This comparison is big! We’re only showing the most recent 250 commits.
Commits on Dec 19, 2016
Part of #20539, based on #20509.
Part of #20539, based on #20501.
These updates assume that the changes were intentional and permanent. The operators were emailed to confirm.
…days 7 days is a tradeoff between the expected time between major Tor releases, which is 6 months, and the number of relays with enough stability. Relays whose OnionOO stability timer is reset on restart by bug #18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for this issue. Closes ticket #20880; maintains short-term fix in e220214 in tor-0.2.8.2-alpha.
This allows 73% of clients to bootstrap in the first 5 seconds without contacting an authority. Part of #18828.
This is safe now we are choosing 200 fallbacks. Closes ticket 20912.
Exclude relays that have been down for 1 or more days from the fallback candidate list. When a relay operator has multiple relays, this prioritises relays that are up over relays that are down. Fixes issue #20926.
This works around #20909, where relays serve stale consensuses for a short time, and then recover. Update to the fix for #20539.
…y uptime Sometimes, the fallback generation script doesn't add attributes to the fallbacks in the list. If this happens, log an error, and avoid selecting that fallback. This is a rare issue: it should not change selection behaviour. Fixes issue #20945.
Based on:
* fallback directory mirror checks,
* operator emails and tickets, both before and after the Dec 2016 emails:
  https://lists.torproject.org/pipermail/tor-relays/2016-December/011113.html
  https://lists.torproject.org/pipermail/tor-relays/2016-December/011330.html
Replace the 81 remaining fallbacks of the 100 originally introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177 fallbacks (123 new, 54 existing, 27 removed) generated in December 2016. Resolves ticket 20170.
"ours" merge to avoid version bump.
"ours" merge to avoid version bump.
"Ours" merge to avoid version bump.
"Ours" merge to avoid version bump.
Self-testing circuits don't use guards, and nobody uses guards when UseEntryGuards is disabled. Fixes bug 21007; bug not in any released Tor.
Commits on Dec 20, 2016
These updates were made after the December 2016 list was created.
This helps protect against bugs where any part of a buf_t's memory is passed to a function that expects a NUL-terminated input.
(ours merge -- there is a separate 0.2.5 patch for 20384.)
This helps protect against bugs where any part of a buf_t's memory is passed to a function that expects a NUL-terminated input.
("ours" merge because there is a separate 20384 patch for 026)
This helps protect against bugs where any part of a buf_t's memory is passed to a function that expects a NUL-terminated input. It also closes TROVE-2016-10-001 (aka bug 20384).
Commits on Dec 21, 2016
This came up on #21035, where somebody tried to build on a linux system with kernel headers including CLOCK_MONOTONIC_COARSE, then run on a kernel that didn't support it. I've adopted a belt-and-suspenders approach here: we detect failures at initialization time, and we also detect (loudly) failures later on. Fixes bug 21035; bugfix on 0.2.9.1-alpha when we started using monotonic time.
Signed-off-by: David Goulet <dgoulet@torproject.org>
First, this commit moves the code used to prune the service list when reloading Tor (HUP signal for instance) to a function from rend_config_services(). Second, fix bug #21054, improve the code by using the newly added circuit_get_next_service_intro_circ() function instead of poking at the global list directly and add _many_ more comments. Fixes #21054. Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: David Goulet <dgoulet@torproject.org>
Commits on Dec 22, 2016
When marking for close a circuit, the reason value, an integer, was assigned to a uint16_t converting any negative reasons (internal) to the wrong value. On the HS side, this was causing the client to flag introduction points to be unreachable as the internal reason was wrongfully converted to a positive 16bit value leading to flag 2 out of 3 intro points to be unreachable. Fixes #20307 and partially fixes #21056 Signed-off-by: David Goulet <dgoulet@torproject.org>
Commits on Dec 23, 2016
This basically means changing the 'encrypted' field to 'superencrypted'.
(event_init() is obsoleted in libevent 2.) Fixes bug 21051; bugfix on 0.2.9.1-alpha when we dropped libevent 1 support.
Give size_mul_check() external linkage and use it in base64_decode() to avoid a potential integer wrap. Closes #19222
The AC_PROG_SED macro was added in Autoconf 2.59b and the minimum supported Autoconf version is now 2.63 so we can safely assume it is available.
Turning on warnings in Automake makes it complain about not using the AM_PROG_AR macro. The AM_PROG_AR macro is required when LIBRARIES or LTLIBRARIES is used. The macro looks for an archiver and wraps it in the ar-lib script which is automatically generated so Git should ignore it. It makes the custom check for 'ar' obsolete so it is removed. The AM_PROG_AR macro was added in Automake 1.11.2 thus the minimum Automake version is increased.
This commit removes more code related to the old tor-fw-helper which was removed in ticket 13338. Closes ticket 21024.
The abort handler masks the exit status of the backtrace generator by capturing the abort signal from the backtrace handler and exiting with zero. Because the output of the backtrace generator is meant to be piped to `bt_test.py`, its exit status is unimportant and is currently ignored. The abort handler calls `exit(3)` which is not asynchronous-signal-safe and calling it in this context is undefined behavior [0]. Closes ticket 21026. [0] https://www.securecoding.cert.org/confluence/x/34At
Commits on Dec 27, 2016
Found by coverity scan; CID 1398167.
Commits on Dec 30, 2016
Commits on Jan 02, 2017
Previously we were marking directory guards up in ..._process_inbuf(), but that's wrong: we call that function on close as well as on success. Instead, we're marking the dirguard up only after we parse the HTTP headers. Closes 20974.
This is not a great solution, but it's as close to backward-compatible as possible. A better GETINFO API should expose more information.
We switched these to be "if (1) " a while back, so we could keep the indentation and avoid merge conflicts. But it's nice to clean up from time to time.
Because <unset> makes more sense than AAAAAAAAAAAAAAAAAAA... (I have indeed verified that ed25519_fmt() is only used for logging.) This patch also clarifies the intention that ed25519_fmt() is only for logging. Closes ticket 21037.
Closes ticket 20921.
Commits on Jan 03, 2017
Closes #21122, bug on multiple tor versions.
This check is already performed regardless of whether the sandbox is active. Fixes bug 21123; bugfix on commit 2ae47d3 in 0.2.5.4-alpha.
Some DNS NXDOMAIN hijackers hijack truly ridiculous domains, like "invalid-stuff!!" or "1.2.3.4.5". This would provoke unit test failures where we used addresses like that to force tor_addr_lookup() to fail. The fix, for testing, is to mock tor_addr_lookup() with a variant that always fails when it gets a name with a !. Fixes bugs 20862 and 20863.
Commits on Jan 04, 2017
Commits on Jan 08, 2017
Commits on Jan 09, 2017
Add the "sr/current" and "sr/previous" keys for the GETINFO command in order to get through the control port the shared random values from the consensus. Closes #19925 Signed-off-by: David Goulet <dgoulet@torproject.org>
Commits on Jan 10, 2017
This commit adds 3 unit tests which validate a wrong signature length, a wrong authentication key length and a wrong MAC in the cell. Closes #20992 Signed-off-by: David Goulet <dgoulet@torproject.org>
Commits on Jan 11, 2017
Found using flake8 which gave the following output;
lintChanges.py:10:13: E225 missing whitespace around operator
lintChanges.py:25:1: E302 expected 2 blank lines, found 1
lintChanges.py:46:5: F841 local variable 'lines' is assigned to but never used
lintChanges.py:52:32: E228 missing whitespace around modulo operator
lintChanges.py:53:11: E201 whitespace after '('
lintChanges.py:56:41: E228 missing whitespace around modulo operator
Part of ticket 21096.
Closes ticket 21096.
In 8a0ea3e we added a temp_service_list local variable to rend_config_services, but we didn't add a corresponding "free" for it to all of the exit paths. Fixes bug 20987; bugfix on 0.3.0.1-alpha.
That key size is taken from proposal 224 thus specified in the protocol. Closes #20569 Signed-off-by: David Goulet <dgoulet@torproject.org>
Commits on Jan 12, 2017
Commits on Jan 13, 2017
In order to help an HS operator knowing if the application configured behind it is not working properly, add a log at warning level for the connection refused or timeout case. This log will only be printed if a client connection fails and is rate limited. Closes #21019 Signed-off-by: David Goulet <dgoulet@torproject.org>
(Based on joint work at https://pad.riseup.net/p/profiling-tor)
It is no longer possible for the IPv6 preference options to differ from the IPv6 usage: preferring IPv6 implies possibly using IPv6. Also remove the corresponding unit test warning message checks. (But keep the unit tests themselves - they now run without warnings.)
…info The microdesc consensus does not contain any IPv6 addresses. When a client has a microdesc consensus but no microdescriptor, make it use the hard-coded IPv6 address for the node (if available). (Hard-coded addresses can come from authorities, fallback directories, or configured bridges.) If there is no hard-coded address, log a BUG message, and fail the connection attempt. (All existing code checks for a hard-coded address before choosing a node address.) Fixes 20996, fix on b167e82 from 19608 in 0.2.8.5-alpha.
Let A = UseBridges
Let B = ClientUseIPv4
Then firewall_is_fascist_impl expands and simplifies to:
B || (!(A || ...) && A)
B || (!A && ... && A)
B || 0
B
pointed out by toralf on irc
Commits on Jan 14, 2017
Commits on Jan 16, 2017
Commits on Jan 17, 2017
Found by coverity scan; CID 1398917
Our config code is checking correctly at DataDirectoryGroupReadable but then when we initialize the keys, we ignored that option ending up at setting back the DataDirectory to 0700 instead of 0750. Patch by "redfish". Fixes #19953 Signed-off-by: David Goulet <dgoulet@torproject.org>
An operator couldn't set the number of introduction points below the default value which is 3. With this commit, from 0 to the hardcoded maximum is now allowed. Closes #21033 Signed-off-by: David Goulet <dgoulet@torproject.org>
In addition to the comments in the ticket, couple hidden service options have been improved to clarify the maximum and minimum values they can be set to. Closes #21058 Signed-off-by: David Goulet <dgoulet@torproject.org>
Commits on Jan 18, 2017
The server-side clipping now clamps to one of two values, both for what to report, and how long to cache. Additionally, we move some defines to dns.h, and give them better names.
Related to 19769.
So far, the TTLs for both A and AAAA records were not initialised, resulting in exit relays sending back the value 60 to Tor clients. This also impacts exit relays' DNS cache -- the expiry time for all domains is set to 60. This fixes <https://bugs.torproject.org/19025>.
It's always called with the same arguments, and there wouldn't be much point to calling it differently.
This patch generalizes the two functions router_is_already_dir_fetching_rs and router_is_already_dir_fetching_ds into a single function, router_is_already_dir_fetching_, by lifting the passing of the IPv4 & IPv6 addresses and the directory port number to the caller.
This patch refactors duplicated code, to check if a given router supports fetching the extra-info document, into a common macro called SKIP_MISSING_TRUSTED_EXTRAINFO.
That way, when we are parsing the options and LearnCircuitBuildTimeout is set to 0, we don't assert trying to get the options list with get_options(). Fixes #21062 Signed-off-by: David Goulet <dgoulet@torproject.org>
Renamed to DIRCACHE_MIN_MEM and DIRCACHE_MIN_MB_MEM. Signed-off-by: David Goulet <dgoulet@torproject.org>
Closes #20029 Signed-off-by: David Goulet <dgoulet@torproject.org>
Adds a better semantic and it also follows the same interface for the INTRODUCE1 API which is circuit_is_suitable_for_introduce1(). Signed-off-by: David Goulet <dgoulet@torproject.org>
With the previous commit, we validate the circuit _before_ calling rend_mid_introduce() which handles the INTRODUCE1 payload. Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: David Goulet <dgoulet@torproject.org>
Signed-off-by: David Goulet <dgoulet@torproject.org>
- Also remove LCOV marks from blocks of code that can be reachable by tests if we mock relay_send_command_from_edge(). Signed-off-by: David Goulet <dgoulet@torproject.org>
Commits on Jan 19, 2017
In trunnel, {struct}_encoded_len() can return negative values.
Coverity caught this as 1398957.
Commits on Jan 21, 2017
Commits on Jan 22, 2017
Commits on Jan 23, 2017
When marking for close a circuit, the reason value, an integer, was assigned to a uint16_t converting any negative reasons (internal) to the wrong value. On the HS side, this was causing the client to flag introduction points to be unreachable as the internal reason was wrongfully converted to a positive 16bit value leading to flag 2 out of 3 intro points to be unreachable. Fixes #20307 and partially fixes #21056 Signed-off-by: David Goulet <dgoulet@torproject.org>
pointed out by toralf on irc
"ours" merge to avoid taking cherry-picked 20307 fix
(Automated sort and format)
Implements feature 20956.
Commits on Jan 24, 2017
This actually is much easier to write now that guard_selection_t is first-class.
Also, teach it to not use 3DES any more.
Commits on Jan 25, 2017
If a hostname is supplied to tor-resolve which is too long, it will be
silently truncated, resulting in a different hostname lookup:
$ tor-resolve $(python -c 'print("google.com" + "m" * 256)')
If tor-resolve uses SOCKS5, the length is stored in an unsigned char,
which overflows in this case and leads to the hostname "google.com".
As this one is a valid hostname, it returns an address instead of giving
an error due to the invalid supplied hostname.
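
The truncation described in the commit message above, as an added example that is not part of the commit or of Tor's source: a one-byte length field narrows the 266-character hostname to its first 10 bytes, while a bounds check before the narrowing rejects it. The function names and the 255-byte constant name are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCKS5_MAX_HOSTNAME 255  /* the length field is a single octet */

/* Hypothetical helper, not Tor's code. Unchecked: the length is narrowed
 * to one byte, so 266 becomes 10. Returns the hostname bytes written. */
size_t encode_name_unchecked(const char *host, uint8_t *out, size_t outlen)
{
    uint8_t len = (uint8_t)strlen(host);   /* silent truncation mod 256 */
    if (outlen < (size_t)len + 1)
        return 0;
    out[0] = len;
    memcpy(out + 1, host, len);
    return len;
}

/* Hypothetical helper. Checked: refuse what one octet cannot represent.
 * Returns 0 on success, -1 if the hostname is empty or too long. */
int encode_name_checked(const char *host, uint8_t *out, size_t outlen)
{
    size_t len = strlen(host);
    if (len == 0 || len > SOCKS5_MAX_HOSTNAME || outlen < len + 1)
        return -1;
    out[0] = (uint8_t)len;
    memcpy(out + 1, host, len);
    return 0;
}

/* Constructed input from the commit message: "google.com" + 256 * 'm'. */
void make_long_host(char *buf)  /* buf must hold at least 267 bytes */
{
    memcpy(buf, "google.com", 10);
    memset(buf + 10, 'm', 256);
    buf[266] = '\0';
}

int main(void)
{
    char host[267];
    uint8_t wire[512];
    make_long_host(host);
    size_t n = encode_name_unchecked(host, wire, sizeof wire);
    printf("unchecked: %zu bytes: %.*s\n", n, (int)n, (const char *)(wire + 1));
    printf("checked:   %d\n", encode_name_checked(host, wire, sizeof wire));
    return 0;
}
```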
If tor_mmap_file is called with a file which is larger than SIZE_MAX, only a small part of the file will be memory-mapped due to integer truncation. This can only realistically happen on 32 bit architectures with large file support.
Commits on Jan 27, 2017
Allow separation of exit and relay traffic to different source IP addresses (Ticket #17975). Written by Michael Sonntag.
See: https://trac.torproject.org/projects/tor/ticket/21269 https://bugs.debian.org/851798 Closes #21269 Signed-off-by: David Goulet <dgoulet@torproject.org>
- Remove DES from mandatory list.
- always put the closing ; on its own line.
Commits on Jan 28, 2017
If there are no ephemeral or detached onion services, then "GETINFO onions/current" or "GETINFO onions/detached" should return an empty list instead of an error