Commit Graph

17114 Commits

Author SHA1 Message Date
Nick Mathewson
53f9f71985 ug no, the RIGHT fix. 2016-07-21 15:29:56 +02:00
Nick Mathewson
9c210d0e81 Avoid infinite stack explosion in windows monotime.
[init calls get calls init calls get calls init.... ]
2016-07-21 15:26:05 +02:00
Nick Mathewson
1d0775684d Once more, 32-bit fixes on monotime mocking 2016-07-21 14:32:15 +02:00
Nick Mathewson
9c87869dde Merge branch 'maint-0.2.8' 2016-07-21 14:15:19 +02:00
Nick Mathewson
f1973e70a4 Coverity hates it when we do "E1 ? E2 : E2".
It says, 'Incorrect expression (IDENTICAL_BRANCHES)'

Fix for CID 1364127. Not in any released Tor.
2016-07-21 14:14:33 +02:00
Nick Mathewson
22314f9050 loony mingwcross bug: insist we dont have clock_gettime. 2016-07-21 14:09:00 +02:00
Nick Mathewson
852cff043b fix monotime test mocking on 32-bit systems 2016-07-21 14:05:29 +02:00
Nick Mathewson
61ce6dcb40 Make monotime test mocking work with oom tests. 2016-07-21 07:02:34 -04:00
Nick Mathewson
50463524a9 Use new mock functions in buffer/time_tracking test 2016-07-21 07:02:33 -04:00
Nick Mathewson
2d26b1a549 Actually make monotonic time functions mockable.
This is different from making the functions mockable, since
monotime_t is opaque and so providing mocks for the functions is
really hard.
2016-07-21 07:02:33 -04:00
Nick Mathewson
72a1f0180d Revert "Make the monotonic{_coarse,}_get() functions mockable."
This reverts commit 2999f0b33f.
2016-07-21 10:30:21 +02:00
Nick Mathewson
2999f0b33f Make the monotonic{_coarse,}_get() functions mockable. 2016-07-21 10:25:23 +02:00
Nick Mathewson
a31078a581 Merge branch 'maint-0.2.8' 2016-07-19 12:34:37 +02:00
Nick Mathewson
4d5b252f0f Merge branch 'maint-0.2.7' into maint-0.2.8 2016-07-19 12:34:27 +02:00
Nick Mathewson
4d70ed7be0 Merge branch 'maint-0.2.6' into maint-0.2.7 2016-07-19 12:32:14 +02:00
Nick Mathewson
210928f66a Merge branch 'maint-0.2.5' into maint-0.2.6 2016-07-19 12:31:54 +02:00
Nick Mathewson
d95c2809b3 Merge branch 'maint-0.2.4' into maint-0.2.5 2016-07-19 12:31:20 +02:00
Nick Mathewson
558f7d3701 Merge branch 'monotonic_v2_squashed' 2016-07-19 11:42:26 +02:00
Nick Mathewson
1e3cf1cc83 Be sure to call monotime_init() at startup. 2016-07-19 11:40:47 +02:00
Nick Mathewson
6ba415d400 Make sure initialized_at is initialized before use. 2016-07-19 11:40:47 +02:00
Nick Mathewson
abcb8ce25d Unit tests for monotonic time 2016-07-19 11:40:47 +02:00
Nick Mathewson
2a217ef723 Expose monotonic time ratchet functions for testing. 2016-07-19 11:40:47 +02:00
Nick Mathewson
7bc4ca7de9 Remove tor_gettimeofday_cached_monotonic as broken and unneeded 2016-07-19 11:40:47 +02:00
Nick Mathewson
c7558c906a Use coarse monotonic timer instead of cached monotonized libevent time. 2016-07-19 11:40:46 +02:00
Nick Mathewson
6a2002fc09 convert timers.c to use real monotonic time. 2016-07-19 11:40:46 +02:00
Nick Mathewson
dc6f5d1dc1 Basic portable monotonic timer implementation
This code uses QueryPerformanceCounter() [**] on Windows,
mach_absolute_time() on OSX, clock_gettime() where available, and
gettimeofday() [*] elsewhere.

Timer types are stored in an opaque OS-specific format; the only
supported operation is to compute the difference between two timers.

[*] As you know, gettimeofday() isn't monotonic, so we include
a simple ratchet function to ensure that it only moves forward.

[**] As you may not know, QueryPerformanceCounter() isn't actually
always as monotonic as you might like it to be, so we ratchet that
one too.

We also include a "coarse monotonic timer" for cases where we don't
actually need high-resolution time.  This is GetTickCount{,64}() on
Windows, clock_gettime(CLOCK_MONOTONIC_COARSE) on Linux, and falls
back to regular monotonic time elsewhere.
2016-07-19 11:40:46 +02:00
Karsten Loesing
79939c6f11 Update geoip and geoip6 to the July 6 2016 database. 2016-07-18 08:40:22 +02:00
teor (Tim Wilson-Brown)
d8cd994ef6
Allow clients to retry HSDirs much faster in test networks 2016-07-18 13:25:15 +10:00
teor (Tim Wilson-Brown)
6afd5506e9
Rewrite test-network.sh so out-of-tree and $PATH binaries work 2016-07-18 12:15:49 +10:00
Andrea Shepard
94c27d4e8f Keep make check-spaces happy 2016-07-17 23:22:29 +00:00
Nick Mathewson
c138c9a2be Merge branch 'maint-0.2.8' 2016-07-17 13:55:04 -04:00
Nick Mathewson
fbae15a856 Merge remote-tracking branch 'weasel/bug19660' into maint-0.2.8 2016-07-17 13:54:40 -04:00
Nick Mathewson
bec4e41f4b Fix warnings in test_util_formats.
Storing 255 into a char gives a warning when char is signed.

Fixes bug 19682; bugfix on 0.2.8.1-alpha, where these tests were added.
2016-07-17 13:51:45 -04:00
teor (Tim Wilson-Brown)
579a80d4ae
Clients avoid choosing nodes that can't do ntor
If we know a node's version, and it can't do ntor, consider it not running.
If we have a node's descriptor, and it doesn't have a valid ntor key,
consider it not running.

Refactor these checks so they're consistent between authorities and clients.
2016-07-15 09:55:49 +10:00
teor (Tim Wilson-Brown)
a76d528bec
Clients no longer download descriptors for relays without ntor 2016-07-15 09:55:49 +10:00
teor (Tim Wilson-Brown)
24e8bb2d83
Relays make sure their own descriptor has an ntor key 2016-07-15 09:55:49 +10:00
teor (Tim Wilson-Brown)
33da2abd05
Authorities reject descriptors without ntor keys
Before, they checked for version 0.2.4.18-rc or later, but this
would not catch relays without version lines, or buggy or malicious
relays missing an ntor key.
2016-07-15 09:55:49 +10:00
U+039b
c735220a0b
Remove bufferevents dead code
Signed-off-by: U+039b <*@0x39b.fr>
2016-07-14 18:46:37 +02:00
Nick Mathewson
9932544297 Merge branch 'maint-0.2.8' 2016-07-13 09:19:35 -04:00
Nick Mathewson
bb731ca665 Merge remote-tracking branch 'Jigsaw52/seccomp-fix-18397' into maint-0.2.8 2016-07-13 09:16:59 -04:00
Peter Palfrader
36b06be738 Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing whitelist
If we did not find a non-private IPaddress by iterating over interfaces,
we would try to get one via
get_interface_address6_via_udp_socket_hack().  This opens a datagram
socket with IPPROTO_UDP.  Previously all our datagram sockets (via
libevent) used IPPROTO_IP, so we did not have that in the sandboxing
whitelist.  Add (SOCK_DGRAM, IPPROTO_UDP) sockets to the sandboxing
whitelist.  Fixes bug 19660.
2016-07-11 09:37:01 +02:00
Daniel Pinto
20e89453fd Adds missing syscalls to seccomp filter.
Fixes #18397 which prevented tor starting with Sandbox 1.
2016-07-09 00:36:37 +01:00
Nick Mathewson
aa971c5924 Move our "what time is it now" compat functions into a new module
I'm not moving our "format and parse the time" functions, since
those have been pretty volatile over the last couple of years.
2016-07-08 10:38:59 -04:00
Nick Mathewson
466259eb50 Merge remote-tracking branch 'sebastian/libevent2' 2016-07-08 09:57:31 -04:00
Nick Mathewson
a931d157fd Bump maint-0.2.8 to 0.2.8.5-rc-dev 2016-07-07 12:43:52 -04:00
Nick Mathewson
acba4cc954 test coverage on onion_fast: 0%->100% 2016-07-06 13:43:12 -04:00
Nick Mathewson
08cc0ef832 Capture the LOG_ERR messages in our tests that had logged errors.
(It's confusing for the test to write an expected error to stdout,
and then tell the user "OK".)
2016-07-06 13:01:08 -04:00
Nick Mathewson
96d32f02f2 When saving mocked log messages, always create the list.
Otherwise, our code needs to check "list && smarlist_len(list)..."
2016-07-06 12:59:43 -04:00
Nick Mathewson
ae22c249c3 Improve test coverage a little on onion*.c 2016-07-06 12:37:52 -04:00
Nick Mathewson
9c1d8cdd8d Merge branch 'maint-0.2.8' 2016-07-06 10:17:22 -04:00
Nick Mathewson
3252550fc5 Fix sign in test-timers 2016-07-06 10:07:02 -04:00
teor (Tim Wilson-Brown)
b167e82f62
When checking if a routerstatus is reachable, don't check the node
This fixes #19608, allowing IPv6-only clients to use
microdescriptors, while preserving the ability of bridge clients
to have some IPv4 bridges and some IPv6 bridges.

Fix on c281c036 in 0.2.8.2-alpha.
2016-07-06 14:46:22 +10:00
Nick Mathewson
78196c8822 Merge remote-tracking branch 'teor/bug18456' 2016-07-05 19:10:08 -04:00
David Goulet
245c10de07 Test: fix shared random test checking bad errno
The test was checking for EISDIR which is a Linux-ism making other OSes
unhappy. Instead of checking for a negative specific errno value, just make
sure it's negative indicating an error. We don't need more for this test.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-05 14:00:06 -04:00
Nick Mathewson
1135405c8c Fix a variable-shadowing bug in check_private_dir
We introduded a shadowed variable, thereby causing a log message to
be wrong. Fixes 19578. I believe the bug was introduced by
54d7d31cba in 0.2.2.29-beta.
2016-07-05 13:43:58 -04:00
Nick Mathewson
5a047cdc5f Fix shared-random test 2016-07-05 13:31:18 -04:00
Nick Mathewson
8f44d2822e Update version to 0.2.8.5-rc. This is not yet a release. 2016-07-05 13:05:36 -04:00
Nick Mathewson
5c97b42cac Merge branch 'maint-0.2.8' 2016-07-05 12:52:30 -04:00
Nick Mathewson
e99cc8740f Repair unit test that assumed we have 9 dirauths. 2016-07-05 12:52:19 -04:00
Nick Mathewson
8cae4abbac Merge branch 'maint-0.2.8' 2016-07-05 12:43:17 -04:00
Nick Mathewson
8d25ab6347 Merge remote-tracking branch 'weasel/bug19557' into maint-0.2.8 2016-07-05 12:40:25 -04:00
Nick Mathewson
74cbbda86e Merge remote-tracking branch 'weasel/bug19556' into maint-0.2.8 2016-07-05 12:39:40 -04:00
Nick Mathewson
f54ffa463a Merge branch 'maint-0.2.8' 2016-07-05 12:23:25 -04:00
Nick Mathewson
f4408747d3 Merge branch 'maint-0.2.7' into maint-0.2.8 2016-07-05 12:23:14 -04:00
Nick Mathewson
6e96aadadb Merge branch 'maint-0.2.6' into maint-0.2.7 2016-07-05 12:22:47 -04:00
Nick Mathewson
c28ba994ec Merge branch 'maint-0.2.5' into maint-0.2.6 2016-07-05 12:21:25 -04:00
Nick Mathewson
9d3de77d4d Merge branch 'maint-0.2.4' into maint-0.2.5 2016-07-05 12:20:42 -04:00
Nick Mathewson
e11cc95717 Merge remote-tracking branch 'asn/bug19555' 2016-07-05 12:17:21 -04:00
Nick Mathewson
87758dbebc Merge remote-tracking branch 'dgoulet/bug19567_029_01' 2016-07-05 12:14:04 -04:00
Nick Mathewson
e889da1d7f Merge remote-tracking branch 'asn/bug19551' 2016-07-05 12:12:09 -04:00
Nick Mathewson
8ba4ba0a74 Grammar.
I grepped and hand-inspected the "it's" instances, to see if any
were supposed to be possessive.  While doing that, I found a
"the the", so I grepped to see if there were any more.
2016-07-05 12:10:12 -04:00
Sebastian Hahn
e7b70b69ec Remove src/or/eventdns_tor.h based on cypherpunk's review 2016-07-04 21:39:43 +02:00
David Goulet
267e16ea61 sr: add the base16 RSA identity digest to commit
Keep the base16 representation of the RSA identity digest in the commit object
so we can use it without using hex_str() or dynamically encoding it everytime
we need it. It's used extensively in the logs for instance.

Fixes #19561

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-04 12:05:48 -04:00
David Goulet
cc34929abc sr: Fix comment in shared_random.h
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-04 11:44:10 -04:00
David Goulet
7d04638a60 test: Fix shared random buffer overrun
Encoded commit has an extra byte at the end for the NUL terminated byte and
the test was overrunning the payload buffer by one byte.

Found by Coverity issue 1362984.

Fixes #19567

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-04 11:40:06 -04:00
David Goulet
c6de05d529 sr: Remove useless code in disk_state_update()
This patch also updates a comment in the same function for accuracy.

Found by Coverity issue 1362985. Partily fixes #19567.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-04 11:33:41 -04:00
George Kadianakis
34bd333529 prop250: Fix voting_schedule_t memleak in sr_state_update(). 2016-07-04 17:42:25 +03:00
George Kadianakis
f03c74c631 prop250: Plug TorVersion memleak in disk_state_reset(). 2016-07-04 17:42:25 +03:00
Sebastian Hahn
bd1a85cc91 Address review comments from cypherpunks 2016-07-04 16:34:40 +02:00
Sebastian Hahn
265e40b481 Raise libevent dependency to 2.0.10-stable or newer
Only some very ancient distributions don't ship with Libevent 2 anymore,
even the oldest supported Ubuntu LTS version has it. This allows us to
get rid of a lot of compat code.
2016-07-04 12:40:09 +02:00
Sebastian Hahn
ec6ea66240 Remove two wrong comments 2016-07-04 12:26:14 +02:00
Sebastian Hahn
7ae34e722a
Remove urras as a default trusted directory authority
It had been a directory authority since 0.2.1.20.
2016-07-03 21:59:32 +02:00
Peter Palfrader
55d380f3df sandboxing: allow writing to stats/hidserv-stats
Our sandboxing code would not allow us to write to stats/hidserv-stats,
causing tor to abort while trying to write stats.  This was previously
masked by bug#19556.
2016-07-03 18:05:43 +02:00
Peter Palfrader
2c4e78d95b sandboxing: allow open() of stats dir
When sandboxing is enabled, we could not write any stats to disk.
check_or_create_data_subdir("stats"), which prepares the private stats
directory, calls check_private_dir(), which also opens and not just stats() the
directory.  Therefore, we need to also allow open() for the stats dir in our
sandboxing setup.
2016-07-03 17:47:45 +02:00
Sebastian Hahn
0d6f3d647d Remove HAVE_EVENT_H from winconfig
This was accidentally left in in f25e2167f5.
2016-07-03 04:34:38 +02:00
Sebastian Hahn
19054ab18a Remove HAVE_EVENT_* defines from winconfig
They were accidentally left sitting around in 517e0f965.
2016-07-03 04:32:54 +02:00
George Kadianakis
43d317f99c Fix edge case fail of shared random unittest.
The test_state_update() test would fail if you run it between 23:30 and
00:00UTC in the following line because n_protocol_runs was 2:

  tt_u64_op(state->n_protocol_runs, ==, 1);

The problem is that when you launch the test at 23:30UTC (reveal phase),
sr_state_update() gets called from sr_state_init() and it will prepare
the state for the voting round at 00:00UTC (commit phase). Since we
transition from reveal to commit phase, this would trigger a phase
transition and increment the n_protocol_runs counter.

The solution is to initialize the n_protocol_runs to 0 explicitly in the
beginning of the test, as we do for n_reveal_rounds, n_commit_rounds etc.
2016-07-02 02:49:59 +03:00
Andrea Shepard
be78e9ff37 Keep make check-spaces happy 2016-07-01 21:52:32 +00:00
Nick Mathewson
aa05dea5ff Windows open() returns eacces when eisdir would be sane 2016-07-01 16:23:06 -04:00
Nick Mathewson
1597c42384 Fix i386 conversion warnings 2016-07-01 15:53:01 -04:00
Nick Mathewson
3566ff05fd Fix a -Wmissing-variable-declarations warning 2016-07-01 15:30:12 -04:00
Nick Mathewson
aaa3129043 Merge remote-tracking branch 'dgoulet/ticket16943_029_05-squashed'
Trivial Conflicts:
	src/or/or.h
	src/or/routerparse.c
2016-07-01 15:29:05 -04:00
David Goulet
36e201dffc prop250: Add a DEL state action and return const SRVs
The *get* state query functions for the SRVs now only return const pointers
and the DEL action needs to be used to delete the SRVs from the state.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:42 -04:00
David Goulet
4a1904c126 prop250: Use the new dirvote_get_intermediate_param_value for AuthDirNumSRVAgreements
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:42 -04:00
Nick Mathewson
6927467bef Refactor parameter computation and add a helper function
This patch makes us retain the intermediate list of K=V entries for
the duration of computing our vote, and lets us use that list with
a new function in order to look up parameters before the consensus
is published.

We can't actually use this function yet because of #19011: our
existing code to do this doesn't actually work, and we'll need a new
consensus method to start using it.

Closes ticket #19012.
2016-07-01 14:01:42 -04:00
David Goulet
09ecbdd8ee prop250: Fix format string encoding in log statement
Commit and reveal length macro changed from int to unsigned long int
(size_t) because of the sizeof().

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:42 -04:00
David Goulet
e62f3133bb prop250: Change reveal_num to uint64_t and version to uint32_t
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:42 -04:00
George Kadianakis
899d2b890b prop250: Don't use {0} to init static struct -- causes warning on clang.
See ticket #19132 for the clang/llvm warning.

Since voting_schedule is a global static struct, it will be initialized
to zero even without explicitly initializing it with {0}.

This is what the C spec says:

	If an object that has automatic storage duration is not initialized
	explicitly, its value is indeterminate. If an object that has static
	storage duration is not initialized explicitly, then:

	— if it has pointer type, it is initialized to a null pointer;
	— if it has arithmetic type, it is initialized to (positive or unsigned) zero;
	— if it is an aggregate, every member is initialized (recursively) according to these rules;
	— if it is a union, the first named member is initialized (recursively) according to these rules.
2016-07-01 14:01:41 -04:00
George Kadianakis
ebbff31740 prop250: Silence a logging message.
LOG_NOTICE is a bit too much for that one.
2016-07-01 14:01:41 -04:00
George Kadianakis
f6f4668b1d prop250: Don't reject votes containing commits of unknown dirauths.
Instead just ignore those commits.

Squash this commit with 33b2ade.
2016-07-01 14:01:41 -04:00
David Goulet
5fe9a50c31 prop250: Pass the dst length to sr_srv_encode()
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:41 -04:00
David Goulet
d43646e191 prop250: Fix unit tests about the RSA fingerprint check
Code has been changed so every RSA fingerprint for a commit in our state is
validated before being used. This fixes the unit tests by mocking one of the
key function and updating the hardcoded state string.

Also, fix a time parsing overflow on platforms with 32bit time_t

Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: George Kadianakis <desnacked@riseup.net>
2016-07-01 14:01:41 -04:00
David Goulet
cd858d78a7 prop250: Sort commits in lexicographical order in votes
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:41 -04:00
David Goulet
63ca307127 prop250: Improve log messages
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:41 -04:00
George Kadianakis
edea044147 prop250: Sort smartlist before you get most frequent SRV.
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:41 -04:00
David Goulet
545b77e2f8 prop250: Only trust known authority when computing SRV
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:41 -04:00
David Goulet
0f27d92e4c prop250: Add version to Commit line in vote and state
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:41 -04:00
David Goulet
8ac88f6f97 prop250: Add a valid flag to sr_commit_t
We assert on it using the ASSERT_COMMIT_VALID() macro in critical places
where we use them expecting a commit to be valid.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:41 -04:00
David Goulet
056b6186ad prop250: Use RSA identity digest instead of fingerprint
The prop250 code used the RSA identity key fingerprint to index commit in a
digestmap instead of using the digest.

To behavior change except the fact that we are actually using digestmap
correctly.

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 14:01:41 -04:00
David Goulet
c0cec2ffd3 prop250: change time_t to uint64_t
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2016-07-01 14:01:41 -04:00
David Goulet
39be8af709 prop250: Add unit tests
Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: George Kadianakis <desnacked@riseup.net>
2016-07-01 14:01:41 -04:00
David Goulet
727d419a9d prop250: Initialize the SR subsystem and us it!
This commit makes it that tor now uses the shared random protocol by
initializing the subsystem.

Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: George Kadianakis <desnacked@riseup.net>
2016-07-01 14:01:41 -04:00
David Goulet
0c26a6db7e prop250: Parse votes and consensus
One of the last piece that parses the votes and consensus in order to update
our state and make decision for the SR values.

We need to inform the SR subsystem when we set the current consensus because
this can be called when loaded from file or downloaded from other authorities
or computed.

The voting schedule is used for the SR timings since we are bound to the
voting system.

Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: George Kadianakis <desnacked@riseup.net>
2016-07-01 14:01:41 -04:00
David Goulet
ca6ceec112 prop250: Put commits and SRVs in votes/consensus
This commit adds the commit(s) line in the vote as well as the SR values. It
also has the mechanism to add the majority SRVs in the consensus.

Signed-off-by: George Kadianakis <desnacked@riseup.net>
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 13:25:03 -04:00
David Goulet
5b183328fd prop250: Add commit and SR values generation code
This adds the logic of commit and SR values generation. Furthermore, the
concept of a protocol run is added that is commit is generated at the right
time as well as SR values which are also rotated before a new protocol run.

Signed-off-by: George Kadianakis <desnacked@riseup.net>
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-07-01 13:23:27 -04:00
Nick Mathewson
738a8c655a Add an extra check to test_dir to try to debug windows jenkins issue 2016-07-01 10:10:55 -04:00
Nick Mathewson
ac9784f7f5 Fix a missing break; in dump_desc_init()
Found by coverity scan; this is CID 1362983
2016-07-01 10:02:22 -04:00
Nick Mathewson
0531d5155e Merge remote-tracking branch 'teor/bug19530-v2' 2016-07-01 10:00:37 -04:00
Nick Mathewson
903ec20c0b Merge branch 'maint-0.2.8' 2016-07-01 09:54:08 -04:00
teor (Tim Wilson-Brown)
514f0041d1
Avoid disclosing exit IP addresses in exit policies by default
From 0.2.7.2-alpha onwards, Exits would reject all the IP addresses
they knew about in their exit policy. But this may have disclosed
addresses that were otherwise unlisted.

Now, only advertised addresses are rejected by default by
ExitPolicyRejectPrivate. All known addresses are only rejected when
ExitPolicyRejectLocalInterfaces is explicitly set to 1.
2016-07-01 15:37:13 +10:00
teor (Tim Wilson-Brown)
744077dd15
When tor can't find a directory, log less 2016-07-01 14:26:00 +10:00
teor (Tim Wilson-Brown)
516c02b178
Make authority_certs_fetch_missing support bridge hints
This also fixes an issue where bridge clients may have found a
routerstatus for a directory mirror, and connected to it directly.
2016-07-01 14:01:25 +10:00
teor (Tim Wilson-Brown)
f90bfaae8d
Refactor duplicate code in authority_certs_fetch_missing 2016-07-01 14:00:25 +10:00
teor (Tim Wilson-Brown)
d3ca6fe475
Call purpose_needs_anonymity in authority_certs_fetch_missing 2016-07-01 14:00:20 +10:00
teor (Tim Wilson-Brown)
b4dcf56768
Hex-encode raw digest before printing in authority_certs_fetch_missing 2016-07-01 14:00:07 +10:00
teor (Tim Wilson-Brown)
596ccbf839
Refactor authority_certs_fetch_missing to call get_options once 2016-07-01 09:35:27 +10:00
Nick Mathewson
64ee7bcd0c Make sure that our tests expect the windows path separator as needed 2016-06-30 18:26:44 -04:00
Nick Mathewson
69e22e294b Set binary mode when checking malformed descriptor. 2016-06-30 18:23:58 -04:00
Nick Mathewson
889cfac676 One more tt_u64_op 2016-06-30 16:46:53 -04:00
Nick Mathewson
591078c76d use tt_u64_op for comparing len_descs_dumped 2016-06-30 15:34:36 -04:00
Nick Mathewson
b750a77e3f fix naked memcmps 2016-06-30 15:34:16 -04:00
Nick Mathewson
2713de2a47 Fix more naked strdup/malloc/free instances 2016-06-30 14:36:31 -04:00
Nick Mathewson
9a92f58219 Avoid naked strdups in test_dir.c 2016-06-30 14:30:28 -04:00
Nick Mathewson
7a7bd1f9ea Fix a memory leak in test_dir_populate_dump_desc_fifo 2016-06-30 14:30:26 -04:00
Nick Mathewson
c3b720fb26 Try to fix warnings when size_t is smaller than st.st_size. 2016-06-30 14:20:04 -04:00
Nick Mathewson
b5beb2afa6 fix a syntax warning 2016-06-30 14:19:55 -04:00
Nick Mathewson
ded7e8093c Fix three -Wtautological-constant-out-of-range-compare warnings. 2016-06-30 14:08:28 -04:00
Nick Mathewson
3627718348 Fix -Wextra-semi warning 2016-06-30 13:50:16 -04:00
Nick Mathewson
6d2f006bf4 Fix a 32-bit compilation failure 2016-06-30 13:47:45 -04:00
Nick Mathewson
8917c4f19f A little more specificity in documentation for getinfo download/ stuff
Also, a const.
2016-06-30 13:42:38 -04:00
Nick Mathewson
cb54390e0f Merge remote-tracking branch 'andrea/ticket19323_squashed' 2016-06-30 11:44:58 -04:00
Nick Mathewson
c6846d7bf0 Merge remote-tracking branch 'andrea/bug18322_v3_squashed' 2016-06-30 11:18:00 -04:00
Nick Mathewson
a31f55b16b Merge remote-tracking branch 'teor/bug19483-fix-v2' 2016-06-30 11:04:13 -04:00
Andrea Shepard
13a16e0011 Also check if the sandbox is configured as well as if it's active; sandbox_init() runs rather late in the startup process 2016-06-30 09:37:23 +00:00
Andrea Shepard
34d9dabed1 Do sandbox_is_active() check before reconstructing dump_desc() FIFO on startup too 2016-06-30 07:45:55 +00:00
Andrea Shepard
9580b99dab Add unit test for dump_desc_populate_fifo_from_directory() 2016-06-30 07:03:26 +00:00
Andrea Shepard
f99c9df02b Make things mockable for dump_desc_populate_fifo_from_directory() unit test 2016-06-30 07:03:26 +00:00
Andrea Shepard
42f089473a Unit test for dump_desc_populate_one_file() 2016-06-30 07:03:26 +00:00
Andrea Shepard
2154160a24 Add support for mocking functions declared with attributes without causing gcc warnings 2016-06-30 07:03:26 +00:00
Andrea Shepard
421cf21b3c Reload unparseable descriptor dump FIFO state from on-disk dumped descriptors at startup 2016-06-30 07:03:26 +00:00
Andrea Shepard
38cced90ef Move unparseable descriptor dumps into subdirectory of DataDir 2016-06-30 07:03:25 +00:00
Andrea Shepard
dc37546cff Add sandbox_is_active() check to dump_desc() 2016-06-30 07:03:25 +00:00
Andrea Shepard
603f483092 Use uint64_t for total length of dumped descriptors, nad be careful about overflows in the loop in dump_desc_fifo_add_and_clean() 2016-06-30 07:03:25 +00:00
Andrea Shepard
824ee581b0 Add dir/dump_unparseable_descriptors unit test 2016-06-30 07:03:25 +00:00
Andrea Shepard
2a17b93cc4 Make options_get_datadir_fname2_suffix() mockable 2016-06-30 07:03:25 +00:00
Andrea Shepard
35fc5879fb Expose a few more dump_desc()-related things to the test suite 2016-06-30 07:03:25 +00:00
Andrea Shepard
4e4a760491 Add extern support for file-scope variables in testsupport.h 2016-06-30 07:03:25 +00:00
Andrea Shepard
17ed2fed68 Expose dump_desc() to the test suite and make things it calls mockable 2016-06-30 07:03:24 +00:00
Andrea Shepard
726dc9acf5 Remove old unparseable descriptor logging mechanism, add bump-to-head-of-queue for repeated unparseable descriptors, rename config variable 2016-06-30 07:03:24 +00:00
Andrea Shepard
1cde3e2776 Add multiple descriptor dump support for dump_desc() in routerparse.c; fixes bug 18322 2016-06-30 07:03:24 +00:00
Roger Dingledine
4dc7b3ca28 fix typo 2016-06-29 22:56:56 -04:00
teor (Tim Wilson-Brown)
69535f1284
Add tv_udiff and tv_mdiff unit tests with negative values 2016-06-30 09:29:18 +10:00
teor (Tim Wilson-Brown)
aae14f8346
Fix bug19483: avoid range checks when they are always true
Some compilers are smart enough to work out that comparisons to
LONG_MAX are a no-op on L64.
2016-06-30 09:29:14 +10:00
Nick Mathewson
7602b0b31f Merge remote-tracking branch 'weasel/bug19503' 2016-06-29 16:10:10 -04:00
teor (Tim Wilson-Brown)
d36a0c4d22
Add more unit tests for tv_udiff and tv_mdiff 2016-06-29 17:23:42 +10:00
teor (Tim Wilson-Brown)
4234ca3bf2
Improve overflow checks in tv_udiff and tv_mdiff
Validate that tv_usec inputs to tv_udiff and tv_mdiff are in range.

Do internal calculations in tv_udiff and tv_mdiff in 64-bit,
which makes the function less prone to integer overflow,
particularly on platforms where long and time_t are 32-bit,
but tv_sec is 64-bit, like some BSD configurations.

Check every addition and subtraction that could overflow.
2016-06-29 17:23:24 +10:00
Andrea Shepard
ad0ce8716d Unit tests for GETINFO download/desc and download/bridge cases 2016-06-29 06:55:57 +00:00
Andrea Shepard
45724beac4 Unit test for GETINFO download/cert case 2016-06-29 05:58:22 +00:00
Andrea Shepard
becf510ef2 Unit test for GETINFO download/networkstatus case 2016-06-29 05:56:21 +00:00
Andrea Shepard
657eaee6ae Expose GETINFO download status statics for test suite and make things mockable 2016-06-29 05:55:42 +00:00
Andrea Shepard
c692900728 Add bridge descriptor download status queries to GETINFO 2016-06-29 05:55:42 +00:00
Andrea Shepard
8798ca4be2 Add router descriptor download status queries to GETINFO 2016-06-29 05:55:42 +00:00
Andrea Shepard
18c6e13993 Expose authority certificate download statuses on the control port 2016-06-29 05:55:42 +00:00
teor (Tim Wilson-Brown)
2e51608a8b
Fix an integer overflow bug in the tv_mdiff range check
The temporary second used for rounding can cause overflow,
depending on the order the compiler performs the operations.
2016-06-29 12:53:50 +10:00
Nick Mathewson
f42dbc4e26 Merge branch 'maint-0.2.8' 2016-06-28 19:15:43 -04:00
Nick Mathewson
2c9354fc10 Merge branch 'bug19071-extra-squashed' into maint-0.2.8 2016-06-28 19:15:20 -04:00
teor (Tim Wilson-Brown)
26146dbe9e Comment-out fallbacks in a way the stem fallback parser understands
If we manually remove fallbacks in C by adding '/*' and '*/' on separate
lines, stem still parses them as being present, because it only looks at
the start of a line.

Add a comment to this effect in the generated source code.
2016-06-28 19:15:08 -04:00
Nick Mathewson
d793a988cd Merge branch 'maint-0.2.8' 2016-06-28 11:22:48 -04:00
Nick Mathewson
bc9a0f82b3 whitespace fixes 2016-06-28 11:14:42 -04:00
Nick Mathewson
f87aa4555d Merge remote-tracking branch 'teor/bug18812' into maint-0.2.8 2016-06-28 11:12:51 -04:00
teor (Tim Wilson-Brown)
608c12baaf
Resolve bug18812 by logging fallback key changes at info level 2016-06-28 14:18:16 +10:00
teor (Tim Wilson-Brown)
812fd416ef
Make it clear that fallbacks include authorities
Comment-only change
2016-06-28 14:14:04 +10:00
teor (Tim Wilson-Brown)
14b1c7a66e
Refactor connection_or_client_learned_peer_id for bug18812
No behavioural change.
Also clarify some comments.
2016-06-28 14:12:18 +10:00
Nick Mathewson
4e2a7cd3ae Add missing braces around conditional. 2016-06-27 13:19:49 -04:00
Nick Mathewson
14169a3d70 Remove an always-true condition: all ints are <= INT_MAX 2016-06-27 13:18:54 -04:00
Nick Mathewson
2197bfcc6a Merge branch 'maint-0.2.8' 2016-06-27 13:17:42 -04:00
Andrea Shepard
8cf9fe5ba6 Expose consensus download statuses on the control port 2016-06-27 16:38:37 +00:00
Peter Palfrader
54c3066c72 Fix a typo in the getting passphrase prompt for the ed25519 identity key 2016-06-25 13:33:35 +02:00
Yawning Angel
0116eae59a Bug19499: Fix GCC warnings when building against bleeding edge OpenSSL.
The previous version of the new accessors didn't specify const but it
was changed in master.
2016-06-24 22:20:41 +00:00
Nick Mathewson
703254a832 Merge remote-tracking branch 'public/bug15942_v2_alternative' 2016-06-23 09:01:24 -04:00
teor (Tim Wilson-Brown)
828e2e1a2e
Remove a fallback that changed DirPort
The operator has confirmed that the DirPort change is perament.
The relay will be reconsidered as a fallback in 0.2.9.
2016-06-23 10:38:03 +10:00
Nick Mathewson
61dac57aa3 Merge branch 'maint-0.2.8' 2016-06-22 08:20:11 -04:00
teor (Tim Wilson-Brown)
69635e41c8
Remove and blacklist 3 fallbacks which disappeared
Blacklist them in case they appear again.
2016-06-22 12:18:10 +10:00
teor (Tim Wilson-Brown)
b15cecd4f8
Remove 2 fallbacks: one lost guard, the other had bad uptime
Leave these fallbacks in the whitelist, they may improve before 0.2.9.
2016-06-22 12:18:06 +10:00
teor (Tim Wilson-Brown)
7e9532b9be
Remove and blacklist 4 fallbacks which are unsuitable
Remove a fallback that changed its fingerprint after it was listed
This happened after to a software update:
https://lists.torproject.org/pipermail/tor-relays/2016-June/009473.html

Remove a fallback that changed IPv4 address

Remove two fallbacks that were slow to deliver consensuses,
we can't guarantee they'll be fast in future.

Blacklist all these fallbacks until operators confirm they're stable.
2016-06-22 12:16:57 +10:00
Nick Mathewson
cb8557f7c9 Merge branch 'maint-0.2.8' 2016-06-21 09:00:40 -04:00
Ivan Markin
b432efb838 Remove useless message about nonexistent onion services after uploading a descriptor 2016-06-21 09:00:22 -04:00
Nick Mathewson
dd9cebf109 Merge branch 'maint-0.2.8' 2016-06-21 08:54:49 -04:00
George Kadianakis
f038e9cb00 Fix bug when disabling heartbeats.
Callbacks can't return 0.
2016-06-21 08:54:30 -04:00
David Goulet
b3b4ffce2e prop250: Add memory and disk state in new files
This commit introduces two new files with their header.

"shared_random.c" contains basic functions to initialize the state and allow
commit decoding for the disk state to be able to parse them from disk.

"shared_random_state.c" contains everything that has to do with the state
for both our memory and disk. Lots of helper functions as well as a
mechanism to query the state in a synchronized way.

Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: George Kadianakis <desnacked@riseup.net>
2016-06-20 15:26:58 -04:00
David Goulet
9744a40f7a Add tor_htonll/ntohll functions
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2016-06-20 15:26:58 -04:00
David Goulet
49e8f47505 util: zero target buffer of base*_encode/decode
Make sure to memset(0) the destination buffer so we don't leave any
uninitialized data.

Fixes #19462

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-06-20 13:47:19 -04:00
Nick Mathewson
2f75b34dce Patch from dgoulet: fix a base16 problem that manifested w stem 2016-06-20 13:37:45 -04:00
Nick Mathewson
5fbd195918 Coverage hack for test_switch_id.sh
This hack provides a way to make sure we can see coverage from
test-switch-id.  If you set OVERRIDE_GCDA_PERMISSIONS_HACK, we
temporarily make the .gcda files mode 0666 before we run the
test scripts, and then we set them to 0644 again afterwards.

That's necessary because the test_switch_id.sh script does a
setuid() to 'nobody' part way through, and drops the ability to
change its mind back.
2016-06-20 11:15:47 -04:00
Nick Mathewson
603cb712ef Small coverage improvements on compat.c 2016-06-20 11:03:13 -04:00
Nick Mathewson
ba28da8de5 compat.c coverage: simplify under-tested alloc_getcwd.
Yes, HURD lacks PATH_MAX.  But we already limited the maximum buffer
to 4096, so why not just use that?
2016-06-20 10:47:31 -04:00
Nick Mathewson
2b74e13a7c More coverage in backtrace.c 2016-06-20 10:31:36 -04:00
Nick Mathewson
c1f0ec3058 Merge remote-tracking branch 'dgoulet/bug19465_029_01' 2016-06-20 10:20:41 -04:00
Nick Mathewson
ba88d78127 Fix unit test crash on 32-bit. 2016-06-20 10:20:03 -04:00
Nick Mathewson
a09ec22a9b Simpler implementation of random exponential backoff.
Consumes more entropy, but is easier to read.
2016-06-20 10:10:02 -04:00
David Goulet
85edef27eb test: Increase offset to rendcache descriptor time
Slow system can sometime take more than 10 seconds to reach the test
callsite resulting in the unit test failing when using time in the future or
in the past.

Fixes #19465

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-06-20 09:53:11 -04:00
Nick Mathewson
6cedd49323 Merge branch 'bug14013_029_01_squashed' 2016-06-20 08:48:09 -04:00
nikkolasg
568dc27a19 Make base16_decodes return number of decoded bytes
base16_decodes() now returns the number of decoded bytes. It's interface
changes from returning a "int" to a "ssize_t". Every callsite now checks the
returned value.

Fixes #14013

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-06-20 08:44:58 -04:00
Nick Mathewson
1160ac1283 Changes file for 19063; use the BUG macro 2016-06-19 12:38:15 -04:00
U+039b
58e6a6aaeb Fix #19063: Add check in utility macro 2016-06-19 12:34:49 -04:00
Nick Mathewson
81cfd5c9a1 Merge branch 'zlib_coverage_squashed' 2016-06-19 12:20:38 -04:00
Nick Mathewson
d937b86699 Unindent block 2016-06-19 12:20:24 -04:00
Nick Mathewson
5a725dab0a Mark some torgzip lines as unreachable/untestable. 2016-06-19 12:20:24 -04:00
Nick Mathewson
358fc026d9 Remove a ridiculous realloc call from torgzip.c
realloc()ing a thing in order to try to save memory on it just
doesn't make sense with today's allocators.  Instead, let's use the
fact that whenever we decompress something, either it isn't too big,
or we chop it up, or we reallocate it.
2016-06-19 12:20:24 -04:00
Nick Mathewson
808015316a Remove support for zlib <= 1.1
zlib 1.2 came out in 2003; earlier versions should be dead by now.

Our workaround code was only preventing us from using the gzip
encoding (if we decide to do so), and having some dead code linger
around in torgzip.c
2016-06-19 12:20:24 -04:00
Nick Mathewson
b421648da2 Merge remote-tracking branch 'public/thread_coverage' 2016-06-19 12:15:55 -04:00
Andrea Shepard
5a4ed29f01 Better comments on exponential-backoff related members of download_status_t 2016-06-18 19:05:46 +00:00
Andrea Shepard
1f1df4ab74 Move exponential-random backoff computation out of download_status_schedule_get_delay() into separate function, per code review 2016-06-18 18:23:55 +00:00
Andrea Shepard
1dfbfd319e Better comment for download_status_schedule_get_delay() per code review 2016-06-18 17:11:32 +00:00
Andrea Shepard
6370c4ee87 Use exponential backoff for router descriptor downloads from consensuses 2016-06-18 16:32:17 +00:00
Andrea Shepard
5cb27d8991 Use exponential backoffs for bridge descriptor downloads 2016-06-18 16:32:17 +00:00
Andrea Shepard
36d45a9f64 Use exponential backoffs for certificate downloads 2016-06-18 16:32:17 +00:00
Andrea Shepard
5104e5645f Use exponential backoffs for consensus downloads 2016-06-18 16:32:16 +00:00
Andrea Shepard
1553512af4 Unit test for DL_SCHED_RANDOM_EXPONENTIAL 2016-06-18 16:32:16 +00:00
Andrea Shepard
695b0bd1d5 Implement DL_SCHED_RANDOM_EXPONENTIAL support for download_status_t 2016-06-18 16:32:16 +00:00
Andrea Shepard
033cf30b3c Keep make check-spaces happy 2016-06-18 16:07:44 +00:00
Nick Mathewson
48b25e6811 Merge branch 'bug18280_029_03_nm_squashed' 2016-06-17 13:53:57 -04:00
David Goulet
f4f9a9be40 test: Add base32_encode/decode unit tests
Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-06-17 13:53:47 -04:00
David Goulet
4e4a7d2b0c Fix base32 API to take any source length in bytes
Fixes #18280

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2016-06-17 13:53:47 -04:00
cypherpunks
94762e37b9 Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS
The Autoconf macro AC_USE_SYSTEM_EXTENSIONS defines preprocessor macros
which turn on extensions to C and POSIX. The macro also makes it easier
for developers to use the extensions without needing (or forgetting) to
define them manually.

The macro can be safely used because it was introduced in Autoconf 2.60
and Tor requires Autoconf 2.63 and above.
2016-06-17 10:17:44 -04:00
Nick Mathewson
9a63f059b9 Merge remote-tracking branch 'dgoulet/bug18604_029_01' 2016-06-17 09:07:41 -04:00
Nick Mathewson
a8c766220f Mark an abort() as unreachable. 2016-06-16 15:53:05 -04:00
Nick Mathewson
a418904962 Coverage on parse_config_line_from_str_verbose. 2016-06-16 15:52:19 -04:00
Nick Mathewson
c9ea9de806 Remove parse_config_line_from_str alias
All of our code just uses parse_config_line_from_str_verbose.
2016-06-16 15:40:56 -04:00
Nick Mathewson
128ab31c64 Mark code unreachable in unescape_string()
Also, add tests for it in case someday it does become reachable.
2016-06-16 15:36:08 -04:00
Nick Mathewson
dd73787190 On Windows, tv_sec is long, not time_t.
I'm not angry, Windows: just very disappointed.
2016-06-16 13:57:16 -04:00
David Goulet
ab35f9de46 Correctly close intro circuit when deleting ephemeral HS
When deleting an ephemeral HS, we were only iterating on circuit with an
OPEN state. However, it could be possible that an intro point circuit didn't
reached the open state yet.

This commit makes it that we close the circuit regardless of its state
except if it was already marked for close.

Fixes #18604

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-06-16 13:09:24 -04:00
Nick Mathewson
6ceb37971e Try to fix memarea test on 32-bit systems 2016-06-16 11:59:51 -04:00
Nick Mathewson
5c596cdbc0 Tests for message rate-limiting
Also note a bug in the rate-limiting message.
2016-06-16 11:54:50 -04:00
Nick Mathewson
9b0bd65f22 I believe I found some dead code in our time parsing functions 2016-06-16 11:14:12 -04:00
Nick Mathewson
79370914d1 tests for size_mul_check__()
it's important, and we should make sure we got it right.
2016-06-16 10:43:01 -04:00
Nick Mathewson
41cb26c169 Correct the rounding behavior on tv_mdiff.
Fix for bug 19428.
2016-06-16 10:16:04 -04:00
Nick Mathewson
f05a213fe1 Improve coverage on tv_udiff, and tv_mdiff.
I found some bugs in tv_mdiff; separate commit for that
2016-06-16 10:07:44 -04:00
Nick Mathewson
6dc2b605b8 Improve coverage on esc_for_log, esc_for_log_len 2016-06-16 09:58:53 -04:00
Nick Mathewson
d1ab295d7b add LCOV_EXCL for unreachable exit() blocks in src/common 2016-06-16 09:50:52 -04:00
Nick Mathewson
f986e26850 Reach 100% line coverage on memarea.c 2016-06-16 09:37:44 -04:00
Nick Mathewson
7b54d7ebbd Mark src/common tor_assert(0)/tor_fragile_assert() unreached for coverage
I audited this to make sure I was only marking ones that really
should be unreachable.
2016-06-15 17:28:26 -04:00
Nick Mathewson
e718a582af Bump to 0.2.8.4-rc-dev 2016-06-15 12:55:17 -04:00
David Goulet
c7f1b46a10 Perform cache lookup when FetchHidServDescriptors is set
The FetchHidServDescriptors check was placed before the descriptor cache
lookup which made the option not working because it was never using the
cache in the first place.

Fixes #18704

Patched-by: twim
Signef-off-by: David Goulet <dgoulet@torproject.org>
2016-06-15 10:04:07 -04:00
Nick Mathewson
3a0d42fbf9 bump version to 0.2.8.4-rc 2016-06-14 20:36:35 -04:00
Nick Mathewson
05e2750ea7 whoops; blank line 2016-06-14 20:21:59 -04:00
Nick Mathewson
227d3b3d6b Use ENABLE/DISABLE_GCC_WARNING in masater. 2016-06-14 20:21:02 -04:00
Nick Mathewson
8486dea8d7 Merge branch 'maint-0.2.8' 2016-06-14 20:16:46 -04:00
Nick Mathewson
d6b01211b9 Resolve the remaining openssl "-Wredundant-decls" warnings.
Another part of 19406
2016-06-14 20:14:53 -04:00
Nick Mathewson
3bffdf05d1 use new-form macros to disable -Wredundant-decls 2016-06-14 12:22:52 -04:00
Nick Mathewson
df4fa92a88 Merge branch 'maint-0.2.8' 2016-06-14 12:17:24 -04:00
Nick Mathewson
71aacbe427 Suppress the Wredundant-decls warning in another set of openssl headers 2016-06-14 12:17:02 -04:00
Yawning Angel
c5e2f7b944 Bug 19406: Fix the unit tests to work with OpenSSL 1.1.x
Just as it says on the tin.  Don't need to fully disable any tests and
reduce coverage either.  Yay me.
2016-06-14 12:13:09 -04:00
Yawning Angel
6ddef1f7e0 Bug 19406: OpenSSL removed SSL_R_RECORD_TOO_LARGE in 1.1.0.
This is a logging onlu change, we were suppressing the severity down to
INFO when it occured (treating it as "Mostly harmless").  Now it is no
more.
2016-06-14 12:13:09 -04:00
Yawning Angel
b563a3a09d Bug 19406: OpenSSL made RSA and DH opaque in 1.1.0.
There's accessors to get at things, but it ends up being rather
cumbersome.  The only place where behavior should change is that the
code will fail instead of attempting to generate a new DH key if our
internal sanity check fails.

Like the previous commit, this probably breaks snapshots prior to pre5.
2016-06-14 12:13:09 -04:00
Yawning Angel
86f0b80681 Bug 19406: OpenSSL changed the Thread API in 1.1.0 again.
Instead of `ERR_remove_thread_state()` having a modified prototype, it
now has the old prototype and a deprecation annotation.  Since it's
pointless to add extra complexity just to remain compatible with an old
OpenSSL development snapshot, update the code to work with 1.1.0pre5
and later.
2016-06-14 12:13:09 -04:00
Nick Mathewson
4c90cdc0e7 Coverity dislikes (double) (int/int).
When you divide an int by an int and get a fraction and _then_ cast
to double, coverity assumes that you meant to cast to a double
first.

In my fix for -Wfloat-conversion in 493499a339, I
did something like this that coverity didn't like.

Instead, I'm taking another approach here.

Fixes CID 1232089, I hope.
2016-06-13 11:25:19 -04:00
Nick Mathewson
6a7d11f38a Merge branch 'maint-0.2.8' 2016-06-13 10:49:24 -04:00
Nick Mathewson
2ee3dbe801 Merge branch 'maint-0.2.7' into maint-0.2.8 2016-06-13 10:49:05 -04:00
Nick Mathewson
80089c9e7c Merge branch 'maint-0.2.6' into maint-0.2.7 2016-06-13 10:48:56 -04:00
Nick Mathewson
b4bb88606e Merge branch 'maint-0.2.5' into maint-0.2.6 2016-06-13 10:48:48 -04:00
Nick Mathewson
f25f7b759c Merge branch 'maint-0.2.4' into maint-0.2.5 2016-06-13 10:48:35 -04:00
Andrea Shepard
925f76b486 Keep make check-spaces happy 2016-06-12 21:47:14 +00:00
Roger Dingledine
0616fd6fb6 typo/comment/log fixes i found in my sandbox from montreal 2016-06-12 16:14:15 -04:00
Karsten Loesing
c14c662758 Update geoip and geoip6 to the June 7 2016 database. 2016-06-12 11:35:50 +02:00
Nick Mathewson
47edbd4fad Fix build on 32-bit systems. 2016-06-11 13:26:05 -04:00
Nick Mathewson
ada5668c5e Merge remote-tracking branch 'public/bug19203_027' into maint-0.2.8 2016-06-11 10:16:00 -04:00
Nick Mathewson
d6b2af7a3a Merge branch 'bug19180_easy_squashed' 2016-06-11 10:15:40 -04:00
Nick Mathewson
e80a032b61 Add clang's -Wstring-conversion, and fix the one place it hits 2016-06-11 10:11:54 -04:00
Nick Mathewson
53a3b39da1 Add -Wmissing-variable-declarations, with attendant fixes
This is a big-ish patch, but it's very straightforward.  Under this
clang warning, we're not actually allowed to have a global variable
without a previous extern declaration for it.  The cases where we
violated this rule fall into three roughly equal groups:
  * Stuff that should have been static.
  * Stuff that was global but where the extern was local to some
    other C file.
  * Stuff that was only global when built for the unit tests, that
    needed a conditional extern in the headers.

The first two were IMO genuine problems; the last is a wart of how
we build tests.
2016-06-11 10:11:54 -04:00
Nick Mathewson
80f1a2cbbd Add the -Wextra-semi warning from clang, and fix the cases where it triggers 2016-06-11 10:11:54 -04:00
Nick Mathewson
c3adbf755b Resolve some warnings from OSX clang. 2016-06-11 10:11:53 -04:00
Nick Mathewson
9bbd6502f0 Use autoconf, not gcc version, to decide which warnings we have
This gives more accurate results under Clang, which can only help us
detect more warnings in more places.

Fixes bug 19216; bugfix on 0.2.0.1-alpha
2016-06-11 10:11:53 -04:00
Nick Mathewson
4caed2424a Enable -Woverlength-strings for GCC>=4.6 on MOST of the code.
IMO it's fine for us to make exceptions to this rule in the unit
tests, but not in the code at large.
2016-06-11 10:11:52 -04:00
Nick Mathewson
8f2d2933f9 Use -Wdouble-promotion in GCC >= 4.6
This warning triggers on silently promoting a float to a double.  In
our code, it's just a sign that somebody used a float by mistake,
since we always prefer double.
2016-06-11 10:11:52 -04:00
Nick Mathewson
493499a339 Add -Wfloat-conversion for GCC >= 4.9
This caught quite a few minor issues in our unit tests and elsewhere
in our code.
2016-06-11 10:11:52 -04:00
Nick Mathewson
2ff20c93a5 Add -Wunused-const-variable=2 on GCC >=6.1
This caused a trivial warning in curve25519-donna-64bit.h, which
had two unused constants.  I commented them out.
2016-06-11 10:11:52 -04:00
Nick Mathewson
b14c1f4082 Merge remote-tracking branch 'public/bug19203_027' into HEAD 2016-06-11 10:11:44 -04:00
Nick Mathewson
4f8086fb20 Enable -Wnull-dereference (GCC >=6.1), and fix the easy cases
This warning, IIUC, means that the compiler doesn't like it when it
sees a NULL check _after_ we've already dereferenced the
variable. In such cases, it considers itself free to eliminate the
NULL check.

There are a couple of tricky cases:

One was the case related to the fact that tor_addr_to_in6() can
return NULL if it gets a non-AF_INET6 address.  The fix was to
create a variant which asserts on the address type, and never
returns NULL.
2016-06-11 10:10:29 -04:00
Nick Mathewson
c274f825da Merge remote-tracking branch 'asn/bug17688' 2016-06-11 10:07:15 -04:00
Andrea Shepard
9eeaeddbb1 Reduce make check-spaces noise 2016-06-09 11:50:25 +00:00
Nick Mathewson
f016213f7f Unit tests for our zlib code to test and reject compression bombs. 2016-06-08 18:08:30 -04:00
Nick Mathewson
429d15c529 Mark the unreachable lines in compat_{,p}threads and workqueue
These are all related to failures from functions that either can't
fail as we call them, or where we cannot provoke failure.
2016-06-08 17:30:22 -04:00
Nick Mathewson
3cc374456b Add several test scripts wrapping test_workqueue
This is a fairly easy way for us to get our test coverage up on
compat_threads.c and workqueue.c -- I already implemented these
tests, so we might as well enable them.
2016-06-08 17:29:06 -04:00
George Kadianakis
36dd9538d9 Don't rely on consensus parameter to use a single guard. 2016-06-07 17:22:47 +03:00
Nick Mathewson
1e330e1947 Repair test_crypto_openssl_version with LibreSSL 2016-06-06 10:45:23 -04:00
Nick Mathewson
c19a3d1bf8 Merge branch 'maint-0.2.8' 2016-06-06 10:18:07 -04:00
Nick Mathewson
83513a93a1 Check tor_sscanf return value in test_crypto.c
Coverity noticed that we check tor_sscanf's return value everywhere
else.
2016-06-06 10:01:50 -04:00
Nick Mathewson
6eeedc02d8 Use directory_must_use_begindir to predict we'll surely use begindir
Previously, we used !directory_fetches_from_authorities() to predict
that we would tunnel connections.  But the rules have changed
somewhat over the course of 0.2.8
2016-06-02 10:40:39 -04:00
Nick Mathewson
ed0ecd9f13 Use tor_sscanf, not sscanf, in test_crypto.c
Fixes the 0.2.9 instance of bug #19213, which prevented mingw64 from
working.  This case wasn't in any released Tor.
2016-06-02 10:16:15 -04:00
Nick Mathewson
b458a81cc5 Merge branch 'maint-0.2.8' 2016-06-02 10:13:35 -04:00
Nick Mathewson
a32ca313c4 Merge branch 'maint-0.2.7' into maint-0.2.8 2016-06-02 10:12:56 -04:00
Nick Mathewson
5854b19816 Use tor_sscanf, not sscanf, in test_util.c.
Fixes the 0.2.7 case of bug #19213, which prevented mingw64 from
working.
2016-06-02 10:11:29 -04:00
Nick Mathewson
3cdc8bfa2c Let's not even talk about those errors, ok? 2016-05-30 17:14:46 -04:00
Nick Mathewson
97f2c1c58e Wait, we had sprintf() in our unit tests?? FOR SHAME! 2016-05-30 16:50:57 -04:00
Nick Mathewson
4f1a04ff9c Replace nearly all XXX0vv comments with smarter ones
So, back long ago, XXX012 meant, "before Tor 0.1.2 is released, we
had better revisit this comment and fix it!"

But we have a huge pile of such comments accumulated for a large
number of released versions!  Not cool.

So, here's what I tried to do:

  * 0.2.9 and 0.2.8 are retained, since those are not yet released.

  * XXX+ or XXX++ or XXX++++ or whatever means, "This one looks
    quite important!"

  * The others, after one-by-one examination, are downgraded to
    plain old XXX.  Which doesn't mean they aren't a problem -- just
    that they cannot possibly be a release-blocking problem.
2016-05-30 16:18:16 -04:00
Nick Mathewson
ce31db4326 We no longer generate v0 directories. Remove the code to do so 2016-05-30 16:05:37 -04:00
Nick Mathewson
bdc59e33c1 Fix a warning on unnamed nodes in node_get_by_nickname().
There was a > that should have been an ==, and a missing !.  These
together prevented us from issuing a warning in the case that a
nickname matched an Unnamed node only.

Fixes bug 19203; bugfix on 0.2.3.1-alpha.
2016-05-30 12:03:03 -04:00
Nick Mathewson
1e5ad15688 Merge remote-tracking branch 'arma/task19035-fixedup' 2016-05-27 13:22:16 -04:00
Roger Dingledine
3b83da1069 remove a now-unused section of or.h 2016-05-27 12:32:41 -04:00
Nick Mathewson
ce1dbbc4fd Enable the -Waggregate-return warning
Suppress it in the one spot in the code where we actually do want to
allow an aggregate return in order to call the mallinfo() API.
2016-05-27 11:26:14 -04:00
Nick Mathewson
0df2c5677a Use ENABLE_GCC_WARNING and DISABLE_GCC_WARNING in tortls.c
Previously we'd done this ad hoc.
2016-05-27 11:25:42 -04:00
Nick Mathewson
0279e48473 Add support for temporarily suppressing a warning
There are a few places where we want to disable a warning: for
example, when it's impossible to call a legacy API without
triggering it, or when it's impossible to include an external header
without triggering it.

This pile of macros uses GCC's c99 _Pragma support, plus the usual
macro trickery, to enable and disable warnings.
2016-05-27 11:23:52 -04:00
Roger Dingledine
500c4bf807 remove an unneeded layer of indentation
no actual behavior changes
2016-05-27 11:15:21 -04:00
Roger Dingledine
11d52a449c Disable GET /tor/bytes.txt and GETINFO dir-usage
Remove support for "GET /tor/bytes.txt" DirPort request, and
"GETINFO dir-usage" controller request, which were only available
via a compile-time option in Tor anyway.

Feature was added in 0.2.2.1-alpha. Resolves ticket 19035.
2016-05-27 11:15:21 -04:00
Nick Mathewson
437cbb17c2 Merge remote-tracking branch 'asn/feature19036' 2016-05-27 10:37:11 -04:00
Nick Mathewson
476714e1a4 Merge remote-tracking branch 'arma/bug18840' 2016-05-27 10:35:55 -04:00
Nick Mathewson
f25806409d Bump to 0.2.8.3-alpha-dev 2016-05-26 21:09:01 -04:00
Nick Mathewson
0a74346fe4 Bump to 0.2.8.3-alpha 2016-05-26 12:29:45 -04:00
Nick Mathewson
8c1c71aa2c Merge branch 'maint-0.2.8' 2016-05-26 12:12:54 -04:00
Nick Mathewson
a873ba8edd Fix two long lines 2016-05-26 12:11:57 -04:00
George Kadianakis
d875101e03 Functionify code that writes votes to disk. 2016-05-26 15:35:13 +03:00
Nick Mathewson
b7fac185a6 Merge branch 'maint-0.2.8' 2016-05-25 16:59:46 -04:00
Nick Mathewson
36b2b48308 Merge branch 'bug18668_028' into maint-0.2.8 2016-05-25 16:58:43 -04:00
Nick Mathewson
28cbcd033c Merge branch 'maint-0.2.8' 2016-05-25 16:40:51 -04:00
Nick Mathewson
9cf6af76eb Fix a double-free bug in routerlist_reparse_old
I introduced this bug when I moved signing_key_cert into
signed_descriptor_t. Bug not in any released Tor.  Fixes bug 19175, and
another case of 19128.

Just like signed_descriptor_from_routerinfo(), routerlist_reparse_old()
copies the fields from one signed_descriptor_t to another, and then
clears the fields from the original that would have been double-freed by
freeing the original.  But when I fixed the s_d_f_r() bug [#19128] in
50cbf22099, I missed the fact that the code was duplicated in
r_p_o().

Duplicated code strikes again!

For a longer-term solution here, I am not only adding the missing fix to
r_p_o(): I am also extracting the duplicated code into a new function.

Many thanks to toralf for patiently sending me stack traces until
one made sense.
2016-05-25 16:11:35 -04:00
Nick Mathewson
44ea3dc331 Merge branch 'maint-0.2.8' 2016-05-25 10:21:15 -04:00
Nick Mathewson
6d375f17fc Merge branch 'bug19161_028_v2' into maint-0.2.8 2016-05-25 10:17:26 -04:00
Nick Mathewson
a3ec811c2e Merge branch 'maint-0.2.8' 2016-05-25 09:27:47 -04:00
Nick Mathewson
fdfc528f85 Merge branch 'bug19152_024_v2' into maint-0.2.8 2016-05-25 09:26:45 -04:00
Nick Mathewson
c4c4380a5e Fix a dangling pointer issue in our RSA keygen code
If OpenSSL fails to generate an RSA key, do not retain a dangling
pointer to the previous (uninitialized) key value. The impact here
should be limited to a difficult-to-trigger crash, if OpenSSL is
running an engine that makes key generation failures possible, or if
OpenSSL runs out of memory. Fixes bug 19152; bugfix on
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and Baishakhi
Ray.

This is potentially scary stuff, so let me walk through my analysis.
I think this is a bug, and a backport candidate, but not remotely
triggerable in any useful way.

Observation 1a:

Looking over the OpenSSL code here, the only way we can really fail in
the non-engine case is if malloc() fails.  But if malloc() is failing,
then tor_malloc() calls should be tor_asserting -- the only way that an
attacker could do an exploit here would be to figure out some way to
make malloc() fail when openssl does it, but work whenever Tor does it.

(Also ordinary malloc() doesn't fail on platforms like Linux that
overcommit.)

Observation 1b:

Although engines are _allowed_ to fail in extra ways, I can't find much
evidence online  that they actually _do_ fail in practice. More evidence
would be nice, though.

Observation 2:

We don't call crypto_pk_generate*() all that often, and we don't do it
in response to external inputs. The only way to get it to happen
remotely would be by causing a hidden service to build new introduction
points.

Observation 3a:

So, let's assume that both of the above observations are wrong, and the
attacker can make us generate a crypto_pk_env_t with a dangling pointer
in its 'key' field, and not immediately crash.

This dangling pointer will point to what used to be an RSA structure,
with the fields all set to NULL.  Actually using this RSA structure,
before the memory is reused for anything else, will cause a crash.

In nearly every function where we call crypto_pk_generate*(), we quickly
use the RSA key pointer -- either to sign something, or to encode the
key, or to free the key.  The only exception is when we generate an
intro key in rend_consider_services_intro_points().  In that case, we
don't actually use the key until the intro circuit is opened -- at which
point we encode it, and use it to sign an introduction request.

So in order to exploit this bug to do anything besides crash Tor, the
attacker needs to make sure that by the time the introduction circuit
completes, either:
  * the e, d, and n BNs look valid, and at least one of the other BNs is
    still NULL.
OR
  * all 8 of the BNs must look valid.

To look like a valid BN, *they* all need to have their 'top' index plus
their 'd' pointer indicate an addressable region in memory.

So actually getting useful data of of this, rather than a crash, is
going to be pretty damn hard.  You'd have to force an introduction point
to be created (or wait for one to be created), and force that particular
crypto_pk_generate*() to fail, and then arrange for the memory that the
RSA points to to in turn point to 3...8 valid BNs, all by the time the
introduction circuit completes.

Naturally, the signature won't check as valid [*], so the intro point
will reject the ESTABLISH_INTRO cell.  So you need to _be_ the
introduction point, or you don't actually see this information.

[*] Okay, so if you could somehow make the 'rsa' pointer point to a
different valid RSA key, then you'd get a valid signature of an
ESTABLISH_INTRO cell using a key that was supposed to be used for
something else ... but nothing else looks like that, so you can't use
that signature elsewhere.

Observation 3b:

Your best bet as an attacker would be to make the dangling RSA pointer
actually contain a fake method, with a fake RSA_private_encrypt
function that actually pointed to code you wanted to execute.  You'd
still need to transit 3 or 4 pointers deep though in order to make that
work.

Conclusion:

By 1, you probably can't trigger this without Tor crashing from OOM.

By 2, you probably can't trigger this reliably.

By 3, even if I'm wrong about 1 and 2, you have to jump through a pretty
big array of hoops in order to get any kind of data leak or code
execution.

So I'm calling it a bug, but not a security hole. Still worth
patching.
2016-05-25 09:23:57 -04:00
Nick Mathewson
6abceca182 Merge branch 'memarea_overflow_027_squashed' into maint-0.2.8 2016-05-25 09:22:02 -04:00
Nick Mathewson
be2d37ad3c Fix a pointer arithmetic bug in memarea_alloc()
Fortunately, the arithmetic cannot actually overflow, so long as we
*always* check for the size of potentially hostile input before
copying it.  I think we do, though.  We do check each line against
MAX_LINE_LENGTH, and each object name or object against
MAX_UNPARSED_OBJECT_SIZE, both of which are 128k.  So to get this
overflow, we need to have our memarea allocated way way too high up
in RAM, which most allocators won't actually do.

Bugfix on 0.2.1.1-alpha, where memarea was introduced.

Found by Guido Vranken.
2016-05-25 09:20:37 -04:00
Nick Mathewson
0ef36626ea Use calloc, not malloc(a*b), in ed25519 batch signature check fn
[Not a triggerable bug unless somebody is going to go checking
millions+ of signatures in a single go.]
2016-05-25 08:59:08 -04:00
Nick Mathewson
be3875cda2 Make sure that libscrypt_scrypt actually exists before using it.
Previously, if the header was present, we'd proceed even if the
function wasn't there.

Easy fix for bug 19161.  A better fix would involve trying harder to
find libscrypt_scrypt.
2016-05-24 10:31:02 -04:00
Nick Mathewson
b53a2059c4 Expose crypto_digest_algorithm_get_length from crypto.c
Also, use it in routerparse.c
2016-05-23 10:58:27 -04:00
Nick Mathewson
2a884926c0 Merge remote-tracking branch 'dgoulet/bug19066_029_01' 2016-05-23 10:45:13 -04:00
Nick Mathewson
9c7edb0f3e Merge branch 'maint-0.2.8' 2016-05-20 10:46:50 -04:00
cypherpunks
0e20d056e9 Prevent ASAN from registering a SIGSEGV handler
AddressSanitizer's (ASAN) SIGSEGV handler overrides the backtrace
handler and prevents it from printing its backtrace. The output of ASAN
is different from what 'bt_test.py' expects and causes backtrace test
failures.

The 'allow_user_segv_handler' option allows applications to set their
own SIGSEGV handler but is not supported by older GCC versions. These
older GCC versions do support the 'handle_segv' which prevents ASAN from
setting its SIGSEGV handler.
2016-05-20 08:34:18 -04:00
Nick Mathewson
22eed6dec2 Whoops. We use -Wmussing-prototypes. 2016-05-20 08:29:26 -04:00
Nick Mathewson
acc083b520 Make another variable unsigned. 2016-05-20 08:12:09 -04:00
Nick Mathewson
50cbf22099 Fix a bug related to moving signing_key_cert
Now that the field exists in signed_descriptor_t, we need to make
sure we free it when we free a signed_descriptor_t, and we need to
make sure that we don't free it when we convert a routerinfo_t to a
signed_descriptor_t.

But not in any released Tor. I found this while working on #19128.

One problem: I don't see how this could cause 19128.
2016-05-20 07:59:09 -04:00
Nick Mathewson
f2205071f0 Remove round_int64_to_next_multiple_of: It is now unused. 2016-05-19 21:21:24 -04:00
Nick Mathewson
2775dd8649 Compute HS stats outputs without round_int64_...
Fix for bug 19130.
2016-05-19 21:21:24 -04:00
Nick Mathewson
dcc4fd4403 Merge branch 'maint-0.2.8' 2016-05-19 16:05:13 -04:00
Nick Mathewson
33841a6030 Merge remote-tracking branch 'teor/fix18809-warnings' into maint-0.2.8 2016-05-19 16:04:56 -04:00
Nick Mathewson
649785d464 Merge branch 'link_ftrapv_clang32' 2016-05-19 16:01:35 -04:00
Nick Mathewson
4a14c2cfc7 Merge branch 'maint-0.2.8' 2016-05-19 15:56:39 -04:00
Nick Mathewson
0d6f293e0e Merge remote-tracking branch 'public/bug19073' into maint-0.2.8 2016-05-19 15:56:31 -04:00
teor (Tim Wilson-Brown)
2d21f03cdc
Fix unused-but-set-variable warnings in the connection unit tests
No behaviour change - just remove the variables
2016-05-19 12:49:36 -04:00
teor (Tim Wilson-Brown)
c5d87ef6af
Describe what happens when we get a consensus, but no certificates
Comment-only change
2016-05-19 12:35:09 -04:00
Nick Mathewson
a7a44f2db0 Merge branch 'maint-0.2.8' 2016-05-19 08:29:58 -04:00
Nick Mathewson
06803c317f Fix a compilation error in test_dir.c 2016-05-19 08:27:11 -04:00
Nick Mathewson
d718c717a6 Merge branch 'maint-0.2.8' 2016-05-19 08:25:12 -04:00
Nick Mathewson
9f217c83b0 Merge branch 'bug18809_028_squashed' into maint-0.2.8 2016-05-19 08:17:02 -04:00
teor (Tim Wilson-Brown)
f698b509d8 Add unit tests for networkstatus_consensus_is_bootstrapping 2016-05-19 07:58:41 -04:00
teor (Tim Wilson-Brown)
d5c70d7102 Restore and improve download schedule unit tests 2016-05-19 07:58:41 -04:00
teor (Tim Wilson-Brown)
4254d0297c Update unit tests for multiple bootstrap connections 2016-05-19 07:58:41 -04:00
teor (Tim Wilson-Brown)
ab0a7e2961 Remove consensus_max_download_tries by refactoring
No behaviour change

This function is used twice. The code is simpler if we split
it up and inline it where it is used.
2016-05-19 07:58:40 -04:00
teor (Tim Wilson-Brown)
84ab26c320 Stop downloading consensuses when a consensus has been downloaded
Previosuly, during bootstrap, we would continue to download
consensuses if we had a consensus, but didn't have the certificates
to validate it.
2016-05-19 07:58:40 -04:00
Nick Mathewson
6d6c8287d5 Include __mulodi4 in libor_ctime when it fixes clang -m32 -ftrapv
We use a pretty specific pair of autoconf tests here to make sure
that we only add this code when:
   a) a 64-bit signed multiply fails to link,
 AND
   b) the same 64-bit signed multiply DOES link correctly when
      __mulodi4 is defined.

Closes ticket 19079.
2016-05-18 09:50:38 -04:00
Nick Mathewson
33034600c2 Add __mulodi4 source to src/ext
We need to define this function when compiling with clang -m32 -ftrapv,
since otherwise we get link errors, since apparently some versions
of libclang_rt.builtins don't define a version of it that works? Or
clang doesn't know to look for it?

This definition is taken from the LLVM source at
  https://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/builtins/mulodi4.c

I've also included the license (dual BSD-ish/MIT-ish).
2016-05-18 09:44:01 -04:00
Nick Mathewson
159ea7a88f Fix a bad sizeof() in test_crypto.c. Harmless. Spotted by coverity. 2016-05-18 08:29:13 -04:00
Nick Mathewson
2729f166cb whitespace fixes 2016-05-17 20:08:03 -04:00
Nick Mathewson
ab932cd7bf Remove duplicate siging_key_cert fields.
With the fix for #17150, I added a duplicate certificate here.  Here
I remove the original location in 0.2.8.  (I wouldn't want to do
that in 027, due to the amount of authority-voting-related code
drift.)

Closes 19073.
2016-05-17 20:04:16 -04:00
Nick Mathewson
a7f6e434be Merge branch 'maint-0.2.8' 2016-05-17 19:48:49 -04:00
Nick Mathewson
3f49474349 Merge branch 'bug17150_027_extra' into maint-0.2.8 2016-05-17 19:47:22 -04:00
Nick Mathewson
00f74e0372 Improve API of routerinfo_incompatible_with_extrainfo()
This API change makes it so that routerinfo_incompatible...() no
longer takes a routerinfo_t, so that it's obvious that it should
only look at fields from the signed_descriptor_t.

This change should prevent a recurrence of #17150.
2016-05-17 13:24:01 -04:00
Nick Mathewson
49ff09aef2 Fix another, more subtle, case of bug 17150.
We need to make sure that the corresponding sd and ei match in their
certificates.
2016-05-17 13:16:36 -04:00
Nick Mathewson
8acfac7375 Copy the signing_key_cert field into signed_descriptor_t
We need this field to be in signed_descriptor_t so that
routerinfo_incompatible_with_extrainfo can work correctly (#17150).
But I don't want to move it completely in this patch, since a great
deal of the code that messes with it has been in flux since 0.2.7,
when this ticket was opened.  I should open another ticket about
removing the field from routerinfo_t and extrainfo_t later on.

This patch fixes no actual behavior.
2016-05-17 13:14:04 -04:00
Nick Mathewson
64748f2f98 Fix documentation for routerinfo_incompatible_with_extrainfo 2016-05-17 13:08:34 -04:00
Nick Mathewson
7d1eb0d570 When making sure digest256 matches in ei, look at sd, not ri.
The routerinfo we pass to routerinfo_incompatible_with_extrainfo is
the latest routerinfo for the relay.  The signed_descriptor_t, on
the other hand, is the signed_descriptor_t that corresponds to the
extrainfo.  That means we should be checking the digest256 match
with that signed_descriptor_t, not with the routerinfo.

Fixes bug 17150 (and 19017); bugfix on 0.2.7.2-alpha.
2016-05-17 12:57:03 -04:00
Nick Mathewson
44da47d3c1 Move extra_info_digest256 into signed_descriptor_t
This patch includes no semantic changes; it's just a field movement.

It's prerequisite for a fix to 19017/17150.
2016-05-17 12:53:12 -04:00
Nick Mathewson
36909674b4 Merge remote-tracking branch 'teor/bug18963-remember-v2' 2016-05-17 12:15:53 -04:00
Nick Mathewson
6382cd93cb Merge branch 'maint-0.2.8' 2016-05-17 11:10:20 -04:00
Nick Mathewson
548d14247e Merge remote-tracking branch 'arma/bug18616-v4' into maint-0.2.8 2016-05-17 10:48:12 -04:00
Roger Dingledine
06031b441e touchups and refactorings on bug 18616 branch
no behavior changes
2016-05-16 17:43:47 -04:00
Nick Mathewson
0f9b0b8bfe Initialize networking _before_ initializing libevent in the tests
This prevents WSANOTINITIALISED errors and fixes bug 18668. Bugfix
on 0.2.8.1-alpha -- 1bac468882 specifically.
2016-05-16 14:30:04 -04:00
David Goulet
50ff24e276 dirauth: don't use hardcoded length when parsing digests
When parsing detached signature, we make sure that we use the length of the
digest algorithm instead of an hardcoded DIGEST256_LEN in order to avoid
comparing bytes out of bound with a smaller digest length such as SHA1.

Fixes #19066

Signed-off-by: David Goulet <dgoulet@torproject.org>
2016-05-16 11:18:51 -04:00
Nick Mathewson
249f3a1664 Fix memory leak in test_crypto_aes_ctr_testvec 2016-05-16 09:55:09 -04:00
Nick Mathewson
9abd7b8f90 Windows lacks truncate(3).
Fix the new crypto tests, which used truncate(3).
2016-05-16 09:25:19 -04:00
Nick Mathewson
060e0d0a75 Merge branch 'crypto_unit_tests_v2_squashed' 2016-05-16 08:26:11 -04:00
Nick Mathewson
62c5a1fa45 Mark even more crypto lines (the fragile_assert ones) as unreachable 2016-05-16 08:26:00 -04:00
Nick Mathewson
b688945dfb Refactor digest allocation backend code
I'm doing this to simplify crypto_digest_smartlist_prefix, and make
it better covered by our tests.
2016-05-16 08:26:00 -04:00
Nick Mathewson
365d0fcc6d Cover all our DH code, and/or mark it unreachable. 2016-05-16 08:26:00 -04:00
Nick Mathewson
94b34d1be6 At long last, unit tests for degenerate DH public keys.
Apparently, we detect and reject them correctly. Aren't you glad?
2016-05-16 08:26:00 -04:00
Nick Mathewson
98a590577a Treat absent argument to crypto_log_errors as a bug. 2016-05-16 08:26:00 -04:00
Nick Mathewson
d88656ec06 Slight improvements to DH coverage. 2016-05-16 08:25:59 -04:00
Nick Mathewson
c395334879 Mark some unreachable lines in crypto.c 2016-05-16 08:25:59 -04:00
Nick Mathewson
7a5f15b6e0 Improve test coverage of our strongest-rng code. 2016-05-16 08:25:59 -04:00
Nick Mathewson
148f0004e1 Test coverage on ed25519 load/store functions. 2016-05-16 08:25:59 -04:00
Nick Mathewson
ec81329339 Do not leak the 'tag' when trying to read a truncated ed25519 key file
Fix for bug 18956.
2016-05-16 08:25:59 -04:00
Nick Mathewson
5b91e70a4f Mark unreachable lines in crypto_ed25519.c 2016-05-16 08:25:59 -04:00
Nick Mathewson
8a536be705 Mark unreachable lines in crypto_curve25519.c
Also, resolve a bug in test_ntor_cl.c
2016-05-16 08:25:53 -04:00
Nick Mathewson
820b1984ad Mark three lines unreachable, with extensive docs and use of BUG macros 2016-05-16 08:25:53 -04:00
Nick Mathewson
df3a5e0cad HKDF-SHA256 test vectors from RFC5869 2016-05-16 08:25:53 -04:00
Nick Mathewson
7bc9d1e002 Merge branch 'maint-0.2.8' 2016-05-12 15:33:56 -04:00
Nick Mathewson
e8cc9f3edf Merge branch 'maint-0.2.7' into maint-0.2.8 2016-05-12 15:33:47 -04:00
Nick Mathewson
4165b1a0da Merge branch 'bug18977_026_v2' into maint-0.2.7 2016-05-12 15:33:35 -04:00
Nick Mathewson
44cbd00dfa Fix a compiler warning on windows when sizeof(long)==sizeof(int) 2016-05-12 14:51:38 -04:00
Nick Mathewson
20b01cece8 Merge branch 'bug18977_024_v2' into bug18977_026_v2
Had conflicts related to other correct_tm bugs in 0.2.6.  Added wday
for another case.
2016-05-12 14:39:06 -04:00
Nick Mathewson
e57f26c135 Have correct_tm set tm_wday as well.
The tm_wday field had been left uninitialized, which was causing
some assertions to fail on Windows unit tests.

Fixes bug 18977.
2016-05-12 14:37:27 -04:00
Nick Mathewson
6bc052365a Use a much less clever scan_signed no-overflow hack 2016-05-12 14:33:26 -04:00
Nick Mathewson
a7207329a8 Run tor_sscanf test in subprocess, in hopes of coaxing more info from jenkins 2016-05-12 13:37:05 -04:00
Nick Mathewson
445e05a015 Fix inconsistent tab/space mixing in include.am files.
This is a whitespace only, cosmetic fix.

There is still some inconsistency between lists, but less
inconsistency inside individual lists.
2016-05-12 13:06:58 -04:00
Nick Mathewson
607a9056d4 Merge branch 'ftrapv_v3'
There were some conflicts here, and some breakage to fix concerning
library link order in newer targets.
2016-05-12 13:00:45 -04:00
Nick Mathewson
fb999abea6 Document why we build memwipe that way. 2016-05-12 12:56:47 -04:00
Nick Mathewson
b1dce55b82 Do not apply bugtrapping flags to test-memwipe, since testing memwipe requires bugs.
Fixes bug 18901.
2016-05-12 11:22:10 -04:00
Nick Mathewson
ef01109932 Rename SOURCES to SRC for things in include.am 2016-05-12 11:21:28 -04:00
Nick Mathewson
e40cfc4425 Move the ctime part of choose_array_element_by_weight into di_ops
This way it gets the ctime options.
2016-05-12 11:21:28 -04:00
Nick Mathewson
20432fc541 Refactor out u64_dbl_t
This type saved a tiny amount of allocation, but not enough to be
worth keeping.

(This is in preparation for moving choose_array_element_by_weight)
2016-05-12 11:21:28 -04:00
Nick Mathewson
ce854a8d22 Add -ftrapv to gcc-hardening ... mostly!
We know there are overflows in curve25519-donna-c32, so we'll have
to have that one be fwrapv.

Only apply the asan, ubsan, and trapv options to the code that does
not need to run in constant time.  Those options introduce branches
to the code they instrument.

(These introduced branches should never actually be taken, so it
might _still_ be constant time after all, but branch predictors are
complicated enough that I'm not really confident here. Let's aim for
safety.)

Closes 17983.
2016-05-12 11:21:28 -04:00
Nick Mathewson
58e0e587a6 Merge branch 'maint-0.2.8' 2016-05-12 11:09:40 -04:00
Nick Mathewson
ce6f2d1c4d Merge remote-tracking branch 'arma/bug19003-try2' into maint-0.2.8 2016-05-12 11:09:33 -04:00
Nick Mathewson
f936f186b2 Use tor_queue.h, not sys/queue.h, in timeouts.[ch].
Closes 19041.
2016-05-12 10:10:59 -04:00
Nick Mathewson
99c0e1bd5b Fix bad allocation in pubsub.c
Closes 19038.  Bug not in any released Tor.
2016-05-12 09:56:42 -04:00
Roger Dingledine
5a83122961 Authorities now sort the "package" lines in their votes
(They are already sorted in the consensus documents)

Fixes bug 18840; bugfix on 0.2.6.3-alpha.
2016-05-11 19:04:13 -04:00
Roger Dingledine
694f1fe808 write v3-status-votes file earlier in consensus voting
Make directory authorities write the v3-status-votes file out
to disk earlier in the consensus process, so we have the votes
even if we abort the consensus process later on.

Resolves ticket 19036.
2016-05-11 17:34:38 -04:00
Roger Dingledine
9e44273a4a fix 'make dist' which was broken by ticket 18365's merge 2016-05-11 16:15:37 -04:00
Nick Mathewson
e3a4511049 Merge remote-tracking branch 'public/bug18815' 2016-05-11 14:12:39 -04:00
Roger Dingledine
ad8b9dcd47 Merge branch 'maint-0.2.8' 2016-05-11 13:43:06 -04:00
Roger Dingledine
163cee1b64 Merge branch 'maint-0.2.7' into maint-0.2.8 2016-05-11 13:42:40 -04:00
Roger Dingledine
d40e8695f4 unbreak the build (when warnings are enabled) 2016-05-11 13:42:00 -04:00
Nick Mathewson
60e9e48448 Merge branch 'ticket16698_v2' 2016-05-11 13:39:38 -04:00
Nick Mathewson
03ae44a9e8 Fix comment for directory_handle_command_get 2016-05-11 13:39:11 -04:00
teor (Tim Wilson-Brown)
cdb528d841
Fetch certificates from the same directory as previous certificates
Improves the fix to #18963.
2016-05-11 13:30:30 -04:00
teor (Tim Wilson-Brown)
730cfeb6bd
Fetch certificates from the same directory as the consensus
Resolves ticket 18963; fix on #4483 in 0.2.8.1-alpha.
2016-05-11 13:30:08 -04:00
Nick Mathewson
00ee62b8a5 Merge branch 'pubsub_squashed' 2016-05-11 13:26:29 -04:00
Nick Mathewson
80a6c8caa3 Basic work on a publish/subscribe abstraction
The goal here is to provide a way to decouple pieces of the code
that want to learn "when something happens" from those that realize
that it has happened.

The implementation here consists of a generic backend, plus a set of
macros to define and implement a set of type-safe frontends.
2016-05-11 13:25:11 -04:00
Nick Mathewson
3c6f059e6a Merge remote-tracking branch 'arma/feature18760' 2016-05-11 13:22:31 -04:00
Nick Mathewson
e9e6a1f547 Merge branch 'maint-0.2.8' 2016-05-11 13:20:57 -04:00
Nick Mathewson
8d962233f6 Merge remote-tracking branch 'teor/bug18816_simplify' into maint-0.2.8 2016-05-11 13:20:51 -04:00
Nick Mathewson
022d32252a Merge branch 'maint-0.2.8' 2016-05-11 13:17:02 -04:00
Nick Mathewson
24fbb9a81b Merge branch 'maint-0.2.7' into maint-0.2.8 2016-05-11 13:15:17 -04:00
John Brooks
bf3e32a452 Fix out-of-bounds write during voting with duplicate ed25519 keys
In dirserv_compute_performance_thresholds, we allocate arrays based
on the length of 'routers', a list of routerinfo_t, but loop over
the nodelist. The 'routers' list may be shorter when relays were
filtered by routers_make_ed_keys_unique, leading to an out-of-bounds
write on directory authorities.

This bug was originally introduced in 26e89742, but it doesn't look
possible to trigger until routers_make_ed_keys_unique was introduced
in 13a31e72.

Fixes bug 19032; bugfix on tor 0.2.8.2-alpha.
2016-05-11 13:11:03 -04:00
teor (Tim Wilson-Brown)
797ece042d
Confim we want certificates from fallbacks
Comment-only change
2016-05-11 13:08:45 -04:00
teor (Tim Wilson-Brown)
2cbad2aac7
Revert "Switch between fallback and authority when auth cert fetch fails"
This reverts commit 92d7ee08b8.
2016-05-11 13:06:13 -04:00
Roger Dingledine
b8b5bccfd9 refactor the #19003 patches
fix the logic in one of the comments
2016-05-11 13:03:49 -04:00
Nick Mathewson
71267bef4c Merge branch 'maint-0.2.8' 2016-05-11 12:36:55 -04:00
Nick Mathewson
28e1aa1118 Merge branch 'bug18761_028_squashed' into maint-0.2.8 2016-05-11 12:36:27 -04:00
Nick Mathewson
b59d79134e Log find_rp_for_intro_() failures at LOG_PROTOCOL_WARN.
Closes ticket 18761.

Also fix a whitespace issue.
2016-05-11 12:36:19 -04:00
Nick Mathewson
79f9e63ebf Merge branch 'maint-0.2.8' 2016-05-11 12:30:18 -04:00
Nick Mathewson
50d777dcf4 Split directory_handle_command_get into subfunctions.
This was one of our longest functions, at 600 lines.  It makes a nice
table-driven URL-based function instead.

The code is a bit ugly, it leave the indentation as it is in hopes of
making pending directory.c changes easier to merge.  Later we can
clean up the indentation.

Also, remove unused mallinfo export code from directory.c

Closes ticket 16698
2016-05-10 14:19:03 -04:00
teor (Tim Wilson-Brown)
92d7ee08b8
Switch between fallback and authority when auth cert fetch fails 2016-05-10 11:25:55 -04:00
teor (Tim Wilson-Brown)
64b948f5fa
Use the consensus download schedule for authority certificates
Previously, we were using the generic schedule for some downloads,
and the consensus schedule for others.

Resolves ticket 18816; fix on fddb814fe in 0.2.4.13-alpha.
2016-05-10 11:25:50 -04:00
Roger Dingledine
53aaed81dd get rid of another no-longer-used function 2016-05-10 11:16:30 -04:00
Roger Dingledine
be0e1e9e2f Stop being so strict about the payload length of "rendezvous1" cells
We used to be locked in to the "tap" handshake length, and now we can
handle better handshakes like "ntor".

Resolves ticket 18998.

I checked that relay_send_command_from_edge() behaves fine when you
hand it a payload with length 0. Clients behave fine too, since current
clients remain strict about the required length in the rendezvous2 cells.
(Clients will want to become less strict once they have an alternate
format that they're willing to receive.)
2016-05-09 20:34:27 -04:00
Nick Mathewson
7fa11a92d5 Merge branch 'maint-0.2.8' 2016-05-09 14:59:47 -04:00
Nick Mathewson
55cf1970bc Merge branch 'maint-0.2.7' into maint-0.2.8 2016-05-09 14:59:18 -04:00
Nick Mathewson
7fe80c2905 Merge branch 'maint-0.2.6' into maint-0.2.7 2016-05-09 14:56:56 -04:00
Nick Mathewson
0b477bfd55 Merge branch 'maint-0.2.5' into maint-0.2.6 2016-05-09 14:55:45 -04:00
Nick Mathewson
368146370b Merge branch 'maint-0.2.4' into maint-0.2.5 2016-05-09 14:55:22 -04:00
Roger Dingledine
aa6341d4b9 stop looping once we know what the answer will be
suggested during code review by dgoulet
2016-05-09 14:42:42 -04:00
Roger Dingledine
1f72653544 fix a bug where relays would use the aggressive client bootstrapping retry number 2016-05-09 14:42:32 -04:00
Roger Dingledine
d5a96286c2 simplify more -- we only call these funcs when bootstrapping 2016-05-09 14:42:21 -04:00
Roger Dingledine
c98fbd4169 remove some more unused code 2016-05-09 14:42:09 -04:00
Roger Dingledine
bcae392e0e avoid another redundant check
we should avoid launching a consensus fetch if we don't want one,
but if we do end up with an extra one, we should let the other checks
take care of it.
2016-05-09 14:41:54 -04:00
Nick Mathewson
33d3572a1d Merge branch 'feature15588_squashed' 2016-05-09 14:41:36 -04:00
Roger Dingledine
e230e80ab3 get rid of the scattered checks to cancel a consensus fetch
We'll back off from the request in connection_ap_handshake_attach_circuit,
or cancel it in connection_dir_close_consensus_fetches, and those are the
only places we need to check.
2016-05-09 14:41:32 -04:00
Roger Dingledine
a7665df2f8 close other consensus fetches when we get a consensus
not once per second, and only do it when a consensus arrives
2016-05-09 14:41:14 -04:00
Roger Dingledine
59da060f10 use the new function here too 2016-05-09 14:40:54 -04:00
Roger Dingledine
91c58013be avoid following through on a consensus fetch if we have one already arriving 2016-05-09 14:40:42 -04:00
Roger Dingledine
ce8266d52d fix typos/etc before i go nuts on #18809 2016-05-09 14:40:21 -04:00
John Brooks
162aa14eef Move rend client name checks to one function 2016-05-09 14:30:34 -04:00
teor (Tim Wilson-Brown)
c2817774c2
Allow directories in small networks to bootstrap
Skip DirPort checks when the consensus has no exits.

Resolves #19003, bugfix on #18050 in 0.2.8.1-alpha.
2016-05-09 14:29:07 -04:00
John Brooks
dcc11674db Add client auth for ADD_ONION services 2016-05-09 14:28:58 -04:00
John Brooks
d15354c73b Add client auth to rend_service_add_ephemeral 2016-05-09 14:28:08 -04:00
John Brooks
d5a23ce115 Move rend auth cookie en-/decoding to a function
Tor stores client authorization cookies in two slightly different forms.
The service's client_keys file has the standard base64-encoded cookie,
including two chars of padding. The hostname file and the client remove
the two padding chars, and store an auth type flag in the unused bits.

The distinction makes no sense. Refactor all decoding to use the same
function, which will accept either form, and use a helper function for
encoding the truncated format.
2016-05-09 14:28:08 -04:00
teor (Tim Wilson-Brown)
0c41ae1832
Add a comment to have_enough_path_info()
Comment only change
2016-05-09 14:26:13 -04:00
Nick Mathewson
69380033d6 Merge branch 'timeouts_v2_squashed' 2016-05-09 14:06:10 -04:00
Nick Mathewson
af132fc299 timer tests: differences in timing accuracy can be negative.
Also, use symbolic names for good-enough thresholds for timer accuracy.
2016-05-09 14:04:54 -04:00
Nick Mathewson
11a09778d6 Test coverage for timers. 2016-05-09 14:04:54 -04:00
Nick Mathewson
10fd4535c2 Fix an OSX/clang compilation warning 2016-05-09 14:04:54 -04:00
Nick Mathewson
118556e4b3 Quick-and-dirty test for timers code. 2016-05-09 14:04:53 -04:00
Nick Mathewson
dcf948da06 Add wrappers to tie the new timeouts into libevent. 2016-05-09 14:04:06 -04:00
John Brooks
e7ff23beea Make rend_authorized_client_free public
This is needed by control.c.

Also, check whether client_name is set before doing memwipe.
2016-05-09 13:53:24 -04:00
John Brooks
896271d525 Use uint8_t for rend descriptor_cookie fields 2016-05-09 13:53:09 -04:00
Karsten Loesing
3c2d4611ce Update geoip and geoip6 to the May 4 2016 database. 2016-05-09 17:51:15 +02:00
teor (Tim Wilson-Brown)
c75bf388b5
Warn users when addresses in ports and descriptor are inconsistent
This mitigates bug 13953.
2016-05-07 10:22:02 -07:00
teor (Tim Wilson-Brown)
faec7956a9
Refactor duplicate code in config.c into port_binds_ipv4/6
No behavioural change

Preserves and documents behaviour when passed AF_UNSPEC.
2016-05-07 10:17:46 -07:00
Nick Mathewson
641cdc345c Merge branch 'maint-0.2.8' 2016-05-05 08:25:27 -04:00
teor (Tim Wilson-Brown)
03fc4cf04c Refactor router_pick_directory_server_impl to use node functions
No behavioural change

This makes the use of the node explicit in the function, rather
than hiding the node lookup in fascist_firewall_allows_rs.
2016-05-05 08:24:17 -04:00
teor (Tim Wilson-Brown)
225448ad34 Comment-only change to clarify routerstatus_t IPv4 byte order 2016-05-05 08:24:17 -04:00
teor (Tim Wilson-Brown)
7ec273bd4a Rename skip_or and skip_dir to avoid confusion
Variable rename only
2016-05-05 08:24:17 -04:00
Nick Mathewson
68d913c49c Merge branch 'feature18483-028-v2-squashed' into maint-0.2.8 2016-05-05 08:16:36 -04:00
teor (Tim Wilson-Brown)
9aa280cc0c Only choose directory DirPorts on relays 2016-05-05 08:16:28 -04:00
teor (Tim Wilson-Brown)
88deb52d55 Make clients only select directories with reachable ORPorts
This makes sure clients will only select relays which support
begindir over ORPort.
2016-05-05 08:16:28 -04:00
teor (Tim Wilson-Brown)
833b5f71a7 Make clients always use begindir for directory requests
This improves client anonymity and avoids directory header tampering.
The extra load on the authorities should be offset by the fallback
directories feature.

This also simplifies the fixes to #18809.
2016-05-05 08:16:28 -04:00
teor (Tim Wilson-Brown)
2e5b35db81
Make directory node selection more reliable
Delete an unnecessary check for non-preferred IP versions.

Allows clients which can't reach any directories of their
preferred IP address version to get directory documents.

Patch on #17840 in 0.2.8.1-alpha.
2016-05-05 11:54:53 +10:00
Nick Mathewson
2da2718609 Merge branch 'maint-0.2.8' 2016-05-04 15:23:38 -04:00
Nick Mathewson
01e7f42a09 Merge branch 'bug18921_squashed' into maint-0.2.8 2016-05-04 15:23:26 -04:00
teor (Tim Wilson-Brown)
0cf90bac2a Choose the correct address for one-hop connections
After #17840 in 0.2.8.1-alpha, we incorrectly chose an IPv4
address for all DIRIND_ONEHOP directory connections,
even if the routerstatus didn't have an IPv4 address.

This likely affected bridge clients with IPv6 bridges.

Resolves #18921.
2016-05-04 15:23:14 -04:00
Nick Mathewson
2384256a37 Merge branch 'maint-0.2.8' 2016-05-04 15:12:20 -04:00
Nick Mathewson
b8e8910d60 Merge branch 'bug18686_025' into maint-0.2.8 2016-05-04 15:12:11 -04:00
Nick Mathewson
c7b9e0b8ed Report success when not terminating an already terminated process.
Also, document the actual behavior and return values of
tor_terminate_process.

Fixes bug18686; bugfix on 0.2.3.9-alpha.
2016-05-04 15:10:36 -04:00
Nick Mathewson
e24c902272 Merge branch 'maint-0.2.8' 2016-05-04 14:47:13 -04:00
Nick Mathewson
31332a878d Merge branch 'bug18710_025' into maint-0.2.8 2016-05-04 14:47:04 -04:00
Scott Dial
0ca3f495c6 Fix dnsserv.c assertion when no supported questions are requested.
The problem is that "q" is always set on the first iteration even
if the question is not a supported question. This set of "q" is
not necessary, and will be handled after exiting the loop if there
if a supported q->type was found.

    [Changes file by nickm]

lease enter the commit message for your changes. Lines starting
2016-05-04 14:45:09 -04:00
Nick Mathewson
230a3d1400 Merge branch 'maint-0.2.8' 2016-05-03 16:12:29 -04:00
Yawning Angel
8f292f1c33 Fix keccak-tiny portability on exotic platforms.
* SHA-3/SHAKE use little endian for certain things, so byteswap as
   needed.

 * The code was written under the assumption that unaligned access to
   quadwords is allowed, which isn't true particularly on non-Intel.
2016-05-03 16:12:07 -04:00
Nick Mathewson
5845c22822 Ed25519 test vectors from draft-irtf-cfrg-eddsa-05 2016-05-03 09:54:26 -04:00
Nick Mathewson
54697fa40b Add test vector for AES_CTR from NIST SP800-38a sec F.5 2016-05-03 09:40:47 -04:00
Nick Mathewson
44a3248197 Add test vector for Curve25519 from RFC7748 2016-05-03 09:31:34 -04:00
Nick Mathewson
405b637598 tests for some of the simpler functions in crypto.c 2016-05-03 09:21:08 -04:00
Nick Mathewson
d1f2af57df White-box tests for crypto_rand_*_range(), rand_hostname().
Coverage-driven; part of ticket 16794.
2016-05-03 09:21:07 -04:00
Nick Mathewson
8340becd39 Merge branch 'maint-0.2.8' 2016-05-02 14:02:15 -04:00
s0rlxmh0
054d939853 (cherry-picked by nickm, with changes file from isis.) 2016-05-02 14:01:36 -04:00
Nick Mathewson
b2083cba9e Merge remote-tracking branch 'dgoulet/bug13239_029_01' 2016-05-02 13:55:00 -04:00
Nick Mathewson
b72aa18d73 test_bt.sh: Check stderr for backtrace as well as stdout.
addresssanitizer likes to put backtraces on stderr.
2016-05-02 12:58:58 -04:00
teor (Tim Wilson-Brown)
b6ba6afa37 Refactor DirPort & begindir descriptor checks
No actual behaviour changes
2016-04-28 12:26:39 +10:00
teor (Tim Wilson-Brown)
211e56ad87 Remove redundant descriptor checks for OR/Dir reachability
The ORPort and DirPort must be reachable, or we won't publish a
descriptor.
2016-04-28 12:26:39 +10:00
teor (Tim Wilson-Brown)
b51316c0e7 Refactor common code out of reachability checks
No actual changes in behavior
2016-04-28 12:26:39 +10:00
teor (Tim Wilson-Brown)
d3c60f2bd7 Avoid checking ORPort reachability when the network is disabled
This is consistent with existing DirPort reachability checks.
2016-04-28 12:26:38 +10:00
teor (Tim Wilson-Brown)
05cf286713 Make mock function static to prevent future clashes 2016-04-28 12:26:38 +10:00
teor (Tim Wilson-Brown)
75dd2a285b Descriptors depend on more config options now they list begindir support
Bugfix on #12538 in 0.2.8.1-alpha.
2016-04-28 12:26:38 +10:00
teor (Tim Wilson-Brown)
692828bea5 Decide to advertise begindir support like we decide to advertise DirPort
Decide to advertise begindir support in a similar way to how
we decide to advertise DirPort.

Fix up the associated descriptor-building unit tests.

Resolves #18616, bugfix on 0c8e042c30 in #12538 in 0.2.8.1-alpha.
2016-04-28 12:26:38 +10:00
Nick Mathewson
fb9c9e04f0 Merge branch 'maint-0.2.8' 2016-04-26 19:27:39 -04:00
teor (Tim Wilson-Brown)
1fd4340f82 April 2016 fallbacks for 0.2.8-rc 2016-04-26 19:26:22 -04:00
Nick Mathewson
4a44e2d6f1 Merge remote-tracking branch 'yawning-schwanenleid/feature18685' 2016-04-26 13:39:50 -04:00
Nick Mathewson
bff53aabce Remove redundant declarations of MIN
Apparently somewhere along the line we decided that MIN might be
missing.

But we already defined it (if it was missing) in compat.h, which
everybody includes.

Closes ticket 18889.
2016-04-25 15:28:58 -04:00
Nick Mathewson
26db1b65b9 Remove trunnel files from libor/libcrypto, since they are in libtrunnel. Found with modularity tool. 2016-04-20 13:39:07 -04:00
David Goulet
1e553b6c68 Increase number of preemptive internal circuits
When we connect to a hidden service as a client we may need three internal
circuits, one for the descriptor retrieval, introduction, and rendezvous.
Let's try to make sure we have them. Closes #13239.

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2016-04-19 14:24:20 -04:00
Nick Mathewson
520799f084 Merge branch 'handles_squashed' 2016-04-19 14:08:05 -04:00
Nick Mathewson
e015f7c9cc Basic 'handle' implementation and tests.
This abstraction covers the case where one part of the program needs
to refer to another object that is allowed to disappear.
2016-04-19 14:07:43 -04:00
Nick Mathewson
94e3555187 Merge remote-tracking branch 'public/lcov_excl' 2016-04-19 14:05:51 -04:00
Nick Mathewson
4f37919fa1 Change UseOptimisticData default to 1.
This lets us use optimistic data for downloading our initial
consensus.

Closes ticket 18815.
2016-04-18 13:55:23 -04:00
Nick Mathewson
12e26a6e76 Disambiguate: Avoid defining two static functions called chunk_free_unchecked 2016-04-15 12:20:14 -04:00
Nick Mathewson
8c6b528b00 Disambiguate: Avoid defining two static functions both called gettweak() 2016-04-15 12:19:51 -04:00
Nick Mathewson
381dae43b6 Add branch prediction to util_bug.h, and fix a bug. 2016-04-15 09:12:03 -04:00
Nick Mathewson
c77cf8825a Quick function to find out the timeout object's view of "now" 2016-04-15 09:03:22 -04:00
Nick Mathewson
9d6c530015 Fix compilation of timeout.c with our flags and warnings. 2016-04-15 09:03:22 -04:00
Nick Mathewson
05499b6ded Add timeouts to libor-event.a 2016-04-15 09:03:22 -04:00
Nick Mathewson
32e80ea3d3 Import timeouts.c directly from William Ahern's git.
Imported from here: https://github.com/wahern/timeout

Imported as of upstream e5a9e8bfaa9c631bdc54002181795931b65bdc1a.

All sources unmodified.
2016-04-15 09:03:22 -04:00
Nick Mathewson
0e354ad459 Merge branch 'assert_nonfatal_squashed' 2016-04-14 16:25:21 -04:00
Nick Mathewson
a86ed1d717 Add an IF_BUG_ONCE macro, since that's a pretty common pattern too. 2016-04-14 16:25:07 -04:00
Nick Mathewson
532820b11c Add a BUG macro for usage in if checks. 2016-04-14 16:25:06 -04:00
Nick Mathewson
a885271c08 Add new tor_assert_nonfatal*() macros.
Unlike tor_assert(), these macros don't abort the process.  They're
good for checking conditions we want to warn about, but which don't
warrant a full crash.

This commit also changes the default implementation for
tor_fragile_assert() to tor_assert_nonfatal_unreached_once().

Closes ticket 18613.
2016-04-14 16:24:28 -04:00
Roger Dingledine
525307c0ea fix typos/etc before i go nuts on #18809 2016-04-13 00:06:30 -04:00
Nick Mathewson
0630f1982d Add LCOV_EXCL* markers to crypto.c and crypto_s2k.c
This marks some lines as unreachable by the unit tests, and as
therefore excluded from test coverage.

(Note: This convention is only for lines that are absolutely
unreachable.  Don't use it anywhere you wouldn't add a
tor_fragile_assert().)
2016-04-12 21:13:33 -04:00
Roger Dingledine
0aacc07036 encourage rejected relays to contact us
When the directory authorities refuse a bad relay's descriptor,
encourage the relay operator to contact us. Many relay operators
won't notice this line in their logs, but it's a win if even a
few learn why we don't like what their relay was doing.

Resolves ticket 18760.

I didn't specify a contact mechanism (e.g. an email address), because
every time we've done that in the past, a few years later we noticed
that the code was pointing people to an obsolete contact address.
2016-04-12 19:54:04 -04:00
Nick Mathewson
eafcd7b0fc Merge branch 'maint-0.2.8' 2016-04-12 13:02:37 -04:00
Nick Mathewson
7babf33239 Merge remote-tracking branch 'public/bug18716_027' into maint-0.2.8 2016-04-12 13:02:02 -04:00
Nick Mathewson
1a065cea46 Do not link tests against both libor.a and libor-testing.a
Also, put libor-testing.a at a better position in the list of
libraries, to avoid linker errors.

This is a fix, or part of a fix, for 18490.

Conflicts:
	src/test/include.am
2016-04-12 02:48:46 +00:00
Nick Mathewson
39c057d45a memarea: Don't assume that sizeof(ulong) >= sizeof(void*).
Fixes bug 18716; bugfix on 0.2.1.1-alpha where memarea.c was
introduced.  Found by wbenny.
2016-04-07 11:10:14 -04:00
Nick Mathewson
591029253f Merge branch 'bug14334_squashed' 2016-04-07 10:59:55 -04:00
George Kadianakis
d5acb633ae Don't mark guards as unreachable if connection_connect() fails. 2016-04-07 10:59:46 -04:00
David Goulet
40827da3bf Turn TestingClientBootstrap* into non-testing options
This changes simply renames them by removing "Testing" in front of them and
they do not require TestingTorNetwork to be enabled anymore.

Fixes #18481

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2016-04-07 10:57:59 -04:00
Nick Mathewson
7532cd439b When we get a bad nickname, explain what a good one is.
Closes #18300; patch from "icanhasaccount".
2016-04-07 10:54:53 -04:00
Nick Mathewson
e703484722 Merge branch 'maint-0.2.8' 2016-04-07 10:46:15 -04:00
Nick Mathewson
d8a056daed Merge branch 'maint-0.2.7' into maint-0.2.8 2016-04-07 10:46:07 -04:00
Nick Mathewson
ad4ff7a5b9 Merge branch 'maint-0.2.6' into maint-0.2.7 2016-04-07 10:45:46 -04:00
Nick Mathewson
2ce99b9f48 Merge branch 'maint-0.2.5' into maint-0.2.6 2016-04-07 10:45:38 -04:00
Nick Mathewson
34a51d1621 Merge branch 'maint-0.2.4' into maint-0.2.5 2016-04-07 10:45:32 -04:00
Karsten Loesing
97c6e717b9 Update geoip and geoip6 to the April 5 2016 database. 2016-04-07 11:10:09 +02:00
Nick Mathewson
d5b3679392 Merge branch 'maint-0.2.8' 2016-04-05 23:56:21 -04:00
Nick Mathewson
d7a0382ba3 Don't call the system toupper or tolower.
Yes, we could cast to unsigned char first, but it's probably safest
to just use our own (in test_util), or remove bad-idea features that
we don't use (in readpassphrase.c).

Fixes 18728.
2016-04-05 23:22:28 -04:00
Nick Mathewson
20d39e86af Merge branch 'maint-0.2.8' 2016-04-05 23:18:48 -04:00
Roger Dingledine
d037369e56 quiet debug logs from periodic_event_dispatch()
Stop blasting twelve lines per second from periodic_event_dispatch()
at loglevel debug.

Resolves ticket 18729; fix on 0.2.8.1-alpha.
2016-04-05 23:13:55 -04:00
Nick Mathewson
b46d126e64 Merge branch 'maint-0.2.8' 2016-04-05 10:38:53 -04:00
Nick Mathewson
967491f156 Only define NEW_THREAD_API when not building with LibreSSL. 2016-04-05 10:38:15 -04:00
Nick Mathewson
16f7851807 Merge remote-tracking branch 'teor/bug18720' 2016-04-05 10:08:11 -04:00
Nick Mathewson
6720628c97 Merge branch 'maint-0.2.8' 2016-04-05 10:06:18 -04:00
Yawning Angel
5db21f8f81 OpenSSL 1.1.0-pre5-dev and later made BIO opaque.
Detect newer versions and fix our TLS code to use the new API.
2016-04-05 10:03:24 -04:00
Yawning Angel
6729d7328c OpenSSL 1.1.0-pre4 and later(?) have a new "thread API".
It appears that setting the various callbacks is no longer required, so
don't.
2016-04-05 10:03:24 -04:00
teor (Tim Wilson-Brown)
6a2b4db4f9 Fix a comment typo in compat.h 2016-04-05 13:45:37 +10:00
teor (Tim Wilson-Brown)
5d2b1c784b Clarify comments on connection_t's address fields 2016-04-05 13:45:09 +10:00
Nick Mathewson
7865402106 Move tor_assert implementation into its own header/module. 2016-04-04 11:06:04 -04:00
Nick Mathewson
705d3b221e Merge branch 'incoming_queue_symbol_fix' 2016-04-01 14:16:49 -04:00
Nick Mathewson
4b3e6c4d43 Merge branch 'maint-0.2.8' 2016-04-01 08:18:03 -04:00
Nick Mathewson
fdb57db581 Merge branch 'bug18133_027' into maint-0.2.8 2016-04-01 08:17:56 -04:00
Nick Mathewson
4093f343ca fix indentation 2016-04-01 08:16:21 -04:00
Nick Mathewson
9e57ffa520 Merge branch 'maint-0.2.8' 2016-04-01 08:15:05 -04:00
Nick Mathewson
e247093e0e Merge remote-tracking branch 'karsten/task-18460-2' into maint-0.2.8 2016-04-01 08:10:58 -04:00
Yawning Angel
a19f4192da Issue a STATUS_SERVER event on meaningful hibernation state changes.
Implements feature #18685.
2016-03-30 20:19:11 +00:00
Andrea Shepard
183d465f0e Merge branch 'bug15221_027' into maint-0.2.7 2016-03-30 12:23:42 +00:00
Nick Mathewson
beba70ec77 Don't declare "incoming_queue" in every file including channel.h
Found with my wacky symbol-usage-enforcer.
2016-03-29 13:55:14 -04:00
Andrea Shepard
0b45cab147 Merge branch 'bug18570_027' into maint-0.2.7 2016-03-29 15:01:36 +00:00
Roger Dingledine
1103d82492 fix typo in comment 2016-03-29 10:56:26 -04:00
Andrea Shepard
1218d731d1 Merge branch 'bug16248_027' into maint-0.2.7 2016-03-29 14:33:45 +00:00
Nick Mathewson
4e76b206b5 Merge remote-tracking branch 'arma/feature18624' 2016-03-29 08:06:21 -04:00
Nick Mathewson
90c24c0ced Merge branch 'maint-0.2.8' 2016-03-28 20:09:22 -04:00
Nick Mathewson
ba87f5bb25 Fix my dumb unreleased bug in 18673 2016-03-28 20:09:09 -04:00
Nick Mathewson
055a7a198a Rename tor_dup_addr to tor_addr_to_str_dup.
Patch from icanhasaccount; closes 18462.
2016-03-28 16:36:51 -04:00
Nick Mathewson
3220bd816b Merge branch 'maint-0.2.8' 2016-03-28 16:14:21 -04:00
Nick Mathewson
447b1c6b1d Begin an 0.2.9 branch 2016-03-28 15:54:59 -04:00
Nick Mathewson
a3f36bfd81 and NOW the version is 0.2.8.2-alpha-dev 2016-03-28 15:53:17 -04:00
Nick Mathewson
5b12642d09 Bump version correctly this time 2016-03-28 11:22:20 -04:00
Nick Mathewson
addd181721 Fix memory leak in TestingEnableCellStatsEvent
Only when we were actually flushing the cell stats to a controller
would we free them.  Thus, they could stay in RAM even after the
circuit was freed (eg if we didn't have any controllers).

Fixes bug 18673; bugfix on 0.2.5.1-alpha.
2016-03-28 11:12:15 -04:00
Nick Mathewson
68e663f777 Fix memory leaks that stopped chutney working with asan 2016-03-28 10:24:28 -04:00
Nick Mathewson
1d315b28a2 Fix a memory leak in tor-gencert.
This way I can run chutney under asan.

Fixes part of 18672.
2016-03-28 10:21:41 -04:00
Nick Mathewson
fc877b3c9e Bump the version number 2016-03-28 09:32:14 -04:00
Nick Mathewson
32e8886314 One more test that didnt pass on windows. See #18665. 2016-03-28 08:57:29 -04:00
Nick Mathewson
9604a5ba91 Fix memory-counting error in rephist.c. Bug 18651. (Now with actual patch) 2016-03-28 07:40:20 -04:00
Nick Mathewson
4895d8288c Do not treat "DOCDOC" as doxygen. 2016-03-26 10:11:45 -04:00
Nick Mathewson
cc90b57b04 add a little documentation to memarea. (I have been testing a tool.) 2016-03-26 10:09:19 -04:00
Nick Mathewson
c0568a89d9 Whitespace fixes 2016-03-26 09:54:31 -04:00
Nick Mathewson
dd572dac34 Fix all doxygen warnings (other than missing docs) 2016-03-26 09:53:12 -04:00
Nick Mathewson
c81b1358e7 Merge branch 'bug18649_squashed' 2016-03-26 08:17:19 -04:00
teor (Tim Wilson-Brown)
6057fb2f5b Clarify excess consensus connection cleanup by adding comments
Comment-only change
2016-03-26 08:16:33 -04:00
Nick Mathewson
24c0c5ef19 Disable failing broken time format case for windows. 2016-03-25 22:00:20 -04:00
Nick Mathewson
8d16c2f30e Merge remote-tracking branch 'arma/bug18625' 2016-03-25 17:19:59 -04:00
Nick Mathewson
4bb44f2c15 Only check in-boundsness of seconds when time_t is smaller than i64
Otherwise coverity complains that we're checking an whether an int64 is
less than INT64_MIN, which of course it isn't.

Fixes CID 1357176. Not in any released Tor.
2016-03-25 16:46:02 -04:00
Karsten Loesing
b79d8590c9 Include IPv6 consensus downloads in dirreq stats.
Fixes #18460.
2016-03-25 20:56:29 +01:00
Roger Dingledine
8251fe5150 use a clearer argument for connection_ap_make_link()
that function calls it argument "want_onehop", so it makes more
sense to pass that boolean into it.
2016-03-24 19:57:39 -04:00
Roger Dingledine
98abd49f6f remove the extraneous dir_port variable
we already are using "port" to describe the place we're going to
ask to connect to.
2016-03-24 19:14:32 -04:00
Roger Dingledine
fbd79f38c2 remove a redundant check about whether dirport is 0 2016-03-24 19:14:31 -04:00
Roger Dingledine
f590a303db revert the or_connection and dir_connection flags
They incorrectly summarized what the function was planning to do,
leading to wrong behavior like making an http request to an orport,
or making a begindir request to a dirport.

This change backs out some of the changes made in commit e72cbf7a, and
most of the changes made in commit ba6509e9.

This patch resolves bug 18625. There more changes I want to make
after this one, for code clarity.
2016-03-24 19:14:21 -04:00
Nick Mathewson
d5f50cb052 Merge remote-tracking branch 'dgoulet/bug18623_028_01' 2016-03-24 15:03:50 -04:00
Roger Dingledine
c4208ef65f dir auths only give Guard if they're giving Stable
This change allows us to simplify path selection for clients, and it
should have minimal effect in practice since >99% of Guards already have
the Stable flag. Implements ticket 18624.
2016-03-24 15:00:01 -04:00
David Goulet
ba6509e9e1 Fix broken directory request to the DirPort
Commit e72cbf7a4 introduced a change to directory_initiate_command_rend()
that made tor use the ORPort when making a directory request to the DirPort.
The primary consequence was that a relay couldn't selftest its DirPort thus
failing to work and join the network properly.

The main issue was we were always considering an anonymized connection to be
an OR connection which is not true.

Fixes #18623

Signed-off-by: David Goulet <dgoulet@ev0ke.net>
2016-03-24 13:57:53 -04:00
Nick Mathewson
4f86d75a4b try to fix a test failure for sizeof(time_t)==4. 2016-03-24 12:26:46 -04:00
Nick Mathewson
6256c61d95 Merge branch 'timegm_overflow_squashed' 2016-03-24 10:18:00 -04:00
teor (Tim Wilson-Brown)
19fb86a2dc Add a missing UL on a long in a unit test 2016-03-24 10:17:48 -04:00
teor (Tim Wilson-Brown)
b99bd3e7ff Add unit tests with dates from 2035 to 2039
Platforms with 32-bit time_t sometimes give different results.
They don't always indicate failure on overflow, #18480 should
fix these.
2016-03-24 10:17:48 -04:00
teor (Tim Wilson-Brown)
e71e8e005a Avoid overflow in tor_timegm on 32 bit platforms due to year 2038 2016-03-24 10:17:48 -04:00
Nick Mathewson
424af93ded Merge branch 'bug18517_squashed' 2016-03-24 10:14:05 -04:00
teor (Tim Wilson-Brown)
f2153f9716 Always allow OR connections to bridges on private addresses
Regardless of the setting of ExtendAllowPrivateAddresses.

This fixes a bug with pluggable transports that ignore the
(potentially private) address in their bridge line.

Fixes bug 18517; bugfix on 23b088907f in tor-0.2.8.1-alpha.
2016-03-24 10:13:58 -04:00
Nick Mathewson
54559e5845 Merge remote-tracking branch 'teor/bug18351' 2016-03-24 09:33:58 -04:00
Nick Mathewson
ea9472d085 Merge remote-tracking branch 'teor/bug18489' 2016-03-24 09:01:28 -04:00
teor (Tim Wilson-Brown)
b1569e39c8 Check if fallbacks support extrainfo descriptors before requesting them
When requesting extrainfo descriptors from a trusted directory
server, check whether it is an authority or a fallback directory
which supports extrainfo descriptors.

Fixes bug 18489; bugfix on 90f6071d8d in tor-0.2.4.7-alpha.

Reported by "atagar", patch by "teor".
2016-03-24 22:03:58 +11:00
teor (Tim Wilson-Brown)
eb5a262a15 Code indentation whitespace-only fix 2016-03-24 21:56:37 +11:00
teor (Tim Wilson-Brown)
355f78364a Clarify ReachableAddress log messages
Make it clearer that they are about outgoing connection attempts.
Specify the options involved where they were missing from one log
message.
Clarify a comment.
2016-03-24 20:59:49 +11:00
teor (Tim Wilson-Brown)
f2a344e397 Downgrade IP version warnings to avoid filling logs
Downgrade logs and backtraces about IP versions to
info-level. Only log backtraces once each time tor runs.

Assists in diagnosing bug 18351; bugfix on c3cc8e16e in
tor-0.2.8.1-alpha.

Reported by "sysrqb" and "Christian", patch by "teor".
2016-03-24 10:39:23 +11:00
Nick Mathewson
7123e9706e Repair build when no sandbox support is enabled. 2016-03-22 13:18:18 -04:00
Nick Mathewson
ca8423a703 Merge remote-tracking branch 'public/bug18253' 2016-03-22 10:08:50 -04:00
Nick Mathewson
dae8484107 Try to fix an intermittent test failure on openbsd. 2016-03-22 09:12:59 -04:00
Nick Mathewson
9dff41694a Never use sprintf. tor_snprintf instead. Bug in tests, not in any released tor. 2016-03-22 08:52:17 -04:00
Nick Mathewson
a17537a238 Fix an fd leak in check_private_dir().
The fd would leak when the User wasn't recogniezed by
getpwnam(). Since we'd then go on to exit, this wasn't a terribad
leak, but it's still not as nice as no leak at all.

CID 1355640; bugfix on no released Tor.
2016-03-22 08:29:51 -04:00
Roger Dingledine
580e549f75 remove extraneous breaks
commit edeba3d4 removed a switch, but left the "break" lines in
from that switch. fortunately the resulting behavior was not wrong,
since there was an outer switch that it was ok to break from.
2016-03-21 17:11:18 -04:00
Roger Dingledine
4861e24552 fix indentation after #18332 patches
no actual changes here -- but the new indenting makes it clear
that the fixes in #18332 were not as good as they should have been.
the next commit will deal with that.
2016-03-21 17:08:02 -04:00
Nick Mathewson
6a91cab79c Merge branch 'maint-0.2.7' 2016-03-21 13:26:04 -04:00
Nick Mathewson
e1e62f9d57 Merge branch 'ed25519_voting_fixes_squashed' into maint-0.2.7 2016-03-21 13:25:12 -04:00
Nick Mathewson
2f2fba8a91 Use nth consistently in dircollate.h.
Documentation-only patch. Issue 17668.T6.
2016-03-21 13:24:09 -04:00
Nick Mathewson
b24f15a9a1 In routers_make_ed_keys_unique, break ties for published_on
This ensures that if we can't use published_on to decide an ed,rsa
mapping, we at least decide deterministically.

Resolves 17668.T3
2016-03-21 13:24:09 -04:00
Nick Mathewson
beef6ed451 Assert that dircollator is collated when we're reading its output.
Fix for 17668.S2.
2016-03-21 13:24:09 -04:00
Nick Mathewson
48f8229504 After we strip out duplicate entries from 'routers', don't use 'rl'.
We've got to make sure that every single subsequent calculation in
dirserv_generate_networkstatus_vote_obj() are based on the list of
routerinfo_t *after* we've removed possible duplicates, not before.
Fortunately, none of the functions that were taking a routerlist_t
as an argument were actually using any fields other than this list
of routers.

Resolves issue 18318.DG3.
2016-03-21 13:24:09 -04:00
Nick Mathewson
fa07c60c67 Fix another case of 17668: Add NoEdConsensus
I had a half-built mechanism to track, during the voting process,
whether the Ed25519 value (or lack thereof) reflected a true
consensus among the authorities.  But we never actually inserted this
field in the consensus.

The key idea here is that we first attempt to match up votes by pairs
of <Ed,RSA>, where <Ed> can be NULL if we're told that there is no
Ed key.  If this succeeds, then we can treat all those votes as 'a
consensus for Ed'.  And we can include all other votes with a
matching RSA key and no statement about Ed keys as being "also about
the same relay."

After that, we look for RSA keys we haven't actually found an entry
for yet, and see if there are enough votes for them, NOT considering
Ed keys.  If there are, we match them as before, but we treat them
as "not a consensus about ed".

When we include an entry in a consensus, if it does not reflect a
consensus about ed keys, then we include a new NoEdConsensus flag on
it.

This is all only for consensus method 22 or later.

Also see corresponding dir-spec patch.
2016-03-21 13:24:09 -04:00
Nick Mathewson
60ca3f358f Document has_ed25519_listing 2016-03-21 13:23:32 -04:00
Nick Mathewson
13a31e72db Never vote for an ed key twice.
When generating a vote, and we have two routerinfos with the same ed
key, omit the one published earlier.

This was supposed to have been solved by key pinning, but when I
made key pinning optional, I didn't realize that this would jump up
and bite us.  It is part of bug 18318, and the root cause of 17668.
2016-03-21 13:23:32 -04:00
Nick Mathewson
c20e34e189 Fix log message subjects in networkstatus_parse_vote_from_string()
Some of these messages called the thing being parsed a "vote" whether
it is a vote or a consensus.

Fixes bug 18368.
2016-03-21 13:23:32 -04:00
Nick Mathewson
6182e34628 Document dircollate.c (and remove an unused global) 2016-03-21 13:23:32 -04:00
Nick Mathewson
233180a9ab Merge remote-tracking branch 'public/bug18548' 2016-03-21 12:36:41 -04:00
Nick Mathewson
005a20ec85 Log a better message when OfflineMasterKey is set.
Fixes bug 18133; bugfix on 0.2.7.2-alpha.
2016-03-21 11:57:23 -04:00
Nick Mathewson
d567796946 Merge remote-tracking branch 'public/bug17443_v2' 2016-03-21 11:21:31 -04:00
Nick Mathewson
ddd30f966a Merge remote-tracking branch 'arma/ticket18332-try3' 2016-03-21 10:41:23 -04:00
Nick Mathewson
13eb120bea Merge remote-tracking branch 'special/bug18600' 2016-03-21 10:32:39 -04:00
Nick Mathewson
cb3f9bc2d4 Merge branch 'bug18570_027' 2016-03-21 10:20:16 -04:00
Andrea Shepard
bd87d37a86 Make sure channel_t queues its own copy of incoming cells 2016-03-21 10:14:47 -04:00
Andrea Shepard
1cdc7fddb2 Add new channel/queue_incoming unit tests; modify channel unit tests for new clarified handling of alloc/free responsibility for queued incoming cells 2016-03-21 10:14:47 -04:00
Steven Chamberlain
a42938c076 test_options.c: assert that TransProxyType is tested
If a new platform defines USE_TRANSPARENT, ensure that a test runs for
its TransProxyType.
2016-03-21 09:51:35 -04:00