Commit Graph

38902 Commits

Author SHA1 Message Date
David Goulet
c6b1da20a7 Merge remote-tracking branch 'mbeth-private/ticket40833_mr' 2023-08-22 13:24:00 -04:00
David Goulet
3487a0d696 changes: Add changes file for ticket 40821
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-22 13:11:37 -04:00
David Goulet
e39fb0962f Merge remote-tracking branch 'mbeth-private/ticket40821_mr' 2023-08-22 13:09:54 -04:00
David Goulet
2300cf33a0 Merge branch 'rust_ci' into 'main'
Rust and CI fixes

See merge request tpo/core/tor!742
2023-08-15 17:13:11 +00:00
Micah Elizabeth Scott
8991b10cac CI: Diagnostic for failure in test_rebind cleanup
I saw this test fail intermittently due to what seemed like a filesystem
race in docker? The cleanup task was failing with a 'directory not
empty' error, despite trying to do a recursive 'rm'. This patch adds an
'ls' to the same directory, hoping the output might be useful to
diagnose future intermittent failures.
2023-08-15 09:52:30 -07:00
Micah Elizabeth Scott
41dac5e2d1 CI: Add Rust tests and clippy
This adds a new "rust-latest" CI target that runs tests and clippy for
everything in the workspace. It's a subset of the equivalent on Arti.
2023-08-15 09:52:30 -07:00
Micah Elizabeth Scott
824e9c6e16 cargo: Move lockfile to root and update
Change 3f66ff9b00 added geoip-db-tool to
the main workspace, so it's no longer using a local lockfile. Move its
lock to the crate root, remove from gitignore, and update it.

(We could also choose to not keep the lockfiles checked in, but it seems
useful to have them in our test and maintenance tooling here.)
2023-08-15 09:52:30 -07:00
Micah Elizabeth Scott
317a56c133 tor-c-equix: Fix clippy warning
Clippy found a transmute that could have been a reborrow.
2023-08-15 09:52:30 -07:00
Micah Elizabeth Scott
4ec193dcc5 geoip-db-tool: Fix clippy warnings
This fixes warnings found by clippy 0.1.71 on Rust 1.71.1

Tested this by doing a geoip update without committing changes.
2023-08-15 09:52:30 -07:00
David Goulet
00881f1886 Merge branch 'maint-0.4.7' 2023-08-15 12:39:33 -04:00
David Goulet
c9dceca281 Merge branch 'bug40834' into 'main'
Revert "Nullify on_circuit if last conflux leg"

See merge request tpo/core/tor!744
2023-08-15 15:29:46 +00:00
Mike Perry
51459b543f Changes file for bug40834 2023-08-15 15:09:04 +00:00
Mike Perry
a56434a82b Bug 40834: Remove assert and add logs to track no-leg case 2023-08-15 15:05:25 +00:00
Mike Perry
72164740a2 Revert "Nullify on_circuit if last conflux leg"
This reverts commit 5487476fd9.
2023-08-15 14:53:17 +00:00
David Goulet
67bfb87dcb Merge branch 'main' into 'main'
Clean up torify

See merge request tpo/core/tor!740
2023-08-14 15:09:09 +00:00
David Goulet
fd3f9e8580 zstd: Check errors right affer compressing/decompressing
Considering a compression bomb before looking for errors led to false negative
log warnings. Instead, it is possible the work failed for whatever reasons
which is not indicative of a compression bomb.

Fixes #40739

Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-14 11:05:23 -04:00
David Goulet
2c5c752fd2 Merge branch 'hashx_sizet_mr' into 'main'
hashx: Fix a few more compiler warnings

See merge request tpo/core/tor!739
2023-08-14 13:00:46 +00:00
Micah Elizabeth Scott
d0343b12c6 test_dos: Fixes for uninitialized stack memory
This was causing CI failures that didn't reproduce on my local machine.
The DoS subsystem now has a new assert() which triggers a BUG on some
nonzero memory contents (or_conn->tracked_for_dos_mitigation), and
uninitialized stack memory might be nonzero.
2023-08-11 18:05:07 -07:00
Micah Elizabeth Scott
2b8d629079 Extend DoS protection to IP addresses with known relays
This exemption used to be helpful in keeping exit relays from tripping
the DoS detection subsystem and losing Tor connectivity. Now exit relays
block re-entry into the network (tor issue #2667) so it's no longer
needed. We'd like to re-enable protection on these addresses to avoid
giving attackers a way around our DoS mitigations.
2023-08-11 16:32:22 -07:00
Micah Elizabeth Scott
a94ce25277 hashx: Fix rare compiler output overflow on aarch64
This is a fix for a very rare buffer overflow in hashx, specific to the
dynamic compiler on aarch64 platforms.

In practice this issue is extremely unlikely to hit randomly, and it's
only been seen in unit tests that supply unusual mock PRNG output to the
program generator. My best attempt at estimating the probability of
hitting the overflow randomly is about 10^-23. Crafting an input with
the intent to overflow can be done only as fast as an exhaustive search,
so long as Blake2B is unbroken.

The root cause is that hashx writes assembly code without any length
checks, and it uses an estimated size rather than an absolute maximum
size to allocate the buffer for compiled code. Some instructions are
much longer than others, especially on aarch64.

The length of the overflow is nearly 300 bytes in the worst synthetic
test cases I've developed so far. Overflow occurs during hashx_make(),
and the subsequent hashx_exec() will always SIGSEGV as the written code
crosses outside the region that's been marked executable. In typical use,
hashx_exec() is called immediately after hashx_make().

This fix increases the buffer size from 1 page to 2 pages on aarch64,
adds an analysis of the compiled code size, and adds runtime checks so we
can gracefully fail on overflow. It also adds a unit test (written in
Rust) that includes a PRNG sequence exercising the overflow. Without
this patch the unit test shows a SIGSEGV on aarch64, with this patch it
runs successfully and matches interpreter output.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-08-11 15:05:11 -07:00
Micah Elizabeth Scott
3e18507dc7 Extend DoS protection to partially-open channels
tor only marks a channel as 'open' once the TLS and OR handshakes have both
completed, and normal "client" (ORPort) DoS protection is not enabled until
the channel becomes open. This patch adds an additional earlier initialization
path for DoS protection on incoming TLS connections.

This leaves the existing dos_new_client_conn() call sites intact, but adds a
guard against multiple-initialization using the existing
tracked_for_dos_mitigation flag. Other types of channels shouldn't be affected
by this patch.
2023-08-09 18:07:34 -07:00
наб
9ae2f8a229
Clean up torify
Replace pathfind() which tries to parse $PATH manually with command -v.

exec is always fatal, regardless of if it managed to execute.
2023-08-09 15:58:45 +02:00
Micah Elizabeth Scott
ef08c00df2 hashx: Fix a few more compiler warnings
Fix a couple cases where size_t values were being confused with int.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-08-07 18:18:24 -07:00
Tor CI Release
3d63d713ea version: Bump version to 0.4.8.3-rc-dev 2023-08-04 10:44:28 -04:00
Tor CI Release
0ddbabfc54 version: Bump version to 0.4.8.3-rc 2023-08-04 10:15:28 -04:00
David Goulet
c862a66b6c release: ChangeLog update for 0.4.8.3-rc
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-04 10:11:44 -04:00
Tor CI Release
0c601d0025 fallbackdir: Update list generated on August 04, 2023 2023-08-04 10:08:22 -04:00
Tor CI Release
71748077d0 Update geoip files to match ipfire location db, 2023/08/04. 2023-08-04 10:08:16 -04:00
David Goulet
8a21d908ae geoip: Fix cargo target directory
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-04 10:04:36 -04:00
David Goulet
3f66ff9b00 cargo: Add geoip db tool to top level workspace
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-04 09:55:26 -04:00
David Goulet
49ea768465 ci: Move tag to the x86-64 template
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-02 13:30:28 -04:00
David Goulet
64f28d3366 ci: Tag physical our i386 minimal job
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-02 13:20:06 -04:00
David Goulet
ec7a03e112 Merge branch 'remove-conflux-bug-log' into 'main'
relay: Remove logging for a bug. It triggers a BUG() later

See merge request tpo/core/tor!738
2023-08-02 16:48:03 +00:00
David Goulet
3ed37ae53c relay: Remove logging for a bug. It triggers a BUG() later
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-02 12:09:41 -04:00
David Goulet
0c270735ef Merge branch 'cargo_hashx_rng' into 'main'
hashx: Rust hook for inspecting and modifying the random number stream

See merge request tpo/core/tor!734
2023-08-01 20:19:42 +00:00
David Goulet
f1fdb58611 Merge branch 'bug40827' into 'main'
Fix assert crash on relay-side due to on_circuit backpointer

See merge request tpo/core/tor!737
2023-08-01 20:13:32 +00:00
Mike Perry
78e14ca124 Changes file for bug 40827 2023-08-01 17:13:48 +00:00
Mike Perry
e3ad41e7e5 Bug 40827: Add additional logs and checks for 0-leg conflux case 2023-08-01 17:13:48 +00:00
David Goulet
5487476fd9 Nullify on_circuit if last conflux leg
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-01 17:12:11 +00:00
David Goulet
08ae74056f Merge branch 'bug40828' into 'main'
Bug40828

See merge request tpo/core/tor!736
2023-07-31 15:43:33 +00:00
Mike Perry
f26942cb0c Changes file for bug40828 2023-07-31 14:13:16 +00:00
Mike Perry
74d6fd534a Bug 40828: Add more log scrubbing to protocol warnings 2023-07-31 14:12:39 +00:00
Micah Elizabeth Scott
0ca2e62b28 hashx: Rust hook for inspecting and modifying the random number stream
This patch has no effect on the C tor build.

Adds a function hashx_rng_callback() to the hashx API, defined only
when HASHX_RNG_CALLBACK is defined. This is then used in the Rust
wrapper to implement a similar rng_callback().

Included some minimal test cases. This code is intented for
use in cross-compatibility fuzzing tests which drive multiple
implementations of hashx with the same custom Rng stream.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-07-28 21:27:10 -07:00
David Goulet
4667195ded Merge branch 'cargo' into 'main'
Include a basic Rust wrapper for Equi-X and HashX

See merge request tpo/core/tor!733
2023-07-26 20:01:56 +00:00
Micah Elizabeth Scott
95bcd17705 Include a basic Rust wrapper for Equi-X and HashX
The idea behind this is that we may want to start exporting more pieces
of c-tor as Rust crates so that Arti can perform cross compatibility and
comparison testing using Rust tooling.

This turns the 'tor' repo into a Cargo workspace, and adds one crate to
start with: "tor-c-equix", rooted in src/ext/equix. This actually
includes both Equi-X itself and HashX, since there's less overall
duplication if we package these together instead of packaging HashX
separately.

This patch adds a basic safe Rust interface, but doesn't expose any
additional internals for testing purposes.

No changes to the C code here or the normal Tor build system.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-07-26 12:27:15 -07:00
David Goulet
1e3b5c94ab Merge branch 'maint-0.4.7' 2023-07-26 12:02:47 -04:00
Tor CI Release
78cb761612 version: Bump version to 0.4.7.14-dev 2023-07-26 12:02:42 -04:00
David Goulet
652147413c Merge branch 'maint-0.4.7' 2023-07-26 10:23:27 -04:00
Tor CI Release
4333762b21 version: Bump version to 0.4.7.14 2023-07-26 10:22:32 -04:00
David Goulet
89b1e6568e Merge branch 'maint-0.4.7' 2023-07-26 10:13:21 -04:00