Nick Mathewson [Mon, 3 Aug 2020 15:25:37 +0000 (11:25 -0400)]
Remove channel_is_canonical_is_reliable()
This function once served to let circuits continue to be built over
version-1 link connections. But such connections are long-obsolete,
and it's time to remove this check.
Nick Mathewson [Thu, 30 Jul 2020 18:24:25 +0000 (14:24 -0400)]
Fix a bug in buf_move_all() when the input buffer is empty.
We found this in #40076, after we started using buf_move_all() in
more places. Fixes bug #40076; bugfix on 0.3.3.1-alpha. As far as
I know, the crash only affects master, but I think this warrants a
backport, "just in case".
Daniel Pinto [Tue, 28 Jul 2020 23:34:08 +0000 (00:34 +0100)]
Fix startup crash with seccomp sandbox enabled #40072
Fix crash introduced in #40020. On startup, tor calls
check_private_dir on the data and key directories. This function
uses open instead of opendir on the received directory. Data and
key directoryes are only opened here, so the seccomp rule added
should be for open instead of opendir, despite the fact that they
are directories.
Nick Mathewson [Wed, 22 Jul 2020 19:20:41 +0000 (15:20 -0400)]
Treat all extorport connections with un-set addresses as remote
Without this fix, if an PT forgets to send a USERADDR command, that
results in a connection getting treated as local for the purposes of
rate-limiting.
If the PT _does_ use USERADDR, we still believe it.
Nick Mathewson [Wed, 22 Jul 2020 18:45:03 +0000 (14:45 -0400)]
Adjust the rules for warning about too many connections.
Previously we tolerated up to 1.5 connections for every relay we
were connected to, and didn't warn if we had fewer than 5
connections total.
Now we tolerate up to 1.5 connections per relay, and up to 4
connections per authority, and we don't warn at all when we have
fewer than 25 connections total.
Fixes bug 33880, which seems to have been provoked by our #17592
change in 0.3.5.
Daniel Pinto [Wed, 1 Jul 2020 19:30:04 +0000 (20:30 +0100)]
Fix seccomp sandbox rules for openat #27315
The need for casting negative syscall arguments depends on the
glibc version. This affects the rules for the openat syscall which
uses the constant AT_FDCWD that is defined as a negative number.
This commit adds logic to only apply the cast when necessary, on
glibc versions from 2.27 onwards.
Daniel Pinto [Wed, 1 Jul 2020 22:51:39 +0000 (23:51 +0100)]
Fix seccomp sandbox rules for opening directories #40020
Different versions of glibc use either open or openat for the
opendir function. This commit adds logic to use the correct rule
for each glibc version, namely:
- Until 2.14 open is used
- From 2.15 to to 2.21 openat is used
- From 2.22 to 2.26 open is used
- From 2.27 onwards openat is used
Daniel Pinto [Wed, 1 Jul 2020 19:30:04 +0000 (20:30 +0100)]
Fix seccomp sandbox rules for openat #27315
The need for casting negative syscall arguments depends on the
glibc version. This affects the rules for the openat syscall which
uses the constant AT_FDCWD that is defined as a negative number.
This commit adds logic to only apply the cast when necessary, on
glibc versions from 2.27 onwards.
Nick Mathewson [Fri, 17 Jul 2020 13:31:32 +0000 (09:31 -0400)]
Use gitlab-friendly URLs when formatting changelogs as HTML
Our old https://bugs.torproject.org/nnnn URLs only work for bugs
numbered before 40000. Newer gitlab bugs need to have specific
projects mentioned.
This patch assumes that bugs are in tpo/core/tor by default, but
allows us to refer to several other projects by saying
e.g. "chutney#40002" if we want.
Nick Mathewson [Mon, 13 Jul 2020 13:24:26 +0000 (09:24 -0400)]
Remove check-cocci from check-local target.
check-cocci is still a good idea -- perhaps as a cron job? But
doing it as part of our regular tests has just been confusing,
especially to volunteers who shouldn't have to become coccinelle
experts in order to get their patches through our CI.
David Goulet [Thu, 9 Jul 2020 11:55:46 +0000 (07:55 -0400)]
hs-v3: Remove a possible BUG() condition
When receiving an introduction NACK, the client either decides to close or
re-extend the circuit to another intro point.
In order to do this, the service descriptor needs to exists but it is possible
that it gets removed from the cache between the establishement of the
introduction circuit and the reception of the (N)ACK.
For that reason, the BUG(desc == NULL) is removed because it is a possible
normal use case. Tor recovers gracefully already.
Fixes #34087
Signed-off-by: David Goulet <dgoulet@torproject.org>
Refactor setup_intro_circ_auth_key() to make it simpler.
It now uses the 'goto err' pattern, instead of the fatal_unreached()
pattern. The latter pattern is usually used when there is a loop, but there is
no loop in this function so it can be simplified easily.
This commit modifies the behavior of `parse_extended_address` in such a way
that if it fails, it will always return a `BAD_HOSTNAME` value, which is then
used to return the 0xF6 extended error code. This way, in any case that is
not a valid v2 address, we return the 0xF6 error code, which is the expected
behavior.
Signed-off-by: David Goulet <dgoulet@torproject.org>
Don't set by default the prefer IPv6 feature on client ports because it breaks
the torsocks use case. The SOCKS resolve command is lacking a mechanism to ask
for a specific address family (v4 or v6) thus prioritizing IPv6 when an IPv4
address is asked on the resolve SOCKS interface resulting in a failure.
Tor Browser explicitly set PreferIPv6 so this should not affect the majority
of our users.
Closes #33796
Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet [Tue, 7 Jul 2020 13:20:28 +0000 (09:20 -0400)]
CI: Fix Appveyor printf format error
For some reasons, Appveyor started to use the stdio printf format for 64 bit
values (PRIu64, ...). Mingw doesn't like that so force it to use the Windows
specific macros by setting D__USE_MINGW_ANSI_STDIO=0.
Alexander Færøy [Sat, 16 May 2020 19:18:56 +0000 (19:18 +0000)]
Use ((x + 7) >> 3) instead of (x >> 3) when converting from bits to bytes.
This patch changes our bits-to-bytes conversion logic in the NSS
implementation of `tor_tls_cert_matches_key()` from using (x >> 3) to
((x + 7) >> 3) since DER bit-strings are allowed to contain a number of
bits that is not a multiple of 8.
Additionally, we add a comment on why we cannot use the
`DER_ConvertBitString()` macro from NSS, as we would potentially apply
the bits-to-bytes conversion logic twice, which would lead to an
insignificant amount of bytes being compared in
`SECITEM_ItemsAreEqual()` and thus turn the logic into being a
prefix match instead of a full match.
The `DER_ConvertBitString()` macro is defined in NSS as:
/*
** Macro to convert der decoded bit string into a decoded octet
** string. All it needs to do is fiddle with the length code.
*/
#define DER_ConvertBitString(item) \
{ \
(item)->len = ((item)->len + 7) >> 3; \
}
Alexander Færøy [Sat, 16 May 2020 15:34:37 +0000 (15:34 +0000)]
Add constness to length variables in `tor_tls_cert_matches_key`.
We add constness to `peer_info_orig_len` and `cert_info_orig_len` in
`tor_tls_cert_matches_key` to ensure that we don't accidentally alter
the variables.
Alexander Færøy [Tue, 31 Mar 2020 02:33:54 +0000 (02:33 +0000)]
Fix out-of-bound memory read in `tor_tls_cert_matches_key()` for NSS.
This patch fixes an out-of-bound memory read in
`tor_tls_cert_matches_key()` when Tor is compiled to use Mozilla's NSS
instead of OpenSSL.
The NSS library stores some length fields in bits instead of bytes, but
the comparison function found in `SECITEM_ItemsAreEqual()` needs the
length to be encoded in bytes. This means that for a 140-byte,
DER-encoded, SubjectPublicKeyInfo struct (with a 1024-bit RSA public key
in it), we would ask `SECITEM_ItemsAreEqual()` to compare the first 1120
bytes instead of 140 (140bytes * 8bits = 1120bits).
This patch fixes the issue by converting from bits to bytes before
calling `SECITEM_ItemsAreEqual()` and convert the `len`-fields back to
bits before we leave the function.
Alexander Færøy [Tue, 31 Mar 2020 02:28:12 +0000 (02:28 +0000)]
Run `tor_tls_cert_matches_key()` Test Suite with both OpenSSL and NSS.
This patch lifts the `tor_tls_cert_matches_key()` tests out of the
OpenSSL specific TLS test suite and moves it into the generic TLS test
suite that is executed for both OpenSSL and NSS.
This patch is largely a code movement, but we had to rewrite parts of
the test to avoid using OpenSSL specific data-types (such as `X509 *`)
and replace it with the generic Tor abstraction type
(`tor_x509_cert_impl_t *`).
Nick Mathewson [Fri, 26 Jun 2020 15:18:38 +0000 (11:18 -0400)]
Carry TLS error strings forward to controller when reporting them.
Now instead of saying "DONE, DONE" or "MISC, MISC" or "TLS_ERROR,
TLS_ERROR", we can finally give a nice sensible "TLS_ERROR,
wrong version number" which should help debug a great deal.
Nick Mathewson [Tue, 30 Jun 2020 15:54:13 +0000 (11:54 -0400)]
Downgrade "Bug: No entry found in extrainfo map" message.
This is not actually a bug! It can happen for a bunch of reasons,
which all boil down to "trying to add an extrainfo for which we no
longer have the corresponding routerinfo".
projects / thirdparty / tor.git / log
