic comments recognized by default -Wimplicit-fallthrough=3
Follow-up to e5f464, fixes Ticket 22446 for 32 bit.
2017-05-31 09:30:35 -04:00
Nick Mathewson
9d59769db7 Improve error message when all permitted Exits are down
The old "No specified non-excluded exit routers seem to be running"
message was somewhat confusing.

Fix for 7890.
2017-05-30 10:59:04 -04:00
David Goulet
5b33d95a3d hs: Correctly validate v3 descriptor encrypted length
The encrypted_data_length_is_valid() function wasn't validating correctly the
length of the encrypted data of a v3 descriptor. The side effect of this is
that an HSDir was rejecting the descriptor and ultimately not storing it.

Fixes #22447

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-30 10:27:42 -04:00
Nick Mathewson
671c5dcde3 Merge remote-tracking branch 'public/bug6298' 2017-05-30 10:27:37 -04:00
Nick Mathewson
0fbe1a2c6f Merge remote-tracking branch 'teor/bug22424' 2017-05-30 08:50:45 -04:00
Nick Mathewson
184d889f8a Merge remote-tracking branch 'jigsaw/fix-22417-without-3-star' 2017-05-30 08:47:14 -04:00
Nick Mathewson
f9615f9d77 Merge remote-tracking branch 'teor/bug22421' 2017-05-30 08:42:20 -04:00
Andreas Stieger
e5f4642db3 Fix GCC 7 -Wimplicit-fallthrough warnings
Add magic comments recognized by default -Wimplicit-fallthrough=3
or break, as required.
2017-05-30 08:33:27 -04:00
Roger Dingledine
d1580ad49b remove obsolete comment
we should have taken out this comment with commit aadff6274
during ticket 16480.
2017-05-30 02:42:32 -04:00
Daniel Pinto
94d321120e Replace 3-star pointer with 2-star pointer 2017-05-28 20:24:48 +01:00
teor
79725289e1
If we do underflow the know usage of a storage, recalculate it
Fixes bug #22424 on 0.3.1.1-alpha.
2017-05-28 22:34:43 +10:00
teor
69b234a0a8
Refactor storage usage reductions into a static function
No behaviour change.

Part of #22424.
2017-05-28 22:28:43 +10:00
teor
334fe6bb6b
Don't underflow usage when it is unknown and a file is removed
Part of #22424.
2017-05-28 22:16:00 +10:00
teor
9e36b0beb9
Always check for usage underflow when removing a file in storage.c
Part of #22424.
2017-05-28 22:12:09 +10:00
teor
f6841ae263
Fix comment typos in storage.c 2017-05-28 22:11:22 +10:00
teor
25ea8be9de
Update the client bootstrap comment in config.c for exponential backoff
This brings the description up to date with the exponential backoff
code introduced in 0.2.9.1-alpha.

Fixes bug #22421.
2017-05-28 21:01:08 +10:00
Daniel Pinto
f8ccf8d9a9 Fix crash with %include
Fixes crash when including a folder that contains a non-empty file
without any values followed by any other non-empty file.
2017-05-28 09:53:14 +01:00
Roger Dingledine
084b64ba2e simplify because relay_crypt_one_payload can't fail 2017-05-28 01:51:22 -04:00
Nick Mathewson
6fcaf83c98 Cleanup MOCK_IMPL (etc) to be findable with etags
A fair number of our mock_impl declarations were messed up so that
even our special AM_ETAGSFLAGS couldn't find them.

This should be a whitespace-only patch.
2017-05-26 14:07:06 -04:00
Nick Mathewson
159a8061cf Mock tor_addr_lookup() during part of addr/basic test.
If this function isn't mocked, then our unit tests break on stupid
networks where localhost is broken or absent. Fixes bug 6298; bugfix
on 0.0.9pre2.
2017-05-26 13:53:32 -04:00
Nick Mathewson
5742e4fd8e bump version to 0.3.1.2-alpha-dev 2017-05-26 10:23:53 -04:00
Nick Mathewson
2550ac7bb1 update version to 0.3.1.2-alpha 2017-05-26 08:58:08 -04:00
Nick Mathewson
ab9976b724 Merge remote-tracking branch 'arma/bug22368' 2017-05-25 08:54:51 -04:00
Roger Dingledine
657297a9f8 Merge branch 'maint-0.3.0' 2017-05-25 00:28:11 -04:00
Roger Dingledine
83439e78cc Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-25 00:27:27 -04:00
teor
ec61ae59a5 Stop leaking keypin-rejected routerinfos on directory authorities
When directory authorities reject a router descriptor due to keypinning,
free the router descriptor rather than leaking the memory.

Fixes bug 22370; bugfix on 0.2.7.2-alpha.
2017-05-25 00:09:40 -04:00
Roger Dingledine
5f74749fba get rid of some dead code (leftover from commit fa04fe1) 2017-05-24 23:37:00 -04:00
Roger Dingledine
d22d565331 add copy of MyFamily element to the descriptor, not the element itself
If we add the element itself, we will later free it when we free the
descriptor, and the next time we go to look at MyFamily, things will
go badly.

Fixes the rest of bug 22368; bugfix on 0.3.1.1-alpha.
2017-05-24 23:37:00 -04:00
Roger Dingledine
a7e75ff796 don't free the values in options->MyFamily when we make a descriptor
If we free them here, we will still attempt to access the freed memory
later on, and also we will double-free when we are freeing the config.

Fixes part of bug 22368.
2017-05-24 23:32:32 -04:00
Nick Mathewson
511c900686 Merge branch 'master' of git-rw.torproject.org:/tor 2017-05-24 10:25:00 -04:00
Nick Mathewson
b80a35e683 Improve the message we log on unexpected dirauth status code
It's still not great, but should be less confusing what's wrong
here.

Closes ticket 1121.
2017-05-24 09:08:59 -04:00
Roger Dingledine
cabad0b6c7 remove unused node_get_published_on function
in retrospect, we should have removed this with commit 1289474d
as part of #11742, which was the last caller of it.
2017-05-24 00:43:44 -04:00
Nick Mathewson
994595ae5d Don't say "downloading 1 descriptor, 4 at a time"
Fixes bug 19648, bugfix on 0.1.1.8-alpha.
2017-05-23 09:47:11 -04:00
teor
af98b862a5
Fix comments of functions that return tor_snprintf
No code changes needed: in the places where we actually check the
return value of these functions, we handle it correctly.
2017-05-23 18:44:45 +10:00
Roger Dingledine
4e3ea6d5c8 fix minor grammar error in comment 2017-05-22 20:06:38 -04:00
Nick Mathewson
d9b1471303 Merge remote-tracking branch 'ahf/bugs/22305' 2017-05-22 11:57:03 -04:00
Alexander Færøy
9604980733 Log a warning if we receive a disallowed compression method for an anonymous connection.
See: https://bugs.torproject.org/22305
2017-05-22 15:52:41 +00:00
Nick Mathewson
281f06a094 bump to 0.3.1.1-alpha 2017-05-22 11:52:19 -04:00
Nick Mathewson
9a50c73104 Merge remote-tracking branch 'ahf/bugs/22305' 2017-05-22 10:57:26 -04:00
Alexander Færøy
5a0eab68e1 Ensure that only GZip and Zlib compression is handled for anonymous connections.
See: https://bugs.torproject.org/22305
2017-05-22 14:45:12 +00:00
Alexander Færøy
2b26ac1390 Refactor error path handling in connection_dir_client_reached_eof().
This patch lifts the return value, rv, variable to the beginning of the
function, adds a 'done' label for clean-up and function exit and makes
the rest of the function use the rv value + goto done; instead of
cleaning up in multiple places.

See: https://bugs.torproject.org/22305
2017-05-22 14:42:18 +00:00
Nick Mathewson
cfe0a45750 Fix a compilation warning about duplicate typedef 2017-05-22 10:39:43 -04:00
Nick Mathewson
e5a929fef8 Raise common code for creating circuit_guard_state_t
This will help if we ever need to add more fields or change the
semantics of existing fields.
2017-05-22 09:13:18 -04:00
Nick Mathewson
b2e9a107b7 Merge remote-tracking branch 'asn/bug21969_bridges' 2017-05-22 09:09:16 -04:00
George Kadianakis
52498b8183 Set guard state on bridge descriptor fetches.
We used to not set the guard state in launch_direct_bridge_descriptor_fetch().
So when a bridge descriptor fetch failed, the guard subsystem would never
learn about the fail (and hence the guard's reachability state would not
be updated).
2017-05-22 15:57:33 +03:00
George Kadianakis
6009c89165 Set guard state on bridge descriptor fetches.
We used to not set the guard state in launch_direct_bridge_descriptor_fetch().
So when a bridge descriptor fetch failed, the guard subsystem would never
learn about the fail (and hence the guard's reachability state would not
be updated).
2017-05-22 15:56:32 +03:00
George Kadianakis
e102ad60d0 Refactor directory_initiate_command() so that it accepts guard_state. 2017-05-22 15:45:46 +03:00
Alexander Færøy
26795da900 Don't add "Accept-Encoding" header if directory connection is anonymous.
See: https://bugs.torproject.org/22305
2017-05-22 12:36:27 +00:00
Nick Mathewson
90894c87a5 Merge branch 'maint-0.3.0' 2017-05-22 08:32:18 -04:00
Nick Mathewson
5c52d3c2c0 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-22 08:32:07 -04:00
Roger Dingledine
6e5486b11a dir auths reject 0.2.9.x for x<5, due to bug 20499
Directory authorities now reject relays running versions
0.2.9.1-alpha through 0.2.9.4-alpha, because those relays
suffer from bug 20499 and don't keep their consensus cache
up-to-date.

Resolves ticket 20509.
2017-05-22 08:31:39 -04:00
Roger Dingledine
0698a0beca fix two typos in comments
closes ticket 22322
2017-05-22 01:43:52 -04:00
Roger Dingledine
a18b41cc77 fix typo in comment 2017-05-19 22:14:56 -04:00
Nick Mathewson
09b3cb0d72 Whoops; I broke check-spaces. 2017-05-19 16:02:58 -04:00
Nick Mathewson
13034e1574 Try another approach to fixing the bug in the #1922 test.
This isn't elegant, but it seems to be the best way around all of
the issues involved in escaping and quoting that we've gotten into
over the years.
2017-05-19 15:50:29 -04:00
Nick Mathewson
19615bce64 mingw fix: avoid "unused var" warning. 2017-05-19 15:50:12 -04:00
Nick Mathewson
8cb08f716d fix a coverity resource leak warning 2017-05-19 15:20:57 -04:00
Nick Mathewson
4e6b13a38a Fix uninitialized-variable warning on options_init_from_string(). 2017-05-19 15:18:27 -04:00
Nick Mathewson
d950ad0dfd Remove call to get_unquoted_path in config_process_include()
parse_config_line_from_str_verbose() already looks for strings
that are surrounded by quotes, and processes them with
unescape_string().  So things were getting decoded twice, which was
(in turn) playing havoc with backslashes on Windows.
2017-05-19 14:09:51 -04:00
Nick Mathewson
3628efe29c Try to fix windows config/include_path_syntax test
It was trying to do %include "foo\", which won't work.  It has to be
%include "foo\\".
2017-05-19 09:55:22 -04:00
Nick Mathewson
dcfed8c1c8 tt_* macros can "goto done;" so define any freeable things before them. 2017-05-19 08:55:14 -04:00
Nick Mathewson
ff1af5550a strlen() returns size_t 2017-05-19 08:54:56 -04:00
Nick Mathewson
69ef94820b Merge branch 'add_rust_squashed' 2017-05-19 08:47:18 -04:00
Sebastian Hahn
70c067102b Allow Rust build using locally supplied crates or crates.io
This adds a couple of configure commands to control whether we're
requiring all dependencies to be available locally (default) or not
(--enable-cargo-online-mode). When building from a tarball, we require
the RUST_DEPENDENCIES variable to point to the local repository of
crates. This also adds src/ext/rust as a git submodule that contains
such a local repository for easy setup.
2017-05-19 08:47:11 -04:00
Sebastian Hahn
d6f9a4f11a cargo-online-mode configure argument
Passing --enable-cargo-online-mode during configure allows cargo to make
network requests while building Tor or running tests. If this flag is
not supplied, the dependencies need to be available in the form of a
local mirror.
2017-05-19 08:47:11 -04:00
Sebastian Hahn
ed15511ac3 Add rustfmt.toml 2017-05-19 08:47:11 -04:00
Sebastian Hahn
f0516ed348 Run cargo test during make check 2017-05-19 08:47:11 -04:00
Sebastian Hahn
f8ef7c65d1 Add some Rust utility functions and print support
This gives an indication in the log that Tor was built with Rust
support, as well as laying some groundwork for further string-returning
APIs to be converted to Rust
2017-05-19 08:47:10 -04:00
Nick Mathewson
92d335b3dc Merge remote-tracking branch 'jigsaw/torrc-dir-fix-1922_squashed2' 2017-05-19 08:46:13 -04:00
Nick Mathewson
d34fa32ece Merge branch 'ticket21953_029' 2017-05-19 06:49:04 -04:00
Nick Mathewson
15cc41e664 Define HeapEnableTerminationOnCorruption if the headers don't.
MSDN says that it's always going to be 1, and they're usually pretty
accurate about that.

Fixes a bug in 21953.
2017-05-19 06:46:49 -04:00
Roger Dingledine
553cd7f0c5 fix typo 2017-05-19 02:06:44 -04:00
Daniel Pinto
ba3a5f82f1 Add support for %include funcionality on torrc #1922
config_get_lines is now split into two functions:
 - config_get_lines which is the same as before we had %include
 - config_get_lines_include which actually processes %include
2017-05-18 23:44:16 +01:00
Nick Mathewson
d1340bd5ac bump to 0.3.0.7-dev 2017-05-18 12:28:28 -04:00
Nick Mathewson
b214c2c095 Merge branch 'maint-0.3.0' 2017-05-18 10:06:27 -04:00
Nick Mathewson
935cd77f62 Merge branch 'bug22252_029' into maint-0.3.0 2017-05-18 10:06:06 -04:00
Alexander Færøy
fcf836d239 Add coverage markers in Zstd + LZMA compression backends.
See: https://bugs.torproject.org/22286
2017-05-17 13:23:54 +00:00
Alexander Færøy
77511aed6c Fix whitespace issue.
See: https://bugs.torproject.org/22286
2017-05-17 13:23:46 +00:00
Alexander Færøy
d74467e858 Check that tor_compress_state_size() returns a value larger than zero.
See: https://bugs.torproject.org/22286
2017-05-17 13:23:33 +00:00
Daniel Pinto
e04da2828d Fixed error on BASEXX_NOPAD LEN and BUFSIZE macros #21872 2017-05-17 00:22:11 +01:00
Alexander Færøy
3772fdf756 Ensure that each compression backend returns a provider version identifier. 2017-05-16 19:08:18 +00:00
Nick Mathewson
2ba58f275c Fix crash when starting with LearnCircuitBuildTimeout 0.
Before we've set our options, we can neither call get_options() nor
networkstatus_get_latest_consensus().

Fixes bug 22252; bugfix on 4d9d2553ba
in 0.2.9.3-alpha.
2017-05-16 11:20:12 -04:00
Nick Mathewson
bbeba2412e Fix resource leak in parse_consensus_request()
We were allocating diff_hash_in_url on some URLs, but not freeing it.

Fixes CID 1409669.  Bug not in any released Tor.
2017-05-16 10:47:41 -04:00
Nick Mathewson
2ca827104d Report deleted consensuses as NOT_FOUND rather than AVAILABLE
This bug happened because of a bogus pointer check in
consdiffmgr_find_consensus(), not in any released Tor.

Fixes CID 1409670.  Good catch, Coverity!
2017-05-16 10:44:24 -04:00
Nick Mathewson
d29f494ec2 Merge branch 'maint-0.3.0' 2017-05-16 08:39:36 -04:00
Nick Mathewson
492f8a7c44 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-16 08:39:22 -04:00
Nick Mathewson
a7bcab2639 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-05-16 08:38:59 -04:00
teor
5b45d73293
Update fallback directory mirrors in May 2017
Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
December 2016 (of which ~126 were still functional), with a list of
151 fallbacks (32 new, 119 existing, 58 removed) generated in May 2017.

Resolves ticket 21564.
2017-05-16 19:02:42 +10:00
Nick Mathewson
8324631dd9 bump version to 0.3.0.7 2017-05-15 18:25:07 -04:00
Nick Mathewson
a546487287 Merge branch 'maint-0.3.0' 2017-05-15 18:24:38 -04:00
Nick Mathewson
294d80044d remove a variable I missed 2017-05-15 18:16:58 -04:00
Nick Mathewson
d3279d4304 Do not try to uncompress an empty spool 2017-05-15 18:13:38 -04:00
Nick Mathewson
460b923026 fix a memory leak 2017-05-15 18:13:20 -04:00
Nick Mathewson
e1b3c1bbec Test fix: always set address in new_dir_conn() 2017-05-15 18:00:38 -04:00
Nick Mathewson
f9d8ade912 Dircache protocol version 2 adds support for diffs 2017-05-15 17:53:36 -04:00
Nick Mathewson
da6b00443c Try not to mess up caches with the X-Or-Diff-From-Consensus header 2017-05-15 17:53:15 -04:00
Nick Mathewson
4531fdbbff Split consensus-request parsing into a separate function
This ought to make the control flow a tiny bit more readable.
2017-05-15 17:51:53 -04:00
Nick Mathewson
eb3c8d376d Prop140, continued: accept "diff/<HASH>" in URLs, per proposal. 2017-05-15 17:42:17 -04:00
Nick Mathewson
afef059795 Merge remote-tracking branch 'public/prop140_aftermath_cfg' 2017-05-15 17:26:47 -04:00
Nick Mathewson
dae1242532 Merge branch 'ahf_bugs_21667_2_squashed' 2017-05-15 17:22:12 -04:00
Alexander Færøy
9e3f304113 Fix dir_handle_get/... test-cases for prop#278 support.
See: https://bugs.torproject.org/21667
2017-05-15 17:21:55 -04:00
Nick Mathewson
65d9408448 dir_handle_get: repair two test cases, note the fixes for 3 others 2017-05-15 17:21:55 -04:00
Alexander Færøy
008194035f Handle non-compressed requests gracefully.
This patch makes us use FALLBACK_COMPRESS_METHOD to try to fetch an
object from the consensus diff manager in case no mutually supported
result was found. This object, if found, is then decompressed using the
spooling system to the client.

See: https://bugs.torproject.org/21667
2017-05-15 17:21:55 -04:00
Alexander Færøy
8d730af0f7 Remove old consensus fetching code from handle_get_current_consensus().
This patch removes the calls to spooled_resource_new() when trying to
download the consensus. All calls should now be going through the
consdiff manager.

See: https://bugs.torproject.org/21667
2017-05-15 17:21:55 -04:00
Alexander Færøy
fade313ba3 Fix too wide line from make check-spaces.
See: https://bugs.torproject.org/21667
2017-05-15 17:21:55 -04:00
Alexander Færøy
ae33deb91d Check for best consensus when no consensusdiff was found.
This patch ensures that we use the current consensus in the case where
no consensus diff was found or a consensus diff wasn't requested.

See: https://bugs.torproject.org/21667
2017-05-15 17:21:55 -04:00
Nick Mathewson
7591518d16 Copy valid/fresh-until and signatories values into diffs. 2017-05-15 17:21:55 -04:00
Nick Mathewson
fd1190581d Store fresh/valid-until and signatories values on all consensus objects. 2017-05-15 17:21:55 -04:00
Nick Mathewson
dcc533fb13 Implement functions to expose valid/fresh-until and voters
These still won't do anything till I get the values to be filled in.

Also, I changed the API a little (with corresponding changes in
directory.c) to match things that it's easier to store.
2017-05-15 17:21:55 -04:00
Nick Mathewson
2f06345db3 Move stub accessor functions a level higher, to consdiffmgr 2017-05-15 17:21:55 -04:00
Alexander Færøy
ef2a62b2ff Fetch the current consensus from the conscache subsystem.
This patch changes handle_get_current_consensus() to make it read the
current consensus document from the consensus caching subsystem.

See: https://bugs.torproject.org/21667
2017-05-15 17:21:55 -04:00
Nick Mathewson
3b8888c544 Initialize the HS cache at startup
Failure to do this caused an assertion failure with #22246 . This
assertion failure can be triggered remotely, so we're tracking it as
medium-severity TROVE-2017-002.
2017-05-15 13:49:29 -04:00
Nick Mathewson
71a21256b0 Merge branch 'bug22245_024' 2017-05-15 11:46:55 -04:00
Nick Mathewson
85f75d617c Add hs_test_helpers.h to noinst_HEADERS 2017-05-15 11:45:20 -04:00
Nick Mathewson
a6514b8a20 Fix a logic error in hibernate.c
Closes bug 22245; bugfix on 0.0.9rc1, when bandwidth accounting was
first introduced.

Found by Andrey Karpov and reported at https://www.viva64.com/en/b/0507/
2017-05-15 11:43:18 -04:00
Nick Mathewson
0e348720fc Fix assertion to actually have a chance of failing
This assertion can only fail if we mess up some of our other code,
but let's try to get it right.

Closes 22244.
2017-05-15 11:27:12 -04:00
Nick Mathewson
1ec45bb546 Merge branch 'bug18100_029' 2017-05-15 11:19:44 -04:00
Nick Mathewson
4473271c66 Fix the TRPOXY typo in connection_edge.c
Also add a get_options() call so it compiles.

Fixes bug 18100; bugfix on 0.2.6.3-alpha. Patch from "d4fq0fQAgoJ".
2017-05-15 11:16:50 -04:00
Nick Mathewson
d3a39cf8d0 Merge remote-tracking branch 'public/bug20270_029' 2017-05-15 10:45:20 -04:00
Alexander Færøy
363f4b8db5
Add stub functions for querying metadata about the consensus. 2017-05-13 01:05:15 +02:00
Alexander Færøy
64116ab97f
Fix tautological constant out-of-range comparison warnings. 2017-05-12 17:59:29 +02:00
Alexander Færøy
a1e8ef0076
Fix DoubleNL warning from make check-spaces. 2017-05-12 17:57:11 +02:00
Nick Mathewson
077d3085ec
actually enable background compresion for consensuses 2017-05-12 17:45:55 +02:00
Nick Mathewson
db370bb8a8
Test fix: expect old consensuses to be deleted if not deflate-compressed 2017-05-12 17:45:44 +02:00
Nick Mathewson
30dfb36148
consdiffmgr: Reload latest consensus entries on start. 2017-05-12 17:45:33 +02:00
Nick Mathewson
8100305e71
consdiffmgr: expose cached consensuses 2017-05-12 17:45:24 +02:00
Nick Mathewson
7b0dcf5c4a
Cleanup logic: only retain zlib-compressed consensuses
Now that we're making a bunch of these with consdiffmgr, we should
throw out all but one when we get a newer consensus.
2017-05-12 17:45:15 +02:00
Nick Mathewson
151cd121a2
consdiffmgr: compress incoming consensuses in the background
Also, compress them in several ways.

This breaks the unit tests; subsequent commits will make them pass
again.
2017-05-12 17:45:07 +02:00
Nick Mathewson
6da31ec484
consdiffmgr: Extract the code for compressing and storing
We're going to use this for consensuses too.
2017-05-12 17:44:55 +02:00
Alexander Færøy
7a3efe25d9
Use different preferences for compression methods when streaming.
See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Alexander Færøy
141f6e3211
Add client_meth_pref array to define client compression preference.
See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Alexander Færøy
59d17ca2bb
Fix indentation when using the ternary operator in handle_get_status_vote().
See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Alexander Færøy
ef187bc280
Use compression_method_get_human_name() in connection_dir_client_reached_eof()
This patch refactors connection_dir_client_reached_eof() to use
compression_method_get_human_name() to set description1 and
description2 variables.

See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Alexander Færøy
3a05687c6d
Add API for getting human readable descriptions of a compress_method_t
See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Alexander Færøy
f8218b5ada
Use compression_method_get_by_name() instead of explicit checks.
See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Alexander Færøy
cf2f7a1bea
Decide compression method in the various handle_* functions().
See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Alexander Færøy
a3a31fa120
Send "Accept-Encoding" to directory servers.
See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Alexander Færøy
6305637197
Use tor_compress_supports_method() instead of constants.
See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Alexander Færøy
61b6de5906
Handle Zstandard and LZMA in our check for correct guessed compression.
See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Alexander Færøy
fbef257c43
Handle x-zstd and x-tor-lzma in parse_http_response().
See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Alexander Færøy
ca632144e5
Use dir_compressed(_len) instead of dir_z(_len).
This patch renames `dir_z` to `dir_compressed` and `dir_z_len` to
`dir_compressed_len`.

See: https://bugs.torproject.org/21667
2017-05-12 17:18:45 +02:00
Nick Mathewson
4410271446 Merge branch 'ticket21953_029' 2017-05-12 08:40:30 -04:00
Nick Mathewson
503f101d2b Enable some windows hardening features
One (HeapEnableTerminationOnCorruption) is on-by-default since win8;
the other (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) supposedly only
affects ATL, which (we think) we don't use.  Still, these are good
hygiene. Closes ticket 21953.
2017-05-11 16:39:02 -04:00
Taylor Yu
61a367cadd Untangle cleanup logic in test_hs_intropoint.c
Cleanup logic in test_intro_point_registration() invoked tt_assert()
in a way that could cause it to jump backward into the cleanup code if
the assertion failed, causing Coverity to see a double free (CID
1397192).  Move the tt_assert() calls into a helper function having
the well-defined task of testing hs_circuitmap_free_all().
Fixes #22231.
2017-05-11 13:06:45 -04:00
Nick Mathewson
9905659573 Merge remote-tracking branch 'arma/cleanup22213' 2017-05-11 09:20:12 -04:00
Nick Mathewson
6390a0c3b6 Merge branch 'ticket21871_031_03_squashed' 2017-05-11 08:33:32 -04:00
David Goulet
ae1d4cfdad prop224: Change encryption keys descriptor encoding
A descriptor only contains the curve25519 public key in the enc-key field so
the private key should not be in that data structure. The service data
structures will have access to the full keypair (#20657).

Furthermore, ticket #21871 has highlighted an issue in the proposal 224 about
the encryption key and legacy key being mutually exclusive. This is very wrong
and this commit fixes the code to follow the change to the proposal of that
ticket.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-11 08:33:26 -04:00
Nick Mathewson
dc9274dec3 Merge remote-tracking branch 'argonblue/bug22177' 2017-05-11 07:41:21 -04:00
Nick Mathewson
38003f4350 Merge remote-tracking branch 'argonblue/bug22221' 2017-05-11 07:25:22 -04:00
Roger Dingledine
8f1ddf0cd2 Remove unused "ROUTER_ADDED_NOTIFY_GENERATOR" internal value
We already have a way to return a 400 response code along with a
personalized message response for the uploader.

Resolves ticket 22213.
2017-05-10 20:03:07 -04:00
Roger Dingledine
466e27feae simplify functions now that they don't use options param 2017-05-10 17:57:35 -04:00
Roger Dingledine
2330a3713d Merge branch 'maint-0.3.0' 2017-05-10 17:36:34 -04:00
Roger Dingledine
716d48581d resolve now-unused parameter from #21642 fix 2017-05-10 17:35:36 -04:00
Taylor Yu
3156392e9b Test config line parsing errors
Add tests for lower-level syntax errors in config file lines.
Fixes #22177.
2017-05-10 16:51:40 -04:00
Nick Mathewson
1a497dcd1e Merge branch 'maint-0.3.0' 2017-05-10 16:28:07 -04:00
Nick Mathewson
a868b84599 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-10 16:27:15 -04:00
Nick Mathewson
8f5da804da Merge branch 'prop275_minimal_029' into maint-0.2.9 2017-05-10 16:26:45 -04:00
Taylor Yu
2bf4263800 Resurrect dead code in test_channelpadding.c
A for-loop in test_channelpadding_timers() would never run because it
was trying to increment a counter up to CHANNELS_TO_TEST/3 after an
earlier block already incremented it to CHANNELS_TO_TEST/2.

Fixes #22221, CID 1405983.
2017-05-10 13:57:18 -04:00
Nick Mathewson
ee3ccd2fac #22211 Fix a comment in routerparse.c 2017-05-10 11:16:07 -04:00
Nick Mathewson
d76cffda60 Merge remote-tracking branch 'public/my-family-list-fix-4498' 2017-05-10 11:12:24 -04:00
Nick Mathewson
8266d193a6 Restore wget behavior when fetching compressed objects
We do this by treating the presence of .z as meaning ZLIB_METHOD,
even if Accept-Encoding does not include deflate.

This fixes bug 22206; bug not in any released tor.
2017-05-10 11:09:52 -04:00
Nick Mathewson
5dab99d6a8 Fix compilation on libevent2-only systems
Patch from rubiate; fixes bug 22219.  Remember, we don't support
libevent1 any more.
2017-05-10 11:08:49 -04:00
Nick Mathewson
95fa7d1cf8 In channelpadding tests that touch libevent, call event_reinit().
This is necessary to avoid crashes and test failures on kevent-based
systems.

Fixes bug 22209; bug not in any released Tor.
2017-05-10 11:01:13 -04:00
Roger Dingledine
0266c4ac81 add an XXX with a minor bug in dirserv_add_multiple_descriptors 2017-05-10 03:11:29 -04:00
Nick Mathewson
9f5b71a7ca Add a check and a cast in rephist.c to fix a warning 2017-05-09 11:13:22 -04:00
Nick Mathewson
b2cb3c33ac Tidy or_options_t by removing obsolete options.
Nothing was setting or inspecting these fields, and they were marked
as OBSOLETE() in config.c -- but somehow we still had them in the
or_options_t structure.  Ouch.
2017-05-09 10:40:24 -04:00
Nick Mathewson
2a1013948d Merge branch 'dgoulet_ticket22060_031_01_squashed' 2017-05-09 10:32:21 -04:00
David Goulet
b867295ffd config: Parse ports at the start of options_validate()
There was a bug that got exposed with the removal of ORListenAddress. Within
server_mode(), we now only check ORPort_set which is set in parse_ports().

However, options_validate() is using server_mode() at the start to check if we
need to look at the uname but then the ORPort_set is unset at that point
because the port parsing was done just after. This commit fixes that.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:52 -04:00
David Goulet
7f95ef6e66 config: Remove {Control,DNS,Dir,Socks,Trans,NATD,OR}ListenAddress option
Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:52 -04:00
David Goulet
039e2a24da config: Remove TLSECGroup option
Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:52 -04:00
David Goulet
8aedc589ed config: Remove WarnUnsafeSocks option
Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:52 -04:00
David Goulet
60cf5ac297 config: Remove CloseHSServiceRendCircuitsImmediatelyOnTimeout option
Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:52 -04:00
David Goulet
87e9dc48d1 config: Remove CloseHSClientCircuitsImmediatelyOnTimeout option
Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:52 -04:00
David Goulet
bc34654ba2 config: Remove FastFirstHopPK option
Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:52 -04:00
David Goulet
09bc858dd5 config: Remove ExcludeSingleHopRelays option
Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:52 -04:00
David Goulet
d52a1e2faa config: Remove AllowSingleHopExits option
Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:52 -04:00
David Goulet
fea72571df config: Remove AllowSingleHopCircuits option
Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:52 -04:00
David Goulet
2b9823b310 config: Remove AllowInvalidNodes option
Deprecated in 0.2.9.2-alpha, this commits changes it as OBSOLETE() and cleans
up the code associated with it.

Partially fixes #22060

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:51 -04:00
David Goulet
0958e3b208 test: Remove HS decode valid intro point test
The descriptor fields can't be validated properly during encoding because they
are signed by a descriptor signing key that we don't have in the unit test.

Removing the test case for now but ultimately we need an independent
implementation that can encode descriptor and test our decoding functions with
that.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:37 -04:00
David Goulet
0cc18ef64c test: Move duplicate HS test code and unify it
Create the hs_test_helpers.{c|h} files that contains helper functions to
create introduction point, descriptor and compare descriptor.

Used by both the hs cache and hs descriptor tests. Unify them to avoid code
duplication.

Also, this commit fixes the usage of the signing key that was wrongly used
when creating a cross signed certificate.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-09 10:30:37 -04:00
Nick Mathewson
ff7e8531ec Report common reasons for rejecting a relay before uncommon ones
"You're running 0.2.2; upgrade!" is more sensible than "You have no
ntor key!"

Closes ticket 20270; bugfix on 0.2.9.3-alpha.
2017-05-09 10:28:51 -04:00
Nick Mathewson
2f714d60a4 Minor cleanups in test_config.
Use a more standard indentation style for the end block; remove
redundant if() around tor_free.
2017-05-09 08:20:14 -04:00
Nick Mathewson
b8abedfeee Split MyFamily into user-specified version and normalized version
This change prevents a no-longer-supported behavior where we change
options that would later be written back to torrc with a SAVECONF.

Also, use the "Pointer to final pointer" trick to build the
normalized list, to avoid special-casing the first element.
2017-05-09 08:19:26 -04:00
Nick Mathewson
674c1d2594 Fix an implicit conversion warning 2017-05-09 07:26:14 -04:00
Nick Mathewson
7751df61ca Fix a warning about a shadowed global 2017-05-09 07:25:52 -04:00
Nick Mathewson
ef2248d09b Fix a warning about an extraneous semicolon 2017-05-09 07:25:34 -04:00
Nick Mathewson
2e4f3b36bd clang-i386: use house style for public-when-testing variables
This fixes a warning from jenkins.
2017-05-08 15:38:05 -04:00
Nick Mathewson
4d6c79d1de Fix some clang-i386 warnings in master. 2017-05-08 15:34:37 -04:00
Nick Mathewson
fb97f76e71 whitespace fixes 2017-05-08 13:57:08 -04:00
Nick Mathewson
4d30dde156 Merge branch 'netflow_padding-v6-rebased2-squashed' 2017-05-08 13:54:59 -04:00
Mike Perry
9f8e462c89 Fix some channelpadding test issues.
asan was finding an alignment issue with a cast, so set the field in the
trunnel struct and then encode it instead. Also, enable log capture and
verification.
2017-05-08 13:49:23 -04:00
Mike Perry
02a5835c27 Fix issues from dgoulet's code review.
https://gitlab.com/dgoulet/tor/merge_requests/24
2017-05-08 13:49:23 -04:00
Mike Perry
687a85950a Cache netflow-related consensus parameters.
Checking all of these parameter lists for every single connection every second
seems like it could be an expensive waste.

Updating globally cached versions when there is a new consensus will still
allow us to apply consensus parameter updates to all existing connections
immediately.
2017-05-08 13:49:23 -04:00
Mike Perry
ae4d8c9c74 Fix a breakage in test_options.c.
IMO, these tests should be calling options_init() to properly set everything
to default values, but when that is done, about a dozen tests fail. Setting
the one default value that broke the tests for my branch. Sorry for being
lame.
2017-05-08 13:49:22 -04:00
Mike Perry
20a3d4efac Remove a PredictedPortsRelevantTime test.
The option was deprecated by bug #17592.
2017-05-08 13:49:22 -04:00
Mike Perry
76c9330f9d Bug 17604: Converge on only one long-lived TLS conn between relays.
Accomplished via the following:

1. Use NETINFO cells to determine if both peers will agree on canonical
   status. Prefer connections where they agree to those where they do not.
2. Alter channel_is_better() to prefer older orconns in the case of multiple
   canonical connections, and use the orconn with more circuits on it in case
   of age ties.

Also perform some hourly accounting on how many of these types of connections
there are and log it at info or notice level.
2017-05-08 13:49:22 -04:00
Mike Perry
d5a151a067 Bug 17592: Clean up connection timeout logic.
This unifies CircuitIdleTimeout and PredictedCircsRelevanceTime into a single
option, and randomizes it.

It also gives us control over the default value as well as relay-to-relay
connection lifespan through the consensus.

Conflicts:
	src/or/circuituse.c
	src/or/config.c
	src/or/main.c
	src/test/testing_common.c
2017-05-08 13:49:22 -04:00
Mike Perry
b0e92634d8 Netflow record collapsing defense.
This defense will cause Cisco, Juniper, Fortinet, and other routers operating
in the default configuration to collapse netflow records that would normally
be split due to the 15 second flow idle timeout.

Collapsing these records should greatly reduce the utility of default netflow
data for correlation attacks, since all client-side records should become 30
minute chunks of total bytes sent/received, rather than creating multiple
separate records for every webpage load/ssh command interaction/XMPP chat/whatever
else happens to be inactive for more than 15 seconds.

The defense adds consensus parameters to govern the range of timeout values
for sending padding packets, as well as for keeping connections open.

The defense only sends padding when connections are otherwise inactive, and it
does not pad connections used solely for directory traffic at all. By default
it also doesn't pad inter-relay connections.

Statistics on the total padding in the last 24 hours are exported to the
extra-info descriptors.
2017-05-08 13:49:21 -04:00
Nick Mathewson
35025ee51f Merge branch 'maint-0.3.0' 2017-05-08 13:40:41 -04:00
Nick Mathewson
d792d2a14d Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-08 13:40:26 -04:00
Nick Mathewson
0df22e8f5f Merge branch 'bug21943_029' into maint-0.2.9 2017-05-08 13:40:14 -04:00
Nick Mathewson
03fdf232bf Merge remote-tracking branch 'ahf/coverity/1405875' 2017-05-08 08:19:13 -04:00
Nick Mathewson
300f8e6f0a Merge branch 'maint-0.3.0' 2017-05-08 08:07:49 -04:00
Nick Mathewson
f5876917aa Merge branch 'maint-0.2.9' into maint-0.3.0 2017-05-08 08:07:38 -04:00
Nick Mathewson
5ff0b519ec Merge branch 'maint-0.2.8' into maint-0.2.9 2017-05-08 08:07:32 -04:00
Nick Mathewson
dc34cd7a04 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-05-08 08:07:19 -04:00
Nick Mathewson
71dd1d716a Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-05-08 08:07:11 -04:00
Nick Mathewson
159ddf6dde Merge branch 'maint-0.2.5' into maint-0.2.6 2017-05-08 08:07:04 -04:00
Nick Mathewson
68d6720452 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-05-08 08:06:59 -04:00
Karsten Loesing
5207e41ffe Update geoip and geoip6 to the May 2 2017 database. 2017-05-08 10:09:42 +02:00
Nick Mathewson
9decf86711 Merge remote-tracking branch 'dgoulet/ticket21978_031_02' 2017-05-05 16:32:25 -04:00
Alexander Færøy
7344a4fdc6
Remove dead code in test_options_validate_impl().
Dead branch found by Coverity in CID #1405875.
2017-05-05 17:07:18 +02:00
Nick Mathewson
c276c10d3b Turn consdiffmgr.cache_max_age_hours into a parameter 2017-05-05 09:11:06 -04:00
Nick Mathewson
c985592874 prop140 clients now only try to get diffs from recent consensuses
Rationale: If it's a year old, the relay won't have a diff to it.

This is as specified in prop140
2017-05-05 09:11:06 -04:00
Alexander Færøy
60e97953ef
Fix memory leak found in CID #1405876. 2017-05-05 11:35:12 +02:00
Nick Mathewson
c6fe65fcaf Grammar fix in a log message 2017-05-04 08:58:06 -04:00
Nick Mathewson
baf489fc08 Fix: our directory.c code expects header constants to end with a : 2017-05-04 08:57:34 -04:00
Nick Mathewson
6beb7028d8 Do not BUG on missing sha3-as-signed field
This can happen if you've been running an earlier alpha on your
relay.  Instead, just ignore the entry.
2017-05-04 08:50:21 -04:00
Nick Mathewson
e1d31f2a2f Update the consdiff directory code based on #22143 fixes
These are mostly just identifier renames, except for one place in
routerparse.c where we switch to using a correct hash.
2017-05-04 08:49:02 -04:00
Nick Mathewson
a8eccb6363 Turn DEFAULT_IF_MODIFIED_SINCE_DELAY into a const 2017-05-04 08:37:41 -04:00
Nick Mathewson
c12d2cb2dc Request (and try to use) consensus diffs. 2017-05-04 08:37:41 -04:00
Nick Mathewson
912b0641e9 Generate X-Or-Diff-From-Consensus headers correctly. 2017-05-04 08:37:41 -04:00
Nick Mathewson
94ae99067f Remove excess indentation from previous commit.
Review this with 'diff -b' to confirm
2017-05-04 08:37:41 -04:00
Nick Mathewson
afa39cef6c Extract the consensus-only part of directory_get_from_dirserver
Right now it just sets an if-modified-since header, but it's about
to get even bigger.

This patch avoids changing indentation; the next patch will be
whitespace fixes.
2017-05-04 08:37:41 -04:00
Nick Mathewson
57710c1587 New function to add additional headers to a directory request 2017-05-04 08:37:41 -04:00
Nick Mathewson
112286338b Store the sha3 of a networkstatus as part of the networkstatus_t
Also store it in the cached_dir_t.
2017-05-04 08:37:41 -04:00
Nick Mathewson
0418357ffd Serve consensus diffs on request. 2017-05-04 08:37:41 -04:00
Nick Mathewson
e5f82969ca Support writing Content-Encoding headers other than deflate
Right now this only sends "deflate" or "identity", but there's more
to come.
2017-05-04 08:37:41 -04:00
Nick Mathewson
e051c47e98 Remove old unused indentation from handle_get_current_consensus
This commit removes a pair of meaningless braces, and changes
whitespace only.
2017-05-04 08:37:41 -04:00
Nick Mathewson
a32083bd03 Add consensus_cache_entry spooling support to spooled_resource_t 2017-05-04 08:37:41 -04:00
Nick Mathewson
24ba1864d8 Merge branch 'ticket22143_squashed' 2017-05-04 08:36:59 -04:00
Nick Mathewson
df2bcaeb4a Add a test for $ with non-delete commands. 2017-05-04 08:36:50 -04:00
Nick Mathewson
87f6979a03 Remove some unused digests from test_consdiffmgr.c
These were unused before I started working on #22143 -- I just found
them while I was lookinging for digests to update.
2017-05-04 08:36:50 -04:00
Nick Mathewson
3af9704e45 bug#22143/prop#140: in consdiffmgr, store and use digest-as-signed
We need to index diffs by the digest-as-signed of their source
consensus, so that we can find them even from consensuses whose
signatures are encoded differently.
2017-05-04 08:36:50 -04:00
Nick Mathewson
c8baa9b783 bug#22143/prop#140: Use <n>,$d commands in diffs to remove signatures
In this patch I add support for "delete through end of file" in our
ed diff handler, and generate our diffs so that they remove
everything after in the consensus after the signatures begin.
2017-05-04 08:36:50 -04:00
Taylor Yu
38a13b91a8 Fix additional leaks in #22103 tests
test_options_validate_impl() incorrectly executed subsequent phases of
config parsing and validation after an expected error.  This caused
msg to leak when those later phases (which would likely produce errors
as well) overwrote it.
2017-05-03 13:47:06 -04:00
Nick Mathewson
5acddbbbf7 bug#22143/prop#140: identify input diffs by their digest-as-signed
See may 3 changes to prop140 for more background.
2017-05-03 13:09:08 -04:00
Nick Mathewson
77d9dd39c3 Merge remote-tracking branch 'argonblue/bug22103_fixtest' 2017-05-03 09:33:37 -04:00
David Goulet
90b840af60 control: Fix NULL pointer access in HS desc event
This was introduced 90562fc23a adding a code
path where we pass a NULL pointer for the HSDir fingerprint to the control
event subsystem. The HS desc failed function wasn't handling properly that
pointer for a NULL value.

Two unit tests are also added in this commit to make sure we handle properly
the case of a NULL hsdir fingerprint and a NULL content as well.

Fixes #22138

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-03 09:26:17 -04:00
Taylor Yu
7b64f1773d Fix memory management for #22103 tests
Code movement in the commit introducings tests for #22103 uncovered a
latent memory management bug.

Refactor the log message checking from test_options_checkmsgs() into a
helper test_options_checklog().  This avoids a memory leak (and
possible double-free) in a test failure condition.

Don't reuse variables (especially pointers to allocated memory!) for
multiple unrelated purposes.

Fixes CID 1405778.
2017-05-03 08:59:29 -04:00
Nick Mathewson
e0b1fd4d3d Merge branch 'refactor_dir_client_handler' 2017-05-02 20:42:00 -04:00
Nick Mathewson
7bc9f93abb Merge branch 'teor_connection-with-client-v2_squashed' 2017-05-02 19:18:04 -04:00
teor
f9af7e8bd0 Accurately identify client connections by their lack of peer authentication
This means that we bail out earlier if asked to extend to a client.

Follow-up to 21407.
Fixes bug 21406; bugfix on 0.2.4.23.
2017-05-02 19:17:56 -04:00
Taylor Yu
a91f948cca Add tests for #22103
Also factor out the error message comparisions from
test_options_validate_impl() into a separate function so it can check
for error messages in different phases of config parsing.
2017-05-02 16:13:14 -04:00
Taylor Yu
5494087ed7 Delete useless checks in confparse.c
config_parse_interval() and config_parse_msec_interval() were checking
whether the variable "ok" (a pointer to an int) was null, rather than
derefencing it.  Both functions are static, and all existing callers
pass a valid pointer to those static functions.  The callers do check
the variables (also confusingly named "ok") whose addresses they pass
as the "ok" arguments, so even if the pointer check were corrected to
be a dereference, it would be redundant.

Fixes #22103.
2017-05-02 16:12:30 -04:00
Nick Mathewson
e0c937f316 Reindent the just-extracted directory response handler functions 2017-05-02 13:11:44 -04:00
Nick Mathewson
db86b9194d Break connection_dir_client_reached_eof() into smaller functions
This was a >630-line function, which doesn't make anybody happy.  It
was also mostly composed of a bunch of if-statements that handled
different directory responses differently depending on the original
purpose of the directory connection.  The logical refactoring here
is to move the body of each switch statement into a separate handler
function, and to invoke those functions from a separate switch
statement.

This commit leaves whitespace mostly untouched, for ease of review.
I'll reindent in the next commit.
2017-05-02 13:06:25 -04:00
Nick Mathewson
fd437f2a02 Remove special-casing for NO_METHOD in consdiffmgr.c 2017-05-02 08:37:57 -04:00
Nick Mathewson
584ab1f29b Merge branch 'compress_none_v2_squashed' 2017-05-02 08:33:35 -04:00
Nick Mathewson
3836d9481f Add unit tests for the NO_METHOD compressor
These required some special-casing, since some of the assumption
about real compression algorithms don't actually hold for the
identity transform.  Specifically, we had assumed:

  - compression functions typically change the lengths of their
    inputs.
  - decompression functions can detect truncated inputs
  - compression functions have detectable headers

None of those is true for the identity transformation.
2017-05-02 08:31:32 -04:00
Nick Mathewson
1bc21111d8 Treat the identity transformation as another kind of compression.
This will allow us to treat NO_METHOD as a real compression method,
and to simplify code that currently does

   if (compressing) {
      compress
   } else {
      copy
   }
2017-05-02 08:31:32 -04:00
Nick Mathewson
465448e659 Merge branch 'dgoulet_bug22042_031_01_squashed' 2017-05-01 16:08:23 -04:00
David Goulet
aadb99e5f9 control: Fix comment of control_event_hs_descriptor_content
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-01 15:50:38 -04:00
David Goulet
90562fc23a hs: Trigger control event when client can't pick HSDir
Inform the control port with an HS_DESC failed event when the client is unable
to pick an HSDir. It's followed by an empty HS_DESC_CONTENT event. In order to
achieve that, some control port code had to be modified to accept a NULL HSDir
identity digest.

This commit also adds a trigger of a failed event when we are unable to
base64-decode the descriptor cookie.

Fixes #22042

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-05-01 15:50:38 -04:00
Nick Mathewson
c486ef57a3 Rename x-lzma to x-tor-lzma
We shouldn't call it lzma, because we are imposing a limit on the
memory needed for decoding.
2017-05-01 15:31:28 -04:00
Nick Mathewson
4837421d7c Merge remote-tracking branch 'ahf/bugs/21665' 2017-05-01 14:22:49 -04:00
Sebastian Hahn
915fa39d0f Add --enable-rust configure switch
Introduce a way to optionally enable Rust integration for our builds. No
actual Rust code is added yet and specifying the flag has no effect
other than failing the build if rustc and cargo are unavailable.
2017-04-29 08:55:57 +02:00
Nick Mathewson
b8f7488e94 Fix a brazen memleak in consdiffmgr_add_consensus() 2017-04-28 15:41:52 -04:00
Nick Mathewson
531835f561 Increase MALLOC_MP_LIM to 16MB
Increase the maximum allowed size passed to mprotect(PROT_WRITE)
from 1MB to 16MB. This was necessary with the glibc allocator
in order to allow worker threads to allocate more memory --
which in turn is necessary because of our new use of worker
threads for compression.

Closes ticket #22096. Found while working on #21648.
2017-04-28 10:55:10 -04:00
Nick Mathewson
00a12337ff Merge branches 'consdiffmgr_orig_squashed' and 'actually_compute_diffs_squashed' 2017-04-27 21:43:06 -04:00
Nick Mathewson
1e1581a24e Pre-compress consensus diffs with supported consensus methods. 2017-04-27 21:40:46 -04:00
Nick Mathewson
a1172b6774 Store archived consensuses compressed on disk.
I'm just using gzip compression now, for performance.
2017-04-27 21:40:46 -04:00
Nick Mathewson
7a0964279f Functionality to ensure there is space to add files to cache. 2017-04-27 21:40:13 -04:00
Nick Mathewson
920475f293 New force-delete option on consensus_cache_delete_pending()
If we're out of file space in the storage directory, we'll need to
get rid of old files fast.
2017-04-27 21:40:13 -04:00
Nick Mathewson
466e914088 Lower the file limit in consdiffmgr, to support seccomp2 2017-04-27 21:40:13 -04:00
Nick Mathewson
ab73bda060 Pass incoming consensus documents to the consdiffmgr code 2017-04-27 21:40:12 -04:00
Nick Mathewson
16d6ab6640 Fix use-after-free bug in storage_dir sandbox code. 2017-04-27 21:40:12 -04:00
Nick Mathewson
7b8d48a6cb Clean the consdiffmgr cache and launch new diffs as needed. 2017-04-27 21:40:12 -04:00
Nick Mathewson
fba8d7b222 Initialize consdiffmgr when running as (or becoming) a server. 2017-04-27 21:40:12 -04:00
Alexander Færøy
0672b33f1e
Enforce 16 MB upper bound of memory usage in LZMA decoder.
This patch changes two things in our LZMA compression backend:

- We lower the preset values for all `compression_level_t` values to
  ensure that we can run the LZMA decoder with less than 65 MB of memory
  available. This seems to have a small impact on the real world usage
  and fits well with our needs.

- We set the upper bound of memory usage for the LZMA decoder to 16 MB.

See: https://bugs.torproject.org/21665
2017-04-27 20:09:20 +02:00
Alexander Færøy
e5122b91a9
Only compare the first 3 bytes when trying to detect LZMA compression.
This patch changes the logic in `detect_compression_method()` to only
use the 3 first bytes when checking if a given input is LZMA encoded.
2017-04-27 20:07:08 +02:00
Nick Mathewson
480dab4f2f Use a cast to try to avoid a tautalogical comparison warning 2017-04-27 11:58:26 -04:00
Nick Mathewson
10a4f9cd07 Merge branch 'parse_accept_encoding' 2017-04-27 11:31:31 -04:00
Nick Mathewson
2903c329aa Move the "supported compression bitmask" into compress.[ch] 2017-04-27 11:30:51 -04:00
Nick Mathewson
49deb1e1b8 Document and test nul-terminating behavior of tor_uncompress()
We added this as a safety feature, but there are a few places in the
code that actually depend on it.
2017-04-27 10:59:48 -04:00
Nick Mathewson
199e61feb5 whitespace fix 2017-04-27 10:55:39 -04:00
Nick Mathewson
ba9f235e17 Re-enable the partial-input test for zstd.
There were two issues here: first, zstd didn't exhibit the right
behavior unless it got a very large input.  That's fine.

The second issue was a genuine bug, fixed by 39cfaba9e2.
2017-04-27 10:43:38 -04:00
Nick Mathewson
39cfaba9e2 Fix handling of "final" flag in zstd decompression
We were returning "DONE" on truncated input streams, which was not
what we wanted.
2017-04-27 10:42:05 -04:00
Nick Mathewson
166aa8d741 Have a separate entry point for each compresion test 2017-04-27 10:25:52 -04:00
Nick Mathewson
36e62ae7e2 Merge remote-tracking branch 'ahf/bugs/22085' 2017-04-27 10:12:48 -04:00
Nick Mathewson
33a2fd065d Merge branch 'dirreq' 2017-04-27 10:08:32 -04:00
Alexander Færøy
e0a3819dcc
Test support for multiple compression backends in the buffer code.
This patch refactors the buffer compression tests to support multiple
comprssion backends.

See: https://bugs.torproject.org/22085
2017-04-27 15:51:14 +02:00
Alexander Færøy
22e6ad6f26
Clean up mentions of 'zlib' and rename the mentions to 'compressed'.
This patch cleans up in various places where 'zlib' is mentioned.
2017-04-27 15:51:14 +02:00
Alexander Færøy
7bececbd69
Refactor compression tests into a single test.
This patch refactors our compression tests such that deflate, gzip,
lzma, and zstd are all tested using the same code.

Additionally we use run-time checks to see if the given compression
method is supported instead of using HAVE_LZMA and HAVE_ZSTD.

See: https://bugs.torproject.org/22085
2017-04-27 15:51:14 +02:00
Nick Mathewson
b4fe0a6a03 Improve control flow in authority_certs_fetch_resource_impl 2017-04-27 09:30:08 -04:00
Nick Mathewson
52316f9969 Include UPLOAD_RENDDESC_V2 in PURPOSE_IS_UPLOAD
This was only used in one place before, and it's safe to update it.
2017-04-27 09:27:00 -04:00
Nick Mathewson
7ae7e3c2d8 bump to 0.3.0.6-dev 2017-04-26 15:37:27 -04:00
Nick Mathewson
7fb9586953 Fix compilation when lzma or zstd is absent 2017-04-26 15:00:40 -04:00
Nick Mathewson
4038202f89 Avoid a warning from the use of floating-point in zstd
Replace "(preset - 0.5) * 1mb" with "preset * 1mb - 0.5 mb", to
avoid warning about converting double to size_t.
2017-04-26 14:21:45 -04:00
Nick Mathewson
be0557f759 Merge remote-tracking branch 'ahf/bugs/22066' 2017-04-26 14:20:01 -04:00
Alexander Færøy
e42c204f67
Approximate memory usage needed for the Zstandard backend.
This patch adds support for measuring the approximated memory usage by
the individual `tor_zstd_compress_state_t` object instances.

See: https://bugs.torproject.org/22066
2017-04-26 19:54:18 +02:00
Alexander Færøy
2aa28e7cb7
Better documentation for tor_uncompress().
This patch fixes the documentation string for `tor_uncompress()` to
ensure that it does not explicitly mention zlib or gzip since we now
support multiple compression backends.
2017-04-26 19:54:18 +02:00
Alexander Færøy
341824687a
Approximate memory usage needed for the LZMA backend.
This patch adds support for measuring the approximated memory usage by
the individual `tor_lzma_compress_state_t` object instances.

The LZMA library provides the functions `lzma_easy_encoder_memusage()`
and `lzma_easy_decoder_memusage()` which is used to find the estimated
usage in bytes.

See: https://bugs.torproject.org/22066
2017-04-26 19:54:18 +02:00
Nick Mathewson
31b79f02ab Bump version to 0.3.0.6 2017-04-26 13:30:39 -04:00
Nick Mathewson
99e943998d Add getpid() to the seccomp2 sandbox.
We hadn't needed this before, because most getpid() callers on Linux
were looking at the vDSO version of getpid().  I don't know why at
least one version of OpenSSL seems to be ignoring the vDSO, but this
change should fix it.

Fixes bug 21943; bugfix on 0.2.5.1-alpha when the sandbox was
introduced.
2017-04-26 12:56:06 -04:00
Sebastian Hahn
71c8974af0 Fix coverity cid 1405509
Locking in the init function is not necessary, but coverity gets
confused about it. So let's trick it.
2017-04-26 08:48:24 +02:00
Sebastian Hahn
ee478bdf38 Fix coverity cid 1405510
This is a false positive, but let's appease coverity.
2017-04-26 08:45:38 +02:00
Alexander Færøy
08d86e8408
Store compression overhead from tor_compress_state_t.
The `tor_compress_state_t` data-type is used as a wrapper around the
more specialized state-types used by the various compression backends.
This patch ensures that the overhead of this "thin" wrapper type is
included in the value returned by `tor_compress_get_total_allocation()`.

See: https://bugs.torproject.org/22066
2017-04-26 02:56:21 +02:00
Alexander Færøy
fac8ac0e4a
Remove unused header from the Zstandard compression backend.
Since we stopped looking at Zstandard error codes there is no need to
include the zstd_errors.h header file anymore.
2017-04-26 02:54:34 +02:00
Nick Mathewson
24f7059704 Configure sandbox using consdiffmgr; free cdm on exit. 2017-04-25 19:52:34 -04:00
Nick Mathewson
65ff0f8267 Bitmask out the compression methods that we do not support 2017-04-25 19:07:17 -04:00
Nick Mathewson
fec3050ea9 Tests for parse_accept_encoding 2017-04-25 19:01:05 -04:00
Nick Mathewson
fd48b757d3 Parse recognized entries from the Accept-Encoding header. 2017-04-25 19:01:05 -04:00
Nick Mathewson
2655a72d89 Use x-lzma, not x-lzma2, as the identifier 2017-04-25 19:00:52 -04:00
Nick Mathewson
9e081a44a9 Teach consdiffmgr to remember two digests: one compressed, one not. 2017-04-25 16:49:47 -04:00
Nick Mathewson
0274ea749a Function to convert compression methods to/from strings. 2017-04-25 16:47:46 -04:00
Alexander Færøy
236cf49670
Add stub function for libor-trace.
OS X's ar(1) doesn't allow us to create an archive with no object files.
This patch adds a stub file with a stub function in it to make OS X
happy again.
2017-04-25 18:02:19 +02:00
Nick Mathewson
43db91bd87 Teach cov-exclude to detect runaway LCOV_EXCL_START lines
Also, fix two instances of runaway LCOV_EXCL_START lines.
2017-04-25 10:59:19 -04:00
Nick Mathewson
7a37cbbea3 Whitespace fixes. 2017-04-25 10:54:34 -04:00
Nick Mathewson
49868340f7 Merge branch 'unified_compress_squashed' 2017-04-25 10:51:13 -04:00
Nick Mathewson
49a5b50b31 zlib: Turn UINT_MAX overrun into an error, not an assert. 2017-04-25 10:50:50 -04:00
Nick Mathewson
4b01b45ec1 Add a "best compression" flag. 2017-04-25 10:50:50 -04:00
Nick Mathewson
880fb3e3a9 Combine all *compress/*uncompress backend function into one
Since we have a streaming API for each compression backend, we don't
need a non-streaming API for each: we can build a common
non-streaming API at the front-end.
2017-04-25 10:50:50 -04:00
Nick Mathewson
232c9e14a8 Merge branch 'atomic_counters' 2017-04-25 10:46:23 -04:00
Nick Mathewson
ec7c512d27 Merge remote-tracking branch 'dgoulet/bug21293_031_01' 2017-04-25 10:43:53 -04:00
David Goulet
cb8ac1f331 trace: Add a basic event-tracing infrastructure.
This commit adds the src/trace directory containing the basics for our tracing
subsystem. It is not used in the code base. The "src/trace/debug.h" file
contains an example on how we can map our tor trace events to log_debug().

The tracing subsystem can only be enabled by tracing framework at compile
time. This commit introduces the "--enable-tracing-debug" option that will
make all "tor_trace()" function be maped to "log_debug()".

Closes #13802

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-25 10:37:31 -04:00
Nick Mathewson
4266ec766a Use atomic counters for compressor allocation. 2017-04-25 10:29:07 -04:00
David Goulet
368b091329 relay: Change LD_BUG log to LD_PROTOCOL_WARN
That log statement can be triggered if somebody on the Internet behaves badly
which is possible with buggy implementation for instance.

Fixes #21293

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-25 09:27:34 -04:00
Alexander Færøy
91dd4a00f7
Rename shadowing variable in compress_zlib.c.
This patch renames the `compress` parameter of the
`tor_zlib_compress_new()` function to `_compress` to avoid shadowing the
`compress()` function in zlib.h.
2017-04-25 14:56:55 +02:00
Nick Mathewson
ba405f86bf Merge branch 'ahf_prop278_21662_squashed' 2017-04-25 08:12:59 -04:00
Alexander Færøy
2210b330e7 Fix newlines in compression headers.
See: https://bugs.torproject.org/21662
2017-04-25 08:11:32 -04:00
Alexander Færøy
cf912259ba Remove tor_compress_memory_level().
This patch splits up `tor_compress_memory_level()` into static functions
in the individual compression backends, which allows us to tune the
values per compression backend rather than globally.

See: https://bugs.torproject.org/21662
2017-04-25 08:11:32 -04:00
Alexander Færøy
69a41e8bc6 Use switch-statement in tor_{compress,uncompress}.
Use a switch-statement in `tor_compress()` and `tor_uncompress()` for
the given `compress_method_t` parameter. This allows us to have the
compiler detect if we forgot add a handler in these functions for a
newly added enumeration value.

See: https://bugs.torproject.org/21662
2017-04-25 08:10:10 -04:00
Alexander Færøy
c2d1d949de Use tor_compress_supports_method() before printing library versions.
This patch ensures that Tor checks if a given compression method is
supported before printing the version string when calling `tor
--library-versions`.

Additionally, we use the `tor_compress_supports_method()` to check if a
given version is supported for Tor's start-up version string, but here
we print "N/A" if a given compression method is unavailable.

See: https://bugs.torproject.org/21662
2017-04-25 08:10:10 -04:00
Alexander Færøy
6b905b38bb Add API entry-point for getting compression method version numbers.
This patch adds `tor_compress_version_str()` and
`tor_compress_header_version_str()` to get the version strings of the
different compression schema providers. Both functions returns `NULL` in
case a given `compress_method_t` is unknown or unsupported.

See: https://bugs.torproject.org/21662
2017-04-25 08:10:10 -04:00
Alexander Færøy
1c77d8690c Add function to check if a given compression method is supported.
This patch adds support for checking if a given `compress_method_t` is
supported by the currently running Tor instance using
`tor_compress_supports_method()`.

See: https://bugs.torproject.org/21662
2017-04-25 08:10:09 -04:00
Alexander Færøy
04682d302a Add tor_compress_get_total_allocation() function.
This patch adds the `tor_compress_get_total_allocation()` which returns
an approximate number of bytes currently in use by all the different
compression backends.

See: https://bugs.torproject.org/21662
2017-04-25 08:10:09 -04:00
Alexander Færøy
be4dc54634 Display LZMA and Zstandard versions when starting Tor.
See: https://bugs.torproject.org/21662
2017-04-25 08:10:09 -04:00
Alexander Færøy
2fa7b722ce Show liblzma and libzstd versions in tor --library-versions.
See: https://bugs.torproject.org/21662
2017-04-25 08:10:09 -04:00
Alexander Færøy
380736d045 Add Zstandard support.
See: https://bugs.torproject.org/21662
2017-04-25 08:10:09 -04:00
Alexander Færøy
ce1feae9d9 Add --enable-zstd to our configure script.
This patch adds support for enabling support for Zstandard to our configure
script. By default, the --enable-zstd option is set to "auto" which means if
libzstd is available we'll build Tor with Zstandard support.

See: https://bugs.torproject.org/21662
2017-04-25 08:10:09 -04:00
Alexander Færøy
bf1c07cb07 Add LZMA support.
See: https://bugs.torproject.org/21662
2017-04-25 08:10:06 -04:00
Alexander Færøy
157af1d26e Add --enable-lzma to our configure script.
This patch adds support for enabling support for LZMA to our configure
script. By default, the --enable-lzma option is set to "auto" which
means if liblzma is available we'll build Tor with LZMA support.

See: https://bugs.torproject.org/21662
2017-04-25 08:06:02 -04:00
Alexander Færøy
c171af0487 Use a switch-statement when checking for compression method.
This patch changes the way `tor_compress_new()`,
`tor_compress_process()`, and `tor_compress_free()` handles different
compression methods. This should give us compiler warnings in case an
additional compression method is added, but the developer forgets to add
handlers in the three aforementioned functions.

See https://bugs.torproject.org/21663
2017-04-25 08:06:01 -04:00
Alexander Færøy
300ac49685 Add compress_zlib.obj to src/common/Makefile.nmake.
See https://bugs.torproject.org/21663
2017-04-25 08:06:01 -04:00
Alexander Færøy
04583df452 Rename the torgzip module to compress.
See https://bugs.torproject.org/21663
2017-04-25 08:06:01 -04:00
Alexander Færøy
9d5bc1a935 Move zlib compression code into its own module.
This patch refactors the `torgzip` module to allow us to extend a common
compression API to support multiple compression backends.

Additionally we move the gzip/zlib code into its own module under the
name `compress_zlib`.

See https://bugs.torproject.org/21664
2017-04-25 08:06:01 -04:00
Nick Mathewson
db95a6e171 Fix implicit conversion warnings in the period_num tests 2017-04-24 15:38:16 -04:00
David Goulet
6f27843d57 hs: Refactor rend_add_service()
Remove duplicate code that validates a service object which is now in
rend_validate_service().

Add some comments on why we nullify a service in the code path of
rend_config_services().

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-24 14:51:34 -04:00
David Goulet
ed7c0170c4 hs: Add rend_validate_service() function
This new function validates a service object and is used everytime a service
is successfully loaded from the configuration file.

It is currently copying the validation that rend_add_service() also does which
means both functions validate. It will be decoupled in the next commit.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-24 14:39:54 -04:00
Nick Mathewson
4cefda85e4 Merge remote-tracking branch 'dgoulet/ticket21980_031_01' 2017-04-24 12:42:11 -04:00
Nick Mathewson
d949589c09 Fix some leaks in the consdiffmgr tests 2017-04-24 11:45:13 -04:00
Nick Mathewson
e55c1412c1 Fix a signed/unsigned comparison warning on 32-bit 2017-04-24 11:41:11 -04:00
Nick Mathewson
b7567a6282 Merge branch 'consdiffmgr_squashed' 2017-04-24 11:02:22 -04:00
Nick Mathewson
eb14faa0c1 Remove a checklist item that was already tested
The item referred to the cdm_ht_set_status() case where the item was
not already in the hashtable.  But that already happens naturally
when we scan the directory on startup... and we already have a test
for that.
2017-04-24 11:01:40 -04:00
Nick Mathewson
af86895581 consdiffmgr test: do not launch a diff task that is already pending 2017-04-24 11:01:40 -04:00
Nick Mathewson
2e9e2d023b consdiffmgr: tests for consdiffmgr_validate() 2017-04-24 11:01:40 -04:00
Nick Mathewson
6cc21aa89c consdiffmgr: add tests for cdm_entry_get_sha3_value 2017-04-24 11:01:40 -04:00
Nick Mathewson
bb38657b77 consdiffmgr test: add a test for updating ht on clean/rescan.
This brings us back up to ~94% coverage
2017-04-24 11:01:40 -04:00
Nick Mathewson
de0142cd9d Expand diff-management test to cover reloading items from disk 2017-04-24 11:01:40 -04:00
Nick Mathewson
43d683e0ad Fix reference leak & handle leak in consensus_diff_worker_replyfn
Found by previous test.
2017-04-24 11:01:40 -04:00
Nick Mathewson
831e656baa consdiffmgr tests: add tests to validate diff lookup/application
This commit adds some helper functions to look up the diff from one
consensus and to make sure that applying it leads to another.  Then
we add them throughout the existing test cases.  Doing this turned
up a reference-leaking bug in consensus_diff_worker_replyfn.
2017-04-24 11:01:40 -04:00
Nick Mathewson
605bcfbf71 consdiffmgr: Enable in-progress test that was not previously working
Also, add a list of additional tests to write.
2017-04-24 11:01:40 -04:00
Nick Mathewson
7ca86b9cd6 Add a hashtable to consdiffmgr to keep track of diff status
In several places in the old code, we had problems that only an
in-memory index of diff status could solve, including:
   * Remembering which diffs were in-progress, so that we didn't
     re-launch them.
   * Remembering which diffs had failed, so that we didn't try to
     recompute them over and over.
   * Having a fast way to look up the diff from a given consensus to
     the latest consensus of a given flavor.

This patch adds a hashtable mapping from (flavor, source diff), to
solve the problem.  It maps to a cache entry handle, rather than to
a cache entry directly, so that it doesn't affect the reference
counts of the cache entries, and so that we don't otherwise need to
worry about lifetime management.
2017-04-24 11:01:40 -04:00
Nick Mathewson
69a212ff3d Consdiffmgr: extract "get a sha3 digest" function.
I'll be using this a lot in the hashtable tweaks here.
2017-04-24 11:01:40 -04:00
Nick Mathewson
655f1c8e01 consdiffmgr: function to re-validate stored sha3 digests at startup 2017-04-24 11:00:28 -04:00
Nick Mathewson
6c86e63029 Consdiffmgr: use aggressive-release flag on consensuses
This conscache flag tells conscache that it should munmap the
document as soon as reasonably possible, since its usage pattern is
expected to not have a lot of time-locality.
2017-04-24 10:59:25 -04:00
Nick Mathewson
82bb8afb60 Add handle support to consensus_cache_entry_t
This will allow us to have weak references to cache entries.
2017-04-24 10:59:25 -04:00
Nick Mathewson
5726fec9c2 Consdiffmgr test: Make sure that diffs are removable
A diff is removable as soon as it no longer takes you to the most
recent consensus of the appropriate flavor.
2017-04-24 10:59:25 -04:00
Nick Mathewson
35f6b678ab Test the easiest cases of consdiffmgr_cleanup.
One more to go: deleting the old diffs.
2017-04-24 10:59:25 -04:00
Nick Mathewson
1fade37287 consdiffmgr non-test: check for initialization failure
Unfortunately, this test doesn't work, so I've left it
defined-out. There is currently no way in our unit tests to catch a
fatal assertion failure.
2017-04-24 10:59:25 -04:00
Nick Mathewson
d418f28cb5 consdiffmgr test: survive failures to compute a diff. 2017-04-24 10:59:25 -04:00
Nick Mathewson
b9c2f135bd Another consdiffmgr test: only generate the diffs that are needed
This test makes sure that we only generate the diffs we actually
want, rather than regenerating all the diffs every time anything
changes.
2017-04-24 10:59:25 -04:00
Nick Mathewson
7fc37d41b4 Unit tests for consdiffmgr module
Initial tests. These just try adding a few consensuses, looking
them up, and making sure that consensus diffs are generated in a
more or less reasonable-looking way.  It's enough for 87% coverage,
but it leaves out a lot of functionality.
2017-04-24 10:59:25 -04:00
Nick Mathewson
fe584f4012 Make cpuworker_queue_work function mockable.
I'll be using this in the unit tests for consdiffmgr.
2017-04-24 10:59:25 -04:00
Nick Mathewson
bc91808c47 Add a "Consensus diff manager" module.
This module's job is to remember old consensus documents, to
calculate their diffs on demand, and to .

There are some incomplete points in this code; I've marked them with
"XXXX". I intend to fix them in separate commits, since I believe
doing it in separate commits will make the branch easier to review.
2017-04-24 10:59:24 -04:00
George Kadianakis
39b5dca720 ed25519: Add python code to test our ed25519 validation.
See
https://lists.torproject.org/pipermail/tor-dev/2017-April/012213.html .
2017-04-24 16:34:53 +03:00
Nick Mathewson
9ba10d714a Merge branch 'consdiff_numeric_squashed' 2017-04-24 09:33:55 -04:00
Sebastian Hahn
a16de7a7cf consdiff: Reject ranges with non-numeric chars
Fixes bug #21964
2017-04-24 09:33:48 -04:00
Nick Mathewson
8ff2a8c0e2 Merge remote-tracking branch 'dgoulet/bug22032_031_01' 2017-04-24 09:30:30 -04:00
Taylor Yu
7bc636fdc9 Add regression test for #22304 2017-04-24 09:20:59 -04:00
Nick Mathewson
8b89faf424 Merge branch 'maint-0.3.0' 2017-04-24 09:20:43 -04:00
Nick Mathewson
ae374e0a56 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-04-24 09:20:26 -04:00
David Goulet
4a9f689430 control: Wrong check on base16_decode return value
The GETINFO extra-info/digest/<digest> broke in commit 568dc27a19 that
refactored the base16_decode() API to return the decoded length.
Unfortunately, that if() condition should have checked for the correct length
instead of an error which broke the command in tor-0.2.9.1-alpha.

Fixes #22034

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-24 09:20:13 -04:00
Nick Mathewson
91553417c7 Fix a comment that held the remaining reference to the old api. 2017-04-21 16:39:05 -04:00
Nick Mathewson
d8ff01b2b4 Refactor directory_command_should_use_begindir to use directory_request_t 2017-04-21 15:55:23 -04:00
Nick Mathewson
2a99bf008d move the definition of directory_command_should_use_begindir 2017-04-21 15:54:50 -04:00
Nick Mathewson
cc677e88d4 Refactor directory_send_command to take a directory_request_t 2017-04-21 15:49:10 -04:00
Nick Mathewson
900d36e3b1 Rename, revise, and document directory_request_is_dir_specified. 2017-04-21 15:42:09 -04:00
Nick Mathewson
d7fab36037 Make directory_request_set_guard_state static. 2017-04-21 15:42:09 -04:00
Nick Mathewson
81045e19eb Document the new directory_request_t API and add some assertions 2017-04-21 15:42:03 -04:00
Nick Mathewson
3327e675fd Remove old directory_initiate_command_*() functions. 2017-04-21 15:14:52 -04:00
Nick Mathewson
8aadd60eac Replace remaining directory_initiate_command_* instances 2017-04-21 15:08:28 -04:00
Nick Mathewson
4e393f5318 Make launch_direct_bridge_descriptor_fetch use dirreqs. 2017-04-21 14:47:14 -04:00
Nick Mathewson
4ae65bb5d3 Refactor directory_get_from_dirserver to use request API. 2017-04-21 14:40:48 -04:00
Nick Mathewson
eee733be33 Refactor directory_post_to_dirservers to use requests 2017-04-21 14:35:42 -04:00
Nick Mathewson
c300fd7e65 Have directory_get_from_all_authorities use requests. 2017-04-21 14:31:35 -04:00
Nick Mathewson
a55bd00b0f continue refactoring directory API: remove initiate_command_rend
This commit mainly moves the responsibility for directory request
construction one level higher.  It also allows a directory request
to contain a pointer to a routerstatus, which will get turned into
the correct contact information at the last minute.
2017-04-21 14:18:06 -04:00
David Goulet
74f7657e56 hs: Fix a spurious warn in rend_log_intro_limit
We do dump HS stats now at log info everytime the intro circuit creation retry
period limit has been reached. However, the log was upgraded to warning if we
actually were over the elapsed time (plus an extra slop).

It is actually something that will happen in tor in normal case. For instance,
if the network goes down for 10 minutes then back up again making
have_completed_a_circuit() return false which results in never updating that
retry period marker for a service.

Fixes #22032

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-21 11:09:34 -04:00
Nick Mathewson
b7dd3518b9 missing smartlist_free in new consdiff test 2017-04-18 22:56:34 -04:00
Nick Mathewson
afe1af7de6 Merge remote-tracking branch 'asn/bug21971' 2017-04-18 21:38:28 -04:00
Nick Mathewson
eeb266c139 Merge remote-tracking branches 'sebastian/consdiff_add' and 'sebastian/consdiff_newline' 2017-04-18 21:31:53 -04:00
George Kadianakis
e1a59ade95 prop224: Add time period functions and unittests
This will be used by the build blinded key functions.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-18 11:03:15 -04:00
Alexander Færøy
e6c6606a17
Expose tor_compress_is_compression_bomb() as part of the public compression API.
This patch exposes the old `is_compression_bomb()` function as a public
API as part of the compression module.

See https://bugs.torproject.org/21663
2017-04-18 03:12:19 +02:00
Alexander Færøy
6b5172bcf2
Expose tor_compress_memory_level() as a public function in the compression module.
This patch makes the internal `get_memlevel()` a part of the public
compression API as `tor_compress_memory_level()`.

See https://bugs.torproject.org/21663
2017-04-18 02:23:25 +02:00
Alexander Færøy
b8c9f229d7
Rename write_to_buf_zlib() to write_to_buf_compress().
See https://bugs.torproject.org/21663
2017-04-18 01:23:39 +02:00
Alexander Færøy
40ed68290e
Rename zlib_state to compress_state in the test_buffers.
See https://bugs.torproject.org/21663
2017-04-18 01:12:01 +02:00
Alexander Færøy
4b9349192d
Rename zlib_state to compress_state in dir_connection_t.
This patch renames the `zlib_state` field in `dir_connection_t` to
`compress_state`.

See https://bugs.torproject.org/21663
2017-04-18 01:10:25 +02:00
George Kadianakis
0c39cefc52 prop224 tests: Remove useless NULL check before circuit_free().
Addresses coverity issue CID 1405130.
2017-04-17 16:36:55 +03:00
George Kadianakis
a3ce303432 prop224 tests: Don't use tt_size_op to compare ssize_t.
Addresses coverity CID 1405129.
2017-04-17 16:23:58 +03:00
Alexander Færøy
3c4459bcbf
Refactor the streaming compression code.
This patch refactors our streaming compression code to allow us to
extend it with non-zlib/non-gzip based compression schemas.

See https://bugs.torproject.org/21663
2017-04-17 14:57:37 +02:00
Alexander Færøy
44cb86adbe
Rename tor_gzip_{compress,uncompress} to tor_{compress,uncompress}.
To allow us to use the API name `tor_compress` and `tor_uncompress` as
the main entry-point for all compression/uncompression and not just gzip
and zlib.

See https://bugs.torproject.org/21663
2017-04-17 14:29:10 +02:00
Alexander Færøy
e8b025dfc3
Rename zlib_compression_level_t to compression_level_t.
See https://bugs.torproject.org/21663
2017-04-17 14:22:13 +02:00
Alexander Færøy
7460b9755a
Remove unused function is_gzip_supported().
This patch removes the unused `is_gzip_supported()` and changes the
documentation string around the `compress_method_t` enumeration to
explicitly state that both `ZLIB_METHOD` and `GZIP_METHOD` are both
always supported.

Zlib version 1.2.0 was released on the 9'th of March, 2003 according to
their ChangeLog.

See https://bugs.torproject.org/21663
2017-04-17 14:11:35 +02:00
Alexander Færøy
4b834e0d5e
Fix whitespace in test_util_gzip() around OP_*`.
See https://bugs.torproject.org/21663
2017-04-17 14:07:23 +02:00
Alexander Færøy
a8821d8366
Use tt_int_op() over tt_assert() and do explicit NULL checks in test_util_gzip().
This patch changes some of the tt_assert() usage in test_util_gzip() to
use tt_int_op() to get better error messages upon failure.

Additionally we move to use explicit NULL checks.

See https://bugs.torproject.org/21663
2017-04-17 14:02:16 +02:00
Sebastian Hahn
5a7e39c0cb Fix diff generation with line added at start
The consdiff generation logic would skip over lines added at the start of the
second file, and generate a diff that it would the immediately refuse because
it couldn't be used to reproduce the second file from the first. Fixes #21996.
2017-04-17 10:10:46 +02:00
Sebastian Hahn
459643502b Don't accept ranges for add commands in consdiff
Fixes ticket #21963
2017-04-17 06:49:27 +02:00
Nick Mathewson
91a6fbcf77 Begin work to turn "directory request" into an object
This patch adds the object type, and makes all of the functions
that used to feed into directory_initiate_command_rend() feed into
that type instead.
2017-04-16 18:45:48 -04:00
Nick Mathewson
b022ea32a6 Expand cpuworker API to allow other work types 2017-04-15 11:21:33 -04:00
Nick Mathewson
222122450c Add a config_line_prepend() function 2017-04-15 11:21:32 -04:00
Nick Mathewson
06ecb9432f conscache.c: do not match entries that are slated for removal. 2017-04-15 11:21:32 -04:00
Daniel Pinto
fa04fe1674 MyFamily config string is now a list. #4998 2017-04-14 13:04:37 +01:00
Nick Mathewson
b081a7ed21 Merge branch 'ticket21891_031_01_squashed' 2017-04-13 16:43:13 -04:00
David Goulet
0565f5a3bb hs: Make the service list pruning function public
The reason for making the temporary list public is to keep it encapsulated in
the rendservice subsystem so the prop224 code does not have direct access to
it and can only affect it through the rendservice pruning function.

It also has been modified to not take list as arguments but rather use the
global lists (main and temporary ones) because prop224 code will call it to
actually prune the rendservice's lists. The function does the needed rotation
of pointers between those lists and then prune if needed.

In order to make the unit test work and not completely horrible, there is a
"impl_" version of the function that doesn't free memory, it simply moves
pointers around. It is directly used in the unit test and two setter functions
for those lists' pointer have been added only for unit test.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-13 16:25:49 -04:00
Nick Mathewson
ba89520593 fix wide lines 2017-04-13 14:36:57 -04:00
Nick Mathewson
902672eac6 Merge branch 'ticket21889_031_01_squashed' 2017-04-13 14:23:59 -04:00
George Kadianakis
f02868bb53 hs: Add service-side circuitmap API.
Now we have separate getters and setters for service-side and relay-side. I
took this approach over adding arguments to the already existing methods to
have more explicit type-checking, and also because some functions would grow
too large and dirty.

This commit also fixes every callsite to use the new function names which
modifies the legacy HS (v2) and the prop224 (v3) code.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-13 14:23:51 -04:00
Nick Mathewson
63e39b291e Merge remote-tracking branch 'dgoulet/bug21155_031_02' 2017-04-13 09:56:14 -04:00
Nick Mathewson
28ec2d9c2c Merge remote-tracking branch 'dgoulet/ticket21919_031_01' 2017-04-13 09:38:59 -04:00
Nick Mathewson
755c88a474 Merge branch 'asn/prop224-ntor-v2-squashed' 2017-04-13 09:22:34 -04:00
George Kadianakis
ea5901bf1c prop224: Add Python integration tests for HS ntor.
This test is identical to the ./src/test/test_ntor.sh integration test.
2017-04-13 09:22:19 -04:00
George Kadianakis
18ee145cda prop224: Add basic HS ntor unittest.
The test checks that introduce1/rendezvous1 key material is generated
correctly both for client-side and service-side.
2017-04-13 09:22:19 -04:00
George Kadianakis
50b0bc5bfe prop224: Add module that performs the HS ntor handshake.
and also does the key expansion.
2017-04-13 09:22:19 -04:00
David Goulet
bf68c78e94 hs: Make check-spaces happy after rename
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-12 07:53:05 -04:00
David Goulet
6bacc3c7a8 hs: Change trunnel prop224 cell's namespace
One of the goals of this change is to have trunnel API/ABI being more explicit
so we namespace them with "trn_*". Furthermore, we can now create
hs_cells.[ch] without having to confuse it with trunnel which used to be
"hs_cell_*" before that change.

Here are the perl line that were used for this rename:

  perl -i -pe 's/cell_extension/trn_cell_extension/g;' src/*/*.[ch]
  perl -i -pe 's/cell_extension/trn_cell_extension/g;' src/trunnel/hs/*.trunnel
  perl -i -pe 's/hs_cell_/trn_cell_/g;' src/*/*.[ch]
  perl -i -pe 's/hs_cell_/trn_cell_/g;' src/trunnel/hs/*.trunnel

  And then "./scripts/codegen/run_trunnel.sh" with trunnel commit id
  613fb1b98e58504e2b84ef56b1602b6380629043.

Fixes #21919

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-11 13:46:41 -04:00
David Goulet
e5fc02c81c config: Warn if EntryNodes and HiddenService are used together
Pinning EntryNodes along with hidden services can be possibly harmful (for
instance #14917 and #21155) so at the very least warn the operator if this is
the case.

Fixes #21155

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-10 13:22:36 -04:00
Nick Mathewson
01fc93ffef Merge remote-tracking branch 'dgoulet/bug16706_031_01' 2017-04-10 12:12:14 -04:00
Nick Mathewson
f5258045c4 Fix some no-longer-reasonable unit tests for base64_decode()
These tests tried to use ridiculously large buffer sizes to check
the sanity-checking in the code; but since the sanity-checking
changed, these need to change too.
2017-04-10 12:08:31 -04:00
Taylor Yu
26dd4d92cf Remove SR_COMMIT_LEN workaround
Now that base64_decode() checks the destination buffer length against
the actual number of bytes as they're produced, shared_random.c no
longer needs the "SR_COMMIT_LEN+2" workaround.
2017-04-07 18:19:15 -04:00
Taylor Yu
2b38bb28b4 Remove base64_decode_nopad()
Remove base64_decode_nopad() because it is redundant now that
base64_decode() correctly handles both padded and unpadded base64
encodings with "right-sized" output buffers.
2017-04-07 18:18:23 -04:00
Taylor Yu
00ffefb41b Test odd-sized base64 decodes
Test base64_decode() with odd sized decoded lengths, including
unpadded encodings and padded encodings with "right-sized" output
buffers.  Convert calls to base64_decode_nopad() to base64_decode()
because base64_decode_nopad() is redundant.
2017-04-07 18:16:45 -04:00
Taylor Yu
f15818f280 Make base64_decode() check actual decoded length
base64_decode() was applying an overly conservative check on the
output buffer length that could incorrectly produce an error if the
input encoding contained padding or newlines.  Fix this by checking
the output buffer length against the actual decoded length produced
during decoding.
2017-04-07 18:13:22 -04:00
Nick Mathewson
05ef3b959d Merge branch 'maint-0.3.0' 2017-04-07 14:03:40 -04:00
Nick Mathewson
f1613b53c5 Merge remote-tracking branch 'public/bug21894_029' into maint-0.3.0 2017-04-07 14:03:25 -04:00
Nick Mathewson
f0fa7dcdf0 Merge branch 'ticket21842_squashed' 2017-04-07 13:21:15 -04:00
Nick Mathewson
7b60f0129a Remove tor-checkkey as obsolete
CVE-2008-0166 is long gone, and we no longer need a helper tool to
dump out public key moduli so folks can detect it.

Closes ticket 21842.
2017-04-07 13:21:07 -04:00
Nick Mathewson
506b4bfaba Merge remote-tracking branch 'dgoulet/ticket21893_031_01' 2017-04-07 11:04:06 -04:00
Nick Mathewson
4812441d34 Never read off the end of a buffer in base32_encode()
When we "fixed" #18280 in 4e4a7d2b0c
in 0291 it appears that we introduced a bug: The base32_encode
function can read off the end of the input buffer, if the input
buffer size modulo 5 is not equal to 0 or 3.

This is not completely horrible, for two reasons:
   * The extra bits that are read are never actually used: so this
     is only a crash when asan is enabled, in the worst case.  Not a
     data leak.

   * The input sizes passed to base32_encode are only ever multiples
      of 5. They are all either DIGEST_LEN (20), REND_SERVICE_ID_LEN
      (10), sizeof(rand_bytes) in addressmap.c (10), or an input in
      crypto.c that is forced to a multiple of 5.

So this bug can't actually trigger in today's Tor.

Closes bug 21894; bugfix on 0.2.9.1-alpha.
2017-04-07 10:47:16 -04:00
Nick Mathewson
d33c3627f4 Comment fix. (Catalyst spotted this) 2017-04-07 10:00:08 -04:00
Nick Mathewson
61f1838cdc Merge branch 'isolate_openssl' 2017-04-07 09:58:21 -04:00
Nick Mathewson
f5cc8da7e0 Use DIGEST512_LEN macro in crypto_hash_sha512.h in ref10 2017-04-07 09:58:04 -04:00
Nick Mathewson
1e54bdd48a Make the warnings about terminating nuls a bit stronger
It looks like 32_encoded_size/64_encode_size APIs are inconsistent
not only in the number of "d"s they have, but also in whether they
count the terminating NUL.  Taylor noted this in 86477f4e3f,
but I think we should note the inconsistently more loudly in order
to avoid trouble.

(I ran into trouble with this when writing 30b13fd82e243713c6a0d.)
2017-04-07 09:51:08 -04:00
Nick Mathewson
2c86380bde Merge remote-tracking branch 'argonblue/baseXXlen' 2017-04-07 09:48:18 -04:00
Nick Mathewson
30b13fd82e Add test for expected output from encode{,d}_length functions 2017-04-07 09:47:29 -04:00
David Goulet
dff50001ec prop224: Flag router with HSIntro/HSDir using protover
Note down in the routerstatus_t of a node if the router supports the HSIntro=4
version for the ed25519 authentication key and HSDir=2 version for the v3
descriptor supports.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-07 09:44:52 -04:00
David Goulet
e7b7e99cc7 hs: Move common defines to hs_common.h
Some of those defines will be used by the v3 HS protocol so move them to a
common header out of rendservice.c. This is also ground work for prop224
service implementation.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-07 09:22:58 -04:00
David Goulet
c716702625 hs: Remove redundant define of ed25519 auth key type
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-07 09:22:55 -04:00
David Goulet
419c0c0788 hs: Move service check private dir to hs_common.c
Another building blocks for prop224 service work. This also makes the function
takes specific argument instead of the or_option_t object.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-07 09:22:52 -04:00
George Kadianakis
037ce360bd hs: Refactor circuitmap to use circuit_t instead of or_circuit_t. 2017-04-07 09:11:09 -04:00
Taylor Yu
681812ea40 Use macros for base64 lengths in shared_random.h
Fixes #19564.
2017-04-06 17:43:17 -04:00
Taylor Yu
86477f4e3f Use baseXX length macros in baseXX_encode()
Use the new baseXX length macros to clean up the length checks in the
baseXX_encode() functions.
2017-04-06 17:43:16 -04:00
Taylor Yu
e7f40baade Add macros for baseXX encoding lengths 2017-04-06 15:43:55 -04:00
Taylor Yu
c5adab0258 Make CEIL_DIV() slightly more overflow-safe 2017-04-06 13:54:46 -04:00
Nick Mathewson
9d34a1e052 Merge branch 'storage_labeled_squashed' 2017-04-06 11:49:00 -04:00
Nick Mathewson
5567a80caa Explain config_line_find() behavior on duplicates. 2017-04-06 11:48:41 -04:00
Nick Mathewson
89b673f24b Add an assertion to config_line_append(). 2017-04-06 11:48:41 -04:00
Nick Mathewson
95a4f2d525 Additional unit tests to improve conscache coverage 2017-04-06 11:48:41 -04:00
Nick Mathewson
2b5b6025bd Tests for cleanup and reference counting on conscache 2017-04-06 11:48:41 -04:00
Nick Mathewson
73e9bc914f Tests for simple cases of conscache code. 2017-04-06 11:48:41 -04:00
Nick Mathewson
4404dc5756 Add a 'consensus cache' type on top of storagedir.
Every file in the cache is labeled.  The labels are held in memory;
the bodies are mapped on demand.
2017-04-06 11:48:41 -04:00
Nick Mathewson
5f8860a16f Unit tests for labelled storagedir entries 2017-04-06 11:48:41 -04:00
Nick Mathewson
37bb3b31fa Add some "labeled storagedir" abstractions.
These add a tiny bit of structure on top of the regular storagedir
abstractions in order to store key-value lists at the head of each
document.
2017-04-06 11:48:40 -04:00
Nick Mathewson
4c2ad48568 Merge branch 'maint-0.3.0' 2017-04-06 08:32:12 -04:00
Nick Mathewson
a5b50ef25b Merge branch 'maint-0.2.9' into maint-0.3.0 2017-04-06 08:32:04 -04:00
Nick Mathewson
7d7770f735 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-04-06 08:31:54 -04:00
Nick Mathewson
91c6b18ca0 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-04-06 08:31:32 -04:00
Nick Mathewson
44bc8821b1 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-04-06 08:31:23 -04:00
Nick Mathewson
21d776738c Merge branch 'maint-0.2.5' into maint-0.2.6 2017-04-06 08:31:18 -04:00
Nick Mathewson
a8a860e1da Merge branch 'maint-0.2.4' into maint-0.2.5 2017-04-06 08:31:12 -04:00
Karsten Loesing
9d7933296c Update geoip and geoip6 to the April 4 2017 database. 2017-04-06 10:52:39 +02:00
David Goulet
0fdad78fe1 cell: Do not warn on hidden service invalid port
When a client tried to connect to an invalid port of an hidden service, a
warning was printed:

  [warn] connection_edge_process_relay_cell (at origin) failed.

This is because the connection subsystem wants to close the circuit because
the port can't be found and then returns a negative reason to achieve that.
However, that specific situation triggered a warning. This commit prevents it
for the specific case of an invalid hidden service port.

Fixes #16706

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-05 16:28:37 -04:00
Nick Mathewson
06fe8a14c4 bump to 0.3.0.5-rc-dev 2017-04-05 10:03:09 -04:00
Nick Mathewson
b6f22524ee Move config line parsing function to confline.c 2017-04-04 11:11:01 -04:00
Nick Mathewson
c2947dbb86 Move config_line_t functions from confparse.c into common.
I'm doing this to storagedir to used config_line_t.
2017-04-04 11:11:01 -04:00
Nick Mathewson
321c1c453e Merge branch 'maint-0.3.0' 2017-04-04 09:43:23 -04:00
David Goulet
7519584347 hs: Expose hs_service.c functions for unit tests
In order to avoid src/or/hs_service.o to contain no symbols and thus making
clang throw a warning, the functions are now exposed not just to unit tests.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-04-04 09:41:14 -04:00
Taylor Yu
b1c7e5d8c0 Capture expected log in test_circuitbuild.c
Capture the warning for the unhandled circuit purpose test case, both
to clean up the test log and to confirm that it gets logged.
2017-04-03 15:24:59 -04:00
Nick Mathewson
67c88fd10d Merge branch 'bug13790_rebased' 2017-04-03 11:58:37 -04:00
Taylor Yu
f0a57df55c Test unhandled purpose in route_len_for_purpose()
Check that route_len_for_purpose() (helper for new_route_len())
correctly fails a non-fatal bug assertion if it encounters an
unhandled circuit purpose when it is called with exit node info.
2017-04-03 11:58:11 -04:00
Taylor Yu
ceedcfe9f2 Refactor and comment new_route_len()
Add a new helper function route_len_for_purpose(), which explicitly
lists all of the known circuit purposes for a circuit with a chosen
exit node (unlike previously, where the default route length for a
chosen exit was DEFAULT_ROUTE_LEN + 1 except for two purposes).  Add a
non-fatal assertion for unhandled purposes that conservatively returns
DEFAULT_ROUTE_LEN + 1.

Add copious comments documenting which circuits need an extra hop and
why.

Thanks to nickm and dgoulet for providing background information.
2017-04-03 11:58:11 -04:00
Taylor Yu
1e8e8a4e94 Add tests for new_route_len() 2017-04-03 11:58:11 -04:00
Nick Mathewson
6ec3228220 version bump 2017-04-03 09:36:42 -04:00
Nick Mathewson
a06c465333 Merge remote-tracking branch 'teor/bug21596_030' into maint-0.3.0 2017-04-03 09:28:33 -04:00
Nick Mathewson
5d8061cd01 Merge remote-tracking branch 'public/bug21415_testfix_030' into maint-0.3.0 2017-04-03 09:27:40 -04:00
Nick Mathewson
28f9b68e87 Move "change cert expiration and re-sign" fn into tortls.c
This lets test_link_handshake stop including openssl headers.
2017-03-31 10:04:45 -04:00
Nick Mathewson
5ca0d6daf0 Mark many private tortls.h APIs as openssl-only.
This change lets us remove the openssl/ssl.h include from
test_link_handshake.c.
2017-03-31 10:04:45 -04:00
Nick Mathewson
a8b9aba912 Change many tortls.h declarations of private APIs to use structs
This change makes it so those those APIs will not require prior
inclusion of openssl headers.  I've left some APIs alone-- those
will change to be extra-private.
2017-03-31 10:04:45 -04:00
Nick Mathewson
706c44a6ce Remove some now-needless openssl includes from src/test.
It would appear that these includes weren't actually used.
2017-03-31 10:04:44 -04:00
Nick Mathewson
a4964466a5 Remove openssl/evp.h dependency from test_crypto.c 2017-03-31 10:04:44 -04:00
Nick Mathewson
1a14e5be91 Remove crypto/rand include from test_crypto.c
Create a new test_crypto_openssl to test openssl-only crypto.c
functionality.
2017-03-31 10:04:44 -04:00
Nick Mathewson
38fb651f0d Make our ed25519 implementations no longer use openssl directly. 2017-03-31 10:04:44 -04:00
Nick Mathewson
3fc4f81de3 Make crypto_ed25519.c no longer depend on openssl
Now it calls through our own crypto API.
2017-03-31 10:04:44 -04:00
Nick Mathewson
e7506c03cf Isolate dmalloc/openssl bridge code to crypto.c
This makes it so main.c, and the rest of src/or, no longer need to
include any openssl headers.
2017-03-31 10:04:44 -04:00
Nick Mathewson
04f1ddaa2a Fix utimbuf initialization in storagedir/cleaning test 2017-03-29 09:10:35 +02:00
Nick Mathewson
fc02b8cf7a Fix another 32-bit warning in the spooling code 2017-03-29 09:07:51 +02:00
Nick Mathewson
be778a65df Fix i386 compilation from spooling patch. I seem to be good at breaking that. 2017-03-28 21:41:59 +02:00
Nick Mathewson
208c2a5c74 Merge branch 'spooling_squashed' 2017-03-28 19:55:18 +02:00
Nick Mathewson
003a7fe2a3 Add nonfatal asserts for return val of dirserv_flushed_some 2017-03-28 19:55:04 +02:00
Nick Mathewson
436b975e21 Improve documentation for connection_dirserv_flushed_some. 2017-03-28 19:55:03 +02:00
Nick Mathewson
8aa69a1b69 Refactor the directory spool implementation
The old implementation had duplicated code in a bunch of places, and
it interspersed spool-management with resource management.  The new
implementation should make it easier to add new resource types and
maintain the spooling code.

Closing ticket 21651.
2017-03-28 19:55:03 +02:00
Nick Mathewson
4d5b46aad9 Merge remote-tracking branch 'origin/maint-0.3.0' 2017-03-27 15:44:31 +02:00
George Kadianakis
ef4c10fb42 Fix max sampled size logic when in bridge mode.
When calculating max sampled size, Tor would only count the number of
bridges in torrc, without considering that our state file might already
have sampled bridges in it. This caused problems when people swap
bridges, since the following error would trigger:

         [warn] Not expanding the guard sample any further; just hit the
                maximum sample threshold of 1
2017-03-27 15:39:26 +02:00
Nick Mathewson
e79f90c7f0 Storagedir test fix: save strings in binary mode to preserve length 2017-03-27 15:27:52 +02:00
Nick Mathewson
10888dcac6 Merge remote-tracking branch 'ahf/bugs/21757' 2017-03-27 15:02:48 +02:00
Nick Mathewson
61e8ee1117 Merge remote-tracking branch 'jigsaw52/fix_leak_21788' 2017-03-27 11:01:01 +02:00
Nick Mathewson
1d617e3ed0 Check and cast st_size to size_t in storagedir code
This prevents an i386 compilation warning and fixes bug 21828. Bug not
in any released Tor.
2017-03-27 10:40:15 +02:00
Nick Mathewson
0895808023 Merge remote-tracking branch 'origin/maint-0.3.0' 2017-03-26 12:30:45 +02:00
Nick Mathewson
a5130de432 Tweak test_entrynodes comment 2017-03-26 12:30:00 +02:00
Nick Mathewson
4f6025498d Use update_approx_time() to run a test 100 days in the past.
Fixes bug21799.
2017-03-23 10:44:43 +01:00
Daniel Pinto
e843481bf5 Fix very small memory leak #21788
Leak caused by clean_up_backtrace_handler not being called
on shutdown.
2017-03-20 01:03:05 +00:00
Nick Mathewson
58680d0429 Merge branch 'ahf_bugs_21641_squashed' 2017-03-17 11:16:24 -04:00
Alexander Færøy
946ccf3e4d Check onion key consensus parameters every hour.
This patch changes the way we decide when to check for whether it's time
to rotate and/or expiry our onion keys. Due to proposal #274 we can now
have the keys rotate at different frequencies than before and we thus
do the check once an hour when our Tor daemon is running in server mode.

This should allow us to quickly notice if the network consensus
parameter have changed while we are running instead of having to wait
until the current parameters timeout value have passed.

See: See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Alexander Færøy
853b54dea4 Add periodic timer for expiring old onion keys.
This patch adds a new timer that is executed when it is time to expire
our current set of old onion keys. Because of proposal #274 this can no
longer be assumed to be at the same time we rotate our onion keys since
they will be updated less frequently.

See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Alexander Færøy
d88f10cdf2 Add API to query the current onion key grace period.
This patch adds an API to get the current grace period, in days, defined
as the consensus parameter "onion-key-grace-period-days".

As per proposal #274 the values for "onion-key-grace-period-days" is a
default value of 7 days, a minimum value of 1 day, and a maximum value
defined by other consensus parameter "onion-key-rotation-days" also
defined in days.

See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Alexander Færøy
23ae5b655b Make MIN_ONION_KEY_LIFETIME a consensus parameter defined value.
This patch turns `MIN_ONION_KEY_LIFETIME` into a new function
`get_onion_key_lifetime()` which gets its value from a network consensus
parameter named "onion-key-rotation-days". This allows us to tune the
value at a later point in time with no code modifications.

We also bump the default onion key lifetime from 7 to 28 days as per
proposal #274.

See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Alexander Færøy
a28be68cf2
Split strings at newline in tor_get_lines_from_handle().
This patch fixes a regression described in bug #21757 that first
appeared after commit 6e78ede73f which was an attempt to fix bug #21654.

When switching from buffered I/O to direct file descriptor I/O our
output strings from get_string_from_pipe() might contain newline
characters (\n). In this patch we modify tor_get_lines_from_handle() to
ensure that the function splits the newly read string at the newline
character and thus might return multiple lines from a single call to
get_string_from_pipe().

Additionally, we add a test case to test_util_string_from_pipe() to
ensure that get_string_from_pipe() correctly returns multiple lines in a
single call.

See: https://bugs.torproject.org/21757
See: https://bugs.torproject.org/21654
2017-03-17 04:27:12 +01:00
Nick Mathewson
6657fe1e54 Generate src/test/fuzz/include.am from a script
It was very error-prone to maintain this by hand.
2017-03-16 17:14:10 -04:00
Nick Mathewson
45d008c4aa Merge branch 'storagedir_squashed' 2017-03-16 16:03:13 -04:00
Nick Mathewson
ee253e392a Define a "storagedir" abstraction to hold numerous similar files
We could use one of these for holding "junk" descriptors and
unparseable things -- but we'll _need_ it for having cached
consensuses and diffs between them.
2017-03-16 16:01:59 -04:00
Nick Mathewson
877468c781 Now, resolve a new 64-bit warning in compat_threads.c 2017-03-16 15:34:57 -04:00
Nick Mathewson
eca9b3424d consdiff: Fix 32-bit compilation.
Thanks, jenkins!
2017-03-16 15:14:16 -04:00
Nick Mathewson
4a4f1e44af Merge branch 'prop140_21643_diff_only_squashed' 2017-03-16 14:58:43 -04:00
Nick Mathewson
643c9078c9 Switch ed-command parsing to use tor_parse_long. 2017-03-16 14:42:56 -04:00
Nick Mathewson
672e2a5461 Consdiff: extract router ID hash iteration functions
There was a frequent block of code that did "find the next router
line, see if we've hit the end of the list, get the ID hash from the
line, and enforce well-ordering."  Per Ahf's review, I'm extracting
it to its own function.
2017-03-16 14:42:56 -04:00
Nick Mathewson
83049cebc0 Make CONSENSUS_LINE_MAX_LEN a real define 2017-03-16 14:42:56 -04:00
Nick Mathewson
5e81436428 Remove a couple of {\n\n instances 2017-03-16 14:42:56 -04:00
Nick Mathewson
e84276124b Use a better for X outside of base64_compare_table. 2017-03-16 14:42:56 -04:00
Nick Mathewson
91e3250bf1 Reindent a few labels. 2017-03-16 14:42:56 -04:00
Nick Mathewson
d8c129a11a Avoid all needless memory copies when computing consensus diffs.
Previously, we operated on smartlists of NUL-terminated strings,
which required us to copy both inputs to produce the NUL-terminated
strings.  Then we copied parts of _those_ inputs to produce an
output smartlist of NUL-terminated strings.  And finally, we
concatenated everything into a final resulting string.

This implementation, instead, uses a pointer-and-extent pattern to
represent each line as a pointer into the original inputs and a
length.  These line objects are then added by reference into the
output. No actual bytes are copied from the original strings until
we finally concatenate the final result together.

Bookkeeping structures and newly allocated strings (like ed
commands) are allocated inside a memarea, to avoid needless mallocs
or complicated should-I-free-this-or-not bookkeeping.

In my measurements, this improves CPU performance by something like
18%.  The memory savings should be much, much higher.
2017-03-16 14:42:56 -04:00
Nick Mathewson
52fa6bb947 Swap memory allocation strategy for lists of lines for diffs
Now we use a single allocation block for all the lines, rather than
calling strdup on them one at a time.  This should help performance
a tiny bit.
2017-03-16 14:42:56 -04:00
Nick Mathewson
b36e311eab Fill in the missing documentation on the new functions 2017-03-16 14:42:56 -04:00
Nick Mathewson
12d428aaff Prop140: Fix a crash bug.
Found while fuzzing: this could occur if we tried to copy a
nonexistent "line 0" while applying a diff.
2017-03-16 14:42:56 -04:00
Nick Mathewson
dd92579b63 Add fuzzers for consensus diff backend code
This takes two fuzzers: one which generates a diff and makes sure it
works, and one which applies a diff.

So far, they won't crash, but there's a bug in my
string-manipulation code someplace that I'm having to work around,
related to the case where you have a blank line at the end of a
file, or where you diff a file with itself.
2017-03-16 14:42:55 -04:00
Nick Mathewson
653c6d129e Make consensus diff sha3 operations mockable.
(We'll want this for fuzzing)
2017-03-16 14:40:33 -04:00
Nick Mathewson
6a36e5ff3b String-based API for consensus diffs.
Also, add very strict split/join functions, and totally forbid
nonempty files that end with somethig besides a newline.  This
change is necessary to ensure that diff/apply are actually reliable
inverse operations.
2017-03-16 14:39:54 -04:00
Nick Mathewson
eff9fbd17d Fix an abstraction violation.
Don't alias the insides of smartlist_t; that way lies madness.
2017-03-16 14:38:29 -04:00
Nick Mathewson
69b3e11e59 Use "const" in consdiff.[ch] 2017-03-16 14:38:29 -04:00
Nick Mathewson
3647751c2a prop140: Use sha3-256, not sha2-256
This is a protocol update from recent prop140 changes.

Also, per #21673, we need to check the entire document, including
signatures.
2017-03-16 14:38:29 -04:00
Nick Mathewson
d6594bfa8c Add a couple more cases to reach 100% coverage. 2017-03-16 14:38:29 -04:00
Nick Mathewson
c86e77ac20 Cover two more failing cases with unit tests 2017-03-16 14:38:29 -04:00
Nick Mathewson
e1418c09fc Fix an unreachable memory leak.
Also add a missing newline.
2017-03-16 14:38:29 -04:00
Nick Mathewson
f193b666cd Remove digest[12]_hex 2017-03-16 14:38:29 -04:00
Nick Mathewson
c6046f4db8 Tweak&test log messages on apply_diff 2017-03-16 14:38:29 -04:00
Nick Mathewson
5766eed38f Fixes when applying diffs: Allow 2-line diffs, fix bogus free
The 2-line diff changs is needed to make the unit tests actually
test the cases that they thought they were testing.

The bogus free was found while testing those cases
2017-03-16 14:38:29 -04:00
Nick Mathewson
ab1fd85c99 Mark some warnings as bugs, and as (hopefully) unreachable. 2017-03-16 14:38:28 -04:00
Nick Mathewson
bb536a2e73 Check for expected warnings in apply_ed_diff 2017-03-16 14:38:28 -04:00
Nick Mathewson
06017f35e8 Fix some logging on failed apply_ed_diff 2017-03-16 14:38:28 -04:00
Nick Mathewson
97620cf18f No need to end a log message with newline. 2017-03-16 14:38:28 -04:00
Nick Mathewson
05901f2c6d test operator cleanup 2017-03-16 14:38:28 -04:00
Nick Mathewson
687df259c6 Enforce correct log messages on diff generation failure tests 2017-03-16 14:38:28 -04:00
Nick Mathewson
ccb789fe34 Test two more base64cmp cases. 2017-03-16 14:38:28 -04:00
Nick Mathewson
360d043ac7 Use "STATIC" to export consdiff fns for testing
Previously test_consdiff.c just did #include "consdiff.c", which is
not great style, and messes up coverage testing.
2017-03-16 14:38:28 -04:00
Daniel Martí
590ffdb2c9 Consensus diff backend from Daniel Martí GSOC project.
(This commit was extracted by nickm based on the final outcome of
the project, taking only the changes in the files touched by this
commit from the consdiff_rebased branch.  The directory-system
changes are going to get worked on separately.)
2017-03-16 14:38:28 -04:00
Nick Mathewson
7505f452c8 Run the copyright update script. 2017-03-15 16:13:17 -04:00
Nick Mathewson
c64adaaf90 Merge branch 'bug21540_029_v2' 2017-03-15 12:17:15 -04:00
Nick Mathewson
44514058b9 Correctly handle fd-drain errors on windows workqueues
Windows doesn't let you check the socket error for a socket with
WSAGetLastError() and getsockopt(SO_ERROR).  But
getsockopt(SO_ERROR) clears the error on the socket, so you can't
call it more than once per error.

When we introduced recv_ni to help drain alert sockets, back in
0.2.6.3-alpha, we had the failure path for recv_ni call getsockopt()
twice, though: once to check for EINTR and one to check for EAGAIN.
Of course, we never got the eagain, so we treated it as an error,
and warned about: "No error".

The fix here is to have these functions return -errno on failure.

Fixes bug 21540; bugfix on 0.2.6.3-alpha.
2017-03-15 12:16:17 -04:00
Nick Mathewson
3b2d6da453 Merge branch 'maint-0.3.0' 2017-03-15 11:09:22 -04:00
Nick Mathewson
567a56ae2e Merge branch 'bug20059_024_v2' into maint-0.3.0 2017-03-15 11:07:38 -04:00
Nick Mathewson
ec5fe41209 Avoid a double-mark bug when makring a pending circuit as "too old"
Fixes bug 20059; bugfix on 0.1.0.1-rc.
2017-03-15 11:05:37 -04:00
Nick Mathewson
6004dd2162 Merge branch 'deprecate_getinfo_network_status' 2017-03-15 11:01:26 -04:00
Nick Mathewson
a783c5cbae Merge remote-tracking branch 'public/feature21496' 2017-03-15 10:59:30 -04:00
Nick Mathewson
9014dc111a Improve keccak-tiny performance by 15% on LE intel
The 64-bit load and store code was generating pretty bad output with
my compiler, so I extracted the code from csiphash and used that instead.

Close ticket 21737
2017-03-14 14:20:15 -04:00
teor
c34411d9cb Log info about intro point limits when they are reached and reset
Depends on 21594, part of 21622.
2017-03-14 11:54:08 -04:00
teor
c99d0e742a Log more info when a service descriptor has the wrong number of intro points
Depends on 21598, part of 21622.
2017-03-14 11:53:34 -04:00
teor
d0927b6646 Create function to log service introduction point creation limits
Depends on 21594, part of 21622.

(Resolved merge conflict in static function declarations.
2017-03-14 11:53:34 -04:00
Nick Mathewson
c000c7d118 Create logfiles in mode 0640
Patch from toralf; closes 21729.
2017-03-14 11:36:53 -04:00
Nick Mathewson
236e1f31d9 Fix some compilation warnings in {test_,}hs_descriptor.c
Nothing big: just some const char[]s that should have been static,
and some integer truncation warnings.

Warnings not in any released Tor.
2017-03-13 22:36:47 -04:00
Nick Mathewson
dc37ea8b98 Add a null statement to prevent some SMARTLIST_FOREACH() bugs.
So we require that SMARTLIST_FOREACH_END() have the name of the loop
variable in it.  But right now the only enforcement for that is to
clear the variable at the end of the loop, which is really not
sufficient: I spent 45 minutes earlier today debugging an issue
where I had said:
   SMARTLIST_FOREACH_BEGIN(spool, spooled_resource_t *, spooled) {
     ...
   } SMARTLIST_FOREACH_END(spool);

This patch makes it so that ONLY loop variables can be used, by
referring to the _sl_idx variable.
2017-03-13 16:43:30 -04:00
Nick Mathewson
d9cd4b7072 Merge branch 'maint-0.3.0' 2017-03-13 16:22:54 -04:00
Nick Mathewson
e2cd600da6 Merge remote-tracking branch 'public/bug21682_030' into maint-0.3.0 2017-03-13 16:22:40 -04:00
Nick Mathewson
43dd9bf0fc Merge remote-tracking branch 'asn/bug21334_v3' 2017-03-13 16:18:55 -04:00
George Kadianakis
61f318b1b0 prop224: Rename padding size def to something less confusing.
People felt it could refer to the descriptor header section instead of
the plaintext of the superencrypted section.
2017-03-13 15:58:28 +02:00
George Kadianakis
e6b03151fb prop224: Add unittests for decode_superencrypted(). 2017-03-13 15:55:21 +02:00
George Kadianakis
163596d9c2 prop224: Move some utility crypto funcs to the top of the file. 2017-03-13 15:55:21 +02:00
George Kadianakis
1f421d8d47 prop224: Fix the HS descriptor unittests.
- HS descriptors are now bigger than 10kb.
- encrypted_data_length_is_valid() is not that strict now.
2017-03-13 15:55:21 +02:00
George Kadianakis
d0fe199269 prop224: Implement decoding of superencrypted HS descriptor.
[Consider starting review from desc_decrypt_all() ]
2017-03-13 15:55:20 +02:00
George Kadianakis
b2e37b87a7 prop224: Implement encoding of superencrypted HS descriptor.
Also, relaxed the checks of encrypted_data_length_is_valid() since now
only one encrypted section has padding requirements and we don't
actually care to check that all the padding is there.

Consider starting code review from function encode_superencrypted_data().
2017-03-13 15:55:20 +02:00
George Kadianakis
bb602f6197 prop224: Prepare for superencrypted HS descriptors.
- Refactor our HS desc crypto funcs to be able to differentiate between
  the superencrypted layer and the encrypted layer so that different
  crypto constants and padding is used in each layer.

- Introduce some string constants.

- Add some comments.
2017-03-13 15:49:14 +02:00
Nick Mathewson
8587f663ee Remove DIR_SPOOL_CACHED_DIR: Nothing uses it. 2017-03-13 08:02:25 -04:00
Nick Mathewson
16b64fcfe1 Mark GETINFO network-status as deprecated with a warning
control-spec has marked it deprecated for a long time.

Closes ticket 21703.
2017-03-10 12:05:50 -05:00
Alexander Færøy
85dccce35d
Make MAX_DIR_PERIOD independent of MIN_ONION_KEY_LIFETIME.
As part of the work for proposal #274 we are going to remove the need
for MIN_ONION_KEY_LIFETIME and turn it into a dynamic value defined by a
consensus parameter.

See: https://bugs.torproject.org/21641
2017-03-10 13:04:43 +01:00
Nick Mathewson
118d7018d0 Merge branch 'bug21415_testfix_030' 2017-03-09 09:25:19 -05:00
George Kadianakis
6cab0f8ad7 Fix failing bridges+ipv6-min integration test.
The bridges+ipv6-min integration test has a client with bridges:
    Bridge 127.0.0.1:5003
    Bridge [::1]:5003
which got stuck in guard_selection_have_enough_dir_info_to_build_circuits()
because it couldn't find the descriptor of both bridges.

Specifically, the guard_has_descriptor() function could not find the
node_t of the [::1] bridge, because the [::1] bridge had no identity
digest assigned to it.

After further examination, it seems that during fetching the descriptor
for our bridges, we used the CERTS cell to fill the identity digest of
127.0.0.1:5003 properly. However, when we received a CERTS cell from
[::1]:5003 we actually ignored its identity digest because the
learned_router_identity() function was using
get_configured_bridge_by_addr_port_digest() which was returning the
127.0.0.1 bridge instead of the [::1] bridge (because it prioritizes
digest matching over addrport matching).

The fix replaces get_configured_bridge_by_addr_port_digest() with the
recent get_configured_bridge_by_exact_addr_port_digest() function. It
also relaxes the constraints of the
get_configured_bridge_by_exact_addr_port_digest() function by making it
return bridges whose identity digest is not yet known.

By using the _exact_() function, learned_router_identity() actually
fills in the identity digest of the [::1] bridge, which then allows
guard_has_descriptor() to find the right node_t and verify that the
descriptor is there.

FWIW, in the bridges+ipv6-min test both 127.0.0.1 and [::1] bridges
correspond to the same node_t, which I guess makes sense given that it's
actually the same underlying bridge.
2017-03-09 09:19:19 -05:00
George Kadianakis
41324b5ae1 Revert "Restore correct behavior of 0.3.0.4-rc with bridges+ipv6-min"
This reverts commit 5298ab5917.
2017-03-09 09:19:12 -05:00
Nick Mathewson
85782e111a Merge remote-tracking branch 'ahf/bugs/21654' 2017-03-09 08:36:46 -05:00
Alexander Færøy
02fc0a5ecf
Remove fgets() compatbility function and related tests.
This patch removes the `tor_fgets()` wrapper around `fgets(3)` since it
is no longer needed. The function was created due to inconsistency
between the returned values of `fgets(3)` on different versions of Unix
when using `fgets(3)` on non-blocking file descriptors, but with the
recent changes in bug #21654 we switch from unbuffered to direct I/O on
non-blocking file descriptors in our utility module.

We continue to use `fgets(3)` directly in the geoip and dirserv module
since this usage is considered safe.

This patch also removes the test-case that was created to detect
differences in the implementation of `fgets(3)` as well as the changes
file since these changes was not included in any releases yet.

See: https://bugs.torproject.org/21654
2017-03-09 00:10:18 +01:00
Alexander Færøy
02ef06516e
Use less-than instead of not-equal-to for comparison in read loops.
This patch changes a number of read loops in the util module to use
less-than comparison instead of not-equal-to comparison. We do this in
the case that we have a bug elsewhere that might cause `numread` to
become larger than `count` and thus become an infinite loop.
2017-03-09 00:10:17 +01:00
Alexander Færøy
0e5c7dc45b
Add test case for get_string_from_pipe().
This patch adds a test case for the get_string_from_pipe() function
found in the utility module.

See: See: https://bugs.torproject.org/21654
2017-03-09 00:10:17 +01:00
Alexander Færøy
6e78ede73f
Remove buffered I/O stream usage in process_handle_t.
This patch removes the buffered I/O stream usage in process_handle_t and
its related utility functions. This simplifies the code and avoids racy
code where we used buffered I/O on non-blocking file descriptors.

See: https://bugs.torproject.org/21654
2017-03-09 00:10:17 +01:00
Nick Mathewson
a9b046cef7 Merge branch 'maint-0.3.0' 2017-03-08 10:12:44 -05:00
Nick Mathewson
ded2c8c689 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-03-08 10:12:27 -05:00
Nick Mathewson
d642ceb8df Merge branch 'maint-0.2.8' into maint-0.2.9 2017-03-08 10:12:06 -05:00
Nick Mathewson
2cfecec9c7 Merge branch 'maint-0.2.7-redux' into maint-0.2.8 2017-03-08 10:11:23 -05:00
Nick Mathewson
25c28bc2d9 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-03-08 10:11:05 -05:00
Nick Mathewson
ecc73c3c03 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-03-08 10:10:44 -05:00
Nick Mathewson
933a1e7997 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-03-08 10:10:29 -05:00
Nick Mathewson
27058bd8cb Fix a memory leak in config_get_assigned_option()
This was introducd in 4d83999213 in 0.3.0.3-alpha.  This is bug
21682.
2017-03-08 10:06:48 -05:00
Karsten Loesing
4488c319dd Update geoip and geoip6 to the March 7 2017 database. 2017-03-08 09:41:35 +01:00
Alexander Færøy
86de065aee
Use read(2) instead of fgets(3) when reading process output.
This patch modifies `tor_read_all_handle()` to use read(2) instead of
fgets(3) when reading the stdout from the child process. This should
eliminate the race condition that can be triggered in the 'slow/util/*'
tests on slower machines running OpenBSD, FreeBSD and HardenedBSD.

See: https://bugs.torproject.org/21654
2017-03-08 02:08:44 +01:00
Nick Mathewson
ad19f1507a Merge branch 'maint-0.3.0' 2017-03-07 08:08:28 -05:00
Nick Mathewson
552bc39c32 Merge branch 'bug21594_030_squashed' into maint-0.3.0 2017-03-07 08:05:16 -05:00
teor
93ede051c2 Remove delay in hidden service introduction point checks
Make hidden services with 8 to 10 introduction points check for failed
circuits immediately after startup. Previously, they would wait for 5
minutes before performing their first checks.

Fixes bug 21594; bugfix on commit 190aac0eab in Tor 0.2.3.9-alpha.
Reported by alecmuffett.
2017-03-07 08:04:57 -05:00
Nick Mathewson
85cf6dcba3 Stop declining to download microdescs with future published times.
This change is the only one necessary to allow future versions of
the microdescriptor consensus to replace every 'published' date with
e.g. 2038-01-01 00:00:00; this will save 50-75% in compressed
microdescriptor diff size, which is quite significant.

This commit is a minimal change for 0.2.9; future series will
reduce the use of the 'published' date even more.

Implements part of ticket 21642; implements part of proposal 275.
2017-03-06 15:37:01 -05:00
Nick Mathewson
88b91d7753 Merge remote-tracking branch 'ahf/bugs/20988' 2017-03-06 12:04:58 -05:00
Nick Mathewson
2c8d2cab13 Merge remote-tracking branch 'teor/bug19699' 2017-03-06 11:52:17 -05:00
Nick Mathewson
5203cd2f11 Check for NULL as input to extrainfo_parse_entry_from_string()
We hope this will make the clangalyzer less worried about this function.

Closes ticket 21496.
2017-03-06 11:31:11 -05:00
Nick Mathewson
0a54e5d148 Fix a function name in a comment. Closes 21580 2017-03-06 11:27:50 -05:00
Nick Mathewson
00d1093daf Merge branch 'feature21598_squashed' 2017-03-04 23:22:46 -05:00
teor
f24638aa49 Log a message when a hidden service has fewer intro points than expected
Closes ticket 21598.
2017-03-04 23:22:34 -05:00
Nick Mathewson
958ec0f5f8 Merge branch 'bug21599_squashed' 2017-03-04 23:16:29 -05:00
teor
684778e705 Simplify hidden service descriptor creation
Use an existing flag to check if an introduction point is established.

Cleanup after 21596.

Fixes bug 21599; bugfix on 0.2.7.2-alpha.
2017-03-04 23:15:55 -05:00
Nick Mathewson
fe17955661 Merge remote-tracking branch 'teor/bug21596_030' 2017-03-04 23:10:40 -05:00
Nick Mathewson
3a1cba7d90 Merge branch 'maint-0.3.0' 2017-03-04 20:24:02 -05:00
Nick Mathewson
333d5d0f2a Merge remote-tracking branch 'teor/bug21576_029_v2' into maint-0.3.0 2017-03-04 20:23:38 -05:00
teor
3e2d06bd3d
Make hidden services always check for failed intro point connections
Previously, they would stop checking when they exceeded their intro point
creation limit.

Fixes bug 21596; bugfix on commit d67bf8b2f2 in Tor 0.2.7.2-alpha.
Reported by alecmuffett.
2017-03-02 15:57:58 +11:00
teor
e0486c9371
Make hidden services always check for failed intro point connections
Previously, they would stop checking when they exceeded their intro point
creation limit.

Fixes bug 21596; bugfix on commit d67bf8b2f2 in Tor 0.2.7.2-alpha.
Reported by alecmuffett.
2017-03-02 15:34:45 +11:00
teor
4b5cdb2c30
Fix a crash when a connection tries to open just after it has been unlinked
Fixes bug 21576; bugfix on Tor 0.2.9.3-alpha.
Reported by alecmuffett.
2017-03-02 11:10:30 +11:00
Nick Mathewson
528dcd113c Bump to 0.3.0.4-rc-dev 2017-03-01 15:38:36 -05:00
Alexander Færøy
ae91e64fa8
Reset buf after each succesful test to avoid artifacts.
This patch resets `buf` in test_util_fgets_eagain() after each succesful
ivocation to avoid stray artifacts left in the buffer by erroneous
tor_fgets() calls.
2017-03-01 21:26:27 +01:00
Alexander Færøy
3dca5a6e71
Use tor_fgets() instead of fgets().
This patch changes our use of fgets() to tor_fgets() for more consistent
error handling across different versions of the C library.
2017-03-01 21:26:27 +01:00
Alexander Færøy
498287b3c3
Add compatibility function for fgets(3).
This patch adds the `tor_fgets()` function to our compatibility layer.

`tor_fgets()` adds an additional check for whether the error-bit have
been enabled for the given file stream, if that is the case and `errno`
is set to `EAGAIN` we make sure that we always return NULL.

Unfortunately `fgets(3)` behaves differently on different versions of
the C library.

See: https://bugs.torproject.org/21416
See: https://bugs.torproject.org/20988
2017-03-01 21:26:26 +01:00
Nick Mathewson
7d3883d084 Merge branch 'maint-0.3.0' 2017-03-01 15:11:23 -05:00
Nick Mathewson
5298ab5917 Restore correct behavior of 0.3.0.4-rc with bridges+ipv6-min
In that chutney test, the bridge client is configured to connect to
the same bridge at 127.0.0.1:5003 _and_ at [::1]:5003, with no
change in transports.

That meant, I think, that the descriptor is only assigned to the
first bridge when it arrives, and never the second.
2017-03-01 15:02:16 -05:00
Nick Mathewson
a0a4f8ae5d Merge remote-tracking branch 'asn/bug21586' 2017-03-01 09:21:34 -05:00
George Kadianakis
931948ac6a Prevent SRV assert when called from misconfigured bridge auth. 2017-03-01 15:56:29 +02:00
Nick Mathewson
d8fa6f9ddb Merge branch 'maint-0.3.0' 2017-03-01 08:54:58 -05:00
George Kadianakis
18a98206ed Improve descriptor checks in the new guard algorithm.
- Make sure we check at least two guards for descriptor before making
  circuits. We typically use the first primary guard for circuits, but
  it can also happen that we use the second primary guard (e.g. if we
  pick our first primary guard as an exit), so we should make sure we
  have descriptors for both of them.

- Remove BUG() from the guard_has_descriptor() check since we now know
  that this can happen in rare but legitimate situations as well, and we
  should just move to the next guard in that case.
2017-03-01 08:46:53 -05:00
Nick Mathewson
75492598b2 Bump to 0.2.9.10-dev 2017-03-01 08:18:54 -05:00
Nick Mathewson
39d0e0cd0b Merge branch 'maint-0.3.0' 2017-03-01 07:52:51 -05:00
teor
9340035873
Remove the unused field or_connection_t.is_connection_with_client
To discover if a connection is from a tor client, use:
channel_is_client(TLS_CHAN_TO_BASE(or_connection_t.chan))

Part of 21406.
2017-03-01 16:22:37 +11:00
teor
d784236822
Make test-network.sh always call chutney's test-network.sh
Previously, this only worked on systems which had bash installed, due to
some bash-specific code in the script.

Fixes bug 19699; follow-up to 21581.
2017-03-01 13:28:30 +11:00
teor
778d704908
Remove the space before the interpreter name in test-network.sh
Apparently some unixes don't like this.
Part of #21581.
2017-03-01 12:29:52 +11:00
teor
f2ca22f940
Remove the space before the interpreter name in test-network.sh
Apparently some unixes don't like this.
Part of #21581.
2017-03-01 12:28:16 +11:00
Nick Mathewson
8e3d929df7 Merge branch 'maint-0.3.0' 2017-02-28 20:14:06 -05:00
teor
004ec8dc58
Restore support for test-network.sh on BSD and other systems without bash
(But use bash if it's available.)
This is a workaround until we remove bash-specific code in 19699.

Fixes bug 21581; bugfix on 21562, not in any released version of tor.
2017-03-01 11:40:54 +11:00
Nick Mathewson
1cd7a697f1 Merge remote-tracking branch 'teor/bug21510' 2017-02-28 11:43:58 -05:00
Nick Mathewson
aa50758777 Merge remote-tracking branch 'teor/test21470-029' 2017-02-28 11:31:07 -05:00
Nick Mathewson
ef610467fa Merge remote-tracking branch 'teor/bug21507-029' 2017-02-28 11:19:24 -05:00
Nick Mathewson
242f9b3ffb Merge remote-tracking branch 'public/bug21407' 2017-02-28 11:17:30 -05:00
Nick Mathewson
58908b6540 bump version to 0.3.0.4-rc 2017-02-28 10:40:08 -05:00
Nick Mathewson
b049a5b398 bump version to 0.2.9.10 2017-02-28 10:38:55 -05:00
Nick Mathewson
f2a657c22b bump version to 0.2.8.13 2017-02-28 10:34:33 -05:00
Nick Mathewson
b5526bef38 Bump version to 0.2.7.7 2017-02-28 10:27:20 -05:00
Nick Mathewson
57e778f882 bump to 0.2.6.11 2017-02-28 10:26:24 -05:00
Nick Mathewson
884b3717a9 Bump version to 0.2.5.13 2017-02-28 10:23:20 -05:00
Nick Mathewson
4bab288a82 Bump to 0.2.4.28 2017-02-28 10:20:46 -05:00
Nick Mathewson
8112800138 Merge branch 'maint-0.3.0' 2017-02-28 08:28:55 -05:00
Nick Mathewson
3a60214f32 Merge remote-tracking branch 'public/bug21007_case2_030' into maint-0.3.0 2017-02-28 08:28:46 -05:00
Nick Mathewson
928235506b Merge branch 'maint-0.3.0' 2017-02-28 08:20:09 -05:00
Nick Mathewson
16f337e763 Merge branch 'bug21027_v2_squashed' into maint-0.3.0 2017-02-28 08:16:43 -05:00
Nick Mathewson
1582adabbb Change approach to preventing duplicate guards.
Previously I'd made a bad assumption in the implementation of
prop271 in 0.3.0.1-alpha: I'd assumed that there couldn't be two
guards with the same identity.  That's true for non-bridges, but in
the bridge case, we allow two bridges to have the same ID if they
have different addr:port combinations -- in order to have the same
bridge ID running multiple PTs.

Fortunately, this assumption wasn't deeply ingrained: we stop
enforcing the "one guard per ID" rule in the bridge case, and
instead enforce "one guard per <id,addr,port>".

We also needed to tweak our implementation of
get_bridge_info_for_guard, since it made the same incorrect
assumption.

Fixes bug 21027; bugfix on 0.3.0.1-alpha.
2017-02-28 08:16:33 -05:00
Nick Mathewson
c0aa7ac5ac Merge branch 'disable_memory_sentinels_squashed' 2017-02-27 16:25:25 -05:00
Nick Mathewson
b923c4dc9f Code to disable memory sentinels for fuzzing
This feature makes it possible to turn off memory sentinels (like
those used for safety in buffers.c and memarea.c) when fuzzing, so
that we can catch bugs that they would otherwise prevent.
2017-02-27 16:25:10 -05:00
Nick Mathewson
4808540d5c Merge branch 'maint-0.3.0' 2017-02-27 11:36:56 -05:00
Nick Mathewson
eef8bd4d3c Merge remote-tracking branch 'teor/feature21570-030' into maint-0.3.0 2017-02-27 11:36:39 -05:00
Nick Mathewson
b6a9be0415 Merge branch 'maint-0.3.0' 2017-02-27 11:25:46 -05:00
Nick Mathewson
c51919b0da Merge branch 'bug21369_check_029_squashed' into maint-0.3.0 2017-02-27 11:25:34 -05:00
Nick Mathewson
90283f0db3 Merge branch 'maint-0.3.0' 2017-02-27 11:23:02 -05:00
Nick Mathewson
6747c62386 Merge branch 'bug21420_029_squashed' into maint-0.3.0 2017-02-27 11:20:39 -05:00
Nick Mathewson
f6e5a658df Revise the logic for picking the start time for link certs
Since 0.2.4.11-alpha (in 0196647970) we've tried to randomize
the start time to up to some time in the past.  But unfortunately we
allowed the start time to be in the future as well, which isn't
really legit.

The new behavior lets the start time be be up to
MAX(cert_lifetime-2days, 0) in the past, but never in the future.

Fixes bug 21420; bugfix on 0.2.4.11-alpha.
2017-02-27 11:19:54 -05:00
Nick Mathewson
1421f75331 Merge branch 'maint-0.3.0' 2017-02-27 11:03:25 -05:00
Nick Mathewson
2b3518b81f Merge remote-tracking branch 'teor/bug20711' into maint-0.3.0 2017-02-27 11:00:02 -05:00
Nick Mathewson
65b012c90b Fix a wide line 2017-02-27 10:58:26 -05:00
Nick Mathewson
135a0c2054 Fix a "directive within macro arguments" warning 2017-02-27 10:58:19 -05:00
Nick Mathewson
0e7d2882f9 Merge remote-tracking branch 'ahf/bugs/21206' 2017-02-27 10:53:12 -05:00
teor
73879aa5b6
Use bash in src/test/test-network.sh
This ensures we reliably call chutney's newer tools/test-network.sh when
available.

Fixes bug 21562; bugfix on tor-0.2.9.1-alpha.
2017-02-28 02:13:56 +11:00
teor
1ebcd22e80
Reserve a test-network.sh exit status of 2 for unknown arguments
Part of 21570.
2017-02-28 02:02:32 +11:00
Nick Mathewson
074f248463 Add one other BUG check to try to fix/solve 21369.
Teor thinks that this connection_dirserv_add_dir_bytes_to_outbuf()
might be the problem, if the "remaining" calculation underflows.  So
I'm adding a couple of checks there, and improving the casts.
2017-02-27 10:01:27 -05:00
Nick Mathewson
ee5471f9aa Try to check for (and prevent) buffer size INT_MAX overflow better.
Possible fix or diagnostic for 21369.
2017-02-27 10:01:27 -05:00
teor
39a4c5624b
Add a quiet mode to test-network.sh
Requires the equivalent chutney changes in 21571.

Part of 21570.
2017-02-28 01:45:30 +11:00
Nick Mathewson
02aaa7f9ed Merge branch 'maint-0.3.0' 2017-02-24 11:37:41 -05:00
Nick Mathewson
619771f60b Whitespace fix. 2017-02-24 11:37:33 -05:00
Nick Mathewson
d73755e36e Merge branch 'maint-0.3.0' 2017-02-24 11:37:04 -05:00
David Goulet
4ed10e5053 hs: Fix bad use of sizeof() when encoding ESTABLISH_INTRO legacy cell
When encoding a legacy ESTABLISH_INTRO cell, we were using the sizeof() on a
pointer instead of using the real size of the destination buffer leading to an
overflow passing an enormous value to the signing digest function.
Fortunately, that value was only used to make sure the destination buffer
length was big enough for the key size and in this case it always was because
of the overflow.

Fixes #21553

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-24 11:36:36 -05:00
Nick Mathewson
5e08fc8557 Also allow C_MEASURE_TIMEOUT circuits to lack guard state.
Fixes a case of 21007; bugfix on 0.3.0.1-alpha when prop271 was
implemented. Found by toralf.
2017-02-24 11:12:21 -05:00
George Kadianakis
f8ac4bb9fd prop224: Rename desc->encrypted_blob to desc->superencrypted_blob 2017-02-24 16:37:24 +02:00
George Kadianakis
6d71eda263 prop224: Rename auth_required HS desc field to intro_auth_required.
And remove "password" type from the list of intro auths.
2017-02-24 16:37:24 +02:00
Nick Mathewson
515e1f663a Add an O(1) map from channel->global_identifier to channel 2017-02-21 20:58:25 -05:00
teor
7a65abf566
Make display of captured unit test log messages consistent
There was a missing space and an extra colon.

Fixes bug 21510; bugfix on 0.2.9.3-alpha.
2017-02-19 23:09:50 +11:00
teor
590bfe3d6d
Reject versions that have non-numeric prefixes
Unit tests #21507.
Part of #21470.
2017-02-19 22:47:47 +11:00
teor
6d0b1a8997
Add unit tests that ensure out of range versions are rejected
Unit tests for #21278.
Part of #21470.
2017-02-19 22:46:42 +11:00
teor
b3e139581b
Add unit tests for version parsing integer size inconsistencies
Unit tests for #21450.
Part of #21470.
2017-02-19 22:45:25 +11:00
teor
e34a209df1
Add unit tests for current tor version git tags
Related to #21470
2017-02-19 22:44:07 +11:00
teor
3c39dab433
Add unit tests for the current range of tor version status tags
Related to #21470.
2017-02-19 22:42:44 +11:00
teor
57154e71aa
Reject Tor versions that contain non-numeric prefixes
strto* and _atoi64 accept +, -, and various whitespace before numeric
characters. And permitted whitespace is different between POSIX and Windows.

Fixes bug 21507 and part of 21508; bugfix on 0.0.8pre1.
2017-02-19 22:38:06 +11:00
Nick Mathewson
aec45bc0b1 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-02-17 17:10:47 -05:00
Nick Mathewson
efa5bbaba0 Merge branch 'maint-0.3.0' 2017-02-17 11:47:49 -05:00
Nick Mathewson
823fb68a14 Remove a redundant check in ..transition_affects_guards()
scan-build found that we we checking UseEntryGuards twice.

Fixes bug 21492.
2017-02-17 11:47:25 -05:00
Nick Mathewson
9b1d99018b Merge branch 'maint-0.3.0' 2017-02-17 11:33:04 -05:00
Nick Mathewson
5dbbd6bc39 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-02-17 11:32:45 -05:00
Nick Mathewson
67cec7578c Check for micro < 0, rather than checking "minor" twice.
Bug found with clang scan-build.  Fixes bug on f63e06d3dc.
Bug not present in any released Tor.
2017-02-17 11:31:39 -05:00
Nick Mathewson
d3f0f10efd Fix memleak in test_getinfo_helper_onion.
Fix on fc58c37e33. Not in any released tor
2017-02-17 10:08:31 -05:00
Nick Mathewson
d004b9222e The UseCreateFast consensus parameter now defaults to 0.
You can still override it with FastFirstHopPK.  But that's
deprecated.

Closes ticket 21407.
2017-02-16 15:30:26 -05:00
Alexander Færøy
3848d23643 Save number of sent/received RELAY_DATA cells for directory connections.
This patch makes us store the number of sent and received RELAY_DATA
cells used for directory connections. We log the numbers after we have
received an EOF in connection_dir_client_reached_eof() from the
directory server.
2017-02-16 15:11:53 +00:00
Nick Mathewson
31be66ea5a Merge remote-tracking branch 'meejah/ticket-21329-onions-current' 2017-02-16 09:40:56 -05:00
Nick Mathewson
832d4636f5 Bump master to 0.3.1.0-alpha-dev 2017-02-15 14:36:56 -05:00
David Goulet
3336f26e60 hs: Avoid a strlen(NULL) if descriptor is not found in cache
Instead of returning 404 error code, this led to a NULL pointer being used and
thus a crash of tor.

Fixes #21471

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-15 10:27:41 -05:00
Nick Mathewson
d633c4757c Merge branch 'maint-0.2.9' 2017-02-15 08:19:51 -05:00
Nick Mathewson
fea93abecd whoops; make 21450 compile 2017-02-15 08:19:37 -05:00
Nick Mathewson
39af9fc2b7 Merge branch 'bug21447' 2017-02-15 08:08:25 -05:00
Nick Mathewson
62f98ad485 Merge branch 'maint-0.2.9' 2017-02-15 07:58:15 -05:00
Nick Mathewson
cb6b3b7cad Limit version numbers to 0...INT32_MAX.
Closes 21450; patch from teor.
2017-02-15 07:57:34 -05:00
Nick Mathewson
76d79d597a Merge branch 'maint-0.2.9' 2017-02-15 07:48:42 -05:00
Nick Mathewson
5d88267bf4 Merge branch 'bug21278_extra_029' into maint-0.2.9 2017-02-15 07:48:30 -05:00
Nick Mathewson
ec6b5a098d Merge branch 'bug21278_redux_029_squashed' into maint-0.2.9 2017-02-15 07:48:18 -05:00
Nick Mathewson
eeb743588a Merge branch 'maint-0.2.8' into maint-0.2.9 2017-02-15 07:48:10 -05:00
Nick Mathewson
1ebdae6171 Merge branch 'maint-0.2.7' into maint-0.2.8 2017-02-15 07:47:28 -05:00
Nick Mathewson
ed806843dc Merge branch 'maint-0.2.6' into maint-0.2.7 2017-02-15 07:47:21 -05:00
Nick Mathewson
3781f24b80 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-15 07:47:12 -05:00
Nick Mathewson
a452b71395 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-15 07:47:04 -05:00
Roger Dingledine
3c4da8a130 give tor_version_parse_platform some function documentation 2017-02-15 07:46:34 -05:00
Nick Mathewson
02e05bd74d When examining descriptors as a dirserver, reject ones with bad versions
This is an extra fix for bug 21278: it ensures that these
descriptors and platforms will never be listed in a legit consensus.
2017-02-15 07:46:34 -05:00
Nick Mathewson
f63e06d3dc Extract the part of tor_version_as_new_as that extracts platform
Also add a "strict" mode to reject negative inputs.
2017-02-15 07:46:34 -05:00
Nick Mathewson
dec7dc3d82 Merge remote-tracking branch 'dgoulet/ticket20656_030_01' 2017-02-14 19:15:10 -05:00
Nick Mathewson
7e469c1002 Merge branch 'bug20894_029_v3' 2017-02-14 19:10:20 -05:00
Nick Mathewson
491348cb8c Rename make fuzz to make test-fuzz-corpora 2017-02-14 18:04:10 -05:00
Nick Mathewson
4c1ecd7583 fixup! Don't atoi off the end of a buffer chunk.
Use STATIC.
2017-02-14 16:45:18 -05:00
Nick Mathewson
c4f2faf301 Don't atoi off the end of a buffer chunk.
Fixes bug 20894; bugfix on 0.2.0.16-alpha.

We already applied a workaround for this as 20834, so no need to
freak out (unless you didn't apply 20384 yet).
2017-02-14 16:38:47 -05:00
Nick Mathewson
a0ef3cf088 Prevent int underflow in dirvote.c compare_vote_rs_.
This should be "impossible" without making a SHA1 collision, but
let's not keep the assumption that SHA1 collisions are super-hard.

This prevents another case related to 21278.  There should be no
behavioral change unless -ftrapv is on.
2017-02-14 16:31:23 -05:00
Nick Mathewson
1afc2ed956 Fix policies.c instance of the "if (r=(a-b)) return r" pattern
I think this one probably can't underflow, since the input ranges
are small.  But let's not tempt fate.

This patch also replaces the "cmp" functions here with just "eq"
functions, since nothing actually checked for anything besides 0 and
nonzero.

Related to 21278.
2017-02-14 16:31:11 -05:00
Nick Mathewson
194e31057f Avoid integer underflow in tor_version_compare.
Fix for TROVE-2017-001 and bug 21278.

(Note: Instead of handling signed ints "correctly", we keep the old
behavior, except for the part where we would crash with -ftrapv.)
2017-02-14 16:10:27 -05:00
David Goulet
3f005c0433 protover: Add new version for prop224 for HSIntro/HSDir
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-14 10:51:18 -05:00
Nick Mathewson
f5995692da Replace entry_guard_get_by_id_digest_for_guard_selection impl.
We already implemented this whole function somewhere else; no need
to have the same code twice.
2017-02-14 10:28:54 -05:00
Nick Mathewson
dca8ae5cfa Merge remote-tracking branch 'dgoulet/bug21116_030_01' 2017-02-13 15:56:01 -05:00
Nick Mathewson
d9827e4729 Merge branch 'maint-0.2.9' 2017-02-13 14:41:43 -05:00
Nick Mathewson
a86f95df5c Merge branch 'maint-0.2.8' into maint-0.2.9 2017-02-13 14:38:03 -05:00
Nick Mathewson
9b90d515a9 Merge branch 'maint-0.2.7' into maint-0.2.8 2017-02-13 14:37:55 -05:00
Nick Mathewson
75fe218b16 Merge branch 'maint-0.2.6' into maint-0.2.7 2017-02-13 14:37:49 -05:00
Nick Mathewson
43c18b1b7a Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-13 14:37:42 -05:00
Nick Mathewson
124062e843 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-13 14:37:01 -05:00
Karsten Loesing
f6016058b4 Update geoip and geoip6 to the February 8 2017 database. 2017-02-12 15:56:31 +01:00
Alexander Færøy
89334a040d Remove unused variable in directory_command_should_use_begindir()
This patch removes the unused router_purpose variable in
directory_command_should_use_begindir().
2017-02-10 23:01:52 +00:00
Alexander Færøy
a0ee5777b0 Change RELAY_BEGINDIR to RELAY_BEGIN_DIR in comments.
This is a purely cosmetic patch that changes RELAY_BEGINDIR in various
comments to RELAY_BEGIN_DIR, which should make it easier to grep for the
symbols.
2017-02-09 16:48:11 +00:00
Nick Mathewson
2670844b2b whoops, removed a semicolon :( 2017-02-09 10:59:48 -05:00
Nick Mathewson
f594bdb3ad One more prop271 XXX. 2017-02-09 10:52:47 -05:00
Nick Mathewson
14c2a1f403 Update some more XXXXprop271 comments to refer to actual tickets or to be up-to-date 2017-02-09 10:48:28 -05:00
Nick Mathewson
3919f4f529 Remove an XXXprop271 comment: turns out we didn't need a tristate 2017-02-09 10:30:20 -05:00
Nick Mathewson
d15273e9f5 Change "prop271" in XXXXs about guard Ed identity to refer to #20872. 2017-02-09 10:29:02 -05:00
Nick Mathewson
fe76741021 Remove a suggestion in an XXX271 comment; it is now 21424. 2017-02-09 10:25:32 -05:00
Nick Mathewson
41f880c396 Remove an XXXprop271 comment that has been replaced by #21423 2017-02-09 10:13:54 -05:00
Nick Mathewson
875e5ee3f7 Revise an XXXprop271 comment -- it has been superseded by #21422 2017-02-09 10:11:44 -05:00
Nick Mathewson
58208457a6 Remove an XXXprop271 comment -- it has been replaced by #21421 2017-02-09 10:07:56 -05:00
Nick Mathewson
f263cf954a Remove a redundant XXX271 comment 2017-02-09 09:57:39 -05:00
David Goulet
e129393e40 test: Add missing socket errno in test_util.c
According to 21116, it seems to be needed for Wheezy Raspbian build. Also,
manpage of socket(2) does confirm that this errno value should be catched as
well in case of no support from the OS of IPv4 or/and IPv6.

Fixes #21116

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-08 09:00:48 -05:00
Alexander Færøy
56bbaed0dc Log response size in connection_dir_client_reached_eof()
This patch ensures that we log the size of the inbuf when a directory
client have reached EOF on the connection.

See: https://bugs.torproject.org/21206
2017-02-07 16:11:01 +00:00
Alexander Færøy
bf37ca07fc Be explicit about body size in log messages.
This patch makes the log-statements in `connection_dir_client_reached_eof`
more explicit by writing "body size" instead of just "size" which could
be confused as being the size of the entire response, which would
include HTTP status-line and headers.

See: https://bugs.torproject.org/21206
2017-02-07 16:08:56 +00:00
Nick Mathewson
4bce2072ac Merge branch 'maint-0.2.6' into maint-0.2.7 2017-02-07 10:39:03 -05:00
Nick Mathewson
8a1f0876ed Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-02-07 10:38:05 -05:00
Nick Mathewson
f2a30413a3 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-07 10:37:53 -05:00
Nick Mathewson
2ce4330249 Merge remote-tracking branch 'public/bug18710_025' into maint-0.2.5 2017-02-07 10:37:43 -05:00
Nick Mathewson
c056d19323 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-07 10:37:31 -05:00
Nick Mathewson
3f5a710958 Revert "Revert "Add hidserv-stats filname to our sandbox filter""
This reverts commit 5446cb8d3d.

The underlying revert was done in 0.2.6, since we aren't backporting
seccomp2 loosening fixes to 0.2.6.  But the fix (for 17354) already
went out in 0.2.7.4-rc, so we shouldn't revert it in 0.2.7.
2017-02-07 10:13:20 -05:00
Alexander Færøy
06e15c8b7c Add debug log statement when sending a directory command.
This patch adds a debug log statement when sending a request to a
directory server. The information logged includes: the payload size (if
available), the total size of the request, the address and port of the
directory server, and the purpose of the directory connection.

See: https://bugs.torproject.org/21206
2017-02-07 15:04:59 +00:00
Nick Mathewson
5b60bd84f2 Bump the version to 0.2.7.6-dev again 2017-02-07 09:59:54 -05:00
Nick Mathewson
e91bb84a91 Merge branch 'maint-0.2.6' into maint-0.2.7-redux
maint-0.2.7-redux is an attempt to try to re-create a plausible
maint-0.2.7 branch.  I've started from the tor-0.2.7.6, and then I
merged maint-0.2.6 into the branch.

This has produced 2 conflicts: one related to the
rendcommon->rendcache move, and one to the authority refactoring.
2017-02-07 09:59:12 -05:00
Nick Mathewson
85a2487f97 Disable a log_backtrace (which 0.2.4 does not have) in 16248 fix 2017-02-07 09:49:23 -05:00
Nick Mathewson
cfeb1db2fb Add comments to connection_check_event(). 2017-02-07 09:48:24 -05:00
Nick Mathewson
457d38a6e9 Change behavior on missing/present event to warn instead of asserting.
Add a changes file.
2017-02-07 09:48:19 -05:00
Nick Mathewson
650c03127a If we start/stop reading on a dnsserv connection, don't assert.
Fixes bug 16248. Patch from cypherpunks.  Bugfix on 0.2.0.1-alpha.
2017-02-07 09:48:13 -05:00
Nick Mathewson
5446cb8d3d Revert "Add hidserv-stats filname to our sandbox filter"
Reverting this in 0.2.6 only -- we're no backporting
seccomp2-loosening fixes to 0.2.6.

This reverts commit 2ec5e24c58.
2017-02-07 09:28:50 -05:00
junglefowl
c4920a60c6 Do not truncate too long hostnames
If a hostname is supplied to tor-resolve which is too long, it will be
silently truncated, resulting in a different hostname lookup:

$ tor-resolve $(python -c 'print("google.com" + "m" * 256)')

If tor-resolve uses SOCKS5, the length is stored in an unsigned char,
which overflows in this case and leads to the hostname "google.com".
As this one is a valid hostname, it returns an address instead of giving
an error due to the invalid supplied hostname.
2017-02-07 09:27:00 -05:00
Nick Mathewson
9379984128 Merge branch 'teor_bug21357-v2_029' into maint-0.2.9 2017-02-07 09:24:08 -05:00
Nick Mathewson
dff390dcc7 Merge branch 'bug21108_029' into maint-0.2.9 2017-02-07 09:22:31 -05:00
Nick Mathewson
c6f2ae514e Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-07 09:18:54 -05:00
Nick Mathewson
b9ef21cf56 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-07 09:17:59 -05:00
Nick Mathewson
e4a42242ea Backport the tonga->bifroest move to 0.2.4.
This is a backport of 19728 and 19690
2017-02-07 09:15:21 -05:00
Nick Mathewson
115cefdeee Merge branch 'maint-0.2.6' into maint-0.2.7 2017-02-07 08:55:07 -05:00
Nick Mathewson
e6965f78b8 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-07 08:54:54 -05:00
Nick Mathewson
6b37512dc7 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-07 08:54:47 -05:00
Nick Mathewson
d6eae78e29 Merge remote-tracking branch 'public/bug19152_024_v2' into maint-0.2.4 2017-02-07 08:47:11 -05:00
Nick Mathewson
8936c50d83 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-07 08:39:07 -05:00
Nick Mathewson
05ec055c41 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-07 08:38:59 -05:00
Nick Mathewson
51675f97d3 Merge remote-tracking branch 'public/bug17404_024' into maint-0.2.4 2017-02-07 08:37:07 -05:00
Nick Mathewson
332543baed Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-07 08:34:08 -05:00
Nick Mathewson
6cb8c0fd4e Refine the memwipe() arguments check for 18089 a little more.
We still silently ignore
     memwipe(NULL, ch, 0);
and
     memwipe(ptr, ch, 0);  /* for ptr != NULL */

But we now assert on:
     memwipe(NULL, ch, 30);
2017-02-07 08:33:51 -05:00
teor (Tim Wilson-Brown)
fb7d1f41b4 Make memwipe() do nothing when passed a NULL pointer or zero size
Check size argument to memwipe() for underflow.

Closes bug #18089. Reported by "gk", patch by "teor".
Bugfix on 0.2.3.25 and 0.2.4.6-alpha (#7352),
commit 49dd5ef3 on 7 Nov 2012.
2017-02-07 08:33:39 -05:00
John Brooks
053e11f397 Fix out-of-bounds read in INTRODUCE2 client auth
The length of auth_data from an INTRODUCE2 cell is checked when the
auth_type is recognized (1 or 2), but not for any other non-zero
auth_type. Later, auth_data is assumed to have at least
REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds
read.

Fixed by checking auth_len before comparing the descriptor cookie
against known clients.

Fixes #15823; bugfix on 0.2.1.6-alpha.
2017-02-07 08:31:37 -05:00
Nick Mathewson
54ec335434 Bump to 0.3.0.3-alpha-dev 2017-02-03 13:58:50 -05:00
Nick Mathewson
39606aece5 Fix "make distcheck".
I had forgotten to include the fuzz_static_testcases.sh script in
EXTRA_DIST.
2017-02-03 12:04:08 -05:00
Nick Mathewson
80a5beae62 Bump version to 0.3.0.3-alpha 2017-02-03 11:33:11 -05:00
Nick Mathewson
19e25d5cab Prevention: never die from extend_info_from_node() failure.
Bug 21242 occurred because we asserted that extend_info_from_node()
had succeeded...even though we already had the code to handle such a
failure.  We fixed that in 93b39c5162.

But there were four other cases in our code where we called
extend_info_from_node() and either tor_assert()ed that it returned
non-NULL, or [in one case] silently assumed that it returned
non-NULL. That's not such a great idea.  This patch makes those
cases check for a bug of this kind instead.

Fixes bug 21372; bugfix on 0.2.3.1-alpha when
extend_info_from_node() was introduced.
2017-02-03 10:35:07 -05:00
Nick Mathewson
9d5a9feb40 Merge branch 'dgoulet/bug21302_030_01_squashed' 2017-02-03 09:54:24 -05:00
David Goulet
eea763400f hs: Remove intro point expiring node if no circuit
Once a second, we go over all services and consider the validity of the intro
points. Now, also try to remove expiring nodes that have no more circuit
associated to them. This is possible if we moved an intro point object
previously to that list and the circuit actually timed out or was closed by
the introduction point itself.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-03 09:54:07 -05:00
David Goulet
8573d99470 hs: Fix an underflow in rend_service_intro_has_opened()
In rend_service_intro_has_opened(), this is subject to a possible underflow
because of how the if() casts the results. In the case where the expiring
nodes list length is bigger than the number of IP circuits, we end up in the
following situation where the result will be cast to an unsigned int. For
instance, "5 - 6" is actually a BIG number.

Ultimately leading to closing IP circuits in a non stop loop.

Partially fixes #21302.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-03 09:54:06 -05:00
cypherpunks
27df23abb6 Use the standard OpenBSD preprocessor definition 2017-02-03 09:37:39 -05:00
Nick Mathewson
0f79fb51e5 dirauth: Fix for calling routers unreachable for wrong ed25519
Previously the dirserv_orconn_tls_done() function would skip routers
when they advertised an ed25519 key but didn't present it during the
link handshake.  But that covers all versions between 0.2.7.2-alpha
and 0.2.9.x inclusive!

Fixes bug 21107; bugfix on 0.3.0.1-alpha.
2017-02-02 10:37:25 -05:00
Nick Mathewson
d732409402 In dirserv_single_reachability_test, node can be const. 2017-02-02 09:36:36 -05:00
Nick Mathewson
96dce88d80 Merge remote-tracking branch 'dgoulet/bug21294_030_02' 2017-02-02 09:07:20 -05:00
David Goulet
5f6d53cefa test: Fix test after log message changed in #21294
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-02 09:03:14 -05:00
Nick Mathewson
6777cd0a84 Merge remote-tracking branch 'public/bug21356_029' 2017-02-02 09:03:13 -05:00
Nick Mathewson
b11f00c153 Merge branch 'bug21294_030_01_squashed' 2017-02-02 08:48:20 -05:00
David Goulet
83df359214 config: Stop recommending Tor2web if in non anonymous mode
Because we don't allow client functionalities in non anonymous mode,
recommending Tor2web is a bad idea.

If a user wants to use Tor2web as a client (losing all anonymity), it should
run a second tor, not use it with a single onion service tor.

Fixes #21294.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-02 08:47:59 -05:00
Nick Mathewson
fc3e742b5b Merge remote-tracking branch 'ahf/ahf/bugs/21266' 2017-02-02 08:40:05 -05:00
Nick Mathewson
2d2ab29ce8 Merge remote-tracking branch 'asn/bug21052' 2017-02-01 15:53:16 -05:00
Alexander Færøy
7eb7af08d9 Add checks for expected log messages in test_hs_intropoint.
This patch adds checks for expected log messages for failure cases of
different ill-formed ESTABLISH_INTRO cell's.

See: https://bugs.torproject.org/21266
2017-02-01 19:01:07 +00:00
David Goulet
cc0342a2ae hs: Fix possible integer underflow with IP nodes
In rend_consider_services_intro_points(), we had a possible interger underflow
which could lead to creating a very large number of intro points. We had a
safe guard against that *except* if the expiring_nodes list was not empty
which is realistic thing.

This commit removes the check on the expiring nodes length being zero. It's
not because we have an empty list of expiring nodes that we don't want to open
new IPs. Prior to this check, we remove invalid IP nodes from the main list of
a service so it should be the only thing to look at when deciding if we need
to create new IP(s) or not.

Partially fixes #21302.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-01 11:07:09 -05:00
Nick Mathewson
77788fa537 Fix a memory-leak in fuzz_vrs.c 2017-02-01 10:57:01 -05:00
Nick Mathewson
24551d64ad Merge branch 'maint-0.2.9' 2017-02-01 10:39:59 -05:00
rubiate
e9ec818c28 Support LibreSSL with opaque structures
Determining if OpenSSL structures are opaque now uses an autoconf check
instead of comparing the version number. Some definitions have been
moved to their own check as assumptions which were true for OpenSSL
with opaque structures did not hold for LibreSSL. Closes ticket 21359.
2017-02-01 10:30:49 -05:00
Nick Mathewson
f1530d0e5a Merge branch 'teor_bug21357-v2_029' 2017-02-01 09:39:25 -05:00
teor
408c53b7a7 Scale IPv6 address counts in policy_summary_reject to avoid overflow
This disregards anything smaller than an IPv6 /64, and rejects ports that
are rejected on an IPv6 /16 or larger.

Adjust existing unit tests, and add more to cover exceptional cases.

No IPv4 behaviour changes.

Fixes bug 21357
2017-02-01 09:39:06 -05:00
teor
4667a40ca9 Fix IPv6 support in policy_summary_reject and policy_summary_accept
This interim fix results in too many IPv6 rejections.

No behaviour change for IPv4 counts, except for overflow fixes that
would require 4 billion redundant 0.0.0.0/0 policy entries to trigger.

Part of 21357
2017-02-01 09:39:06 -05:00
teor
82850d0da6 Refactor policy_summary_reject to prepare for IPv6 changes
No behaviour change, apart from non-fatal assertions

Part of 21357
2017-02-01 09:39:06 -05:00
teor
7e7b3d3df3 Add unit tests for IPv6 address summaries and IPv4 netblock rejection
These tests currently fail due to bug 21357
2017-02-01 09:39:06 -05:00
teor
e95b8f7df9 Fix write_short_policy usage comment 2017-02-01 09:39:05 -05:00
Nick Mathewson
c3b6354412 fix a wide line 2017-02-01 09:35:29 -05:00
Nick Mathewson
222f2fe469 Merge branch 'bug21150_030_01_squashed' 2017-02-01 09:30:02 -05:00
David Goulet
51b562c605 Use an internal variable for HiddenServiceStatistics
Stop modifying the value of our torrc option HiddenServiceStatistics just
because we're not a bridge or relay. This bug was causing Tor Browser users to
write "HiddenServiceStatistics 0" in their torrc files as if they had chosen
to change the config.

Fixes #21150

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-01 09:29:53 -05:00
Nick Mathewson
78011bb7ba Merge branch 'bug21242' 2017-02-01 09:09:58 -05:00
Nick Mathewson
2e93bffa1d Merge remote-tracking branch 'public/bug21129' 2017-02-01 09:01:44 -05:00
Nick Mathewson
f8885b76ef Merge remote-tracking branch 'public/bug21128' 2017-02-01 09:01:28 -05:00
Nick Mathewson
a5aec6ac37 Merge branch 'bug21108_029' 2017-01-31 18:51:26 -05:00
Roger Dingledine
6ff7850f26 be explicit in clear_status_flags_on_sybil that we leave BadExit alone 2017-01-31 18:50:16 -05:00
Nick Mathewson
35d8270942 When marking guard state instances on a channel, don't mark NULL
It's okay for guard_state to be null: we might have a fallback
circuit, or we might not be using guards.

Fixes bug 211228; bugfix on 0.3.0.1-alpha
2017-01-31 14:44:14 -05:00
Nick Mathewson
0f0d4356b2 Don't try to use confirmed_idx in remove_guard_from_...lists()
Since we can call this function more than once before we update all
the confirmed_idx fields, we can't rely on all the relays having an
accurate confirmed_idx.

Fixes bug 21129; bugfix on 0.3.0.1-alpha
2017-01-31 14:34:32 -05:00
Nick Mathewson
a47c133c86 Do not clear is_bad_exit on sybil.
But do clear is_v2_dir.

Fixes bug 21108 -- bugfix on d95e7c7d67 in
0.2.0.13-alpha.
2017-01-31 14:12:14 -05:00
Nick Mathewson
d183ec231b Call monotime_init() earlier.
We need to call it before nt_service_parse_options(), since
nt_service_parse_options() can call back into nt_service_main(),
which calls do_main_loop().

Fixes bug 21356; bugfix on 0.2.9.1-alpha.
2017-01-31 13:02:49 -05:00
Nick Mathewson
746d959100 Don't build circuits till primary guards have descriptors
In addition to not wanting to build circuits until we can see most
of the paths in the network, and in addition to not wanting to build
circuits until we have a consensus ... we shouldn't build circuits
till all of our (in-use) primary guards have descriptors that we can
use for them.

This is another bug 21242 fix.
2017-01-31 12:31:43 -05:00
Nick Mathewson
02da24f8e5 Don't (usually) return any guards that are missing descriptors.
Actually, it's _fine_ to use a descriptorless guard for fetching
directory info -- we just shouldn't use it when building circuits.
Fortunately, we already have a "usage" flag that we can use here.

Partial fix for bug 21242.
2017-01-31 12:30:33 -05:00
Nick Mathewson
26957a127a entry_guard_pick_for_circuit(): TRAFFIC guards must have descriptors
This relates to the 21242 fix -- entry_guard_pick_for_circuit()
should never yield nodes without descriptors when the node is going
to be used for traffic, since we won't be able to extend through
them.
2017-01-31 11:47:09 -05:00
Nick Mathewson
93b39c5162 Downgrade assertion to nonfatal for #21242
This assertion triggered in the (error) case where we got a result
from guards_choose_guard() without a descriptor.  That's not
supposed to be possible, but it's not worth crashing over.
2017-01-31 11:35:57 -05:00
Nick Mathewson
09a00a2f82 Merge remote-tracking branch 'public/bug21300' 2017-01-31 11:09:04 -05:00
Nick Mathewson
cccd3f1dae entrynodes: Remove "split these functions" XXXXs
They now have a ticket: #21349.
2017-01-30 10:49:40 -05:00
Nick Mathewson
ed4a3dfef2 Remove XXXXprop271 comments from test_entrynodes.c
These commments were complaints about how I didn't like some aspects
of prop271.  They have been superseded by ticket 20832.
2017-01-30 10:43:53 -05:00
Nick Mathewson
7d0df8bad8 Remove a couple of stale comments from entrynodes.h 2017-01-30 10:38:24 -05:00
Nick Mathewson
fe04bdcdbb GUARD_WAIT is now specified too 2017-01-30 10:33:17 -05:00
Nick Mathewson
ead934e61e Remove prop271 "spec deviation" comments -- the spec has been updated
In some cases, replace those comments with better ones.
2017-01-30 10:30:09 -05:00
Nick Mathewson
4d83999213 Make "GETCONF SocksPort" work again
I broke "GETCONF *Port" in 20956, when I made SocksPort a
subordinate option of the virtual option SocksPortLines, so that I
could make SocksPort and __SocksPort provide qthe same
functionality.  The problem was that you can't pass a subordinate
option to GETCONF.

So, this patch fixes that by letting you fetch subordinate options.

It won't always be meaningful to consider these options
out-of-context, but that can be the controller-user's
responsibility to check.

Closes ticket 21300.
2017-01-30 10:09:47 -05:00
Nick Mathewson
088cc3604b Don't use %zu in fuzz-http: windows doesn't like it. 2017-01-30 09:09:42 -05:00
Nick Mathewson
558c04f5b1 Merge branch 'combined-fuzzing-v4' 2017-01-30 08:40:46 -05:00
Nick Mathewson
d71fc47438 Update documentation and testing integration for fuzzing 2017-01-30 08:37:27 -05:00
Nick Mathewson
2202ad7ab0 Fix a pair of compilation errors. 2017-01-30 08:37:27 -05:00
Nick Mathewson
1d8e9e8c69 Fix memory leak on zero-length input on fuzz_http.c 2017-01-30 08:37:27 -05:00
Nick Mathewson
143235873b Memory leak on bogus ed key in microdesc 2017-01-30 08:37:26 -05:00
Nick Mathewson
34fd636870 memory leak in fuzz_vrs 2017-01-30 08:37:26 -05:00
Nick Mathewson
a092bcdd4f Fix a memory leak found while fuzzing 2017-01-30 08:37:26 -05:00
Nick Mathewson
09d01466b2 actually build .as for fuzzing 2017-01-30 08:37:26 -05:00
Nick Mathewson
1c7862bfb4 missing backslash 2017-01-30 08:37:26 -05:00
Nick Mathewson
f547352637 differently build oss fuzzers 2017-01-30 08:37:26 -05:00
Nick Mathewson
cf71f8ad32 More oss-fuzz fixes 2017-01-30 08:37:25 -05:00
Nick Mathewson
92679d90d5 Try to refactor OSS fuzzers into static libraries. 2017-01-30 08:37:25 -05:00
Nick Mathewson
1b244a64e4 libfuzzer tweaks per recommendations 2017-01-30 08:37:25 -05:00
Nick Mathewson
024fa9d4d7 routerstatus fuzzing 2017-01-30 08:37:25 -05:00
Nick Mathewson
eb414a08a9 Add libfuzzer support. 2017-01-30 08:37:25 -05:00
Nick Mathewson
b1567cf500 Three more fuzzers: consensus, hsdesc, intro points 2017-01-30 08:37:24 -05:00
Nick Mathewson
83e9918107 Tools for working with directories of fuzzed stuff. 2017-01-30 08:37:24 -05:00
Nick Mathewson
301eff0e90 fuzzing: Add copyright notices and whitespace fixes 2017-01-30 08:37:24 -05:00
Nick Mathewson
4afb155db2 Add microdesc format fuzzer. 2017-01-30 08:37:24 -05:00
Nick Mathewson
3c74855934 Addition to test cases: make sure fuzzer binaries allow known cases
This isn't fuzzing per se, so much as replaying the highlights of
past fuzzer runs.
2017-01-30 08:37:24 -05:00
Nick Mathewson
81e44c2257 Add extrainfo fuzzer 2017-01-30 08:37:24 -05:00
Nick Mathewson
44fa14c0e2 Try to tweak fuzzing.md to correspond to my changes 2017-01-30 08:37:24 -05:00
teor
0fb1156e9f Add a script for running multiple fuzzing sessions on multiple cores 2017-01-30 08:37:23 -05:00
teor
416e2f6b28 Guide fuzzing by adding standard tor GET and POST testcases 2017-01-30 08:37:23 -05:00
Nick Mathewson
56b61d1831 Add more tweaks from teor's http fuzzing code.
Move option-manipulation code to fuzzing_common.
2017-01-30 08:37:23 -05:00
teor
584d723e04 Restrict fuzzing to the directory headers 2017-01-30 08:37:23 -05:00
Nick Mathewson
949e9827d6 Add a descriptor fuzzing dictionary. 2017-01-30 08:37:23 -05:00
Nick Mathewson
ca657074b9 Fuzzing: initialize siphash key, don't init_logging twice. 2017-01-30 08:37:23 -05:00
Nick Mathewson
0666928c5c Replace signature-checking and digest-checking while fuzzing 2017-01-30 08:37:22 -05:00
Nick Mathewson
e2aeaeb76c Make a bunch of signature/digest-checking functions mockable 2017-01-30 08:37:22 -05:00
meejah
fc58c37e33 Ticket #21329: GETINFO onions/current returns empty list
If there are no ephemeral or detached onion services, then
"GETINFO onions/current" or "GETINFO onions/detached" should
return an empty list instead of an error
2017-01-28 13:59:29 -07:00
Nick Mathewson
67eb6470d7 Merge branches 'server_ciphers' and 'ciphers.inc' 2017-01-27 16:45:18 -05:00
Daniel Kahn Gillmor
e1337b4252 client: set IPv6Traffic to on by default
See:
  https://trac.torproject.org/projects/tor/ticket/21269
  https://bugs.debian.org/851798

Closes #21269

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-27 09:12:32 -05:00
Nick Mathewson
795582169a Bulletproof conn_get_outbound_address() a little. 2017-01-27 08:12:14 -05:00
Nick Mathewson
782c52658c Remove an impossible comparison. 2017-01-27 08:08:08 -05:00
Nick Mathewson
81c78ec755 Outbindbindaddress variants for Exit and OR.
Allow separation of exit and relay traffic to different source IP
addresses (Ticket #17975). Written by Michael Sonntag.
2017-01-27 08:05:29 -05:00
Nick Mathewson
ad382049ed Fix a signed/unsigned comparison warning 2017-01-25 13:23:08 -05:00
junglefowl
373d9aff7a Fail if file is too large to mmap.
If tor_mmap_file is called with a file which is larger than SIZE_MAX,
only a small part of the file will be memory-mapped due to integer
truncation.

This can only realistically happen on 32 bit architectures with large
file support.
2017-01-25 13:21:44 -05:00
junglefowl
d5a95e1ea1 Do not truncate too long hostnames
If a hostname is supplied to tor-resolve which is too long, it will be
silently truncated, resulting in a different hostname lookup:

$ tor-resolve $(python -c 'print("google.com" + "m" * 256)')

If tor-resolve uses SOCKS5, the length is stored in an unsigned char,
which overflows in this case and leads to the hostname "google.com".
As this one is a valid hostname, it returns an address instead of giving
an error due to the invalid supplied hostname.
2017-01-25 13:13:25 -05:00
Nick Mathewson
363be43df3 Re-run gen_server_ciphers 2017-01-24 15:30:35 -05:00
Nick Mathewson
4f1dc34e36 Regenerate ciphers.inc 2017-01-24 15:05:35 -05:00
Nick Mathewson
12efa1f1cc Add a unit test for dropguards 2017-01-24 09:18:56 -05:00
Nick Mathewson
818b44cc7c Repair the (deprecated, ugly) DROPGUARDS controller function.
This actually is much easier to write now that guard_selection_t is
first-class.
2017-01-24 09:18:56 -05:00
Nick Mathewson
fae4d3d925 Merge remote-tracking branch 'asn/remove_legacy_guards' 2017-01-24 09:01:25 -05:00
George Kadianakis
b047d97b28 Remove some more remnants of legacy guard selection. 2017-01-24 13:35:57 +02:00
Nick Mathewson
d95d988946 Merge branch 'feature_20956_029' 2017-01-23 16:07:15 -05:00
Nick Mathewson
83307fc267 Add __SocksPort etc variants for non-persistent use
Implements feature 20956.
2017-01-23 16:06:51 -05:00
Nick Mathewson
c4cc11a9df Bump to 0.3.0.2-alpha-dev 2017-01-23 14:38:10 -05:00
Nick Mathewson
0d4d9b6d88 Bump version to 0.2.9.9-dev 2017-01-23 14:34:08 -05:00
Nick Mathewson
beaeee25ae version bump (0.3.0.2-alpha) 2017-01-23 08:20:46 -05:00
Nick Mathewson
698df98837 version bump 2017-01-23 08:19:48 -05:00
David Goulet
96c7ddbc7e circuit: Change close reasons from uint16_t to int
When marking for close a circuit, the reason value, a integer, was assigned to
a uint16_t converting any negative reasons (internal) to the wrong value. On
the HS side, this was causing the client to flag introduction points to be
unreachable as the internal reason was wrongfully converted to a positive
16bit value leading to flag 2 out of 3 intro points to be unreachable.

Fixes #20307 and partially fixes #21056

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-22 19:02:01 -05:00
Nick Mathewson
e52f49aa80 Merge remote-tracking branch 'public/ticket18319' 2017-01-21 14:44:00 -05:00
Nick Mathewson
9023d7361d Fix return type in test_hs_intropoint.c
In trunnel, {struct}_encoded_len() can return negative values.

Coverity caught this as 1398957.
2017-01-19 08:26:55 -05:00
teor
d35ca518b4 Remove extra newline from proxy_prepare_for_restart definition 2017-01-19 08:12:26 -05:00
Nick Mathewson
85a17ee2e7 whitespace fixes 2017-01-18 17:14:42 -05:00
Nick Mathewson
88e4ffab9e Merge remote-tracking branch 'dgoulet/ticket20029_030_06-resquash' 2017-01-18 17:13:36 -05:00
George Kadianakis
d6c14915cd Improve a few comments.
- Also remove LCOV marks from blocks of code that can be reachable by tests
  if we mock relay_send_command_from_edge().

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:59:16 -05:00
David Goulet
50cfc98340 prop224: Add unit tests for INTRODUCE1 support
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:58:54 -05:00
David Goulet
5208085be1 hs: Rename rend_mid_introduce() with legacy semantic
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:58:34 -05:00
David Goulet
db77a38da2 hs: Remove useless code in rend_mid_introduce()
With the previous commit, we validate the circuit _before_ calling
rend_mid_introduce() which handles the INTRODUCE1 payload.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:58:34 -05:00
David Goulet
9d7505a62a prop224: Rename hs_intro_circuit_is_suitable()
Adds a better semantic and it also follows the same interface for the
INTRODUCE1 API which is circuit_is_suitable_for_introduce1().

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:58:34 -05:00
David Goulet
e1497744c8 prop224: Add INTRODUCE1 cell relay support
Closes #20029

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:58:33 -05:00
Nick Mathewson
d5d7c3e638 Remove argument from guards_choose_dirguard 2017-01-18 15:58:19 -05:00
Nick Mathewson
3efe8bb8ac Remove some now-spurious blocks and indentation. 2017-01-18 15:45:02 -05:00
Nick Mathewson
5b97d7e110 Remove PDS_FOR_GUARD 2017-01-18 15:42:28 -05:00
Nick Mathewson
6d03e36fd0 Remove GS_TYPE_LEGACY 2017-01-18 15:37:01 -05:00
Nick Mathewson
a31a5581ee Remove UseDeprecatedGuardAlgorithm. 2017-01-18 15:33:26 -05:00
Nick Mathewson
472b277207 Remove the (no longer compiled) code for legacy guard selection.
Part of 20830.
2017-01-18 15:27:10 -05:00
Nick Mathewson
e167a0e17d Merge remote-tracking branch 'dgoulet/bug21062_030_01' 2017-01-18 15:11:36 -05:00
Nick Mathewson
31dd7dec9a Merge branch 'bug20684_030_01' 2017-01-18 15:08:42 -05:00
Nick Mathewson
e0e729d4b5 put units in constant names for DIRCACHE_MEN_MEM* 2017-01-18 15:08:10 -05:00
Nick Mathewson
9d47f4d298 Fix a memory leak in bench.c 2017-01-18 14:29:52 -05:00
Neel Chauhan
426ceb41ef Rename DIRCACHE_MIN_BANDWIDTH and DIRCACHE_MIN_MB_BANDWIDTH
Renamed to DIRCACHE_MIN_MEM and DIRCACHE_MIN_MB_MEM.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 13:15:54 -05:00
David Goulet
0069d14753 circuit: Make circuit_build_times_disabled take an or_options_t
That way, when we are parsing the options and LearnCircuitBuildTimeout is set
to 0, we don't assert trying to get the options list with get_options().

Fixes #21062

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 12:53:01 -05:00
Nick Mathewson
fa00f2dce5 Merge branch 'ahf_bugs_17847_2_squashed' 2017-01-18 11:04:58 -05:00
Alexander Færøy
46ef32ba22 Refactor duplicated extrainfo checks into a common macro.
This patch refactors duplicated code, to check if a given router
supports fetching the extra-info document, into a common macro called
SKIP_MISSING_TRUSTED_EXTRAINFO.
2017-01-18 11:04:49 -05:00
Alexander Færøy
0ff9ea2afd Generalize router_is_already_dir_fetching_{rs,ds}.
This patch generalizes the two functions
router_is_already_dir_fetching_rs and router_is_already_dir_fetching_ds
into a single function, router_is_already_dir_fetching_, by lifting the
passing of the IPv4 & IPv6 addresses and the directory port number to
the caller.
2017-01-18 11:04:49 -05:00
Nick Mathewson
b6dce6cfec Merge remote-tracking branch 'asn/bug21142' 2017-01-18 10:44:35 -05:00
Nick Mathewson
9469aaaa82 Handle __NonSavedOptions correctly inside LINELIST_V blocks. 2017-01-18 10:25:10 -05:00
Nick Mathewson
3dd738d5f9 Simplify the VPORT() macro in config.c
It's always called with the same arguments, and there wouldn't be
much point to calling it differently.
2017-01-18 10:07:55 -05:00
Nick Mathewson
69cb6f34cb Merge remote-tracking branch 'dgoulet/bug19953_030_01' 2017-01-18 09:10:46 -05:00
Nick Mathewson
4334a4b784 Merge remote-tracking branch 'dgoulet/bug21033_030_01' 2017-01-18 09:08:16 -05:00
Nick Mathewson
e69afb853d Merge branch 'bug19769_19025_029' 2017-01-18 09:02:48 -05:00
Philipp Winter
eae68fa2d2 Initialise DNS TTL for A and AAAA records.
So far, the TTLs for both A and AAAA records were not initialised,
resulting in exit relays sending back the value 60 to Tor clients.  This
also impacts exit relays' DNS cache -- the expiry time for all domains
is set to 60.

This fixes <https://bugs.torproject.org/19025>.
2017-01-18 08:57:09 -05:00
Nick Mathewson
a969ae8e21 test_cfmt_connected_cells: use TTL value that's above the new min.
Related to 19769.
2017-01-18 08:56:34 -05:00
Nick Mathewson
609065f165 DefecTor countermeasure: change server- and client-side DNS TTL clipping
The server-side clipping now clamps to one of two values, both
for what to report, and how long to cache.

Additionally, we move some defines to dns.h, and give them better
names.
2017-01-18 08:55:57 -05:00
David Goulet
1636777dc8 hs: Allow from 0 to MAX introduction points
An operator couldn't set the number of introduction point below the default
value which is 3. With this commit, from 0 to the hardcoded maximum is now
allowed.

Closes #21033

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-17 14:58:50 -05:00
David Goulet
e16148a582 relay: Honor DataDirectoryGroupReadable at key init
Our config code is checking correctly at DataDirectoryGroupReadable but then
when we initialize the keys, we ignored that option ending up at setting back
the DataDirectory to 0700 instead of 0750. Patch by "redfish".

Fixes #19953

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-17 14:40:01 -05:00
Nick Mathewson
92c3926479 Fix a double-free in rend_config_services()
Found by coverity scan; CID 1398917
2017-01-17 11:35:26 -05:00
George Kadianakis
def7115fe4 prop271: Move new funcs to top, to avoid compiler warnings. 2017-01-17 14:35:38 +02:00
George Kadianakis
2938fd3b85 prop271: When we exhaust all guards, mark all of them for retry.
In the past, when we exhausted all guards in our sampled set, we just
waited there till we mark a guard for retry again (usually takes 10 mins
for a primary guard, 1 hour for a non-primary guard). This patch marks
all guards as maybe-reachable when we exhaust all guards (this can
happen when network is down for some time).
2017-01-17 14:35:38 +02:00
George Kadianakis
1bc440eda4 Correctly maintain circuits in circuits_pending_other_guards(). 2017-01-17 13:26:59 +02:00
Nick Mathewson
111c66b2f0 Merge remote-tracking branch 'public/ticket20921' 2017-01-16 12:59:39 -05:00
Neel Chauhan
9e5512b48d Disallow setting UseBridges to 1 and UseEntryGuards to 0 2017-01-14 14:55:23 -05:00
Nick Mathewson
fc2656004a Merge remote-tracking branch 'dgoulet/bug20307_030_01' 2017-01-13 16:56:56 -05:00
Nick Mathewson
94e8f60901 Merge branch 'ipv6-only-client_squashed' 2017-01-13 16:49:48 -05:00
teor
2debcc869f Remove redundant boolean expression from firewall_is_fascist_impl()
Let A = UseBridges
Let B = ClientUseIPv4

Then firewall_is_fascist_impl expands and simplifies to:
B || (!(A || ...) && A)
B || (!A && ... && A)
B || 0
B
2017-01-13 16:49:33 -05:00
teor
0417dae580 When IPv6 addresses have not been downloaded, use hard-coded address info
The microdesc consensus does not contain any IPv6 addresses.
When a client has a microdesc consensus but no microdescriptor, make it
use the hard-coded IPv6 address for the node (if available).

(Hard-coded addresses can come from authorities, fallback directories,
or configured bridges.)

If there is no hard-coded address, log a BUG message, and fail the
connection attempt. (All existing code checks for a hard-coded address
before choosing a node address.)

Fixes 20996, fix on b167e82 from 19608 in 0.2.8.5-alpha.
2017-01-13 16:49:33 -05:00
teor
5227ff4aad Remove redundant options checks for IPv6 preference conflicts
It is no longer possible for the IPv6 preference options to differ from the
IPv6 usage: preferring IPv6 implies possibly using IPv6.

Also remove the corresponding unit test warning message checks.
(But keep the unit tests themselves - they now run without warnings.)
2017-01-13 16:49:27 -05:00
Nick Mathewson
3e45b12f38 Merge remote-tracking branch 'dgoulet/bug21054_030_01' 2017-01-13 16:45:55 -05:00
Nick Mathewson
ac75c33991 fix wide lines 2017-01-13 16:35:35 -05:00
Nick Mathewson
dafdbc2e9f Merge remote-tracking branch 'dgoulet/bug20992_030_01' 2017-01-13 16:32:58 -05:00
Nick Mathewson
5762d6489d Merge branch 'bug21019_030_01_squashed' 2017-01-13 12:11:00 -05:00
David Goulet
fb8dad5ceb hs: Log if service can't connect to application
In order to help an HS operator knowing if the application configured behind
it is not working properly, add a log at warning level for the connection
refused or timeout case. This log will only be printed if a client connection
fails and is rate limited.

Closes #21019

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-13 12:10:53 -05:00
Nick Mathewson
7844c5ddd7 Have circuit_get_global_origin_circuit_list() return the right list. Bug 21118 2017-01-12 13:18:09 -05:00
Nick Mathewson
2e656d19e5 comment fix from pastly 2017-01-11 15:12:59 -05:00
Nick Mathewson
f1d622e2b2 repair whitespace. 2017-01-11 14:59:19 -05:00
Nick Mathewson
62c6d5fe16 Merge remote-tracking branch 'dgoulet/ticket19925_030_01' 2017-01-11 14:33:55 -05:00
Nick Mathewson
ac3b559e93 Merge branch 'bug20569_030_02_squashed' 2017-01-11 12:52:52 -05:00
David Goulet
870b5e2227 hs: Use AES-256 for v3 descriptor
That key size is taken from proposal 224 thus specified in the protocol.

Closes #20569

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-11 12:52:34 -05:00
Nick Mathewson
7892683e7e Merge remote-tracking branch 'asn/bug20852_v1' 2017-01-11 10:14:50 -05:00
Nick Mathewson
8f893fbca9 Merge remote-tracking branch 'public/bug20974' 2017-01-11 09:51:58 -05:00
Nick Mathewson
2db858ef61 Merge remote-tracking branch 'jryans/dependant-corrected' 2017-01-11 09:28:54 -05:00
Nick Mathewson
b9054c6ee4 Merge branch 'bug20987_squashed' 2017-01-11 09:21:09 -05:00
Nick Mathewson
3a3e88dbd4 Fix memory leak when failing to configure hidden services.
In 8a0ea3ee43 we added a
temp_service_list local variable to rend_config_services, but we
didn't add a corresponding "free" for it to all of the exit paths.

Fixes bug 20987; bugfix on 0.3.0.1-alpha.
2017-01-11 09:20:23 -05:00
Nick Mathewson
4f1a5da473 Merge remote-tracking branch 'public/ticket21037' 2017-01-11 09:17:21 -05:00
Nick Mathewson
730cc16b72 Merge remote-tracking branch 'teor/bug21123' 2017-01-11 09:15:04 -05:00
Nick Mathewson
c7936b86c2 Merge branch 'maint-0.2.9' 2017-01-11 09:13:53 -05:00
Nick Mathewson
0809690b48 Merge branch 'maint-0.2.8' into maint-0.2.9 2017-01-11 09:13:34 -05:00
Nick Mathewson
c77ace69bb Merge branch 'maint-0.2.7' into maint-0.2.8 2017-01-11 09:13:15 -05:00
Nick Mathewson
8c91cbb6ca Merge branch 'maint-0.2.6' into maint-0.2.7 2017-01-11 09:12:51 -05:00
Nick Mathewson
54771bcaba Merge branch 'maint-0.2.5' into maint-0.2.6 2017-01-11 09:12:21 -05:00
Nick Mathewson
34fdd510ef Merge branch 'maint-0.2.4' into maint-0.2.5 2017-01-11 09:11:58 -05:00
David Goulet
c0a0c19725 test: Add ESTABLISH_INTRO unit tests
This commit adds 3 unit tests which validates a wrong signature length, a
wrong authentication key length and a wrong MAC in the cell.

Closes #20992

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-10 09:24:21 -05:00
David Goulet
8a33abcd65 control: Add GETINFO command for the shared random values
Add the "sr/current" and "sr/previous" keys for the GETINFO command in order
to get through the control port the shared random values from the consensus.

Closes #19925

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-09 11:33:05 -05:00
George Kadianakis
e1d7661412 Max HS descriptor size is now 50kb and also consensus param. 2017-01-09 15:02:56 +02:00
Chelsea H. Komlo
655ffeadd5 comment fixups 2017-01-08 13:14:56 -05:00
Nick Mathewson
f4ebbf7567 fixup! Fix unit test failures in response to DNS hijacking. 2017-01-04 09:03:41 -05:00
Karsten Loesing
3833f67dd2 Update geoip and geoip6 to the January 4 2017 database. 2017-01-04 10:19:52 +01:00
Nick Mathewson
c4a6b56cc1 Fix unit test failures in response to DNS hijacking.
Some DNS NXDOMAIN hijackers hijack truly ridiculous domains, like
"invalid-stuff!!" or "1.2.3.4.5".  This would provoke unit test
failures where we used addresses like that to force
tor_addr_lookup() to fail.  The fix, for testing, is to mock
tor_addr_lookup() with a variant that always fails when it gets
a name with a !.

Fixes bugs 20862 and 20863.
2017-01-03 10:17:00 -05:00
Nick Mathewson
f23ec14d62 Make tor_addr_lookup() mockable. 2017-01-03 10:11:15 -05:00
teor
518ef61975
Clarify the message logged when a remote relay is unexpectedly missing a port
(Users were confusing this with a local port.)

Fixes bug 20711; bugfix on 0.2.8.2-alpha.
2017-01-03 16:56:32 +11:00
teor
18f47bbb73
Allow relays to use directory mirrors without a DirPort
These relays need to be contacted over their ORPorts using a begindir
connection, and relays try not to use begindir connections.

Fixes bug 20711; bugfix on 0.2.8.2-alpha.
2017-01-03 16:52:56 +11:00
teor
c83463ef74
Remove a rendundant check for PidFile changes at runtime
This check is already performed regardless of whether the sandbox is active.

Fixes bug 21123; bugfix on commit 2ae47d3 in 0.2.5.4-alpha.
2017-01-03 15:03:34 +11:00
Nick Mathewson
ef0559c3e3 Extract global_origin_circuit_list manipulation code into new fns.
Closes ticket 20921.
2017-01-02 13:12:06 -05:00
Nick Mathewson
6aac6c6bee Make ed25519_fmt() log 0-valued keys more nicely.
Because <unset> makes more sense than AAAAAAAAAAAAAAAAAAA...

(I have indeed verified that ed25519_fmt() is only used for
logging. This patch also clarifies the intention that ed25519_fmt()
is only for logging.

Closes ticket 21037.
2017-01-02 12:31:15 -05:00
Nick Mathewson
97ed2ce085 Unindent long-misindented blocks.
We switched these to be "if (1) " a while back, so we could keep
the indentation and avoid merge conflicts.  But it's nice to clean
up from time to time.
2017-01-02 12:16:57 -05:00
Nick Mathewson
26651d7fdb Fix some dubious indentation 2017-01-02 12:13:11 -05:00
Nick Mathewson
b317813485 Make GETINFO entry-guards work again with prop271
This is not a great solution, but it's as close to
backward-compatible as possible.  A better GETINFO API should expose
more information.
2017-01-02 10:10:03 -05:00
Nick Mathewson
9d37449fb0 Move entry-guard-is-up notification later into dirguard path.
Previously we were marking directory guards up in
..._process_inbuf(), but that's wrong: we call that function on
close as well as on success.  Instead, we're marking the dirguard up
only after we parse the HTTP headers. Closes 20974.
2017-01-02 09:56:06 -05:00
J. Ryan Stinnett
58172be657 Use the correct spelling for "Dependent" in the control protocol.
Fixes #18146.
2016-12-29 22:32:42 -06:00
Nick Mathewson
1a45398ffa Fix double-free on test failure
Found by coverity scan; CID 1398167.
2016-12-27 10:20:13 -05:00
Nick Mathewson
0a0e513d42 Merge remote-tracking branch 'dgoulet/bug20991_030_01' 2016-12-23 10:56:36 -05:00
cypherpunks
04f21f0322 Remove abort handler from the backtrace generator
The abort handler masks the exit status of the backtrace generator by
capturing the abort signal from the backtrace handler and exiting with
zero. Because the output of the backtrace generator is meant to be piped
to `bt_test.py`, its exit status is unimportant and is currently
ignored.

The abort handler calls `exit(3)` which is not asynchronous-signal-safe
and calling it in this context is undefined behavior [0].

Closes ticket 21026.

[0] https://www.securecoding.cert.org/confluence/x/34At
2016-12-23 10:54:17 -05:00
Nick Mathewson
40ce7a83c4 whitespace fix 2016-12-23 10:46:14 -05:00
Nick Mathewson
0087fe36c1 Merge remote-tracking branch 'dgoulet/bug20572_030_01' 2016-12-23 10:03:35 -05:00
Nick Mathewson
fda7f00321 Note memset as redundant; see 20764. 2016-12-23 09:59:41 -05:00
Nick Mathewson
cea1a4e19d This is no longer inline. 2016-12-23 09:50:44 -05:00
Hans Jerry Illikainen
a23fd15786 Fix unreachable heap corruption in base64_decode()
Give size_mul_check() external linkage and use it in base64_decode() to
avoid a potential integer wrap.

Closes #19222
2016-12-23 09:47:09 -05:00
Nick Mathewson
9fb2bf2f3f Merge remote-tracking branch 'dgoulet/bug19899_030_01' 2016-12-23 08:28:05 -05:00
George Kadianakis
7456677a50 Make outter (plaintext) layer of HS desc conform to prop224.
This basically means changing the 'encrypted' field to 'superencrypted'.
2016-12-23 15:07:21 +02:00
Nick Mathewson
a6eaa121e4 Merge branch 'maint-0.2.9' 2016-12-23 08:06:19 -05:00
David Goulet
955d4b7abd circuit: Change close reasons from uint16_t to int
When marking for close a circuit, the reason value, a integer, was assigned to
a uint16_t converting any negative reasons (internal) to the wrong value. On
the HS side, this was causing the client to flag introduction points to be
unreachable as the internal reason was wrongfully converted to a positive
16bit value leading to flag 2 out of 3 intro points to be unreachable.

Fixes #20307 and partially fixes #21056

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-22 12:37:42 -05:00
David Goulet
2d1fa58fb4 test: Add unit test for prune_services_on_reload()
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-21 15:00:19 -05:00
David Goulet
36b5ca2c8b hs: Move and improve the service pruning code
First, this commit moves the code used to prune the service list when
reloading Tor (HUP signal for instance) to a function from
rend_config_services().

Second, fix bug #21054, improve the code by using the newly added
circuit_get_next_service_intro_circ() function instead of poking at the global
list directly and add _many_ more comments.

Fixes #21054.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-21 15:00:19 -05:00
David Goulet
8a05e1a5d2 circuit: Add a function to get the next service intro circuit
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-21 15:00:19 -05:00
Nick Mathewson
a757f76967 Withstand failures in CLOCK_MONOTONIC_COARSE
This came up on #21035, where somebody tried to build on a linux
system with kernel headers including CLOCK_MONOTONIC_COARSE, then
run on a kernel that didn't support it.

I've adopted a belt-and-suspenders approach here: we detect failures
at initialization time, and we also detect (loudly) failures later on.

Fixes bug 21035; bugfix on 0.2.9.1-alpha when we started using
monotonic time.
2016-12-21 08:17:26 -05:00
Nick Mathewson
2673b4b7a8 Merge branch 'maint-0.2.6' into maint-0.2.7 2016-12-20 18:23:19 -05:00
Nick Mathewson
b6227edae1 Add a one-word sentinel value of 0x0 at the end of each buf_t chunk
This helps protect against bugs where any part of a buf_t's memory
is passed to a function that expects a NUL-terminated input.

It also closes TROVE-2016-10-001 (aka bug 20384).
2016-12-20 18:22:53 -05:00
Nick Mathewson
39ef343523 Add a one-word sentinel value of 0x0 at the end of each buf_t chunk
This helps protect against bugs where any part of a buf_t's memory
is passed to a function that expects a NUL-terminated input.
2016-12-20 18:20:01 -05:00
Nick Mathewson
8f857c23b7 Add a one-word sentinel value of 0x0 at the end of each buf_t chunk
This helps protect against bugs where any part of a buf_t's memory
is passed to a function that expects a NUL-terminated input.
2016-12-20 18:18:53 -05:00
Nick Mathewson
a9c8a5ff18 Merge branch 'maint-0.2.6' into maint-0.2.7 2016-12-20 18:14:21 -05:00
Nick Mathewson
b18bde23cf Merge branch 'maint-0.2.5' into maint-0.2.6 2016-12-20 18:11:25 -05:00
Nick Mathewson
db58d4d16f Merge branch 'maint-0.2.4' into maint-0.2.5 2016-12-20 18:11:08 -05:00
Nick Mathewson
60769e710f Port fuzz_http to use fuzzing_common.
Move common logic from fuzz_http to fuzzing_common.
2016-12-19 15:34:56 -05:00
teor
a967d568dc Add a fuzzer for the http used in our directory protocol
(Teor wrote the code, nick extracted it.  It won't compile yet.)
2016-12-19 15:34:56 -05:00
Nick Mathewson
b96c70d668 Fuzzing: Add an initial fuzzing tool, for descriptors.
This will need some refactoring and mocking.
2016-12-19 15:34:55 -05:00
teor
fca91a7793 for fuzzing: Add a function to make a buf with given contents
(Teor wrote the code, nick extracted it into a smaller patch.)
2016-12-19 15:02:08 -05:00
teor
02068c6391 For fuzzing: Expose directory_handle_command.
(Nick extracted this patch from a larger patch by Teor.)
2016-12-19 15:02:08 -05:00
Nick Mathewson
9bf89f80ce bump to 0.3.0.1-alpha-dev 2016-12-19 14:24:38 -05:00
Nick Mathewson
6a7cb21e13 Bump to 0.3.0.1-alpha 2016-12-19 13:14:24 -05:00
Nick Mathewson
c468df3961 Don't warn about absent guard state when none expected.
Self-testing circuits don't use guards, and nobody uses guards when
UseEntryGuards is disabled.

Fixes bug 21007; bug not in any released Tor.
2016-12-19 12:24:30 -05:00
Nick Mathewson
897d3c6d13 Bump to 0.2.9.8-dev 2016-12-19 10:13:01 -05:00
Nick Mathewson
f62c74cc72 Bump to 0.2.8.12-dev 2016-12-19 10:12:11 -05:00
Nick Mathewson
24318fbda9 Bump to 0.2.9.8 2016-12-19 08:08:44 -05:00
Nick Mathewson
b838e1f927 Bump to 0.2.8.12 2016-12-19 08:07:30 -05:00
Nick Mathewson
f9f1e3c94b Merge branch 'maint-0.2.9' 2016-12-19 08:03:17 -05:00
Nick Mathewson
de65647461 Merge branch 'maint-0.2.8' into maint-0.2.9 2016-12-19 07:58:43 -05:00
Nick Mathewson
c11de4c45f Merge branch 'bug21018_024' into maint-0.2.8 2016-12-19 07:58:21 -05:00
Nick Mathewson
2dc5226644 Merge branch 'maint-0.2.9' 2016-12-19 07:31:19 -05:00
Nick Mathewson
169a93fff2 Merge branch 'maint-0.2.8' into maint-0.2.9 2016-12-19 07:30:42 -05:00
Nick Mathewson
e0306320b5 Merge remote-tracking branch 'teor/new-fallbacks-028-20161219' into maint-0.2.8 2016-12-19 07:27:39 -05:00
teor
4181e812c7
Update the fallback directory mirror list in December 2016
Replace the 81 remaining fallbacks of the 100 originally introduced
in Tor 0.2.8.3-alpha in March 2016, with a list of 177 fallbacks
(123 new, 54 existing, 27 removed) generated in December 2016.

Resolves ticket 20170.
2016-12-19 15:44:20 +11:00
Nick Mathewson
0fb3058ece Make log message warn about detected attempts to exploit 21018. 2016-12-18 20:17:28 -05:00
Nick Mathewson
d978216dea Fix parsing bug with unecognized token at EOS
In get_token(), we could read one byte past the end of the
region. This is only a big problem in the case where the region
itself is (a) potentially hostile, and (b) not explicitly
nul-terminated.

This patch fixes the underlying bug, and also makes sure that the
one remaining case of not-NUL-terminated potentially hostile data
gets NUL-terminated.

Fix for bug 21018, TROVE-2016-12-002, and CVE-2016-1254
2016-12-18 20:17:24 -05:00
Nick Mathewson
ae89d9745d Revert ticket 20982 changes.
They broke stem, and breaking application compatibility is usually a
bad idea.

This reverts commit 6e10130e18,
commit 78a13df158, and
commit 62f52a888a.

We might re-apply this later, if all the downstream tools can handle
it, and it turns out to be useful for some reason.
2016-12-18 10:04:36 -05:00
Roger Dingledine
51ee549a90 fix typos and trivial syntax problems 2016-12-18 04:06:02 -05:00
Roger Dingledine
f3d056ab16 clarify debug-level log while initializing entropy
I got confused when I saw my Tor saying it was opening a file
that doesn't exist. It turns out it isn't opening it, it's just
calling open() on it and then moving on when it's not there.
2016-12-18 03:48:31 -05:00
Nick Mathewson
ff08be56ac Fix another pointless stack-protector warning.
This is the same as we fixed in 39f4554687.
2016-12-16 14:06:25 -05:00
Nick Mathewson
762b799545 Rename 'remove' -> 'rmv' to avoid shadowing a libc global 2016-12-16 14:04:57 -05:00
J. Ryan Stinnett
19cf074f4d hs: Remove private keys from hs_desc_plaintext_data_t.
Since both the client and service will use that data structure to store the
descriptor decoded data, only the public keys are common to both.

Fixes #20572.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-16 12:48:33 -05:00
Nick Mathewson
698ed75e1a Resolve some coverity complaints in test_entrynodes.c 2016-12-16 12:23:46 -05:00
David Goulet
e76b072def test: fix the generate ESTABLISH_INTRO v3 cell
The "sig_len" fields was moved below the "end_sig_fields" in the trunnel
specification so when signing the cell content, the function generating such a
cell needed to be adjust.

Closes #20991

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-16 12:21:07 -05:00
David Goulet
db0e926849 hs: Remove a useless cast in verify_establish_intro_cell()
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-16 12:21:07 -05:00
David Goulet
b0ccb6bfa5 hs: Add an extra safety check on ESTABLISH_INTRO sig len
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-16 12:21:07 -05:00
David Goulet
e043b96887 trunnel: Move ESTABLISH_INTRO cell sig_len after the end_sig_fields
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-16 12:21:07 -05:00
Nick Mathewson
23c09b6bc2 Resolve a division-by-zero complaint from coverity. CID 1397272 2016-12-16 12:21:02 -05:00
Nick Mathewson
2a00110e5b Revert "Stop checking whether environ is declared."
This reverts commit 954eeda619.

Apparently, OpenBSD is what expects you to declare environ
yourself.  So 19142 is a wontfix.
2016-12-16 12:16:52 -05:00
Nick Mathewson
79a24750ba Fix broken entrynodes/retry_unreachable test
I broke this with 20292ec497 when I
changed the primary guard retry schedule.
2016-12-16 11:49:07 -05:00
Nick Mathewson
c52c47ae6f Disable the legacy guard algorithm. Code isn't removed yet.
(Keeping the code around in case I broke Tor in some unexpected
way.)
2016-12-16 11:42:34 -05:00
Nick Mathewson
990a863d7c Merge branch 'ticket20831_v2' 2016-12-16 11:40:19 -05:00
Nick Mathewson
506bd6d47c Make NumDirectoryGuards work with the new guard algorithm.
Now that we support NumEntryGuards, NumDirectoryGuards is pretty
easy to put back in.
2016-12-16 11:34:31 -05:00
Nick Mathewson
d9200d853d Make NumEntryGuards work as expected again.
Further, add a "guard-n-primary-guards-to-use" parameter, defaulting
to 1, for NumEntryGuards to override.
2016-12-16 11:34:31 -05:00
Nick Mathewson
deb8bcadce 271: Algorithm tweak to allow multiple entry guards.
Previously, we had NumEntryGuards kind of hardwired to 1.  Now we
have the code (but not the configuarability) to choose randomly from
among the first N primary guards that would work, where N defaults
to 1.

Part of 20831 support for making NumEntryGuards work again.
2016-12-16 11:34:31 -05:00
Nick Mathewson
385602e982 Respect GuardLifetime in prop271 code.
It overrides both the GUARD_LIFETIME and the
GUARD_CONFIRMED_MIN_LIFETIME options.
2016-12-16 11:34:31 -05:00
Nick Mathewson
3902a18a69 Remove UseDirectoryGuards
It is obsoleted in an always-on direction by prop271.
2016-12-16 11:32:51 -05:00
Nick Mathewson
988b0afbd6 Merge branch 'ticket20826_v2' 2016-12-16 11:29:02 -05:00
Nick Mathewson
e044b4f8ce Support restrictive ENTRYNODES configurations correctly.
Since we already had a separate function for getting the universe of
possible guards, all we had to do was tweak it to handle very the
GS_TYPE_RESTRICTED case.
2016-12-16 11:28:27 -05:00
Nick Mathewson
4ec9751c14 guard->nickname is never NULL. 2016-12-16 11:25:59 -05:00
Nick Mathewson
2cee38f76a Merge branch 'prop271_030_v1_squashed' 2016-12-16 11:20:59 -05:00
Nick Mathewson
20292ec497 Per suggestion, increase the retry frequency for primary guards. 2016-12-16 11:06:22 -05:00
Nick Mathewson
fc7751a989 Rewrite state transition logic in entry_guards_note_success()
asn found while testing that this function can be reached with
GUARD_STATE_COMPLETE circuits; I believe this happens when
cannibalization occurs.

The added complexity of handling one more state made it reasonable
to turn the main logic here into a switch statement.
2016-12-16 11:06:22 -05:00
Nick Mathewson
2e2f3a4d99 Add a separate, non-fractional, limit to the sampled guard set size.
Letting the maximum sample size grow proportionally to the number of
guards defeats its purpose to a certain extent.  Noted by asn during
code review.

Fixes bug 20920; bug not in any released (or merged) version of Tor.
2016-12-16 11:06:22 -05:00
Nick Mathewson
e50d85b90c Clean check for live consensus when updating the guard sample.
The valid_until check was redundant.
2016-12-16 11:06:22 -05:00
Nick Mathewson
b7088e5b5a Move a TODO comment into doxygen comments. 2016-12-16 11:06:22 -05:00
George Kadianakis
50783d0123 Easy code fixes.
- Correctly maintain the previous guard selection in choose_guard_selection().
- Print bridge identifier instead of nothing in entry_guard_describe()._
2016-12-16 11:06:22 -05:00
George Kadianakis
7ab2678074 Trivial documentation improvements. 2016-12-16 11:06:22 -05:00
Nick Mathewson
6867950432 Wrap all of the legacy guard code, and its users, in #ifdefs
This will make it easier to see what we remove down the line.
2016-12-16 11:06:22 -05:00
Nick Mathewson
2b4bfe62ee Fix a signed/unsigned warning on 32-bit 2016-12-16 11:06:21 -05:00
Nick Mathewson
72dc2ae319 Tests for choosing which guard_selection to use 2016-12-16 11:06:21 -05:00
Nick Mathewson
d9f010db84 Update node-selection tests to consider restrictions 2016-12-16 11:06:21 -05:00
Nick Mathewson
7361e1b499 Tests for restricted-circuit cases of upgrade_waiting_circuits() 2016-12-16 11:06:21 -05:00
Nick Mathewson
52e196bab5 Don't make $hexid nicknames persistent.
(That's asking for trouble, and also totally completely redundant.)
2016-12-16 11:06:21 -05:00
Nick Mathewson
79d3e94f8b prop271: Tests for the highlevel or_state_t encode/decode functions 2016-12-16 11:06:20 -05:00
Nick Mathewson
171981f8a0 Add a test for entry_guard_state_should_expire() 2016-12-16 11:06:20 -05:00
Nick Mathewson
217590ad05 Extract guard_selection_infer_type into its own function. 2016-12-16 11:06:20 -05:00
Nick Mathewson
13315812e8 Repair unit test for tiny-network case.
The test assumed that the old rules about handling small max_sample
were in effect, and didn't actually handle that case very well
anyway.
2016-12-16 11:06:20 -05:00
Nick Mathewson
2c8c58ab2f Another tweak for guard restrictions: don't let complete circs block
If a complete circuit C2 doesn't obey the restrictions of C1, then
C2 cannot block C1.

The patch here is a little big-ish, since we can no longer look
through all the complete circuits and all the waiting circuits on a
single pass: we have to find the best waiting circuit first.
2016-12-16 11:06:20 -05:00
Nick Mathewson
87f9b42179 Implement support for per-circuit guard restrictions.
This is an important thing I hadn't considered when writing prop271:
sometimes you have to restrict what guard you use for a particular
circuit.  Most frequently, that would be because you plan to use a
certain node as your exit, and so you can't choose that for your
guard.

This change means that the upgrade-waiting-circuits algorithm needs
a slight tweak too: circuit A cannot block circuit B from upgrading
if circuit B needs to follow a restriction that circuit A does not
follow.
2016-12-16 11:06:20 -05:00
Nick Mathewson
17c3faa2e3 guards_choose_dirguard(): replace one XXXX with another.
I had been asking myself, "hey, doesn't the new code need to look at
this "info" parameter? The old code did!"  But it turns out that the
old code hasn't, since 05f7336624.

So instead of "support this!" the comment now says "we can remove
this!"
2016-12-16 11:06:20 -05:00
Nick Mathewson
9d065ecc3d Fix a magic number in get_max_sample_size 2016-12-16 11:06:20 -05:00
Nick Mathewson
1e9cd5d2bb Note a couple of XXX-prop271s as spec deviations. 2016-12-16 11:06:19 -05:00
Nick Mathewson
f4e64c04f4 Remove some resolved "XXXX prop271" comments. 2016-12-16 11:06:19 -05:00
Nick Mathewson
6c3f555a8c Re-enable some disabled tests about switching guard_selections 2016-12-16 11:06:19 -05:00
Nick Mathewson
80fa404625 Fix for small test networks: don't refuse to have any sampled guards.
Don't restrict the sample size if the network size is less than 20
guards.  Maybe we'll think of a better rule later on?
2016-12-16 11:06:19 -05:00
Nick Mathewson
eac8b3f758 Remove a few unused arguments. 2016-12-16 11:06:19 -05:00
Nick Mathewson
84bfa895d7 Change return value of entry_guard_succeeded to an enum.
George pointed out that (-1,0,1) for (never usable, maybe usable
later, usable right now) was a pretty rotten convention that made
the code harder to read.
2016-12-16 11:06:19 -05:00
Nick Mathewson
46619ec914 Note some large functions that could be split.
George Kadianakis pointed these out.
2016-12-16 11:06:19 -05:00
Nick Mathewson
3bcbbea350 More progress on bridge implementation with prop271 guards
Here we handle most (all?) of the remaining tasks, and fix some
bugs, in the prop271 bridge implementation.

  * We record bridge identities as we learn them.
  * We only call deprecated functions from bridges.c when the
    deprecated guard algorithm is in use.
  * We update any_bridge_descriptors_known() and
    num_bridges_usable() to work correctly with the new backend
    code. (Previously, they called into the guard selection logic.
  * We update bridge directory fetches to work with the new
    guard code.
  * We remove some erroneous assertions where we assumed that we'd
    never load a guard that wasn't for the current selection.

Also, we fix a couple of typos.
2016-12-16 11:06:18 -05:00
Nick Mathewson
82fa71610d Implement bridge backends for sampling, filtering guards.
Still missing is functionality for picking bridges when we don't
know a descriptor for them yet, and functionality for learning a
bridge ID.

Everything else remains (basically) the same. Neat!
2016-12-16 11:06:18 -05:00
Nick Mathewson
53f248f6c9 Add some needed accessors/inspectors for bridge/guard convergence 2016-12-16 11:06:18 -05:00
Nick Mathewson
1d52ac4d3f Lay down some infrastructure for bridges in the New Guard Order.
This includes:
  * making bridge_info_t exposed but opaque
  * allowing guards where we don't know an identity
  * making it possible to learn the identity of a guard
  * creating a guard that lacks a node_t
  * remembering a guard's address and port.
  * Looking up a guard by address and port.
  * Only enforcing the rule that we need a live consensus to update
    the "listed" status for guards when we are not using bridges.
2016-12-16 11:06:18 -05:00
Nick Mathewson
89f5f149df Remove guard_selection argument from status-reporting functions
This prevents us from mixing up multiple guard_selections
2016-12-16 11:06:18 -05:00
Nick Mathewson
6dcbc24a4e Add a backpointer from entry_guard_t to guard_selection_t
This is safe, because no entry_guard_t ever outlives its
guard_selection_t.

I want this because now that multiple guard selections can be active
during one tor session, we should make sure that any information we
register about guards is with respect to the selection that they came
from.
2016-12-16 11:06:18 -05:00
Nick Mathewson
404e9e5611 Have multiple guard contexts we can switch between.
Currently, this code doesn't actually have the contexts behave
differently, (except for the legacy context), but it does switch
back and forth between them nicely.
2016-12-16 11:06:18 -05:00
Nick Mathewson
08d3ca2e56 More entry guard tests: for cancel, and for upgrade. 2016-12-16 11:06:17 -05:00
Nick Mathewson
fcb50f1839 Test for entry_guard_has_higher_priority(). 2016-12-16 11:06:17 -05:00
Nick Mathewson
c6d218c44b Unit tests for entry_guard_{pick_for_circuit,succeeded,failed} 2016-12-16 11:06:17 -05:00
Nick Mathewson
9493711077 Mark confirmed guards primary as appropriate.
If a guard becomes primary as a result of confirming it, consider
the circuit through that guard as a primary circuit.

Also, note open questions on behavior when confirming nonprimary guards
2016-12-16 11:06:17 -05:00
Nick Mathewson
d2af9826fd Turn #defines for prop271 into networkstatus params
Some of these will get torrc options to override them too; this
is just the mechanical conversion.

Also, add documentation for a couple of undocumented (but now used)
parameters.
2016-12-16 11:06:17 -05:00
Nick Mathewson
039bd01767 Add a wrapper for a common networkstatus param pattern
We frequently want to check a networkstatus parameter only when it
isn't overridden from the torrc file.
2016-12-16 11:06:16 -05:00
Nick Mathewson
2ea5aa7182 Expire circuits that have been WAITING_FOR_BETTER_GUARD too long
(This is required by 3.9 in prop271, but is better done as a
separate function IMO)
2016-12-16 11:06:16 -05:00
Nick Mathewson
e56bc1e5de Move the 'dirty' flag for the guards to a global again
It makes more sense to have a single dirty flag, since we always
regenerate the whole state file when we save it.
2016-12-16 11:06:16 -05:00
Nick Mathewson
bce0f79252 Mark some more BUG lines as unreachable. 2016-12-16 11:06:16 -05:00
Nick Mathewson
9cad2628dd Test no-consensus case for filter. 2016-12-16 11:06:16 -05:00
Nick Mathewson
a7bc73935b Test get_guard_selection_by_name 2016-12-16 11:06:15 -05:00
Nick Mathewson
526b0e2ce2 Avoid division-by-zero in pathbias_check_*_success_count 2016-12-16 11:06:15 -05:00
Nick Mathewson
ac67819396 Make sure primary-guards are up-to-date when we inspect them.
(Plus some magic to prevent and detect recursive invocation of
entry_guards_update_primary(), since that can cause some pretty
tricky misbehavior.)
2016-12-16 11:06:15 -05:00
Nick Mathewson
f71be74340 When freeing a guard state, cancel it if its state is unknown
We don't want a guard to stay "pending" forever if the
circuit_guard_state_t for it is freed before it succeeds or fails.
2016-12-16 11:06:15 -05:00
Nick Mathewson
897626953b Rebuild the guard lists as appropriate on torrc change.
(Also, prepare to tie guard changes into the mark-all-old-circuits
logic.)
2016-12-16 11:06:15 -05:00
cypherpunks
62f52a888a Remove the version prefix from version numbers 2016-12-16 10:41:36 -05:00
cypherpunks
78a13df158 Remove the trailing dot from version numbers 2016-12-16 10:41:36 -05:00
Nick Mathewson
df6c475e59 Merge remote-tracking branch 'public/ticket19142' 2016-12-16 10:27:27 -05:00
teor
2e2d22d29a
Make fascist_firewall_use_ipv6() check ORPort & DirPort IP preferences
This makes clients try harder to find an IPv6 address when searching for
a directory server.

Required for #19608.
2016-12-16 22:30:55 +11:00
David Goulet
cacfd82c8d cell: Add a control cell ID for semantic
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-15 11:44:02 -05:00
Nick Mathewson
92139b0077 Fix a lovely heisenbug in rend_cache/store_v2_desc_as_client
Act I.

    "                    But that I am forbid
     To tell the secrets of my prison-house,
     I could a tale unfold..."

Here's the bug: sometimes, rend_cache/store_v2_desc_as_client would
say:

"Dec 15 08:31:26.147 [warn] rend_cache_store_v2_desc_as_client():
   Bug: Couldn't decode base32 [scrubbed] for descriptor id. (on Tor
   0.3.0.0-alpha-dev 4098bfa260)"

When we merged ade5005853 back in 0.2.8.1-alpha, we added that
test: it mangles the hidden service ID for a hidden service, and
ensures that when the descriptor ID doesn't match the descriptor's
key, we don't store the descriptor.

How did it mangle the descriptor ID?  By doing
     desc_id_base32[0]++;

So, if the hidden service ID started with z or 7, we'd wind up with an
invalid base32 string, and get the warning.  And if it started with
any other character, we wouldn't.

That there is part 1 of the bug: in 2/32 cases, we'd get a BUG
warning.  But we wouldn't display it, since warnings weren't shown
from the unit tests.

Act II.

    "Our indiscretion sometime serves us well,
     When our deep plots do pall"

Part two: in 0.2.9.3-alpha, for part of #19999, we turned on BUG
warnings in the unit tests, so that we'd actually start seeing them.
At this point we also began to consider each BUG warning that made
it through the unit tests to be an actual bug.  So before this
point, we wouldn't actually notice anything happening in those 2/32
cases.

So, at this point it was a nice random _visible_ bug.

Act III.

   "Our thoughts are ours, their ends none of our own"

In acbb60cd63, which was part of my prop220 work, I
changed how RSA key generation worked in the unit tests.  While
previously we'd use pre-made RSA keys in some cases, this change
made us use a set of pregenerated RSA keys for _all_ 1024 or 2048
keys, and to return them in a rotation when Tor tried to generate a
key.

And now we had the heisenbug: anything that affected the number of
pregenerated keys that we had yielded before reaching
rend_cache/store_v2_desc_as_client would make us return a different
key, which would give us a different base32 ID, which would make the
bug occur, or not.  So as we added or removed test cases, the bug
might or might not happen.

So yeah.  Don't mangle a base32 ID like that.  Do it this way instead.
2016-12-15 08:42:03 -05:00
Nick Mathewson
4098bfa260 Fix double-typedef of or_circuit_t. 2016-12-14 16:46:54 -05:00
Nick Mathewson
a8ac2a62cb Fix a few clang warnings. 2016-12-14 16:01:27 -05:00
Nick Mathewson
81360c4a5f whitespace fixes 2016-12-14 15:41:08 -05:00
Nick Mathewson
a675ef8eea Fix a "make check" regression in --list-fingerprint. 2016-12-14 15:39:31 -05:00
Nick Mathewson
c838d34921 Merge branch 'dgoulet_ticket19043_030_03_squashed' 2016-12-14 15:28:28 -05:00
David Goulet
a4eb17ed89 prop224: Use LOG_PROTOCOL_WARN instead of log_warn(LD_PROTOCOL, ...) in hs_intropoint.c
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-14 15:19:10 -05:00
David Goulet
118691cd47 crypto: Change crypto_mac_sha3_256 to use the key length in the construction
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-14 15:18:40 -05:00
George Kadianakis
297213825b prop224: Add unittests handling v3 ESTABLISH_INTRO cells.
Test for both v2 and v3 ESTABLISH_INTRO handling.
2016-12-14 15:18:40 -05:00
George Kadianakis
12dfe56b1c prop224: Use new HS functions in old HS code.
This is needed to make old code unittestable.
2016-12-14 15:18:40 -05:00
George Kadianakis
d7be1fd519 prop224: Introduce the new introduction point code.
(pun not intended)

Now our code supports both legacy and prop224 ESTABLISH_INTRO cells :)

hs_intro_received_establish_intro() is the new entry point.
2016-12-14 15:18:36 -05:00
George Kadianakis
c4c90d56b5 prop224: Add code that generates ESTABLISH_INTRO cells.
Currently unused. It will only be used for creating ESTABLISH_INTRO
cells in unittests :)
2016-12-14 15:17:58 -05:00
George Kadianakis
9192e5928c prop224 prepwork: Use of HS circuitmap in existing HS code.
The new HS circuitmap API replaces old public functions as follows:
   circuit_clear_rend_token -> hs_circuitmap_remove_circuit
   circuit_get_rendezvous -> hs_circuitmap_get_rend_circ
   circuit_get_intro_point -> hs_circuitmap_get_intro_circ_v2
   circuit_set_rendezvous_cookie -> hs_circuitmap_register_rend_circ
   circuit_set_intro_point_digest -> hs_circuitmap_register_intro_circ_v2

This commit also removes the old rendinfo code that is now unused.
It also fixes the broken rendinfo unittests.
2016-12-14 15:17:58 -05:00
George Kadianakis
2b9abbef2e prop224 prepwork: Introduce HS circuitmap subsystem.
The HS circuitmap is a hash table that maps introduction and rendezvous
tokens to specific circuits such that given a token it's easy to find
the corresponding circuit. It supports rend circuits and v2/v3 intro
circuits.

It will be used by the prop224 ESTABLISH_INTRO code to register and
lookup v3 introduction circuits.

The next commit after this removes the old code and fixes the unittests.
Please consult both commits while reviewing functionality differences
between the old and new code. Let me know if you want this rebased
differently :)

WRT architectural differences, this commit removes the rendinfo pointer
from or_circuit_t. It then adds an hs_token_t pointer and a hashtable
node for the HS circuitmap. IIUC, this adds another pointer to the
weight of or_circuit_t. Let me know if you don't like this, or if you
have suggestions on improving it.
2016-12-14 15:17:58 -05:00
George Kadianakis
e17cc3f0a6 prop224 prepwork: Finish decoupling old ESTABLISH_INTRO creation logic. 2016-12-14 15:17:57 -05:00
George Kadianakis
b5b34e62f7 prpo224 prepwork: Decouple legacy ESTABLISH_INTRO creation logic.
This commit only moves code.
2016-12-14 15:17:57 -05:00
George Kadianakis
b9010c8bf5 prop224 prepwork: Introduce HMAC-SHA3 function. 2016-12-14 15:17:57 -05:00
Nick Mathewson
963e70673a Merge remote-tracking branch 'teor/fix-frac-paths-comment' 2016-12-13 20:30:51 -05:00
teor
e2537a5982
Clarify a comment in compute_frac_paths_available 2016-12-14 10:25:01 +11:00
Nick Mathewson
55d02c004c Remove AuthDirMaxServersPerAuthAddr
Back when Roger had do do most of our testing on the moria host, we
needed a higher limit for the number of relays running on a single
IP address when that limit was shared with an authority. Nowadays,
the idea is pretty obsolete.

Also remove the router_addr_is_trusted_dir() function, which served
no other purpose.

Closes ticket 20960.
2016-12-13 13:09:27 -05:00
Nick Mathewson
56b11905e5 Remove a little dead code from routerparse.c
In c35fad2bde, merged in
0.2.4.7-alpha, we removed the code to parse v1 directory
objects. When we did so, we removed everything that could set the
CST_CHECK_AUTHORITY flag for check_signature_token().

So in this code, we remove the flag itself, the code to handle the
flag, and a function that only existed to handle the flag.
2016-12-13 09:36:59 -05:00
Nick Mathewson
0dd48bfe5a Change the default of AuthDirPinKeys to 1.
Closes ticket 18319.
2016-12-13 08:54:38 -05:00
Nick Mathewson
954eeda619 Stop checking whether environ is declared.
There seems to be pretty good evidence that it's always declared,
and that checking for it is pointless.

Closes ticket 19142.
2016-12-12 10:55:10 -05:00
Nick Mathewson
54069b97d3 whitespace fix 2016-12-12 09:51:49 -05:00
Nick Mathewson
1bd562f1c4 Merge branch 'people-to-node-type' 2016-12-12 09:50:31 -05:00
J. Ryan Stinnett
d5df9fa235 Replace "people" with the appropriate network component in comments
Fixes #18145.
2016-12-12 09:50:21 -05:00
Nick Mathewson
b659ffe9ac Merge remote-tracking branch 'jryans/log-severity' 2016-12-12 09:46:07 -05:00
Nick Mathewson
1ad96ed9cd Merge remote-tracking branch 'rubiate/ticket20511' 2016-12-12 09:20:56 -05:00
Nick Mathewson
8384f4d26f version bump: 0.2.9.7-rc-dev 2016-12-12 08:24:37 -05:00
Nick Mathewson
8143c30a5c helper_compare_hs_desc: coverity memleak complaints
This test helper had a memory leak on failure, which Coverity Scan
doesn't like.  Closes CID 1375996 and 1375997. Not in any released
Tor.
2016-12-12 08:10:05 -05:00
Nick Mathewson
cf6da1e4c2 Bump version 0.2.9.7-rc 2016-12-11 21:39:50 -05:00
Nick Mathewson
7601edc29a Merge remote-tracking branch 'dgoulet/bug20936_030_01' 2016-12-11 21:19:03 -05:00
Nick Mathewson
3e4a1ed7bb Merge branch 'maint-0.2.9' 2016-12-11 20:40:12 -05:00
Nick Mathewson
87c000d19e Merge remote-tracking branch 'dgoulet/bug20938_029_01' into maint-0.2.9 2016-12-11 20:40:01 -05:00
David Goulet
f3c040e33e test: fix memory leak in single onion poisoning
Closes #20938

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-09 12:59:40 -05:00
David Goulet
d01a6c07ae test: Fix memory leak in test_circuituse.c
Circuit object wasn't freed correctly. Also, the cpath build state object
needed to be zeroed else we were freeing garbage pointers.

Closes #20936

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-09 10:20:14 -05:00
Nick Mathewson
a40d212383 Downgrade a harmless bug warning to info.
Makes 19926 less annoying in 0.2.9.  In 0.3.0, we should actually
fix this.
2016-12-09 08:43:09 -05:00
Nick Mathewson
f2445fc608 Merge branch 'maint-0.2.9' 2016-12-09 08:34:30 -05:00
Nick Mathewson
adaf6a422a Merge branch 'maint-0.2.8' into maint-0.2.9 2016-12-09 08:34:24 -05:00
Nick Mathewson
56a2b8dc6e Merge branch 'maint-0.2.7' into maint-0.2.8 2016-12-09 08:34:18 -05:00
Nick Mathewson
b49369badd Merge branch 'maint-0.2.6' into maint-0.2.7 2016-12-09 08:34:12 -05:00
Nick Mathewson
3d9f8ff6a5 Merge branch 'maint-0.2.5' into maint-0.2.6 2016-12-09 08:34:06 -05:00
Nick Mathewson
3d2d3f2b62 Merge branch 'maint-0.2.4' into maint-0.2.5 2016-12-09 08:33:57 -05:00
Nick Mathewson
a3b8286b0e Merge branch 'maint-0.2.9' 2016-12-09 08:30:55 -05:00
David Goulet
9bb3bcbc41 router: Fix memory leak in signed_descriptor_move()
The signed_descriptor_move() was not releasing memory inside the destination
object before overwriting it with the source object. This commit adds a reset
function that free that memory inside a signed descriptor object and zero it.

Closes #20715.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-09 08:30:46 -05:00
Karsten Loesing
9db47e7921 Update geoip and geoip6 to the December 7 2016 database. 2016-12-09 10:23:36 +01:00
Nick Mathewson
39f4554687 Fix a completely stupid stack-protector warning in test_channels.c
This was breaking the build on debian precise, since it thought that
using a 'const int' to dimension an array made that array
variable-size, and made us not get protection.

Bug not in any released version of Tor.

I will insist that this one wasn't my fault.

        "Variables won't. Constants aren't." -- Osborn's Law
2016-12-08 17:50:01 -05:00
Nick Mathewson
bc68eedd79 Update to trunnel 1.5.1 2016-12-08 16:59:25 -05:00
Nick Mathewson
e1f00c5f86 whitespace cleanups 2016-12-08 16:53:29 -05:00
Nick Mathewson
e93234af70 Merge branch 'feature15056_v1_squashed' 2016-12-08 16:49:24 -05:00
Nick Mathewson
236e8b605e Adding some assertions to onion.c 2016-12-08 16:48:01 -05:00
Nick Mathewson
d0b76f5099 Fix comment on connection_or_client_learned_peer_id(). 2016-12-08 16:48:01 -05:00
Nick Mathewson
5eef00eb04 Tiny cleanup of chan handling when setting connection ID digests 2016-12-08 16:48:01 -05:00
Nick Mathewson
9bf9e34a01 Use connection_or_clear_identity in connection_or_clear_identity_map. 2016-12-08 16:48:01 -05:00
Nick Mathewson
937aef48ee Add an ed25519_copy; use it in a couple of places dgoulet suggested. 2016-12-08 16:48:01 -05:00
Nick Mathewson
835b04819a Add some unit testing for ed25519 IDs in extend2 cells. 2016-12-08 16:48:00 -05:00
Nick Mathewson
921ac5c548 Unit tests for channel identity map code 2016-12-08 16:48:00 -05:00
Nick Mathewson
cd741cc595 Canonicity update for ed25519.
If a node can prove its Ed25519 identity, don't consider connections
to it canonical unless they match both identities.

Includes link handshake changes needed to avoid crashing with bug
warnings, since the tests now reach more parts of the code.

Closes ticket 20355
2016-12-08 16:48:00 -05:00
Nick Mathewson
424ae9e18b helper to test a node for matching an ed25519 ID. 2016-12-08 16:48:00 -05:00
Nick Mathewson
3b1e04fe45 Teach channel_rsa_id_group_set_badness_() about Ed25519
(Only run the connection_or_group_set_badness_() function on groups
of channels that have the same RSA and Ed25519 identities.)

There's a possible opportunity here where we might want to set a
channel to "bad" if it has no ed25519 identity and some other
channel has some.  Also there's an opportunity to add a warning if
we ever have an Ed mismatch on open connections with the same RSA
ID.
2016-12-08 16:48:00 -05:00
Nick Mathewson
5ada249579 Enforce directionality in connection_or_set_identity_digest().
This function has never gotten testing for the case where an
identity had been set, and then got set to something else.  Rather
than make it handle those cases, we forbid them.
2016-12-08 16:47:59 -05:00
Nick Mathewson
68acf8f12e Tell channel_set_identity_digest() that ed keys can be NULL 2016-12-08 16:47:59 -05:00
Nick Mathewson
e0ab293837 Add a few more debug/info-level logs for ed25519 link handshake stuff 2016-12-08 16:47:59 -05:00
Nick Mathewson
3d7e485402 Add an option to disable dirauth ed25519 link key checks.
If there is some horrible bug in our ed25519 link authentication
code that causes us to label every single ed25519-having node as
non-running, we'll be glad we had this.  Otherwise we can remove it
later.
2016-12-08 16:47:59 -05:00
Nick Mathewson
7daf152172 Enforce Ed25519 identities (client-side)
This patch makes two absolutely critical changes:
  - If an ed25519 identity is not as expected when creating a channel,
    we call that channel unsuccessful and close it.
  - When a client creating a channel or an extend cell for a circuit, we
    only include the ed25519 identity if we believe that the node on
    the other side supports ed25519 link authentication (from
    #15055).  Otherwise we will insist on nodes without the right
    link protocol authenticating themselves.
  - When deciding to extend to another relay, we only upgrade the
    extend to extend by ed25519 ID when we know the ed25519 ID _and_
    we know that the other side can authenticate.

This patch also tells directory servers, when probing nodes, to
try to check their ed25519 identities too (if they can authenticate
by ed25519 identity).

Also, handle the case where we connect by RSA Id, and learn the
ED25519 ID for the node in doing so.
2016-12-08 16:47:58 -05:00
Nick Mathewson
2cdd24ddd6 Helper function for logging ed25519 public keys. 2016-12-08 16:47:58 -05:00
Nick Mathewson
ae6b73e847 Dirauth: Don't treat a router as reachable if the Ed25519 key didn't match 2016-12-08 16:47:58 -05:00
Nick Mathewson
88252b2d76 Comment-only: note some places where we want to propagate Ed25519 info
This is not for 15056, since it's about UI, and not about circuit
extension.
2016-12-08 16:47:58 -05:00
Nick Mathewson
9e840e6c7d Add ExtendByEd25519ID consensus parameter/torrc option
I need to be able to turn on Ed25519 support in client generation
of  extend cells so I can test it, but leave it off-by-default until
enough clients support it for us to turn it on for a bunch at once.

This is part of #15056 / prop#220.
2016-12-08 16:47:58 -05:00
Nick Mathewson
6788418f28 Propagate Ed25519 identities downwards into more functions.
Actually set ed25519 identities on channels when we set a channel's
identity.
2016-12-08 16:47:58 -05:00
Nick Mathewson
af3af49408 Add a function to check whether a given ed id key is ours 2016-12-08 16:47:58 -05:00
Nick Mathewson
c837786868 Teach circuit_extend() more about Ed25519 identities.
- forbid extending to the previous hop by Ed25519 ID.
- If we know the Ed25519 ID for the next hop and the client doesn't,
  insist on the one from the consensus.
2016-12-08 16:47:57 -05:00
Nick Mathewson
6aa239df36 Rename connection_or_remove_from_identity_map 2016-12-08 16:47:57 -05:00
Nick Mathewson
cdce221e68 Remove orconn_identity_map.
It is no longer needed; look up channels by identity instead.
2016-12-08 16:47:57 -05:00
Nick Mathewson
a20c8a81d7 Migrate main data loop for set_bad_connections to use channel structures
This was the last user of our or_connections-by-ID map.  It also had
a tendency to be O(N) in cases that only had to be O(1).
2016-12-08 16:47:57 -05:00
Nick Mathewson
bfff729728 Add a bunch of work-in-progress comments for 15056 planning 2016-12-08 16:47:57 -05:00
Nick Mathewson
ef5158b2d2 When attempting to find a channel by ID, consider Ed ID.
Right now, there's only a mechanism to look for a channel where the
RSA ID matches *and* the ED ID matches. We can add a separate map
later if we want.
2016-12-08 16:47:56 -05:00
Nick Mathewson
d47c52b384 Bump to 0.2.8.11-dev 2016-12-08 11:02:49 -05:00
Nick Mathewson
9c899dad31 Merge remote-tracking branch 'origin/maint-0.2.8' into maint-0.2.8 2016-12-08 09:07:28 -05:00
Nick Mathewson
4732e150e8 Bump to 0.2.8.11 2016-12-08 09:04:37 -05:00
Nick Mathewson
85538498b6 Merge branch 'maint-0.2.9' 2016-12-08 07:49:56 -05:00
cypherpunks
9fe6ffa588 Use the correct preprocessor macro for Linux
Also combine all of the checks into one if-tree as only one of them
should actually succeed.
2016-12-08 07:48:19 -05:00
Nick Mathewson
10baf2c684 Backport the other sierra fix in 20865.
They added clock_gettime(), but with tv_nsec as a long, whereas
tv_usec is a __darwin_suseconds_t (a.k.a. 'int').  Now, why would
they do that? Are they preparing for a world where there are more
than 2 billion nanoseconds per second?  Are they planning for having
int be less than 32 bits again?  Or are they just not paying
attention to the Darwin API?

Also, they forgot to mark clock_gettime() as Sierra-only, so even
if we fixed the issue here, we'd still be stick with portability
breakage like we were for 0.2.9.

So, just disable clock_gettime() on apple.
2016-12-07 18:24:28 -05:00
Nick Mathewson
b658893590 Merge branch 'bug19960_2' 2016-12-07 15:23:14 -05:00
Nick Mathewson
53d4e89626 Netbsd doesn't have ipfw, only the regular pf transport stuff.
Attempted fix for 19960.

Also, fixes a typo.
2016-12-07 15:22:44 -05:00
Nick Mathewson
ab013719e5 Merge branch 'maint-0.2.9' 2016-12-07 11:26:02 -05:00
Nick Mathewson
e7ade23f97 Increase verbosity on options/validate__transproxy
This is an attempt to figure out what's up with #19960
2016-12-07 11:24:58 -05:00
Nick Mathewson
1d45438ef0 Capture warning in dir/purpose_needs_anonymity_returns_true_by_default 2016-12-07 11:19:49 -05:00
Nick Mathewson
2499ea359a Merge branch 'maint-0.2.9' 2016-12-07 11:14:56 -05:00
Nick Mathewson
0815f96416 Fix a BUG() warning from next_random_exponential_delay().
Fixes 20875; this code is as suggested by teor on the ticket.  Thanks!
2016-12-07 11:13:11 -05:00
Nick Mathewson
b0a842913a Merge branch 'maint-0.2.9' 2016-12-07 11:09:27 -05:00
Nick Mathewson
fce425e3ff Increase tolerances in util/monotonic_time tests
This is an attempt to fix #19974.
2016-12-07 11:08:54 -05:00
Nick Mathewson
129cee1c75 Merge branch 'maint-0.2.9' 2016-12-07 10:52:28 -05:00
Nick Mathewson
d6ca36defa Merge branch 'bug20710_025' into maint-0.2.9 2016-12-07 10:52:12 -05:00
J. Ryan Stinnett
9b2b799d82 Accept non-space whitespace characters in log severity syntax.
Adds a test_config_parse_log_severity unit test to verify behavior.

Fixes #19965.
2016-12-06 11:11:43 -10:00
Nick Mathewson
41adfd6fa3 Fix a couple more crypto_digest() calls to be explicit < 0 2016-12-05 10:31:31 -05:00
Nick Mathewson
daeb633825 whitespace fix 2016-12-05 10:31:10 -05:00
Nick Mathewson
f92630941a Merge remote-tracking branch 'chelseakomlo/20717_hashing_api_bug' 2016-12-05 10:27:16 -05:00
Nick Mathewson
cc34ba1cec Merge branch 'getentropy_028' into maint-0.2.8 2016-12-05 10:06:16 -05:00
Nick Mathewson
714aeedc52 20865: Don't use getentropy() on OSX Sierra.
Tor 0.2.9 has a broader range of fixes and workarounds here, but for
0.2.8, we're just going to maintain the existing behavior.

(The alternative would be to backport both
1eba088054 and
16fcbd21c9 , but the latter is kind of
a subtle kludge in the configure.ac script, and I'm not a fan of
backporting that kind of thing.)
2016-12-05 10:02:33 -05:00
Nick Mathewson
5923418eff Merge remote-tracking branch 'jryans/service_is_ephemeral' 2016-12-05 08:57:00 -05:00
Nick Mathewson
f96f4c0e42 Merge remote-tracking branch 'chelseakomlo/circuituse' 2016-12-05 08:25:22 -05:00
Nick Mathewson
0ded72322c Merge branch 'maint-0.2.9' 2016-12-05 08:21:46 -05:00
J. Ryan Stinnett
cf2f36b8b4 Test for .git as readable instead of a dir to support worktrees
Fixes #20492.
2016-12-05 08:21:17 -05:00
Nick Mathewson
8230cf7ea6 Merge remote-tracking branch 'jryans/local-hostname' 2016-12-05 08:17:01 -05:00
Nick Mathewson
f7e8bd640a Merge branch 'maint-0.2.9' 2016-12-05 08:13:14 -05:00
Nick Mathewson
2a365413eb Always Use EVP_aes_*_ctr() with openssl 1.1
(OpenSSL 1.1 makes EVP_CIPHER_CTX opaque, _and_ adds acceleration
for counter mode on more architectures.  So it won't work if we try
the older approach, and it might help if we try the newer one.)

Fixes bug 20588.
2016-12-05 07:54:22 -05:00
J. Ryan Stinnett
63d3ba96f9 Use rend_service_is_ephemeral for all service checks in rendservice.c
Fixes #20853.
2016-12-04 14:35:09 -06:00
J. Ryan Stinnett
7ffa95abd9 Clarify that ClientRejectInternalAddresses also rejects mDNS *.local hosts
Fixes #17070.
2016-12-03 21:10:40 -06:00
teor
8a0ea3ee43
Use a temporary service list when validating and adding hidden services
This resolves two issues:
* the checks in rend_add_services were only being performed when adding
  the service, and not when the service was validated,
  (this meant that duplicate checks were not being performed, and some SETCONF
  commands appeared to succeed when they actually failed), and
* if one service failed while services were being added, then the service
  list would be left in an inconsistent state (tor dies when this happens,
  but the code is cleaner now).

Fixes #20860.
2016-12-03 09:10:46 +11:00
teor
93c62f5ac1
Add a missing rend_service_free in rend_service_add 2016-12-03 08:24:47 +11:00
teor
0446188674
Clarify the function documentation for rend_get_service_list_mutable
Comment-only change
2016-12-03 08:23:01 +11:00
teor
e8ce57e6e8
Move a comment in test_single_onion_poisoning 2016-12-03 06:30:58 +11:00
teor
8d42aab3f6
Add a missing return value check in test_single_onion_poisoning 2016-12-03 06:30:06 +11:00
teor
fdd368d656
Remove a double-free in test_single_onion_poisoning
We were freeing both dir{1,2} directly, and service_{1,2}->directory via
rend_service_free, even though they are the same pointer.
2016-12-03 06:27:32 +11:00
teor
c100c5c69b
Refactor poison_dir allocation and free in test_single_onion_poisoning
This pattern is much less error-prone when future changes are made.
2016-12-03 06:25:46 +11:00
Nick Mathewson
e6facbfe7a Add accessor for inspecting timer callbacks. 2016-12-02 12:15:07 -05:00
Nick Mathewson
ca4a0ae0b1 Merge branch 'maint-0.2.9' 2016-12-02 12:10:39 -05:00
David Goulet
907cd8a0cf protover: Fix old tor hardcoded version check
When computing old Tor protocol line version in protover, we were looking at
0.2.7.5 twice instead of the specific case for 0.2.9.1-alpha.

Fixes #20810

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-02 12:09:08 -05:00
Nick Mathewson
ed4213fa08 Merge remote-tracking branch 'teor/bug20667' 2016-12-02 12:07:10 -05:00
Nick Mathewson
d7ec1708b1 Merge branch 'maint-0.2.9' 2016-12-02 12:00:53 -05:00
Nick Mathewson
8b93cbc16d Merge branch 'bug20716_026' into maint-0.2.9 2016-12-02 12:00:46 -05:00
Nick Mathewson
cf762c663d Bump to 0.2.9.6-rc-dev 2016-12-02 11:20:23 -05:00
Nick Mathewson
1122137fa0 Bump to 0.2.8.10-dev 2016-12-02 11:19:53 -05:00
Nick Mathewson
e317a9cb7c Merge branch 'bug20599_030_v4' 2016-12-02 07:47:32 -05:00