Return early when there is no suitable IPv6 ORPort.
Show the address and port on error, using a convenience function.
Code simplification and refactoring.
Cleanup after 32588.
When IPv6 ORPorts are set to "auto", tor relays and bridges would
advertise an incorrect port in their descriptor.
This may be a low-severity memory safety issue, because the published
port number may be derived from uninitialised or out-of-bounds memory
reads.
Fixes bug 32588; bugfix on 0.2.3.9-alpha.
Previously we just ignored this option, which would leave it unset,
and cause an assertion failure later on when running with the User
option.
Fixes bug 33668; bugfix on 0.4.3.1-alpha.
Add an inline helper function that indicates if the cached object contains a
decrypted descriptor or not.
The descriptor object is NULL if tor is unable to decrypt it (lacking client
authorization) and some actions need to be done only when we have a decrypted
object.
This improves code semantic.
Fixes#33458
Signed-off-by: David Goulet <dgoulet@torproject.org>
Given that ed25519 public key validity checks are usually not needed
and (so far) they are only necessary for onion addesses in the Tor
protocol, we decided to fix this specific bug instance without
modifying the rest of the codebase (see below for other fix
approaches).
In our minimal fix we check that the pubkey in
hs_service_add_ephemeral() is valid and error out otherwise.
When a service can not upload its descriptor(s), we have no logs on why. This
adds logging for each possible reason for each descriptors.
That logging is emitted every second so it is rate limited for each reason and
per descriptor.
Closes#33400
Signed-off-by: David Goulet <dgoulet@torproject.org>
In this case, when we're looking for the voting interval, we should
try looking at the _latest_ consensus if we have one. When we're
looking for the start of the current voting period, we can use our
existing fallback logic without complaint, since the voting interval
code will already have given us a reasonable voting interval, and we
want to have a round starting time based on the current time.
This is not as clean a patch as I would like: see the comment on
ASSUME_AUTHORITY_SCHEDULING. This issue here is that the unit tests
sometimes assume that we are going to be looking at the dirauth
options and behaving like a dirauth, but without setting the options
to turn is into one.
This isn't an issue for actually running Tor, as far as I can tell
with chutney.
Most of this function was about recreating a voting schedule on
demand if it didn't exist yet or was not up-to-date. I've made that
into its own function.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
voting_schedule_recalculate_timing dirauth_sched_recalculate_timing \
voting_schedule_get_start_of_next_interval voting_sched_get_start_of_interval_after \
voting_schedule_get_next_valid_after_time dirauth_sched_get_next_valid_after_time
Apparently it is only used by the unit tests: tor doesn't want it at
all.
I've opened a new ticket (33383) to we if we should remove this
whole feature.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
MIN_DNS_TTL_AT_EXIT MIN_DNS_TTL \
MAX_DNS_TTL_AT_EXIT MAX_DNS_TTL \
dns_clip_ttl clip_dns_ttl
If we receive via 'post' a vote from a dir auth after the
fetch_missing_votes cutoff, that means we didn't get it by the time we
begin the "fetching missing votes from everybody else" phase, which means
it is very likely to cause a consensus split if we count it. Instead,
we reject it.
But we still allow votes that we fetch ourselves after that cutoff.
This is a demo branch for making progress on #4631.
I've been running it on moria1 and it catches and handles real buggy
behavior from directory authorities, e.g.
Jan 28 15:59:50.804 [warn] Rejecting vote from 199.58.81.140 received at 2020-01-28 20:59:50; our cutoff for received votes is 2020-01-28 20:52:30
Jan 28 15:59:50.805 [warn] Rejected vote from 199.58.81.140 ("Vote received too late, would be dangerous to count it").
Jan 29 01:52:52.667 [warn] Rejecting vote from 204.13.164.118 received at 2020-01-29 06:52:52; our cutoff for received votes is 2020-01-29 06:52:30
Jan 29 01:52:52.669 [warn] Rejected vote from 204.13.164.118 ("Vote received too late, would be dangerous to count it").
Jan 29 04:53:26.323 [warn] Rejecting vote from 204.13.164.118 received at 2020-01-29 09:53:26; our cutoff for received votes is 2020-01-29 09:52:30
Jan 29 04:53:26.326 [warn] Rejected vote from 204.13.164.118 ("Vote received too late, would be dangerous to count it").
Add doxygen comments to the new recommended and required subprotocol
version strings.
Add a warning to the required protocol documentation, because requiring
the wrong protocols can break the tor network. Also reference
proposal 303: When and how to remove support for protocol versions.
Part of 33285.
Move the recommended and required protocol version lists into the
private section of the dirvote header, and turn them into macros.
Preparation for 33285.
This patch ensures that we always lowercase the BridgeDistribution from
torrc in descriptors before submitting it.
See: https://bugs.torproject.org/32753
Conflicts:
doc/tor.1.txt
src/app/config/config.c
src/app/config/or_options_st.h
src/core/mainloop/connection.h
Between 042 and 043, the dirauth options were modularized so this merge commit
address this by moving the AuthDirRejectUncompressedRequests to the module
along with a series of accessors.
Signed-off-by: David Goulet <dgoulet@torproject.org>
The configured, within the torrc or hardcoded, directory authorities addresses
are now added to the nodelist address set.
Signed-off-by: David Goulet <dgoulet@torproject.org>
We separate v4 and v6 because we often use an IPv4 address represented with
a uint32_t instead of a tor_addr_t.
This will be used to also add the trusted directory addresses taken from the
configuration.
The trusted directories from the consensus are already added to the address
set from their descriptor.
Signed-off-by: David Goulet <dgoulet@torproject.org>
That function is only used to test the global bucket write limit for a
directory connection.
It should _not_ be used for anything else since that function looks to see if
we are a directory authority.
Rename it to something more meaningful. No change in behavior at this commit,
only renaming.
Part of #33029
Signed-off-by: David Goulet <dgoulet@torproject.org>
clang-format sometimes thinks that "#name" should be written as
"# name" if it appears at the start of a line. Using () appears
to suppress this, while confusing Coccinelle.
Doing this makes our macro usage a little clear IMO, and also avoids
having to use an unadorned "new" within a macro. (Clang-format
seems to think that "new" means we're doing C++, and so it generates
some output that checkSpace.pl doesn't care for.)
When the ONION_CLIENT_AUTH_REMOVE command is given to tor, now also remove the
descriptor associated with the client authorization credentials.
Fixes#33148
Signed-off-by: David Goulet <dgoulet@torproject.org>
When we added the ACTIVE and DORMANT virtual signals, we taught the
signal command to handle them, but we didn't teach SIGNAL event to
report them.
To solve this problem and prevent it from recurring, this patch
revises the implementation of control_event_signal() to use the same
signal_table that handle_control_signal() uses. This way, the two
controller commands can't become out of sync.
Fixes bug 33104; bugfix on 0.4.0.1-alpha.
Now we use the exact same INTRO2 decrypt logic regardless of whether the
service is an OB instance or not.
The new get_subcredential_for_handling_intro2_cell() function is responsible
for loading the right subcredentials in either case.
This approach saves us a pair of curve25519 operations for every
subcredential but the first. It is not yet constant-time.
I've noted a few places where IMO we should refactor the code so
that the complete list of subcredentials is passed in earlier.
At this commit, the service reads the config file and parse it to finally set
the service config object with the options.
Part of #32709
Signed-off-by: David Goulet <dgoulet@torproject.org>
The hs_parse_address() can not be used without an options_t object existing
since on error it uses the escaped_safe_str() that looks at the options.
This new function won't log and returns an error message in case of failure
that can then be used to log.
Signed-off-by: David Goulet <dgoulet@torproject.org>
* ticket 32695 removed networkstatus_consensus_has_ipv6(),
keep that change in master.
* ticket 20218 modifies the function name and comment for
routerstatus_has_visibly_changed(), keep that change
in ticket20218_rebased_squashed.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
routerstatus_has_changed routerstatus_has_visibly_changed
It was generated with --no-verify, since it introduces a wide line.
I'll fix it in a subsequent commit.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
directory_must_use_begindir dirclient_must_use_begindir \
directory_fetches_from_authorities dirclient_fetches_from_authorities \
directory_fetches_dir_info_early dirclient_fetches_dir_info_early \
directory_fetches_dir_info_later dirclient_fetches_dir_info_later \
directory_too_idle_to_fetch_descriptors dirclient_too_idle_to_fetch_descriptors
To make Tor still work, we define a minimal dircache_stub.c file
that defines the entry points to the module that can actually be
seen by the compiler when we're building with dircache and relay
disabled.
This function had some XXX comments indicating (correctly) that it
was not actually used by the dirserver code, and that only the
controller still used it.
We already check if there are invalid values in
check_bridge_distribution_setting() and reject the value if that is the
case. We can therefore only have strings of [A-Z] | [a-z] | [0-9] | '-'
| '_' here which is according to the directory specification.
See: https://bugs.torproject.org/32753
Fix dirauth and relay module include.am add_c_file.py
"control line not preceded by a blank line" errors.
Also remove a duplicate ADD_C_FILE: SOURCES in the relay module.
Obviously correct fixes to already-reviewed code.
This patch makes sure we lowercase the value of BridgeDistribution
before we add it to the descriptor as `bridge-distribution-request`.
See: https://bugs.torproject.org/32753
This patch makes sure that we accept values such as "nOne", "None", and
"AnY" as valid values for BridgeDistribution. We later ensure to
lower-case the values before they are forwarded to the BridgeDB.
See: https://bugs.torproject.org/32753
When the BridgeDistribution value was added in commit
ebab521525 the check for whether the value
contains '\n' or '\r' was added as a requirement for whether or not the
value should be escaped.
This patch removes this check and makes sure we call `escaped()` on the
value every time before we add it to a descriptor.
See: https://bugs.torproject.org/32753
We hit this assertion with bug 32868, but I'm stymied figuring out
how we wound up with a routerstatus like this. This patch is a
diagnostic to attempt to figure out what is going on, and to avoid a
crash in the meantime.
When looking up an entry in the rend_cache, stop asserting that it exists but
rather confirm it exists and if not, return that no entry was found.
The reason for that is because the hs_circ_cleanup_on_free() function (which
can end up looking at the rend_cache) can be called from the
circuit_free_all() function that is called _after_ the rend cache is cleaned
up in tor_free_all().
We could fix the free all ordering but then it will just hide a future bug.
Instead, handle a missing rend_cache as a valid use case as in while we are in
the cleanup process.
As Tor becomes more modular, it is getting more and more difficult to ensure
subsystem callstack ordering thus this fix aims at making the HSv2 subsystem
more robust at being called while tor is pretty much in any kind of state.
Fixes#32847.
Signed-off-by: David Goulet <dgoulet@torproject.org>
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
EXPOSE_CLEAN_BACKTRACE BACKTRACE_PRIVATE \
TOR_CHANNEL_INTERNAL_ CHANNEL_OBJECT_PRIVATE \
CHANNEL_PRIVATE_ CHANNEL_FILE_PRIVATE \
EXPOSE_ROUTERDESC_TOKEN_TABLE ROUTERDESC_TOKEN_TABLE_PRIVATE \
SCHEDULER_PRIVATE_ SCHEDULER_PRIVATE
Some ".c" files define *_PRIVATE macros, but those macros are
not used in any header file. Delete them.
These changes were created using the "make autostyle" from
32522, and then split into commits.
I've chosen the "AuthDirMaxServersPerAddr" option here for
simplicity, since it is used literally nowhere else besides the dirauth
module. Once we have all the infrastructure in place for this, we
can move more options into this structure.
These modules are only built when the selected modules are disabled.
The provide stub implementations of the subsystem blocks. Later,
other stub implementations could move here.
Having real subsystem blocks here will let us handle disabled
configuration options better.
With v3, the "pending_final_cpath" of a circuit is always NULL which means
that for v3, established client rendezvous circuit waiting for the intro point
to ACK, will always end up timing out quickly.
This can increase the delays to which you connect to a service since in order
to succeed, the rendezvous circuit needs to fully established
(CIRCUIT_PURPOSE_C_REND_JOINED) within the cutoff of the introduction circuit
as well which is these days around 2-3 seconds.
Fixes#32021
Signed-off-by: David Goulet <dgoulet@torproject.org>
Simplify handle_control_getinfo() by using the new reply lines
abstraction. Previously, this function explicitly checked for whether
it should generate a MidReplyLine, a DataReplyLine, or an
EndReplyLine. control_write_reply_lines() now abstracts this check.
Part of #30984.
In handle_control_getconf(), use the new control reply line
abstraction to simplify output generation. Previously, this function
explicitly checked for whether it should generate a MidReplyLine or an
EndReplyLine. control_write_reply_lines() now abstracts this check.
Part of #30984.
All of these files contain "*.h", except for:
* src/app/config/.may_include
* src/test/.may_include
which also contain "*.inc".
This change prevents includes of "*.c" files, and other
unusually named files.
Part of 32609.
- Remove key_dir which is useless.
- Kill an indentation layer.
We want to make it cleaner and slimmer so that we can reuse parts of it in the
REMOVE command for removing the right client auth file.
Because the function that parses client auth credentials saved on
disk (parse_auth_file_content()) is not future compatible, there is no way to
add support for storing the nickname on the disk. Hence, nicknames cannot
persist after Tor restart making them pretty much useless.
In the future we can introduce nicknames by adding a new file format for client
auth credentials, but this was not deemed worth doing at this stage.
- See hs_client_register_auth_credentials() for the entry point.
- Also set the permanent flag for credentials we read from the filesystem.
- Also add some missing documentation.
Since the removal of ip->circuit_established, this function does litterally
nothing so clean it up.
Part of #32020
Signed-off-by: David Goulet <dgoulet@torproject.org>
By centralizing the circuit cleanup type that is: on close, free and
repurpose, some actions on the circuit can not happen for a certain cleanup
type or for all types.
This passes a cleanup type so the HS subsystem (v2 and v3) can take actions
based on the type of cleanup.
For instance, there is slow code that we do not run on a circuit close but
rather only on free.
Part of #32020
Signed-off-by: David Goulet <dgoulet@torproject.org>
Report back to the v3 subsystem any introduction point client circuit failure
so they can be noted down in the failure cache.
Fixes#32020
Signed-off-by: David Goulet <dgoulet@torproject.org>
Old and messy code path. Structure it in a more pleasant and readable way. No
behavior change with this refactor.
Part of #32020
Signed-off-by: David Goulet <dgoulet@torproject.org>
The FP_ identifiers referred to fingerprints, but they also applied
to address ranges. The router_status_t name invited confusion with
routerstasus_t. Fixes ticket 29826.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
router_status_t rtr_flags_t \
FP_INVALID RTR_INVALID \
FP_BADEXIT RTR_BADEXIT \
FP_REJECT RTR_REJECT
Refactor to decomplexify circuit_about_to_free() and finally have one single
entry point into the HS subsystems (v2 and v3) for when a circuit is freed.
With this, hs_circ_cleanup() becomes the one and only entry point when a
circuit is freed which then routes to the right subsystem version for any
actions to be taken.
This moves a big chunk of code from circuituse.c to rendclient.c. No behavior
change. Next commit will refactor it to reduce our technical debt.
Part of #32020
Signed-off-by: David Goulet <dgoulet@torproject.org>
We now keep descriptor that we can't decode due to missing client
authorization in the cache.
This new function is used when new client authorization are added and to tell
the client cache to retry decoding.
Part of #30382
Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit extract most of the code that dirclient.c had to handle the end of
a descriptor directory requests (fetch). It is moved into hs_client.c in order
to have one single point of entry and the rest is fully handled by the HS
subsystem.
As part of #30382, depending on how the descriptor ended up stored (decoded or
not), different SOCKS error code can be returned.
Signed-off-by: David Goulet <dgoulet@torproject.org>
This will allow us to callback into the HS subsytem depending on the decoding
status and return an extended SOCKS5 error code depending on the decoding
issue.
This is how we'll be able to tell the SocksPort connection if we are missing
or have bad client authorization for a service.
Part of #30382
Signed-off-by: David Goulet <dgoulet@torproject.org>
We now keep the descriptor in the cache, obviously not decoded, if it can't be
decrypted for which we believe client authorization is missing or unusable
(bad).
This way, it can be used later once the client authorization are added or
updated.
Part of #30382
Signed-off-by: David Goulet <dgoulet@torproject.org>
Using a standard ending here will let other tools that expect
markdown understand our output here.
This commit was automatically generated with:
for fn in $(find src -name '*.dox'); do \
git mv "$fn" "${fn%.dox}.md"; \
done
In our old design, we had to declare configuration structures (like
or_options_t) and variable tables (like option_vars_) separately,
and we used some magic to enforce their consistency (see
conftesting.h).
With this design, we write a single definition for the configuration
object and its fields, and use C macros to expand it either into a
structure, or a variable table. Since they are both made from the
same source, they can't become inconsistent.
The two designs can coexist happily, and we can migrate from one to
the other at our convenience.
When the relay module is disabled, make "ClientOnly 1" and
"DirCache 0" by default. (But keep "ClientOnly 0" and
"DirCache 1" as the defaults for the unit tests.)
And run "make autostyle".
Part of ticket 32410.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
get_dirportfrontpage relay_get_dirportfrontpage \
parse_port_config port_parse_config \
count_real_listeners port_count_real_listeners \
parse_transport_line pt_parse_transport_line \
ensure_bandwidth_cap config_ensure_bandwidth_cap \
get_effective_bwrate relay_get_effective_bwrate \
get_effective_bwburst relay_get_effective_bwburst \
warn_nonlocal_ext_orports port_warn_nonlocal_ext_orports \
parse_ports_relay port_parse_ports_relay \
update_port_set_relay port_update_port_set_relay \
get_transport_bindaddr_from_config pt_get_bindaddr_from_config \
get_options_for_server_transport pt_get_options_for_server_transport
It was generated with --no-verify, because it has some long lines.
Part of 32213.
This includes app, core, feature, lib, and tools, but excludes
ext, test, and trunnel.
This was generated by the following shell script:
cd src
for dname in $(find lib core feature app tools -type d |grep -v \\.deps$); do
keyword="$(echo "$dname" |sed -e "s/\//_/" )"
target="${dname}/${keyword}.dox"
echo "$target"
cat <<EOF >"$target"
/**
@dir ${dname}
@brief ${dname}
**/
EOF
git add "$target"
done
This commit:
* disables the ExtORPort, ServerTransportPlugin,
ServerTransportListenAddress, and ServerTransportOptions options,
when the relay module is disabled.
Part of 32213.
This commit:
* disables the ORPort, DirPort, DirCache, and BridgeRelay options,
* sets ClientOnly 1,
* disables relay_config.c and relay/transport_config.c,
* disables test_rebind.sh, and
* modifies the expected results for test_parseconf.sh,
when the relay module is disabled.
Part of 32213.
Minor simplification and refactoring.
Make the dirauth tests focus on testing the intention of the code,
rather than option processing order.
Part of 32213.
The DoS heartbeat now contains the number of rejected INTRODUCE2 cell that the
relay has seen.
Closes#31371
Signed-off-by: David Goulet <dgoulet@torproject.org>
This required a small refactoring so we could count properly the INTRO2
sending disallow.
Part of #31371
Signed-off-by: David Goulet <dgoulet@torproject.org>
This commit:
* moves dirauth stats and mtbf config actions into dirauth_config,
* adds thin wrappers to make the moved code compile.
The moved code is disabled when the dirauth module is disabled.
Part of 32213.
This commit:
* moves relay config actions into relay_config,
* moves get_dirportfrontpage() into relay_config,
* adds thin wrappers to make the moved code compile.
No functional changes: the moved code is still enabled,
even if the relay module is disabled. (Some of the checks
are re-ordered, so the order of some warnings may change.)
Part of 32213.
This commit:
* moves server transport config checks into transport_config.c,
* adds thin wrappers to make the moved code compile.
No functional changes: the moved code is still enabled,
even if the relay module is disabled. (Some of the checks
are re-ordered, so the order of some warnings may change.)
Part of 32213.
This commit:
* moves bandwidth checks into dirauth_config, and
* moves some other minor checks into dirauth_config.
The moved code is disabled when the dirauth module is disabled.
(And some of the checks are re-ordered, so the order of some
warnings may change.)
Part of 32213.
This commit:
* moves accounting and bandwidth checks into relay_config,
* moves testing options checks into relay_config,
* moves some other minor checks into relay_config,
* exposes some code from src/app/config.c
(we'll refactor it later in 29211), and
* adds thin wrappers to make the moved code compile.
No functional changes: the moved code is still enabled,
even if the relay module is disabled. (Some of the checks
are re-ordered, so the order of some warnings may change.)
Part of 32213.
This commit:
* creates feature/relay/transport_config.[ch],
* moves server transport config checks into them,
* exposes some code from src/app/config.c
(we'll refactor it later in 29211), and
* adds thin wrappers to make the moved code compile.
No functional changes: the moved code is still enabled,
even if the relay module is disabled. (Some of the checks
are re-ordered, so the order of some warnings may change.)
Part of 32213.
This commit:
* moves relay config checks into relay_config.[ch],
* exposes some code from src/app/config.c
(we'll refactor it later in 29211), and
* adds thin wrappers to make the moved code compile.
No functional changes: the moved code is still enabled,
even if the relay module is disabled. (Some of the checks
are re-ordered, so the order of some warnings may change.)
Part of 32213.
This commit:
* creates feature/relay/relay_config.[ch],
* moves relay port parsing into them,
* exposes some code from src/app/config.c
(we'll refactor it later in 29211), and
* adds thin wrappers to make the moved code compile.
No functional changes: the moved code is still enabled,
even if the relay module is disabled.
Part of 32213.
This commit:
* creates feature/dirauth/dirauth_config.[ch],
* moves the dirauth config code into them,
* copies some macros from src/app/config.c
(we'll refactor them later in 29211), and
* adds thin wrappers to make the moved code compile.
No functional changes: the moved code is still enabled,
even if the dirauth module is disabled.
Part of 32213.
When picking an intro point from the service descriptor, the client failed to
lookup the failure cache.
It made an HS v2 client re-pick bad intro points for which we already know it
won't work in the first place.
Based on Neel Chauhan original patch.
Fixes#25568
Signed-off-by: David Goulet <dgoulet@torproject.org>
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
confparse.h confmgt.h \
confparse.c confmgt.c \
CONFPARSE_PRIVATE CONFMGT_PRIVATE \
TOR_CONFPARSE_H TOR_CONFMGT_H
The former foo_validate() functions are now toplevel
legacy_validate_fn callbacks. The new foo_validate() functions now
call them.
This change lets us remove the old shared_random disk state
validation callback entirely.
The current API of this callback mixes responsibilities, including:
* validation
* transition checking
* processing (modifying) the configuration object.
These will have to be disentangled piece by piece, so for now, we'll
have "legacy" validate functions as well.
This is an automated commit, generated by this command:
./scripts/maint/rename_c_identifier.py \
validate_fn_t legacy_validate_fn_t \
validate_fn legacy_validate_fn
Single hop rejection (POST and GET) for HS v3 descriptor now return a 503 code
which is more accurate code from dir-spec.txt and from other rejection case in
the code.
For instance if you are not a relay and you get a POST request, a 503 code is
sent back with a rejection message.
Part of #31958
Signed-off-by: David Goulet <dgoulet@torproject.org>
First, remove the HSDir mention which should not be in that generic function.
Second, move them to debug() level since they are possible error case.
Part of #31958
Signed-off-by: David Goulet <dgoulet@torproject.org>
Before inspecting the p_chan, we must check if the circuit is marked for close
because if it is the case, the channels are nullified from the circuit.
Several valid cases can mark the circuit for close of the directory
connection.
Fixes#31958
Signed-off-by: David Goulet <dgoulet@torproject.org>
hs_client_purge_state() and hs_cache_clean_as_client() can remove a descriptor
from the client cache with a NEWNYM or simply when the descriptor expires.
Which means that for an INTRO circuit being established during that time, once
it opens, we lookup the descriptor to get the IP object but hey surprised, no
more descriptor.
The approach here is minimalist that is accept the race and close the circuit
since we can not continue. Before that, the circuit would stay opened and the
client wait the SockTimeout.
Fixers #28970.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Only use the HS circuit map to know if an introduction circuit is established
or not. No need for a flag to keep state of something we already have in the
circuit map. Furthermore, the circuit map gets cleaned up properly so it will
always have the "latest truth".
This commit also removes a unit test that was testing specifically that flag
but now we rely solely on the HS circuit map which is also tested few lines
below the removed test.
Fixes#32094
Signed-off-by: David Goulet <dgoulet@torproject.org>
Our minimum version is now 0.2.9.5-alpha. Series 0.3.0, 0.3.1,
0.3.2, 0.3.3, and 0.3.4 are now rejected.
Also, extract this version-checking code into a new function, so we
can test it.
Closes ticket 31549.
Also reject 0.3.5.0 through 0.3.5.6-rc as unstable.
Conflicts:
src/feature/dirparse/authcert_parse.c
src/feature/dirparse/ns_parse.c
src/feature/hs/hs_service.c
src/lib/conf/conftesting.h
src/lib/log/log.h
src/lib/thread/threads.h
src/test/test_options.c
These conflicts were mostly related to autostyle improvements, with
one or two due to doxygen fixes.
This patch removes an overly strict tor_assert() and an ignorable BUG()
expression. Both of these would trigger if a PT was unable to configure
itself during startup. The easy way to trigger this is to configure an
obfs4 bridge where you make the obfs4 process try to bind on a port
number under 1024.
See: https://bugs.torproject.org/31091
This commit introduces the hs_desc_decode_status_t enum which aims at having
more fine grained error code when decoding a descriptor.
This will be useful in later commits when we support keeping a descriptor that
can't be decrypted due to missing or bad client authorization creds.
No behavior change.
Part of #30382.
Signed-off-by: David Goulet <dgoulet@torproject.org>
No code behavior change. This removes duplicate code that was finding all
entry connections for a specific onion service identity key.
The find_entry_conns() helper function is introduced for that.
Part of #30382
Signed-off-by: David Goulet <dgoulet@torproject.org>
Because we need to construct the URI using the TCPProxy configuration
but we don't have a standard URI scheme for haproxy yet, we decided to
not support TCPProxy in TOR_PT_PROXY now. There is no problem with
HTTPSProxy, Socks4Proxy, or Socks5Proxy because they all have standard
URI schemes.
In case of error, a negative value will be returned or NULL written into
first supplied argument.
This patch uses both cases to comply with style in the specific files.
A tor_vasprintf error in process_vprintf would lead to a NULL dereference
later on in buf_add, because the return value -1 casted to size_t would
pass an assertion check inside of buf_add.
On the other hand, common systems will fail on such an operation, so it
is not a huge difference to a simple assertion. Yet it is better to
properly fail instead of relying on such behaviour on all systems.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Found by coverity CID 1454769.
There were a second possible leak that is also fixed in this commit.
Fixes#32063
Signed-off-by: David Goulet <dgoulet@torproject.org>
When considering introduction point of a service's descriptor, do not remove
an intro point that has an established or pending circuit.
Fixes#31652
Signed-off-by: David Goulet <dgoulet@torproject.org>
When encoding introduction points, we were not checking if that intro points
had an established circuit.
When botting up, the service will pick, by default, 3 + 2 intro points and the
first 3 that establish, we use them and upload the descriptor.
However, the intro point is removed from the service descriptor list only when
the circuit has opened and we see that we have already enough intro points, it
is then removed.
But it is possible that the service establishes 3 intro points successfully
before the other(s) have even opened yet.
This lead to the service encoding extra intro points in the descriptor even
though the circuit is not opened or might never establish (#31561).
Fixes#31548
Signed-off-by: David Goulet <dgoulet@torproject.org>
Our minimum version is now 0.2.9.5-alpha. Series 0.3.0, 0.3.1,
0.3.2, 0.3.3, and 0.3.4 are now rejected.
Also, extract this version-checking code into a new function, so we
can test it.
Closes ticket 31549.
Also reject 0.3.5.0 through 0.3.5.6-rc as unstable.
There is a bad design choice in two of our configuration types,
where the empty string encodes a value that is not the same as the
default value. This design choice, plus an implementation mistake,
meant that config_dup() did not preserve the value of routerset_t,
and thereby caused bug #31495.
This comment-only patch documents the two types with the problem,
and suggests that implementors try to avoid it in the future.
Closes ticket 31907.
- The function `decrypt_desc_layer` has a cleaner interface.
- `is_superencrypted_layer` changed from `int` -> `bool`
[ticket details](https://trac.torproject.org/projects/tor/ticket/31589)
add(changes/*): changes file
fix(src/features/hs): is_superencrypted changed from `int` -> `bool`
fix(changes/ticket31589): header
add(changes/ticket31589): subsystem(onion services) to change
The code here parses the fields from the microdescriptor, including
possible annotations, and stores them into a microdesc_t object.
This commit is almost pure code movement; I recommend using
--color-moved to review it.
This code is logically independent of the rest of the function, and
goes better in its own function.
This is almost purely code movement; I suggest reviewing with
--color-moved.
Our dimap code asserts if you try to add the same key twice; this
can't happen if everything is running smoothly, but it's possible if
you try to start a relay where secret_onion_key_ntor is the same as
secret_onion_key_ntor.old.
Fixes bug 30916; bugfix on 0.2.4.8-alpha when ntor keys were
introduced.
We have code in microdescs_parse_from_string() to record the digests
of microdescriptors that we could not parse. But right now, that
code looks at the md->digest field, which is a bit inelegant, and
will stand in the way of sensible refactoring.
Instead, use a local variable to hold the digest.
When tor is missing descriptors for some primary entry guards, make the
log message less alarming. It's normal for descriptors to expire, as long
as tor fetches new ones soon after.
Fixes bug 31657; bugfix on 0.3.3.1-alpha.
