Commit Graph

7683 Commits

Author SHA1 Message Date
Nick Mathewson
a8190b09a3 Cache the parsed value of SafeLogging as an enum. 2009-12-12 01:12:47 -05:00
Sebastian Hahn
3807db001d *_free functions now accept NULL
Some *_free functions threw asserts when passed NULL. Now all of them
accept NULL as input and perform no action when called that way.

This gains us consistence for our free functions, and allows some
code simplifications where an explicit null check is no longer necessary.
2009-12-12 03:29:44 +01:00
Sebastian Hahn
28b29e0fd7 Fix typo in a comment 2009-12-12 02:53:27 +01:00
Sebastian Hahn
f258647433 Allow SafeLogging to exclude client related information 2009-12-12 02:26:11 +01:00
Nick Mathewson
b51a33e527 Merge commit 'origin/maint-0.2.1' 2009-12-04 14:31:17 -05:00
Martin Peck
3a2d677fa7 Improved workaround for disabled OpenSSL renegotiation.
It turns out that OpenSSL 0.9.8m is likely to take a completely
different approach for reenabling renegotiation than OpenSSL 0.9.8l
did, so we need to work with both. :p   Fixes bug 1158.

(patch by coderman; commit message by nickm)
2009-12-04 14:25:08 -05:00
Karsten Loesing
16fbb2f745 Minor fix to buffer stats.
Do not segfault when writing buffer stats when we haven't observed a
single circuit to report about.  This is a minor bug that would only show
up in testing environments with no traffic and with reduced stats
intervals.
2009-12-03 10:51:51 +01:00
Roger Dingledine
cee9a28d1e Merge commit 'origin/maint-0.2.1' 2009-11-23 10:16:38 -05:00
Roger Dingledine
a89f51c936 fix race condition that can cause crashes at client or exit relay
Avoid crashing if the client is trying to upload many bytes and the
circuit gets torn down at the same time, or if the flip side
happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.
2009-11-23 10:13:50 -05:00
Roger Dingledine
403f99eaa4 add a minimum for CircuitStreamTimeout, plus a man page
plus some other unrelated touchups that have been sitting in my
sandbox
2009-11-22 07:15:30 -05:00
Roger Dingledine
7f3f88bed3 New config option "CircuitStreamTimeout"
New config option "CircuitStreamTimeout" to override our internal
timeout schedule for how many seconds until we detach a stream from
a circuit and try a new circuit. If your network is particularly
slow, you might want to set this to a number like 60.
2009-11-21 23:36:36 -05:00
Roger Dingledine
fdd58f3bd5 If somebody tries to overflow my dirport, don't log his IP by default.
aka Fix an instance where a Tor directory mirror might accidentally
log the IP address of a misbehaving Tor client. Bugfix on
0.1.0.1-rc.
2009-11-21 23:09:24 -05:00
Roger Dingledine
4f8b36a1e2 clobber connections with different number than we clobber circuits 2009-11-21 23:02:10 -05:00
Roger Dingledine
7b6b931ccc stop assuming that our downcasts have a struct offset of 0
shouldn't actually change anything, but who knows.
2009-11-21 22:59:18 -05:00
Roger Dingledine
01a9cc0413 bump to 0.2.2.6-alpha-dev 2009-11-21 22:57:05 -05:00
Nick Mathewson
2b1bb233b3 Use the same mlockall checks with tor_set_max_memlock 2009-11-20 14:45:29 -05:00
Nick Mathewson
444eff6286 Fix compilation on OSX 10.3.
On this OSX version, there is a stub mlockall() function
that doesn't work, *and* the declaration for it is hidden by
an '#ifdef _P1003_1B_VISIBLE'.  This would make autoconf
successfully find the function, but our code fail to build
when no declaration was found.

This patch adds an additional test for the declaration.
2009-11-20 13:28:16 -05:00
Roger Dingledine
1ee580407c bump to 0.2.2.6-alpha 2009-11-19 14:16:11 -05:00
Nick Mathewson
9be682942c Not everybody likes debugging printfs as much as I 2009-11-18 11:26:44 -05:00
Nick Mathewson
e722ffa605 Do not report a partially-successful detached signature add as failed.
Also, regenerate the detached-signature document whenever any signatures are
successfully added.
2009-11-17 14:24:59 -05:00
Roger Dingledine
2ebd22152e only complain when rejecting a descriptor if it has contact info 2009-11-17 07:39:15 -05:00
Jacob Appelbaum
6f1fe7e941 Fix compilation with with bionic libc.
This fixes bug 1147:

 bionic doesn't have an actual implementation of mlockall();
 mlockall() is merely in the headers but not actually in the library.
 This prevents Tor compilation with the bionic libc for Android handsets.
2009-11-14 16:45:14 -05:00
Roger Dingledine
22f674fcb8 Fix a memory leak on directory authorities during voting
Fix a memory leak on directory authorities during voting that was
introduced in 0.2.2.1-alpha. Found via valgrind.
2009-11-12 01:31:26 -05:00
Nick Mathewson
69c0147ea6 Fix building from a separate build directory. 2009-11-08 00:38:46 -05:00
Nick Mathewson
0a58567ce3 Merge commit 'origin/maint-0.2.1'
Conflicts:
	src/common/tortls.c
2009-11-06 15:24:52 -05:00
Nick Mathewson
ce0a89e262 Make Tor work with OpenSSL 0.9.8l
To fix a major security problem related to incorrect use of
SSL/TLS renegotiation, OpenSSL has turned off renegotiation by
default.  We are not affected by this security problem, however,
since we do renegotiation right.  (Specifically, we never treat a
renegotiated credential as authenticating previous communication.)
Nevertheless, OpenSSL's new behavior requires us to explicitly
turn renegotiation back on in order to get our protocol working
again.

Amusingly, this is not so simple as "set the flag when you create
the SSL object" , since calling connect or accept seems to clear
the flags.

For belt-and-suspenders purposes, we clear the flag once the Tor
handshake is done.  There's no way to exploit a second handshake
either, but we might as well not allow it.
2009-11-05 18:13:08 -05:00
Nick Mathewson
eb1faf8a0a Fix a URL in a log message. 2009-11-04 11:39:10 -05:00
Sebastian Hahn
f1b7295b27 Disallow command line keywords with more than two dashes as prefix.
This might help fix cid 422, where coverity fails to notice that
argv strings are null-escaped.
2009-10-27 17:50:24 +01:00
Sebastian Hahn
b0e8c33617 Make it more obvious for coverity that cid 404 is not dead code 2009-10-27 14:19:32 +01:00
Jacob Appelbaum
2aac39a779 Implement DisableAllSwap to avoid putting secret info in page files.
This commit implements a new config option: 'DisableAllSwap'
This option probably only works properly when Tor is started as root.
We added two new functions: tor_mlockall() and tor_set_max_memlock().
tor_mlockall() attempts to mlock() all current and all future memory pages.
For tor_mlockall() to work properly we set the process rlimits for memory to
RLIM_INFINITY (and beyond) inside of tor_set_max_memlock().
We behave differently from mlockall() by only allowing tor_mlockall() to be
called one single time. All other calls will result in a return code of 1.
It is not possible to change DisableAllSwap while running.
A sample configuration item was added to the torrc.complete.in config file.
A new item in the man page for DisableAllSwap was added.
Thanks to Moxie Marlinspike and Chris Palmer for their feedback on this patch.

Please note that we make no guarantees about the quality of your OS and its
mlock/mlockall implementation. It is possible that this will do nothing at all.
It is also possible that you can ulimit the mlock properties of a given user
such that root is not required. This has not been extensively tested and is
unsupported. I have included some comments for possible ways we can handle
this on win32.
2009-10-27 04:28:40 -04:00
Karsten Loesing
56c2385157 Fix bug 1113.
Bridges do not use the default exit policy, but reject *:* by default.
2009-10-27 01:03:41 -07:00
Roger Dingledine
8c34e79263 Merge commit 'karsten/log-1092' 2009-10-27 02:26:58 -04:00
Karsten Loesing
c8b27a8e9e Improve log statement when publishing v2 hs desc. 2009-10-26 23:09:10 -07:00
Karsten Loesing
19ddee5582 Fix bug 1042.
If your relay can't keep up with the number of incoming create cells, it
would log one warning per failure into your logs. Limit warnings to 1 per
minute.
2009-10-26 22:49:43 -07:00
Sebastian Hahn
70abd843fd crypto_cipher_set_key cannot fail
In 5e4d53d535 we made it so that
crypto_cipher_set_key cannot fail. The call will now
always succeed, to returning a boolean for success/failure makes
no sense.
2009-10-27 04:31:23 +01:00
Nick Mathewson
54973a45a6 Fix an apparently bogus check; fortunately, it seems to be untriggered. 2009-10-26 23:14:53 -04:00
Nick Mathewson
311315e077 Fix an accidentally removed free in 385853a282, and repair a check. 2009-10-26 23:13:29 -04:00
Roger Dingledine
ad525685f6 Merge commit 'karsten/fix-1066-3' 2009-10-26 22:45:12 -04:00
Nick Mathewson
385853a282 Fix/annotate deadcode for CID 402,403 2009-10-26 22:40:41 -04:00
Nick Mathewson
134ac8059b Fix the very noisy unit test memory leak of CID 420-421.
On any failing case in test_util_config_line, we would leak a couple
of strings.
2009-10-26 22:40:41 -04:00
Nick Mathewson
caa141617f Fix dead code found by Coverity (CID 419).
This was left over from an early draft of the microdescriptor code; it
began to populate the signatures array of a networkstatus vote, even
though there's no actual need to do that for a vote.
2009-10-26 22:40:41 -04:00
Nick Mathewson
98cd8c5d16 Fix a very stupid coverity complaint (CID 416).
In its zeal to keep me from saying memset(x, '0', sizeof(x)), Coverity
disallows memset(x, 48, sizeof(x)).  Fine.  I'll choose a different
magic number, see if I care!
2009-10-26 22:40:41 -04:00
Nick Mathewson
5e4d53d535 Remove checks for array existence. (CID 410..415)
In C, the code "char x[10]; if (x) {...}" always takes the true branch of
the if statement.  Coverity notices this now.

In some cases, we were testing arrays to make sure that an operation
we wanted to do would suceed.  Those cases are now always-true.

In some cases, we were testing arrays to see if something was _set_.
Those caes are now tests for strlen(s), or tests for
!tor_mem_is_zero(d,len).
2009-10-26 22:40:41 -04:00
Nick Mathewson
cec698d29e Fix CID 409: check return value of base64_encode in tests 2009-10-26 22:40:41 -04:00
Nick Mathewson
a457cd91fa Clarification to suppress Coverity CID 405.
Every or conn has an outbuf, but coverity has no way of knowing that.
Add an assert to ease its conscience.
2009-10-26 22:40:40 -04:00
Nick Mathewson
8519d36633 Merge commit 'origin/maint-0.2.1' 2009-10-26 22:40:24 -04:00
Karsten Loesing
4256a96461 Fix bug 1066.
If all authorities restart at once right before a consensus vote, nobody
will vote about "Running", and clients will get a consensus with no usable
relays. Instead, authorities refuse to build a consensus if this happens.
2009-10-26 19:27:54 -07:00
Nick Mathewson
5c73da7faa Fix two memory leaks found by Coverity (CIDs 417-418)
The first happens on an error case when a controller wants an
impossible directory object.  The second happens when we can't write
our fingerprint file.
2009-10-26 22:12:40 -04:00
Nick Mathewson
8bada1ef67 Add missing break statements for Coverity CIDs #406,407.
The code for these was super-wrong, but will only break things when we
reset an option on a platform where sizeof(time_t) is different from
sizeof(int).
2009-10-26 21:35:26 -04:00
Nick Mathewson
071521e02f Merge commit 'origin/maint-0.2.1'
Conflicts:
	ChangeLog
2009-10-26 20:15:03 -04:00
Nick Mathewson
56048637a5 Only send the if_modified_since header for a v3 consensus.
Spotted by xmux; bugfix on 0.2.0.10-alpha.
(Bug introduced by 20b10859)
2009-10-26 20:14:11 -04:00
Karsten Loesing
d2b4b49ff0 Reduce log level for someone else sending us weak DH keys.
See task 1114. The most plausible explanation for someone sending us weak
DH keys is that they experiment with their Tor code or implement a new Tor
client. Usually, we don't care about such events, especially not on warn
level. If we really care about someone not following the Tor protocol, we
can set ProtocolWarnings to 1.
2009-10-25 23:47:05 -07:00
Roger Dingledine
fa23430496 clean up the XXX comments around bug 1038 2009-10-26 01:32:27 -04:00
Nick Mathewson
afc76a4e71 Fix two bugs found by Coverity scan.
One was a simple buffer overrun; the other was a high-speed pointer
collision.  Both were introduced by my microdescs branch.
2009-10-19 23:19:42 -04:00
Nick Mathewson
f629687053 Merge branch 'microdesc' 2009-10-19 00:45:47 -04:00
Nick Mathewson
465d4e1cd1 Document some formerly undocumented functions. 2009-10-19 00:30:52 -04:00
Sebastian Hahn
740806c453 Fix compile with warnings problems on Snow Leopard 2009-10-19 01:30:46 +02:00
Nick Mathewson
bb22d8fc45 Add functions to serve microdescs and flavored consensuses. 2009-10-18 18:46:12 -04:00
Nick Mathewson
200c39b66c Document the microdescriptor code better. 2009-10-18 18:46:12 -04:00
Nick Mathewson
d61b5df9c1 Fix various bugs in microdescriptor caching. 2009-10-18 18:46:07 -04:00
Nick Mathewson
e26a79ca8a Make start_writing_to_stdio_file() respect O_BINARY. 2009-10-15 15:17:13 -04:00
Nick Mathewson
851a980065 Actually remember all the consensus types when we are done generating them. 2009-10-15 15:17:13 -04:00
Nick Mathewson
a19981725d Parse detached signatures and microdesc networkstatuses correctly. 2009-10-15 15:17:13 -04:00
Nick Mathewson
3471057486 Implement signatures for microdesc consensuses right.
This means we need to handle the existence of multiple flavors of signature
in a detached signatures document, generate them correctly, and so on.
2009-10-15 15:17:13 -04:00
Nick Mathewson
d9c71816b1 Generate all the flavors of consensuses when building consensuses. 2009-10-15 15:17:13 -04:00
Nick Mathewson
5576a3a094 Parse detached signature documents with multiple flavors and algorithms. 2009-10-15 15:17:13 -04:00
Nick Mathewson
3b2fc659a8 Refactor consensus signature storage for multiple digests and flavors.
This patch introduces a new type called document_signature_t to represent the
signature of a consensus document.  Now, each consensus document can have up
to one document signature per voter per digest algorithm.  Also, each
detached-signatures document can have up to one signature per <voter,
algorithm, flavor>.
2009-10-15 15:17:13 -04:00
Nick Mathewson
e1ddee8bbe Code to generate, store, and parse microdescriptors and consensuses.
The consensus documents are not signed properly, not served, and not
exchanged yet.
2009-10-15 15:17:13 -04:00
Nick Mathewson
a8e92ba8fd Add a function to get the most frequent member of a list. 2009-10-15 15:17:13 -04:00
Nick Mathewson
a7ba02f3f1 Add ability to parse one or more m line from a vote. 2009-10-15 15:17:13 -04:00
Nick Mathewson
bdf4839395 Functions to encode microdescriptors and their lines. 2009-10-15 15:17:12 -04:00
Nick Mathewson
c5f7f04aff Allow signed data to include other hashes later.
Previously, we insisted that a valid signature must be a signature of
the expected digest.  Now we accept anything that starts with the
expected digest.  This lets us include another digest later.
2009-10-15 15:17:12 -04:00
Nick Mathewson
15f4e9600c Signature-checking code can handle longer digests. 2009-10-15 15:17:12 -04:00
Nick Mathewson
8b2f6b27fd Make signature-generation code handle different key and digest lengths. 2009-10-15 15:17:12 -04:00
Nick Mathewson
8d41e6c471 Support for encoding and decoding 256-bit digests in base64 2009-10-15 15:17:12 -04:00
Nick Mathewson
5ef97ddd42 Merge commit 'origin/maint-0.2.1'
Conflicts:
	ChangeLog
	configure.in
	contrib/tor-mingw.nsi.in
	src/or/config.c
	src/win32/orconfig.h
2009-10-15 12:33:22 -04:00
Roger Dingledine
16dc543851 bump to 0.2.1.20 2009-10-15 12:14:18 -04:00
Roger Dingledine
2bee297d57 Move moria1 and Tonga to alternate IP addresses. 2009-10-15 12:14:18 -04:00
Roger Dingledine
2394336426 read the "circwindow" parameter from the consensus
backport of c43859c5c1
backport of 0d13e0ed14
2009-10-14 17:07:32 -04:00
Nick Mathewson
83c3f118db Code to parse and access network parameters.
Partial backport of 381766ce4b.
Partial backport of 56c6d78520.
2009-10-14 16:15:41 -04:00
Nick Mathewson
71cdd99dd7 Another event2 evdns fix. 2009-10-13 18:57:25 -04:00
Nick Mathewson
81eee0ecff Fix a crash when using evdns from Libevent 2.
When we tried to use the deprecated non-threadsafe evdns
interfaces in Libevent 2 without using the also-deprecated
event_init() interface, Libevent 2 would sensibly crash, since it
has no guess where to find the Libevent library.

Here we use the evdns_base_*() functions instead if they're
present, and fake them if they aren't.
2009-10-13 17:54:04 -04:00
Roger Dingledine
4b55ef26c9 bump to 0.2.2.5-alpha-dev 2009-10-12 15:28:29 -04:00
Nick Mathewson
da990d09c3 Merge commit 'public/android' 2009-10-11 23:30:19 -04:00
Roger Dingledine
9d6c79cbbb fix compile on windows 2009-10-11 17:23:47 -04:00
Roger Dingledine
255245a289 bump to 0.2.2.5-alpha 2009-10-11 14:59:20 -04:00
Roger Dingledine
6265b9f09d Move dizum to an alternate IP address. 2009-10-11 14:59:14 -04:00
Peter Palfrader
c4a5e06098 Ship test.h in release
The test suite need the test.h file to build. Add it to
noinst_HEADERS in the Makefile.am so it gets included
in the tarball that make dist produces.
2009-10-11 10:44:16 -04:00
Peter Palfrader
2f760c5461 Fix testsuite call.
tinytest_main() returns 0 on success, -1 on errors and 1 on test
failures.  So test.c should check on !=0 instead of <0.
2009-10-10 18:58:54 -04:00
Roger Dingledine
a9e0e2f819 bump to 0.2.2.4-alpha 2009-10-10 17:29:44 -04:00
Nick Mathewson
5a6575c2d4 Don't set unreachable from dirvote unless we've been running a while.
This is a possible fix for bug 1023, where if we vote (or make a v2
consensus networkstatus) right after we come online, we can call
rep_hist_note_router_unreachable() on every router we haven't connected
to yet, and thereby make all their uptime values reset.
2009-10-10 15:23:00 -04:00
Roger Dingledine
1c62b9d5fa fix a bug where we were decrementing the wrong bucket
i think this doesn't actually affect anything, since linked
conns usually don't impact buckets
2009-10-10 14:52:41 -04:00
Roger Dingledine
746a19e84d remove some dead code. some of it was tickling coverity. 2009-10-10 13:39:41 -04:00
Sebastian Hahn
e35f9414d6 Fix a memleak when throwing away some build times
This was introduced in f7e6e852e8.
Found by Coverity
2009-10-10 13:41:44 +02:00
Mike Perry
18689317e4 Tweak an assert that shouldn't fire either way.
There were however other places where we used to call this
function that might have caused this to fire. Better
safe than sorry now.
2009-10-07 13:05:28 -07:00
Mike Perry
ec05e64a68 Tweak values for when to discard all of our history.
This seems to be happening to me a lot on a garbage DSL line.
We may need to come up with 2 threshholds: a high short onehop
count and a lower longer count.
2009-10-07 12:49:13 -07:00
Mike Perry
b918cd8f04 Remove another overzealous assert.
Pretimeouts may have build time data, just no timeout data.
2009-10-07 12:24:40 -07:00
Roger Dingledine
b4e0d09202 try to stem the 'sea of fail' 2009-10-01 05:35:24 -04:00
Roger Dingledine
9325b9269c Ignore one-hop circuits for circuit timeout calc
Don't count one-hop circuits when we're estimating how long it
takes circuits to build on average. Otherwise we'll set our circuit
build timeout lower than we should. Bugfix on 0.2.2.2-alpha.
2009-10-01 04:15:45 -04:00
Roger Dingledine
b9e8f0a013 Move Tonga to an alternate IP address 2009-09-30 22:35:05 -04:00