Commit Graph

9892 Commits

Author SHA1 Message Date
David Goulet
adcb094cb6 Merge branch 'tor-gitlab/mr/392' into maint-0.4.5 2021-10-06 15:45:13 -04:00
David Goulet
065ebd10c2 Merge branch 'tor-gitlab/mr/393' into maint-0.4.5 2021-10-06 15:41:12 -04:00
David Goulet
a53c949dcf Merge branch 'tor-gitlab/mr/420' into maint-0.4.5 2021-10-06 15:35:30 -04:00
David Goulet
f0d1240a07 hs-v2: Only log once the connection warning to v2
Closes #40474

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-10-06 13:20:22 -04:00
David Goulet
cac612af42 dir: Do not flag non-running failing HSDir
When a directory request fails, we flag the relay as non Running so we
don't use it anymore.

This can be problematic with onion services because there are cases
where a tor instance could have a lot of services, ephemeral ones, and
keeps failing to upload descriptors, let say due to a bad network, and
thus flag a lot of nodes as non Running which then in turn can not be
used for circuit building.

This commit makes it that we never flag nodes as non Running on a onion
service directory request (upload or fetch) failure as to keep the
hashring intact and not affect other parts of tor.

Fortunately, the onion service hashring is _not_ selected by looking at
the Running flag but since we do a 3-hop circuit to the HSDir, other
services on the same instance can influence each other by removing nodes
from the consensus for path selection.

This was made apparent with a small network that ran out of nodes to
used due to rapid succession of onion services uploading and failing.
See #40434 for details.

Fixes #40434

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-08-17 13:27:14 -04:00
David Goulet
33abeeab94 Merge branch 'maint-0.3.5' into maint-0.4.5 2021-08-12 12:13:25 -04:00
Alexander Færøy
eca5b62213 Update GeoIP files to match IPFire location DB as per 2021/08/12. 2021-08-12 15:38:11 +00:00
Alexander Færøy
81635ec577 Merge branch 'maint-0.3.5' into maint-0.4.5 2021-08-11 13:15:58 +00:00
Alexander Færøy
7e0971d868 Merge remote-tracking branch 'tor-gitlab/mr/417' into maint-0.3.5 2021-08-11 13:15:35 +00:00
Alexander Færøy
c48d1c3f7c Merge branch 'maint-0.3.5' into maint-0.4.5 2021-08-11 13:14:26 +00:00
George Kadianakis
fe5a9db1e6 Disable ed25519-donna's batch verification.
Fixes bug 40078.

As reported by hdevalence our batch verification logic can cause an assert
crash.

The assert happens because when the batch verification of ed25519-donna fails,
the code in `ed25519_checksig_batch()` falls back to doing a single
verification for each signature.

The crash occurs because batch verification failed, but then all signatures
individually verified just fine.

That's because batch verification and single verification use a different
equation which means that there are sigs that can pass single verification
but fail batch verification.

Fixing this would require modding ed25519-donna which is not in scope for
this ticket, and will be soon deprecated in favor of arti and
ed25519-dalek, so my branch instead removes batch verification.
2021-08-11 13:14:05 +00:00
David Goulet
0e60b65f6c fallbackdir: Regenerate list
New list for all stable releases.

Closes #40447

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-08-11 09:07:05 -04:00
David Goulet
399518da02 relay: Reduce streaming compression ratio from HIGH to LOW
Fixes #40301

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-08-11 12:51:32 +00:00
David Goulet
70d8fb3eab relay: Reduce streaming compression ratio from HIGH to LOW
Fixes #40301

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-08-11 12:47:20 +00:00
George Kadianakis
98b9df61f6 Merge branch 'mr/395' into maint-0.4.5 2021-07-06 13:42:29 +03:00
Nick Mathewson
c1d96358d4 Use native timegm when available.
Continue having a tor_gmtime_impl() unit test so that we can detect
any problems in our replacement function; add a new test function to
make sure that gmtime<->timegm are a round-trip on now-ish times.

This is a fix for bug #40383, wherein we ran into trouble because
tor_timegm() does not believe that time_t should include a count of
leap seconds, but FreeBSD's gmtime believes that it should.  This
disagreement meant that for a certain amount of time each day,
instead of calculating the most recent midnight, our voting-schedule
functions would calculate the second-most-recent midnight, and lead
to an assertion failure.

I am calling this a bugfix on 0.2.0.3-alpha when we first started
calculating our voting schedule in this way.
2021-07-06 13:33:05 +03:00
Nick Mathewson
e60d14bb6b Missing changes file for #40409 2021-06-30 08:14:57 -04:00
Alexander Færøy
83483bd4f6 Enable deterministic RNG for address set tests.
This patch enables the deterministic RNG for address set tests,
including the tests which uses address set indirectly via the nodelist
API.

This should prevent random test failures in the highly unlikely case of
a false positive which was seen in tor#40419.

See: tpo/core/tor#40419.
2021-06-25 16:43:10 +00:00
Nick Mathewson
200e9a55e0 Merge branch 'maint-0.4.4' into maint-0.4.5 2021-06-10 12:30:29 -04:00
Nick Mathewson
0ae9fd62fd Merge branch 'maint-0.3.5' into maint-0.4.4 2021-06-10 12:30:11 -04:00
George Kadianakis
f57b5c48e0 Fix TROVE-2021-006: Out-of-bounds read on v3 desc parsing 2021-06-10 12:11:10 -04:00
Nick Mathewson
ec696a95e5 Merge branch 'maint-0.4.4' into maint-0.4.5 2021-06-10 08:53:07 -04:00
Nick Mathewson
0f2d45328d Merge branch 'maint-0.3.5' into maint-0.4.4
Conflicts resolved:
	src/core/or/relay.c
2021-06-10 08:52:39 -04:00
David Goulet
adb248b6d6 TROVE-2021-003: Check layer_hint before half-closed end and resolve cells
This issue was reported by Jann Horn part of Google's Project Zero.

Jann's one-sentence summary: entry/middle relays can spoof RELAY_END cells on
half-closed streams, which can lead to stream confusion between OP and
exit.

Fixes #40389
2021-06-10 08:50:05 -04:00
Nick Mathewson
1da8621c0a Merge branch 'maint-0.4.4' into maint-0.4.5 2021-06-10 08:42:15 -04:00
Nick Mathewson
31eaa81f59 Merge branch 'maint-0.3.5' into maint-0.4.4 2021-06-10 08:42:15 -04:00
Nick Mathewson
d71bf986b4 Merge branch 'bug40391_035' into maint-0.3.5 2021-06-10 08:41:59 -04:00
Nick Mathewson
e2d01aac9e Merge branch 'maint-0.4.4' into maint-0.4.5 2021-06-10 08:37:34 -04:00
Nick Mathewson
7c19a4d924 Merge branch 'maint-0.3.5' into maint-0.4.4 2021-06-10 08:37:26 -04:00
Nick Mathewson
7fdfc2ea54 Merge branch 'bug40390_035_squashed' into maint-0.3.5 2021-06-10 08:34:25 -04:00
Nick Mathewson
c0aa9e0a1b Assert on _all_ failures from RAND_bytes().
Previously, we would detect errors from a missing RNG
implementation, but not failures from the RNG code itself.

Fortunately, it appears those failures do not happen in practice
when Tor is using OpenSSL's default RNG implementation.  Fixes bug
40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
2021-06-10 08:33:57 -04:00
Nick Mathewson
d60f8fe98a Merge branch 'maint-0.4.4' into maint-0.4.5 2021-06-10 08:21:48 -04:00
Nick Mathewson
57a41348ee Merge branch 'maint-0.3.5' into maint-0.4.4 2021-06-10 08:21:47 -04:00
Nick Mathewson
520d5c108f Update geoip files to match ipfire location db, 2021/06/10. 2021-06-10 08:20:13 -04:00
Nick Mathewson
9348b1b440 changes file for #40175 2021-06-01 12:16:06 -04:00
Nick Mathewson
d12b16614d Prefer mmap()ed consensus files over cached_dir_t entries.
Cached_dir_t is a somewhat "legacy" kind of storage when used for
consensus documents, and it appears that there are cases when
changing our settings causes us to stop updating those entries.

This can cause trouble, as @arma found out in #40375, where he
changed his settings around, and consensus diff application got
messed up: consensus diffs were being _requested_ based on the
latest consensus, but were being (incorrectly) applied to a
consensus that was no longer the latest one.

This patch is a minimal fix for backporting purposes: it has Tor do
the same search when applying consensus diffs as we use to request
them.  This should be sufficient for correct behavior.

There's a similar case in GETINFO handling; I've fixed that too.

Fixes #40375; bugfix on 0.3.1.1-alpha.
2021-05-26 13:02:56 -04:00
Alexander Færøy
11c7e65730 Merge branch 'maint-0.3.5' into maint-0.4.4 2021-05-25 13:25:23 +00:00
Alexander Færøy
4a7379b80a Merge branch 'maint-0.4.4' into maint-0.4.5 2021-05-25 13:25:23 +00:00
Nick Mathewson
42ba87d964 Remove the function tor_tls_assert_renegotiation_unblocked.
It was used nowhere outside its own unit tests, and it was causing
compilation issues with recent OpenSSL 3.0.0 alphas.

Closes ticket 40399.
2021-05-25 07:38:31 -04:00
Nick Mathewson
4c06c619fa Use a more secure hash function for the circuitmux hashtable.
Fixes bug 40931; bugfix on 0.2.4.4-alpha. Also tracked as
TROVE-2021-005.

This issue was reported by Jann Horn from Google's Project Zero.
2021-05-18 08:40:09 -04:00
Nick Mathewson
97b61e21a9 Merge remote-tracking branch 'tor-gitlab/mr/387' into maint-0.4.5 2021-05-17 09:09:42 -04:00
Daniel Pinto
e0a8454691 Make SAVECONF keep only one backup and add sandbox rules for it. #40317
When seccomp sandbox is active, SAVECONF failed because it was not
able to save the backup files for torrc. This commit simplifies
the implementation of SAVECONF and sandbox by making it keep only
one backup of the configuration file.
2021-05-17 13:50:19 +02:00
David Goulet
5f009a59da conn: MetricsPort listener is a listener port
The connection type for the listener part was missing from the "is
connection a listener" function.

This lead to our periodic event that retries our listeners to keep
trying to bind() again on an already opened MetricsPort.

Closes #40370

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-05-12 15:13:50 -04:00
Nick Mathewson
f5acfe6723 Add a sandbox workaround for Glibc 2.33
This change permits the newfstatat() system call, and fixes issues
40382 (and 40381).

This isn't a free change.  From the commit:

    // Libc 2.33 uses this syscall to implement both fstat() and stat().
    //
    // The trouble is that to implement fstat(fd, &st), it calls:
    //     newfstatat(fs, "", &st, AT_EMPTY_PATH)
    // We can't detect this usage in particular, because "" is a pointer
    // we don't control.  And we can't just look for AT_EMPTY_PATH, since
    // AT_EMPTY_PATH only has effect when the path string is empty.
    //
    // So our only solution seems to be allowing all fstatat calls, which
    // means that an attacker can stat() anything on the filesystem. That's
    // not a great solution, but I can't find a better one.
2021-05-07 12:12:11 -04:00
Nick Mathewson
7c86f34340 Merge branch 'maint-0.4.4' into maint-0.4.5 2021-05-07 10:41:34 -04:00
Nick Mathewson
48dd87933d Merge branch 'maint-0.3.5' into maint-0.4.4 2021-05-07 10:41:33 -04:00
Nick Mathewson
e2c1ac214c Reindent a few lines to fix a GCC warning.
As of GCC 11.1.1, the compiler warns us about code like this:

     if (a)
         b;
         c;

and that's a good thing: we wouldn't want to "goto fail".  But we
had an instance if this in circuituse.c, which was making our
compilation sad.

Fixes bug 40380; bugfix on 0.3.0.1-alpha.
2021-05-07 10:39:20 -04:00
Nick Mathewson
7fe819c951 Merge branch 'maint-0.4.4' into maint-0.4.5 2021-05-07 09:53:58 -04:00
Nick Mathewson
f68aeda549 Merge branch 'maint-0.3.5' into maint-0.4.4 2021-05-07 09:53:57 -04:00
Nick Mathewson
621f8a304a Update geoip files to match ipfire location db, 2021/05/07. 2021-05-07 09:53:46 -04:00