Commit Graph

11718 Commits

Author SHA1 Message Date
teor (Tim Wilson-Brown)
e14f9dd44f fixup! Add controller getinfo exit-policy/reject-private
Stop ignoring ExitPolicyRejectPrivate in getinfo
exit-policy/reject-private. Fix a memory leak.

Set ExitPolicyRejectPrivate in the unit tests, and make a mock
function declaration static.
2015-11-25 22:26:10 -05:00
Nick Mathewson
289b184e11 Merge branch 'bug17654_try1' 2015-11-25 12:25:44 -05:00
Nick Mathewson
fe8eb9b366 Merge remote-tracking branch 'public/decouple_dir_request_failed' 2015-11-25 09:21:25 -05:00
Nick Mathewson
dce708d11c Fix a logic error in connection_tls_continue_handshake().
(If we take the branch above this assertion, than we *didn't* have a
v1 handshake.  So if we don't take the branch, we did.  So if we
reach this assertion, we must be running as a server, since clients
no longer attempt v1 handshakes.)

Fix for bug 17654; bugfix on 9d019a7db7.

Bug not in any released Tor.
2015-11-25 09:17:44 -05:00
Nick Mathewson
45caeec9a0 Merge remote-tracking branch 'teor/comments-20151123' 2015-11-25 09:08:15 -05:00
Nick Mathewson
2079ec9ee6 Merge remote-tracking branch 'teor/feature8961-replaycache-sha256' 2015-11-25 08:55:18 -05:00
Nick Mathewson
be30c61ac1 Merge branch 'maint-0.2.7' 2015-11-25 08:53:46 -05:00
teor (Tim Wilson-Brown)
23b088907f Refuse to make direct connections to private OR addresses
Refuse connection requests to private OR addresses unless
ExtendAllowPrivateAddresses is set. Previously, tor would
connect, then refuse to send any cells to a private address.

Fixes bugs 17674 and 8976; bugfix on b7c172c9ec (28 Aug 2012)
Original bug 6710, released in 0.2.3.21-rc and an 0.2.2 maint
release.

Patch by "teor".
2015-11-25 03:11:15 +11:00
teor (Tim Wilson-Brown)
2e9779e5d8 Use SHA256 in the replaycache, rather than SHA1
This migrates away from SHA1, and provides further hash flooding
protection on top of the randomised siphash implementation.

Add unit tests to make sure that different inputs don't have the
same hash.
2015-11-24 09:08:53 +11:00
David Goulet
273b267fa2 Fix: use the right list in find_expiring_intro_point()
The wrong list was used when looking up expired intro points in a rend
service object causing what we think could be reachability issues and
triggering a BUG log.

Fixes #16702

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-11-23 09:02:54 -05:00
Roger Dingledine
6cdd024c94 fix two typos in comments 2015-11-23 07:40:13 -05:00
Nick Mathewson
cbc1b8a4f7 fix "make check-spaces" 2015-11-20 10:52:56 -05:00
Nick Mathewson
e3cf39cefd Fix compilation warnings 2015-11-20 10:51:19 -05:00
Nick Mathewson
35e886fe13 Merge branch 'getinfo-private-exitpolicy-v4-squashed' 2015-11-20 10:48:28 -05:00
teor (Tim Wilson-Brown)
10a6390deb Add controller getinfo exit-policy/reject-private
exit-policy/reject-private lists the reject rules added by
ExitPolicyRejectPrivate. This makes it easier for stem to
display exit policies.

Add unit tests for getinfo exit-policy/*.

Completes ticket #17183. Patch by "teor".
2015-11-20 10:48:19 -05:00
teor (Tim Wilson-Brown)
6913bdfcc5 Refactor router_dump_exit_policy_to_string
Split out policy_dump_to_string to use it in getinfo_helper_policies.
2015-11-20 10:39:37 +11:00
teor (Tim Wilson-Brown)
66fac9fbad Block OutboundBindAddressIPv[4|6]_ and configured ports on exit relays
Modify policies_parse_exit_policy_reject_private so it also blocks
the addresses configured for OutboundBindAddressIPv4_ and
OutboundBindAddressIPv6_, and any publicly routable port addresses
on exit relays.

Add and update unit tests for these functions.
2015-11-20 10:39:13 +11:00
teor (Tim Wilson-Brown)
c73c5a293f Refactor policies_parse_exit_policy_internal
Move the code that rejects publicly routable exit relay addresses
to policies_parse_exit_policy_reject_private. Add
addr_policy_append_reject_addr_list and use it to reject interface
addresses.

This removes the duplicate reject checks on local_address and
ipv6_local_address, but duplicates will be removed by
exit_policy_remove_redundancies at the end of the function.

This also removes the info-level logging on rejected interface
addresses. Instead, log a debug-level message in
addr_policy_append_reject_addr.

This simplifies policies_parse_exit_policy_internal and prepares for
reporting these addresses over the control port in #17183.
2015-11-20 10:32:51 +11:00
Nick Mathewson
118bdc3a6d Merge remote-tracking branch 'public/decouple_conn_attach_2' 2015-11-19 10:44:31 -05:00
Yawning Angel
85bb71049a Fix a startup time assert caused by periodic events not being initialized.
Loading a on disk bridge descriptor causes a directory download to be
scheduled, which asserts due to the periodic events not being
initialized yet.

Fixes bug #17635, not in any released version of tor.
2015-11-18 11:31:05 +00:00
Nick Mathewson
8af5afedc9 windows already has a CALLBACK macro... 2015-11-17 10:00:41 -05:00
Nick Mathewson
dc0d2b5970 Don't relaunch dir requests recursively if connection_connect() returns -1
Closes ticket 17589.
2015-11-17 09:40:05 -05:00
Nick Mathewson
d3cb659541 Fix a server-side crash on DNS init 2015-11-17 09:37:50 -05:00
Nick Mathewson
70f337fdb2 Some unit tests now require that periodic events be initialized. 2015-11-17 09:26:50 -05:00
Nick Mathewson
58edf92678 Free pending_entry_connections on shutdown. 2015-11-17 09:06:47 -05:00
Nick Mathewson
84b3350c83 Be more conservative in scanning the list of pending streams
Now we only re-scan the list in the cases we did before: when we
have a new circuit that we should try attaching to, or when we have
added a new stream that we haven't tried to attach yet.

This is part of 17590.
2015-11-17 09:04:25 -05:00
Nick Mathewson
b1d56fc589 Decouple ..attach_circuit() from most of its callers.
Long ago we used to call connection_ap_handshake_attach_circuit()
only in a few places, since connection_ap_attach_pending() attaches
all the pending connections, and does so regularly.  But this turned
out to have a performance problem: it would introduce a delay to
launching or connecting a stream.

We couldn't just call connection_ap_attach_pending() every time we
make a new connection, since it walks the whole connection list.  So
we started calling connection_ap_attach_pending all over, instead!
But that's kind of ugly and messes up our callgraph.

So instead, we now have connection_ap_attach_pending() use a list
only of the pending connections, so we can call it much more
frequently.  We have a separate function to scan the whole
connection array to see if we missed adding anything, and log a
warning if so.

Closes ticket #17590
2015-11-17 08:53:34 -05:00
Nick Mathewson
b91bd27e6f Whoops; in this context the EV_TIMEOUT flag is needed 2015-11-17 08:53:16 -05:00
Nick Mathewson
c113d19b53 Merge branch 'bug3199_redux_3' 2015-11-17 08:27:42 -05:00
Nick Mathewson
661e5bdbfa Changes to 3199 branch based on feedback from special 2015-11-17 08:26:04 -05:00
Nick Mathewson
eb721ed2d9 Add documentation for periodic event api 2015-11-16 10:40:23 -05:00
teor (Tim Wilson-Brown)
d3b7546753 Add a missing "if" in the comment on warn_nonlocal_controller_ports
Also reflow all the lines of that comment so that they're under
the maximum width.
2015-11-16 16:27:11 +11:00
teor (Tim Wilson-Brown)
dd82550a5e Add missing " in AccountingMax comment in or.h 2015-11-16 12:34:53 +11:00
Nick Mathewson
dd00fd0a1f Change periodic.c to use libevent directly
Libevent's periodic timers aren't the right solution when the
timeout potentially changes every time.
2015-11-13 16:25:40 -05:00
Nick Mathewson
65a6489e5e fix whitespace; remove dead code 2015-11-13 16:24:45 -05:00
Nick Mathewson
2bf8fb5ee3 Fold all of the run-every-second stuff back into run_scheduled_events() 2015-11-13 16:24:45 -05:00
Nick Mathewson
9f31908a40 Turn all of run_scheduled_events() into a bunch of periodic events
This patch is designed to look good when you see it through 'diff -b':
it mostly leaves entries in the same order, and leaves the code unmodified.
2015-11-13 16:24:45 -05:00
Nick Mathewson
e8b459a2fa Connect periodic events to main 2015-11-13 16:24:44 -05:00
Kevin Butler
fbeff307f7 Infrastructure for replacing global periodic events in main.c
(This is from Kevin's bug3199 patch series; nick extracted it into
 a new file and changed the interface a little, then did some API
 tweaks on it.)
2015-11-13 16:24:44 -05:00
Nick Mathewson
7a940fac1c appease check-spaces 2015-11-13 13:46:47 -05:00
Nick Mathewson
d467227323 Merge remote-tracking branch 'public/ticket11150_client_only' 2015-11-13 09:58:16 -05:00
Nick Mathewson
f7ccc9b975 Merge branch 'decouple_circuit_mark_squashed' 2015-11-12 14:20:24 -05:00
Nick Mathewson
8b4e5b7ee9 Experimentally decouple the main body of circuit_mark_for_close 2015-11-12 14:20:16 -05:00
Nick Mathewson
d20a3d07e3 Merge branch 'karsten_bug13192_026_03_teor' 2015-11-12 11:40:58 -05:00
teor (Tim Wilson-Brown)
0d5a439292 Mark fallback directoriess as too busy after a 503 response
Mark fallback directory mirrors as "too busy" when they return
a 503 response. Previously, the code just marked authorities as busy.

Unless clients set their own fallback directories, they will never see
this bug. (There are no default fallbacks yet.)

Fixes bug 17572; bugfix on 5c51b3f1f0 released in 0.2.4.7-alpha.
Patch by "teor".
2015-11-10 09:47:48 +11:00
rl1987
a187c772af Seventh test case for dns_resolve_impl(). 2015-10-24 14:30:53 +03:00
rl1987
f53dcf6a35 Sixth test case for dns_resolve_impl. 2015-10-24 14:30:52 +03:00
rl1987
cc1bed9974 Add a fifth unit test. 2015-10-24 14:30:52 +03:00
rl1987
1096f7638e A second test case for dns_resolve_impl. 2015-10-24 14:30:50 +03:00
Nick Mathewson
52fd384a46 Merge remote-tracking branch 'origin/maint-0.2.7' 2015-10-21 11:18:11 -04:00
Nick Mathewson
9c4a0aef0c Fix a memory leak in reading an expired ed signing key.
Closes 17403.
2015-10-21 11:16:28 -04:00
Nick Mathewson
35edd74e25 Merge remote-tracking branch 'origin/maint-0.2.7' 2015-10-21 10:56:40 -04:00
Nick Mathewson
5d45a26f39 Whoops; infinite recursion 2015-10-21 10:56:27 -04:00
Nick Mathewson
d14b009b23 Merge remote-tracking branch 'origin/maint-0.2.7' 2015-10-21 10:54:12 -04:00
Nick Mathewson
8b01849f3b Yet more memory leaks in the rendcache tests 2015-10-21 10:54:07 -04:00
Nick Mathewson
aa96abe66b Fix memory leak in rend_cache_failure_entry_free()
Bug 17402.
2015-10-21 10:52:57 -04:00
Nick Mathewson
a5e873ff29 Merge remote-tracking branch 'origin/maint-0.2.7' 2015-10-21 10:28:16 -04:00
Nick Mathewson
03eb999d42 Fix an (unreachable) memory leak in rendcache.c
The 0.2.8 unit tests provoke this leak, though I don't think it can
happen IRL.
2015-10-21 10:27:19 -04:00
Nick Mathewson
46cd466dec Merge remote-tracking branch 'origin/maint-0.2.7' 2015-10-21 10:00:52 -04:00
Nick Mathewson
34b4da709d Fix a bunch more memory leaks in the tests. 2015-10-21 10:00:05 -04:00
Nick Mathewson
5b2070198a Fix a use-after-free in validate_intro_point_failure. Bug 17401. Found w valgrind 2015-10-21 09:59:19 -04:00
Nick Mathewson
a8a26ca30e Merge remote-tracking branch 'origin/maint-0.2.7' 2015-10-15 13:56:53 -04:00
Nick Mathewson
7e7683b254 Merge remote-tracking branch 'origin/maint-0.2.6' into maint-0.2.7 2015-10-15 13:56:41 -04:00
David Goulet
2ec5e24c58 Add hidserv-stats filname to our sandbox filter
Fixes #17354

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-10-15 13:42:34 -04:00
Nick Mathewson
9d019a7db7 tor_tls_finish_handshake is server-side only. 2015-10-07 10:32:54 -04:00
Nick Mathewson
6505d529a5 Remove client-side support for detecting v1 handshake
Fixes more of 11150
2015-10-07 10:13:39 -04:00
Nick Mathewson
bd1a137893 Remove the client-side code for the v1 and v2 tls handshakes.
(This is safe since super-old Tor servers are no longer allowed on
the network.)

Closes the client-side part of 11150.
2015-10-07 10:04:12 -04:00
Nick Mathewson
15bfdbeb9d fix check-spaces once more 2015-10-06 11:32:37 -04:00
Nick Mathewson
f179abdca9 Merge remote-tracking branch 'twstrike/rendcache_tests'
Conflicts:
        src/test/include.am
	src/test/rend_test_helpers.c
	src/test/rend_test_helpers.h
2015-10-06 11:32:06 -04:00
Ola Bini
70de8d4bf8
Fix spaces and other smaller issues 2015-10-05 14:31:10 -05:00
Roger Dingledine
c9cb5516ab fix easy typo 2015-10-04 12:28:25 -04:00
Nick Mathewson
21c201202e Merge remote-tracking branch 'twstrike/dir-handle-cmd-get' 2015-10-02 15:04:28 +02:00
Nick Mathewson
67182226f1 Merge remote-tracking branch 'teor/warn-when-time-goes-backwards' 2015-10-02 13:56:28 +02:00
Nick Mathewson
488e9a0502 Merge remote-tracking branch 'teor/routerset-parse-IPv6-literals'
(Minor conflicts)
2015-10-02 13:54:20 +02:00
Nick Mathewson
0b3190d4b7 Merge remote-tracking branch 'donncha/feature14846_4' 2015-10-02 13:40:26 +02:00
teor (Tim Wilson-Brown)
763cb393d3 fixup #17188: Add most likely reasons for clock going backwards
Add "You might have an empty clock battery or bad NTP server."
2015-10-01 09:58:15 +02:00
Nick Mathewson
71e4649f02 Disallow transitions on SyslogIdentityTag, since they do not work right 2015-09-30 18:34:15 +02:00
Peter Palfrader
1cf0d82280 Add SyslogIdentityTag
When logging to syslog, allow a tag to be added to the syslog identity
("Tor"), i.e. the string prepended to every log message.  The tag can be
configured by setting SyslogIdentityTag and defaults to none.  Setting
it to "foo" will cause logs to be tagged as "Tor-foo".  Closes: #17194.
2015-09-30 18:34:15 +02:00
teor (Tim Wilson-Brown)
cd279ca7f5 Warn when the system clock is set back in time
Warn when the state file was last written in the future.
Tor doesn't know that consensuses have expired if the clock is in the past.

Patch by "teor". Implements ticket #17188.
2015-09-30 13:33:56 +02:00
Marcin Cieślak
f75325c132 No spaces around = in variable assignment
BSD make takes spaces around = literally
and produces a "TESTING_TOR_BINARY "
variable with a trailing space, which leads
to test_keygen.sh failure.

Fixes 17154
2015-09-29 10:09:02 +02:00
Nick Mathewson
8d6bb3a559 Make our digest-mismatch warnings a touch better 2015-09-24 17:45:33 -04:00
Nick Mathewson
e62fe2f02d Put braces around reject-lines for IPv6 addrs
Fixes bug 17149; bug not in any released Tor.
2015-09-24 16:51:25 -04:00
Nick Mathewson
01733e2b15 New AuthDirPinKeys option to enable/disable keypinning enforcement
Implements ticket #17135.  We're going to need this one to avoid
chaos as everybody figures out how ed25519 keys work.
2015-09-23 11:22:26 -04:00
Nick Mathewson
efea1e904a Extract the add-or-replace-keypin logic into a new function
We're about to need to call it in another place too.
2015-09-23 11:07:17 -04:00
Nick Mathewson
c5e87e33c7 Allow conflicts to occur in keypinning journal
When we find a conflict in the keypinning journal, treat the new
entry as superseding all old entries that overlap either of its
keys.

Also add a (not-yet-used) configuration option to disable keypinning
enforcement.
2015-09-23 11:02:21 -04:00
Nick Mathewson
6b6a714732 Fix a memory leak in router_parse_addr_policy_item_from_string. CID 1324770 2015-09-22 09:55:05 -04:00
Nick Mathewson
df0b4f0342 Merge branch 'feature16769_squashed' 2015-09-22 09:26:30 -04:00
Nick Mathewson
1911f80fb5 Disable --master-key as not-yet-working for 0.2.7 2015-09-22 09:24:35 -04:00
Nick Mathewson
bca4211de5 Add a --master-key option
This lets the user override the default location for the master key
when used with --keygen

Part of 16769.
2015-09-22 09:24:35 -04:00
Nick Mathewson
d8f031aec2 Add a new --newpass option to add or remove secret key passphrases. 2015-09-22 09:24:35 -04:00
Nick Mathewson
e94ef30a2f Merge branch 'feature16944_v2' 2015-09-22 09:19:28 -04:00
teor (Tim Wilson-Brown)
a659a3fced Merge branch 'bug17027-reject-private-all-interfaces-v2' into bug16069-bug17027
src/test/test_policy.c:
Merged calls to policies_parse_exit_policy by adding additional arguments.
fixup to remaining instance of ~EXIT_POLICY_IPV6_ENABLED.
Compacting logic test now produces previous list length of 4, corrected this.

src/config/torrc.sample.in:
src/config/torrc.minimal.in-staging:
Merged torrc modification dates in favour of latest.
2015-09-16 09:09:54 +10:00
teor (Tim Wilson-Brown)
fd85f2cd70 fixup Clarify ambiguous log message in router_add_exit_policy 2015-09-16 03:59:30 +10:00
teor (Tim Wilson-Brown)
ab6f93caa7 fixup Only set TAPMP_STAR_IPV6_ONLY if TAPMP_EXTENDED_STAR is set
Also fix a comment.
2015-09-16 03:58:06 +10:00
teor (Tim Wilson-Brown)
eb1759e63c Log an info-level message for each IP blocked by ExitPolicyRejectPrivate
Log an info-level message containing the reject line added to the
exit policy for each local IP address blocked by ExitPolicyRejectPrivate:
 - Published IPv4 and IPv6 addresses
 - Publicly routable IPv4 and IPv6 interface addresses
2015-09-16 02:58:34 +10:00
teor (Tim Wilson-Brown)
098b82c7b2 ExitPolicyRejectPrivate rejects local IPv6 address and interface addresses
ExitPolicyRejectPrivate now rejects more local addresses by default:
 * the relay's published IPv6 address (if any), and
 * any publicly routable IPv4 or IPv6 addresses on any local interfaces.

This resolves a security issue for IPv6 Exits and multihomed Exits that
trust connections originating from localhost.

Resolves ticket 17027. Patch by "teor".
Patch on 42b8fb5a15 (11 Nov 2007), released in 0.2.0.11-alpha.
2015-09-16 02:56:50 +10:00
Reinaldo de Souza Jr
4ff08bb581 Add tests for directory_handle_command_get 2015-09-15 11:08:50 -05:00
Ola Bini
ade5005853
Add tests for the rend cache 2015-09-15 16:21:50 +02:00
teor (Tim Wilson-Brown)
d3358a0a05 ExitPolicy accept6/reject6 produces IPv6 wildcard addresses only
In previous versions of Tor, ExitPolicy accept6/reject6 * produced
policy entries for IPv4 and IPv6 wildcard addresses.

To reduce operator confusion, change accept6/reject6 * to only produce
an IPv6 wildcard address.

Resolves bug #16069.

Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-16 00:13:12 +10:00
teor (Tim Wilson-Brown)
36ad8d8fdc Warn about redundant torrc ExitPolicy lines due to accept/reject *:*
Tor now warns when ExitPolicy lines occur after accept/reject *:*
or variants. These lines are redundant, and were always ignored.

Partial fix for ticket 16069. Patch by "teor".
Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-16 00:13:12 +10:00