Commit Graph

13559 Commits

Author SHA1 Message Date
Nick Mathewson
12d428aaff Prop140: Fix a crash bug.
Found while fuzzing: this could occur if we tried to copy a
nonexistent "line 0" while applying a diff.
2017-03-16 14:42:56 -04:00
Nick Mathewson
653c6d129e Make consensus diff sha3 operations mockable.
(We'll want this for fuzzing)
2017-03-16 14:40:33 -04:00
Nick Mathewson
6a36e5ff3b String-based API for consensus diffs.
Also, add very strict split/join functions, and totally forbid
nonempty files that end with somethig besides a newline.  This
change is necessary to ensure that diff/apply are actually reliable
inverse operations.
2017-03-16 14:39:54 -04:00
Nick Mathewson
eff9fbd17d Fix an abstraction violation.
Don't alias the insides of smartlist_t; that way lies madness.
2017-03-16 14:38:29 -04:00
Nick Mathewson
69b3e11e59 Use "const" in consdiff.[ch] 2017-03-16 14:38:29 -04:00
Nick Mathewson
3647751c2a prop140: Use sha3-256, not sha2-256
This is a protocol update from recent prop140 changes.

Also, per #21673, we need to check the entire document, including
signatures.
2017-03-16 14:38:29 -04:00
Nick Mathewson
e1418c09fc Fix an unreachable memory leak.
Also add a missing newline.
2017-03-16 14:38:29 -04:00
Nick Mathewson
f193b666cd Remove digest[12]_hex 2017-03-16 14:38:29 -04:00
Nick Mathewson
c6046f4db8 Tweak&test log messages on apply_diff 2017-03-16 14:38:29 -04:00
Nick Mathewson
5766eed38f Fixes when applying diffs: Allow 2-line diffs, fix bogus free
The 2-line diff changs is needed to make the unit tests actually
test the cases that they thought they were testing.

The bogus free was found while testing those cases
2017-03-16 14:38:29 -04:00
Nick Mathewson
ab1fd85c99 Mark some warnings as bugs, and as (hopefully) unreachable. 2017-03-16 14:38:28 -04:00
Nick Mathewson
06017f35e8 Fix some logging on failed apply_ed_diff 2017-03-16 14:38:28 -04:00
Nick Mathewson
97620cf18f No need to end a log message with newline. 2017-03-16 14:38:28 -04:00
Nick Mathewson
360d043ac7 Use "STATIC" to export consdiff fns for testing
Previously test_consdiff.c just did #include "consdiff.c", which is
not great style, and messes up coverage testing.
2017-03-16 14:38:28 -04:00
Daniel Martí
590ffdb2c9 Consensus diff backend from Daniel Martí GSOC project.
(This commit was extracted by nickm based on the final outcome of
the project, taking only the changes in the files touched by this
commit from the consdiff_rebased branch.  The directory-system
changes are going to get worked on separately.)
2017-03-16 14:38:28 -04:00
Nick Mathewson
7505f452c8 Run the copyright update script. 2017-03-15 16:13:17 -04:00
Nick Mathewson
3b2d6da453 Merge branch 'maint-0.3.0' 2017-03-15 11:09:22 -04:00
Nick Mathewson
567a56ae2e Merge branch 'bug20059_024_v2' into maint-0.3.0 2017-03-15 11:07:38 -04:00
Nick Mathewson
ec5fe41209 Avoid a double-mark bug when makring a pending circuit as "too old"
Fixes bug 20059; bugfix on 0.1.0.1-rc.
2017-03-15 11:05:37 -04:00
Nick Mathewson
6004dd2162 Merge branch 'deprecate_getinfo_network_status' 2017-03-15 11:01:26 -04:00
Nick Mathewson
a783c5cbae Merge remote-tracking branch 'public/feature21496' 2017-03-15 10:59:30 -04:00
teor
c34411d9cb Log info about intro point limits when they are reached and reset
Depends on 21594, part of 21622.
2017-03-14 11:54:08 -04:00
teor
c99d0e742a Log more info when a service descriptor has the wrong number of intro points
Depends on 21598, part of 21622.
2017-03-14 11:53:34 -04:00
teor
d0927b6646 Create function to log service introduction point creation limits
Depends on 21594, part of 21622.

(Resolved merge conflict in static function declarations.
2017-03-14 11:53:34 -04:00
Nick Mathewson
236e1f31d9 Fix some compilation warnings in {test_,}hs_descriptor.c
Nothing big: just some const char[]s that should have been static,
and some integer truncation warnings.

Warnings not in any released Tor.
2017-03-13 22:36:47 -04:00
Nick Mathewson
d9cd4b7072 Merge branch 'maint-0.3.0' 2017-03-13 16:22:54 -04:00
Nick Mathewson
43dd9bf0fc Merge remote-tracking branch 'asn/bug21334_v3' 2017-03-13 16:18:55 -04:00
George Kadianakis
61f318b1b0 prop224: Rename padding size def to something less confusing.
People felt it could refer to the descriptor header section instead of
the plaintext of the superencrypted section.
2017-03-13 15:58:28 +02:00
George Kadianakis
e6b03151fb prop224: Add unittests for decode_superencrypted(). 2017-03-13 15:55:21 +02:00
George Kadianakis
163596d9c2 prop224: Move some utility crypto funcs to the top of the file. 2017-03-13 15:55:21 +02:00
George Kadianakis
d0fe199269 prop224: Implement decoding of superencrypted HS descriptor.
[Consider starting review from desc_decrypt_all() ]
2017-03-13 15:55:20 +02:00
George Kadianakis
b2e37b87a7 prop224: Implement encoding of superencrypted HS descriptor.
Also, relaxed the checks of encrypted_data_length_is_valid() since now
only one encrypted section has padding requirements and we don't
actually care to check that all the padding is there.

Consider starting code review from function encode_superencrypted_data().
2017-03-13 15:55:20 +02:00
George Kadianakis
bb602f6197 prop224: Prepare for superencrypted HS descriptors.
- Refactor our HS desc crypto funcs to be able to differentiate between
  the superencrypted layer and the encrypted layer so that different
  crypto constants and padding is used in each layer.

- Introduce some string constants.

- Add some comments.
2017-03-13 15:49:14 +02:00
Nick Mathewson
8587f663ee Remove DIR_SPOOL_CACHED_DIR: Nothing uses it. 2017-03-13 08:02:25 -04:00
Nick Mathewson
16b64fcfe1 Mark GETINFO network-status as deprecated with a warning
control-spec has marked it deprecated for a long time.

Closes ticket 21703.
2017-03-10 12:05:50 -05:00
Alexander Færøy
85dccce35d
Make MAX_DIR_PERIOD independent of MIN_ONION_KEY_LIFETIME.
As part of the work for proposal #274 we are going to remove the need
for MIN_ONION_KEY_LIFETIME and turn it into a dynamic value defined by a
consensus parameter.

See: https://bugs.torproject.org/21641
2017-03-10 13:04:43 +01:00
Nick Mathewson
118d7018d0 Merge branch 'bug21415_testfix_030' 2017-03-09 09:25:19 -05:00
George Kadianakis
6cab0f8ad7 Fix failing bridges+ipv6-min integration test.
The bridges+ipv6-min integration test has a client with bridges:
    Bridge 127.0.0.1:5003
    Bridge [::1]:5003
which got stuck in guard_selection_have_enough_dir_info_to_build_circuits()
because it couldn't find the descriptor of both bridges.

Specifically, the guard_has_descriptor() function could not find the
node_t of the [::1] bridge, because the [::1] bridge had no identity
digest assigned to it.

After further examination, it seems that during fetching the descriptor
for our bridges, we used the CERTS cell to fill the identity digest of
127.0.0.1:5003 properly. However, when we received a CERTS cell from
[::1]:5003 we actually ignored its identity digest because the
learned_router_identity() function was using
get_configured_bridge_by_addr_port_digest() which was returning the
127.0.0.1 bridge instead of the [::1] bridge (because it prioritizes
digest matching over addrport matching).

The fix replaces get_configured_bridge_by_addr_port_digest() with the
recent get_configured_bridge_by_exact_addr_port_digest() function. It
also relaxes the constraints of the
get_configured_bridge_by_exact_addr_port_digest() function by making it
return bridges whose identity digest is not yet known.

By using the _exact_() function, learned_router_identity() actually
fills in the identity digest of the [::1] bridge, which then allows
guard_has_descriptor() to find the right node_t and verify that the
descriptor is there.

FWIW, in the bridges+ipv6-min test both 127.0.0.1 and [::1] bridges
correspond to the same node_t, which I guess makes sense given that it's
actually the same underlying bridge.
2017-03-09 09:19:19 -05:00
George Kadianakis
41324b5ae1 Revert "Restore correct behavior of 0.3.0.4-rc with bridges+ipv6-min"
This reverts commit 5298ab5917.
2017-03-09 09:19:12 -05:00
Alexander Færøy
02fc0a5ecf
Remove fgets() compatbility function and related tests.
This patch removes the `tor_fgets()` wrapper around `fgets(3)` since it
is no longer needed. The function was created due to inconsistency
between the returned values of `fgets(3)` on different versions of Unix
when using `fgets(3)` on non-blocking file descriptors, but with the
recent changes in bug #21654 we switch from unbuffered to direct I/O on
non-blocking file descriptors in our utility module.

We continue to use `fgets(3)` directly in the geoip and dirserv module
since this usage is considered safe.

This patch also removes the test-case that was created to detect
differences in the implementation of `fgets(3)` as well as the changes
file since these changes was not included in any releases yet.

See: https://bugs.torproject.org/21654
2017-03-09 00:10:18 +01:00
Nick Mathewson
27058bd8cb Fix a memory leak in config_get_assigned_option()
This was introducd in 4d83999213 in 0.3.0.3-alpha.  This is bug
21682.
2017-03-08 10:06:48 -05:00
Nick Mathewson
ad19f1507a Merge branch 'maint-0.3.0' 2017-03-07 08:08:28 -05:00
Nick Mathewson
552bc39c32 Merge branch 'bug21594_030_squashed' into maint-0.3.0 2017-03-07 08:05:16 -05:00
teor
93ede051c2 Remove delay in hidden service introduction point checks
Make hidden services with 8 to 10 introduction points check for failed
circuits immediately after startup. Previously, they would wait for 5
minutes before performing their first checks.

Fixes bug 21594; bugfix on commit 190aac0eab in Tor 0.2.3.9-alpha.
Reported by alecmuffett.
2017-03-07 08:04:57 -05:00
Nick Mathewson
85cf6dcba3 Stop declining to download microdescs with future published times.
This change is the only one necessary to allow future versions of
the microdescriptor consensus to replace every 'published' date with
e.g. 2038-01-01 00:00:00; this will save 50-75% in compressed
microdescriptor diff size, which is quite significant.

This commit is a minimal change for 0.2.9; future series will
reduce the use of the 'published' date even more.

Implements part of ticket 21642; implements part of proposal 275.
2017-03-06 15:37:01 -05:00
Nick Mathewson
88b91d7753 Merge remote-tracking branch 'ahf/bugs/20988' 2017-03-06 12:04:58 -05:00
Nick Mathewson
5203cd2f11 Check for NULL as input to extrainfo_parse_entry_from_string()
We hope this will make the clangalyzer less worried about this function.

Closes ticket 21496.
2017-03-06 11:31:11 -05:00
Nick Mathewson
0a54e5d148 Fix a function name in a comment. Closes 21580 2017-03-06 11:27:50 -05:00
Nick Mathewson
00d1093daf Merge branch 'feature21598_squashed' 2017-03-04 23:22:46 -05:00
teor
f24638aa49 Log a message when a hidden service has fewer intro points than expected
Closes ticket 21598.
2017-03-04 23:22:34 -05:00
Nick Mathewson
958ec0f5f8 Merge branch 'bug21599_squashed' 2017-03-04 23:16:29 -05:00
teor
684778e705 Simplify hidden service descriptor creation
Use an existing flag to check if an introduction point is established.

Cleanup after 21596.

Fixes bug 21599; bugfix on 0.2.7.2-alpha.
2017-03-04 23:15:55 -05:00
Nick Mathewson
fe17955661 Merge remote-tracking branch 'teor/bug21596_030' 2017-03-04 23:10:40 -05:00
Nick Mathewson
3a1cba7d90 Merge branch 'maint-0.3.0' 2017-03-04 20:24:02 -05:00
Nick Mathewson
333d5d0f2a Merge remote-tracking branch 'teor/bug21576_029_v2' into maint-0.3.0 2017-03-04 20:23:38 -05:00
teor
3e2d06bd3d
Make hidden services always check for failed intro point connections
Previously, they would stop checking when they exceeded their intro point
creation limit.

Fixes bug 21596; bugfix on commit d67bf8b2f2 in Tor 0.2.7.2-alpha.
Reported by alecmuffett.
2017-03-02 15:57:58 +11:00
teor
e0486c9371
Make hidden services always check for failed intro point connections
Previously, they would stop checking when they exceeded their intro point
creation limit.

Fixes bug 21596; bugfix on commit d67bf8b2f2 in Tor 0.2.7.2-alpha.
Reported by alecmuffett.
2017-03-02 15:34:45 +11:00
teor
4b5cdb2c30
Fix a crash when a connection tries to open just after it has been unlinked
Fixes bug 21576; bugfix on Tor 0.2.9.3-alpha.
Reported by alecmuffett.
2017-03-02 11:10:30 +11:00
Alexander Færøy
3dca5a6e71
Use tor_fgets() instead of fgets().
This patch changes our use of fgets() to tor_fgets() for more consistent
error handling across different versions of the C library.
2017-03-01 21:26:27 +01:00
Nick Mathewson
7d3883d084 Merge branch 'maint-0.3.0' 2017-03-01 15:11:23 -05:00
Nick Mathewson
5298ab5917 Restore correct behavior of 0.3.0.4-rc with bridges+ipv6-min
In that chutney test, the bridge client is configured to connect to
the same bridge at 127.0.0.1:5003 _and_ at [::1]:5003, with no
change in transports.

That meant, I think, that the descriptor is only assigned to the
first bridge when it arrives, and never the second.
2017-03-01 15:02:16 -05:00
Nick Mathewson
a0a4f8ae5d Merge remote-tracking branch 'asn/bug21586' 2017-03-01 09:21:34 -05:00
George Kadianakis
931948ac6a Prevent SRV assert when called from misconfigured bridge auth. 2017-03-01 15:56:29 +02:00
Nick Mathewson
d8fa6f9ddb Merge branch 'maint-0.3.0' 2017-03-01 08:54:58 -05:00
George Kadianakis
18a98206ed Improve descriptor checks in the new guard algorithm.
- Make sure we check at least two guards for descriptor before making
  circuits. We typically use the first primary guard for circuits, but
  it can also happen that we use the second primary guard (e.g. if we
  pick our first primary guard as an exit), so we should make sure we
  have descriptors for both of them.

- Remove BUG() from the guard_has_descriptor() check since we now know
  that this can happen in rare but legitimate situations as well, and we
  should just move to the next guard in that case.
2017-03-01 08:46:53 -05:00
teor
9340035873
Remove the unused field or_connection_t.is_connection_with_client
To discover if a connection is from a tor client, use:
channel_is_client(TLS_CHAN_TO_BASE(or_connection_t.chan))

Part of 21406.
2017-03-01 16:22:37 +11:00
Nick Mathewson
ef610467fa Merge remote-tracking branch 'teor/bug21507-029' 2017-02-28 11:19:24 -05:00
Nick Mathewson
242f9b3ffb Merge remote-tracking branch 'public/bug21407' 2017-02-28 11:17:30 -05:00
Nick Mathewson
8112800138 Merge branch 'maint-0.3.0' 2017-02-28 08:28:55 -05:00
Nick Mathewson
3a60214f32 Merge remote-tracking branch 'public/bug21007_case2_030' into maint-0.3.0 2017-02-28 08:28:46 -05:00
Nick Mathewson
928235506b Merge branch 'maint-0.3.0' 2017-02-28 08:20:09 -05:00
Nick Mathewson
16f337e763 Merge branch 'bug21027_v2_squashed' into maint-0.3.0 2017-02-28 08:16:43 -05:00
Nick Mathewson
1582adabbb Change approach to preventing duplicate guards.
Previously I'd made a bad assumption in the implementation of
prop271 in 0.3.0.1-alpha: I'd assumed that there couldn't be two
guards with the same identity.  That's true for non-bridges, but in
the bridge case, we allow two bridges to have the same ID if they
have different addr:port combinations -- in order to have the same
bridge ID running multiple PTs.

Fortunately, this assumption wasn't deeply ingrained: we stop
enforcing the "one guard per ID" rule in the bridge case, and
instead enforce "one guard per <id,addr,port>".

We also needed to tweak our implementation of
get_bridge_info_for_guard, since it made the same incorrect
assumption.

Fixes bug 21027; bugfix on 0.3.0.1-alpha.
2017-02-28 08:16:33 -05:00
Nick Mathewson
c0aa7ac5ac Merge branch 'disable_memory_sentinels_squashed' 2017-02-27 16:25:25 -05:00
Nick Mathewson
b923c4dc9f Code to disable memory sentinels for fuzzing
This feature makes it possible to turn off memory sentinels (like
those used for safety in buffers.c and memarea.c) when fuzzing, so
that we can catch bugs that they would otherwise prevent.
2017-02-27 16:25:10 -05:00
Nick Mathewson
b6a9be0415 Merge branch 'maint-0.3.0' 2017-02-27 11:25:46 -05:00
Nick Mathewson
c51919b0da Merge branch 'bug21369_check_029_squashed' into maint-0.3.0 2017-02-27 11:25:34 -05:00
Nick Mathewson
1421f75331 Merge branch 'maint-0.3.0' 2017-02-27 11:03:25 -05:00
Nick Mathewson
2b3518b81f Merge remote-tracking branch 'teor/bug20711' into maint-0.3.0 2017-02-27 11:00:02 -05:00
Nick Mathewson
65b012c90b Fix a wide line 2017-02-27 10:58:26 -05:00
Nick Mathewson
135a0c2054 Fix a "directive within macro arguments" warning 2017-02-27 10:58:19 -05:00
Nick Mathewson
0e7d2882f9 Merge remote-tracking branch 'ahf/bugs/21206' 2017-02-27 10:53:12 -05:00
Nick Mathewson
074f248463 Add one other BUG check to try to fix/solve 21369.
Teor thinks that this connection_dirserv_add_dir_bytes_to_outbuf()
might be the problem, if the "remaining" calculation underflows.  So
I'm adding a couple of checks there, and improving the casts.
2017-02-27 10:01:27 -05:00
Nick Mathewson
ee5471f9aa Try to check for (and prevent) buffer size INT_MAX overflow better.
Possible fix or diagnostic for 21369.
2017-02-27 10:01:27 -05:00
Nick Mathewson
02aaa7f9ed Merge branch 'maint-0.3.0' 2017-02-24 11:37:41 -05:00
Nick Mathewson
619771f60b Whitespace fix. 2017-02-24 11:37:33 -05:00
Nick Mathewson
d73755e36e Merge branch 'maint-0.3.0' 2017-02-24 11:37:04 -05:00
David Goulet
4ed10e5053 hs: Fix bad use of sizeof() when encoding ESTABLISH_INTRO legacy cell
When encoding a legacy ESTABLISH_INTRO cell, we were using the sizeof() on a
pointer instead of using the real size of the destination buffer leading to an
overflow passing an enormous value to the signing digest function.
Fortunately, that value was only used to make sure the destination buffer
length was big enough for the key size and in this case it always was because
of the overflow.

Fixes #21553

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-24 11:36:36 -05:00
Nick Mathewson
5e08fc8557 Also allow C_MEASURE_TIMEOUT circuits to lack guard state.
Fixes a case of 21007; bugfix on 0.3.0.1-alpha when prop271 was
implemented. Found by toralf.
2017-02-24 11:12:21 -05:00
George Kadianakis
f8ac4bb9fd prop224: Rename desc->encrypted_blob to desc->superencrypted_blob 2017-02-24 16:37:24 +02:00
George Kadianakis
6d71eda263 prop224: Rename auth_required HS desc field to intro_auth_required.
And remove "password" type from the list of intro auths.
2017-02-24 16:37:24 +02:00
Nick Mathewson
515e1f663a Add an O(1) map from channel->global_identifier to channel 2017-02-21 20:58:25 -05:00
teor
57154e71aa
Reject Tor versions that contain non-numeric prefixes
strto* and _atoi64 accept +, -, and various whitespace before numeric
characters. And permitted whitespace is different between POSIX and Windows.

Fixes bug 21507 and part of 21508; bugfix on 0.0.8pre1.
2017-02-19 22:38:06 +11:00
Nick Mathewson
aec45bc0b1 Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-02-17 17:10:47 -05:00
Nick Mathewson
efa5bbaba0 Merge branch 'maint-0.3.0' 2017-02-17 11:47:49 -05:00
Nick Mathewson
823fb68a14 Remove a redundant check in ..transition_affects_guards()
scan-build found that we we checking UseEntryGuards twice.

Fixes bug 21492.
2017-02-17 11:47:25 -05:00
Nick Mathewson
9b1d99018b Merge branch 'maint-0.3.0' 2017-02-17 11:33:04 -05:00
Nick Mathewson
5dbbd6bc39 Merge branch 'maint-0.2.9' into maint-0.3.0 2017-02-17 11:32:45 -05:00
Nick Mathewson
67cec7578c Check for micro < 0, rather than checking "minor" twice.
Bug found with clang scan-build.  Fixes bug on f63e06d3dc.
Bug not present in any released Tor.
2017-02-17 11:31:39 -05:00
Nick Mathewson
d004b9222e The UseCreateFast consensus parameter now defaults to 0.
You can still override it with FastFirstHopPK.  But that's
deprecated.

Closes ticket 21407.
2017-02-16 15:30:26 -05:00
Alexander Færøy
3848d23643 Save number of sent/received RELAY_DATA cells for directory connections.
This patch makes us store the number of sent and received RELAY_DATA
cells used for directory connections. We log the numbers after we have
received an EOF in connection_dir_client_reached_eof() from the
directory server.
2017-02-16 15:11:53 +00:00
Nick Mathewson
31be66ea5a Merge remote-tracking branch 'meejah/ticket-21329-onions-current' 2017-02-16 09:40:56 -05:00
David Goulet
3336f26e60 hs: Avoid a strlen(NULL) if descriptor is not found in cache
Instead of returning 404 error code, this led to a NULL pointer being used and
thus a crash of tor.

Fixes #21471

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-15 10:27:41 -05:00
Nick Mathewson
d633c4757c Merge branch 'maint-0.2.9' 2017-02-15 08:19:51 -05:00
Nick Mathewson
fea93abecd whoops; make 21450 compile 2017-02-15 08:19:37 -05:00
Nick Mathewson
62f98ad485 Merge branch 'maint-0.2.9' 2017-02-15 07:58:15 -05:00
Nick Mathewson
cb6b3b7cad Limit version numbers to 0...INT32_MAX.
Closes 21450; patch from teor.
2017-02-15 07:57:34 -05:00
Nick Mathewson
76d79d597a Merge branch 'maint-0.2.9' 2017-02-15 07:48:42 -05:00
Nick Mathewson
5d88267bf4 Merge branch 'bug21278_extra_029' into maint-0.2.9 2017-02-15 07:48:30 -05:00
Nick Mathewson
ec6b5a098d Merge branch 'bug21278_redux_029_squashed' into maint-0.2.9 2017-02-15 07:48:18 -05:00
Nick Mathewson
eeb743588a Merge branch 'maint-0.2.8' into maint-0.2.9 2017-02-15 07:48:10 -05:00
Nick Mathewson
1ebdae6171 Merge branch 'maint-0.2.7' into maint-0.2.8 2017-02-15 07:47:28 -05:00
Nick Mathewson
ed806843dc Merge branch 'maint-0.2.6' into maint-0.2.7 2017-02-15 07:47:21 -05:00
Nick Mathewson
3781f24b80 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-15 07:47:12 -05:00
Nick Mathewson
a452b71395 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-15 07:47:04 -05:00
Roger Dingledine
3c4da8a130 give tor_version_parse_platform some function documentation 2017-02-15 07:46:34 -05:00
Nick Mathewson
02e05bd74d When examining descriptors as a dirserver, reject ones with bad versions
This is an extra fix for bug 21278: it ensures that these
descriptors and platforms will never be listed in a legit consensus.
2017-02-15 07:46:34 -05:00
Nick Mathewson
f63e06d3dc Extract the part of tor_version_as_new_as that extracts platform
Also add a "strict" mode to reject negative inputs.
2017-02-15 07:46:34 -05:00
Nick Mathewson
dec7dc3d82 Merge remote-tracking branch 'dgoulet/ticket20656_030_01' 2017-02-14 19:15:10 -05:00
Nick Mathewson
7e469c1002 Merge branch 'bug20894_029_v3' 2017-02-14 19:10:20 -05:00
Nick Mathewson
4c1ecd7583 fixup! Don't atoi off the end of a buffer chunk.
Use STATIC.
2017-02-14 16:45:18 -05:00
Nick Mathewson
c4f2faf301 Don't atoi off the end of a buffer chunk.
Fixes bug 20894; bugfix on 0.2.0.16-alpha.

We already applied a workaround for this as 20834, so no need to
freak out (unless you didn't apply 20384 yet).
2017-02-14 16:38:47 -05:00
Nick Mathewson
a0ef3cf088 Prevent int underflow in dirvote.c compare_vote_rs_.
This should be "impossible" without making a SHA1 collision, but
let's not keep the assumption that SHA1 collisions are super-hard.

This prevents another case related to 21278.  There should be no
behavioral change unless -ftrapv is on.
2017-02-14 16:31:23 -05:00
Nick Mathewson
1afc2ed956 Fix policies.c instance of the "if (r=(a-b)) return r" pattern
I think this one probably can't underflow, since the input ranges
are small.  But let's not tempt fate.

This patch also replaces the "cmp" functions here with just "eq"
functions, since nothing actually checked for anything besides 0 and
nonzero.

Related to 21278.
2017-02-14 16:31:11 -05:00
Nick Mathewson
194e31057f Avoid integer underflow in tor_version_compare.
Fix for TROVE-2017-001 and bug 21278.

(Note: Instead of handling signed ints "correctly", we keep the old
behavior, except for the part where we would crash with -ftrapv.)
2017-02-14 16:10:27 -05:00
David Goulet
3f005c0433 protover: Add new version for prop224 for HSIntro/HSDir
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-14 10:51:18 -05:00
Nick Mathewson
f5995692da Replace entry_guard_get_by_id_digest_for_guard_selection impl.
We already implemented this whole function somewhere else; no need
to have the same code twice.
2017-02-14 10:28:54 -05:00
Alexander Færøy
89334a040d Remove unused variable in directory_command_should_use_begindir()
This patch removes the unused router_purpose variable in
directory_command_should_use_begindir().
2017-02-10 23:01:52 +00:00
Alexander Færøy
a0ee5777b0 Change RELAY_BEGINDIR to RELAY_BEGIN_DIR in comments.
This is a purely cosmetic patch that changes RELAY_BEGINDIR in various
comments to RELAY_BEGIN_DIR, which should make it easier to grep for the
symbols.
2017-02-09 16:48:11 +00:00
Nick Mathewson
2670844b2b whoops, removed a semicolon :( 2017-02-09 10:59:48 -05:00
Nick Mathewson
f594bdb3ad One more prop271 XXX. 2017-02-09 10:52:47 -05:00
Nick Mathewson
14c2a1f403 Update some more XXXXprop271 comments to refer to actual tickets or to be up-to-date 2017-02-09 10:48:28 -05:00
Nick Mathewson
3919f4f529 Remove an XXXprop271 comment: turns out we didn't need a tristate 2017-02-09 10:30:20 -05:00
Nick Mathewson
d15273e9f5 Change "prop271" in XXXXs about guard Ed identity to refer to #20872. 2017-02-09 10:29:02 -05:00
Nick Mathewson
fe76741021 Remove a suggestion in an XXX271 comment; it is now 21424. 2017-02-09 10:25:32 -05:00
Nick Mathewson
41f880c396 Remove an XXXprop271 comment that has been replaced by #21423 2017-02-09 10:13:54 -05:00
Nick Mathewson
875e5ee3f7 Revise an XXXprop271 comment -- it has been superseded by #21422 2017-02-09 10:11:44 -05:00
Nick Mathewson
58208457a6 Remove an XXXprop271 comment -- it has been replaced by #21421 2017-02-09 10:07:56 -05:00
Nick Mathewson
f263cf954a Remove a redundant XXX271 comment 2017-02-09 09:57:39 -05:00
Alexander Færøy
56bbaed0dc Log response size in connection_dir_client_reached_eof()
This patch ensures that we log the size of the inbuf when a directory
client have reached EOF on the connection.

See: https://bugs.torproject.org/21206
2017-02-07 16:11:01 +00:00
Alexander Færøy
bf37ca07fc Be explicit about body size in log messages.
This patch makes the log-statements in `connection_dir_client_reached_eof`
more explicit by writing "body size" instead of just "size" which could
be confused as being the size of the entire response, which would
include HTTP status-line and headers.

See: https://bugs.torproject.org/21206
2017-02-07 16:08:56 +00:00
Nick Mathewson
4bce2072ac Merge branch 'maint-0.2.6' into maint-0.2.7 2017-02-07 10:39:03 -05:00
Nick Mathewson
8a1f0876ed Merge branch 'maint-0.2.6' into maint-0.2.7-redux 2017-02-07 10:38:05 -05:00
Nick Mathewson
f2a30413a3 Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-07 10:37:53 -05:00
Nick Mathewson
2ce4330249 Merge remote-tracking branch 'public/bug18710_025' into maint-0.2.5 2017-02-07 10:37:43 -05:00
Nick Mathewson
c056d19323 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-07 10:37:31 -05:00
Nick Mathewson
3f5a710958 Revert "Revert "Add hidserv-stats filname to our sandbox filter""
This reverts commit 5446cb8d3d.

The underlying revert was done in 0.2.6, since we aren't backporting
seccomp2 loosening fixes to 0.2.6.  But the fix (for 17354) already
went out in 0.2.7.4-rc, so we shouldn't revert it in 0.2.7.
2017-02-07 10:13:20 -05:00
Alexander Færøy
06e15c8b7c Add debug log statement when sending a directory command.
This patch adds a debug log statement when sending a request to a
directory server. The information logged includes: the payload size (if
available), the total size of the request, the address and port of the
directory server, and the purpose of the directory connection.

See: https://bugs.torproject.org/21206
2017-02-07 15:04:59 +00:00
Nick Mathewson
e91bb84a91 Merge branch 'maint-0.2.6' into maint-0.2.7-redux
maint-0.2.7-redux is an attempt to try to re-create a plausible
maint-0.2.7 branch.  I've started from the tor-0.2.7.6, and then I
merged maint-0.2.6 into the branch.

This has produced 2 conflicts: one related to the
rendcommon->rendcache move, and one to the authority refactoring.
2017-02-07 09:59:12 -05:00
Nick Mathewson
85a2487f97 Disable a log_backtrace (which 0.2.4 does not have) in 16248 fix 2017-02-07 09:49:23 -05:00
Nick Mathewson
cfeb1db2fb Add comments to connection_check_event(). 2017-02-07 09:48:24 -05:00
Nick Mathewson
457d38a6e9 Change behavior on missing/present event to warn instead of asserting.
Add a changes file.
2017-02-07 09:48:19 -05:00
Nick Mathewson
650c03127a If we start/stop reading on a dnsserv connection, don't assert.
Fixes bug 16248. Patch from cypherpunks.  Bugfix on 0.2.0.1-alpha.
2017-02-07 09:48:13 -05:00
Nick Mathewson
5446cb8d3d Revert "Add hidserv-stats filname to our sandbox filter"
Reverting this in 0.2.6 only -- we're no backporting
seccomp2-loosening fixes to 0.2.6.

This reverts commit 2ec5e24c58.
2017-02-07 09:28:50 -05:00
Nick Mathewson
9379984128 Merge branch 'teor_bug21357-v2_029' into maint-0.2.9 2017-02-07 09:24:08 -05:00
Nick Mathewson
c6f2ae514e Merge branch 'maint-0.2.5' into maint-0.2.6 2017-02-07 09:18:54 -05:00
Nick Mathewson
b9ef21cf56 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-07 09:17:59 -05:00
Nick Mathewson
e4a42242ea Backport the tonga->bifroest move to 0.2.4.
This is a backport of 19728 and 19690
2017-02-07 09:15:21 -05:00
John Brooks
053e11f397 Fix out-of-bounds read in INTRODUCE2 client auth
The length of auth_data from an INTRODUCE2 cell is checked when the
auth_type is recognized (1 or 2), but not for any other non-zero
auth_type. Later, auth_data is assumed to have at least
REND_DESC_COOKIE_LEN bytes, leading to a client-triggered out of bounds
read.

Fixed by checking auth_len before comparing the descriptor cookie
against known clients.

Fixes #15823; bugfix on 0.2.1.6-alpha.
2017-02-07 08:31:37 -05:00
Nick Mathewson
19e25d5cab Prevention: never die from extend_info_from_node() failure.
Bug 21242 occurred because we asserted that extend_info_from_node()
had succeeded...even though we already had the code to handle such a
failure.  We fixed that in 93b39c5162.

But there were four other cases in our code where we called
extend_info_from_node() and either tor_assert()ed that it returned
non-NULL, or [in one case] silently assumed that it returned
non-NULL. That's not such a great idea.  This patch makes those
cases check for a bug of this kind instead.

Fixes bug 21372; bugfix on 0.2.3.1-alpha when
extend_info_from_node() was introduced.
2017-02-03 10:35:07 -05:00
Nick Mathewson
9d5a9feb40 Merge branch 'dgoulet/bug21302_030_01_squashed' 2017-02-03 09:54:24 -05:00
David Goulet
eea763400f hs: Remove intro point expiring node if no circuit
Once a second, we go over all services and consider the validity of the intro
points. Now, also try to remove expiring nodes that have no more circuit
associated to them. This is possible if we moved an intro point object
previously to that list and the circuit actually timed out or was closed by
the introduction point itself.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-03 09:54:07 -05:00
David Goulet
8573d99470 hs: Fix an underflow in rend_service_intro_has_opened()
In rend_service_intro_has_opened(), this is subject to a possible underflow
because of how the if() casts the results. In the case where the expiring
nodes list length is bigger than the number of IP circuits, we end up in the
following situation where the result will be cast to an unsigned int. For
instance, "5 - 6" is actually a BIG number.

Ultimately leading to closing IP circuits in a non stop loop.

Partially fixes #21302.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-03 09:54:06 -05:00
cypherpunks
27df23abb6 Use the standard OpenBSD preprocessor definition 2017-02-03 09:37:39 -05:00
Nick Mathewson
0f79fb51e5 dirauth: Fix for calling routers unreachable for wrong ed25519
Previously the dirserv_orconn_tls_done() function would skip routers
when they advertised an ed25519 key but didn't present it during the
link handshake.  But that covers all versions between 0.2.7.2-alpha
and 0.2.9.x inclusive!

Fixes bug 21107; bugfix on 0.3.0.1-alpha.
2017-02-02 10:37:25 -05:00
Nick Mathewson
d732409402 In dirserv_single_reachability_test, node can be const. 2017-02-02 09:36:36 -05:00
Nick Mathewson
6777cd0a84 Merge remote-tracking branch 'public/bug21356_029' 2017-02-02 09:03:13 -05:00
Nick Mathewson
b11f00c153 Merge branch 'bug21294_030_01_squashed' 2017-02-02 08:48:20 -05:00
David Goulet
83df359214 config: Stop recommending Tor2web if in non anonymous mode
Because we don't allow client functionalities in non anonymous mode,
recommending Tor2web is a bad idea.

If a user wants to use Tor2web as a client (losing all anonymity), it should
run a second tor, not use it with a single onion service tor.

Fixes #21294.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-02 08:47:59 -05:00
Nick Mathewson
2d2ab29ce8 Merge remote-tracking branch 'asn/bug21052' 2017-02-01 15:53:16 -05:00
David Goulet
cc0342a2ae hs: Fix possible integer underflow with IP nodes
In rend_consider_services_intro_points(), we had a possible interger underflow
which could lead to creating a very large number of intro points. We had a
safe guard against that *except* if the expiring_nodes list was not empty
which is realistic thing.

This commit removes the check on the expiring nodes length being zero. It's
not because we have an empty list of expiring nodes that we don't want to open
new IPs. Prior to this check, we remove invalid IP nodes from the main list of
a service so it should be the only thing to look at when deciding if we need
to create new IP(s) or not.

Partially fixes #21302.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-01 11:07:09 -05:00
Nick Mathewson
f1530d0e5a Merge branch 'teor_bug21357-v2_029' 2017-02-01 09:39:25 -05:00
teor
408c53b7a7 Scale IPv6 address counts in policy_summary_reject to avoid overflow
This disregards anything smaller than an IPv6 /64, and rejects ports that
are rejected on an IPv6 /16 or larger.

Adjust existing unit tests, and add more to cover exceptional cases.

No IPv4 behaviour changes.

Fixes bug 21357
2017-02-01 09:39:06 -05:00
teor
4667a40ca9 Fix IPv6 support in policy_summary_reject and policy_summary_accept
This interim fix results in too many IPv6 rejections.

No behaviour change for IPv4 counts, except for overflow fixes that
would require 4 billion redundant 0.0.0.0/0 policy entries to trigger.

Part of 21357
2017-02-01 09:39:06 -05:00
teor
82850d0da6 Refactor policy_summary_reject to prepare for IPv6 changes
No behaviour change, apart from non-fatal assertions

Part of 21357
2017-02-01 09:39:06 -05:00
teor
7e7b3d3df3 Add unit tests for IPv6 address summaries and IPv4 netblock rejection
These tests currently fail due to bug 21357
2017-02-01 09:39:06 -05:00
teor
e95b8f7df9 Fix write_short_policy usage comment 2017-02-01 09:39:05 -05:00
Nick Mathewson
c3b6354412 fix a wide line 2017-02-01 09:35:29 -05:00
Nick Mathewson
222f2fe469 Merge branch 'bug21150_030_01_squashed' 2017-02-01 09:30:02 -05:00
David Goulet
51b562c605 Use an internal variable for HiddenServiceStatistics
Stop modifying the value of our torrc option HiddenServiceStatistics just
because we're not a bridge or relay. This bug was causing Tor Browser users to
write "HiddenServiceStatistics 0" in their torrc files as if they had chosen
to change the config.

Fixes #21150

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-02-01 09:29:53 -05:00
Nick Mathewson
78011bb7ba Merge branch 'bug21242' 2017-02-01 09:09:58 -05:00
Nick Mathewson
2e93bffa1d Merge remote-tracking branch 'public/bug21129' 2017-02-01 09:01:44 -05:00
Nick Mathewson
f8885b76ef Merge remote-tracking branch 'public/bug21128' 2017-02-01 09:01:28 -05:00
Nick Mathewson
a5aec6ac37 Merge branch 'bug21108_029' 2017-01-31 18:51:26 -05:00
Roger Dingledine
6ff7850f26 be explicit in clear_status_flags_on_sybil that we leave BadExit alone 2017-01-31 18:50:16 -05:00
Nick Mathewson
35d8270942 When marking guard state instances on a channel, don't mark NULL
It's okay for guard_state to be null: we might have a fallback
circuit, or we might not be using guards.

Fixes bug 211228; bugfix on 0.3.0.1-alpha
2017-01-31 14:44:14 -05:00
Nick Mathewson
0f0d4356b2 Don't try to use confirmed_idx in remove_guard_from_...lists()
Since we can call this function more than once before we update all
the confirmed_idx fields, we can't rely on all the relays having an
accurate confirmed_idx.

Fixes bug 21129; bugfix on 0.3.0.1-alpha
2017-01-31 14:34:32 -05:00
Nick Mathewson
a47c133c86 Do not clear is_bad_exit on sybil.
But do clear is_v2_dir.

Fixes bug 21108 -- bugfix on d95e7c7d67 in
0.2.0.13-alpha.
2017-01-31 14:12:14 -05:00
Nick Mathewson
d183ec231b Call monotime_init() earlier.
We need to call it before nt_service_parse_options(), since
nt_service_parse_options() can call back into nt_service_main(),
which calls do_main_loop().

Fixes bug 21356; bugfix on 0.2.9.1-alpha.
2017-01-31 13:02:49 -05:00
Nick Mathewson
746d959100 Don't build circuits till primary guards have descriptors
In addition to not wanting to build circuits until we can see most
of the paths in the network, and in addition to not wanting to build
circuits until we have a consensus ... we shouldn't build circuits
till all of our (in-use) primary guards have descriptors that we can
use for them.

This is another bug 21242 fix.
2017-01-31 12:31:43 -05:00
Nick Mathewson
02da24f8e5 Don't (usually) return any guards that are missing descriptors.
Actually, it's _fine_ to use a descriptorless guard for fetching
directory info -- we just shouldn't use it when building circuits.
Fortunately, we already have a "usage" flag that we can use here.

Partial fix for bug 21242.
2017-01-31 12:30:33 -05:00
Nick Mathewson
26957a127a entry_guard_pick_for_circuit(): TRAFFIC guards must have descriptors
This relates to the 21242 fix -- entry_guard_pick_for_circuit()
should never yield nodes without descriptors when the node is going
to be used for traffic, since we won't be able to extend through
them.
2017-01-31 11:47:09 -05:00
Nick Mathewson
93b39c5162 Downgrade assertion to nonfatal for #21242
This assertion triggered in the (error) case where we got a result
from guards_choose_guard() without a descriptor.  That's not
supposed to be possible, but it's not worth crashing over.
2017-01-31 11:35:57 -05:00
Nick Mathewson
09a00a2f82 Merge remote-tracking branch 'public/bug21300' 2017-01-31 11:09:04 -05:00
Nick Mathewson
cccd3f1dae entrynodes: Remove "split these functions" XXXXs
They now have a ticket: #21349.
2017-01-30 10:49:40 -05:00
Nick Mathewson
7d0df8bad8 Remove a couple of stale comments from entrynodes.h 2017-01-30 10:38:24 -05:00
Nick Mathewson
fe04bdcdbb GUARD_WAIT is now specified too 2017-01-30 10:33:17 -05:00
Nick Mathewson
ead934e61e Remove prop271 "spec deviation" comments -- the spec has been updated
In some cases, replace those comments with better ones.
2017-01-30 10:30:09 -05:00
Nick Mathewson
4d83999213 Make "GETCONF SocksPort" work again
I broke "GETCONF *Port" in 20956, when I made SocksPort a
subordinate option of the virtual option SocksPortLines, so that I
could make SocksPort and __SocksPort provide qthe same
functionality.  The problem was that you can't pass a subordinate
option to GETCONF.

So, this patch fixes that by letting you fetch subordinate options.

It won't always be meaningful to consider these options
out-of-context, but that can be the controller-user's
responsibility to check.

Closes ticket 21300.
2017-01-30 10:09:47 -05:00
Nick Mathewson
558c04f5b1 Merge branch 'combined-fuzzing-v4' 2017-01-30 08:40:46 -05:00
Nick Mathewson
2202ad7ab0 Fix a pair of compilation errors. 2017-01-30 08:37:27 -05:00
Nick Mathewson
143235873b Memory leak on bogus ed key in microdesc 2017-01-30 08:37:26 -05:00
Nick Mathewson
a092bcdd4f Fix a memory leak found while fuzzing 2017-01-30 08:37:26 -05:00
Nick Mathewson
b1567cf500 Three more fuzzers: consensus, hsdesc, intro points 2017-01-30 08:37:24 -05:00
teor
584d723e04 Restrict fuzzing to the directory headers 2017-01-30 08:37:23 -05:00
Nick Mathewson
e2aeaeb76c Make a bunch of signature/digest-checking functions mockable 2017-01-30 08:37:22 -05:00
meejah
fc58c37e33 Ticket #21329: GETINFO onions/current returns empty list
If there are no ephemeral or detached onion services, then
"GETINFO onions/current" or "GETINFO onions/detached" should
return an empty list instead of an error
2017-01-28 13:59:29 -07:00
Daniel Kahn Gillmor
e1337b4252 client: set IPv6Traffic to on by default
See:
  https://trac.torproject.org/projects/tor/ticket/21269
  https://bugs.debian.org/851798

Closes #21269

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-27 09:12:32 -05:00
Nick Mathewson
795582169a Bulletproof conn_get_outbound_address() a little. 2017-01-27 08:12:14 -05:00
Nick Mathewson
782c52658c Remove an impossible comparison. 2017-01-27 08:08:08 -05:00
Nick Mathewson
81c78ec755 Outbindbindaddress variants for Exit and OR.
Allow separation of exit and relay traffic to different source IP
addresses (Ticket #17975). Written by Michael Sonntag.
2017-01-27 08:05:29 -05:00
Nick Mathewson
818b44cc7c Repair the (deprecated, ugly) DROPGUARDS controller function.
This actually is much easier to write now that guard_selection_t is
first-class.
2017-01-24 09:18:56 -05:00
Nick Mathewson
fae4d3d925 Merge remote-tracking branch 'asn/remove_legacy_guards' 2017-01-24 09:01:25 -05:00
George Kadianakis
b047d97b28 Remove some more remnants of legacy guard selection. 2017-01-24 13:35:57 +02:00
Nick Mathewson
d95d988946 Merge branch 'feature_20956_029' 2017-01-23 16:07:15 -05:00
Nick Mathewson
83307fc267 Add __SocksPort etc variants for non-persistent use
Implements feature 20956.
2017-01-23 16:06:51 -05:00
David Goulet
96c7ddbc7e circuit: Change close reasons from uint16_t to int
When marking for close a circuit, the reason value, a integer, was assigned to
a uint16_t converting any negative reasons (internal) to the wrong value. On
the HS side, this was causing the client to flag introduction points to be
unreachable as the internal reason was wrongfully converted to a positive
16bit value leading to flag 2 out of 3 intro points to be unreachable.

Fixes #20307 and partially fixes #21056

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-22 19:02:01 -05:00
Nick Mathewson
e52f49aa80 Merge remote-tracking branch 'public/ticket18319' 2017-01-21 14:44:00 -05:00
teor
d35ca518b4 Remove extra newline from proxy_prepare_for_restart definition 2017-01-19 08:12:26 -05:00
Nick Mathewson
85a17ee2e7 whitespace fixes 2017-01-18 17:14:42 -05:00
Nick Mathewson
88e4ffab9e Merge remote-tracking branch 'dgoulet/ticket20029_030_06-resquash' 2017-01-18 17:13:36 -05:00
George Kadianakis
d6c14915cd Improve a few comments.
- Also remove LCOV marks from blocks of code that can be reachable by tests
  if we mock relay_send_command_from_edge().

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:59:16 -05:00
David Goulet
50cfc98340 prop224: Add unit tests for INTRODUCE1 support
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:58:54 -05:00
David Goulet
5208085be1 hs: Rename rend_mid_introduce() with legacy semantic
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:58:34 -05:00
David Goulet
db77a38da2 hs: Remove useless code in rend_mid_introduce()
With the previous commit, we validate the circuit _before_ calling
rend_mid_introduce() which handles the INTRODUCE1 payload.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:58:34 -05:00
David Goulet
9d7505a62a prop224: Rename hs_intro_circuit_is_suitable()
Adds a better semantic and it also follows the same interface for the
INTRODUCE1 API which is circuit_is_suitable_for_introduce1().

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:58:34 -05:00
David Goulet
e1497744c8 prop224: Add INTRODUCE1 cell relay support
Closes #20029

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 16:58:33 -05:00
Nick Mathewson
d5d7c3e638 Remove argument from guards_choose_dirguard 2017-01-18 15:58:19 -05:00
Nick Mathewson
3efe8bb8ac Remove some now-spurious blocks and indentation. 2017-01-18 15:45:02 -05:00
Nick Mathewson
5b97d7e110 Remove PDS_FOR_GUARD 2017-01-18 15:42:28 -05:00
Nick Mathewson
6d03e36fd0 Remove GS_TYPE_LEGACY 2017-01-18 15:37:01 -05:00
Nick Mathewson
a31a5581ee Remove UseDeprecatedGuardAlgorithm. 2017-01-18 15:33:26 -05:00
Nick Mathewson
472b277207 Remove the (no longer compiled) code for legacy guard selection.
Part of 20830.
2017-01-18 15:27:10 -05:00
Nick Mathewson
e167a0e17d Merge remote-tracking branch 'dgoulet/bug21062_030_01' 2017-01-18 15:11:36 -05:00
Nick Mathewson
e0e729d4b5 put units in constant names for DIRCACHE_MEN_MEM* 2017-01-18 15:08:10 -05:00
Neel Chauhan
426ceb41ef Rename DIRCACHE_MIN_BANDWIDTH and DIRCACHE_MIN_MB_BANDWIDTH
Renamed to DIRCACHE_MIN_MEM and DIRCACHE_MIN_MB_MEM.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 13:15:54 -05:00
David Goulet
0069d14753 circuit: Make circuit_build_times_disabled take an or_options_t
That way, when we are parsing the options and LearnCircuitBuildTimeout is set
to 0, we don't assert trying to get the options list with get_options().

Fixes #21062

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-18 12:53:01 -05:00
Nick Mathewson
fa00f2dce5 Merge branch 'ahf_bugs_17847_2_squashed' 2017-01-18 11:04:58 -05:00
Alexander Færøy
46ef32ba22 Refactor duplicated extrainfo checks into a common macro.
This patch refactors duplicated code, to check if a given router
supports fetching the extra-info document, into a common macro called
SKIP_MISSING_TRUSTED_EXTRAINFO.
2017-01-18 11:04:49 -05:00
Alexander Færøy
0ff9ea2afd Generalize router_is_already_dir_fetching_{rs,ds}.
This patch generalizes the two functions
router_is_already_dir_fetching_rs and router_is_already_dir_fetching_ds
into a single function, router_is_already_dir_fetching_, by lifting the
passing of the IPv4 & IPv6 addresses and the directory port number to
the caller.
2017-01-18 11:04:49 -05:00
Nick Mathewson
b6dce6cfec Merge remote-tracking branch 'asn/bug21142' 2017-01-18 10:44:35 -05:00
Nick Mathewson
9469aaaa82 Handle __NonSavedOptions correctly inside LINELIST_V blocks. 2017-01-18 10:25:10 -05:00
Nick Mathewson
3dd738d5f9 Simplify the VPORT() macro in config.c
It's always called with the same arguments, and there wouldn't be
much point to calling it differently.
2017-01-18 10:07:55 -05:00
Nick Mathewson
69cb6f34cb Merge remote-tracking branch 'dgoulet/bug19953_030_01' 2017-01-18 09:10:46 -05:00
Nick Mathewson
4334a4b784 Merge remote-tracking branch 'dgoulet/bug21033_030_01' 2017-01-18 09:08:16 -05:00
Nick Mathewson
e69afb853d Merge branch 'bug19769_19025_029' 2017-01-18 09:02:48 -05:00
Philipp Winter
eae68fa2d2 Initialise DNS TTL for A and AAAA records.
So far, the TTLs for both A and AAAA records were not initialised,
resulting in exit relays sending back the value 60 to Tor clients.  This
also impacts exit relays' DNS cache -- the expiry time for all domains
is set to 60.

This fixes <https://bugs.torproject.org/19025>.
2017-01-18 08:57:09 -05:00
Nick Mathewson
609065f165 DefecTor countermeasure: change server- and client-side DNS TTL clipping
The server-side clipping now clamps to one of two values, both
for what to report, and how long to cache.

Additionally, we move some defines to dns.h, and give them better
names.
2017-01-18 08:55:57 -05:00
David Goulet
1636777dc8 hs: Allow from 0 to MAX introduction points
An operator couldn't set the number of introduction point below the default
value which is 3. With this commit, from 0 to the hardcoded maximum is now
allowed.

Closes #21033

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-17 14:58:50 -05:00
David Goulet
e16148a582 relay: Honor DataDirectoryGroupReadable at key init
Our config code is checking correctly at DataDirectoryGroupReadable but then
when we initialize the keys, we ignored that option ending up at setting back
the DataDirectory to 0700 instead of 0750. Patch by "redfish".

Fixes #19953

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-17 14:40:01 -05:00
Nick Mathewson
92c3926479 Fix a double-free in rend_config_services()
Found by coverity scan; CID 1398917
2017-01-17 11:35:26 -05:00
George Kadianakis
def7115fe4 prop271: Move new funcs to top, to avoid compiler warnings. 2017-01-17 14:35:38 +02:00
George Kadianakis
2938fd3b85 prop271: When we exhaust all guards, mark all of them for retry.
In the past, when we exhausted all guards in our sampled set, we just
waited there till we mark a guard for retry again (usually takes 10 mins
for a primary guard, 1 hour for a non-primary guard). This patch marks
all guards as maybe-reachable when we exhaust all guards (this can
happen when network is down for some time).
2017-01-17 14:35:38 +02:00
George Kadianakis
1bc440eda4 Correctly maintain circuits in circuits_pending_other_guards(). 2017-01-17 13:26:59 +02:00
Nick Mathewson
111c66b2f0 Merge remote-tracking branch 'public/ticket20921' 2017-01-16 12:59:39 -05:00
Neel Chauhan
9e5512b48d Disallow setting UseBridges to 1 and UseEntryGuards to 0 2017-01-14 14:55:23 -05:00
Nick Mathewson
fc2656004a Merge remote-tracking branch 'dgoulet/bug20307_030_01' 2017-01-13 16:56:56 -05:00
Nick Mathewson
94e8f60901 Merge branch 'ipv6-only-client_squashed' 2017-01-13 16:49:48 -05:00
teor
2debcc869f Remove redundant boolean expression from firewall_is_fascist_impl()
Let A = UseBridges
Let B = ClientUseIPv4

Then firewall_is_fascist_impl expands and simplifies to:
B || (!(A || ...) && A)
B || (!A && ... && A)
B || 0
B
2017-01-13 16:49:33 -05:00
teor
0417dae580 When IPv6 addresses have not been downloaded, use hard-coded address info
The microdesc consensus does not contain any IPv6 addresses.
When a client has a microdesc consensus but no microdescriptor, make it
use the hard-coded IPv6 address for the node (if available).

(Hard-coded addresses can come from authorities, fallback directories,
or configured bridges.)

If there is no hard-coded address, log a BUG message, and fail the
connection attempt. (All existing code checks for a hard-coded address
before choosing a node address.)

Fixes 20996, fix on b167e82 from 19608 in 0.2.8.5-alpha.
2017-01-13 16:49:33 -05:00
teor
5227ff4aad Remove redundant options checks for IPv6 preference conflicts
It is no longer possible for the IPv6 preference options to differ from the
IPv6 usage: preferring IPv6 implies possibly using IPv6.

Also remove the corresponding unit test warning message checks.
(But keep the unit tests themselves - they now run without warnings.)
2017-01-13 16:49:27 -05:00
Nick Mathewson
3e45b12f38 Merge remote-tracking branch 'dgoulet/bug21054_030_01' 2017-01-13 16:45:55 -05:00
Nick Mathewson
5762d6489d Merge branch 'bug21019_030_01_squashed' 2017-01-13 12:11:00 -05:00
David Goulet
fb8dad5ceb hs: Log if service can't connect to application
In order to help an HS operator knowing if the application configured behind
it is not working properly, add a log at warning level for the connection
refused or timeout case. This log will only be printed if a client connection
fails and is rate limited.

Closes #21019

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-13 12:10:53 -05:00
Nick Mathewson
7844c5ddd7 Have circuit_get_global_origin_circuit_list() return the right list. Bug 21118 2017-01-12 13:18:09 -05:00
Nick Mathewson
f1d622e2b2 repair whitespace. 2017-01-11 14:59:19 -05:00
Nick Mathewson
62c6d5fe16 Merge remote-tracking branch 'dgoulet/ticket19925_030_01' 2017-01-11 14:33:55 -05:00
Nick Mathewson
ac3b559e93 Merge branch 'bug20569_030_02_squashed' 2017-01-11 12:52:52 -05:00
David Goulet
870b5e2227 hs: Use AES-256 for v3 descriptor
That key size is taken from proposal 224 thus specified in the protocol.

Closes #20569

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-11 12:52:34 -05:00
Nick Mathewson
7892683e7e Merge remote-tracking branch 'asn/bug20852_v1' 2017-01-11 10:14:50 -05:00
Nick Mathewson
8f893fbca9 Merge remote-tracking branch 'public/bug20974' 2017-01-11 09:51:58 -05:00
Nick Mathewson
2db858ef61 Merge remote-tracking branch 'jryans/dependant-corrected' 2017-01-11 09:28:54 -05:00
Nick Mathewson
b9054c6ee4 Merge branch 'bug20987_squashed' 2017-01-11 09:21:09 -05:00
Nick Mathewson
3a3e88dbd4 Fix memory leak when failing to configure hidden services.
In 8a0ea3ee43 we added a
temp_service_list local variable to rend_config_services, but we
didn't add a corresponding "free" for it to all of the exit paths.

Fixes bug 20987; bugfix on 0.3.0.1-alpha.
2017-01-11 09:20:23 -05:00
Nick Mathewson
730cc16b72 Merge remote-tracking branch 'teor/bug21123' 2017-01-11 09:15:04 -05:00
David Goulet
8a33abcd65 control: Add GETINFO command for the shared random values
Add the "sr/current" and "sr/previous" keys for the GETINFO command in order
to get through the control port the shared random values from the consensus.

Closes #19925

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-01-09 11:33:05 -05:00
George Kadianakis
e1d7661412 Max HS descriptor size is now 50kb and also consensus param. 2017-01-09 15:02:56 +02:00
Chelsea H. Komlo
655ffeadd5 comment fixups 2017-01-08 13:14:56 -05:00
teor
518ef61975
Clarify the message logged when a remote relay is unexpectedly missing a port
(Users were confusing this with a local port.)

Fixes bug 20711; bugfix on 0.2.8.2-alpha.
2017-01-03 16:56:32 +11:00
teor
18f47bbb73
Allow relays to use directory mirrors without a DirPort
These relays need to be contacted over their ORPorts using a begindir
connection, and relays try not to use begindir connections.

Fixes bug 20711; bugfix on 0.2.8.2-alpha.
2017-01-03 16:52:56 +11:00
teor
c83463ef74
Remove a rendundant check for PidFile changes at runtime
This check is already performed regardless of whether the sandbox is active.

Fixes bug 21123; bugfix on commit 2ae47d3 in 0.2.5.4-alpha.
2017-01-03 15:03:34 +11:00
Nick Mathewson
ef0559c3e3 Extract global_origin_circuit_list manipulation code into new fns.
Closes ticket 20921.
2017-01-02 13:12:06 -05:00
Nick Mathewson
97ed2ce085 Unindent long-misindented blocks.
We switched these to be "if (1) " a while back, so we could keep
the indentation and avoid merge conflicts.  But it's nice to clean
up from time to time.
2017-01-02 12:16:57 -05:00
Nick Mathewson
26651d7fdb Fix some dubious indentation 2017-01-02 12:13:11 -05:00
Nick Mathewson
b317813485 Make GETINFO entry-guards work again with prop271
This is not a great solution, but it's as close to
backward-compatible as possible.  A better GETINFO API should expose
more information.
2017-01-02 10:10:03 -05:00
Nick Mathewson
9d37449fb0 Move entry-guard-is-up notification later into dirguard path.
Previously we were marking directory guards up in
..._process_inbuf(), but that's wrong: we call that function on
close as well as on success.  Instead, we're marking the dirguard up
only after we parse the HTTP headers. Closes 20974.
2017-01-02 09:56:06 -05:00
J. Ryan Stinnett
58172be657 Use the correct spelling for "Dependent" in the control protocol.
Fixes #18146.
2016-12-29 22:32:42 -06:00
Nick Mathewson
0a0e513d42 Merge remote-tracking branch 'dgoulet/bug20991_030_01' 2016-12-23 10:56:36 -05:00
Nick Mathewson
40ce7a83c4 whitespace fix 2016-12-23 10:46:14 -05:00
Nick Mathewson
0087fe36c1 Merge remote-tracking branch 'dgoulet/bug20572_030_01' 2016-12-23 10:03:35 -05:00
Nick Mathewson
9fb2bf2f3f Merge remote-tracking branch 'dgoulet/bug19899_030_01' 2016-12-23 08:28:05 -05:00
George Kadianakis
7456677a50 Make outter (plaintext) layer of HS desc conform to prop224.
This basically means changing the 'encrypted' field to 'superencrypted'.
2016-12-23 15:07:21 +02:00
David Goulet
955d4b7abd circuit: Change close reasons from uint16_t to int
When marking for close a circuit, the reason value, a integer, was assigned to
a uint16_t converting any negative reasons (internal) to the wrong value. On
the HS side, this was causing the client to flag introduction points to be
unreachable as the internal reason was wrongfully converted to a positive
16bit value leading to flag 2 out of 3 intro points to be unreachable.

Fixes #20307 and partially fixes #21056

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-22 12:37:42 -05:00
David Goulet
2d1fa58fb4 test: Add unit test for prune_services_on_reload()
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-21 15:00:19 -05:00
David Goulet
36b5ca2c8b hs: Move and improve the service pruning code
First, this commit moves the code used to prune the service list when
reloading Tor (HUP signal for instance) to a function from
rend_config_services().

Second, fix bug #21054, improve the code by using the newly added
circuit_get_next_service_intro_circ() function instead of poking at the global
list directly and add _many_ more comments.

Fixes #21054.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-21 15:00:19 -05:00
David Goulet
8a05e1a5d2 circuit: Add a function to get the next service intro circuit
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-21 15:00:19 -05:00
Nick Mathewson
2673b4b7a8 Merge branch 'maint-0.2.6' into maint-0.2.7 2016-12-20 18:23:19 -05:00
Nick Mathewson
b6227edae1 Add a one-word sentinel value of 0x0 at the end of each buf_t chunk
This helps protect against bugs where any part of a buf_t's memory
is passed to a function that expects a NUL-terminated input.

It also closes TROVE-2016-10-001 (aka bug 20384).
2016-12-20 18:22:53 -05:00
Nick Mathewson
39ef343523 Add a one-word sentinel value of 0x0 at the end of each buf_t chunk
This helps protect against bugs where any part of a buf_t's memory
is passed to a function that expects a NUL-terminated input.
2016-12-20 18:20:01 -05:00
Nick Mathewson
8f857c23b7 Add a one-word sentinel value of 0x0 at the end of each buf_t chunk
This helps protect against bugs where any part of a buf_t's memory
is passed to a function that expects a NUL-terminated input.
2016-12-20 18:18:53 -05:00
Nick Mathewson
a9c8a5ff18 Merge branch 'maint-0.2.6' into maint-0.2.7 2016-12-20 18:14:21 -05:00
Nick Mathewson
b18bde23cf Merge branch 'maint-0.2.5' into maint-0.2.6 2016-12-20 18:11:25 -05:00
Nick Mathewson
db58d4d16f Merge branch 'maint-0.2.4' into maint-0.2.5 2016-12-20 18:11:08 -05:00
teor
fca91a7793 for fuzzing: Add a function to make a buf with given contents
(Teor wrote the code, nick extracted it into a smaller patch.)
2016-12-19 15:02:08 -05:00
teor
02068c6391 For fuzzing: Expose directory_handle_command.
(Nick extracted this patch from a larger patch by Teor.)
2016-12-19 15:02:08 -05:00
Nick Mathewson
c468df3961 Don't warn about absent guard state when none expected.
Self-testing circuits don't use guards, and nobody uses guards when
UseEntryGuards is disabled.

Fixes bug 21007; bug not in any released Tor.
2016-12-19 12:24:30 -05:00
Nick Mathewson
f9f1e3c94b Merge branch 'maint-0.2.9' 2016-12-19 08:03:17 -05:00
Nick Mathewson
de65647461 Merge branch 'maint-0.2.8' into maint-0.2.9 2016-12-19 07:58:43 -05:00
Nick Mathewson
c11de4c45f Merge branch 'bug21018_024' into maint-0.2.8 2016-12-19 07:58:21 -05:00
Nick Mathewson
2dc5226644 Merge branch 'maint-0.2.9' 2016-12-19 07:31:19 -05:00
Nick Mathewson
169a93fff2 Merge branch 'maint-0.2.8' into maint-0.2.9 2016-12-19 07:30:42 -05:00
teor
4181e812c7
Update the fallback directory mirror list in December 2016
Replace the 81 remaining fallbacks of the 100 originally introduced
in Tor 0.2.8.3-alpha in March 2016, with a list of 177 fallbacks
(123 new, 54 existing, 27 removed) generated in December 2016.

Resolves ticket 20170.
2016-12-19 15:44:20 +11:00
Nick Mathewson
0fb3058ece Make log message warn about detected attempts to exploit 21018. 2016-12-18 20:17:28 -05:00
Nick Mathewson
d978216dea Fix parsing bug with unecognized token at EOS
In get_token(), we could read one byte past the end of the
region. This is only a big problem in the case where the region
itself is (a) potentially hostile, and (b) not explicitly
nul-terminated.

This patch fixes the underlying bug, and also makes sure that the
one remaining case of not-NUL-terminated potentially hostile data
gets NUL-terminated.

Fix for bug 21018, TROVE-2016-12-002, and CVE-2016-1254
2016-12-18 20:17:24 -05:00
Nick Mathewson
ae89d9745d Revert ticket 20982 changes.
They broke stem, and breaking application compatibility is usually a
bad idea.

This reverts commit 6e10130e18,
commit 78a13df158, and
commit 62f52a888a.

We might re-apply this later, if all the downstream tools can handle
it, and it turns out to be useful for some reason.
2016-12-18 10:04:36 -05:00
Roger Dingledine
51ee549a90 fix typos and trivial syntax problems 2016-12-18 04:06:02 -05:00
Nick Mathewson
762b799545 Rename 'remove' -> 'rmv' to avoid shadowing a libc global 2016-12-16 14:04:57 -05:00
J. Ryan Stinnett
19cf074f4d hs: Remove private keys from hs_desc_plaintext_data_t.
Since both the client and service will use that data structure to store the
descriptor decoded data, only the public keys are common to both.

Fixes #20572.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-16 12:48:33 -05:00
David Goulet
e76b072def test: fix the generate ESTABLISH_INTRO v3 cell
The "sig_len" fields was moved below the "end_sig_fields" in the trunnel
specification so when signing the cell content, the function generating such a
cell needed to be adjust.

Closes #20991

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-16 12:21:07 -05:00
David Goulet
db0e926849 hs: Remove a useless cast in verify_establish_intro_cell()
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-16 12:21:07 -05:00
David Goulet
b0ccb6bfa5 hs: Add an extra safety check on ESTABLISH_INTRO sig len
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-16 12:21:07 -05:00
Nick Mathewson
23c09b6bc2 Resolve a division-by-zero complaint from coverity. CID 1397272 2016-12-16 12:21:02 -05:00
Nick Mathewson
c52c47ae6f Disable the legacy guard algorithm. Code isn't removed yet.
(Keeping the code around in case I broke Tor in some unexpected
way.)
2016-12-16 11:42:34 -05:00
Nick Mathewson
990a863d7c Merge branch 'ticket20831_v2' 2016-12-16 11:40:19 -05:00
Nick Mathewson
506bd6d47c Make NumDirectoryGuards work with the new guard algorithm.
Now that we support NumEntryGuards, NumDirectoryGuards is pretty
easy to put back in.
2016-12-16 11:34:31 -05:00
Nick Mathewson
d9200d853d Make NumEntryGuards work as expected again.
Further, add a "guard-n-primary-guards-to-use" parameter, defaulting
to 1, for NumEntryGuards to override.
2016-12-16 11:34:31 -05:00
Nick Mathewson
deb8bcadce 271: Algorithm tweak to allow multiple entry guards.
Previously, we had NumEntryGuards kind of hardwired to 1.  Now we
have the code (but not the configuarability) to choose randomly from
among the first N primary guards that would work, where N defaults
to 1.

Part of 20831 support for making NumEntryGuards work again.
2016-12-16 11:34:31 -05:00
Nick Mathewson
385602e982 Respect GuardLifetime in prop271 code.
It overrides both the GUARD_LIFETIME and the
GUARD_CONFIRMED_MIN_LIFETIME options.
2016-12-16 11:34:31 -05:00
Nick Mathewson
3902a18a69 Remove UseDirectoryGuards
It is obsoleted in an always-on direction by prop271.
2016-12-16 11:32:51 -05:00
Nick Mathewson
988b0afbd6 Merge branch 'ticket20826_v2' 2016-12-16 11:29:02 -05:00
Nick Mathewson
e044b4f8ce Support restrictive ENTRYNODES configurations correctly.
Since we already had a separate function for getting the universe of
possible guards, all we had to do was tweak it to handle very the
GS_TYPE_RESTRICTED case.
2016-12-16 11:28:27 -05:00
Nick Mathewson
4ec9751c14 guard->nickname is never NULL. 2016-12-16 11:25:59 -05:00
Nick Mathewson
2cee38f76a Merge branch 'prop271_030_v1_squashed' 2016-12-16 11:20:59 -05:00
Nick Mathewson
20292ec497 Per suggestion, increase the retry frequency for primary guards. 2016-12-16 11:06:22 -05:00
Nick Mathewson
fc7751a989 Rewrite state transition logic in entry_guards_note_success()
asn found while testing that this function can be reached with
GUARD_STATE_COMPLETE circuits; I believe this happens when
cannibalization occurs.

The added complexity of handling one more state made it reasonable
to turn the main logic here into a switch statement.
2016-12-16 11:06:22 -05:00
Nick Mathewson
2e2f3a4d99 Add a separate, non-fractional, limit to the sampled guard set size.
Letting the maximum sample size grow proportionally to the number of
guards defeats its purpose to a certain extent.  Noted by asn during
code review.

Fixes bug 20920; bug not in any released (or merged) version of Tor.
2016-12-16 11:06:22 -05:00
Nick Mathewson
e50d85b90c Clean check for live consensus when updating the guard sample.
The valid_until check was redundant.
2016-12-16 11:06:22 -05:00
Nick Mathewson
b7088e5b5a Move a TODO comment into doxygen comments. 2016-12-16 11:06:22 -05:00
George Kadianakis
50783d0123 Easy code fixes.
- Correctly maintain the previous guard selection in choose_guard_selection().
- Print bridge identifier instead of nothing in entry_guard_describe()._
2016-12-16 11:06:22 -05:00
George Kadianakis
7ab2678074 Trivial documentation improvements. 2016-12-16 11:06:22 -05:00
Nick Mathewson
6867950432 Wrap all of the legacy guard code, and its users, in #ifdefs
This will make it easier to see what we remove down the line.
2016-12-16 11:06:22 -05:00
Nick Mathewson
2b4bfe62ee Fix a signed/unsigned warning on 32-bit 2016-12-16 11:06:21 -05:00
Nick Mathewson
52e196bab5 Don't make $hexid nicknames persistent.
(That's asking for trouble, and also totally completely redundant.)
2016-12-16 11:06:21 -05:00
Nick Mathewson
79d3e94f8b prop271: Tests for the highlevel or_state_t encode/decode functions 2016-12-16 11:06:20 -05:00
Nick Mathewson
217590ad05 Extract guard_selection_infer_type into its own function. 2016-12-16 11:06:20 -05:00
Nick Mathewson
2c8c58ab2f Another tweak for guard restrictions: don't let complete circs block
If a complete circuit C2 doesn't obey the restrictions of C1, then
C2 cannot block C1.

The patch here is a little big-ish, since we can no longer look
through all the complete circuits and all the waiting circuits on a
single pass: we have to find the best waiting circuit first.
2016-12-16 11:06:20 -05:00
Nick Mathewson
87f9b42179 Implement support for per-circuit guard restrictions.
This is an important thing I hadn't considered when writing prop271:
sometimes you have to restrict what guard you use for a particular
circuit.  Most frequently, that would be because you plan to use a
certain node as your exit, and so you can't choose that for your
guard.

This change means that the upgrade-waiting-circuits algorithm needs
a slight tweak too: circuit A cannot block circuit B from upgrading
if circuit B needs to follow a restriction that circuit A does not
follow.
2016-12-16 11:06:20 -05:00
Nick Mathewson
17c3faa2e3 guards_choose_dirguard(): replace one XXXX with another.
I had been asking myself, "hey, doesn't the new code need to look at
this "info" parameter? The old code did!"  But it turns out that the
old code hasn't, since 05f7336624.

So instead of "support this!" the comment now says "we can remove
this!"
2016-12-16 11:06:20 -05:00
Nick Mathewson
9d065ecc3d Fix a magic number in get_max_sample_size 2016-12-16 11:06:20 -05:00
Nick Mathewson
1e9cd5d2bb Note a couple of XXX-prop271s as spec deviations. 2016-12-16 11:06:19 -05:00
Nick Mathewson
f4e64c04f4 Remove some resolved "XXXX prop271" comments. 2016-12-16 11:06:19 -05:00
Nick Mathewson
80fa404625 Fix for small test networks: don't refuse to have any sampled guards.
Don't restrict the sample size if the network size is less than 20
guards.  Maybe we'll think of a better rule later on?
2016-12-16 11:06:19 -05:00
Nick Mathewson
eac8b3f758 Remove a few unused arguments. 2016-12-16 11:06:19 -05:00
Nick Mathewson
84bfa895d7 Change return value of entry_guard_succeeded to an enum.
George pointed out that (-1,0,1) for (never usable, maybe usable
later, usable right now) was a pretty rotten convention that made
the code harder to read.
2016-12-16 11:06:19 -05:00
Nick Mathewson
46619ec914 Note some large functions that could be split.
George Kadianakis pointed these out.
2016-12-16 11:06:19 -05:00
Nick Mathewson
3bcbbea350 More progress on bridge implementation with prop271 guards
Here we handle most (all?) of the remaining tasks, and fix some
bugs, in the prop271 bridge implementation.

  * We record bridge identities as we learn them.
  * We only call deprecated functions from bridges.c when the
    deprecated guard algorithm is in use.
  * We update any_bridge_descriptors_known() and
    num_bridges_usable() to work correctly with the new backend
    code. (Previously, they called into the guard selection logic.
  * We update bridge directory fetches to work with the new
    guard code.
  * We remove some erroneous assertions where we assumed that we'd
    never load a guard that wasn't for the current selection.

Also, we fix a couple of typos.
2016-12-16 11:06:18 -05:00
Nick Mathewson
82fa71610d Implement bridge backends for sampling, filtering guards.
Still missing is functionality for picking bridges when we don't
know a descriptor for them yet, and functionality for learning a
bridge ID.

Everything else remains (basically) the same. Neat!
2016-12-16 11:06:18 -05:00
Nick Mathewson
53f248f6c9 Add some needed accessors/inspectors for bridge/guard convergence 2016-12-16 11:06:18 -05:00
Nick Mathewson
1d52ac4d3f Lay down some infrastructure for bridges in the New Guard Order.
This includes:
  * making bridge_info_t exposed but opaque
  * allowing guards where we don't know an identity
  * making it possible to learn the identity of a guard
  * creating a guard that lacks a node_t
  * remembering a guard's address and port.
  * Looking up a guard by address and port.
  * Only enforcing the rule that we need a live consensus to update
    the "listed" status for guards when we are not using bridges.
2016-12-16 11:06:18 -05:00
Nick Mathewson
89f5f149df Remove guard_selection argument from status-reporting functions
This prevents us from mixing up multiple guard_selections
2016-12-16 11:06:18 -05:00
Nick Mathewson
6dcbc24a4e Add a backpointer from entry_guard_t to guard_selection_t
This is safe, because no entry_guard_t ever outlives its
guard_selection_t.

I want this because now that multiple guard selections can be active
during one tor session, we should make sure that any information we
register about guards is with respect to the selection that they came
from.
2016-12-16 11:06:18 -05:00
Nick Mathewson
404e9e5611 Have multiple guard contexts we can switch between.
Currently, this code doesn't actually have the contexts behave
differently, (except for the legacy context), but it does switch
back and forth between them nicely.
2016-12-16 11:06:18 -05:00
Nick Mathewson
c6d218c44b Unit tests for entry_guard_{pick_for_circuit,succeeded,failed} 2016-12-16 11:06:17 -05:00
Nick Mathewson
9493711077 Mark confirmed guards primary as appropriate.
If a guard becomes primary as a result of confirming it, consider
the circuit through that guard as a primary circuit.

Also, note open questions on behavior when confirming nonprimary guards
2016-12-16 11:06:17 -05:00
Nick Mathewson
d2af9826fd Turn #defines for prop271 into networkstatus params
Some of these will get torrc options to override them too; this
is just the mechanical conversion.

Also, add documentation for a couple of undocumented (but now used)
parameters.
2016-12-16 11:06:17 -05:00
Nick Mathewson
039bd01767 Add a wrapper for a common networkstatus param pattern
We frequently want to check a networkstatus parameter only when it
isn't overridden from the torrc file.
2016-12-16 11:06:16 -05:00
Nick Mathewson
2ea5aa7182 Expire circuits that have been WAITING_FOR_BETTER_GUARD too long
(This is required by 3.9 in prop271, but is better done as a
separate function IMO)
2016-12-16 11:06:16 -05:00
Nick Mathewson
e56bc1e5de Move the 'dirty' flag for the guards to a global again
It makes more sense to have a single dirty flag, since we always
regenerate the whole state file when we save it.
2016-12-16 11:06:16 -05:00
Nick Mathewson
bce0f79252 Mark some more BUG lines as unreachable. 2016-12-16 11:06:16 -05:00
Nick Mathewson
a7bc73935b Test get_guard_selection_by_name 2016-12-16 11:06:15 -05:00
Nick Mathewson
526b0e2ce2 Avoid division-by-zero in pathbias_check_*_success_count 2016-12-16 11:06:15 -05:00
Nick Mathewson
ac67819396 Make sure primary-guards are up-to-date when we inspect them.
(Plus some magic to prevent and detect recursive invocation of
entry_guards_update_primary(), since that can cause some pretty
tricky misbehavior.)
2016-12-16 11:06:15 -05:00
Nick Mathewson
f71be74340 When freeing a guard state, cancel it if its state is unknown
We don't want a guard to stay "pending" forever if the
circuit_guard_state_t for it is freed before it succeeds or fails.
2016-12-16 11:06:15 -05:00
Nick Mathewson
897626953b Rebuild the guard lists as appropriate on torrc change.
(Also, prepare to tie guard changes into the mark-all-old-circuits
logic.)
2016-12-16 11:06:15 -05:00
cypherpunks
62f52a888a Remove the version prefix from version numbers 2016-12-16 10:41:36 -05:00
cypherpunks
78a13df158 Remove the trailing dot from version numbers 2016-12-16 10:41:36 -05:00
teor
2e2d22d29a
Make fascist_firewall_use_ipv6() check ORPort & DirPort IP preferences
This makes clients try harder to find an IPv6 address when searching for
a directory server.

Required for #19608.
2016-12-16 22:30:55 +11:00
David Goulet
cacfd82c8d cell: Add a control cell ID for semantic
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-15 11:44:02 -05:00
Nick Mathewson
4098bfa260 Fix double-typedef of or_circuit_t. 2016-12-14 16:46:54 -05:00
Nick Mathewson
a8ac2a62cb Fix a few clang warnings. 2016-12-14 16:01:27 -05:00
Nick Mathewson
81360c4a5f whitespace fixes 2016-12-14 15:41:08 -05:00
Nick Mathewson
a675ef8eea Fix a "make check" regression in --list-fingerprint. 2016-12-14 15:39:31 -05:00
Nick Mathewson
c838d34921 Merge branch 'dgoulet_ticket19043_030_03_squashed' 2016-12-14 15:28:28 -05:00
David Goulet
a4eb17ed89 prop224: Use LOG_PROTOCOL_WARN instead of log_warn(LD_PROTOCOL, ...) in hs_intropoint.c
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-14 15:19:10 -05:00
David Goulet
118691cd47 crypto: Change crypto_mac_sha3_256 to use the key length in the construction
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-14 15:18:40 -05:00
George Kadianakis
12dfe56b1c prop224: Use new HS functions in old HS code.
This is needed to make old code unittestable.
2016-12-14 15:18:40 -05:00
George Kadianakis
d7be1fd519 prop224: Introduce the new introduction point code.
(pun not intended)

Now our code supports both legacy and prop224 ESTABLISH_INTRO cells :)

hs_intro_received_establish_intro() is the new entry point.
2016-12-14 15:18:36 -05:00
George Kadianakis
c4c90d56b5 prop224: Add code that generates ESTABLISH_INTRO cells.
Currently unused. It will only be used for creating ESTABLISH_INTRO
cells in unittests :)
2016-12-14 15:17:58 -05:00
George Kadianakis
9192e5928c prop224 prepwork: Use of HS circuitmap in existing HS code.
The new HS circuitmap API replaces old public functions as follows:
   circuit_clear_rend_token -> hs_circuitmap_remove_circuit
   circuit_get_rendezvous -> hs_circuitmap_get_rend_circ
   circuit_get_intro_point -> hs_circuitmap_get_intro_circ_v2
   circuit_set_rendezvous_cookie -> hs_circuitmap_register_rend_circ
   circuit_set_intro_point_digest -> hs_circuitmap_register_intro_circ_v2

This commit also removes the old rendinfo code that is now unused.
It also fixes the broken rendinfo unittests.
2016-12-14 15:17:58 -05:00
George Kadianakis
2b9abbef2e prop224 prepwork: Introduce HS circuitmap subsystem.
The HS circuitmap is a hash table that maps introduction and rendezvous
tokens to specific circuits such that given a token it's easy to find
the corresponding circuit. It supports rend circuits and v2/v3 intro
circuits.

It will be used by the prop224 ESTABLISH_INTRO code to register and
lookup v3 introduction circuits.

The next commit after this removes the old code and fixes the unittests.
Please consult both commits while reviewing functionality differences
between the old and new code. Let me know if you want this rebased
differently :)

WRT architectural differences, this commit removes the rendinfo pointer
from or_circuit_t. It then adds an hs_token_t pointer and a hashtable
node for the HS circuitmap. IIUC, this adds another pointer to the
weight of or_circuit_t. Let me know if you don't like this, or if you
have suggestions on improving it.
2016-12-14 15:17:58 -05:00
George Kadianakis
e17cc3f0a6 prop224 prepwork: Finish decoupling old ESTABLISH_INTRO creation logic. 2016-12-14 15:17:57 -05:00
George Kadianakis
b5b34e62f7 prpo224 prepwork: Decouple legacy ESTABLISH_INTRO creation logic.
This commit only moves code.
2016-12-14 15:17:57 -05:00
Nick Mathewson
963e70673a Merge remote-tracking branch 'teor/fix-frac-paths-comment' 2016-12-13 20:30:51 -05:00
teor
e2537a5982
Clarify a comment in compute_frac_paths_available 2016-12-14 10:25:01 +11:00
Nick Mathewson
55d02c004c Remove AuthDirMaxServersPerAuthAddr
Back when Roger had do do most of our testing on the moria host, we
needed a higher limit for the number of relays running on a single
IP address when that limit was shared with an authority. Nowadays,
the idea is pretty obsolete.

Also remove the router_addr_is_trusted_dir() function, which served
no other purpose.

Closes ticket 20960.
2016-12-13 13:09:27 -05:00
Nick Mathewson
56b11905e5 Remove a little dead code from routerparse.c
In c35fad2bde, merged in
0.2.4.7-alpha, we removed the code to parse v1 directory
objects. When we did so, we removed everything that could set the
CST_CHECK_AUTHORITY flag for check_signature_token().

So in this code, we remove the flag itself, the code to handle the
flag, and a function that only existed to handle the flag.
2016-12-13 09:36:59 -05:00
Nick Mathewson
0dd48bfe5a Change the default of AuthDirPinKeys to 1.
Closes ticket 18319.
2016-12-13 08:54:38 -05:00
Nick Mathewson
1bd562f1c4 Merge branch 'people-to-node-type' 2016-12-12 09:50:31 -05:00
J. Ryan Stinnett
d5df9fa235 Replace "people" with the appropriate network component in comments
Fixes #18145.
2016-12-12 09:50:21 -05:00
Nick Mathewson
1ad96ed9cd Merge remote-tracking branch 'rubiate/ticket20511' 2016-12-12 09:20:56 -05:00
Nick Mathewson
a40d212383 Downgrade a harmless bug warning to info.
Makes 19926 less annoying in 0.2.9.  In 0.3.0, we should actually
fix this.
2016-12-09 08:43:09 -05:00
Nick Mathewson
a3b8286b0e Merge branch 'maint-0.2.9' 2016-12-09 08:30:55 -05:00
David Goulet
9bb3bcbc41 router: Fix memory leak in signed_descriptor_move()
The signed_descriptor_move() was not releasing memory inside the destination
object before overwriting it with the source object. This commit adds a reset
function that free that memory inside a signed descriptor object and zero it.

Closes #20715.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-09 08:30:46 -05:00
Nick Mathewson
e1f00c5f86 whitespace cleanups 2016-12-08 16:53:29 -05:00
Nick Mathewson
e93234af70 Merge branch 'feature15056_v1_squashed' 2016-12-08 16:49:24 -05:00
Nick Mathewson
236e8b605e Adding some assertions to onion.c 2016-12-08 16:48:01 -05:00
Nick Mathewson
d0b76f5099 Fix comment on connection_or_client_learned_peer_id(). 2016-12-08 16:48:01 -05:00
Nick Mathewson
5eef00eb04 Tiny cleanup of chan handling when setting connection ID digests 2016-12-08 16:48:01 -05:00
Nick Mathewson
9bf9e34a01 Use connection_or_clear_identity in connection_or_clear_identity_map. 2016-12-08 16:48:01 -05:00
Nick Mathewson
937aef48ee Add an ed25519_copy; use it in a couple of places dgoulet suggested. 2016-12-08 16:48:01 -05:00
Nick Mathewson
cd741cc595 Canonicity update for ed25519.
If a node can prove its Ed25519 identity, don't consider connections
to it canonical unless they match both identities.

Includes link handshake changes needed to avoid crashing with bug
warnings, since the tests now reach more parts of the code.

Closes ticket 20355
2016-12-08 16:48:00 -05:00
Nick Mathewson
424ae9e18b helper to test a node for matching an ed25519 ID. 2016-12-08 16:48:00 -05:00
Nick Mathewson
3b1e04fe45 Teach channel_rsa_id_group_set_badness_() about Ed25519
(Only run the connection_or_group_set_badness_() function on groups
of channels that have the same RSA and Ed25519 identities.)

There's a possible opportunity here where we might want to set a
channel to "bad" if it has no ed25519 identity and some other
channel has some.  Also there's an opportunity to add a warning if
we ever have an Ed mismatch on open connections with the same RSA
ID.
2016-12-08 16:48:00 -05:00
Nick Mathewson
5ada249579 Enforce directionality in connection_or_set_identity_digest().
This function has never gotten testing for the case where an
identity had been set, and then got set to something else.  Rather
than make it handle those cases, we forbid them.
2016-12-08 16:47:59 -05:00
Nick Mathewson
68acf8f12e Tell channel_set_identity_digest() that ed keys can be NULL 2016-12-08 16:47:59 -05:00
Nick Mathewson
e0ab293837 Add a few more debug/info-level logs for ed25519 link handshake stuff 2016-12-08 16:47:59 -05:00
Nick Mathewson
3d7e485402 Add an option to disable dirauth ed25519 link key checks.
If there is some horrible bug in our ed25519 link authentication
code that causes us to label every single ed25519-having node as
non-running, we'll be glad we had this.  Otherwise we can remove it
later.
2016-12-08 16:47:59 -05:00
Nick Mathewson
7daf152172 Enforce Ed25519 identities (client-side)
This patch makes two absolutely critical changes:
  - If an ed25519 identity is not as expected when creating a channel,
    we call that channel unsuccessful and close it.
  - When a client creating a channel or an extend cell for a circuit, we
    only include the ed25519 identity if we believe that the node on
    the other side supports ed25519 link authentication (from
    #15055).  Otherwise we will insist on nodes without the right
    link protocol authenticating themselves.
  - When deciding to extend to another relay, we only upgrade the
    extend to extend by ed25519 ID when we know the ed25519 ID _and_
    we know that the other side can authenticate.

This patch also tells directory servers, when probing nodes, to
try to check their ed25519 identities too (if they can authenticate
by ed25519 identity).

Also, handle the case where we connect by RSA Id, and learn the
ED25519 ID for the node in doing so.
2016-12-08 16:47:58 -05:00
Nick Mathewson
ae6b73e847 Dirauth: Don't treat a router as reachable if the Ed25519 key didn't match 2016-12-08 16:47:58 -05:00
Nick Mathewson
88252b2d76 Comment-only: note some places where we want to propagate Ed25519 info
This is not for 15056, since it's about UI, and not about circuit
extension.
2016-12-08 16:47:58 -05:00
Nick Mathewson
9e840e6c7d Add ExtendByEd25519ID consensus parameter/torrc option
I need to be able to turn on Ed25519 support in client generation
of  extend cells so I can test it, but leave it off-by-default until
enough clients support it for us to turn it on for a bunch at once.

This is part of #15056 / prop#220.
2016-12-08 16:47:58 -05:00
Nick Mathewson
6788418f28 Propagate Ed25519 identities downwards into more functions.
Actually set ed25519 identities on channels when we set a channel's
identity.
2016-12-08 16:47:58 -05:00
Nick Mathewson
af3af49408 Add a function to check whether a given ed id key is ours 2016-12-08 16:47:58 -05:00
Nick Mathewson
c837786868 Teach circuit_extend() more about Ed25519 identities.
- forbid extending to the previous hop by Ed25519 ID.
- If we know the Ed25519 ID for the next hop and the client doesn't,
  insist on the one from the consensus.
2016-12-08 16:47:57 -05:00
Nick Mathewson
6aa239df36 Rename connection_or_remove_from_identity_map 2016-12-08 16:47:57 -05:00
Nick Mathewson
cdce221e68 Remove orconn_identity_map.
It is no longer needed; look up channels by identity instead.
2016-12-08 16:47:57 -05:00
Nick Mathewson
a20c8a81d7 Migrate main data loop for set_bad_connections to use channel structures
This was the last user of our or_connections-by-ID map.  It also had
a tendency to be O(N) in cases that only had to be O(1).
2016-12-08 16:47:57 -05:00
Nick Mathewson
bfff729728 Add a bunch of work-in-progress comments for 15056 planning 2016-12-08 16:47:57 -05:00
Nick Mathewson
ef5158b2d2 When attempting to find a channel by ID, consider Ed ID.
Right now, there's only a mechanism to look for a channel where the
RSA ID matches *and* the ED ID matches. We can add a separate map
later if we want.
2016-12-08 16:47:56 -05:00
Nick Mathewson
b658893590 Merge branch 'bug19960_2' 2016-12-07 15:23:14 -05:00
Nick Mathewson
53d4e89626 Netbsd doesn't have ipfw, only the regular pf transport stuff.
Attempted fix for 19960.

Also, fixes a typo.
2016-12-07 15:22:44 -05:00
Nick Mathewson
2499ea359a Merge branch 'maint-0.2.9' 2016-12-07 11:14:56 -05:00
Nick Mathewson
0815f96416 Fix a BUG() warning from next_random_exponential_delay().
Fixes 20875; this code is as suggested by teor on the ticket.  Thanks!
2016-12-07 11:13:11 -05:00
Nick Mathewson
41adfd6fa3 Fix a couple more crypto_digest() calls to be explicit < 0 2016-12-05 10:31:31 -05:00
Nick Mathewson
f92630941a Merge remote-tracking branch 'chelseakomlo/20717_hashing_api_bug' 2016-12-05 10:27:16 -05:00
Nick Mathewson
5923418eff Merge remote-tracking branch 'jryans/service_is_ephemeral' 2016-12-05 08:57:00 -05:00
Nick Mathewson
f96f4c0e42 Merge remote-tracking branch 'chelseakomlo/circuituse' 2016-12-05 08:25:22 -05:00
Nick Mathewson
0ded72322c Merge branch 'maint-0.2.9' 2016-12-05 08:21:46 -05:00
J. Ryan Stinnett
cf2f36b8b4 Test for .git as readable instead of a dir to support worktrees
Fixes #20492.
2016-12-05 08:21:17 -05:00
J. Ryan Stinnett
63d3ba96f9 Use rend_service_is_ephemeral for all service checks in rendservice.c
Fixes #20853.
2016-12-04 14:35:09 -06:00
teor
8a0ea3ee43
Use a temporary service list when validating and adding hidden services
This resolves two issues:
* the checks in rend_add_services were only being performed when adding
  the service, and not when the service was validated,
  (this meant that duplicate checks were not being performed, and some SETCONF
  commands appeared to succeed when they actually failed), and
* if one service failed while services were being added, then the service
  list would be left in an inconsistent state (tor dies when this happens,
  but the code is cleaner now).

Fixes #20860.
2016-12-03 09:10:46 +11:00
teor
93c62f5ac1
Add a missing rend_service_free in rend_service_add 2016-12-03 08:24:47 +11:00
teor
0446188674
Clarify the function documentation for rend_get_service_list_mutable
Comment-only change
2016-12-03 08:23:01 +11:00
Nick Mathewson
ca4a0ae0b1 Merge branch 'maint-0.2.9' 2016-12-02 12:10:39 -05:00
David Goulet
907cd8a0cf protover: Fix old tor hardcoded version check
When computing old Tor protocol line version in protover, we were looking at
0.2.7.5 twice instead of the specific case for 0.2.9.1-alpha.

Fixes #20810

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-12-02 12:09:08 -05:00
Nick Mathewson
ed4213fa08 Merge remote-tracking branch 'teor/bug20667' 2016-12-02 12:07:10 -05:00
Nick Mathewson
d7ec1708b1 Merge branch 'maint-0.2.9' 2016-12-02 12:00:53 -05:00
Nick Mathewson
8b93cbc16d Merge branch 'bug20716_026' into maint-0.2.9 2016-12-02 12:00:46 -05:00
overcaffeinated
3b6da3f90c Fix memory leak in bug 20716
newconn->address is strdup'ed twice when new_type == CONN_TYPE_AP
and conn->socket_family == AF_UNIX. Whilst here, juggle code to
make sure newconn->port is assigned from an initialised value in
the above case.
2016-12-01 10:14:42 -05:00
teor
b917b3875e Stop ignoring misconfigured hidden services
Instead, refuse to start tor until the misconfigurations have been corrected.

Fixes bug 20559; bugfix on multiple commits in 0.2.7.1-alpha and earlier.
2016-12-01 09:51:33 -05:00