Nick Mathewson [Thu, 4 Mar 2010 23:37:40 +0000 (18:37 -0500)]
Apply Roger's bug 1269 fix.
From http://archives.seul.org/tor/relays/Mar-2010/msg00006.html :
As I understand it, the bug should show up on relays that don't set
Address to an IP address (so they need to resolve their Address
line or their hostname to guess their IP address), and their
hostname or Address line fails to resolve -- at that point they'll
pick a random 4 bytes out of memory and call that their address. At
the same time, relays that *do* successfully resolve their address
will ignore the result, and only come up with a useful address if
their interface address happens to be a public IP address.
Sebastian Hahn [Thu, 25 Feb 2010 09:31:36 +0000 (10:31 +0100)]
Properly handle non-terminated strings
Treat strings returned from signed_descriptor_get_body_impl() as not
NUL-terminated. Since the length of the strings is available, this is
not a big problem.
Sebastian Hahn [Tue, 23 Feb 2010 16:09:02 +0000 (17:09 +0100)]
Proper NULL checking for hsdesc publication
Fix a dereference-then-NULL-check sequence. This bug wasn't triggered
in the wild, but we should fix it anyways in case it ever happens.
Also make sure users get a note about this being a bug when they
see it in their log.
Thanks to ekir for discovering and reporting this bug.
Sebastian Hahn [Mon, 22 Feb 2010 10:39:29 +0000 (11:39 +0100)]
Zero a cipher completely before freeing it
We used to only zero the first ptrsize bytes of the cipher. Since
cipher is large enough, we didn't zero too many bytes. Discovered
and fixed by ekir. Fixes bug 1254.
Nick Mathewson [Thu, 18 Feb 2010 04:55:03 +0000 (23:55 -0500)]
Even more conservative option-setting for SSL renegotiation.
This time, set the SSL3_FLAGS_ALLOW_UNSAFE_RENEGOTIATION flag on every
version before OpenSSL 0.9.8l. I can confirm that the option value (0x0010)
wasn't reused until OpenSSL 1.0.0beta3.
Sebastian Hahn [Mon, 8 Feb 2010 14:35:34 +0000 (15:35 +0100)]
Don't use gethostbyname() in resolve_my_address()
Tor has tor_lookup_hostname(), which prefers ipv4 addresses automatically.
Bug 1244 occured because gethostbyname() returned an ipv6 address, which
Tor cannot handle currently. Fixes bug 1244; bugfix on 0.0.2pre25.
Reported by Mike Mestnik.
Sebastian Hahn [Sun, 7 Feb 2010 05:30:55 +0000 (06:30 +0100)]
lookup_last_hid_serv_request() could overflow and leak memory
The problem was that we didn't allocate enough memory on 32-bit
platforms with 64-bit time_t. The memory leak occured every time
we fetched a hidden service descriptor we've fetched before.
Nick Mathewson [Tue, 2 Feb 2010 21:12:45 +0000 (16:12 -0500)]
Link libssl and libcrypto in the right order.
For most linking setups, this doesn't matter. But for some setups, when
statically linking openssl, it does matter, since you need to link things
with dependencies before you link things they depend on.
Nick Mathewson [Mon, 1 Feb 2010 03:48:29 +0000 (22:48 -0500)]
Revise OpenSSL fix to work with OpenSSL 1.0.0beta*
In brief: you mustn't use the SSL3_FLAG solution with anything but 0.9.8l,
and you mustn't use the SSL_OP solution with anything before 0.9.8m, and
you get in _real_ trouble if you try to set the flag in 1.0.0beta, since
they use it for something different.
For the ugly version, see my long comment in tortls.c
Nick Mathewson [Fri, 29 Jan 2010 22:02:17 +0000 (17:02 -0500)]
Decide whether to use SSL flags based on runtime OpenSSL version.
We need to do this because Apple doesn't update its dev-tools headers
when it updates its libraries in a security patch. On the bright
side, this might get us out of shipping a statically linked OpenSSL on
OSX.
Nick Mathewson [Fri, 22 Jan 2010 21:32:15 +0000 (16:32 -0500)]
Avoid a possible crash in tls_log_errors.
We were checking for msg==NULL, but not lib or proc. This case can
only occur if we have an error whose string we somehow haven't loaded,
but it's worth coding defensively here.
Roger Dingledine [Tue, 19 Jan 2010 19:25:15 +0000 (14:25 -0500)]
downgrade a warning
this case can now legitimately happen, if you have a cached v2 status
from moria1, and you run with the new list of dirservers that's missing
the old moria1. it's nothing to worry about; the file will die off in
a month or two.
Martin Peck [Fri, 4 Dec 2009 19:25:08 +0000 (14:25 -0500)]
Improved workaround for disabled OpenSSL renegotiation.
It turns out that OpenSSL 0.9.8m is likely to take a completely
different approach for reenabling renegotiation than OpenSSL 0.9.8l
did, so we need to work with both. :p Fixes bug 1158.
Roger Dingledine [Mon, 23 Nov 2009 15:13:50 +0000 (10:13 -0500)]
fix race condition that can cause crashes at client or exit relay
Avoid crashing if the client is trying to upload many bytes and the
circuit gets torn down at the same time, or if the flip side
happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.
Peter Palfrader [Fri, 13 Nov 2009 18:58:59 +0000 (19:58 +0100)]
Merge branch 'debian-merge' into debian-0.2.1
* debian-merge: (37 commits)
New upstream version
bump to 0.2.1.20
Move moria1 and Tonga to alternate IP addresses.
read the "circwindow" parameter from the consensus
Code to parse and access network parameters.
Revert "Teach connection_ap_can_use_exit about Exclude*Nodes"
Work around a memory leak in openssl 0.9.8g (and maybe others)
Teach connection_ap_can_use_exit about Exclude*Nodes
make some bug 1090 warnings go away
Fix a memory leak when parsing a ns
Fix obscure 64-bit big-endian hidserv bug
turns out the packaging changes aren't in 0.2.1.20
update changelog with bundle details
Use an _actual_ fix for the byte-reverse warning.
Use a simpler fix for the byte-reversing warning
Fix compile warnings on Snow Leopard
Add getinfo accepted-server-descriptor. Clean spec.
Reduce log level for bug case that we now know really exists.
Only send reachability status events on overall success/failure
update the README instructions and OS X makefiles
...
Peter Palfrader [Fri, 13 Nov 2009 18:01:22 +0000 (19:01 +0100)]
Merge commit 'tor-0.2.1.20' into debian-merge
* commit 'tor-0.2.1.20': (36 commits)
bump to 0.2.1.20
Move moria1 and Tonga to alternate IP addresses.
read the "circwindow" parameter from the consensus
Code to parse and access network parameters.
Revert "Teach connection_ap_can_use_exit about Exclude*Nodes"
Work around a memory leak in openssl 0.9.8g (and maybe others)
Teach connection_ap_can_use_exit about Exclude*Nodes
make some bug 1090 warnings go away
Fix a memory leak when parsing a ns
Fix obscure 64-bit big-endian hidserv bug
turns out the packaging changes aren't in 0.2.1.20
update changelog with bundle details
Use an _actual_ fix for the byte-reverse warning.
Use a simpler fix for the byte-reversing warning
Fix compile warnings on Snow Leopard
Add getinfo accepted-server-descriptor. Clean spec.
Reduce log level for bug case that we now know really exists.
Only send reachability status events on overall success/failure
update the README instructions and OS X makefiles
Avoid segfault when accessing hidden service.
...
Nick Mathewson [Thu, 5 Nov 2009 23:13:08 +0000 (18:13 -0500)]
Make Tor work with OpenSSL 0.9.8l
To fix a major security problem related to incorrect use of
SSL/TLS renegotiation, OpenSSL has turned off renegotiation by
default. We are not affected by this security problem, however,
since we do renegotiation right. (Specifically, we never treat a
renegotiated credential as authenticating previous communication.)
Nevertheless, OpenSSL's new behavior requires us to explicitly
turn renegotiation back on in order to get our protocol working
again.
Amusingly, this is not so simple as "set the flag when you create
the SSL object" , since calling connect or accept seems to clear
the flags.
For belt-and-suspenders purposes, we clear the flag once the Tor
handshake is done. There's no way to exploit a second handshake
either, but we might as well not allow it.
Nick Mathewson [Tue, 27 Oct 2009 02:12:40 +0000 (22:12 -0400)]
Fix two memory leaks found by Coverity (CIDs 417-418)
The first happens on an error case when a controller wants an
impossible directory object. The second happens when we can't write
our fingerprint file.
Nick Mathewson [Tue, 27 Oct 2009 01:35:26 +0000 (21:35 -0400)]
Add missing break statements for Coverity CIDs #406,407.
The code for these was super-wrong, but will only break things when we
reset an option on a platform where sizeof(time_t) is different from
sizeof(int).
Sebastian Hahn [Wed, 16 Sep 2009 00:23:04 +0000 (02:23 +0200)]
Teach connection_ap_can_use_exit about Exclude*Nodes
To further attempt to fix bug 1090, make sure connection_ap_can_use_exit
always returns 0 when the chosen exit router is excluded. This should fix
bug1090.
Sebastian Hahn [Fri, 11 Sep 2009 13:40:09 +0000 (15:40 +0200)]
make some bug 1090 warnings go away
When we excluded some Exits, we were sometimes warning the user that we
were going to use the node regardless. Many of those warnings were in
fact bogus, because the relay in question was not used to connect to
the outside world.
Sebastian Hahn [Sun, 13 Sep 2009 19:47:55 +0000 (21:47 +0200)]
Fix a memory leak when parsing a ns
Adding the same vote to a networkstatus consensus leads to a memory leak
on the client side. Fix that by only using the first vote from any given
voter, and ignoring the others.
Problem found by Rotor, who also helped writing the patch. Thanks!
Fix an obscure bug where hidden services on 64-bit big-endian
systems might mis-read the timestamp in v3 introduce cells, and
refuse to connect back to the client. Discovered by "rotor".
Bugfix on 0.2.1.6-alpha.
Nick Mathewson [Tue, 1 Sep 2009 19:51:09 +0000 (15:51 -0400)]
Use an _actual_ fix for the byte-reverse warning.
(Given that we're pretty much assuming that int is 32 bits, and given that
hex values are always unsigned, taking out the "ul" from 0xff000000 should
be fine.)
Add a "getinfo status/accepted-server-descriptor" controller
command, which is the recommended way for controllers to learn
whether our server descriptor has been successfully received by at
least on directory authority. Un-recommend good-server-descriptor
getinfo and status events until we have a better design for them.
Roger Dingledine [Mon, 31 Aug 2009 20:14:41 +0000 (16:14 -0400)]
Only send reachability status events on overall success/failure
We were telling the controller about CHECKING_REACHABILITY and
REACHABILITY_FAILED status events whenever we launch a testing
circuit or notice that one has failed. Instead, only tell the
controller when we want to inform the user of overall success or
overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
by SwissTorExit.
Roger Dingledine [Fri, 28 Aug 2009 07:42:09 +0000 (03:42 -0400)]
Only send netinfo clock_skew to controller if an authority told us so
We were triggering a CLOCK_SKEW controller status event whenever
we connect via the v2 connection protocol to any relay that has
a wrong clock. Instead, we should only inform the controller when
it's a trusted authority that claims our clock is wrong. Bugfix
on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
Nick Mathewson [Thu, 20 Aug 2009 15:51:34 +0000 (11:51 -0400)]
Fix a rare infinite-recursion bug when shutting down.
Once we had called log_free_all(), anything that tried to log a
message (like a failed tor_assert()) would fail like this:
1. The logging call eventually invokes the _log() function.
2. _log() calls tor_mutex_lock(log_mutex).
3. tor_mutex_lock(m) calls tor_assert(m).
4. Since we freed the log_mutex, tor_assert() fails, and tries to
log its failure.
5. GOTO 1.
Now we allocate the mutex statically, and never destroy it on
shutdown.
Bugfix on 0.2.0.16-alpha, which introduced the log mutex.
Karsten Loesing [Tue, 11 Aug 2009 15:33:58 +0000 (17:33 +0200)]
Fix possible segmentation fault on directory authorities.
The more verbose logs that were added in ee58153 also include a string
that might not have been initialized. This can lead to segfaults, e.g.,
when setting up private Tor networks. Initialize this string with NULL.
Roger Dingledine [Mon, 10 Aug 2009 08:13:18 +0000 (04:13 -0400)]
Send sendmes when we're down 100 cells, not 101.
Send circuit or stream sendme cells when our window has decreased
by 100 cells, not when it has decreased by 101 cells. Bug uncovered
by Karsten when testing the "reduce circuit window" performance
patch. Bugfix on the 54th commit on Tor -- from July 2002,
before the release of Tor 0.0.0. This is the new winner of the
oldest-bug prize.
Peter Palfrader [Wed, 29 Jul 2009 10:18:37 +0000 (12:18 +0200)]
Merge branch 'debian-merge' into debian
* debian-merge:
New upstream version
bump to 0.2.1.19
document my new relay-early behavior
Changing MaxAdvertisedBW may not need a republish
Write fingerprint to file and log without spaces
Don't leak memory if we get too many create cells
three hacks to workaround bug 1038
Peter Palfrader [Wed, 29 Jul 2009 10:18:06 +0000 (12:18 +0200)]
Merge commit 'tor-0.2.1.19' into debian-merge
* commit 'tor-0.2.1.19':
bump to 0.2.1.19
document my new relay-early behavior
Changing MaxAdvertisedBW may not need a republish
Write fingerprint to file and log without spaces
Don't leak memory if we get too many create cells
three hacks to workaround bug 1038
Sebastian Hahn [Tue, 7 Jul 2009 16:04:00 +0000 (18:04 +0200)]
Changing MaxAdvertisedBW may not need a republish
Relays no longer publish a new server descriptor if they change
their MaxAdvertisedBandwidth config option but it doesn't end up
changing their advertised bandwidth numbers. Bugfix on 0.2.0.28-rc;
fixes bug 1026. Patch from Sebastian.
projects / thirdparty / tor.git / log
