Commit Graph

1636 Commits

Author SHA1 Message Date
Nick Mathewson
c99ec36def expand documentation on tor_remove_file 2017-12-20 10:43:27 -05:00
Nick Mathewson
4b7b305bf0 Remove pre-unlink check tor_remove_file; check errno instead.
This removes a time-of-check/time-of-use issue, though in this case
it would probably be harmless.
2017-12-20 10:42:02 -05:00
Nick Mathewson
18543c2c9b Merge remote-tracking branch 'ffmancera/github/bug23271' 2017-12-20 10:40:32 -05:00
Alexander Færøy
d4f4108601
Add MainloopStats option.
This patch adds support for MainloopStats that allow developers to get
main event loop statistics via Tor's heartbeat status messages. The new
status log message will show how many succesful, erroneous, and idle
event loop iterations we have had.

See: https://bugs.torproject.org/24605
2017-12-16 02:41:21 +01:00
Nick Mathewson
20f802ea3c Add an option to disable signal handler installation.
Closes ticket 24588.
2017-12-15 12:48:29 -05:00
Nick Mathewson
fdd5734875 Remove the unused is_parent==0 option from handle_signals. 2017-12-15 12:45:30 -05:00
Fernando Fernandez Mancera
61c721f145 Add remove file function and remove ephemeral files.
Adding tor_remove_file(filename) and refactoring tor_cleanup().

Removing CookieAuthFile and ExtORPortCookieAuthFile when tor_cleanup() is
called.

Fixes #23271.

Signed-off-by: Fernando Fernandez Mancera <ffernandezmancera@gmail.com>
2017-12-15 17:01:22 +01:00
Nick Mathewson
3809036c63 Reset all main.c state at exit
This change is part of 24587.
2017-12-11 14:05:34 -05:00
Nick Mathewson
f205dabf7a Stop using event_base_once().
This function leaks memory when the event_base is freed before the
event itself fires.  That's not harmful, but it's annoying when
trying to debug other memory leaks.

Fixes bug 24584; bugfix on 0.2.8.1-alpha.
2017-12-11 12:23:02 -05:00
Nick Mathewson
322abc030e On exit, free the event_base and set its pointer to NULL.
When we didn't do this before, we'd have some still-reachable memory
warnings, and we'd find ourselves crashing when we tried to
reinitialize libevent.

Part of 24581 (don't crash when restarting Tor in-process)
2017-12-11 11:52:19 -05:00
Nick Mathewson
a7a0cebb59 Merge branch 'more_directories_squashed' 2017-12-05 19:49:45 -05:00
Nick Mathewson
a9806af261 Create a CacheDirectory and KeyDirectory options.
They work the same as DataDirectory, but default slightly different.

Tor is not actually updated to use them yet.
2017-12-05 19:49:28 -05:00
Nick Mathewson
39a780e85a Clean up a needlessly complex get_datadir_fname use 2017-12-05 19:49:28 -05:00
Nick Mathewson
3907faf2fd New accessors for keydir/cachedir access
This patch is a result of auditing all of our uses of
get_datadir_fname() and its kin, and dividing them into cache vs
keys vs other data.

The new get_keydir_fname() and get_cachedir_fname() functions don't
actually do anything new yet.
2017-12-05 19:49:28 -05:00
Nick Mathewson
bf882b0373 re-run ./scripts/maint/annotate_ifdef_directives 2017-11-21 14:07:43 -05:00
Nick Mathewson
552218437c Merge branch 'ticket12062_squashed' 2017-11-09 09:20:55 -05:00
Nick Mathewson
0c6eabf088 Audit all of the "is the network turned off" checks.
DisableNetwork is a subset of net_is_disabled(), which is (now) a
subset of should_delay_dir_fetches().

Some of these changes are redundant with others higher or lower in
the call stack.  The ones that I think are behavior-relevant are
listed in the changes file.  I've also added comments in a few
places where the behavior is subtle.

Fixes bug 12062; bugfix on various versions.
2017-11-09 09:19:42 -05:00
Nick Mathewson
ef25f957e7 Merge branch 'tor_api_squashed' 2017-11-01 13:22:16 -04:00
Nick Mathewson
fa02ea102e Add a public tor_api.h with an implementation in tor_api.c
The main effect of this change is to commit to an extensible
long-term API.

Closes ticket 23684.
2017-11-01 13:22:09 -04:00
Nick Mathewson
b76a161e01 Merge branch 'fix-torrcd-sandbox-22605v2' 2017-10-31 13:58:33 -04:00
Nick Mathewson
5e52beceb0 Only prototype rust_welcome_string() when it exists. 2017-10-27 13:03:24 -04:00
Nick Mathewson
f803c1bb17 declare shutdown_did_not_work_callback() with ATTR_NORETURN 2017-10-27 11:51:42 -04:00
Nick Mathewson
79e7c0af0e Add a comment about removing the failsafe event loop exit code 2017-10-27 11:15:43 -04:00
Nick Mathewson
0a10335d2e Clarify doc on tell_event_loop_to_run_external_code() 2017-10-27 11:14:37 -04:00
Nick Mathewson
30a681553f Merge remote-tracking branch 'public/exit_carefully' 2017-10-27 11:13:05 -04:00
Nick Mathewson
f5e9e2748f Merge branch 'protover-rust-impl_squashed' 2017-10-27 10:05:30 -04:00
Chelsea Holland Komlo
91bca5c31b move to allocating c strings from rust 2017-10-27 10:02:08 -04:00
Nick Mathewson
be49fadad0 Merge branch 'maint-0.3.2' 2017-10-26 09:03:21 -04:00
George Kadianakis
cbc70437a7 Update entry guard state whenever we download a consensus.
Update guard state even if we don't have enough dirinfo since that
actually affects the future download of dirinfos.

Fixes #23862 on 0.3.0.1-alpha
2017-10-26 13:36:04 +03:00
Nick Mathewson
1df43aff41 Return instead of exiting in options_init_from_torrc() 2017-10-20 11:39:17 -04:00
Nick Mathewson
853e73e815 Return from instead of exit()ing when ed25519 key check fails. 2017-10-20 11:39:17 -04:00
Nick Mathewson
c247a2df6b On locking failure, return -1 instead of exit()ing.
This is safe, since the only caller (options_act) will check the
return value, and propagate failure.
2017-10-20 11:39:17 -04:00
Nick Mathewson
9bafc3b1ef Replace most bad exits in main.c, hibernate.c
This should make most of the reasons that we hibernate cleaner.
2017-10-20 11:39:17 -04:00
Nick Mathewson
c82cc8acb5 Add a failsafe to kill tor if the new exit code doesn't work.
It _should_ work, and I don't see a reason that it wouldn't, but
just in case, add a 10 second timer to make tor die with an
assertion failure if it's supposed to exit but it doesn't.
2017-10-20 11:39:17 -04:00
Nick Mathewson
f0c3b62381 Expose a new function to make the event loop exit once and for all.
Instead of calling tor_cleanup(), exit(x), we can now call
tor_shutdown_event_loop_and_exit.
2017-10-20 11:39:17 -04:00
Nick Mathewson
78cbced45c Rename "tell_event_loop_to_finish" to "...run_external_code"
This function was never about 'finishing' the event loop, but rather
about making sure that the code outside the event loop would be run
at least once.
2017-10-20 09:59:48 -04:00
Nick Mathewson
35746a9ee7 Comment-only change: annotate exit() calls.
Sometimes when we call exit(), it's because the process is
completely hopeless: openssl has a broken AES-CTR implementation, or
the clock is in the 1960s, or something like that.

But sometimes, we should return cleanly from tor_main() instead, so
that embedders can keep embedding us and start another Tor process.

I've gone through all the exit() and _exit() calls to annotate them
with "exit ok" or "XXXX bad exit" -- the next step will be to fix
the bad exit()s.

First step towards 23848.
2017-10-19 13:42:28 -04:00
Nick Mathewson
c1deabd3b0 Run our #else/#endif annotator on our source code. 2017-09-15 16:24:44 -04:00
Nick Mathewson
c3892a582f exit with nonzero status if certificate expiration dump fails
Fixes bug 23488.

Bugfix on b2a7e8df900eabe41d6e866f; bug not in any released Tor.
2017-09-12 19:05:33 -04:00
Nick Mathewson
ca19a95d54 Merge remote-tracking branch 'dgoulet/ticket23355_032_01' 2017-09-08 12:13:48 -04:00
Nick Mathewson
6ec5059723 Refactor buffer APIs to put a buf_t first.
By convention, a function that frobs a foo_t should be called
foo_frob, and it should have a foo_t * as its first argument.  But
for many of the buf_t functions, the buf_t was the final argument,
which is silly.
2017-09-05 13:57:51 -04:00
Nick Mathewson
d61da9e61f Repair wide lines from previous commit. 2017-09-05 13:57:51 -04:00
Nick Mathewson
4a7e90adc5 Repair buffer API so everything starts with buf_.
Our convention is that functions which manipulate a type T should be
named T_foo.  But the buffer functions were super old, and followed
all kinds of conventions.  Now they're uniform.

Here's the perl I used to do this:

\#!/usr/bin/perl -w -i -p

s/read_to_buf\(/buf_read_from_socket\(/;
s/flush_buf\(/buf_flush_to_socket\(/;
s/read_to_buf_tls\(/buf_read_from_tls\(/;
s/flush_buf_tls\(/buf_flush_to_tls\(/;
s/write_to_buf\(/buf_add\(/;
s/write_to_buf_compress\(/buf_add_compress\(/;
s/move_buf_to_buf\(/buf_move_to_buf\(/;
s/peek_from_buf\(/buf_peek\(/;
s/fetch_from_buf\(/buf_get_bytes\(/;
s/fetch_from_buf_line\(/buf_get_line\(/;
s/fetch_from_buf_line\(/buf_get_line\(/;
s/buf_remove_from_front\(/buf_drain\(/;
s/peek_buf_startswith\(/buf_peek_startswith\(/;
s/assert_buf_ok\(/buf_assert_ok\(/;
2017-09-05 13:57:51 -04:00
Nick Mathewson
150089cbd7 Move the tls parts of buffers.c into buffers_tls.c 2017-09-05 13:57:51 -04:00
Nick Mathewson
56df123933 Merge branch 'bug23331_032_01_squashed' 2017-09-05 08:24:28 -04:00
David Goulet
9e900d1db7 hs: Don't enter the HS v3 subsystem without a live consensus
The service needs the latest SRV and set of relays for the best accurate
hashring to upload its descriptor to so it needs a live consensus thus don't
do anything until we have it.

Fixes #23331

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-09-05 08:24:22 -04:00
Nick Mathewson
e2e13e7c8a Merge branch 'maint-0.3.1' 2017-09-04 11:40:02 -04:00
Daniel Pinto
23147dd168 Adds files included by torrc and defaults to sandbox filter #22605 2017-08-30 18:20:07 +01:00
David Goulet
22295759af prop224: Purge client state on NEWNYM
Closes #23355

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-30 09:15:54 -04:00
David Goulet
2549b3e923 sandbox: Fix double free when initializing HSv3 filenames
Don't free a reference that has been stolen.

Fixes #23329

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-25 09:28:10 -04:00
Nick Mathewson
91c6bc160b Merge remote-tracking branch 'dgoulet/ticket17242_032_03-squashed' 2017-08-24 15:12:16 -04:00
David Goulet
2671399e67 prop224: Add a client intro point state cache
This cache keeps track of the state of intro points which is needed when we
have failures when using them. It is similar to the failure cache of the
legacy system.

At this commit, it is unused but initialized, cleanup and freed.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:28 -04:00
George Kadianakis
7aef3ec0fd prop224: Add client-side HS descriptor cache.
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-24 13:03:27 -04:00
Nick Mathewson
d37e8b407a Merge branch 'feature22976_squashed' 2017-08-24 09:23:43 -04:00
Nick Mathewson
86ee35ad5b Don't do expensive consensus stuff when not a cache.
This includes generating and storing compressed consensuses, and
consensus diffs.  Fixes bug 23275; bugfix on 0.3.1.1-alpha.
2017-08-23 10:22:51 -04:00
Nick Mathewson
133e1e870b Merge remote-tracking branch 'dgoulet/bug23091_032_01' 2017-08-11 09:39:57 -04:00
Nick Mathewson
801aa5d03b Block the port-forwarding helper at a higher point 2017-08-09 10:58:07 -04:00
Nick Mathewson
34e4122025 Merge branch 'ticket20657_nickm_bugfixes_squashed' 2017-08-08 20:31:57 -04:00
David Goulet
5d2506d70c prop224: Sandbox support for service
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
David Goulet
0f104ddce5 prop224: Scheduled events for service
Add the main loop entry point to the HS service subsystem. It is run every
second and make sure that all services are in their quiescent state after that
which means valid descriptors, all needed circuits opened and latest
descriptors have been uploaded.

For now, only v2 is supported and placeholders for v3 actions for that main
loop callback.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-08 20:29:33 -04:00
Isis Lovecruft
b2a7e8df90
routerkeys: Add cmdline option for learning signing key expiration.
* CLOSES #17639.
 * ADDS new --key-expiration commandline option which prints when the
   signing key expires.
2017-08-03 22:20:02 +00:00
David Goulet
5b03c7ba6d Fix check_expired_networkstatus_callback() if condition
The condition was always true meaning that we would reconsider updating our
directory information every 2 minutes.

If valid_until is 6am today, then now - 24h == 1pm yesterday which means that
"valid_until < (now - 24h)" is false. But at 6:01am tomorrow, "valid_until <
(now - 24h)" becomes true which is that point that we shouldn't trust the
consensus anymore.

Fixes #23091

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-08-02 13:28:45 -04:00
Nick Mathewson
ef4ea864ea Merge remote-tracking branch 'dgoulet/ticket21979_032_04' 2017-07-13 17:23:37 -04:00
Nick Mathewson
62d241ad22 Merge remote-tracking branch 'isis/bug19476' 2017-07-13 16:58:45 -04:00
David Goulet
765ed5dac1 prop224: Add a init/free_all function for the whole subsystem
Introduces hs_init() located in hs_common.c which initialize the entire HS v3
subsystem. This is done _prior_ to the options being loaded because we need to
allocate global data structure before we load the configuration.

The hs_free_all() is added to release everything from tor_free_all().

Note that both functions do NOT handle v2 service subsystem but does handle
the common interface that both v2 and v3 needs such as the cache and
circuitmap.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:49:08 -04:00
David Goulet
02e2edeb33 prop224: Add hs_config.{c|h} with a refactoring
Add the hs_config.{c|h} files contains everything that the HS subsystem needs
to load and configure services. Ultimately, it should also contain client
functions such as client authorization.

This comes with a big refactoring of rend_config_services() which has now
changed to only configure a single service and it is stripped down of the
common directives which are now part of the generic handler.

This is ground work for prop224 of course but only touches version 2 services
and add XXX note for version 3.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-07-13 16:49:08 -04:00
Isis Lovecruft
c59ba01550
rephist: Remove unused crypto_pk statistics.
These statistics were largely ununsed, and kept track of statistical information
on things like how many time we had done TLS or how many signatures we had
verified.  This information is largely not useful, and would only be logged
after receiving a SIGUSR1 signal (but only if the logging severity level was
less than LOG_INFO).

 * FIXES #19871.
 * REMOVES note_crypto_pk_op(), dump_pk_op(), and pk_op_counts from
   src/or/rephist.c.
 * REMOVES every external call to these functions.
2017-07-13 20:24:48 +00:00
Isis Lovecruft
9de12397cf
If writing a heartbeat message fails, retry after MIN_HEARTBEAT_PERIOD.
* FIXES #19476.
2017-07-12 03:08:04 +00:00
cypherpunks
f516c9ca99
Use the return value for choosing intervals 2017-07-12 03:08:02 +00:00
Nick Mathewson
c29a559e7b Merge branch 'maint-0.3.1' 2017-06-26 14:15:21 -04:00
Nick Mathewson
d72cfb259d Patch for 22720 from huyvq: exit(1) more often
See changes file for full details.
2017-06-26 14:14:56 -04:00
huyvq
d92b999757 Convert authdir_mode_handles_descs(options, -1) with authdir_mode(options) 2017-06-21 13:49:17 -04:00
Nick Mathewson
e3b1573be6 Merge branch 'maint-0.3.0' 2017-06-05 15:52:06 -04:00
Nick Mathewson
a9be768959 Bugfix: Regenerate more certificates when appropriate
Previously we could sometimes change our signing key, but not
regenerate the certificates (signing->link and signing->auth) that
were signed with it.  Also, we would regularly replace our TLS x.509
link certificate (by rotating our TLS context) but not replace our
signing->link ed25519 certificate.  In both cases, the resulting
inconsistency would make other relays reject our link handshakes.

Fixes two cases of bug 22460; bugfix on 0.3.0.1-alpha.
2017-05-31 18:45:35 -04:00
Nick Mathewson
69ef94820b Merge branch 'add_rust_squashed' 2017-05-19 08:47:18 -04:00
Sebastian Hahn
f8ef7c65d1 Add some Rust utility functions and print support
This gives an indication in the log that Tor was built with Rust
support, as well as laying some groundwork for further string-returning
APIs to be converted to Rust
2017-05-19 08:47:10 -04:00
Nick Mathewson
d34fa32ece Merge branch 'ticket21953_029' 2017-05-19 06:49:04 -04:00
Nick Mathewson
15cc41e664 Define HeapEnableTerminationOnCorruption if the headers don't.
MSDN says that it's always going to be 1, and they're usually pretty
accurate about that.

Fixes a bug in 21953.
2017-05-19 06:46:49 -04:00
Nick Mathewson
a546487287 Merge branch 'maint-0.3.0' 2017-05-15 18:24:38 -04:00
Nick Mathewson
3b8888c544 Initialize the HS cache at startup
Failure to do this caused an assertion failure with #22246 . This
assertion failure can be triggered remotely, so we're tracking it as
medium-severity TROVE-2017-002.
2017-05-15 13:49:29 -04:00
Nick Mathewson
077d3085ec
actually enable background compresion for consensuses 2017-05-12 17:45:55 +02:00
Nick Mathewson
4410271446 Merge branch 'ticket21953_029' 2017-05-12 08:40:30 -04:00
Nick Mathewson
503f101d2b Enable some windows hardening features
One (HeapEnableTerminationOnCorruption) is on-by-default since win8;
the other (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) supposedly only
affects ATL, which (we think) we don't use.  Still, these are good
hygiene. Closes ticket 21953.
2017-05-11 16:39:02 -04:00
Nick Mathewson
4d30dde156 Merge branch 'netflow_padding-v6-rebased2-squashed' 2017-05-08 13:54:59 -04:00
Mike Perry
687a85950a Cache netflow-related consensus parameters.
Checking all of these parameter lists for every single connection every second
seems like it could be an expensive waste.

Updating globally cached versions when there is a new consensus will still
allow us to apply consensus parameter updates to all existing connections
immediately.
2017-05-08 13:49:23 -04:00
Mike Perry
76c9330f9d Bug 17604: Converge on only one long-lived TLS conn between relays.
Accomplished via the following:

1. Use NETINFO cells to determine if both peers will agree on canonical
   status. Prefer connections where they agree to those where they do not.
2. Alter channel_is_better() to prefer older orconns in the case of multiple
   canonical connections, and use the orconn with more circuits on it in case
   of age ties.

Also perform some hourly accounting on how many of these types of connections
there are and log it at info or notice level.
2017-05-08 13:49:22 -04:00
Mike Perry
d5a151a067 Bug 17592: Clean up connection timeout logic.
This unifies CircuitIdleTimeout and PredictedCircsRelevanceTime into a single
option, and randomizes it.

It also gives us control over the default value as well as relay-to-relay
connection lifespan through the consensus.

Conflicts:
	src/or/circuituse.c
	src/or/config.c
	src/or/main.c
	src/test/testing_common.c
2017-05-08 13:49:22 -04:00
Mike Perry
b0e92634d8 Netflow record collapsing defense.
This defense will cause Cisco, Juniper, Fortinet, and other routers operating
in the default configuration to collapse netflow records that would normally
be split due to the 15 second flow idle timeout.

Collapsing these records should greatly reduce the utility of default netflow
data for correlation attacks, since all client-side records should become 30
minute chunks of total bytes sent/received, rather than creating multiple
separate records for every webpage load/ssh command interaction/XMPP chat/whatever
else happens to be inactive for more than 15 seconds.

The defense adds consensus parameters to govern the range of timeout values
for sending padding packets, as well as for keeping connections open.

The defense only sends padding when connections are otherwise inactive, and it
does not pad connections used solely for directory traffic at all. By default
it also doesn't pad inter-relay connections.

Statistics on the total padding in the last 24 hours are exported to the
extra-info descriptors.
2017-05-08 13:49:21 -04:00
Nick Mathewson
7b8d48a6cb Clean the consdiffmgr cache and launch new diffs as needed. 2017-04-27 21:40:12 -04:00
Nick Mathewson
24f7059704 Configure sandbox using consdiffmgr; free cdm on exit. 2017-04-25 19:52:34 -04:00
Nick Mathewson
4266ec766a Use atomic counters for compressor allocation. 2017-04-25 10:29:07 -04:00
Alexander Færøy
c2d1d949de Use tor_compress_supports_method() before printing library versions.
This patch ensures that Tor checks if a given compression method is
supported before printing the version string when calling `tor
--library-versions`.

Additionally, we use the `tor_compress_supports_method()` to check if a
given version is supported for Tor's start-up version string, but here
we print "N/A" if a given compression method is unavailable.

See: https://bugs.torproject.org/21662
2017-04-25 08:10:10 -04:00
Alexander Færøy
be4dc54634 Display LZMA and Zstandard versions when starting Tor.
See: https://bugs.torproject.org/21662
2017-04-25 08:10:09 -04:00
Alexander Færøy
9d5bc1a935 Move zlib compression code into its own module.
This patch refactors the `torgzip` module to allow us to extend a common
compression API to support multiple compression backends.

Additionally we move the gzip/zlib code into its own module under the
name `compress_zlib`.

See https://bugs.torproject.org/21664
2017-04-25 08:06:01 -04:00
Nick Mathewson
e7506c03cf Isolate dmalloc/openssl bridge code to crypto.c
This makes it so main.c, and the rest of src/or, no longer need to
include any openssl headers.
2017-03-31 10:04:44 -04:00
Daniel Pinto
e843481bf5 Fix very small memory leak #21788
Leak caused by clean_up_backtrace_handler not being called
on shutdown.
2017-03-20 01:03:05 +00:00
Nick Mathewson
58680d0429 Merge branch 'ahf_bugs_21641_squashed' 2017-03-17 11:16:24 -04:00
Alexander Færøy
946ccf3e4d Check onion key consensus parameters every hour.
This patch changes the way we decide when to check for whether it's time
to rotate and/or expiry our onion keys. Due to proposal #274 we can now
have the keys rotate at different frequencies than before and we thus
do the check once an hour when our Tor daemon is running in server mode.

This should allow us to quickly notice if the network consensus
parameter have changed while we are running instead of having to wait
until the current parameters timeout value have passed.

See: See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Alexander Færøy
853b54dea4 Add periodic timer for expiring old onion keys.
This patch adds a new timer that is executed when it is time to expire
our current set of old onion keys. Because of proposal #274 this can no
longer be assumed to be at the same time we rotate our onion keys since
they will be updated less frequently.

See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00
Alexander Færøy
23ae5b655b Make MIN_ONION_KEY_LIFETIME a consensus parameter defined value.
This patch turns `MIN_ONION_KEY_LIFETIME` into a new function
`get_onion_key_lifetime()` which gets its value from a network consensus
parameter named "onion-key-rotation-days". This allows us to tune the
value at a later point in time with no code modifications.

We also bump the default onion key lifetime from 7 to 28 days as per
proposal #274.

See: https://bugs.torproject.org/21641
2017-03-17 11:15:43 -04:00