Commit Graph

28413 Commits

Author SHA1 Message Date
Roger Dingledine
41f3296180 fix two simple typos in comments 2023-09-05 16:06:54 -04:00
orbea
48f8d69189 crypt_openssl_mgt: define DISABLE_ENGINES after OPENSSL_NO_ENGINE
With LibreSSL-3.8.1 these engines are no long available causing a build
failure, but LibreSSL correctly defines OPENSSL_NO_ENGINE as part of its
opensslfeatures.h. However Tor includes crypto_openssl_mgt.h before any
of the openssl includes which would define OPENSSL_NO_ENGINE and then
fails to define DISABLE_ENGINES.

As the define is used in only a single .c file it is best to move it
there.

Signed-off-by: orbea <orbea@riseup.net>
2023-08-31 14:38:15 -07:00
David Goulet
cc52d8651f Merge branch 'maint-0.4.8' 2023-08-30 08:49:51 -04:00
Tor CI Release
1f88c76848 fallbackdir: Update list generated on August 30, 2023 2023-08-30 08:47:17 -04:00
Tor CI Release
9254028b38 Update geoip files to match ipfire location db, 2023/08/30. 2023-08-30 08:47:12 -04:00
David Goulet
c8844bc929 Merge branch 'maint-0.4.8' 2023-08-28 14:08:43 -04:00
David Goulet
3aa937dd5e Merge branch 'tor-gitlab/mr/750' into maint-0.4.8 2023-08-28 14:08:39 -04:00
David Goulet
4a1815e4cb Merge branch 'maint-0.4.8' 2023-08-28 14:07:47 -04:00
Micah Elizabeth Scott
a3e7e9bda2 equix: Disable huge page support by default
Equi-X supports optionally allocating its solver memory using huge
pages, to reduce the virtual memory subsystem overhead required to make
the entire solver buffer live.

Tor doesn't use this feature, since it seems to have no noticeable
performance benefit at this time, but we still included code for it at
compile time. To improve portability, this patch disables huge page
support by default and enables it only in the cmake build system used
for equix benchmarks.

With this patch equix-bench still supports huge pages. Verified using
strace that we're making the hugepage allocation.

There's no fallback for huge pages, so Equi-X initialization will fail
if they are requested and we don't support them for any runtime or
compile-time reason.

Addresses #40843 (NetBSD) but also prevents future porting issues
related to huge pages.
2023-08-28 10:11:00 -07:00
Micah Elizabeth Scott
95e8ffa97e hashx: Fix compiled hash function on NetBSD
NetBSD includes the idea of a 'maximum protection' per-region,
and an mprotect which exceeds the max protection will be denied.

If we explicitly ask for a maximum which includes execute permission, we
can successfully swap our code buffer's permissions between read-write
and read-execute when each hash program is compiled.

With this patch, the crypto/hashx tests pass on NetBSD 9.
This addresses bug #40844
2023-08-28 10:11:00 -07:00
Micah Elizabeth Scott
ee4e9f7506 hashx: Avoid unused arg warning on OpenBSD and NetBSD
This path in hashx_vm_alloc_huge() for OpenBSD and NetBSD always
fails without checking its parameter. Fix the warning.
2023-08-28 10:11:00 -07:00
Micah Elizabeth Scott
9cac0a85b4 equix: Add NetBSD to "huge pages not supported" path
As suggested by @wiz on #40843, let's add an explicit check to
hashx_vm_alloc_huge() that avoids using a Linux-style default
on NetBSD targets.

This doesn't change the questionable Linux-style default,
but a future patch will disable this code by default so it's not a
portability liability.

(This code is in hashx's VM layer but it's actually only relevant to
equix.)

This addresses bug #40843. Another patch will disable huge pages
by default entirely, but this patch is sufficient to fix the NetBSD
build.
2023-08-28 10:11:00 -07:00
Mike Perry
7666dd777a Bug #40842: Additional diagnostics
Just in case there are other instances hiding in the maze.
2023-08-25 22:53:07 +00:00
Mike Perry
fd6f098c9d Bug #40842: Don't send on sets that are being torn down 2023-08-25 22:45:07 +00:00
David Goulet
aeb2e24a75 Merge branch 'maint-0.4.8' 2023-08-25 12:56:45 -04:00
David Goulet
4119a7f971 Merge branch 'tor-gitlab/mr/748' into maint-0.4.8 2023-08-25 12:56:42 -04:00
David Goulet
4f21fc0fe4 Merge branch 'reapply-exit-policy-on-reload' into 'main'
reapply exit policy on reload

Closes #40676

See merge request tpo/core/tor!735
2023-08-25 16:55:40 +00:00
David Goulet
99a19a0da6 Merge branch 'no_consensus_on_package_lines' into 'main'
Implement proposal 301-dont-vote-on-package-fingerprints.txt

See merge request tpo/core/tor!743
2023-08-25 16:54:54 +00:00
trinity-1686a
73930bda48 fix lint clippy::arc_with_non_send_sync 2023-08-25 12:53:17 -04:00
Mike Perry
380727a16d Bug #40841: Demote extra legs to protocol warn.
Also add more info to leg dump.
2023-08-25 16:32:59 +00:00
trinity-1686a
453c8b46d3 fix lint clippy::arc_with_non_send_sync 2023-08-25 10:30:03 +02:00
David Goulet
97d3cf3950 doxygen: Typo fix in relay.c comment
HTML in comment, what a bad idea...

Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-23 17:02:25 -04:00
David Goulet
c56ba686d6 typo: Fix a doxygen html unclosed tag
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-23 16:41:36 -04:00
Tor CI Release
10636f84e8 fallbackdir: Update list generated on August 23, 2023 2023-08-23 09:21:47 -04:00
Tor CI Release
56008b623f Update geoip files to match ipfire location db, 2023/08/23. 2023-08-23 09:21:43 -04:00
David Goulet
c3bc04e355 Fix compilation errors for FreeBSD
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-22 13:37:25 -04:00
David Goulet
c6b1da20a7 Merge remote-tracking branch 'mbeth-private/ticket40833_mr' 2023-08-22 13:24:00 -04:00
David Goulet
e39fb0962f Merge remote-tracking branch 'mbeth-private/ticket40821_mr' 2023-08-22 13:09:54 -04:00
Micah Elizabeth Scott
8991b10cac CI: Diagnostic for failure in test_rebind cleanup
I saw this test fail intermittently due to what seemed like a filesystem
race in docker? The cleanup task was failing with a 'directory not
empty' error, despite trying to do a recursive 'rm'. This patch adds an
'ls' to the same directory, hoping the output might be useful to
diagnose future intermittent failures.
2023-08-15 09:52:30 -07:00
Micah Elizabeth Scott
317a56c133 tor-c-equix: Fix clippy warning
Clippy found a transmute that could have been a reborrow.
2023-08-15 09:52:30 -07:00
David Goulet
00881f1886 Merge branch 'maint-0.4.7' 2023-08-15 12:39:33 -04:00
Mike Perry
a56434a82b Bug 40834: Remove assert and add logs to track no-leg case 2023-08-15 15:05:25 +00:00
Mike Perry
72164740a2 Revert "Nullify on_circuit if last conflux leg"
This reverts commit 5487476fd9.
2023-08-15 14:53:17 +00:00
Nick Mathewson
0cdd5a7900 Implement proposal 301-dont-vote-on-package-fingerprints.txt
This commit adds a new consensus method which, when present, causes
authorities not to consider package fingerprints when computing a
consensus. It builds on earlier work which dropped support for putting
these lines into the votes.
2023-08-15 10:12:25 -04:00
David Goulet
fd3f9e8580 zstd: Check errors right affer compressing/decompressing
Considering a compression bomb before looking for errors led to false negative
log warnings. Instead, it is possible the work failed for whatever reasons
which is not indicative of a compression bomb.

Fixes #40739

Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-14 11:05:23 -04:00
Micah Elizabeth Scott
d0343b12c6 test_dos: Fixes for uninitialized stack memory
This was causing CI failures that didn't reproduce on my local machine.
The DoS subsystem now has a new assert() which triggers a BUG on some
nonzero memory contents (or_conn->tracked_for_dos_mitigation), and
uninitialized stack memory might be nonzero.
2023-08-11 18:05:07 -07:00
Micah Elizabeth Scott
2b8d629079 Extend DoS protection to IP addresses with known relays
This exemption used to be helpful in keeping exit relays from tripping
the DoS detection subsystem and losing Tor connectivity. Now exit relays
block re-entry into the network (tor issue #2667) so it's no longer
needed. We'd like to re-enable protection on these addresses to avoid
giving attackers a way around our DoS mitigations.
2023-08-11 16:32:22 -07:00
Micah Elizabeth Scott
a94ce25277 hashx: Fix rare compiler output overflow on aarch64
This is a fix for a very rare buffer overflow in hashx, specific to the
dynamic compiler on aarch64 platforms.

In practice this issue is extremely unlikely to hit randomly, and it's
only been seen in unit tests that supply unusual mock PRNG output to the
program generator. My best attempt at estimating the probability of
hitting the overflow randomly is about 10^-23. Crafting an input with
the intent to overflow can be done only as fast as an exhaustive search,
so long as Blake2B is unbroken.

The root cause is that hashx writes assembly code without any length
checks, and it uses an estimated size rather than an absolute maximum
size to allocate the buffer for compiled code. Some instructions are
much longer than others, especially on aarch64.

The length of the overflow is nearly 300 bytes in the worst synthetic
test cases I've developed so far. Overflow occurs during hashx_make(),
and the subsequent hashx_exec() will always SIGSEGV as the written code
crosses outside the region that's been marked executable. In typical use,
hashx_exec() is called immediately after hashx_make().

This fix increases the buffer size from 1 page to 2 pages on aarch64,
adds an analysis of the compiled code size, and adds runtime checks so we
can gracefully fail on overflow. It also adds a unit test (written in
Rust) that includes a PRNG sequence exercising the overflow. Without
this patch the unit test shows a SIGSEGV on aarch64, with this patch it
runs successfully and matches interpreter output.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-08-11 15:05:11 -07:00
Micah Elizabeth Scott
3e18507dc7 Extend DoS protection to partially-open channels
tor only marks a channel as 'open' once the TLS and OR handshakes have both
completed, and normal "client" (ORPort) DoS protection is not enabled until
the channel becomes open. This patch adds an additional earlier initialization
path for DoS protection on incoming TLS connections.

This leaves the existing dos_new_client_conn() call sites intact, but adds a
guard against multiple-initialization using the existing
tracked_for_dos_mitigation flag. Other types of channels shouldn't be affected
by this patch.
2023-08-09 18:07:34 -07:00
Micah Elizabeth Scott
ef08c00df2 hashx: Fix a few more compiler warnings
Fix a couple cases where size_t values were being confused with int.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-08-07 18:18:24 -07:00
trinity-1686a
083fbd5dd8
handle invalid exitpolicy when reapplying it 2023-08-05 14:06:56 +02:00
Tor CI Release
0c601d0025 fallbackdir: Update list generated on August 04, 2023 2023-08-04 10:08:22 -04:00
Tor CI Release
71748077d0 Update geoip files to match ipfire location db, 2023/08/04. 2023-08-04 10:08:16 -04:00
David Goulet
3ed37ae53c relay: Remove logging for a bug. It triggers a BUG() later
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-02 12:09:41 -04:00
David Goulet
0c270735ef Merge branch 'cargo_hashx_rng' into 'main'
hashx: Rust hook for inspecting and modifying the random number stream

See merge request tpo/core/tor!734
2023-08-01 20:19:42 +00:00
David Goulet
f1fdb58611 Merge branch 'bug40827' into 'main'
Fix assert crash on relay-side due to on_circuit backpointer

See merge request tpo/core/tor!737
2023-08-01 20:13:32 +00:00
Mike Perry
e3ad41e7e5 Bug 40827: Add additional logs and checks for 0-leg conflux case 2023-08-01 17:13:48 +00:00
David Goulet
5487476fd9 Nullify on_circuit if last conflux leg
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-08-01 17:12:11 +00:00
Mike Perry
74d6fd534a Bug 40828: Add more log scrubbing to protocol warnings 2023-07-31 14:12:39 +00:00
trinity-1686a
9de1d14c1c
add config ReevaluateExitPolicy 2023-07-29 23:15:27 +02:00
trinity-1686a
8226148bf1
reapply exit policy on reload 2023-07-29 23:15:23 +02:00
Micah Elizabeth Scott
0ca2e62b28 hashx: Rust hook for inspecting and modifying the random number stream
This patch has no effect on the C tor build.

Adds a function hashx_rng_callback() to the hashx API, defined only
when HASHX_RNG_CALLBACK is defined. This is then used in the Rust
wrapper to implement a similar rng_callback().

Included some minimal test cases. This code is intented for
use in cross-compatibility fuzzing tests which drive multiple
implementations of hashx with the same custom Rng stream.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-07-28 21:27:10 -07:00
Micah Elizabeth Scott
95bcd17705 Include a basic Rust wrapper for Equi-X and HashX
The idea behind this is that we may want to start exporting more pieces
of c-tor as Rust crates so that Arti can perform cross compatibility and
comparison testing using Rust tooling.

This turns the 'tor' repo into a Cargo workspace, and adds one crate to
start with: "tor-c-equix", rooted in src/ext/equix. This actually
includes both Equi-X itself and HashX, since there's less overall
duplication if we package these together instead of packaging HashX
separately.

This patch adds a basic safe Rust interface, but doesn't expose any
additional internals for testing purposes.

No changes to the C code here or the normal Tor build system.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-07-26 12:27:15 -07:00
Tor CI Release
78cb761612 version: Bump version to 0.4.7.14-dev 2023-07-26 12:02:42 -04:00
Tor CI Release
4333762b21 version: Bump version to 0.4.7.14 2023-07-26 10:22:32 -04:00
David Goulet
89b1e6568e Merge branch 'maint-0.4.7' 2023-07-26 10:13:21 -04:00
Tor CI Release
fa40b0a122 fallbackdir: Update list generated on July 26, 2023 2023-07-26 10:12:30 -04:00
Tor CI Release
e4308eb159 Update geoip files to match ipfire location db, 2023/07/26. 2023-07-26 10:12:24 -04:00
David Goulet
2234ecd491 fallback: Take file from main for our release CI
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-07-26 10:07:27 -04:00
David Goulet
47434fc81a geoip: Take the database from main
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-07-26 09:59:26 -04:00
David Goulet
28dfa07069 Merge branch 'maint-0.4.7' 2023-07-24 10:18:53 -04:00
David Goulet
d6fd7d1035 Fix all -Werror=enum-int-mismatch warnings
Close #40824

Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-07-24 09:44:42 -04:00
David Goulet
e6a9e00690 Merge branch 'warn-bridge-exit' into 'main'
Warn when operating as bridge and exit

Closes #40819

See merge request tpo/core/tor!730
2023-07-20 14:40:13 +00:00
trinity-1686a
1901720fb9
Warn when operating as bridge and exit 2023-07-17 19:40:26 +02:00
trinity-1686a
9ea80b465f
fix non-fatal assertion when rotate_onion_key fails 2023-07-16 22:29:23 +02:00
Tor CI Release
4b626a9c57 fallbackdir: Update list generated on July 12, 2023 2023-07-12 09:38:16 -04:00
Tor CI Release
a7a3fbffe5 Update geoip files to match ipfire location db, 2023/07/12. 2023-07-12 09:38:10 -04:00
David Goulet
e4a8a128b1 Merge branch 'maint-0.4.7' 2023-07-12 08:17:23 -04:00
Roger Dingledine
3335829347 replace L2 vanguards that aren't Fast or Stable
Rotate to a new L2 vanguard whenever an existing one loses the
Stable or Fast flag. Previously, we would leave these relays in the
L2 vanguard list but never use them, and if all of our vanguards
end up like this we wouldn't have any middle nodes left to choose
from so we would fail to make onion-related circuits.

Fixes bug 40805; bugfix on 0.4.7.1-alpha.
2023-07-05 23:00:38 -04:00
Roger Dingledine
294872a407 trivial typo fix in comment 2023-07-05 16:38:32 -04:00
Mike Perry
04d7f11086 Bug 40566: Remove unused BDP estimators 2023-06-27 19:27:10 +00:00
Mike Perry
7d85298b63 Bug 40566: Remove unused congestion control alg structs. 2023-06-27 16:44:07 +00:00
Mike Perry
641ed48e6d Bug 40566: Unhook unused congestion control algs 2023-06-27 16:44:07 +00:00
Mike Perry
99ad0de9f5 Bug 40566: Remove unused cc alg files 2023-06-27 14:52:56 +00:00
Mike Perry
a945f3c506 Add congestion control tests to build. 2023-06-23 15:08:57 +00:00
Mike Perry
331b874e69 Add CWND test vectors 2023-06-23 15:08:57 +00:00
Mike Perry
06aa454c08 Add RTT Test Vectors 2023-06-23 15:08:57 +00:00
Mike Perry
3647b2f95a Add clock heuristic test vector for congestion control. 2023-06-23 15:08:57 +00:00
Mike Perry
53748705f7 Export variables and functions for CC unit tests. 2023-06-23 15:08:57 +00:00
Mike Perry
646212ce58 Bug 40709: Update and clean up tests for consensus params 2023-06-23 15:08:54 +00:00
Mike Perry
9d022be9fc Bug 40709: Update congestion control parameters
This brings us into sync with the consensus, and will be useful for test
vectors, to ensure behavior consistent with the consensus params.
2023-06-23 15:08:49 +00:00
Mike Perry
796e65e487 Bug 40569: Reduce accepted range for negotiated cc_sendme_inc 2023-06-22 23:12:34 +00:00
Mike Perry
27a0fee882 Bug 40808: Change KISTSchedRunInterval range and default; add KISTSchedRunIntervalClient 2023-06-20 16:29:48 +00:00
David Goulet
8286d88ed0 Merge branch 'ticket40773' into 'main'
Fix compilation error on older gcc versions and MSVC.

See merge request tpo/core/tor!717
2023-06-19 18:32:44 +00:00
David Goulet
94f4d0968b Change git.tpo URLs to gitlab.tpo
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-19 08:09:39 -04:00
David Goulet
7a83aa4f50 Merge branch 'tor-gitlab/mr/722' 2023-06-15 13:23:36 -04:00
David Goulet
cdb270d55e Change git.tpo URLs to gitlab.tpo
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-15 13:00:11 -04:00
Mike Perry
44cd704636 Bug 40811: Count conflux leg launch attempts early.
Also, double check that the consensus has enough overall exits before
attempting conflux set launch.
2023-06-15 16:13:34 +00:00
David Goulet
44368a727a Merge branch 'tor-gitlab/mr/721' 2023-06-14 09:45:27 -04:00
Mike Perry
5d63842e86 Bug 40810: Avoid using 0 RTT legs 2023-06-13 18:18:46 +00:00
Mike Perry
dbd37c0e7b Bug 40810: Improve validation checks to ignore 0-RTT legs
Also add calls to dump the legs of a conflux set if we have too many
2023-06-13 18:18:07 +00:00
David Goulet
d5306e107f Merge branch 'tor-gitlab/mr/715' 2023-06-13 13:03:11 -04:00
Mike Perry
6a513e2ff5 Bug 40801: Do not change read state of marked conns 2023-06-09 16:29:10 +00:00
Mike Perry
da50d21c42 Bug 40801: Send LINKED_ACK before attaching streams
Otherwise, the BEGIN cell arrives at the exit before it has an RTT,
and then it does not know which circuit to prefer in response.
2023-06-09 16:29:10 +00:00
Mike Perry
ff59e2f490 Add BUG() macro to marked edge reads
This will give us a full stacktrace.
2023-06-09 16:24:03 +00:00
Mike Perry
176f0929bb Add conflux logs to diagnose cases where RTTs are absent/zero. 2023-06-09 16:24:03 +00:00
Neel Chauhan
a91315f931 Fix the spacing in the 'Your Tor identity key fingerprint is' log line' 2023-06-07 10:02:33 -07:00
Mike Perry
03d63bc7bd Add a conflux helper to log conflux sets. 2023-06-06 15:15:20 +00:00
Micah Elizabeth Scott
cfbf74352f More fixes for compile-time warnings in equix and hashx
This addresses issue #40800 and a couple other problems I noticed while
trying to reproduce that one.

The original issue is just a missing cast to void* on the args of
__builtin___clear_cache(), and clang is picky about the implicit cast
between what it considers to be char of different signedness. Original
report is from MacOS but it's also reproducible on other clang targets.

The cmake-based original build system for equix and hashx was a handy
way to run tests, but it suffered from some warnings due to incorrect
application of include_directories().

And lastly, there were some return codes from hashx_exec() that get
ignored on equix when asserts are disabled. It bugged me too much to
just silence this with a (void) cast, since even though this is in the
realm of low-likelyhood programming errors and not true runtime errors, I
don't want to make it easy for the hashx_exec() wrappers to return
values that are dangerously wrong if an error is ignored. I made sure
that even if asserts are disabled, we return values that will cause the
solver and verifier to both fail to validate a potential solution.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-06-05 11:45:33 -07:00
Gabriela Moldovan
45ee8a10e2
Fix compilation error on older gcc versions and MSVC.
This fixes an "initializer is not a constant" compilation error that manifests
itself on gcc versions < 8.1 and MSVC (see
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69960#c18).

Fixes bug #40773

Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
2023-06-05 15:03:39 +01:00
Tor CI Release
5e2f6d5433 fallbackdir: Update list generated on June 01, 2023 2023-06-01 09:47:36 -04:00
Tor CI Release
c2c6c7a5e6 Update geoip files to match ipfire location db, 2023/06/01. 2023-06-01 09:47:22 -04:00
David Goulet
7f5355826b test: Really fix the mem leak from prior commit
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-01 09:07:43 -04:00
David Goulet
faff592c3b test: Fix a mem leak reported by Coverity
Here is the report:

  *** CID 1531835:  Resource leaks  (RESOURCE_LEAK)
  /src/test/test_crypto_slow.c: 683 in test_crypto_equix()
  677
  678           /* Solve phase: Make sure the test vector matches */
  679           memset(&output, 0xa5, sizeof output);
  680           equix_result result;
  681           result = equix_solve(solve_ctx, challenge_literal,
  682                                challenge_len, &output);
  >>>     CID 1531835:  Resource leaks  (RESOURCE_LEAK)
  >>>     Variable "solve_ctx" going out of scope leaks the storage it points to.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-06-01 08:35:08 -04:00
David Goulet
97008526db Merge branch 'maint-0.4.7' 2023-05-31 14:32:07 -04:00
David Goulet
d77f1e7aea Merge branch 'tor-gitlab/mr/714' into maint-0.4.7 2023-05-31 14:28:44 -04:00
Micah Elizabeth Scott
3036bedf30 Update CI builds to Debian Bullseye, fix associated compatibility bugs
This is a change intended for 0.4.7 maintenance as well as main.

The CI builds use Debian Buster which is now end of life, and I was
experiencing inconsistent CI failures with accessing its security update
server. I wanted to update CI to a distro that isn't EOL, and Bullseye
is the current stable release of Debian.

This opened up a small can of worms that this commit also deals with.
In particular there's a docker engine bug that we work around by
removing the docker-specific apt cleanup script if it exists, and
there's a new incompatibility between tracing and sandbox support.

The tracing/sandbox incompatibility itself had two parts:

  - The membarrier() syscall is used to deliver inter-processor
    synchronization events, and the external "userspace-rcu"
    data structure library would make assumptions that if membarrier
    is available at initialization it always will be. This caused
    segfaults in some cases when running trace + sandbox. Resolved this
    by allowing membarrier entirely, in the sandbox.

  - userspace-rcu also assumes it can block signals, and fails
    hard if this can't be done. We already include a similar carveout
    to allow this in the sandbox for fragile-hardening, so I extended
    that to cover tracing as well.

Addresses issue #40799

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-31 11:08:27 -07:00
David Goulet
925201c946 Merge branch 'tor-gitlab/mr/713' 2023-05-31 09:07:45 -04:00
orbea
9850dc59c0 tls: Disable a warning with LibreSSL >= 3.8.0
Skip a warning using EC_GFp_nist_method() which was removed in LibreSSL
3.8.

Based on a patch from OpenBSD.

33fe251a08

These functions are deprecated since OpenSSL 3.0.

https://www.openssl.org/docs/man3.1/man3/EC_GFp_nist_method.html
2023-05-29 13:00:32 -07:00
Micah Elizabeth Scott
415c0354b2 hs_pow: Add CompiledProofOfWorkHash torrc option
This exposes the new fallback behavior in hashx via a new AUTOBOOL
configuration option, available to both clients and services. The
default should be fine for nearly everyone, but it might be necessary
to enable or disable the compiler manually for diagnostic purposes.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:03 -07:00
Micah Elizabeth Scott
a397a92be2 hs_pow: Update for equix API to fix issue 40794
This change adapts the hs_pow layer and unit tests to API changes
in hashx and equix which modify the fault recovery responsibilities
and reporting behaivor.

This and the corresponding implementation changes in hashx and equix
form the fix for #40794, both solving the segfault and giving hashx a
way to report those failures up the call chain without them being
mistaken for a different error (unusable seed) that would warrant a
retry.

To handle these new late compiler failures with a minimum of fuss or
inefficiency, the failover is delegated to the internals of hashx and
tor needs only pass in a EQUIX_CTX_TRY_COMPILE flag to get the behavior
that tor was previously responsible for implementing.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:02 -07:00
Micah Elizabeth Scott
a3513dea54 equix: API changes for new result codes and hashx compatibility
This change adapts Equi-X to the corresponding HashX API changes that
added HASHX_TRY_COMPILE. The new regularized HashX return codes are
reflected by revised corresponding Equi-X return codes.

Both solve and verify operations now return an error/success code, and a
new equix_solutions_buffer struct includes both the solution buffer
and information about the solution count and hashx implementation.

With this change, it's possible to discern between hash construction
failures (invalid seed) and some external error like an mprotect()
failure.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:02 -07:00
Micah Elizabeth Scott
5a4f92ea7b hashx: API changes to allow recovery from late compile failures
This is an API breaking change to hashx, which modifies the error
handling strategy. The main goal here is to allow unproblematic
recovery from hashx_compile failures.

hashx_alloc can no longer fail for reasons other than memory
allocation. All platform-specific compile failures are now reported via
hashx_make(), in order to both allow later failure and avoid requiring
users of the API to maintain and test multiple failure paths.

Note that late failures may be more common in actual use than early
failures. Early failures represent architectures other than x86_64 and
aarch64. Late failures could represent a number of system configurations
where syscalls are restricted.

The definition of a hashx context no longer tries to overlay storage for
the different types of program, and instead allows one context to always
contain an interpretable description of the program as well as an optional
buffer for compiled code.

The hashx_type enum is now used to mean either a specific type of hash
function or a type of hashx context. You can allocate a context for use
only with interpreted or compiled functions, or you can use
HASHX_TRY_COMPILE to prefer the compiler with an automatic fallback on
the interpreter. After calling hashx_make(), the new hashx_query_type()
can be used if needed to determine which implementation was actually
chosen.

The error return types have been overhauled so that everyone uses the
hashx_result enum, and seed failures vs compile failures are always
clearly distinguishable.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 20:02:02 -07:00
Micah Elizabeth Scott
6fd5ca4914 hashx: allow hashx_compile to fail, avoid segfault without changing API
This is a minimal portion of the fix for tor issue #40794, in which
hashx segfaults due to denial of mprotect() syscalls at runtime.

Prior to this fix, hashx makes the assumption that if the JIT is
supported on the current architecture, it will also be usable at
runtime. This isn't true if mprotect fails on linux, which it may for
various reasons: the tor built-in sandbox, the shadow simulator, or
external security software that implements a syscall filter.

The necessary error propagation was missing internally in hashx,
causing us to obliviously call into code which was never made
executable. With this fix, hashx_make() will instead fail by returning
zero.

A proper fix will require API changes so that callers can discern
between different types of failures. Zero already means that a program
couldn't be constructed, which requires a different response: choosing a
different seed, vs switching implementations. Callers would also benefit
from a way to use one context (with its already-built program) to
run in either compiled or interpreted mode.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 19:54:50 -07:00
Micah Elizabeth Scott
941613c663 hashx: minor, another logical operator change
The code style in equix and hashx sometimes uses bitwise operators
in place of logical ones in cases where it doesn't really matter
either way. This sometimes annoys our static analyzer tools.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 19:54:50 -07:00
Micah Elizabeth Scott
c40c5adec2 test_sandbox: equix crypto test case for issue 40794
This is an additional test case for test_sandbox that runs a small
subset of test_crypto_equix() inside the syscall sandbox, where
mprotect() is filtered.

It's reasonable for the sandbox to disallow JIT. We could revise this
policy if we want, but it seems a good default for now. The problem
in issue 40794 is that both equix and hashx need improvements in their
API to handle failures after allocation time, and this failure occurs
while the hash function is being compiled.

With this commit only, the segfault from issue 40794 is reproduced.
Subsequent commits will fix the segfault and revise the API.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-28 19:54:50 -07:00
friendly73
273227afe1 Forgot about the stub names 2023-05-25 11:03:35 -04:00
friendly73
3d5d8d59c1 Added relay prefix to new metrics functions 2023-05-25 11:03:35 -04:00
friendly73
7e57b9dbbf Fixed enum type not found in relay_stub 2023-05-25 11:03:35 -04:00
friendly73
5b76ce1843 Added void stubs for the relay metrics functions to fix building without relay module 2023-05-25 11:03:35 -04:00
friendly73
8cbfc90686 Fixed new arguments for metrics_store_add 2023-05-25 11:03:35 -04:00
friendly73
1899b6230d Removed getter abstraction and moved from rephist to relay_metrics. 2023-05-25 11:03:35 -04:00
friendly73
2f8a88448d Fixed est intro getter using wrong array 2023-05-25 11:03:35 -04:00
friendly73
24bc66f663 Fixed REND1 metric label value 2023-05-25 11:03:35 -04:00
friendly73
36076d3c46 Added INTRO and REND metrics for relay. 2023-05-25 11:03:35 -04:00
David Goulet
a1042f4873 Merge branch 'tor-gitlab/mr/443' 2023-05-25 10:50:15 -04:00
Alexander Færøy
506781d41e Restart PT processes when they die on us.
This patch forces a PT reconfigure of infant PT processes as part of the
PT process' exit handler.

See: tpo/core/tor#33669
2023-05-25 10:50:11 -04:00
Alexander Færøy
58f0e548ff Log at LD_PT instead of LD_GENERAL for PT process stdout lines.
See: tpo/core/tor#33669
2023-05-25 10:50:11 -04:00
Alexander Færøy
3338b34ec9 Only terminate PT processes that are running.
See: tpo/core/tor#33669
2023-05-25 10:50:11 -04:00
Alexander Færøy
0d51dfa605 Log name of managed proxy in exit handler.
This patch ensures that we can figure out which PT that terminated in
the PT exit handler.

See: tpo/core/tor#33669
2023-05-25 10:50:11 -04:00
Alexander Færøy
5118a8003b Log state transitions for Pluggable Transports
This patch makes Tor log state transitions within the PT layer at the
info log-level. This should make it easier to figure out if Tor ends up
in a strange state.

See: tpo/core/tor#33669
2023-05-25 10:50:11 -04:00
David Goulet
970a534f03 test: Fix parseconf to account for ClientUseIPv6 change for dirauth disabled
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-05-25 10:20:12 -04:00
David Goulet
86bc3cc452 test: Fix parseconf to account for ClientUseIPv6 change
Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-05-25 09:21:23 -04:00
David Goulet
a2ec9a1199 Merge branch 'tor-gitlab/mr/711' 2023-05-24 11:45:40 -04:00
Micah Elizabeth Scott
23f4a28f97 token_bucket_ctr: replace 32-bit wallclock time with monotime
This started as a response to ticket #40792 where Coverity is
complaining about a potential year 2038 bug where we cast time_t from
approx_time() to uint32_t for use in token_bucket_ctr.

There was a larger can of worms though, since token_bucket really
doesn't want to be using wallclock time here. I audited the call sites
for approx_time() and changed any that used a 32-bit cast or made
inappropriate use of wallclock time. Things like certificate lifetime,
consensus intervals, etc. need wallclock time. Measurements of rates
over time, however, are better served with a monotonic timer that does
not try and sync with wallclock ever.

Looking closer at token_bucket, its design is a bit odd because it was
initially intended for use with tick units but later forked into
token_bucket_rw which uses ticks to count bytes per second, and
token_bucket_ctr which uses seconds to count slower events. The rates
represented by either token bucket can't be lower than 1 per second, so
the slower timer in 'ctr' is necessary to represent the slower rates of
things like connections or introduction packets or rendezvous attempts.

I considered modifying token_bucket to use 64-bit timestamps overall
instead of 32-bit, but that seemed like an unnecessarily invasive change
that would grant some peace of mind but probably not help much. I was
more interested in removing the dependency on wallclock time. The
token_bucket_rw timer already uses monotonic time. This patch converts
token_bucket_ctr to use monotonic time as well. It introduces a new
monotime_coarse_absolute_sec(), which is currently the same as nsec
divided by a billion but could be optimized easily if we ever need to.

This patch also might fix a rollover bug.. I haven't tested this
extensively but I don't think the previous version of the rollover code
on either token bucket was correct, and I would expect it to get stuck
after the first rollover.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-24 11:43:11 -04:00
David Goulet
9976da9367 Merge branch 'tor-gitlab/mr/709' 2023-05-24 11:37:05 -04:00
David Goulet
0781c2968d Merge branch 'tor-gitlab/mr/710' 2023-05-24 11:12:22 -04:00
Micah Elizabeth Scott
71b2958a62 test_hs_descriptor: Add a test case that fails without the fix for 40793
This adds a bit more to hs_descriptor/test_decode_descriptor, mostly
testing pow-params and triggering the tor_assert() in issue #40793.

There was no mechanism for adding arbitrary test strings to the
encrypted portion of the desc without duplicating encode logic. One
option might be to publicize get_inner_encrypted_layer_plaintext enough
to add a mock implementation. In this patch I opt for what seems like
the simplest solution, at the cost of a small amount of #ifdef noise.
The unpacked descriptor grows a new test-only member that's used for
dropping arbitrary data in at encode time.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-24 11:12:15 -04:00
David Goulet
6afe03aa51 Merge branch 'tor-gitlab/mr/708' 2023-05-24 11:03:47 -04:00
agowa338
ffb764949e ipv6: Flip ClientUseIPv6 to 1
Fixes #40785

Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-05-24 11:03:15 -04:00
David Goulet
8eae9f17ae metrics: Add ticket 40546 changes file and code fix
The MR was using an old function definition so the code fix is for that.

Closes #40546

Signed-off-by: David Goulet <dgoulet@torproject.org>
2023-05-24 10:45:21 -04:00
David Goulet
21ec9017f6 Merge branch 'tor-gitlab/mr/698' 2023-05-24 10:40:25 -04:00
David Goulet
6bf56ac301 Merge branch 'tor-gitlab/mr/703' 2023-05-24 10:38:58 -04:00
Micah Elizabeth Scott
459b775a7e hs_pow: fix insufficient length check in pow-params
The descriptor validation table had an out of date minimum length
for pow-params (3) whereas the spec and the current code expect at
least 4 parameters. This was an opportunity for a malicious service
to cause an assert failure in clients which attempted to parse its
descriptor.

Addresses issue #40793

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-15 12:11:00 -07:00
Micah Elizabeth Scott
a3ff3155c2 test_crypto: avoid memory leak in some hashx test failures
This should fix one of the warnings in issue #40792.

I was sloppy with freeing memory in the failure cases for
test_crypto_hashx. ASAN didn't notice but coverity did. Okay, I'll eat
my vegetables and put hashx_ctx's deinit in an upper scope and use
'goto done' correctly like a properly diligent C programmer.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-11 11:17:43 -07:00
Micah Elizabeth Scott
c71b6a14a3 equix: avoid a coverity warning in hashx_alloc()
This addresses one of the warnings in issue #40792. As far as I can tell
this is a false positive, since the use of "ctx->type" in hashx_free()
can only be hit after the unioned code/program pointer is non-NULL. It's
no big deal to zero this value explicitly to silence the warning though.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-11 11:10:15 -07:00
Mike Perry
79dab29a05 Add torrc option for conflux client UX. 2023-05-11 18:05:28 +00:00
Mike Perry
0c11577987 Fix unit tests. 2023-05-11 18:05:28 +00:00
Mike Perry
a340acb492 Clean up UX decision logic; hardcode for browser UX case. 2023-05-11 18:02:51 +00:00
Roger Dingledine
34da50718a fix minor typos in conflux and pow areas 2023-05-11 13:09:34 -04:00
Mike Perry
c8341abf82 Clean up and disable switch rate limiting.
Switch rate limiting will likely be helpful for limiting OOQ, but according to
shadow it was the cause of slower performance in Hong Kong endpoints.

So let's disable it, and then optimize for OOQ later.
2023-05-10 17:49:51 +00:00
Mike Perry
a98b1d3ab6 Remove two conflux algs: maxrate and cwndrate.
Maxrate had slower throughput than lowrtt in Shadow, which is not too
surprising. We just wanted to test it.
2023-05-10 17:49:51 +00:00
Micah Elizabeth Scott
e643a70879 hs_pow: Modify challenge format, include blinded HS id
This is a protocol breaking change that implements nickm's
changes to prop 327 to add an algorithm personalization string
and blinded HS id to the EquiX challenge string for our onion
service client puzzle.

This corresponds with the spec changes in torspec!130,
and it fixes a proposed vulnerability documented in
ticket tor#40789.

Clients and services prior to this patch will no longer
be compatible with the proposed "v1" proof-of-work protocol.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:41:37 -07:00
Micah Elizabeth Scott
138fd57072 hs_pow: add per-circuit effort information to control port
This lets controller apps see the outgoing PoW effort on client
circuits, and the validated effort received on an incoming service
circuit.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:41:37 -07:00
Micah Elizabeth Scott
971de27c07 hs_pow: fix error path with outdated assumption
This error path with the "PoW cpuworker returned with no solution.
Will retry soon." message was usually lying. It's concerning
now because we expect to always find a solution no matter how
long it takes, rather than re-enter the solver repeatedly, so any
exit without a solution is a sign of a problem.

In fact when this error path gets hit, we are usually missing a
circuit instead because the request is quite old and the circuits
have been destroyed. This is not an emergency, it's just a sign
of client-side overload.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:41:37 -07:00
Micah Elizabeth Scott
cba1ffb43a hs_pow: swap out some comments
i think we're done with these?
and swap in a nonfatal assert to replace one of the comments.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:41:37 -07:00
Micah Elizabeth Scott
a13d7bd5e9 hs_pow: always give other events a chance to run between rend requests
This dequeue path has been through a few revisions by now, first
limiting us to a fixed number per event loop callback, then an
additional limit based on a token bucket, then the current version
which has only the token bucket.

The thinking behing processing multiple requests per callback was to
optimize our usage of libevent, but in effect this creates a
prioritization problem. I think even a small fixed limit would be less
reliable than just backing out this optimization and always allowing
other callbacks to interrupt us in-between dequeues.

With this patch I'm seeing much smoother queueing behavior when I add
artificial delays to the main thread in testing.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:41:37 -07:00
Micah Elizabeth Scott
6023153631 hs_pow: modified approach to pqueue level thresholds
This centralizes the logic for deciding on these magic thresholds,
and tries to reduce them to just two: a min and max. The min should be a
"nearly empty" threshold, indicating that the queue only contains work
we expect to be able to complete very soon. The max level triggers a
bulk culling process that reduces the queue to half that amount.

This patch calculates both thresholds based on the torrc pqueue rate
settings if they're present, and uses generic defaults if the user asked
for an unlimited dequeue rate in torrc.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:41:37 -07:00
Micah Elizabeth Scott
50313d114f hs_pow: faster hs_circuitmap lookup for rend in pow_worker_job_t
The worker job queue for hs_pow needs what's effectively a weak pointer
to two circuits, but there's not a generic mechanism for this in c-tor.
The previous approach of circuit_get_by_global_id() is straightforward
but not efficient. These global IDs are normally only used by the
control port protocol. To reduce the number of O(N) lookups we have over
the whole circuit list, we can use hs_circuitmap to look up the rend
circuit by its auth cookie.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:41:37 -07:00
Micah Elizabeth Scott
a6138486f7 hs_pow: review feedback, use MAX for max_trimmed_effort
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:41:37 -07:00
Micah Elizabeth Scott
ee63863dca hs_pow: Lower several logs from notice to info
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:41:37 -07:00
Micah Elizabeth Scott
ff678d0fb5 hs_pow: update_suggested_effort fix and cleanup
This is trying to be an AIMD event-driven algorithm, but we ended up with
two different add paths with diverging behavior. This fix makes the AIMD
events more explicit, and it fixes an earlier behavior where the effort
could be decreased (by the add/recalculate branch) even when the pqueue
was not emptying at all. With this patch we shouldn't drop down to an
effort of zero as long as even low-effort attacks are flooding the
pqueue.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:40:46 -07:00
Micah Elizabeth Scott
903c6cf1ab hs_pow: client side effort adjustment
The goal of this patch is to add an additional mechanism for adjusting
PoW effort upwards, where clients rather than services can choose to
solve their puzzles at a higher effort than what was suggested in the
descriptor.

I wanted to use hs_cache's existing unreachability stats to drive this
effort bump, but this revealed some cases where a circuit (intro or
rend) closed early on can end up in hs_cache with an all zero intro
point key, where nobody will find it. This moves intro_auth_pk
initialization earlier in a couple places and adds nonfatal asserts to
catch the problem if it shows up elsewhere.

The actual effort adjustment method I chose is to multiply the suggested
effort by (1 + unresponsive_count), then ensure the result is at least
1. If a service has suggested effort of 0 but we fail to connect,
retries will all use an effort of 1. If the suggestion was 50, we'll try
50, 100, 150, 200, etc. This is bounded both by our client effort limit
and by the limit on unresponsive_count (currently 5).

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:40:46 -07:00
Micah Elizabeth Scott
ac466a2219 hs_pow: leak fix, free the contents of pqueue entries in hs_pow_free_service_state
Asan catches this pretty readily when ending a service gracefully while
a DoS is in progress and the queue is full of items that haven't yet
timed out.

The module boundaries in hs_circuit are quite fuzzy here, but I'm trying
to follow the vibe of the existing hs_pow code.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:29 -07:00
Micah Elizabeth Scott
ac29c7209d hs_pow: bump client-side effort limit from 500 to 10000
500 was quite low, but this limit was helpful when the suggested-effort
estimation algorithm was likely to give us large abrupt increases. Now
that this should be fixed, let's allow spending a bit more time on the
client puzzles if it's actually necessary.

Solving a puzzle with effort=10000 usually completes within a minute
on my old x86_64 machine. We may want to fine tune this further, and it
should probably be made into a config option.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:29 -07:00
Micah Elizabeth Scott
6a0809c4e3 hs_pow: stop having a "minimum effort", and let PoW effort start low
I don't think the concept of "minimum effort" is really useful to us,
so this patch removes it entirely and consequentially changes the way
that "total" effort is calculated so that we don't rely on any minimum
and we instead ramp up effort no faster than necessary.

If at least some portion of the attack is conducted by clients that
avoid PoW or provide incorrect solutions, those (potentially very
cheap) attacks will end up keeping the pqueue full. Prior to this patch,
that would cause suggested efforts to be unnecessarily high, because
rounding these very cheap requests up to even a minimum of 1 will
overestimate how much actual attack effort is being spent.

The result is that this patch is a simplification and it also allows a
slower start, where PoW effort jumps up either by a single unit or by an
amount calculated from actual effort in the queue.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:29 -07:00
Micah Elizabeth Scott
2de98a7f4e hs_pow: Represent equix_solution as a byte array
This patch is intended to clarify the points at which we convert
between the internal representation of an equix_solution and a portable
but opaque byte array representation.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
287c78c5a8 sandbox: allow stack mmap with prot_none
This fixes a failure that was showing up on i386 Debian hosts
with sandboxing enabled, now that cpuworker is enabled on clients.
We already had allowances for creating threads and creating stacks
in the sandbox, but prot_none (probably used for a stack guard)
was not allowed so thread creation failed.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
700814a3a1 hs_pow: Fix nonce cache entry leak
This leak was showing up in address sanitizer runs of test_hs_pow,
but it will also happen during normal operation as seeds are rotated.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
00d9e0d252 hs_pow: Define seed_head as uint8_t[4] instead of uint32_t
This is more consistent with the specification, and it's much
less confusing with endianness. This resolves the underlying
cause of the earlier byte-swap. This patch itself does not
change the wire protocol at all, it's just tidying up the
types we use at the trunnel layer.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
209a59face hs_pow: Don't require uint128_t
We were using a native uint128_t to represent the hs_pow nonce,
but as the comments note it's more portable and more flexible to
use a byte array. Indeed the uint128_t was a problem for 32-bit
platforms. This swaps in a new implementation that uses multiple
machine words to implement the nonce incrementation.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
1a3afeb387 hs_pow: unswap byte order of seed_head field
In proposal 327, "POW_SEED is the first 4 bytes of the seed used".

The proposal doesn't specifically mention the data type of this field,
and the code in hs_pow so far treats it as an integer but semantically
it's more like the first four bytes of an already-encoded little endian
blob. This leads to a byte swap, since the type confusion takes place
in a little-endian subsystem but the wire encoding of seed_head uses
tor's default of big endian.

This patch does not address the underlying type confusion, it's a
minimal change that only swaps the byte order and updates unit tests
accordingly. Further changes will clean up the data types.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
037dea2252 hs_pow: fix assert in services that receive unsolicited proof of work
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
3129910b11 hs_pow: use the compiled HashX implementation
Much faster per-hash, affects both verify and solve.
Only implemented on x86_64 and aarch64, other platforms
always use the interpreted version of hashx.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
c6b168e141 test_hs_pow: add test vectors for our hs_pow client puzzle
This adds test vectors for the overall client puzzle at the
hs_pow and hs_cell layers.

These are similar to the crypto/equix tests, but they also cover
particulars of our hs_pow format like the conversion to byte arrays,
the replay cache, the effort test, and the formatting of the equix
challenge string.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
0c11411f35 hashx: trim trailing whitespace
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
ae86d98815 equix: Portability fixes for big endian platforms
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
daa08557ad equix: Build cleanly with -Wall -Werror
Fixes some type nitpicks that show up in Tor development builds,
which usually run with -Wall -Werror. Tested on x86_64 and aarch64
for clean build and passing equix-tests + hashx-tests.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
246ced3a8c ext: build equix and hashx using automake
This replaces the sketchy cmake invocation we had inside configure

The libs are always built and always used in unit tests, but only
included in libtor and tor when --enable-gpl is set.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
bfa2102c95 hs_pow: Replace libb2 dependency with hashx's internal blake2
This forgoes another external library dependency, and instead
introduces a compatibility header so that interested parties
(who already depend on equix, like hs_pow and unit tests) can
use the implementation of blake2b included in hashx.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
ffa8531fe0 test_crypto: add equix and hashx tests
This adds test vectors for the Equi-X proof of work algorithm and the
Hash-X function it's based on. The overall Equi-X test takes about
10 seconds to run on my machine, so it's in test_crypto_slow. The hashx
test still covers both the compiled and interpreted versions of the
hash function.

There aren't any official test vectors for Equi-X or for its particular
configuration of Hash-X, so I made some up based on the current
implementation.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
92f83347f7 test_crypto: add blake2b test vectors
I'm planning on swapping blake2b implementations, and this test
is intended to prevent regressions. Right now blake2b is only used by
hs_pow.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
dcb9c4df67 hs_pow: Make proof-of-work support optional in configure
This adds a new "pow" module for the user-visible proof
of work support in ./configure, and this disables
src/feature/hs/hs_pow at compile-time.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
9d1a573977 configure: Add --enable-gpl option
This change on its own doesn't use the option for anything, but
it includes support for configure and a message in 'tor --version'

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
557eb81486 hs_pow_solve: use equix_solve more efficiently
This was apparently misinterpreting "zero solutions" as an error
instead of just moving on to the next nonce. Additionally, equix
could have been returning up to 8 solutions and we would only
give one of those a chance to succeed.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
0e271dda77 hs_pow: reduce min_effort default to 1
We may want to choose something larger eventually, but 20 seemed
much too large. Very low nonzero efforts are still useful against
a script kiddie level DoS attack.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
f3b98116b6 hs_pow: Rate limited dequeue
This adds a token bucket ratelimiter on the dequeue side
of hs_pow's priority queue. It adds config options and docs
for those options. (HiddenServicePoWQueueRate/Burst)

I'm testing this as a way to limit the overhead of circuit
creation when we're experiencing a flood of rendezvous requests.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
20d7c8ce14 fix typo in HiddenServiceExportCircuitID
Really inconsequential, since the string was only used for logging a
warning.
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
a0b9f3546e hs_pow: check for expired params in can_client_refetch_desc
Without this check, we never actually refetch the hs descriptor
when PoW parameters expire, because can_client_refetch_desc
deems the descriptor to be still good.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
48c67263d9 hs_metrics: Proof of Work pqueue depth, suggested effort
Adds two new metrics for hs_pow, and an internal parameter within
hs_metrics for implementing gauge parameters that reset before
every update.

Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
2023-05-10 07:38:28 -07:00
Micah Elizabeth Scott
09afc5eacf update_suggested_effort: avoid assert if the pqueue has emptied
top_of_rend_pqueue_is_worthwhile requires a nonempty queue.
2023-05-10 07:37:11 -07:00
Roger Dingledine
eba9190933 compute the client-side pow in a cpuworker thread
We mark the intro circuit with a new flag saying that the pow is
in the cpuworker queue. When the cpuworker comes back, it either
has a solution, in which case we proceed with sending the intro1
cell, or it has no solution, in which case we unmark the intro
circuit and let the whole process restart on the next iteration of
connection_ap_handshake_attach_circuit().
2023-05-10 07:37:11 -07:00
Roger Dingledine
aa41d4b939 refactor send_introduce1()
into two parts:

* a "consider whether to send an intro2 cell" part (now called
consider_sending_introduce1()), and

* an "actually send it" (now called send_introduce1()).
2023-05-10 07:37:11 -07:00
Roger Dingledine
a5b0c7b404 start the cpuworkers always, even for clients
prepares the way for client-side pow cpuworkers

also happens to resolve bug https://bugs.torproject.org/tpo/core/tor/40617
(which went into 0.4.7.4-alpha) because now we survive initing the
cpuworker subsystem when we're not a relay.
2023-05-10 07:37:11 -07:00
Roger Dingledine
0716cd7cb2 allow suggested effort to be 0
First (both client and service), make descriptor parsing not fail when
suggested_effort is 0.

Second (client side), if we get a descriptor with a pow_params section
but with suggested_effort of 0, treat it as not requiring a pow.

Third (service side), when deciding whether the suggested effort has
changed, don't treat "previous suggested effort 0, new suggested effort 0"
as a change.

An alternative design to resolve 'first' and 'second' above would be
to omit the pow_params from the descriptor when suggested_effort is 0,
so clients never see the pow_params so they don't compute a pow. But
I decided to include a pow_params with an explicit suggested_effort
of 0, since this way the client knows the seed etc so they can solve
a higher-effort pow if they want. The tradeoff is that the descriptor
reveals whether HiddenServicePoWDefensesEnabled is set to 1 for this onion
service, even if the AIMD calculation is currently requiring effort 0.
2023-05-10 07:37:11 -07:00
Mike Perry
d36144ba31 Initialize startup effort at 0.
If it works correctly, auto-tuning should set a non-zero effort once
an attack begins.
2023-05-10 07:37:11 -07:00
Mike Perry
ec9e95cf1e Implement AIMD effort estimation.
Now, pow should auto-enable and auto-disable itself.
2023-05-10 07:37:11 -07:00
Mike Perry
5b3a067fe3 Replace the constant bottom-half rate with handled count.
This allows us to more accurately estimate effort, based on real bottom-half
throughput over the duration of a descriptor update.
2023-05-10 07:37:11 -07:00
Mike Perry
121766e6b8 Make the thing compile. 2023-05-10 07:37:11 -07:00
Roger Dingledine
e605620744 clients defend themselves from absurd pow requests
if asked for higher than a cap, we just solve it at the cap

i picked 500 for now but maybe we'll pick a better number in the future.
2023-05-10 07:37:11 -07:00