Commit Graph

182 Commits

Author SHA1 Message Date
Nick Mathewson
ff55840343 Don't pass a NULL into a %s when logging client auth file load failure
Fortunately, in 0.3.5.1-alpha we improved logging for various
failure cases involved with onion service client auth.

Unfortunately, for this one, we freed the file right before logging
its name.

Fortunately, tor_free() sets its pointer to NULL, so we didn't have
a use-after-free bug.

Unfortunately, passing NULL to %s is not defined.

Fortunately, GCC 9.1.1 caught the issue!

Unfortunately, nobody has actually tried building Tor with GCC 9.1.1
before. Or if they had, they didn't report the warning.

Fixes bug 30475; bugfix on 0.3.5.1-alpha.
2019-05-10 17:47:43 -04:00
George Kadianakis
501d1ae0bd Merge branch 'tor-github/pr/973' 2019-05-10 12:49:01 +03:00
David Goulet
3885e7b44b Merge branch 'tor-github/pr/1000'
Signed-off-by: David Goulet <dgoulet@torproject.org>
2019-05-08 08:02:28 -04:00
George Kadianakis
4060b7623d Revert "Hiding crypt_path_t: Create a constructor for crypt_path_t."
This reverts commit ab8b80944967ee5a6a0c45dbf61839cf257bfe44.
2019-05-03 18:15:26 +03:00
George Kadianakis
58fbbc1409 Hiding crypt_path_t: Rename some functions to fit the crypt_path API.
Some of these functions are now public and cpath-specific so their name should
signify the fact they are part of the cpath module:

assert_cpath_layer_ok -> cpath_assert_layer_ok
assert_cpath_ok -> cpath_assert_ok
onion_append_hop -> cpath_append_hop
circuit_init_cpath_crypto -> cpath_init_circuit_crypto
circuit_free_cpath_node -> cpath_free
onion_append_to_cpath -> cpath_extend_linked_list
2019-05-03 18:15:26 +03:00
George Kadianakis
f5635989b0 Hiding crypt_path_t: Create a constructor for crypt_path_t.
We are using an opaque pointer so the structure needs to be allocated on the
heap. This means we now need a constructor for crypt_path_t.

Also modify all places initializing a crypt_path_t to use the constructor.
2019-05-03 18:15:11 +03:00
George Kadianakis
f74a80dc3b Hiding crypt_path_t: Move init functions to crypt_path.c.
This commit only moves code.
2019-05-03 18:15:00 +03:00
Nick Mathewson
295feeb093 Replace all remaining tor_mem_is_zero() with fast_mem_is_zero() 2019-04-30 14:49:05 -04:00
teor
3d89f0374a
hs_config: Allow Tor to be configured as an IPv6-only v3 single onion service
Part of #23588.
2019-04-24 17:29:18 +10:00
Neel Chauhan
b65f8c419a
Add firewall_choose_address_ls() and hs_get_extend_info_from_lspecs() tests 2019-04-24 17:28:38 +10:00
Neel Chauhan
2618347657
Use fascist_firewall_choose_address_ls() in hs_get_extend_info_from_lspecs() 2019-04-24 17:28:34 +10:00
Nick Mathewson
8bea0c2fa3 Rename outvar to follow _out convention. 2019-04-23 14:14:17 -04:00
Nick Mathewson
475ac11bc1 Merge remote-tracking branch 'tor-github/pr/935' 2019-04-23 14:11:04 -04:00
Neel Chauhan
2ab19a48c2 Initialize rate_limited in hs_pick_hsdir() to false 2019-04-19 09:50:54 -04:00
Neel Chauhan
efde686aa5 Only set rate_limited in hs_pick_hsdir() if rate_limited_count or responsible_dirs_count is greater than 0 2019-04-19 09:21:20 -04:00
Neel Chauhan
943559b180 Make rate_limited and is_rate_limited a bool 2019-04-19 08:33:00 -04:00
Neel Chauhan
011307dd5f Make repeated/rate limited HSFETCH queries fail with QUERY_RATE_LIMITED 2019-04-11 15:21:17 -04:00
teor
ce5e38642d crypto_format: Remove the return value from ed25519_signature_to_base64()
Also remove all checks for the return value, which were redundant anyway,
because the function never failed.

Part of 29660.
2019-04-05 15:17:19 +10:00
teor
e3124fef54 crypto_format: Remove the return value from curve25519_public_to_base64()
And fix the documentation on the function: it does produce trailing
"="s as padding.

Also remove all checks for the return value, which were redundant anyway,
because the function never failed.

Part of 29660.
2019-04-05 15:17:19 +10:00
teor
7d513a5d55 crypto_format: Remove the return values from digest256_to_base64()
... and ed25519_public_to_base64(). Also remove all checks for the return
values, which were redundant anyway, because the functions never failed.

Part of 29960.
2019-04-05 15:17:19 +10:00
Nick Mathewson
a49f506e05 Split all controller events code into a new control_events.c
Also, split the formatting code shared by control.c and
control_events.c into controller_fmt.c.
2019-03-25 12:11:59 -04:00
Nick Mathewson
065b74fa36 Fix all nonconformant headers' guard macros. 2019-03-12 15:20:22 -04:00
Nick Mathewson
61adcb22c5 Merge branch 'bug23576-041-rebased-squashed' 2019-03-12 11:10:01 -04:00
teor
680b2afd84 hs: abolish hs_desc_link_specifier_dup()
The previous commits introduced link_specifier_dup(), which is
implemented using trunnel's opaque interfaces. So we can now
remove hs_desc_link_specifier_dup().

Cleanup after bug 22781.
2019-03-12 11:09:53 -04:00
teor
bb98bc8562 hs: abolish hs_desc_link_specifier_t
The previous commits for 23576 confused hs_desc_link_specifier_t
and link_specifier_t. Removing hs_desc_link_specifier_t fixes this
confusion.

Fixes bug 22781; bugfix on 0.3.2.1-alpha.
2019-03-12 11:09:53 -04:00
George Kadianakis
7fbfdf2af7 Merge branch 'tor-github/pr/611' 2019-02-26 12:33:23 +02:00
Nick Mathewson
69238ca2da Merge remote-tracking branch 'tor-github/pr/646' 2019-02-24 17:17:16 -05:00
Nick Mathewson
7f59b9fb1f Merge branch 'maint-0.3.5' 2019-02-08 08:37:46 -05:00
Nick Mathewson
ab65347819 Merge branch 'ticket29040_1_changes' into maint-0.3.5 2019-02-08 08:37:43 -05:00
teor
6170d3fcf1 hs: Onion services put IPv6 addresses in service descriptors
Rewrite service_intro_point_new() to take a node_t. Since
node_get_link_specifier_smartlist() supports IPv6 link specifiers,
this refactor adds IPv6 addresses to onion service descriptors.

Part of 23576, implements 26992.
2019-01-31 07:53:22 +01:00
teor
cdda3dc484 hs: Move get_lspecs_from_node to nodelist.c
Also:
* rename to node_get_link_specifier_smartlist
* rewrite to return a smartlist
* add link_specifier_smartlist_free

Part of 23576.
2019-01-30 15:15:41 +01:00
Neel Chauhan
c985940de9 Add version 3 onion service support to HSFETCH 2019-01-24 10:22:41 -05:00
Suphanat Chunhapanya
238a9080c6 hs-v3: add an option param to safe log functions
We add an option param to safe_str and safe_str_client because in
some case we need to use those functions before global_options is set.
2019-01-24 04:31:18 +07:00
Suphanat Chunhapanya
8de735f068 hs-v3: fix use after free in client auth config
We accidentally use `auth` after freeing it in
client_service_authorization_free. The way to solve it is to
free after using it.
2019-01-24 04:31:07 +07:00
Nick Mathewson
adeeb8841e Merge branch 'maint-0.3.5' 2019-01-23 11:18:14 -05:00
rl1987
712a622fce Log an HSDesc we failed to parse at Debug loglevel 2019-01-23 10:37:10 -05:00
Nick Mathewson
f632335feb Fix users of base32_decode to check for expected length in return.
Also, when we log about a failure from base32_decode(), we now
say that the length is wrong or that the characters were invalid:
previously we would just say that there were invalid characters.

Follow-up on 28913 work.
2019-01-17 13:32:19 -05:00
Nick Mathewson
2f683465d4 Bump copyright date to 2019 2019-01-16 12:33:22 -05:00
Nick Mathewson
efe55b8898 Bump copyright date to 2019. 2019-01-16 12:32:32 -05:00
Nick Mathewson
d21fa48cac Merge branch 'maint-0.3.5' 2019-01-11 18:53:24 -05:00
Nick Mathewson
efd765a948 Merge remote-tracking branch 'tor-github/pr/563' into maint-0.3.5 2019-01-11 18:53:18 -05:00
Nick Mathewson
46a321fbdd Merge branch 'maint-0.3.5' 2018-12-05 10:25:12 -05:00
Nick Mathewson
967efc0d28 Merge remote-tracking branch 'tor-github/pr/546' into maint-0.3.5 2018-12-05 10:23:28 -05:00
David Goulet
cec616a0c8 hs-v3: Don't BUG() if descriptor is found on SOCKS connection retry
When retrying all SOCKS connection because new directory information just
arrived, do not BUG() if a connection in state AP_CONN_STATE_RENDDESC_WAIT is
found to have a usable descriptor.

There is a rare case when this can happen as detailed in #28669 so the right
thing to do is put that connection back in circuit wait state so the
descriptor can be retried.

Fixes #28669

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-12-04 14:34:04 -05:00
David Goulet
43bd4d7509 hs-v3: Add the helper function mark_conn_as_waiting_for_circuit
This helper function marks an entry connection as pending for a circuit and
changes its state to AP_CONN_STATE_CIRCUIT_WAIT. The timestamps are set to
now() so it can be considered as new.

No behaviour change, this helper function will be used in next commit.

Part of #28669

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-12-04 14:34:04 -05:00
David Goulet
00b59d9281 conn: Use connection_ap_mark_as_waiting_for_renddesc()
Use the helper function connection_ap_mark_as_waiting_for_renddesc()
introduced in previous commit everywhere in the code where an AP connection
state is transitionned to AP_CONN_STATE_RENDDESC_WAIT.

Part of #28669

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-12-04 14:10:00 -05:00
Nick Mathewson
02843c4a4e Test for check_network_participation_callback() 2018-11-26 16:32:40 -05:00
Nick Mathewson
35558c39dd Merge remote-tracking branch 'dgoulet/ticket27471_035_02' into maint-0.3.5 2018-11-16 08:57:56 -05:00
David Goulet
8fb318860e Merge branch 'maint-0.3.5' 2018-11-13 10:43:03 -05:00
David Goulet
6f2151be9a Merge branch 'tor-github/pr/487' into maint-0.3.5 2018-11-13 10:37:25 -05:00
Fernando Fernandez Mancera
f60607ee96 Improve log message in hs_service.c
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
2018-11-01 12:40:52 +02:00
David Goulet
aa1ae1343a Merge branch 'maint-0.3.5' 2018-10-30 11:44:14 -04:00
David Goulet
488969fe9c Merge branch 'tor-github/pr/438' into maint-0.3.5 2018-10-30 11:43:54 -04:00
David Goulet
124c43704c Merge branch 'maint-0.3.5' 2018-10-30 11:37:44 -04:00
David Goulet
95559279e1 Merge branch 'tor-github/pr/415' into maint-0.3.5 2018-10-30 11:36:36 -04:00
David Goulet
cdb065d6b2 Merge branch 'maint-0.3.5' 2018-10-30 10:55:10 -04:00
Neel Chauhan
82b3a02302 Detect the onion service version and then check for invalid options unless we have set HiddenServiceVersion 2018-10-30 10:48:56 -04:00
George Kadianakis
5c2212c734 HSv3: Correctly memwipe client auth keystream.
Wipe the whole thing, not just the size of the pointer.
2018-10-26 14:55:17 +03:00
George Kadianakis
a614731144 Documentation: Move the hs_service_descriptor_t elements around.
Move the elements around to concentrate mutable and immutable elements
together. This commit changes no code, check with --color-moved.
2018-10-23 16:43:54 +03:00
George Kadianakis
df78fb2451 Documentation: Document which descriptor elements are (im)mutable. 2018-10-23 16:43:54 +03:00
George Kadianakis
29c194e022 Func rename: Make it clear that update_all_descriptors() does intro points.
With the new refresh_service_descriptor() function we had both
refresh_service_descriptor() and update_service_descriptor() which is basically
the same thing.

This commit renames update_service_descriptor() to
update_service_descriptor_intro_points() to make it clear it's not a generic
refresh and it's only about intro points.

Commit changes no code.
2018-10-23 16:43:54 +03:00
David Goulet
81c466c34a hs-v3: Create desc signing key cert before uploading
Before this commit, we would create the descriptor signing key certificate
when first building the descriptor.

In some extreme cases, it lead to the expiry of the certificate which triggers
a BUG() when encoding the descriptor before uploading.

Ticket #27838 details a possible scenario in which this can happen. It is an
edge case where tor losts internet connectivity, notices it and closes all
circuits. When it came back up, the HS subsystem noticed that it had no
introduction circuits, created them and tried to upload the descriptor.

However, in the meantime, if tor did lack a live consensus because it is
currently seeking to download one, we would consider that we don't need to
rotate the descriptors leading to using the expired signing key certificate.

That being said, this commit does a bit more to make this process cleaner.
There are a series of things that we need to "refresh" before uploading a
descriptor: signing key cert, intro points and revision counter.

A refresh function is added to deal with all mutable descriptor fields. It in
turn simplified a bit the code surrounding the creation of the plaintext data.

We keep creating the cert when building the descriptor in order to accomodate
the unit tests. However, it is replaced every single time the descriptor is
uploaded.

Fixes #27838

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-10-22 16:34:41 -04:00
Nick Mathewson
62401812c7 Merge remote-tracking branch 'dgoulet/ticket27471_035_02' 2018-10-18 13:01:41 -04:00
David Goulet
9ba16c4d03 hs-v3: Close client intro circuits if the descriptor is replaced
When storing a descriptor in the client cache, if we are about to replace an
existing descriptor, make sure to close every introduction circuits of the old
descriptor so we don't have leftovers lying around.

Ticket 27471 describes a situation where tor is sending an INTRODUCE1 cell on
an introduction circuit for which it doesn't have a matching intro point
object (taken from the descriptor).

The main theory is that, after a new descriptor showed up, the introduction
points changed which led to selecting an introduction circuit not used by the
service anymore thus for which we are unable to find the corresponding
introduction point within the descriptor we just fetched.

Closes #27471.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-10-18 12:56:51 -04:00
David Goulet
56f713b8a4 hs-v3: Always generate the descriptor cookie
It won't be used if there are no authorized client configured. We do that so
we can easily support the addition of a client with a HUP signal which allow
us to avoid more complex code path to generate that cookie if we have at least
one client auth and we had none before.

Fixes #27995

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-10-18 11:46:07 -04:00
Nick Mathewson
0a41d17c15 Merge branch 'ticket27549_035_01_squashed' 2018-10-18 10:16:30 -04:00
David Goulet
3a8f32067d hs-v3: Consolidate descriptor cookie computation code
Both client and service had their own code for this. Consolidate into one
place so we avoid duplication.

Closes #27549

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-10-18 10:16:07 -04:00
Roger Dingledine
df78a2730c merge in some fixes i found in a sandbox 2018-10-17 13:56:41 -04:00
Neel Chauhan
f93ee8e4c4 Fix typo in comment for hs_cell_parse_introduce2() 2018-10-16 10:59:42 -04:00
Nick Mathewson
11161395af Merge branch 'maint-0.3.4' 2018-10-15 12:52:54 -04:00
Nick Mathewson
23ce9a60fb Merge branch 'maint-0.3.4' 2018-10-15 10:48:35 -04:00
Nick Mathewson
67351f6724 Merge remote-tracking branch 'tor-github/pr/380' 2018-10-12 11:39:37 -04:00
Neel Chauhan
3cc089ce59 Add newline between hs_client_get_random_intro_from_edge() and hs_client_receive_introduce_ack() 2018-10-05 19:54:26 -04:00
Nick Mathewson
6785aa4010 Move routerparse and parsecommon to their own module. 2018-10-01 00:04:06 -05:00
Nick Mathewson
de0b07c634 Merge branch 'router_split' 2018-09-26 09:47:59 -04:00
Nick Mathewson
5e5e019b31 Merge remote-tracking branch 'dgoulet/bug27550_035_01' 2018-09-26 08:36:09 -04:00
Nick Mathewson
4f0bc0c8f5 Revise things that had included router.h before
Make them only include the headers that they needed, and sort their
headers while we're at it.
2018-09-25 17:57:58 -04:00
Nick Mathewson
934859cf80 Move key-loading and crosscert-checking out of feature/relay
This is also used by onion services, so it needs to go in another
module.
2018-09-25 15:14:57 -04:00
Nick Mathewson
78295904f7 Merge branch 'ticket26744' 2018-09-24 10:56:50 -04:00
Nick Mathewson
b7bd162af7 Merge remote-tracking branch 'dgoulet/ticket27774_035_03' 2018-09-21 13:02:12 -04:00
Nick Mathewson
194acfb51d Split directory.c code into several modules
Parts of this C file naturally belong in dircache, dirclient, and
dircommon: so, move them there.
2018-09-21 12:57:22 -04:00
Nick Mathewson
0e4c42a912 Merge remote-tracking branch 'ahf-github/asn/bugs4700_2' 2018-09-21 09:40:16 -04:00
Nick Mathewson
c7ce6b9821 Split main.c into main.c and mainloop.c
The main.c code is responsible for initialization and shutdown;
the mainloop.c code is responsible for running the main loop of Tor.

Splitting the "generic event loop" part of mainloop.c from the
event-loop-specific part is not done as part of this patch.
2018-09-21 09:14:06 -04:00
David Goulet
49e4bda50b fixup! hs-v3: Silence some logging for client authorization 2018-09-21 08:52:47 -04:00
David Goulet
79265a6fb6 hs-v3: Don't BUG() if the RP node_t is invalid client side
When sending the INTRODUCE1 cell, we acquire the needed data for the cell but
if the RP node_t has invalid data, we'll fail the send and completely kill the
SOCKS connection.

Instead, close the rendezvous circuit and return a transient error meaning
that Tor can recover by selecting a new rendezvous point. We'll also do the
same when we are unable to encode the INTRODUCE1 cell for which at that point,
we'll simply take another shot at a new rendezvous point.

Fixes #27774

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-09-21 08:44:12 -04:00
Nick Mathewson
e7ac8fabcc Merge remote-tracking branch 'dgoulet/ticket27410_035_01' 2018-09-20 16:22:16 -04:00
Nick Mathewson
2ed0d240e8 Merge remote-tracking branch 'dgoulet/ticket27410_032_01' 2018-09-20 16:22:02 -04:00
Alexander Færøy
8ecaf41003 Support 'none' in torrc for HiddenServiceExportCircuitID.
See: https://bugs.torproject.org/4700
2018-09-20 20:59:42 +02:00
Nick Mathewson
08e3b88f07 Split routerlist.c into 4 separate modules
There are now separate modules for:
    * the list of router descriptors
    * the list of authorities and fallbacks
    * managing authority certificates
    * selecting random nodes
2018-09-19 17:08:57 -04:00
David Goulet
cb81a69f90 test: hs-v3 desc has arrived unit test
That unit test makes sure we don't have pending SOCK request if the descriptor
turns out to be unusable.

Part of #27410.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-09-19 11:11:57 -04:00
David Goulet
f4f809fe3d hs-v3: Close all SOCKS request on descriptor failure
Client side, when a descriptor is finally fetched and stored in the cache, we
then go over all pending SOCKS request for that descriptor. If it turns out
that the intro points are unusable, we close the first SOCKS request but not
the others for the same .onion.

This commit makes it that we'll close all SOCKS requests so we don't let
hanging the other ones.

It also fixes another bug which is having a SOCKS connection in RENDDESC_WAIT
state but with a descriptor in the cache. At some point, tor will expire the
intro failure cache which will make that descriptor usable again. When
retrying all SOCKS connection (retry_all_socks_conn_waiting_for_desc()), we
won't end up in the code path where we have already the descriptor for a
pending request causing a BUG().

Bottom line is that we should never have pending requests (waiting for a
descriptor) with that descriptor in the cache (even if unusable).

Fixees #27410.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-09-19 11:11:57 -04:00
Alexander Færøy
9b511dc5d6 Change HiddenServiceExportCircuitID to take a string parameter: the protocol.
This patch changes HiddenServiceExportCircuitID so instead of being a
boolean it takes a string, which is the protocol. Currently only the
'haproxy' protocol is defined.

See: https://bugs.torproject.org/4700
2018-09-15 16:52:36 +03:00
George Kadianakis
6069185bcc Save original virtual port in edge conn HS ident. 2018-09-15 16:32:24 +03:00
George Kadianakis
27d7491f5a Introduce per-service HiddenServiceExportCircuitID torrc option.
Moves code to a function, better viewed with --color-moved.
2018-09-15 16:31:22 +03:00
Nick Mathewson
4bdba5fa4b Merge branch 'maint-0.3.4' 2018-09-14 12:56:31 -04:00
Nick Mathewson
bfc847255a Merge remote-tracking branch 'dgoulet/ticket27545_035_01' 2018-09-12 10:18:11 -04:00
Suphanat Chunhapanya
57c82b74b4 hs-v3: Shuffle the list of authorized clients
This commit makes it that the authorized clients in the descriptor are in
random order instead of ordered by how they were read on disk.

Fixes #27545

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-09-11 11:23:49 -04:00
David Goulet
672620901b hs-v3: Silence some logging for client authorization
If a tor client gets a descriptor that it can't decrypt, chances are that the
onion requires client authorization.

If a tor client is configured with client authorization for an onion but
decryption fails, it means that the configured keys aren't working anymore.

In both cases, we'll log notice the former and log warn the latter and the
rest of the decryption errors are now at info level.

Two logs statement have been removed because it was redundant and printing the
fetched descriptor in the logs when 80% of it is encrypted wat not helping.

Fixes #27550

Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-09-10 15:04:22 -04:00
George Kadianakis
34a2cbb249 Address coverity warnings (CID 1439133/1439132).
>>>>    CID 1439133:  Null pointer dereferences  (REVERSE_INULL)
>>>>    Null-checking "fields" suggests that it may be null, but it
>>>> has already been dereferenced on all paths leading to the check.

>>>>    CID 1439132:  Null pointer dereferences  (REVERSE_INULL)
>>>>    Null-checking "fields" suggests that it may be null, but it
>>>> has already been dereferenced on all paths leading to the check.
2018-09-10 16:54:19 +03:00
George Kadianakis
3695ef6343 HSv3: Don't assert when reading bad client-side privkeys. 2018-09-07 14:05:07 -04:00