David Goulet [Thu, 25 Jan 2018 21:32:28 +0000 (16:32 -0500)]
dos: Add the DoSRefuseSingleHopClientRendezvous option
This option refuses any ESTABLISH_RENDEZVOUS cell arriving from a client
connection. Its default value is "auto" for which we can turn it on or off
with a consensus parameter. Default value is 0.
Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet [Thu, 25 Jan 2018 21:14:40 +0000 (16:14 -0500)]
dos: Detect circuit creation denial of service
Add a function that notifies the DoS subsystem that a new CREATE cell has
arrived. The statistics are updated accordingly and the IP address can also be
marked as malicious if it is above threshold.
At this commit, no defense is applied, just detection with a circuit creation
token bucket system.
Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet [Thu, 25 Jan 2018 20:54:58 +0000 (15:54 -0500)]
dos: Initial code of Denial of Service mitigation
This commit introduces the src/or/dos.{c|h} files that contain the code for
the Denial of Service mitigation subsystem. It currently contains basic
functions to initialize and free the subsystem. They are used at this commit.
The torrc options and consensus parameters are defined at this commit and
getters are implemented.
Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet [Thu, 25 Jan 2018 20:44:48 +0000 (15:44 -0500)]
geoip: Add a lookup function for client map entry
The upcoming DoS mitigation subsystem needs to keep information on a per-IP
basis which is also what the geoip clientmap does.
For another subsystem to access that clientmap, this commit adds a lookup
function that returns the entry. For this, the clientmap_entry_t had to be
moved to the header file.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Taylor Yu [Wed, 10 Jan 2018 20:52:04 +0000 (14:52 -0600)]
Work around Travis CI ptrace regression
Travis CI deployed a change that disables ptrace capabilities in
container builds, which prevents LeakSanitizer on clang from working
properly. Set "sudo: required" to force non-container builds for
clang and work around this.
Nick Mathewson [Tue, 19 Dec 2017 18:53:52 +0000 (13:53 -0500)]
Move destroy cells into a separate queue type of their own, to save RAM
We've been seeing problems with destroy cells queues taking up a
huge amount of RAM. We can mitigate this, since while a full packed
destroy cell takes 514 bytes, we only need 5 bytes to remember a
circuit ID and a reason.
Fixes bug 24666. Bugfix on 0.2.5.1-alpha, when destroy cell queues
were introduced.
David Goulet [Wed, 29 Nov 2017 00:02:00 +0000 (19:02 -0500)]
Use local descriptor object to exclude self in path selection
TROVE-2017-12. Severity: Medium.
When choosing a random node for a circuit, directly use our router
descriptor to exclude ourself instead of the one in the global
descriptor list. That list could be empty because tor could be
downloading them which could lead to not excluding ourself.
David Goulet [Tue, 21 Nov 2017 15:16:08 +0000 (10:16 -0500)]
hs-v2: Remove any expiring intro from the retry list
TROVE-2017-13. Severity: High.
In the unlikely case that a hidden service could be missing intro circuit(s),
that it didn't have enough directory information to open new circuits and that
an intro point was about to expire, a use-after-free is possible because of
the intro point object being both in the retry list and expiring list at the
same time.
The intro object would get freed after the circuit failed to open and then
accessed a second time when cleaned up from the expiring list.
Nick Mathewson [Thu, 16 Nov 2017 16:45:15 +0000 (11:45 -0500)]
Fix a traceback when closing a blocked connection "immediately".
When we close a connection via connection_close_immediately, we kill
its events immediately. But if it had been blocked on bandwidth
read/write, we could try to re-add its (nonexistent) events later
from connection_bucket_refill -- if we got to that callback before
we swept the marked connections.
Fixes bug 24167. Fortunately, this hasn't been a crash bug since we
introduced connection_check_event in 0.2.9.10, and backported it.
This is a bugfix on commit 89d422914a0c3cb, I believe, which
appeared in Tor 0.1.0.1-rc.
Nick Mathewson [Wed, 8 Nov 2017 18:22:16 +0000 (13:22 -0500)]
Don't delay descriptor fetches when missing info needed for circuits
When we have fewer than 15 descriptors to fetch, we will delay the
fetch for a little while. That's fine, if we can go ahead and build
circuits... but if not, it's a poor choice indeed.
Fixes bug 23985; bugfix on 0.1.1.11-alpha.
In 0.3.0.3-alpha, when we made primary guard descriptors necessary
for circuit building, this situation got worse.