Commit Graph

3772 Commits

Author SHA1 Message Date
teor (Tim Wilson-Brown)
098b82c7b2 ExitPolicyRejectPrivate rejects local IPv6 address and interface addresses
ExitPolicyRejectPrivate now rejects more local addresses by default:
 * the relay's published IPv6 address (if any), and
 * any publicly routable IPv4 or IPv6 addresses on any local interfaces.

This resolves a security issue for IPv6 Exits and multihomed Exits that
trust connections originating from localhost.

Resolves ticket 17027. Patch by "teor".
Patch on 42b8fb5a15 (11 Nov 2007), released in 0.2.0.11-alpha.
2015-09-16 02:56:50 +10:00
teor (Tim Wilson-Brown)
d3358a0a05 ExitPolicy accept6/reject6 produces IPv6 wildcard addresses only
In previous versions of Tor, ExitPolicy accept6/reject6 * produced
policy entries for IPv4 and IPv6 wildcard addresses.

To reduce operator confusion, change accept6/reject6 * to only produce
an IPv6 wildcard address.

Resolves bug #16069.

Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-16 00:13:12 +10:00
teor (Tim Wilson-Brown)
36ad8d8fdc Warn about redundant torrc ExitPolicy lines due to accept/reject *:*
Tor now warns when ExitPolicy lines occur after accept/reject *:*
or variants. These lines are redundant, and were always ignored.

Partial fix for ticket 16069. Patch by "teor".
Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-16 00:13:12 +10:00
teor (Tim Wilson-Brown)
e033d5e90b Ignore accept6/reject6 IPv4, warn about unexpected rule outcomes
When parsing torrc ExitPolicies, we now warn if:
  * an IPv4 address is used on an accept6 or reject6 line. The line is
    ignored, but the rest of the policy items in the list are used.
    (accept/reject continue to allow both IPv4 and IPv6 addresses in torrcs.)
  * a "private" address alias is used on an accept6 or reject6 line.
    The line filters both IPv4 and IPv6 private addresses, disregarding
    the 6 in accept6/reject6.

When parsing torrc ExitPolicies, we now issue an info-level message:
  * when expanding an accept/reject * line to include both IPv4 and IPv6
    wildcard addresses.

In each instance, usage advice is provided to avoid the message.

Partial fix for ticket 16069. Patch by "teor".
Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-16 00:13:03 +10:00
teor (Tim Wilson-Brown)
31eb486c46 Add get_interface_address[6]_list for a list of interface IP addresses
Add get_interface_address[6]_list by refactoring
get_interface_address6. Add unit tests for new and existing functions.

Preparation for ticket 17027. Patch by "teor".
Patch on 42b8fb5a15 (11 Nov 2007), released in 0.2.0.11-alpha.
2015-09-15 17:04:18 +10:00
Nick Mathewson
902517a7c0 Use SSL_get_client_ciphers() on openssl 1.1+, not SSL_get_ciphers...
(which isn't correct.)

Fixes bug 17047; bugfix on 0.2.7.2-alpha, introduced by the merge in
0030765e04, apparently.
2015-09-13 11:51:51 -04:00
Nick Mathewson
41891cbf93 Merge remote-tracking branch 'public/ed25519_hup_v2' 2015-09-10 10:37:13 -04:00
Nick Mathewson
2f8c0584bf Fold changes files into changelog 2015-09-09 09:44:31 -04:00
Nick Mathewson
638e5f976b Fix warnings from lintChanges 2015-09-09 09:35:05 -04:00
Nick Mathewson
98be93d6d7 changes file for 16953 2015-09-08 14:44:34 -04:00
Nick Mathewson
fcec1f3381 Merge branch 'feature15482_squashed' 2015-09-08 14:03:04 -04:00
Yawning Angel
54510d4d1a Add KeepAliveIsolateSOCKSAuth as a SOCKSPort option.
This controls the circuit dirtyness reset behavior added for Tor
Browser's user experience fix (#15482). Unlike previous iterations
of this patch, the tunable actually works, and is documented.
2015-09-08 14:02:08 -04:00
Nick Mathewson
280672bdbc Handle negative inputs to crypto_random_time_range().
(These inputs are possible when Shadow starts the world at time_t 0,
and breaks our assumption that Tor didn't exist in the 1970s.)

Fixes regression introduced in 241e6b09. Fixes #16980.
2015-09-08 10:22:01 -04:00
Nick Mathewson
0ba4e0895a Add "OfflineMasterKey" option
When this is set, and Tor is running as a relay, it will not
generate or load its secret identity key.  You can manage the secret
identity key with --keygen.  Implements ticket 16944.
2015-09-04 09:55:07 -04:00
Nick Mathewson
aa430c7225 Now normalize_exit has a bug number. 2015-09-03 15:10:57 -04:00
Nick Mathewson
e73206f681 Only return 0..255 from main().
I think this may fix some bugs with windows exit codes being screwy.
2015-09-03 11:38:00 -04:00
Nick Mathewson
eb71777bb2 Merge remote-tracking branch 'dgoulet/bug15963_026_01' 2015-09-02 16:00:07 -04:00
David Goulet
d6bfedb8e5 Don't vote HSDir if we aren't voting Fast
Fixes #15963

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-09-02 17:03:00 +02:00
David Goulet
07b3028db7 Prohibit the use of one entry node with an HS
In a nutshell, since a circuit can not exit at its entry point, it's very
easy for an attacker to find the hidden service guard if only one EntryNodes
is specified since for that guard, the HS will refuse to build a rendezvous
circuit to it.

For now, the best solution is to stop tor to allow a single EntryNodes for
an hidden service.

Fixes #14917

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-09-02 10:47:20 -04:00
Nick Mathewson
f6bd8fbb80 Let recent relays run with the chutney sandbox.
Fixes 16965
2015-09-02 09:59:50 -04:00
Nick Mathewson
910e25358a Let bridge authorities run under the sandbox
(found thanks to teor's chutney haxx)
2015-09-02 09:59:22 -04:00
Nick Mathewson
fe4273fdc1 Merge remote-tracking branch 'teor/autodetect-chutney-path' 2015-09-02 09:17:24 -04:00
Nick Mathewson
569368e5a9 Merge remote-tracking branch 'teor/master' 2015-09-02 09:15:16 -04:00
David Goulet
d40358d91e Enable hidden service statistics by default
HiddenServiceStatistics option is now set to "1" by default.

Fixes #15254

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-09-02 13:53:36 +02:00
Nick Mathewson
fc191df930 Remove the unused "nulterminate" option to buf_pullup()
I was going to add a test for this, but I realized that it had no
users.  So, removed.
2015-09-01 14:36:25 -04:00
teor (Tim Wilson-Brown)
5cde98e882 Test bridges and hidden services in make test-network
Make "bridges+hs" the default test network. This tests almost all
tor functionality during make test-network, while allowing tests
to succeed on non-IPv6 systems.

Requires chutney commit 396da92 in test-network-bridges-hs.

Closes tickets 16945 (tor), 16946 (chutney) . Patches by "teor".
2015-09-02 00:52:30 +10:00
Nick Mathewson
0e60c52c6c Merge branch 'ticket16901' 2015-09-01 10:42:47 -04:00
Nick Mathewson
2c5fec15f7 Merge remote-tracking branch 'sebastian/channel_free_list' 2015-09-01 09:19:00 -04:00
Sebastian Hahn
6034e21331 Include doc/TUNING in our release tarballs 2015-09-01 09:15:11 -04:00
Sebastian Hahn
bbb73eaf31 properly delete current channel in channel_free_list
channel_unregister() removes channels from the current smartlist while
we're in a SMORTLIST_FOREACH loop. This only works by accident.
2015-09-01 15:10:10 +02:00
Nick Mathewson
b79e90f6ba Fail in configure when openssl is too old. #16901. 2015-09-01 09:02:12 -04:00
rl1987
54565ca804 Remove -F from tor-resolve(1) usage message. 2015-08-30 21:57:24 +03:00
teor (Tim Wilson-Brown)
d9948dfc9d Autodetect CHUTNEY_PATH if chutney is next to tor
If the chutney and tor sources are side-by-side in the same
parent directory, autodetect the chutney path.

Closes ticket 16903. Patch by "teor".
2015-08-27 10:31:35 +10:00
Nick Mathewson
e8675dc7fc Merge remote-tracking branch 'rl1987/test_dns_resolve_rebased' 2015-08-26 11:32:40 -04:00
Nick Mathewson
2afbe0ae28 Expand changes file 2015-08-25 09:37:52 -04:00
Andreas Stieger
19df037e53 Log malformed hostnames in socks5 request respecting SafeLogging 2015-08-25 09:36:34 -04:00
rl1987
99a03b2389 Adding changes file. 2015-08-23 16:06:41 +03:00
Sebastian Hahn
32220d38c0 Ensure worker threads actually exit when it is time
This includes a small refactoring to use a new enum (workqueue_reply_t)
for the return values instead of just ints.
2015-08-21 10:36:53 -04:00
Nick Mathewson
037e8763a7 Reload Ed25519 keys on sighup.
Closes ticket 16790.
2015-08-19 13:37:21 -04:00
Nick Mathewson
428bb2d1c8 Merge branch 'ed25519_keygen_squashed' 2015-08-19 13:36:59 -04:00
Nick Mathewson
8589c47049 changes file for ed25519_keygen branch 2015-08-19 13:36:51 -04:00
Nick Mathewson
2f5202c636 Merge remote-tracking branch 'teor/feature14882-TestingDirAuthVoteIsStrict-v3' 2015-08-18 09:53:50 -04:00
Nick Mathewson
eafae7f677 Merge branch 'decouple_controller_events_squashed' 2015-08-18 08:56:31 -04:00
Nick Mathewson
bab221f113 Refactor our logic for sending events to controllers
Previously we'd put these strings right on the controllers'
outbufs. But this could cause some trouble, for these reasons:

  1) Calling the network stack directly here would make a huge portion
     of our networking code (from which so much of the rest of Tor is
     reachable) reachable from everything that potentially generated
     controller events.

  2) Since _some_ events (EVENT_ERR for instance) would cause us to
     call connection_flush(), every control_event_* function would
     appear to be able to reach even _more_ of the network stack in
     our cllgraph.

  3) Every time we generated an event, we'd have to walk the whole
     connection list, which isn't exactly fast.

This is an attempt to break down the "blob" described in
http://archives.seul.org/tor/dev/Mar-2015/msg00197.html -- the set of
functions from which nearly all the other functions in Tor are
reachable.

Closes ticket 16695.
2015-08-18 08:55:28 -04:00
teor
359faf5e4b New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags
"option to prevent guard,exit,hsdir flag assignment"

"A node will never receive the corresponding flag unless
that node is specified in the
TestingDirAuthVote{Exit,Guard,HSDir} list, regardless of
its uptime, bandwidth, exit policy, or DirPort".

Patch modified by "teor": VoteOnHidServDirectoriesV2
is now obsolete, so TestingDirAuthVoteHSDir always
votes on HSDirs.

Closes ticket 14882. Patch by "robgjansen".
Commit message and changes file by "teor"
with quotes from "robgjansen".
2015-08-18 14:51:57 +10:00
Nick Mathewson
d07fe5dffe Merge remote-tracking branches 'public/decouple_lost_owner' and 'public/decouple_signals' 2015-08-17 16:24:45 -04:00
Nick Mathewson
7efdf5cb49 Merge remote-tracking branch 'yawning/feature16535' 2015-08-17 14:53:46 -04:00
Yawning Angel
a77616f605 Enable ed25519-donna's SSE2 code when possible for 32 bit x86.
This probably requires the user to manually set CFLAGS, but should
result in a net gain on 32 bit x86. Enabling SSE2 support would be
possible on x86_64, but will result in slower performance.

Implements feature #16535.
2015-08-17 18:41:41 +00:00
Nick Mathewson
f724b2e5aa Merge remote-tracking branch 'public/bug16741_026' 2015-08-17 14:40:27 -04:00
Nick Mathewson
5fe18bcf54 Merge remote-tracking branch 'yawning/feature16533' 2015-08-17 14:16:20 -04:00
Nick Mathewson
573bd1f033 Merge remote-tracking branch 'public/decouple_retry_directory' 2015-08-17 13:50:19 -04:00
Nick Mathewson
98b2a3b3d5 Increase AccountingMax example value to 40 GB.
(Change not made in torrc.minimal.in; only in torrc.sample and
torrc.minimal.in-staging)

Closes ticket 16742.
2015-08-14 09:54:29 -04:00
Nick Mathewson
34aefe6f38 Merge remote-tracking branch 'public/decouple_init_keys' 2015-08-14 08:40:51 -04:00
Nick Mathewson
e62518865b Decouple routerlist_retry_directory_downloads() from the blob
Instead of having it call update_all_descriptor_downloads and
update_networkstatus_downloads directly, we can have it cause them to
get rescheduled and called from run_scheduled_events.

Closes ticket 16789.
2015-08-13 09:45:30 -04:00
Nick Mathewson
c7c73f1178 Change lost_owning_controller() to call activate_signal().
Closes ticket 16788.
2015-08-13 09:17:41 -04:00
David Goulet
0b3fe6272e Add changes file for #16389
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-08-13 15:09:35 +02:00
Nick Mathewson
6b26962966 Merge branch 'bug16539' 2015-08-12 13:35:53 -04:00
Nick Mathewson
2088b3b8e2 whoops; add a stale changes file 2015-08-12 12:31:03 -04:00
Nick Mathewson
9deb3c61fe Fix a memory leak when adding an ri with expired ed certs
Fixes bug 16539; bugfix on 0.2.7.2-alpha.
2015-08-12 12:27:45 -04:00
Yawning Angel
78fad380cd Use ed25519-donna's batch verification support when applicable.
The code was always in our Ed25519 wrappers, so enable it when using
the ed25519-donna backend, and deal with the mocking related
crypto_rand silliness.

Implements feature 16533.
2015-08-12 16:01:28 +00:00
Nick Mathewson
b65d53519a Decouple the backend for directory_all_unreachable to simplify our CFG
See ticket 16762.
2015-08-12 11:02:20 -04:00
Nick Mathewson
835e09e54b Split the client-only parts of init_keys() into a separate function
This should simplify the callgraph a little more.
2015-08-11 10:41:20 -04:00
Nick Mathewson
7ee7149389 Make HSDir depend on Running/Valid again.
When we removed Running/Valid checks from Fast and Stable in 8712, I
removed them from HSDir too, which apparently wasn't a good idea.

Reverts part of a65e835800.  Fixes bug 16524. Bugfix
on 0.2.7.2-alpha.
2015-08-11 08:42:19 -04:00
Nick Mathewson
8afbc154f7 Remove a 9-function strongly connected component of tor's callgraph.
microdesc_free_() called get_microdesc_cache(), which had the fun
side-effect of potentially reloading the whole cache from disk.
Replace it with a variant that doesn't.
2015-08-10 15:00:17 -04:00
Nick Mathewson
8c92ffab22 Merge remote-tracking branch 'dgoulet/bug16274_027_02' 2015-08-10 11:49:04 -04:00
Nick Mathewson
720a9ccb2f Check for EINTR correctly on windows
(even though these are nonblocking calls and EINTR shouldn't be possible).

Also, log what error we're seing if drain_fn fails.
2015-08-07 09:12:33 -04:00
Nick Mathewson
887d86b76d Merge remote-tracking branch 'public/decouple-write' 2015-08-06 12:58:18 -04:00
Nick Mathewson
e86c3b283a Merge remote-tracking branch 'public/bug16286' 2015-08-06 12:44:13 -04:00
David Goulet
79798a2363 Set the open file limit to the current value before changing it
If setrlimit() failed, max_out wasn't set in set_max_file_descriptors()
ending in a state where we don't use ULIMIT_BUFFER for things like tor
private key files.

Also fix the set_max_file_descriptors() documentation.

Fixes #16274

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-08-05 13:17:33 -04:00
Nick Mathewson
1d63ecbed0 Let's try to get test_workqueue working on windows 2015-08-05 10:34:46 -04:00
Nick Mathewson
9e07dfa34b Merge remote-tracking branch 'public/bug13338' 2015-08-04 14:00:58 -04:00
cypherpunks
b3ea3c8e2f Switch order of unblocking threads and releasing the mutex.
According to POSIX, the mutex must be locked by the thread calling the signal
functions to ensure predictable scheduling behavior.

Found the issue using Helgrind which gave the warning `dubious: associated lock
is not held by any thread`.
2015-08-04 13:35:02 -04:00
Nick Mathewson
62e6513b48 When building with coverage, run chutney with coverage
Previously, this required me to do stuff like
  'cp src/or/tor-cov src/or/tor' ,
which is pretty embarrassing.
2015-08-03 13:23:58 -04:00
Nick Mathewson
6de49f4d9a Improved targets for "run all the tests, no, all of them." 2015-08-03 13:03:58 -04:00
Nick Mathewson
20254907d7 Improve log messages for problems about ed25519 keypinning
Fixes 16286; bugfix on 0.2.7.2-alpha.
2015-07-31 10:47:39 -04:00
David Goulet
8c83e8cec0 Add get_max_sockets() and remove dead code
The control port was using set_max_file_descriptors() with a limit set to 0
to query the number of maximum socket Tor can use. With the recent changes
to that function, a check was introduced to make sure a user can not set a
value below the amount we reserved for non socket.

This commit adds get_max_sockets() that returns the value of max_sockets so
we can stop using that "setter" function to get the current value.

Finally, the dead code is removed that is the code that checked for limit
equal to 0. From now on, set_max_file_descriptors() should never be used
with a limit set to 0 for a valid use case.

Fixes #16697

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-07-30 15:21:12 -04:00
Nick Mathewson
aadff62745 Do not autoflush control connections as their outbufs get big
Doing this is no longer necessary, and it leads to weird recursions in
our call graph.  Closes ticket 16480.
2015-07-30 13:31:27 -04:00
Nick Mathewson
2369f81403 changes file for callgraph scripts 2015-07-30 12:35:52 -04:00
Nick Mathewson
beac91cf08 Wrap windows-only C files in #ifdef _WIN32
This should make some scripts and IDEs happier.
2015-07-30 11:14:15 -04:00
Nick Mathewson
7b7cb0d779 Merge remote-tracking branch 'origin/maint-0.2.6' 2015-07-29 10:48:29 -04:00
Nick Mathewson
9d86f6665a Merge remote-tracking branch 'origin/maint-0.2.5' into maint-0.2.6 2015-07-29 10:48:13 -04:00
Nick Mathewson
01bb260f31 Merge remote-tracking branch 'origin/maint-0.2.4' into maint-0.2.5 2015-07-29 10:47:07 -04:00
Nick Mathewson
8b1f88eded Merge remote-tracking branch 'teor/feature14175-chutney-performance-v2' 2015-07-29 10:36:23 -04:00
Karsten Loesing
7004d67430 Update geoip and geoip6 to the July 8 2015 database. 2015-07-29 15:49:04 +02:00
Nick Mathewson
36c0ae6f78 Fold final entries into changelog 2015-07-27 10:53:09 -04:00
Yawning Angel
da6aa7bfa5 Allow a single trailing . when validating FQDNs from SOCKS.
URI syntax (and DNS syntax) allows for a single trailing `.` to
explicitly distinguish between a relative and absolute
(fully-qualified) domain name. While this is redundant in that RFC 1928
DOMAINNAME addresses are *always* fully-qualified, certain clients
blindly pass the trailing `.` along in the request.

Fixes bug 16674; bugfix on 0.2.6.2-alpha.
2015-07-27 12:58:40 +00:00
Nick Mathewson
382c27d8a9 Merge branch 'ticket2325_squashed' 2015-07-22 12:24:21 -04:00
Nick Mathewson
6e1eaa936a changes file for bug16631 2015-07-21 13:59:25 -04:00
Nick Mathewson
7521c3ee91 Document the torrc format as thoroughly as possible
Closes ticket 2325
2015-07-20 12:05:44 -04:00
Nick Mathewson
0a329a7a05 Merge remote-tracking branch 'public/bug16162_026' 2015-07-20 11:01:58 -04:00
Nick Mathewson
6632a731fd Use a more recommended syntax for the systemd unit file
closes 16162.
2015-07-20 11:01:34 -04:00
Nick Mathewson
60a52ed83d Add the remaining changes items to ChangeLog for 0.2.7.2-alpha 2015-07-16 16:06:25 -04:00
Nick Mathewson
515de3ac19 Make all changes files work with lintChanges 2015-07-16 16:04:56 -04:00
Nick Mathewson
579a73c9bc Start changelog sections that are straight copies from 0.2.6 2015-07-16 15:55:54 -04:00
Nick Mathewson
6a08bcf530 Merge remote-tracking branch 'public/ticket16543' 2015-07-16 15:47:00 -04:00
Nick Mathewson
2ba6542517 Merge remote-tracking branch 'sysrqb/bug15220_026_sysrqb' 2015-07-16 15:38:08 -04:00
Nick Mathewson
8cb5070376 Use C99 variadic macros when not on GCC.
1) We already require C99.

2) This allows us to support MSVC again (thanks to Gisle Vanem for
   this part)

3) This change allows us to dump some rotten old compatibility code
   from log.c
2015-07-15 14:43:35 -04:00
Nick Mathewson
d2cb923320 Remove tor-fw-helper code
It did a good idea, but the code-quality of libupnpc and libnatpnp
is so dodgy that I'm not really comfortable including them alongside
Tor proper.  Instead, we'll recommend that people do the pure-go
reimplementation instead.  Closes ticket 13338.
2015-07-14 14:48:22 -04:00
Nick Mathewson
a65e835800 Add changes file for 8712; apply it to HSDir flag as well. 2015-07-14 14:03:30 -04:00
Nick Mathewson
2f8cf524ba Remove the HidServDirV2 and VoteOnHidServDirectoriesV2 options
(Mark them as obsolete)

Closes 16543.
2015-07-10 09:05:26 -04:00