Commit Graph

15335 Commits

Author SHA1 Message Date
George Kadianakis
b7b7dab00d Recreate nodelist before use if it's outdated.
We currently only do the check when we are about to use the HSDir indices.
2018-06-20 08:01:02 -04:00
George Kadianakis
a686464420 Recreate voting schedule before use if it's outdated. 2018-06-20 08:01:02 -04:00
George Kadianakis
2520ee34c6 Require live consensus to compute responsible HSDirs.
Here is how this changes the HSv3 client-side and service-side:

For service side we already required live consensus to upload descriptors (see
9e900d1db7) so we should never get there without
a live consensus.

For the client-side we now require a live consensus to attempt to connect to
HS.  While this changes the client behavior in principle, it doesn't really
change it, because we always required live consensus to set HSDir indices, so
before this patch a client with no live consensus would try to compute
responsible HSDirs without any HSDir indices and bug out. This makes the client
behavior more consistent, by requiring a live consensus (and hence a
semi-synced clock) for the client to connect to an HS entirely.

The alternative would have been to allow setting HSDir indices with a non-live
consensus, but this would cause the various problems outlined by commit
b89d2fa1db.
2018-06-13 13:42:34 +03:00
Nick Mathewson
f399887cfe Merge remote-tracking branch 'mikeperry-github/bug26259' 2018-06-08 10:17:00 -04:00
Nick Mathewson
aef0607f38 Merge branch 'maint-0.3.3' 2018-06-08 10:11:57 -04:00
Nick Mathewson
c27bb4072c Merge branch 'maint-0.3.2' into maint-0.3.3 2018-06-08 10:11:57 -04:00
Nick Mathewson
dd63033fcb Merge branch 'maint-0.3.1' into maint-0.3.2 2018-06-08 10:11:57 -04:00
Nick Mathewson
1ef8023e00 Merge branch 'maint-0.2.9' into maint-0.3.1 2018-06-08 10:11:57 -04:00
rl1987
719b5c1d27 Avoid out-of-bounds smartlist access in protover_compute_vote()
and contract_protocol_list()
2018-06-08 10:11:32 -04:00
Nick Mathewson
3716ddf1b4 Merge remote-tracking branch 'rl1987/doc25237' 2018-06-02 11:35:06 -07:00
Nick Mathewson
9f884a38e3 Merge branch 'maint-0.3.3' 2018-06-02 10:36:49 -07:00
Nick Mathewson
f15f90e2ca Merge branch 'bug26121-033-squashed' into maint-0.3.3 2018-06-02 10:36:44 -07:00
Mike Perry
fe5764012a Bug 26121: Improve BUILDTIMEOUT_SET accuracy.
We were miscounting the total number of circuits for the TIMEOUT_RATE and
CLOSE_RATE fields of this event.
2018-06-02 10:36:36 -07:00
David Goulet
66e76066e0 hs-v3: Build onion address before registering ephemeral service
With the work on #25500 (reducing CPU client usage), the HS service main loop
callback is enabled as soon as the HS service map changes which happens when
registering a new service.

Unfortunately, for an ephemeral service, we were building the onion address
*after* the registration leading to the "service->onion_address` to be an
empty string.

This broke the "HS_DESC CREATED" event which had no onion address in it. And
also, we were logging an empty onion address for that service.

Fixes #25939

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-06-02 10:33:20 -07:00
rl1987
f8d549db7b Point reader to a section in tor-spec.txt 2018-06-02 11:15:10 +03:00
Mike Perry
93ee227e18 Bug 26259: Don't count 0-length RELAY_COMMAND_DATA in CIRC_BW OVERHEAD
This cell should be treated as invalid for purposes of CIRC_BW.
2018-06-01 00:23:08 +00:00
Nick Mathewson
fa1890e97f Merge remote-tracking branch 'public/bug25691_033_again_squashed' into maint-0.3.3 2018-05-27 10:03:11 -04:00
Nick Mathewson
38f8b3c63d Merge branch 'maint-0.3.3' 2018-05-22 14:13:28 -04:00
Nick Mathewson
80d673ccea Merge branch 'trove-2018-005_032' into maint-0.3.3 2018-05-22 14:13:23 -04:00
Nick Mathewson
7483aef896 avoid a signed/unsigned comparison. 2018-05-22 14:12:44 -04:00
Nick Mathewson
cde5c9d0c3 Merge branch 'maint-0.3.3' 2018-05-22 13:35:33 -04:00
Nick Mathewson
a5d4ce2b39 Make the TROVE-2018-005 fix work with rust. 2018-05-22 13:35:20 -04:00
Nick Mathewson
b858f576c3 Merge branch 'maint-0.3.3' 2018-05-22 12:54:31 -04:00
Nick Mathewson
6e8e005b53 Merge branch 'trove-2018-005_032' into maint-0.3.3 2018-05-22 12:54:26 -04:00
Nick Mathewson
240bb17714 uint breaks compilation on windows 2018-05-22 12:54:05 -04:00
Isis Lovecruft
3283619acf vote: TROVE-2018-005 Make DirAuths omit misbehaving routers from their vote. 2018-05-22 12:28:33 -04:00
Isis Lovecruft
056be68b1b protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing.
In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of
`proto_entry_t`s to their protocol name concatenated with each version number.
For example, given a `proto_entry_t` like so:

    proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t));
    proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t));

    proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa");
    proto->ranges = smartlist_new();

    range->low = 1;
    range->high = 65536;

    smartlist_add(proto->ranges, range);

(Where `[19KB]` is roughly 19KB of `"a"` bytes.)  This would expand in
`expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the
string, e.g.:

    "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1"
    "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2"
    […]
    "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535"

Thus constituting a potential resource exhaustion attack.

The Rust implementation is not subject to this attack, because it instead
expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031,
and a `HashMap<UnvalidatedProtocol, ProtoSet>` after).  Neither Rust version is
subject to this attack, because it only stores the `String` once per protocol.
(Although a related, but apparently of too minor impact to be usable, DoS bug
has been fixed in #24031. [0])

[0]: https://bugs.torproject.org/24031

 * ADDS hard limit on protocol name lengths in protover.c and checks in
   parse_single_entry() and expand_protocol_list().
 * ADDS tests to ensure the bug is caught.
 * FIXES #25517: https://bugs.torproject.org/25517
2018-05-22 12:28:33 -04:00
Nick Mathewson
a3a8d80beb Merge branch 'trove-2018-005_032' into trove-2018-005_033 2018-05-22 12:27:15 -04:00
Nick Mathewson
bc2d6876b3 Add stdbool to protover.h. Only needed for the 032 backport 2018-05-22 12:15:52 -04:00
Isis Lovecruft
b681438daf vote: TROVE-2018-005 Make DirAuths omit misbehaving routers from their vote. 2018-05-22 12:13:41 -04:00
Isis Lovecruft
eb96692842 protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing.
In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of
`proto_entry_t`s to their protocol name concatenated with each version number.
For example, given a `proto_entry_t` like so:

    proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t));
    proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t));

    proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa");
    proto->ranges = smartlist_new();

    range->low = 1;
    range->high = 65536;

    smartlist_add(proto->ranges, range);

(Where `[19KB]` is roughly 19KB of `"a"` bytes.)  This would expand in
`expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the
string, e.g.:

    "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1"
    "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2"
    […]
    "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535"

Thus constituting a potential resource exhaustion attack.

The Rust implementation is not subject to this attack, because it instead
expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031,
and a `HashMap<UnvalidatedProtocol, ProtoSet>` after).  Neither Rust version is
subject to this attack, because it only stores the `String` once per protocol.
(Although a related, but apparently of too minor impact to be usable, DoS bug
has been fixed in #24031. [0])

[0]: https://bugs.torproject.org/24031

 * ADDS hard limit on protocol name lengths in protover.c and checks in
   parse_single_entry() and expand_protocol_list().
 * ADDS tests to ensure the bug is caught.
 * FIXES #25517: https://bugs.torproject.org/25517
2018-05-22 12:12:01 -04:00
Nick Mathewson
3d12663243 Fix a crash bug when testing reachability
Fixes bug 25415; bugfix on 0.3.3.2-alpha.
2018-05-22 08:35:37 -04:00
Nick Mathewson
2b0aab7a6e Add comments explaining when a connected cell has an UNSPEC addr
Should prevent other bugs like 26117.
2018-05-16 14:12:50 -04:00
Nick Mathewson
3c4353179f Merge branch 'maint-0.3.2' into maint-0.3.3 2018-05-16 12:11:45 -04:00
Nick Mathewson
8340f641c3 Merge branch 'maint-0.3.1' into maint-0.3.2 2018-05-16 12:11:45 -04:00
Nick Mathewson
d3a972561a Merge branch 'maint-0.2.9' into maint-0.3.1 2018-05-16 12:11:45 -04:00
Mike Perry
d0b1157fc1 Bug 26117: Move CIRC_BW field accounting.
Previously, we used the AF_UNSPEC check to represent valid connected cell
data as a result of the lack of return. This was incorrect.
2018-05-15 18:58:24 +00:00
Nick Mathewson
fcfa22d80a Merge branch 'maint-0.3.3' 2018-05-16 12:11:46 -04:00
Nick Mathewson
5eb2d58880 Add a missing return after marking a stream for bad connected cell
Fixes bug 26072; bugfix on 0.2.4.7-alpha.
2018-05-14 15:54:48 -04:00
Nick Mathewson
a394a2dd86 Merge branch 'bug25903_v5_squashed' 2018-05-14 14:25:07 -04:00
Mike Perry
fd504587d5 Bug 25903: Tests 2018-05-14 14:24:58 -04:00
Nick Mathewson
a9ef335c1b Use router_get_my_routerinfo_with_err to implement the old version
Having one function implemented in terms of the other should keep
them from diverging.

follow-up on #25852
2018-05-14 14:12:36 -04:00
Nick Mathewson
d27fd7ff6b Merge remote-tracking branch 'rl1987/bug25852_take2' 2018-05-14 14:05:50 -04:00
Nick Mathewson
aab626405c Merge remote-tracking branch 'catalyst-github/bug25756' 2018-05-11 18:15:43 -04:00
Roger Dingledine
962c2f8776 get rid of whitespace before #ifdef's
i don't know if whitespace is ok to have before preprocessing
directives on all platforms, but anyway we almost never have it,
so now things are more uniform.
2018-05-11 16:27:55 -04:00
David Goulet
51f65c185e control: Mask the event(s) before using ANY_EVENT_IS_INTERESTING()
Before this commit, the control events were never triggered. It was introduced
with commit 0c19ce7bde.

Fixes #26082

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-05-11 08:58:11 -04:00
Nick Mathewson
75e5b778e1 Merge remote-tracking branch 'public/bug25981' 2018-05-10 19:31:11 -04:00
rl1987
036df13a03 Tweak error handling for #25852 2018-05-10 16:45:57 +03:00
rl1987
8ad97b7dcf Avoid confusion with errno from libc 2018-05-10 16:33:08 +03:00
Nick Mathewson
b343ba9060 Merge branch 'maint-0.3.2' into maint-0.3.3 2018-05-10 09:22:32 -04:00