Commit Graph

7860 Commits

Author SHA1 Message Date
David Goulet
ee7c50b8a7 fallbackdir: Renegerate list with 200 relays
Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-04-13 15:15:58 -04:00
Nick Mathewson
32f5ad7665 Update geoip files to match ipfire location db, 2021/04/13. 2021-04-13 10:35:50 -04:00
Nick Mathewson
f078aab71e Merge branch 'bug40316_035_v2' into maint-0.3.5 2021-03-15 08:58:54 -04:00
Nick Mathewson
890ae4fb1a Fix detection of point to insert signatures on a pending consensus.
We were looking for the first instance of "directory-signature "
when instead the correct behavior is to look for the first instance
of "directory-signature " at the start of a line.

Unfortunately, this can be exploited as to crash authorities while
they're voting.

Fixes #40316; bugfix on 0.2.2.4-alpha.  This is TROVE-2021-002,
also tracked as CVE-2021-28090.
2021-03-15 08:56:58 -04:00
Nick Mathewson
efca9ce41c Clarify new intended strategy with TROVE-2021-001
We're going to disable this feature in all versions for now.
2021-03-15 08:53:36 -04:00
Nick Mathewson
f46f4562cf Merge branch 'bug40286_disable_min_035' into maint-0.3.5 2021-03-15 08:41:03 -04:00
Nick Mathewson
c1ce126c74 Use the right ticket number. 2021-03-12 11:31:36 -05:00
Nick Mathewson
aa6c7741e8 update geoip-2021-03-12 to mention provider transition. 2021-03-12 11:29:09 -05:00
Nick Mathewson
a7b3cb06f5 Update geoip files to match ipfire location db, 2021/03/12. 2021-03-12 11:26:07 -05:00
David Goulet
296a557bfc Remove mallinfo() from codebase
Now deprecated in libc >= 2.33

Closes #40309

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-02-23 11:02:33 -05:00
Nick Mathewson
ede88c374c Disable the dump_desc() function.
It can be called with strings that should have been
length-delimited, but which in fact are not.  This can cause a
CPU-DoS bug or, in a worse case, a crash.

Since this function isn't essential, the best solution for older
Tors is to just turn it off.

Fixes bug 40286; bugfix on 0.2.2.1-alpha when dump_desc() was
introduced.
2021-02-19 12:31:19 -05:00
Roger Dingledine
93ac6ec4d3 exit: Deny re-entry into the network
Exit relays now reject exit attempts to known relay addresses + ORPort and
also to authorities on the ORPort and DirPort.

Closes #2667

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-29 14:19:17 -05:00
David Goulet
9556276f07 Merge branch 'tor-gitlab/mr/50' into maint-0.3.5 2021-01-28 12:46:24 -05:00
David Goulet
290007e3c4 Merge branch 'tor-gitlab/mr/239' into maint-0.3.5 2021-01-28 12:42:26 -05:00
David Goulet
02bd135cb1 Merge branch 'tor-gitlab/mr/243' into maint-0.3.5 2021-01-28 12:36:35 -05:00
David Goulet
1bdccc03a9 Merge branch 'tor-gitlab/mr/254' into maint-0.3.5 2021-01-28 12:10:39 -05:00
David Goulet
045db909c2 Merge remote-tracking branch 'tor-gitlab/mr/140' into maint-0.3.5 2021-01-28 12:08:14 -05:00
David Goulet
c6fb26695b Merge remote-tracking branch 'tor-gitlab/mr/186' into maint-0.3.5 2021-01-28 12:04:37 -05:00
David Goulet
8500700aa4 build: Add "make lsp" command
Generates the compile_commands.json file using the "bear" application so the
ccls server can be more efficient with our code base.

Closes #40227

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-21 16:06:31 -05:00
Nick Mathewson
faf7b550e7 Merge remote-tracking branch 'tor-gitlab/mr/143' into maint-0.3.5 2021-01-19 12:53:30 -05:00
Nick Mathewson
fa8ecf8820 Better fix for #40241 (--enable-all-bugs-are-fatal and fallthrough)
This one should work on GCC _and_ on Clang.  The previous version
made Clang happier by not having unreachable "fallthrough"
statements, but made GCC sad because GCC didn't think that the
unconditional failures were really unconditional, and therefore
_wanted_ a FALLTHROUGH.

This patch adds a FALLTHROUGH_UNLESS_ALL_BUGS_ARE_FATAL macro that
seems to please both GCC and Clang in this case: ordinarily it is a
FALLTHROUGH, but when ALL_BUGS_ARE_FATAL is defined, it's an
abort().

Fixes bug 40241 again.  Bugfix on earlier fix for 40241, which was
merged into maint-0.3.5 and forward, and released in 0.4.5.3-rc.
2021-01-13 09:54:43 -05:00
David Goulet
04b0263974 hs-v3: Require reasonably live consensus
Some days before this commit, the network experienced a DDoS on the directory
authorities that prevented them to generate a consensus for more than 5 hours
straight.

That in turn entirely disabled onion service v3, client and service side, due
to the subsystem requiring a live consensus to function properly.

We know require a reasonably live consensus which means that the HSv3
subsystem will to its job for using the best consensus tor can find. If the
entire network is using an old consensus, than this should be alright.

If the service happens to use a live consensus while a client is not, it
should still work because the client will use the current SRV it sees which
might be the previous SRV for the service for which it still publish
descriptors for.

If the service is using an old one and somehow can't get a new one while
clients are on a new one, then reachability issues might arise. However, this
is a situation we already have at the moment since the service will simply not
work if it doesn't have a live consensus while a client has one.

Fixes #40237

Signed-off-by: David Goulet <dgoulet@torproject.org>
2021-01-12 09:46:35 -05:00
Nick Mathewson
ccdbbae4ec Fix warnings in current debian-hardened CI.
We're getting "fallback annotation annotation in unreachable code"
warnings when we build with ALL_BUGS_ARE_FATAL. This patch fixes
that.

Fixes bug 40241.  Bugfix on 0.3.5.4-alpha.
2021-01-11 14:25:56 -05:00
George Kadianakis
d89974c5c6 Fix Keccak undefined behavior on exotic platforms.
Bug reported and diagnosed in:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975977

Fixes bug #40210.
2020-12-17 13:49:17 +02:00
Nick Mathewson
c4fe66e342 Socks5: handle truncated client requests correctly
Previously, our code would send back an error if the socks5 request
parser said anything but DONE.  But there are other non-error cases,
like TRUNCATED: we shouldn't send back errors for them.

This patch lowers the responsibility for setting the error message
into the parsing code, since the actual type of the error message
will depend on what problem was encountered.

Fixes bug 40190; bugfix on 0.3.5.1-alpha.
2020-12-14 10:14:03 -05:00
Nick Mathewson
fcae26adf7 Merge remote-tracking branch 'tor-gitlab/mr/195' into maint-0.3.5 2020-11-16 22:42:15 -05:00
Nick Mathewson
52e439c13e Merge remote-tracking branch 'tor-gitlab/mr/189' into maint-0.3.5 2020-11-09 16:13:24 -05:00
Nick Mathewson
31a6a101a0 Handle a change in the implementation of hashlib in Python 3.9
Previously, hashlib.shake_256 was a class (if present); now it can
also be a function.  This change invalidated our old
compatibility/workaround code, and made one of our tests fail.

Fixes bug 40179; bugfix on 0.3.1.6-rc when the workaround code was
added.
2020-11-05 09:34:36 -05:00
Nick Mathewson
c48d25ac8d Fix a previously overstrict log message check.
OpenSSL doesn't seem to report error locations in the same way as
before, which broke one of our tests.

Fixes bug 40170; bugfix on 0.2.8.1-alpha.
2020-10-28 10:47:39 -04:00
Nick Mathewson
59f76a8a1f Changes file for #40165 (openssl deprecation warnings) 2020-10-28 10:34:22 -04:00
Nick Mathewson
dd63b97288 Implement proposal 318: Limit protovers to 0..63
In brief: we go through a lot of gymnastics to handle huge protover
numbers, but after years of development we're not even close to 10
for any of our current versions.  We also have a convenient
workaround available in case we ever run out of protocols: if (for
example) we someday need Link=64, we can just add Link2=0 or
something.

This patch is a minimal patch to change tor's behavior; it doesn't
take advantage of the new restrictions.

Implements #40133 and proposal 318.
2020-10-14 11:28:37 -04:00
Nick Mathewson
741edf1b45 Merge remote-tracking branch 'tor-github/pr/1827/head' into maint-0.3.5 2020-10-07 09:29:07 -04:00
David Goulet
b404f085ad hs-v2: Add deprecation warning for service
If at least one service is configured as a version 2, a log warning is emitted
once and only once.

Closes #40003

Signed-off-by: David Goulet <dgoulet@torproject.org>
2020-10-07 08:38:23 -04:00
Nick Mathewson
5f5587ee50 Merge remote-tracking branch 'tor-gitlab/mr/77' into maint-0.3.5 2020-10-07 08:29:23 -04:00
Nick Mathewson
ad7ffa5240 Merge remote-tracking branch 'tor-gitlab/mr/79' into maint-0.3.5 2020-10-07 08:25:55 -04:00
Nick Mathewson
98e14720b5 Merge remote-tracking branch 'tor-github/pr/1661/head' into maint-0.3.5 2020-10-07 08:14:46 -04:00
Nick Mathewson
968b6c30c1 Merge remote-tracking branch 'tor-gitlab/mr/43' into maint-0.3.5 2020-10-07 08:09:59 -04:00
Nick Mathewson
e0e0ef713e Merge remote-tracking branch 'tor-gitlab/mr/137' into maint-0.3.5 2020-10-07 08:07:53 -04:00
Nick Mathewson
84a5bd48e2 Merge remote-tracking branch 'tor-gitlab/mr/103' into maint-0.3.5 2020-10-07 08:05:31 -04:00
Nick Mathewson
ed6a328297 Merge branch 'mr_124_squashed' into maint-0.3.5 2020-10-07 08:00:59 -04:00
Nick Mathewson
c5ba8b6221 Parallelize src/test/test into chunks.
First, we introduce a flag to teach src/test/test to split its work
into chunks.  Then we replace our invocation of src/test/test in our
"make check" target with a set of 8 scripts that invoke the first
8th of the tests, the second 8th, and so on.

This change makes our "make -kj4 check" target in our hardened
gitlab build more than twice as fast, since src/test/test was taking
the longest to finish.

Closes 40098.
2020-10-07 08:00:49 -04:00
David Goulet
faf89ec6c2 srv: Remove spammy debug log
Fixes #40135

Signed-off-by: David Goulet <dgoulet@torproject.org>
2020-09-22 11:06:34 -04:00
Nick Mathewson
7945e075a4 Fix underflow in rend_cache/free_all test.
We already fixed these in #40099 and #40125.

This patch fixes #40126.  Bugfix on 0.2.8.1-alpha.
2020-09-17 14:04:54 -04:00
David Goulet
47f1d19f8e test: Increment rend cache allocation before freeing
The rend_cache/entry_free was missing the rend cache allocation increment
before freeing the object.

Without it, it had an underflow bug:

  Sep 17 08:40:13.845 [warn] rend_cache_decrement_allocation(): Bug: Underflow
  in rend_cache_decrement_allocation (on Tor 0.4.5.0-alpha-dev
  7eef9ced61)

Fixes #40125

Signed-off-by: David Goulet <dgoulet@torproject.org>
2020-09-17 13:00:23 -04:00
Nick Mathewson
020e8e41c6 Resolve a compilation warning in test_connection.c
Instead of casting an enum to a void and back, use a string --
that's better C anyway.

Fixes bug 40113; bugfix on 0.2.9.3-alpha.
2020-09-14 11:50:38 -04:00
George Kadianakis
248cbc2d22 statistics: Properly count all rendezvous cells (avoid undercounting).
tl;dr We were not counting cells flying from the client to the service, but we
were counting cells flying from the service to the client.

When a rendezvous cell arrives from the client to the RP, the RP forwards it to
the service.

For this to happen, the cell first passes through command_process_relay_cell()
which normally does the statistics counting. However because the `rend_circ`
circuit was not flagged with `circuit_carries_hs_traffic_stats` in
rend_mid_rendezvous(), the cell is not counted there.

Then the cell goes to circuit_receive_relay_cell() which has a special code
block based on `rend_splice` specifically for rendezvous cells, and the cell
gets directly passed to `rend_circ` via a direct call to
circuit_receive_relay_cell(). The cell never passes through
command_process_relay_cell() ever again and hence is never counted by our
rephist module.

The fix here is to flag the `rend_circ` circuit with
`circuit_carries_hs_traffic_stats` so that the cell is counted as soon as it
hits command_process_relay_cell().

Furthermore we avoid double-counting cells since the special code block of
circuit_receive_relay_cell() makes us count rendezvous cells only as they enter
the RP and not as they exit it.

Fixes #40117.
2020-09-07 13:29:44 +03:00
David Goulet
ea339227c2 conn: Remove assert on new listener connection when retrying
Opening a new listener connection can fail in many ways like a bind()
permission denied on a low port for instance.

And thus, we should expect to handle an error when creating a new one instead
of assert() on it.

To hit the removed assert:

  ORPort 80
  KeepBindCapabilities 0

Start tor. Then edit torrc:

  ORPort <some-IP>:80

HUP tor and the assert is hit.

Fixes #40073

Signed-off-by: David Goulet <dgoulet@torproject.org>
2020-09-01 10:01:21 -04:00
Nick Mathewson
f9bb49d870 Fix allocation counting in clean_v2_descs_as_dir test.
Without this fix, running this test on its own would fail.

Fixes bug 40099. Bugfix on ade5005853 in 0.2.8.1-alpha.
2020-08-12 14:25:46 -04:00
Nick Mathewson
afb6ff1739 Validate ed25519 keys and canonicity from circuit_n_conn_done()
Fixes bug 40080. Bugfix on 0.2.7.2-alpha.
2020-08-06 15:59:28 -04:00
Nick Mathewson
435f31aed3 Remove channel_is_canonical_is_reliable()
This function once served to let circuits continue to be built over
version-1 link connections.  But such connections are long-obsolete,
and it's time to remove this check.

Closes #40081.
2020-08-03 11:25:37 -04:00