Nick Mathewson [Tue, 30 Apr 2019 16:42:33 +0000 (12:42 -0400)]
Move voteflags.[ch] to become dirauth only.
For various reasons, this was a nontrivial movement. There are
several places in the code where we do something like "update the
flags on this routerstatus or node if we're an authority", and at
least one where we pretended to be an authority when we weren't.
Nick Mathewson [Tue, 30 Apr 2019 18:45:58 +0000 (14:45 -0400)]
Use safe_mem_is_zero in a few more places.
I don't believe any of these represent a real timing vulnerability
(remote timing against memcmp() on a modern CPU is not easy), but
these are the ones where I believe we should be more careful.
Nick Mathewson [Tue, 30 Apr 2019 18:43:35 +0000 (14:43 -0400)]
Rename tor_mem_is_zero to fast_mem_is_zero()
For memeq and friends, "tor_" indicates constant-time and "fast_"
indicates optimized. I'm fine with leaving the constant-time
"safe_mem_is_zero" with its current name, but the "tor_" prefix on
the current optimized version is misleading.
Also, make the tor_digest*_is_zero() uniformly constant-time, and
add a fast_digest*_is_zero() version to use as needed.
A later commit in this branch will fix all the users of
tor_mem_is_zero().
Taylor Yu [Wed, 10 Apr 2019 20:11:36 +0000 (15:11 -0500)]
Manually fix some control replies
Manually fix up some reply-generating code that the Coccinelle scripts
won't match. Some more complicated ones remain -- these are mostly
ones that accumulate data to send, and then call connection_buf_add()
or connection_write_str_to_buf() directly.
Taylor Yu [Tue, 9 Apr 2019 17:22:31 +0000 (12:22 -0500)]
Factor out control reply output
Create a set of abstractions for controller commands and events to
output replies to the control channel. The control protocol has a
relatively consistent SMTP-like structure, so it's helpful when code
that implements control commands and events doesn't explicitly format
everything on its own.
Taylor Yu [Mon, 8 Apr 2019 16:34:12 +0000 (11:34 -0500)]
Split reply formatting out of control_fmt.c
Split the core reply formatting code out of control_fmt.c into
control_proto.c. The remaining code in control_format.c deals with
specific subsystems and will eventually move to join those subsystems.
Nick Mathewson [Fri, 26 Apr 2019 17:17:35 +0000 (13:17 -0400)]
Rename and clarify some functions for periodic events
When we tell the periodic event manager about an event, we are
"registering" that event. The event sits around without being
usable, however, until we "connect" the event to libevent. In the
end, we "disconnect" the event and remove its libevent parts.
Previously, we called these operations "add", "setup", and
"destroy", which led to confusion.
Nick Mathewson [Thu, 25 Apr 2019 18:20:41 +0000 (14:20 -0400)]
Turn 'mainloop' into a subsystem.
We need a little refactoring for this to work, since the
initialization code for the periodic events assumes that libevent is
already initialized, which it can't be until it's configured.
This change, combined with the previous ones, lets other subsystems
declare their own periodic events, without mainloop.c having to know
about them. Implements ticket 30293.
David Goulet [Wed, 24 Apr 2019 19:39:10 +0000 (15:39 -0400)]
sendme: Better handle the random padding
We add random padding to every cell if there is room. This commit not only
fixes how we compute that random padding length/offset but also improves its
safety with helper functions and a unit test.
Part of #26288
Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet [Thu, 7 Mar 2019 17:30:13 +0000 (12:30 -0500)]
prop289: Keep the digest bytes, not the object
The digest object is as large as the entire internal digest object's state,
which is often much larger than the actual set of bytes you're transmitting.
This commit makes it that we keep the digest itself which is 20 bytes.
Part of #26288
Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet [Wed, 9 Jan 2019 20:27:51 +0000 (15:27 -0500)]
prop289: Match the SENDME digest
Now that we keep the last seen cell digests on the Exit side on the circuit
object, use that to match the SENDME v1 transforming this whole process into a
real authenticated SENDME mechanism.
Part of #26841
Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet [Wed, 9 Jan 2019 19:03:32 +0000 (14:03 -0500)]
prop289: Support SENDME v1 cell parsing
This commit makes tor able to parse and handle a SENDME version 1. It will
look at the consensus parameter "sendme_accept_min_version" to know what is
the minimum version it should look at.
IMPORTANT: At this commit, the validation of the cell is not fully
implemented. For this, we need #26839 to be completed that is to match the
SENDME digest with the last cell digest.
Closes #26841
Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet [Wed, 9 Jan 2019 17:22:35 +0000 (12:22 -0500)]
prop289: Support sending SENDME version 1
This code will obey the consensus parameter "sendme_emit_min_version" to know
which SENDME version it should send. For now, the default is 0 and the
parameter is not yet used in the consensus.
This commit adds the support to send version 1 SENDMEs but aren't sent on the
wire at this commit.
Closes #26840
Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet [Wed, 9 Jan 2019 17:02:01 +0000 (12:02 -0500)]
prop289: Add two consensus parameters
In order to be able to deploy the authenticated SENDMEs, these two consensus
parameters are needed to control the minimum version that we can emit and
accept.
See section 4 in prop289 for more details.
Note that at this commit, the functions that return the values aren't used so
compilation fails if warnings are set to errors.
Closes #26842
Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet [Wed, 9 Jan 2019 16:03:49 +0000 (11:03 -0500)]
sendme: Always close stream if deliver window is negative
Previously, we would only close the stream when our deliver window was
negative at the circuit-level but _not_ at the stream-level when receiving a
DATA cell.
This commit adds an helper function connection_edge_end_close() which
sends an END and then mark the stream for close for a given reason.
That function is now used both in case the deliver window goes below zero for
both circuit and stream level.
Part of #26840
Signed-off-by: David Goulet <dgoulet@torproject.org>
David Goulet [Tue, 8 Jan 2019 20:03:04 +0000 (15:03 -0500)]
sendme: Refactor SENDME cell processing
This is a bit of a complicated commit. It moves code but also refactors part
of it. No behavior change, the idea is to split things up so we can better
handle and understand how SENDME cells are processed where ultimately it will
be easier to handle authenticated SENDMEs (prop289) using the intermediate
functions added in this commit.
The entry point for the cell arriving at the edge (Client or Exit), is
connection_edge_process_relay_cell() for which we look if it is a circuit or
stream level SENDME. This commit refactors that part where two new functions
are introduced to process each of the SENDME types.
The sendme_process_circuit_level() has basically two code paths. If we are a
Client (the circuit is origin) or we are an Exit. Depending on which, the
package window is updated accordingly. Then finally, we resume the reading on
every edge streams on the circuit.
The sendme_process_stream_level() applies on the edge connection which will
update the package window if needed and then will try to empty the inbuf if
need be because we can now deliver more cells.
Again, no behavior change but in order to split that code properly into their
own functions and outside the relay.c file, code modification was needed.
Part of #26840.
Signed-off-by: David Goulet <dgoulet@torproject.org>
projects / thirdparty / tor.git / log
