This is to allow a visual feedback in the logs for operators setting up Onion
Balance so they can confirm they properly configured the instances.
Signed-off-by: David Goulet <dgoulet@torproject.org>
LOG_PROTOCOL_WARN was in core/or.h, but the function it depends on is in
app/config.h. Put them in the same header, to reduce dependencies.
Part of 33633.
The ob_subcreds array was not copied after SIGHUP, and that left the
post-SIGHUP service with a NULL ob_subcreds pointer (until the next descriptor
gets build where we regenerate ob_subcreds in hs_ob_refresh_keys()).
Fixes bug #33762; not in any released tor version.
This patch doesn't actually use the results of the parsed object to
create the service configuration: subsequent patches will do
that. This patch just introduces the necessary configuration tables
and starts using them to validate the configuration.
As of this writing, this patch breaks tests. I'll likely fix that
in a rebase later on: the current error messages for failures to
parse options are a regression, so I've opened #33640 for that.
If the buf_t's length could potentially become greater than INT_MAX - 1,
it sets off an IF_BUG_ONCE in buf_read_from_tls().
All of the rest of the buffers.c code has similar BUG/asserts for this
invariant.
Return early when there is no suitable IPv6 ORPort.
Show the address and port on error, using a convenience function.
Code simplification and refactoring.
Cleanup after 32588.
When IPv6 ORPorts are set to "auto", tor relays and bridges would
advertise an incorrect port in their descriptor.
This may be a low-severity memory safety issue, because the published
port number may be derived from uninitialised or out-of-bounds memory
reads.
Fixes bug 32588; bugfix on 0.2.3.9-alpha.
Previously we just ignored this option, which would leave it unset,
and cause an assertion failure later on when running with the User
option.
Fixes bug 33668; bugfix on 0.4.3.1-alpha.
For example, "TOR_SKIP_TESTCASES=crypto/.. ./src/test/test" will run
the tests and suppress all the "crypto/" tests. You could get the
same effect by running "./src/test/test :crypto/..", but that can be
harder to arrange from CI.
Part of a fix/workaround for 33643.
Add an inline helper function that indicates if the cached object contains a
decrypted descriptor or not.
The descriptor object is NULL if tor is unable to decrypt it (lacking client
authorization) and some actions need to be done only when we have a decrypted
object.
This improves code semantic.
Fixes#33458
Signed-off-by: David Goulet <dgoulet@torproject.org>
Given that ed25519 public key validity checks are usually not needed
and (so far) they are only necessary for onion addesses in the Tor
protocol, we decided to fix this specific bug instance without
modifying the rest of the codebase (see below for other fix
approaches).
In our minimal fix we check that the pubkey in
hs_service_add_ephemeral() is valid and error out otherwise.
In the openssl that I have, it should be safe to only check the size
of n. But if I'm wrong, or if other openssls work differently, we
should check whether any of the fields are too large.
Issue spotted by Teor.
This function does a nonfatal assertion to make sure that a machine
is not registered twice, but Tobias Pulls found a case where it
happens. Instead, make the function exit early so that it doesn't
cause a remotely triggered memory leak.
Fixes bug 33619; bugfix on 0.4.0.1-alpha. This is also tracked as
TROVE-2020-004.
Although OpenSSL before 1.1.1 is no longer supported, it's possible
that somebody is still using it with 0.3.5, so we probably shouldn't
break it with this fix.
Now port_cfg_new() returns all default flags and
port_parse_config() acts on defaults returned by port_cfg_new()
that is uses the default port_cfg_t object returned by port_cfg_new()
and modifies them later according to the port specifications in
configuration files
Might close tor#32994.
Stop forcing all non-SOCKSPorts to prefer IPv6 exit connections.
Instead, prefer IPv6 connections by default, but allow users to change
their configs using the "NoPreferIPv6" port flag.
Fixes bug 33608; bugfix on 0.4.3.1-alpha.
When a service can not upload its descriptor(s), we have no logs on why. This
adds logging for each possible reason for each descriptors.
That logging is emitted every second so it is rate limited for each reason and
per descriptor.
Closes#33400
Signed-off-by: David Goulet <dgoulet@torproject.org>
For a bridge configured with a pluggable transport, the transport name is
used, with the IP address, for the GeoIP client cache entry.
However, the DoS subsystem was not aware of it and always passing NULL when
doing a lookup into the GeoIP cache.
This resulted in bridges with a PT are never able to apply DoS defenses for
newly created connections.
Fixes#33491
Signed-off-by: David Goulet <dgoulet@torproject.org>
This function works a little bit like strsep(), to get a chunk of
configuration lines with a given header. We can use this to make
hidden service config easier to parse.
In this case, when we're looking for the voting interval, we should
try looking at the _latest_ consensus if we have one. When we're
looking for the start of the current voting period, we can use our
existing fallback logic without complaint, since the voting interval
code will already have given us a reasonable voting interval, and we
want to have a round starting time based on the current time.
This is not as clean a patch as I would like: see the comment on
ASSUME_AUTHORITY_SCHEDULING. This issue here is that the unit tests
sometimes assume that we are going to be looking at the dirauth
options and behaving like a dirauth, but without setting the options
to turn is into one.
This isn't an issue for actually running Tor, as far as I can tell
with chutney.
Most of this function was about recreating a voting schedule on
demand if it didn't exist yet or was not up-to-date. I've made that
into its own function.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
voting_schedule_recalculate_timing dirauth_sched_recalculate_timing \
voting_schedule_get_start_of_next_interval voting_sched_get_start_of_interval_after \
voting_schedule_get_next_valid_after_time dirauth_sched_get_next_valid_after_time
Previously we had initialized only the library subsystems. This
made it hard to write some tests, and encouraged people to put their
subsystems at a level lower than they really belonged at. Instead,
it probably just makes sense to initialize everything before we
start the tests.
Without this fix, 33316 breaks our tests because of raising the
level of the ocirc/orconn events.
This code was in our process module, but it doesn't belong there:
process is for launching and monitoring subprocesses, not for
hardening the current process.
This change lets us have our subsystem init order more closely match
our dependency order.
Apparently it is only used by the unit tests: tor doesn't want it at
all.
I've opened a new ticket (33383) to we if we should remove this
whole feature.
In "make test-network", add tests for single onion services v2 and v3.
In "make test-network-all", test onion services v2 and v3 in the same
network.
Part of 33334.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
MIN_DNS_TTL_AT_EXIT MIN_DNS_TTL \
MAX_DNS_TTL_AT_EXIT MAX_DNS_TTL \
dns_clip_ttl clip_dns_ttl
If we receive via 'post' a vote from a dir auth after the
fetch_missing_votes cutoff, that means we didn't get it by the time we
begin the "fetching missing votes from everybody else" phase, which means
it is very likely to cause a consensus split if we count it. Instead,
we reject it.
But we still allow votes that we fetch ourselves after that cutoff.
This is a demo branch for making progress on #4631.
I've been running it on moria1 and it catches and handles real buggy
behavior from directory authorities, e.g.
Jan 28 15:59:50.804 [warn] Rejecting vote from 199.58.81.140 received at 2020-01-28 20:59:50; our cutoff for received votes is 2020-01-28 20:52:30
Jan 28 15:59:50.805 [warn] Rejected vote from 199.58.81.140 ("Vote received too late, would be dangerous to count it").
Jan 29 01:52:52.667 [warn] Rejecting vote from 204.13.164.118 received at 2020-01-29 06:52:52; our cutoff for received votes is 2020-01-29 06:52:30
Jan 29 01:52:52.669 [warn] Rejected vote from 204.13.164.118 ("Vote received too late, would be dangerous to count it").
Jan 29 04:53:26.323 [warn] Rejecting vote from 204.13.164.118 received at 2020-01-29 09:53:26; our cutoff for received votes is 2020-01-29 09:52:30
Jan 29 04:53:26.326 [warn] Rejected vote from 204.13.164.118 ("Vote received too late, would be dangerous to count it").
Add doxygen comments to the new recommended and required subprotocol
version strings.
Add a warning to the required protocol documentation, because requiring
the wrong protocols can break the tor network. Also reference
proposal 303: When and how to remove support for protocol versions.
Part of 33285.
Some connections aren't counted for statistics or accounting,
because they have been specifically configured by the user to
local addresses.
Comment-only change.
Closes 33201.
Use bridges+hs-v23 for "make test-network",
rather than using chutney's old default.
This change requires a recent version of chutney,
because the old bridges+hs-v23 did not work.
(See chutney's 33302 for details.)
Closes 28208.
The IPv6 test only runs if IPv6 is available.
Also, explicitly use the bridges+hs-v2 network for the IPv4-only test.
This network was chutney's default as of January 2020.
Closes 33300.
Closing these file descriptors can hide sanitiser logs.
Instead, flush the logs before tor exits, using fsync().
Some Windows environments don't have fsync(), so we check
for it at compile time.
Fixes bug 33087; bugfix on 0.4.1.6.
Make sure that the following hard-coded protocol version lists are
sorted:
* supported protocols
* recommended relay and client protocols
* required relay and client protocols
This test currently fails, because the supported protocols are not
sorted.
Tests for 33285.
Move the recommended and required protocol version lists into the
private section of the dirvote header, and turn them into macros.
Preparation for 33285.
This patch ensures that we always lowercase the BridgeDistribution from
torrc in descriptors before submitting it.
See: https://bugs.torproject.org/32753
Conflicts:
doc/tor.1.txt
src/app/config/config.c
src/app/config/or_options_st.h
src/core/mainloop/connection.h
Between 042 and 043, the dirauth options were modularized so this merge commit
address this by moving the AuthDirRejectUncompressedRequests to the module
along with a series of accessors.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Authorities were never sending back 503 error code because by design they
should be able to always answer directory requests regardless of bandwidth
capacity.
However, that recently backfired because of a large number of requests from
unknown source using the DirPort that are _not_ getting their 503 code which
overloaded the DirPort leading to the authority to be unable to answer to its
fellow authorities.
This is not a complete solution to the problem but it will help ease off the
load on the authority side by sending back 503 codes *unless* the connection
is from a known relay or an authority.
Fixes#33029
Signed-off-by: David Goulet <dgoulet@torproject.org>
This controls the previous feature added that makes dirauth send back a 503
error code on non relay connections if under bandwidth pressure.
Signed-off-by: David Goulet <dgoulet@torproject.org>
The configured, within the torrc or hardcoded, directory authorities addresses
are now added to the nodelist address set.
Signed-off-by: David Goulet <dgoulet@torproject.org>
We separate v4 and v6 because we often use an IPv4 address represented with
a uint32_t instead of a tor_addr_t.
This will be used to also add the trusted directory addresses taken from the
configuration.
The trusted directories from the consensus are already added to the address
set from their descriptor.
Signed-off-by: David Goulet <dgoulet@torproject.org>
That function is only used to test the global bucket write limit for a
directory connection.
It should _not_ be used for anything else since that function looks to see if
we are a directory authority.
Rename it to something more meaningful. No change in behavior at this commit,
only renaming.
Part of #33029
Signed-off-by: David Goulet <dgoulet@torproject.org>
clang-format sometimes thinks that "#name" should be written as
"# name" if it appears at the start of a line. Using () appears
to suppress this, while confusing Coccinelle.
Doing this makes our macro usage a little clear IMO, and also avoids
having to use an unadorned "new" within a macro. (Clang-format
seems to think that "new" means we're doing C++, and so it generates
some output that checkSpace.pl doesn't care for.)
These belong in util_bug.h (and they already are there).
Their presence made clang-format misindent these functions in a way
that checkSpace.pl dislikes.
