Commit Graph

24223 Commits

Author SHA1 Message Date
George Kadianakis
bd1ac408d8 Remove dead code from circpad_machine_remove_token(). 2019-07-25 10:24:19 -04:00
David Goulet
2a4b156978 Merge branch 'tor-github/pr/1171' into maint-0.4.1 2019-07-25 09:02:53 -04:00
Nick Mathewson
b2a6b52825 Bump version to 0.4.1.4-rc 2019-07-25 09:00:53 -04:00
Nick Mathewson
167d873bde Fix clang-detected errors related to log_domain_mask_t 2019-07-24 09:08:48 -04:00
George Kadianakis
bb33a2f290 Merge branch 'tor-github/pr/1181' into maint-0.4.1 2019-07-24 12:31:56 +03:00
George Kadianakis
5aa526c2d8 circpad: some more logging changes.
- Add an info log when receiving a STOP command.
- Keep warning if we receive padding from a wrong hop.
2019-07-23 12:22:26 +03:00
Mike Perry
a3089662c0 More LOG_PROTOCOL_WARN.
Make origin-side messages about padding negotiation failure into
LOG_PROTOCOL_WARN.

I'm not sure I like this either.. But the negotiation refusal case might
happen naturally due to consensus drift, and is functionally no different than
a corrupted cell.
2019-07-23 12:22:25 +03:00
Mike Perry
86f298441b Make some warns into protocol warns
I'm not sure I agree with this option.
2019-07-23 12:22:24 +03:00
Mike Perry
065f25c2ce Bug 30649: Check that machine is absent before warn 2019-07-23 12:22:15 +03:00
Nick Mathewson
5fb070a14d Extract the log_domain_t type to a lower-level header
This way, both err and log may depend on it.
2019-07-19 10:17:22 -04:00
Nick Mathewson
f682de609b Adjust tor_log.rs for 64-bit log domains. 2019-07-19 10:07:32 -04:00
Nick Mathewson
a9379d6750 Set 'routerlist' global to NULL before freeing it.
There is other code that uses this value, and some of it is
apparently reachable from inside router_dir_info_changed(), which
routerlist_free() apparently calls.  (ouch!)  This is a minimal fix
to try to resolve the issue without causing other problems.

Fixes bug 31003. I'm calling this a bugfix on 0.1.2.2-alpha, where
the call to router_dir_info_changed() was added to routerlist_free().
2019-07-19 09:49:52 -04:00
Tobias Stoeckmann
17458a87d7 Prevent UB on signed overflow.
Overflowing a signed integer in C is an undefined behaviour.
It is possible to trigger this undefined behaviour in tor_asprintf on
Windows or systems lacking vasprintf.

On these systems, eiter _vscprintf or vsnprintf is called to retrieve
the required amount of bytes to hold the string. These functions can
return INT_MAX. The easiest way to recreate this is the use of a
specially crafted configuration file, e.g. containing the line:

FirewallPorts AAAAA<in total 2147483610 As>

This line triggers the needed tor_asprintf call which eventually
leads to an INT_MAX return value from _vscprintf or vsnprintf.

The needed byte for \0 is added to the result, triggering the
overflow and therefore the undefined behaviour.

Casting the value to size_t before addition fixes the behaviour.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-07-19 09:21:32 -04:00
Nick Mathewson
2e55fa9587 Adjust log callback type to use log_domain_mask_t 2019-07-08 14:11:02 -04:00
Nick Mathewson
4512578e49 Add a compile-time assertion to prevent a recurrence of 31080. 2019-07-08 13:41:35 -04:00
Nick Mathewson
09c692e72b Use a 64-bit mask for log domains, and fix a conflict
When we added LD_MESG, we created a conflict with the LD_NO_MOCK
flag.  We now need 64 bits for log domains in order to fix this
issue.

Fixes bug 31080; bugfix on 0.4.1.1-alpha.
2019-07-08 13:32:45 -04:00
Nick Mathewson
d972f29d8d Move declaration of LD_NO_MESG to make conflict more apparent. 2019-07-08 13:00:31 -04:00
Nick Mathewson
1dd9527897 Merge branch 'maint-0.2.9' into maint-0.3.5 2019-07-01 14:25:12 -04:00
Nick Mathewson
2a42d6be27 Merge branch 'maint-0.3.5' into maint-0.4.0 2019-07-01 14:25:12 -04:00
Nick Mathewson
5e16601000 Merge branch 'maint-0.4.0' into maint-0.4.1 2019-07-01 14:25:12 -04:00
teor
f3b2a81ce7
fallback: apply the second fallback list from 2019
Update the fallback directory mirrors by merging the current list with:
fallback_dirs_2019-06-28-08-58-39_AU_f0437a39ddbc8459.inc

Part of 28795, see that ticket for logs.
2019-06-28 21:16:50 +10:00
teor
37c2808ab0
fallback: apply the first fallback list from 2019
Update the fallback directory mirrors by replacing the old list with:
fallback_dirs_2019-06-25-11-49-10_AU_a37adb956fbb5cd2.inc

Part of 28795, see that ticket for logs.
2019-06-28 21:05:00 +10:00
Nick Mathewson
3ccf91027b Merge remote-tracking branch 'tor-github/pr/1101' into maint-0.4.1 2019-06-26 10:05:51 -04:00
Nick Mathewson
648d5df628 Merge remote-tracking branch 'tor-github/pr/1118' into maint-0.4.1 2019-06-26 09:49:40 -04:00
George Kadianakis
00acccac64 Merge branch 'tor-github/pr/1114' into maint-0.4.1 2019-06-26 10:51:12 +03:00
Nick Mathewson
e4f66bf7ff bump to 0.4.1.3-alpha-dev 2019-06-25 11:55:53 -04:00
Nick Mathewson
8803930de8 Merge remote-tracking branch 'tor-github/pr/1130' into maint-0.4.1 2019-06-24 13:36:10 -04:00
Nick Mathewson
aab5f42ae0 bump to 0.4.1.3-alpha 2019-06-24 09:32:46 -04:00
teor
8356cc5b51 stats: Always publish pluggable transports in extra info documents
Always publish bridge pluggable transport information in the extra info
descriptor, even if ExtraInfoStatistics is 0. This information is
needed by BridgeDB.

Fixes bug 30956; bugfix on 0.4.1.1-alpha.
2019-06-24 19:44:24 +10:00
David Goulet
6a0763cd66 guard: Ignore marked for close circuit when changing state to open
When we consider all circuits in "waiting for guard" state to be promoted to
an "open" state, we were considering all circuits, even the one marked for
close.

This ultiamtely triggers a "circuit_has_opened()" called on the circuit that
is marked for close which then leads to possible undesirable behaviors within
a subsystem.

For instance, the HS subsystem would be unable to find the authentication key
of the introduction point circuit leading to a BUG() warning and a duplicate
mark for close on the circuit.

This commit also adds a unit test to make sure we never select marked for
close circuits when upgrading its guard state from waiting for guard to open.

Fixes #30871

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-06-19 07:41:45 -04:00
David Goulet
e3f3478032 guard: Ignore marked for close circuit when changing state to open
When we consider all circuits in "waiting for guard" state to be promoted to
an "open" state, we were considering all circuits, even the one marked for
close.

This ultiamtely triggers a "circuit_has_opened()" called on the circuit that
is marked for close which then leads to possible undesirable behaviors within
a subsystem.

For instance, the HS subsystem would be unable to find the authentication key
of the introduction point circuit leading to a BUG() warning and a duplicate
mark for close on the circuit.

This commit also adds a unit test to make sure we never select marked for
close circuits when upgrading its guard state from waiting for guard to open.

Fixes #30871

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-06-19 07:40:05 -04:00
Nick Mathewson
4ab1d1c0c4 Fix memleak when failing to parse a CSV_INTERVAL.
Fixes bug 30894; bugfix on 0.3.4.1-alpha
2019-06-15 16:47:16 -04:00
David Goulet
ea14fb136c Merge branch 'tor-github/pr/1050' into maint-0.4.1 2019-06-11 11:29:46 -04:00
Nick Mathewson
cad0de35bd Give a compile warning when we don't have any flags for minherit().
Part of ticket 30686.
2019-06-11 11:29:23 -04:00
Nick Mathewson
93ddc51cbd Give a more useful failure messgae when we fail to minherit().
Part of ticket 30686.
2019-06-11 11:29:23 -04:00
Nick Mathewson
afa2c39baa Merge branch 'maint-0.3.5' into maint-0.4.0 2019-06-11 10:17:18 -04:00
Nick Mathewson
ce89fe36c8 Merge branch 'maint-0.4.0' into maint-0.4.1 2019-06-11 10:17:18 -04:00
Nick Mathewson
b0fa1f4fb0 Merge branch 'maint-0.2.9' into maint-0.3.5 2019-06-11 10:17:17 -04:00
Karsten Loesing
0ec4ebd00d Update geoip and geoip6 to the June 10 2019 database. 2019-06-11 16:12:50 +02:00
Nick Mathewson
29842f68e7 Merge remote-tracking branch 'tor-github/pr/1082' into maint-0.4.1 2019-06-11 08:41:48 -04:00
George Kadianakis
a15ec8bf84 circpad: some more logging changes.
- Add an info log when receiving a STOP command.
- Keep warning if we receive padding from a wrong hop.
2019-06-11 14:28:38 +03:00
George Kadianakis
eab9dc06af Merge branch 'tor-github/pr/1065' into maint-0.4.1 2019-06-11 13:48:10 +03:00
teor
a742a80eea
Merge remote-tracking branch 'tor-github/pr/1091' into maint-0.3.5 2019-06-11 14:51:37 +10:00
teor
cb20054ccd
Merge remote-tracking branch 'tor-github/pr/924' into maint-0.3.5 2019-06-11 14:46:24 +10:00
Nick Mathewson
6a72cc2598 Merge branch 'maint-0.4.0' into maint-0.4.1 2019-06-10 18:33:26 -04:00
teor
b9041e8a63
test: fix a typo in test_rebind.sh
Closes 30821.
2019-06-10 20:56:40 +10:00
teor
430dd2da6e
Merge branch 'bug30713_035' into bug30713_040 2019-06-10 20:50:53 +10:00
teor
be0a4be276
Travis: Skip test_rebind on macOS builds
Skip test_rebind when the TOR_SKIP_TEST_REBIND environmental variable
is set.

Skip test_rebind on macOS in Travis builds, because it is unreliable
on macOS on Travis.

Fixes bug 30713; bugfix on 0.3.5.1-alpha.
2019-06-10 20:49:59 +10:00
Nick Mathewson
ecc5feff38 bump to 0.4.1.2-alpha-dev 2019-06-06 08:28:34 -04:00
teor
c7fc53c2e7
Merge branch 'bug30781_040' into bug30781_master 2019-06-06 09:57:31 +10:00
teor
fb3f461406
Merge branch 'bug30781_035' into bug30781_040 2019-06-06 09:56:50 +10:00
teor
c8c2e2b8fc
Merge branch 'bug30781_034' into bug30781_035
Moved fix from src/or/routerparse.c to src/feature/dirparse/routerparse.c.
2019-06-06 09:55:44 +10:00
teor
dc8e3cd5ce
Merge branch 'bug30781_029' into bug30781_034 2019-06-06 09:53:02 +10:00
teor
ba83c1e5cf
dirparse: Stop crashing when parsing unknown descriptor purpose annotations
We think this bug can only be triggered by modifying a local file.

Fixes bug 30781; bugfix on 0.2.0.8-alpha.
2019-06-06 09:51:24 +10:00
Nick Mathewson
6a6f7eb671 Merge remote-tracking branch 'tor-github/pr/988' into maint-0.4.0 2019-06-05 16:22:52 -04:00
Nick Mathewson
e51b57ee04 Merge remote-tracking branch 'tor-github/pr/952' into maint-0.4.0 2019-06-05 16:16:34 -04:00
Nick Mathewson
04cb2d4010 Merge remote-tracking branch 'tor-github/pr/741' into maint-0.4.0 2019-06-05 16:14:51 -04:00
Nick Mathewson
2300a619a5 Merge remote-tracking branch 'tor-github/pr/1039' into maint-0.4.0 2019-06-05 16:13:53 -04:00
Nick Mathewson
a56d7e37aa Merge remote-tracking branch 'tor-github/pr/1020' into maint-0.4.0 2019-06-05 16:10:51 -04:00
Mike Perry
a6399da598 Bug 29034: Cleanup hs circuitmap when purpose changes.
Leave the other rend and hs_ident data around until circuit free, since code
may still try to inspect it after marking the circuit for close. The
circuitmap is the important thing to clean up, since repurposed
intropoints must be removed from this map to ensure validity.
2019-06-05 12:56:49 -07:00
Nick Mathewson
54eb3c043c Merge remote-tracking branch 'tor-github/pr/1076' 2019-06-05 15:35:43 -04:00
Mike Perry
e54ce03b4f More LOG_PROTOCOL_WARN.
Make origin-side messages about padding negotiation failure into
LOG_PROTOCOL_WARN.

I'm not sure I like this either.. But the negotiation refusal case might
happen naturally due to consensus drift, and is functionally no different than
a corrupted cell.
2019-06-05 12:33:39 -07:00
Mike Perry
c525135dac Bug 29034: Cleanup hs circuitmap when purpose changes.
Leave the other rend and hs_ident data around until circuit free, since code
may still try to inspect it after marking the circuit for close. The
circuitmap is the important thing to clean up, since repurposed
intropoints must be removed from this map to ensure validity.
2019-06-05 11:50:44 -07:00
Mike Perry
31c34f6524 Revert "hs: Implement a helper to repurpose a circuit"
This reverts commit 3789f22bcb.
2019-06-05 11:38:01 -07:00
Mike Perry
a42131bf48 Revert "test: Add test_hs_circ.c for HS circuit testing"
This reverts commit 41b94722e5.
2019-06-05 11:37:32 -07:00
Neel Chauhan
27e067df4f Add missing newline after decode_intro_points() closing bracket 2019-06-05 12:50:01 -04:00
George Kadianakis
917e4e9eae Don't access rend data after a circuit has been marked for close.
This can cause issues if the circuit was repurposed into a padding circuit
instead of closing, since in that case we will wipe off the rend_data.
2019-06-05 18:19:44 +03:00
Nick Mathewson
892a313b6a Replace a missing end-of-comment string
This happened when I went to fix long lines after running "make
autostyle".
2019-06-05 09:35:45 -04:00
Nick Mathewson
60213a3621 Run "make autostyle." 2019-06-05 09:33:35 -04:00
Nick Mathewson
d1b02456c1 Bump to 0.4.1.2-alpha 2019-06-05 09:25:21 -04:00
Nick Mathewson
b39a8d315d Merge remote-tracking branch 'tor-github/pr/1053' 2019-06-05 09:04:09 -04:00
George Kadianakis
99bf3d8e14 Merge branch 'tor-github/pr/1072' 2019-06-05 14:40:38 +03:00
David Goulet
a63c5f844b Merge branch 'tor-github/pr/1067' 2019-06-04 09:57:03 -04:00
Nick Mathewson
4022b6d6b7 Merge branch 'bug29670_035' into bug29670_041 2019-06-04 08:29:05 -04:00
David Goulet
33382184b6 sendme: Do not decrement window in a log_debug()
If "Log debug ..." is not set, the decrement never happens. This lead to the
package/deliver window to be out of sync at the stream level and thus breaking
the connection after 50+ cells.

Fixes #30628

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-06-03 14:31:51 -04:00
Nick Mathewson
fd8beab4dd Merge branch 'bug29875_035' into bug29875_master 2019-05-31 12:40:43 -04:00
Nick Mathewson
8015979eeb num_bridges_usable(): only count configured bridges.
When this function was implemented, it counted all the entry guards
in the bridge set.  But this included previously configured bridges,
as well as currently configured ones!  Instead, only count the
_filtered_ bridges (ones that are configured and possibly reachable)
as maybe usable.

Fixes bug 29875; bugfix on 0.3.0.1-alpha.
2019-05-31 12:28:42 -04:00
Nick Mathewson
5b3c886584 Consider dir info to have changed when the bridges change
Otherwise, we won't realize that we haven't got enough bridge
information to build circuits.  Part of a fix for ticket 29875.
2019-05-31 12:27:42 -04:00
David Goulet
41b94722e5 test: Add test_hs_circ.c for HS circuit testing
For now, only tests HS circuit repurpose function.

Part of #29034

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-31 10:43:01 -04:00
Nick Mathewson
3c3158f182 Fix some tests for CL_PORT_NO_STREAM_OPTIONS
The comment in the tests was correct: this option _was_ inverted wrt
SessionGroup=.
2019-05-31 09:03:20 -04:00
Nick Mathewson
70b85358af Fix a logic error in deciding whether to accept SessionGroup=
Fixes bug 22619; bugfix on 0.2.7.2-alpha
2019-05-31 08:26:10 -04:00
Mike Perry
6263755728 Make some warns into protocol warns
I'm not sure I agree with this option.
2019-05-30 16:25:29 -07:00
Mike Perry
de3eb8c5e4 Bug 30649: Check that machine is absent before warn 2019-05-30 15:28:17 -07:00
George Kadianakis
dd62cb788e Merge branch 'tor-github/pr/1059' 2019-05-30 21:01:59 +03:00
David Goulet
8dfc8d7063 Merge branch 'tor-github/pr/1057' 2019-05-30 12:58:35 -04:00
David Goulet
a462ca7cce Merge branch 'tor-github/pr/1055' 2019-05-30 12:53:52 -04:00
David Goulet
ef9170db4c Merge branch 'tor-github/pr/1054' 2019-05-30 09:59:21 -04:00
David Goulet
61bd8f428b Merge branch 'tor-github/pr/1049' 2019-05-30 09:56:18 -04:00
George Kadianakis
d8bd98b2fd Merge branch 'tor-github/pr/1032' 2019-05-29 21:28:04 +03:00
George Kadianakis
650bdca97f Merge branch 'maint-0.4.0' 2019-05-29 21:20:02 +03:00
George Kadianakis
00108b75d4 Merge branch 'tor-github/pr/924' into maint-0.4.0 2019-05-29 21:19:56 +03:00
Nick Mathewson
ba9b0319b0 Shutdown libevent _after_ the subsystems.
This is necessary since shutting down libevent frees some pointer
that the subsystems want to free themselves. A longer term solution
will be to turn the evloop module into a subsystem itself, but for
now it is best to do the minimal fix.

Fixes bug 30629; bugfix on 0.4.1.1-alpha.
2019-05-29 11:25:47 -04:00
Nick Mathewson
5cbd71b977 Make get_proxy_type() connection-specific
Previously, we were looking at our global settings to see what kind
of proxy we had.  But doing this would sometimes give us the wrong
results when we had ClientTransportPlugin configured but we weren't
using it for a particular connection.  In several places in the
code, we had added checks to see if we were _really_ using a PT or
whether we were using a socks proxy, but we had forgotten to do so
in at least once case.  Instead, since every time we call this
function we are asking about a single connection, it is probably
best just to make this function connection-specific.

Fixes bug 29670; bugfix on 0.2.6.2-alpha.
2019-05-29 11:00:09 -04:00
Nick Mathewson
2d66250d8a Remove want_cmddata from HSFETCH, which does not in fact want data
This looks a copy-and-paste error to me.  Fixes bug 30646; bugfix on
0.4.1.1-alpha.
2019-05-29 10:10:57 -04:00
Nick Mathewson
8f0b29961e Merge branch 'ticket30561_029' into ticket30561_035 2019-05-29 09:43:20 -04:00
David Goulet
3789f22bcb hs: Implement a helper to repurpose a circuit
When we repurpose a hidden service circuit, we need to clean up from the HS
circuit map and any HS related data structured contained in the circuit.

This commit adds an helper function that does it when repurposing a hidden
service circuit.

Fixes #29034

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-29 09:40:13 -04:00
Nick Mathewson
0e0cf4abd8 Tweak comments in tor_vasprintf(), and add a changes file for 30651 2019-05-29 09:38:57 -04:00
Tobias Stoeckmann
0d5a0b4f0c Fixed tor_vasprintf on systems without vasprintf.
If tor is compiled on a system with neither vasprintf nor _vscprintf,
the fallback implementation exposes a logic flaw which prevents
proper usage of strings longer than 127 characters:

* tor_vsnprintf returns -1 if supplied buffer is not large enough,
  but tor_vasprintf uses this function to retrieve required length
* the result of tor_vsnprintf is not properly checked for negative
  return values

Both aspects together could in theory lead to exposure of uninitialized
stack memory in the resulting string. This requires an invalid format
string or data that exceeds integer limitations.

Fortunately tor is not even able to run with this implementation because
it runs into asserts early on during startup. Also the unit tests fail
during a "make check" run.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

  [backported to 0.2.9 by nickm]
2019-05-29 09:33:24 -04:00
Taylor R Campbell
7971b3a5a6 Use MAP_INHERIT_ZERO or MAP_INHERIT_NONE if available.
Fixes assertion failure in tests on NetBSD:

slow/prob_distr/stochastic_log_logistic: [forking] May 25 03:56:58.091 [err] tor_assertion_failed_(): Bug: src/lib/crypt_ops/crypto_rand_fast.c:184: crypto_fast_rng_new_from_seed: Assertion inherit != INHERIT_RES_KEEP failed; aborting. (on Tor 0.4.1.1-alpha-dev 29955f13e5)
May 25 03:56:58.091 [err] Bug: Assertion inherit != INHERIT_RES_KEEP failed in crypto_fast_rng_new_from_seed at src/lib/crypt_ops/crypto_rand_fast.c:184: . (Stack trace not available) (on Tor 0.4.1.1-alpha-dev 29955f13e5)
[Lost connection!]
2019-05-29 08:56:01 -04:00
Nick Mathewson
24a2352d56 Trivial fix for a trivial warning with gcc 9.1.1
Fix on 4e3d144fb0940d8ee5a89427d471ea3656e8e122; bug not in any
released Tor.
2019-05-28 19:45:50 -04:00
David Goulet
ff9aa32143 Merge branch 'tor-github/pr/1047' 2019-05-28 14:59:07 -04:00
George Kadianakis
0a86f14add Merge branch 'tor-github/pr/1042' 2019-05-27 14:22:01 +03:00
George Kadianakis
130eb227ac Merge branch 'tor-github/pr/1043' 2019-05-27 14:20:51 +03:00
Nick Mathewson
fcd51fd49f Tests for deciding how full our relay cells should be 2019-05-27 14:20:36 +03:00
Nick Mathewson
0bc1241494 Make sure that we send at least some random data in RELAY_DATA cells
Proposal 289 prevents SENDME-flooding by requiring the other side to
authenticate the data it has received.  But this data won't actually
be random if they are downloading a known resource.  "No problem",
we said, "let's fell the empty parts of our cells with some
randomness!" and we did that in #26871.

Unfortunately, if the relay data payloads are all completely full,
there won't be any empty parts for us to randomize.

Therefore, we now pick random "randomness windows" between
CIRCWINDOW_INCREMENT/2 and CIRCWINDOW_INCREMENT. We remember whether we have
sent a cell containing at least 16 bytes of randomness in that window.  If we
haven't, then when the window is exhausted, we send one.  (This window approach
is designed to lower the number of rng checks we have to do.  The number 16 is
pulled out of a hat to change the attacker's guessing difficulty to
"impossible".)

Implements 28646.
2019-05-27 14:20:07 +03:00
Roger Dingledine
94914e2a4d trivial whitespace fixes 2019-05-26 17:32:42 -04:00
Nick Mathewson
07ccffa989 Coverage: do not include test-rebind in coverage builds.
Because it invokes the Tor mainloop, it does unpredictable things to
test coverage of a lot of code that it doesn't actually test at
all.  (It is more an integration test than anything else.)
2019-05-23 12:48:51 -04:00
Nick Mathewson
b882810245 In coverage builds, use branch-free timeradd() and timersub()
The ordinary definitions of timeradd() and timersub() contain a
branch. However, in coverage builds, this means that we get spurious
complaints about partially covered basic blocks, in a way that makes
our coverage determinism harder to check.
2019-05-23 12:48:51 -04:00
Nick Mathewson
2bb5d8148b In coverage builds, avoid basic-block complexity in log_debug
Ordinarily we skip calling log_fn(LOG_DEBUG,...) if debug logging is
completely disabled.  However, in coverage builds, this means that
we get spurious complaints about partially covered basic blocks, in
a way that makes our coverage determinism harder to check.
2019-05-23 12:48:51 -04:00
David Goulet
29955f13e5 Merge branch 'tor-github/pr/1022' 2019-05-23 09:50:28 -04:00
David Goulet
e13e2012b9 Merge branch 'tor-github/pr/1034' 2019-05-23 09:40:07 -04:00
David Goulet
327bb0e2ca Merge branch 'tor-github/pr/988' 2019-05-23 09:30:36 -04:00
Nick Mathewson
530d1179ff Extract length-deciding function from package_raw_inbuf. 2019-05-23 08:28:46 -04:00
Roger Dingledine
e4d1187584 refactor logic to decide how much to package from inbuf
no actual changes in behavior
2019-05-23 08:28:46 -04:00
Nick Mathewson
57ee0e3af9 Only reject POSTDESCRIPTOR purpose= when the purpose is unrecognized
Fixes bug 30580; bugfix on 0.4.1.1-alpha.
2019-05-23 08:24:29 -04:00
Nick Mathewson
ebe39dcb92 Now this repository is full of 0.4.1.1-alpha-dev 2019-05-22 18:07:29 -04:00
Nick Mathewson
fa410162a3 circuitpadding tests: Use tt_i64_op() to compare int64_t values
Bug not in any released Tor.
2019-05-22 15:19:24 -04:00
Nick Mathewson
3a7ed8bc5f Bump to 0.4.1.1-alpha 2019-05-22 11:56:02 -04:00
Nick Mathewson
24c2502070 Merge remote-tracking branch 'dgoulet/ticket30454_035_01' 2019-05-22 11:50:46 -04:00
Nick Mathewson
e6b862e6a8 Merge branch 'ticket30428_041_02_squashed' 2019-05-22 11:48:43 -04:00
David Goulet
0cad83bea4 sendme: Add non fatal asserts for extra safety
Two non fatal asserts are added in this commit. First one is to see if the
SENDME digest list kept on the circuit for validation ever grows bigger than
the maximum number of expected SENDME on a circuit (currently 10).

The second one is to know if we ever send more than one SENDME at a time on a
circuit. In theory, we shouldn't but if we ever do, the v1 implementation
wouldn't work because we only keep one single cell digest (the previous cell
to the SENDME) on the circuit/cpath. Thus, sending two SENDME consecutively
will lead to a mismatch on the other side because the same cell digest would
be use and thus the circuit would collapse.

Finally, add an extra debug log in case we emit a v0 which also includes the
consensus emit version in that case.

Part of #30428

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-22 11:47:20 -04:00
David Goulet
5479ffabf8 sendme: Always pop last SENDME digest from circuit
We must not accumulate digests on the circuit if the other end point is using
another SENDME version that is not using those digests like v0.

This commit makes it that we always pop the digest regardless of the version.

Part of #30428

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-22 11:47:20 -04:00
David Goulet
482c4972b9 sendme: Clarify how sendme_circuit_cell_is_next() works
Commit 4ef8470fa5480d3b was actually reverted before because in the end we
needed to do this minus 1 check on the window.

This commit clarifies that in the code, takes the useful comment changes from
4ef8470fa5480d3b and makes sendme_circuit_cell_is_next() private since it
behaves in a very specific way that one external caller might expect.

Part of #30428.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-22 11:47:20 -04:00
David Goulet
3835a3acf5 sendme: Properly record SENDMEs on both edges
Turns out that we were only recording the "b_digest" but to have
bidirectionnal authenticated SENDMEs, we need to use the "f_digest" in the
forward cell situation.

Because of the cpath refactoring, this commit plays with the crypt_path_ and
relay_crypto_t API a little bit in order to respect the abstractions.

Previously, we would record the cell digest as the SENDME digest in the
decrypt cell function but to avoid code duplication (both directions needs to
record), we now do that right after iff the cell is recognized (at the edge).
It is now done in circuit_receive_relay_cell() instead.

We now also record the cell digest as the SENDME digest in both relay cell
encryption functions since they are split depending on the direction.
relay_encrypt_cell_outbound() and relay_encrypt_cell_inbound() need to
consider recording the cell digest depending on their direction (f vs b
digest).

Fixes #30428

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-22 11:47:20 -04:00
David Goulet
44265dd671 sendme: Never fallback to v0 if unknown version
There was a missing cell version check against our max supported version. In
other words, we do not fallback to v0 anymore in case we do know the SENDME
version.

We can either handle it or not, never fallback to the unauthenticated version
in order to avoid gaming the authenticated logic.

Add a unit tests making sure we properly test that and also test that we can
always handle the default emit and accepted versions.

Fixes #30428

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-22 11:47:20 -04:00
David Goulet
69e0d5bfc7 sendme: Validate v1 SENDMEs on both client and exit side
The validation of the SENDME cell is now done as the very first thing when
receiving it for both client and exit. On failure to validate, the circuit is
closed as detailed in the specification.

Part of #30428

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-22 11:47:20 -04:00
David Goulet
59b9eecc19 sendme: Record cell digest on both client and exit
It turns out that only the exit side is validating the authenticated SENDME v1
logic and never the client side. Which means that if a client ever uploaded
data towards an exit, the authenticated SENDME logic wouldn't apply.

For this to work, we have to record the cell digest client side as well which
introduced a new function that supports both type of edges.

This also removes a test that is not valid anymore which was that we didn't
allow cell recording on an origin circuit (client).

Part of #30428

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-22 11:47:20 -04:00
David Goulet
245dccb77d Merge remote-tracking branch 'nickm/ticket30454_034_01_squashed' into ticket30454_035_01 2019-05-22 11:43:55 -04:00
rl1987
2845607f97 In microdesc_cache_reload(), set journal length to length of string we read
Hopefully this will fix CID 1444769.
2019-05-20 09:08:10 -04:00
David Goulet
56908c6f1c hs: Remove hs_cell_onion_key_type_t enum
Unify this with the trunnel ABI so we don't duplicate.

Part of #30454

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-20 08:56:34 -04:00
David Goulet
7d3e904a27 trunnel: Remove INTRODUCE1 status code IN statement
We want to support parsing a cell with unknown status code so we are forward
compatible.

Part of #30454

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-20 08:56:34 -04:00
David Goulet
79cfe2ddd7 hs: Remove hs_intro_auth_key_type_t enum
Like the previous commit about the INTRODUCE_ACK status code, change all auth
key type to use the one defined in the trunnel file.

Standardize the use of these auth type to a common ABI.

Part of #30454

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-20 08:56:34 -04:00
David Goulet
dcc1d8d15b hs: Get rid of duplicate hs_cell_introd_ack_status_t
This enum was the exact same as hs_intro_ack_status_t that was removed at the
previous commit. It was used client side when parsing the INTRODUCE_ACK cell.

Now, the entire code dealing with the INTRODUCE_ACK cell (both sending and
receiving) have been modified to all use the same ABI defined in the trunnel
introduce1 file.

Finally, the client will default to the normal behavior when receiving an
unknown NACK status code which is to note down that we've failed and re-extend
to the next intro point. This way, unknown status code won't trigger a
different behavior client side.

Part of #30454.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-20 08:56:34 -04:00
David Goulet
590d97bc10 hs: Define INTRODUCE_ACK status code in trunnel
Remove the hs_intro_ack_status_t enum and move the value into trunnel. Only
use these values from now on in the intro point code.

Interestingly enough, the client side also re-define these values in hs_cell.h
with the hs_cell_introd_ack_status_t enum. Next commit will fix that and force
to use the trunnel ABI.

Part of #30454

Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-20 08:56:34 -04:00
rl1987
49acbfad23 Don't forget to use the mutex in testing_enable_prefilled_rng() 2019-05-17 19:30:09 +03:00
Nick Mathewson
37aae23945 OOM-purge the DNS cache one part at a time
Previously we purged it in 1-hour increments -- but one-hour is the
maximum TTL for the cache!  Now we do it in 25%-TTL increments.

Fixes bug 29617; bugfix on 0.3.5.1-alpha.
2019-05-17 10:03:41 -04:00
Nick Mathewson
b2b779228d Merge remote-tracking branch 'tor-github/pr/1033' 2019-05-17 08:18:20 -04:00
Nick Mathewson
9cec7a7b5c Merge branch 'maint-0.4.0' 2019-05-17 08:10:17 -04:00
Nick Mathewson
e5deb2bbc7 Merge branch 'maint-0.3.4' into maint-0.3.5 2019-05-17 08:10:16 -04:00
Nick Mathewson
c7f9f7e542 Merge branch 'maint-0.3.5' into maint-0.4.0 2019-05-17 08:10:16 -04:00
Nick Mathewson
a521c42788 Merge branch 'maint-0.2.9' into maint-0.3.4 2019-05-17 08:10:15 -04:00
Karsten Loesing
4e262196a8 Update geoip and geoip6 to the May 13 2019 database. 2019-05-17 08:52:13 +02:00
Mike Perry
857c54ca03 Refactor rend machines, stage 2/2: Move histogram code.
Comment clarifications now that the code is seperated. It's the same code, but
its doing this for different reasons on each side.
2019-05-16 20:17:14 +00:00
Mike Perry
0cba53c6ed Refactor rend machines, stage 1/2: Move state transition code. 2019-05-16 20:17:11 +00:00
Nick Mathewson
d5db40a014 test_channel_listener: free 'chan' explicitly
This should fix CID 1437442, where coverity can't tell that
channel_free_all() frees the fake channel we allocated.
2019-05-16 15:35:21 -04:00
Mike Perry
bbb974234c Refactor intro machines, stage 2/2: Move histogram code.
The client side had garbage histograms and deadcode here, too. That code has
been removed.

The tests have also been updated to properly test the intro circ by sending
padding from the relay side to the client, and verifying that both shut down
when padding was up. (The tests previously erroneously tested only the client
side of intro circs, which actually were supposed to be doing nothing).
2019-05-16 19:21:19 +00:00
Nick Mathewson
0a9685b3a7 hs tests: explicitly free 'service' variable.
This should fix about 15 CID issues, where coverity can't tell that
hs_free_all() frees the service we allocated.
2019-05-16 15:21:18 -04:00
Mike Perry
f237fed746 Refactor intro machines, stage 1/2: Move state transition code.
This just moves the state transition directives into the proper client/relay
side functions. It also allows us to remove some dead-code from the client
side (since the client doesn't send padding).
2019-05-16 19:21:14 +00:00
Nick Mathewson
1bf451cffb rng_test_helpers: add a needless lock/unlock pair to please coverity
Fix for CID 1444908
2019-05-16 15:04:40 -04:00
George Kadianakis
42ea3a416e Improve logging around the circpad module..
- Add some more useful logs for future debugging.

- Stop usage of circpad_state_to_string(). It's innacurate.

- Reduce severity and fix up log domain of some logging messages.
2019-05-16 14:23:32 +03:00