Commit Graph

8291 Commits

Author SHA1 Message Date
Sebastian Hahn
da3a6e724f Rate-limit unsafe socks warning
Pick 5 seconds as the limit. 5 seconds is a compromise here between
making sure the user notices that the bad behaviour is (still) happening
and not spamming their log too much needlessly (the log message is
pretty long). We also keep warning every time if safesocks is
specified, because then the user presumably wants to hear about every
blocked instance.

(This is based on the original patch by Sebastian, then backported to
0.2.2 and with warnings split into their own function.)
2010-11-15 13:57:37 -05:00
Karsten Loesing
ff1cf35442 Don't use log_err for non-criticial warnings. 2010-11-15 13:39:53 +01:00
Karsten Loesing
cec21652a7 Try harder not to exceed the 50 KB extra-info descriptor limit.
Our checks that we don't exceed the 50 KB size limit of extra-info
descriptors apparently failed. This patch fixes these checks and reserves
another 250 bytes for appending the signature. Fixes bug 2183.
2010-11-15 12:51:51 +01:00
Nick Mathewson
dbba84c917 Avoid perma-blocking the controller on bug in shrink_freelist
In all likelihood, this bug would make Tor assert, but if it doesn't,
let's not have two bugs.
2010-11-12 13:05:58 -05:00
Robert Ransom
a421e284d0 Disable logging to control port connections in buf_shrink_freelists.
If buf_shrink_freelists calls log_warn for some reason, we don't want the log
call itself to throw buf_shrink_freelists further off the rails.
2010-11-12 03:07:09 -08:00
Robert Ransom
81affe1949 Move the original log_info call out of the core of buf_shrink_freelists.
Sending a log message to a control port can cause Tor to allocate a buffer,
thereby changing the length of the freelist behind buf_shrink_freelists's back,
thereby causing an assertion to fail.

Fixes bug #1125.
2010-11-12 03:04:07 -08:00
Robert Ransom
6a0657d4bb Disable logging to control port connections in buf_shrink_freelists.
If buf_shrink_freelists calls log_warn for some reason, we don't want the log
call itself to throw buf_shrink_freelists further off the rails.
2010-11-12 02:34:58 -08:00
Robert Ransom
6d2e02d79b Move the original log_info call out of the core of buf_shrink_freelists.
Sending a log message to a control port can cause Tor to allocate a buffer,
thereby changing the length of the freelist behind buf_shrink_freelists's back,
thereby causing an assertion to fail.

Fixes bug #1125.
2010-11-12 02:34:51 -08:00
Roger Dingledine
362bb5c625 Merge branch 'maint-0.2.1' into maint-0.2.2 2010-11-11 12:12:17 -05:00
Roger Dingledine
0a38358210 let unpublished bridges learn their ip address too 2010-11-11 11:26:42 -05:00
Nick Mathewson
a4bf5b51e9 Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 2010-11-10 16:06:43 -05:00
Nick Mathewson
2a50dd9359 Enforce multiplicity rules when parsing annotations.
We would never actually enforce multiplicity rules when parsing
annotations, since the counts array never got entries added to it for
annotations in the token list that got added by earlier calls to
tokenize_string.

Found by piebeer.
2010-11-10 16:02:02 -05:00
Nick Mathewson
089137f011 Fix a bug where seting allow_annotations==0 only ignores annotations, but does not block them 2010-11-10 16:02:02 -05:00
Nick Mathewson
accc51b68c Bulletproof the routerlist manipulation functions to handle reinserting the same descriptor 2010-11-10 14:55:00 -05:00
Sebastian Hahn
5040c855d1 Break NoPublish support 2010-11-10 15:48:26 +01:00
Sebastian Hahn
556a1b9e45 Change Natd into NATD in our options.
Breaking this out of the last commit because this might be more
controversial.
2010-11-10 15:48:26 +01:00
Sebastian Hahn
b9cac605ab Synx manpage and source wrt option capitalization
We had a spelling discrepancy between the manpage and the source code
for some option. Resolve these in favor of the manpage, because it
makes more sense (for example, HTTP should be capitalized).
2010-11-10 15:48:26 +01:00
Sebastian Hahn
13a7e8bea3 Comment out the (unused) RunTesting option
The code that makes use of the RunTesting option is #if 0, so setting
this option has no effect. Mark the option as obsolete for now, so that
Tor doesn't list it as an available option erroneously.
2010-11-10 15:48:25 +01:00
Sebastian Hahn
40fd0c1ca1 Remove the torrc.complete file.
We haven't been keeping it up to date, and the manpage exists as a
replacement for users who want an overview of all available options.
2010-11-10 15:48:25 +01:00
Roger Dingledine
70411a50b1 move to the november 1 maxmind geoip db 2010-11-06 17:41:36 -04:00
Nick Mathewson
114a371c0e Fix the assert in bug 1776
In the case where old_router == NULL but sdmap has an entry for the
router, we can currently safely infer that the old_router was not a
bridge.  Add an assert to ensure that this remains true, and fix the
logic not to die with the tor_assert(old_router) call.
2010-11-02 11:20:09 -04:00
Sebastian Hahn
f87c6f100d Remove delay to become HSDir in privnets 2010-10-26 18:37:57 +02:00
Sebastian Hahn
213139f887 Properly refcount client_identity_key
In a2bb0bf we started using a separate client identity key. When we are
in "public server mode" (that means not a bridge) we will use the same
key. Reusing the key without doing the proper refcounting leads to a
segfault on cleanup during shutdown. Fix that.

Also introduce an assert that triggers if our refcount falls below 0.
That should never happen.
2010-10-26 18:22:04 +02:00
Nick Mathewson
441241c136 Fix a whitespace error 2010-10-21 16:12:04 -04:00
Nick Mathewson
1587735c90 Merge branch 'bug988-nm' into maint-0.2.2 2010-10-21 16:11:02 -04:00
Nick Mathewson
03adb8caad Add some asserts to get_{tlsclient|server}_identity_key
We now require that:
  - Only actual servers should ever call get_server_identity_key
  - If you're being a client or bridge, the client and server keys should
    differ.
  - If you're being a public relay, the client and server keys
    should be the same.
2010-10-21 13:54:12 -04:00
Nick Mathewson
704076680a Rename get_client_identity_key to get_tlsclient_identity_key 2010-10-21 13:54:02 -04:00
Nick Mathewson
5f3010667d Fix a remaining bug in Robert's bug1859 fix.
When intro->extend_info is created for an introduction point, it
only starts out with a nickname, not necessarily an identity digest.
Thus, doing router_get_by_digest isn't necessarily safe.
2010-10-21 11:09:35 -04:00
Nick Mathewson
0e8d1c2217 Merge remote branch 'hoganrobert/bug1859' into maint-0.2.2 2010-10-21 11:01:12 -04:00
Nick Mathewson
ea7f4be6d2 Merge remote branch 'sebastian/relay_early_rend' into maint-0.2.2 2010-10-21 10:49:44 -04:00
Nick Mathewson
0ac9a3df6c Fix a logic error in 98aee84. Found by boboper 2010-10-20 14:40:09 -04:00
Nick Mathewson
2849a95691 Add a ! to directory_caches_dir_info() to fix a logic error
We want to fetch directory info more aggressively if we need it to
refuseunknownexits.  Thus, we'll want it if our exit policy is _NOT_
reject *.
2010-10-20 13:49:38 -04:00
Nick Mathewson
98aee8472f Fix a read of a freed pointer while in set_current_consensus
Found by rransom while working on issue #988.  Bugfix on
0.2.2.17-alpha.  Fixes bug 2097.
2010-10-20 13:10:20 -04:00
Sebastian Hahn
d3b67cba3c Send relay_early cells in rend circs
There are no relay left that run version 0.2.1.3 through 0.2.1.18, so
changing this behaviour should be safe now.
2010-10-18 07:46:51 +02:00
Robert Hogan
0acd5e6208 Issues with router_get_by_nickname()
https://trac.torproject.org/projects/tor/ticket/1859

Use router_get_by_digest() instead of router_get_by_hexdigest()
in circuit_discard_optional_exit_enclaves() and
rend_client_get_random_intro(), per Nick's comments.

Using router_get_by_digest() in rend_client_get_random_intro() will
break hidden services published by Tor versions pre 0.1.2.18 and
0.2.07-alpha as they only publish by nickname. This is acceptable
however as these versions only publish to authority tor26 and
don't work for versions in the 0.2.2.x series anyway.
2010-10-17 12:27:57 +01:00
Robert Hogan
2d8f7a8391 Issues with router_get_by_nickname()
https://trac.torproject.org/projects/tor/ticket/1859

There are two problems in this bug:

1. When an OP makes a .exit request specifying itself as the exit, and the exit
   is not yet listed, Tor gets all the routerinfos needed for the circuit but
   discovers in circuit_is_acceptable() that its own routerinfo is not in the
   routerdigest list and cannot be used. Tor then gets locked in a cycle of
   repeating these two steps. When gathering the routerinfos for a circuit,
   specifically when the exit has been chosen by .exit notation, Tor needs to
   apply the same rules it uses later on when deciding if it can build a
   circuit with those routerinfos.

2. A different bug arises in the above situation when the Tor instance's
   routerinfo *is* listed in the routerlist, it shares its nickname with a
   number of other Tor nodes, and it does not have 'Named' rights to its
   nickname.
   So for example, if (i) there are five nodes named Bob in the network, (ii) I
   am running one of them but am flagged as 'Unnamed' because someone else
   claimed the 'Bob' nickname first, and (iii) I run my Tor as both client
   and exit the following can happen to me:
     - I go to www.evil.com
     - I click on a link www.evil.com.bob.exit
     - My request will exit through my own Tor node rather than the 'Named'
       node Bob or any of the others.
     - www.evil.com now knows I am actually browsing from the same computer
       that is running my 'Bob' node

So to solve both issues we need to ensure:

- When fulfilling a .exit request we only choose a routerinfo if it exists in
  the routerlist, even when that routerinfo is ours.
- When getting a router by nickname we only return our own router information
  if it is not going to be used for building a circuit.

We ensure this by removing the special treatment afforded our own router in
router_get_by_nickname(). This means the function will only return the
routerinfo of our own router if it is in the routerlist built from authority
info and has a unique nickname or is bound to a non-unique nickname.

There are some uses of router_get_by_nickname() where we are looking for the
router by name because of a configuration directive, specifically local
declaration of NodeFamilies and EntryNodes and other routers' declaration of
MyFamily. In these cases it is not at first clear if we need to continue
returning our own routerinfo even if our router is not listed and/or has a
non-unique nickname with the Unnamed flag.

The patch treats each of these cases as follows:

Other Routers' Declaration of MyFamily
 This happens in routerlist_add_family(). If another router declares our router
 in its family and our router has the Unnamed flag or is not in the routerlist
 yet, should we take advantage of the fact that we know our own routerinfo to
 add us in anyway? This patch says 'no, treat our own router just like any
 other'. This is a safe choice because it ensures our client has the same view
 of the network as other clients. We also have no good way of knowing if our
 router is Named or not independently of the authorities, so we have to rely on
 them in this.

Local declaration of NodeFamilies
 Again, we have no way of knowing if the declaration 'NodeFamilies
 Bob,Alice,Ringo' refers to our router Bob or the Named router Bob, so we have
to defer to the authorities and treat our own router like any other.

Local declaration of NodeFamilies
 Again, same as above. There's also no good reason we would want our client to
 choose it's own router as an entry guard if it does not meet the requirements
 expected of any other router on the network.

In order to reduce the possibility of error, the patch also replaces two
instances where we were using router_get_by_nickname() with calls to
router_get_by_hexdigest() where the identity digest of the router
is available.
2010-10-13 18:29:01 +01:00
Robert Ransom
a2bb0bfdd5 Maintain separate server and client identity keys when appropriate.
Fixes a bug described in ticket #988.
2010-10-04 21:51:53 -07:00
Robert Ransom
17efbe031d Maintain separate server and client TLS contexts.
Fixes bug #988.
2010-10-04 21:51:47 -07:00
Robert Ransom
d3879dbd16 Refactor tor_tls_context_new:
* Make tor_tls_context_new internal to tortls.c, and return the new
  tor_tls_context_t from it.

* Add a public tor_tls_context_init wrapper function to replace it.
2010-10-04 17:57:29 -07:00
Robert Ransom
89dffade8d Add public_server_mode function. 2010-10-04 17:57:29 -07:00
Robert Ransom
1b8c8059c7 Correct a bogus comment.
Whether or not OpenSSL reference-counts SSL_CTX objects is irrelevant;
what matters is that Tor reference-counts its wrapper objects for
SSL_CTXs.
2010-10-04 13:53:54 -04:00
Robert Ransom
c70d9d77ab Correct a couple of log messages in tortls.c 2010-10-04 13:53:48 -04:00
Robert Ransom
068185eca2 Fix several comments in tortls.c 2010-10-04 13:47:57 -04:00
Nick Mathewson
69b4138c00 Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2 2010-10-04 12:32:35 -04:00
Karsten Loesing
bad609ae6b Update to the October 1 2010 Maxmind GeoLite Country database. 2010-10-04 11:45:53 +02:00
Roger Dingledine
734ba2f937 fix comment 2010-10-01 14:11:08 -04:00
Roger Dingledine
6cb5383e56 log when we guess our ip address, not just when we fail 2010-10-01 13:32:38 -04:00
Roger Dingledine
6e00877fa3 bump to 0.2.2.17-alpha-dev 2010-10-01 04:59:11 -04:00
Roger Dingledine
a3f488a887 bump to 0.2.2.17-alpha 2010-09-30 17:49:11 -04:00
Sebastian Hahn
0702429cf7 Note an XXX about potential overflow 2010-09-30 06:24:01 +02:00
Sebastian Hahn
73def430e3 Use an upper and lower bound for bridge weights
When picking bridges (or other nodes without a consensus entry (and
thus no bandwidth weights)) we shouldn't just trust the node's
descriptor. So far we believed anything between 0 and 10MB/s, where 0
would mean that a node doesn't get any use from use unless it is our
only one, and 10MB/s would be a quite siginficant weight. To make this
situation better, we now believe weights in the range from 20kB/s to
100kB/s. This should allow new bridges to get use more quickly, and
means that it will be harder for bridges to see almost all our traffic.
2010-09-30 06:17:54 +02:00
Sebastian Hahn
45c51e3238 Fix check-spaces 2010-09-30 06:17:32 +02:00
Roger Dingledine
d17fcad3ae Merge commit 'mikeperry/bug1772' into maint-0.2.2 2010-09-30 00:00:06 -04:00
Mike Perry
7eedd0f6bc Nominaly lower the minimum timeout value to 1500.
This won't change any behavior, since it will still be rounded back
up to 2seconds, but should reduce the chances of some extra warns.
2010-09-29 20:58:09 -07:00
Roger Dingledine
3cbe463e96 Merge branch 'bug1772' into maint-0.2.2 2010-09-29 23:52:18 -04:00
Roger Dingledine
f2aa8f08cb fix two casts 2010-09-29 23:51:25 -04:00
Mike Perry
c8f731fabb Comment network liveness and change detection behavior. 2010-09-29 19:35:40 -07:00
Roger Dingledine
ceb3d4d578 no measurement circs if not enough build times
In the first 100 circuits, our timeout_ms and close_ms
are the same. So we shouldn't transition circuits to purpose
CIRCUIT_PURPOSE_C_MEASURE_TIMEOUT, since they will just timeout again
next time we check.
2010-09-29 18:05:10 -04:00
Roger Dingledine
7f10707c42 refactor and recomment; no actual changes 2010-09-29 18:01:22 -04:00
Roger Dingledine
48cd096276 Merge commit 'mikeperry/bug1739' into maint-0.2.2 2010-09-29 17:17:59 -04:00
Roger Dingledine
474e4d2722 Merge commit 'mikeperry/bug1740' into maint-0.2.2 2010-09-29 17:05:38 -04:00
Mike Perry
4324bb1b21 Cap the circuit build timeout to the max time we've seen.
Also, cap the measurement timeout to 2X the max we've seen.
2010-09-29 11:49:43 -07:00
Mike Perry
11910cf5b3 Do away with the complexity of the network liveness detection.
We really should ignore any timeouts that have *no* network activity for their
entire measured lifetime, now that we have the 95th percentile measurement
changes. Usually this is up to a minute, even on fast connections.
2010-09-29 11:49:43 -07:00
Mike Perry
0744a175af Fix state checks on liveness handling.
If we really want all this complexity for these stages here, we need to handle
it better for people with large timeouts. It should probably go away, though.
2010-09-29 11:49:43 -07:00
Mike Perry
9a77743b7b Fix non-live condition checks.
Rechecking the timeout condition was foolish, because it is checked on the
same codepath. It was also wrong, because we didn't round.

Also, the liveness check itself should be <, and not <=, because we only have
1 second resolution.
2010-09-29 11:49:31 -07:00
Mike Perry
c5b5643965 Send control port events for timeouts.
We now differentiate between timeouts and cutoffs by the REASON string and
the PURPOSE string.
2010-09-29 11:46:36 -07:00
Mike Perry
5aa4564ab9 Only count timeout data for 3 hop circuits.
Use 4/3 of this timeout value for 4 hop circuits, and use half of it for
canabalized circuits.
2010-09-29 11:41:27 -07:00
Roger Dingledine
a58610a87e even more comment 2010-09-28 23:50:56 -04:00
Roger Dingledine
512433346f improve code comments, based on comments from nick 2010-09-28 23:27:00 -04:00
Roger Dingledine
9997676802 handle ugly edge case in retrying entrynodes
Specifically, a circ attempt that we'd launched while the network was
down could timeout after we've marked our entrynodes up, marking them
back down again. The fix is to annotate as bad the OR conns that were
around before we did the retry, so if a circuit that's attached to them
times out we don't do anything about it.
2010-09-28 22:32:38 -04:00
Roger Dingledine
7de1caa33f Actually notice when our last entrynode goes down
Otherwise we'd never set have_minimum_dir_info to false, so the
"optimistic retry" would never trigger.
2010-09-28 21:59:31 -04:00
Roger Dingledine
bb22360bad optimistically retry EntryNodes on socks request
We used to mark all our known bridges up when they're all down and we
get a new socks request. Now do that when we've set EntryNodes too.
2010-09-28 19:10:23 -04:00
Roger Dingledine
8bac188572 remove a redundant assert 2010-09-28 19:10:22 -04:00
Roger Dingledine
127f37ad29 refactor; no actual changes 2010-09-28 19:10:22 -04:00
Roger Dingledine
09a715bb72 Merge branch 'maint-0.2.1' into maint-0.2.2 2010-09-28 18:37:55 -04:00
Roger Dingledine
339993b409 actually retry bridges when your network goes away 2010-09-28 18:36:15 -04:00
Roger Dingledine
a467bf5fbb a dir-spec entry for refuseunknownexits
plus quiet a log line
2010-09-27 18:32:09 -04:00
Roger Dingledine
9d7f0badb5 changelog entry for bug1751 2010-09-27 17:44:00 -04:00
Nick Mathewson
614eeb378b Merge remote branch 'sebastian/bug1964' into maint-0.2.2 2010-09-27 17:26:32 -04:00
Sebastian Hahn
c951830002 Fix a bridge segfault
When we enabled support to change statistic options without restarting
Tor we forgot to initialize geoip_countries. Fix that.
2010-09-27 23:19:25 +02:00
Nick Mathewson
c97072ef34 Merge branch 'bug1751_enabling' into maint-0.2.2 2010-09-27 17:08:03 -04:00
Nick Mathewson
6c5b9ba625 Change bug1751 enabling code based on comments from arma 2010-09-27 17:07:22 -04:00
Nick Mathewson
e385961542 Merge remote branch 'public/bug1954' into maint-0.2.2 2010-09-27 15:39:40 -04:00
Nick Mathewson
24a45f54d2 Merge branch 'bug1805' into maint-0.2.2 2010-09-27 12:25:32 -04:00
Nick Mathewson
9c8fb75edf Clean up some bug1805 comments based on arma's feedback 2010-09-27 12:23:49 -04:00
Nick Mathewson
1cbdbff961 Merge remote branch 'mikeperry/bug1952-merge' into maint-0.2.2 2010-09-27 12:17:41 -04:00
Mike Perry
0ff86042ac Implement new Wxx constraints.
Cases 1 and 3b are provably correct. Case 2b has a fallback to first try to
maximize entropy.
2010-09-27 08:53:41 -07:00
Nick Mathewson
d073d7d4eb Consistency issues in load_windows_system_library patch. Thanks Sebastian 2010-09-24 14:16:55 -04:00
Nick Mathewson
c8e1538a0b Merge remote branch 'sebastian/continuation' 2010-09-24 13:43:55 -04:00
Sebastian Hahn
851255170a Note that the torrc format doesn't need nl at end 2010-09-24 13:32:27 +02:00
Nick Mathewson
9b49a89430 Merge branch 'bug1511' 2010-09-23 23:16:25 -04:00
Nick Mathewson
0a0cc4599f Tweak continuation-and-comment logic
I think there was a read-off-the-end-of-the-buffer bug that I fixed.
At least I added some good comments, I hope.
2010-09-23 22:58:04 -04:00
Sebastian Hahn
1d29ad891e Add new torrc line continuation unit tests
We want to make sure that we don't break old torrc files that might have
used something like this made-up example:

    ContactInfo UberUser <uber@user.com> # /// Fake email! \\\
    Log info file /home/nick.mathewson/projects/tor-info.log

And we also want to support the following style of writing your torrc:

    ExcludeNodes \
    # Node1337 is run by the Bavarian Illuminati
      Node1337, \
    # The operator of Node99 looked at me funny
      Node99

The code already handles both cases, but the unit test should help prove
it.
2010-09-23 22:46:13 +02:00
Nick Mathewson
c9cb4f0a0e Rename has_completed_circuit to can_complete_circuit
Also redocument it.  Related to #1362.
2010-09-22 01:52:57 -04:00
Nick Mathewson
31f22505a6 Merge remote branch 'arma/bug1362' 2010-09-22 01:45:57 -04:00
Nick Mathewson
4ef9ccc883 Changes to bug1959_part1 on review from arma.
Significant one: we want to say "not enough entry nodes descriptors, so we
can't build circuits" only when we have 0 descriptors.
2010-09-22 01:30:23 -04:00
Nick Mathewson
49c177437b Make our min-info check also check for entry node presence
Part of a fix for bug1959
2010-09-21 15:17:40 -04:00
Nick Mathewson
52db5c2539 Even more accurate handling for shifting accounting intervals
Roger correctly pointed out that my code was broken for accounting
periods that shifted forwards, since
start_of_accounting_period_containing(interval_start_time) would not
be equal to interval_start_time, but potentially much earlier.
2010-09-21 14:59:43 -04:00
Nick Mathewson
aa7f55c45f Use load_windows_system_library in place of LoadLibrary 2010-09-21 14:40:10 -04:00
Nick Mathewson
418e6caeeb New function to load windows system libraries
This function uses GetSystemDirectory() to make sure we load the version
of the library from c:\windows\system32 (or local equivalent) rather than
whatever version lives in the cwd.
2010-09-21 14:39:23 -04:00