Commit Graph

11620 Commits

Author SHA1 Message Date
Nick Mathewson
8d6bb3a559 Make our digest-mismatch warnings a touch better 2015-09-24 17:45:33 -04:00
Nick Mathewson
e62fe2f02d Put braces around reject-lines for IPv6 addrs
Fixes bug 17149; bug not in any released Tor.
2015-09-24 16:51:25 -04:00
Nick Mathewson
01733e2b15 New AuthDirPinKeys option to enable/disable keypinning enforcement
Implements ticket #17135.  We're going to need this one to avoid
chaos as everybody figures out how ed25519 keys work.
2015-09-23 11:22:26 -04:00
Nick Mathewson
efea1e904a Extract the add-or-replace-keypin logic into a new function
We're about to need to call it in another place too.
2015-09-23 11:07:17 -04:00
Nick Mathewson
c5e87e33c7 Allow conflicts to occur in keypinning journal
When we find a conflict in the keypinning journal, treat the new
entry as superseding all old entries that overlap either of its
keys.

Also add a (not-yet-used) configuration option to disable keypinning
enforcement.
2015-09-23 11:02:21 -04:00
Nick Mathewson
6b6a714732 Fix a memory leak in router_parse_addr_policy_item_from_string. CID 1324770 2015-09-22 09:55:05 -04:00
Nick Mathewson
df0b4f0342 Merge branch 'feature16769_squashed' 2015-09-22 09:26:30 -04:00
Nick Mathewson
1911f80fb5 Disable --master-key as not-yet-working for 0.2.7 2015-09-22 09:24:35 -04:00
Nick Mathewson
bca4211de5 Add a --master-key option
This lets the user override the default location for the master key
when used with --keygen

Part of 16769.
2015-09-22 09:24:35 -04:00
Nick Mathewson
d8f031aec2 Add a new --newpass option to add or remove secret key passphrases. 2015-09-22 09:24:35 -04:00
Nick Mathewson
e94ef30a2f Merge branch 'feature16944_v2' 2015-09-22 09:19:28 -04:00
teor (Tim Wilson-Brown)
a659a3fced Merge branch 'bug17027-reject-private-all-interfaces-v2' into bug16069-bug17027
src/test/test_policy.c:
Merged calls to policies_parse_exit_policy by adding additional arguments.
fixup to remaining instance of ~EXIT_POLICY_IPV6_ENABLED.
Compacting logic test now produces previous list length of 4, corrected this.

src/config/torrc.sample.in:
src/config/torrc.minimal.in-staging:
Merged torrc modification dates in favour of latest.
2015-09-16 09:09:54 +10:00
teor (Tim Wilson-Brown)
fd85f2cd70 fixup Clarify ambiguous log message in router_add_exit_policy 2015-09-16 03:59:30 +10:00
teor (Tim Wilson-Brown)
ab6f93caa7 fixup Only set TAPMP_STAR_IPV6_ONLY if TAPMP_EXTENDED_STAR is set
Also fix a comment.
2015-09-16 03:58:06 +10:00
teor (Tim Wilson-Brown)
eb1759e63c Log an info-level message for each IP blocked by ExitPolicyRejectPrivate
Log an info-level message containing the reject line added to the
exit policy for each local IP address blocked by ExitPolicyRejectPrivate:
 - Published IPv4 and IPv6 addresses
 - Publicly routable IPv4 and IPv6 interface addresses
2015-09-16 02:58:34 +10:00
teor (Tim Wilson-Brown)
098b82c7b2 ExitPolicyRejectPrivate rejects local IPv6 address and interface addresses
ExitPolicyRejectPrivate now rejects more local addresses by default:
 * the relay's published IPv6 address (if any), and
 * any publicly routable IPv4 or IPv6 addresses on any local interfaces.

This resolves a security issue for IPv6 Exits and multihomed Exits that
trust connections originating from localhost.

Resolves ticket 17027. Patch by "teor".
Patch on 42b8fb5a15 (11 Nov 2007), released in 0.2.0.11-alpha.
2015-09-16 02:56:50 +10:00
teor (Tim Wilson-Brown)
d3358a0a05 ExitPolicy accept6/reject6 produces IPv6 wildcard addresses only
In previous versions of Tor, ExitPolicy accept6/reject6 * produced
policy entries for IPv4 and IPv6 wildcard addresses.

To reduce operator confusion, change accept6/reject6 * to only produce
an IPv6 wildcard address.

Resolves bug #16069.

Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-16 00:13:12 +10:00
teor (Tim Wilson-Brown)
36ad8d8fdc Warn about redundant torrc ExitPolicy lines due to accept/reject *:*
Tor now warns when ExitPolicy lines occur after accept/reject *:*
or variants. These lines are redundant, and were always ignored.

Partial fix for ticket 16069. Patch by "teor".
Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-16 00:13:12 +10:00
teor (Tim Wilson-Brown)
e033d5e90b Ignore accept6/reject6 IPv4, warn about unexpected rule outcomes
When parsing torrc ExitPolicies, we now warn if:
  * an IPv4 address is used on an accept6 or reject6 line. The line is
    ignored, but the rest of the policy items in the list are used.
    (accept/reject continue to allow both IPv4 and IPv6 addresses in torrcs.)
  * a "private" address alias is used on an accept6 or reject6 line.
    The line filters both IPv4 and IPv6 private addresses, disregarding
    the 6 in accept6/reject6.

When parsing torrc ExitPolicies, we now issue an info-level message:
  * when expanding an accept/reject * line to include both IPv4 and IPv6
    wildcard addresses.

In each instance, usage advice is provided to avoid the message.

Partial fix for ticket 16069. Patch by "teor".
Patch on 2eb7eafc9d and a96c0affcb (25 Oct 2012),
released in 0.2.4.7-alpha.
2015-09-16 00:13:03 +10:00
teor (Tim Wilson-Brown)
60312dc08b Update comments about ExitPolicy parsing
Fix incomplete and incorrect comments.

Comment changes only.
2015-09-14 11:12:28 +10:00
Nick Mathewson
a444b11323 Convince coverity that we do not have a particular memory leak 2015-09-13 14:44:46 -04:00
David Goulet
8b98172579 Add a rend cache failure info dup function
When validating a new descriptor against our rend cache failure, we were
added the failure entry to the new cache entry without duplicating. It was
then freed just after the validation ending up in a very bad memory state
that was making tor abort(). To fix this, a dup function has been added and
used just before adding the failure entry.

Fixes #17041

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-09-11 15:09:07 +02:00
Nick Mathewson
41891cbf93 Merge remote-tracking branch 'public/ed25519_hup_v2' 2015-09-10 10:37:13 -04:00
Yawning Angel
f6c446db47 Check NoKeepAliveIsolateSOCKSAuth in a better place.
No functional changes, but since NoKeepAliveIsolateSOCKSAuth isn't
part of isoflag, it should be checked where all other similar options
are, and bypass the (no-op) masking at the end.
2015-09-09 13:52:30 +00:00
Nick Mathewson
7ffc048f0a Make NoKeepAliveIsolateSOCKSAuth work as expected 2015-09-08 14:03:54 -04:00
Nick Mathewson
fcec1f3381 Merge branch 'feature15482_squashed' 2015-09-08 14:03:04 -04:00
Yawning Angel
54510d4d1a Add KeepAliveIsolateSOCKSAuth as a SOCKSPort option.
This controls the circuit dirtyness reset behavior added for Tor
Browser's user experience fix (#15482). Unlike previous iterations
of this patch, the tunable actually works, and is documented.
2015-09-08 14:02:08 -04:00
Nick Mathewson
d70b1b4da1 Never ever try to load the secret key if offline_master is set
(Not even if we can't find the public key.)
2015-09-04 09:55:07 -04:00
Nick Mathewson
0ba4e0895a Add "OfflineMasterKey" option
When this is set, and Tor is running as a relay, it will not
generate or load its secret identity key.  You can manage the secret
identity key with --keygen.  Implements ticket 16944.
2015-09-04 09:55:07 -04:00
Nick Mathewson
e73206f681 Only return 0..255 from main().
I think this may fix some bugs with windows exit codes being screwy.
2015-09-03 11:38:00 -04:00
Nick Mathewson
eb71777bb2 Merge remote-tracking branch 'dgoulet/bug15963_026_01' 2015-09-02 16:00:07 -04:00
David Goulet
d6bfedb8e5 Don't vote HSDir if we aren't voting Fast
Fixes #15963

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-09-02 17:03:00 +02:00
Nick Mathewson
bc64a6b2b9 Fix crashes in tests 2015-09-02 11:02:00 -04:00
David Goulet
07b3028db7 Prohibit the use of one entry node with an HS
In a nutshell, since a circuit can not exit at its entry point, it's very
easy for an attacker to find the hidden service guard if only one EntryNodes
is specified since for that guard, the HS will refuse to build a rendezvous
circuit to it.

For now, the best solution is to stop tor to allow a single EntryNodes for
an hidden service.

Fixes #14917

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-09-02 10:47:20 -04:00
Nick Mathewson
f6bd8fbb80 Let recent relays run with the chutney sandbox.
Fixes 16965
2015-09-02 09:59:50 -04:00
Nick Mathewson
910e25358a Let bridge authorities run under the sandbox
(found thanks to teor's chutney haxx)
2015-09-02 09:59:22 -04:00
Nick Mathewson
f273295cad Merge remote-tracking branch 'dgoulet/bug15254_027_01' 2015-09-02 09:05:55 -04:00
Nick Mathewson
db5a9302c1 correct the doc for find_rp_for_intro.
Thanks to Roger for spotting this!
2015-09-02 08:51:24 -04:00
Nick Mathewson
4cff437a0a Remove remaining references to "nulterminate" in comments
Thanks to Roger for spotting this!
2015-09-02 08:50:26 -04:00
Nick Mathewson
7153cd5094 Include dns_structs.h in tarball 2015-09-02 08:45:12 -04:00
David Goulet
d40358d91e Enable hidden service statistics by default
HiddenServiceStatistics option is now set to "1" by default.

Fixes #15254

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-09-02 13:53:36 +02:00
Nick Mathewson
fc191df930 Remove the unused "nulterminate" option to buf_pullup()
I was going to add a test for this, but I realized that it had no
users.  So, removed.
2015-09-01 14:36:25 -04:00
Mike Perry
a16115d9cb Bug 15482: Don't abandon circuits that are still in use for browsing.
Only applies to connections with SOCKS auth set, so that non-web Tor
activity is not affected.

Simpler version of Nick's patch because the randomness worried me, and I'm not
otherwise sure why we want a max here.
2015-09-01 15:21:47 +00:00
Nick Mathewson
d891e2a9c5 missing semicolon 2015-09-01 09:55:20 -04:00
Nick Mathewson
f4ded2cdc9 Fix an always-false check with an assertion
In validate_recommended_package_line, at this point in the function,
n_entries is always >= 1.  Coverity doesn't like us checking it for
0.

CID 1268063.
2015-09-01 09:52:46 -04:00
Nick Mathewson
b977a570c4 Fix a false-positive in coverity scan with an assertion
CID 1301373
2015-09-01 09:50:33 -04:00
Nick Mathewson
f64ef65b9d Fix code for checking expired certificates on load
Fixes CID 1306915, which noticed that the check was dead.
2015-09-01 09:47:51 -04:00
Nick Mathewson
a55f257d6a Simplify API for find_rp_for_intro()
The function now unconditionally allocates a new extend_info_t.
This should convince coverity that we're not leaking memory.
(CID 1311875)
2015-09-01 09:30:48 -04:00
Sebastian Hahn
bbb73eaf31 properly delete current channel in channel_free_list
channel_unregister() removes channels from the current smartlist while
we're in a SMORTLIST_FOREACH loop. This only works by accident.
2015-09-01 15:10:10 +02:00
Nick Mathewson
e8675dc7fc Merge remote-tracking branch 'rl1987/test_dns_resolve_rebased' 2015-08-26 11:32:40 -04:00
Andreas Stieger
19df037e53 Log malformed hostnames in socks5 request respecting SafeLogging 2015-08-25 09:36:34 -04:00
rl1987
77a5ca901f Unit test dns_resolve(), dns_clip_ttl(), dns_get_expiry_ttl(). 2015-08-23 16:02:39 +03:00
Nick Mathewson
80a45835c4 Is this the syntax that will make freebsd make happy? 2015-08-21 12:03:05 -04:00
Nick Mathewson
3b6d2f9bf4 Merge branch 'workqueue_squashed' 2015-08-21 10:37:01 -04:00
Sebastian Hahn
5cf24ff3af Fix a bunch of check-spaces complaints 2015-08-21 10:36:53 -04:00
Sebastian Hahn
32220d38c0 Ensure worker threads actually exit when it is time
This includes a small refactoring to use a new enum (workqueue_reply_t)
for the return values instead of just ints.
2015-08-21 10:36:53 -04:00
Nick Mathewson
b58dfba76f Rename EVENT_SIGNAL -> EVENT_GOT_SIGNAL
This avoids a conflict with a macro decl from libevent 1.x.

Fixes bug 16867; bug not in any released Tor.
2015-08-20 18:42:20 -04:00
Nick Mathewson
037e8763a7 Reload Ed25519 keys on sighup.
Closes ticket 16790.
2015-08-19 13:37:21 -04:00
Nick Mathewson
428bb2d1c8 Merge branch 'ed25519_keygen_squashed' 2015-08-19 13:36:59 -04:00
Nick Mathewson
426ef9c8eb More log messages for keygen problems 2015-08-19 13:36:51 -04:00
Nick Mathewson
c88a8a7ca3 Explain better why we are about to load the master key. 2015-08-19 13:36:51 -04:00
Nick Mathewson
a1b5e8b30b Don' call failure to get keys a bug; it's possible now. 2015-08-19 13:36:50 -04:00
Nick Mathewson
76ec891572 When we infer the master key from the certificate, save it to disk. 2015-08-19 13:36:50 -04:00
Nick Mathewson
138b28dc35 Add test_keygen tests for all log outputs; improve keygen outputs. 2015-08-19 13:36:50 -04:00
Nick Mathewson
8f6f1544c9 Resolve failing test_keygen tests. 2015-08-19 13:36:50 -04:00
Nick Mathewson
f362e7a873 Checkpoint work on ed25519 keygen improvements.
Needs changes file, documentation, test integration, more tests.
2015-08-19 13:36:49 -04:00
Nick Mathewson
2f5202c636 Merge remote-tracking branch 'teor/feature14882-TestingDirAuthVoteIsStrict-v3' 2015-08-18 09:53:50 -04:00
Nick Mathewson
a7de5bd02e Merge remote-tracking branch 'arma/bug16844-logs' 2015-08-18 09:19:39 -04:00
Nick Mathewson
eafae7f677 Merge branch 'decouple_controller_events_squashed' 2015-08-18 08:56:31 -04:00
Nick Mathewson
9ec94f1d22 Use thread-local storage to block event_queue recursion. 2015-08-18 08:56:23 -04:00
Nick Mathewson
e2a6a7ec61 Multithreading support for event-queue code. 2015-08-18 08:56:23 -04:00
Nick Mathewson
81f3572467 Refactor initialization logic for control-event-queue
This puts the init logic in a separate function, which we will need
once we have locking.
2015-08-18 08:56:23 -04:00
Nick Mathewson
60c8fbf1ff Remove obsolete event_format_t
We used to use this when we had some controllers that would accept
long names and some that wouldn't.  But it's been obsolete for a
while, and it's time to strip it out of the code.
2015-08-18 08:56:23 -04:00
Nick Mathewson
bab221f113 Refactor our logic for sending events to controllers
Previously we'd put these strings right on the controllers'
outbufs. But this could cause some trouble, for these reasons:

  1) Calling the network stack directly here would make a huge portion
     of our networking code (from which so much of the rest of Tor is
     reachable) reachable from everything that potentially generated
     controller events.

  2) Since _some_ events (EVENT_ERR for instance) would cause us to
     call connection_flush(), every control_event_* function would
     appear to be able to reach even _more_ of the network stack in
     our cllgraph.

  3) Every time we generated an event, we'd have to walk the whole
     connection list, which isn't exactly fast.

This is an attempt to break down the "blob" described in
http://archives.seul.org/tor/dev/Mar-2015/msg00197.html -- the set of
functions from which nearly all the other functions in Tor are
reachable.

Closes ticket 16695.
2015-08-18 08:55:28 -04:00
Sebastian Hahn
fe4c0a187d Use tabs in src/or/include.am 2015-08-18 08:19:00 -04:00
Sebastian Hahn
63db8170ae Fix typo in double_digest_map type 2015-08-18 08:18:44 -04:00
teor
d1c94dcbea Refactor TestingDirAuthVote* into dirserv_set_routerstatus_testing
Make it easier to unit test TestingDirAuthVote{Exit,Guard,HSDir}
by refactoring the code which sets flags based on them into a
new function dirserv_set_routerstatus_testing.
2015-08-18 14:54:40 +10:00
teor
359faf5e4b New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags
"option to prevent guard,exit,hsdir flag assignment"

"A node will never receive the corresponding flag unless
that node is specified in the
TestingDirAuthVote{Exit,Guard,HSDir} list, regardless of
its uptime, bandwidth, exit policy, or DirPort".

Patch modified by "teor": VoteOnHidServDirectoriesV2
is now obsolete, so TestingDirAuthVoteHSDir always
votes on HSDirs.

Closes ticket 14882. Patch by "robgjansen".
Commit message and changes file by "teor"
with quotes from "robgjansen".
2015-08-18 14:51:57 +10:00
teor
0cb82013cc Fix TestingDirAuthVoteHSDir docs: HSDir flag needs DirPort
Fix an error in the manual page and comments for
TestingDirAuthVoteHSDir, which suggested that a
HSDir required "ORPort connectivity". While this is true,
it is in no way unique to the HSDir flag. Of all the flags,
only HSDirs need a DirPort configured in order for the
authorities to assign that particular flag.

Fixed as part of 14882. Patch by "teor".
Bugfix on 0.2.6.3 (f9d57473e1 on 10 January 2015).
2015-08-18 14:51:57 +10:00
Nick Mathewson
d07fe5dffe Merge remote-tracking branches 'public/decouple_lost_owner' and 'public/decouple_signals' 2015-08-17 16:24:45 -04:00
Roger Dingledine
b4732bd2ea Logs and debug info that I used for finding bug 16844 2015-08-17 14:34:50 -04:00
Nick Mathewson
573bd1f033 Merge remote-tracking branch 'public/decouple_retry_directory' 2015-08-17 13:50:19 -04:00
Nick Mathewson
2691b2bb06 Fix an assertion failure introduced in 20254907d7
Fixes bug 16829; bug not in any released Tor.
2015-08-17 09:51:50 -04:00
Nick Mathewson
fd16a2b56f Fix a stupid memory leak I introduced in 8afbc154. Bug not in any released Tor. 2015-08-17 09:42:35 -04:00
Isis Lovecruft
2e0a50abf4 Remove redundant tor_free() in command_process_create_cell().
* FIXES #16823: https://bugs.torproject.org/16823
   If an OP were to send a CREATE_FAST cell to an OR, and that
   CREATE_FAST cell had unparseable key material, then tor_free() would
   be called on the create cell twice.  This fix removes the second
   (conditional on the key material being bad) call to tor_free(), so
   that now the create cell is always freed once, regardless of the status of
   the key material.

   (This isn't actually a double-free bug, since tor_free() sets its
   input to NULL, and has no effect when called with input NULL.)
2015-08-17 09:26:07 -04:00
Nick Mathewson
a053451ddf Merge remote-tracking branch 'isis/fix/circuitlist-docstring-typo' 2015-08-17 09:25:23 -04:00
Nick Mathewson
34aefe6f38 Merge remote-tracking branch 'public/decouple_init_keys' 2015-08-14 08:40:51 -04:00
Nick Mathewson
216bde38e0 Fix some types on container fns 2015-08-13 22:14:14 -04:00
Nick Mathewson
e62518865b Decouple routerlist_retry_directory_downloads() from the blob
Instead of having it call update_all_descriptor_downloads and
update_networkstatus_downloads directly, we can have it cause them to
get rescheduled and called from run_scheduled_events.

Closes ticket 16789.
2015-08-13 09:45:30 -04:00
Nick Mathewson
c7c73f1178 Change lost_owning_controller() to call activate_signal().
Closes ticket 16788.
2015-08-13 09:17:41 -04:00
Nick Mathewson
3cc6d59521 Fix a windows compilation error 2015-08-12 13:16:08 -04:00
Nick Mathewson
9deb3c61fe Fix a memory leak when adding an ri with expired ed certs
Fixes bug 16539; bugfix on 0.2.7.2-alpha.
2015-08-12 12:27:45 -04:00
Nick Mathewson
f4f0b43268 Try to decouple process_signal() from anything not event-driven
This needs debugging; it currently breaks the stem tests.
2015-08-12 11:25:00 -04:00
Nick Mathewson
b65d53519a Decouple the backend for directory_all_unreachable to simplify our CFG
See ticket 16762.
2015-08-12 11:02:20 -04:00
Nick Mathewson
835e09e54b Split the client-only parts of init_keys() into a separate function
This should simplify the callgraph a little more.
2015-08-11 10:41:20 -04:00
Nick Mathewson
da04fed865 Merge branch 'bug16389_027_03_squashed' 2015-08-11 09:34:55 -04:00
David Goulet
7dce409802 Expire after 5 minutes rend cache failure entries
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-08-11 09:34:41 -04:00
David Goulet
6e96723524 Add created timestamp to a rend cache failure entry
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-08-11 09:34:41 -04:00
David Goulet
1070be8217 Use an enum for INTRO_POINT_FAILURE_*
Safer, wiser, stronger!

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-08-11 09:34:41 -04:00
David Goulet
d06af95ba3 Purge client HS failure cache on NEWNYM
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2015-08-11 09:34:41 -04:00