As of GCC 11.1.1, the compiler warns us about code like this:

     if (a)
         b;
         c;

and that's a good thing: we wouldn't want to "goto fail".  But we
had an instance if this in circuituse.c, which was making our
compilation sad.

Fixes bug 40380; bugfix on 0.3.0.1-alpha.

Signed-off-by: David Goulet <dgoulet@torproject.org>

This is a bugfix against my fix for #40133, which has not yet
appeared in 0.3.5.

Signed-off-by: David Goulet <dgoulet@torproject.org>

We were looking for the first instance of "directory-signature "
when instead the correct behavior is to look for the first instance
of "directory-signature " at the start of a line.

Unfortunately, this can be exploited as to crash authorities while
they're voting.

Fixes #40316; bugfix on 0.2.2.4-alpha.  This is TROVE-2021-002,
also tracked as CVE-2021-28090.

We're going to disable this feature in all versions for now.

Now deprecated in libc >= 2.33

Closes #40309

Signed-off-by: David Goulet <dgoulet@torproject.org>

It can be called with strings that should have been
length-delimited, but which in fact are not.  This can cause a
CPU-DoS bug or, in a worse case, a crash.

Since this function isn't essential, the best solution for older
Tors is to just turn it off.

Fixes bug 40286; bugfix on 0.2.2.1-alpha when dump_desc() was
introduced.

Signed-off-by: David Goulet <dgoulet@torproject.org>

Any lookup now will be certain and not probabilistic as the bloomfilter.

Closes #40269

Signed-off-by: David Goulet <dgoulet@torproject.org>

The TORPROTOCOL reason causes the client to close the circuit which is not
what we want because other valid streams might be on it.

Instead, CONNECTION_REFUSED will leave it open but will not allow more streams
to be attached to it. The client then open a new circuit to the destination.

Closes #40270

Signed-off-by: David Goulet <dgoulet@torproject.org>

This is to minimize false positive and thus deny reentry to Exit connections
that were in reality not re-entering. Helps with overall UX.

Signed-off-by: David Goulet <dgoulet@torproject.org>

Obey the "allow-network-reentry" consensus parameters in order to decide to
allow it or not at the Exit.

Closes #40268

Signed-off-by: David Goulet <dgoulet@torproject.org>

George Kadianakis authored 4 years ago and David Goulet committed 4 years ago

Signed-off-by: David Goulet <dgoulet@torproject.org>

Roger Dingledine authored 4 years ago and David Goulet committed 4 years ago

Exit relays now reject exit attempts to known relay addresses + ORPort and
also to authorities on the ORPort and DirPort.

Closes #2667

Signed-off-by: David Goulet <dgoulet@torproject.org>

In order to deny re-entry in the network, we now keep a bloomfilter of relay
ORPort + address and authorities ORPort + address and DirPort + address
combinations.

So when an Exit stream is handled, we deny anything connecting back into the
network on the ORPorts for relays and on the ORPort+DirPort for the
authorities.

Related to #2667

Signed-off-by: David Goulet <dgoulet@torproject.org>

This one should work on GCC _and_ on Clang.  The previous version
made Clang happier by not having unreachable "fallthrough"
statements, but made GCC sad because GCC didn't think that the
unconditional failures were really unconditional, and therefore
_wanted_ a FALLTHROUGH.

This patch adds a FALLTHROUGH_UNLESS_ALL_BUGS_ARE_FATAL macro that
seems to please both GCC and Clang in this case: ordinarily it is a
FALLTHROUGH, but when ALL_BUGS_ARE_FATAL is defined, it's an
abort().

Fixes bug 40241 again.  Bugfix on earlier fix for 40241, which was
merged into maint-0.3.5 and forward, and released in 0.4.5.3-rc.

Some days before this commit, the network experienced a DDoS on the directory
authorities that prevented them to generate a consensus for more than 5 hours
straight.

That in turn entirely disabled onion service v3, client and service side, due
to the subsystem requiring a live consensus to function properly.

We know require a reasonably live consensus which means that the HSv3
subsystem will to its job for using the best consensus tor can find. If the
entire network is using an old consensus, than this should be alright.

If the service happens to use a live consensus while a client is not, it
should still work because the client will use the current SRV it sees which
might be the previous SRV for the service for which it still publish
descriptors for.

If the service is using an old one and somehow can't get a new one while
clients are on a new one, then reachability issues might arise. However, this
is a situation we already have at the moment since the service will simply not
work if it doesn't have a live consensus while a client has one.

Fixes #40237

Signed-off-by: David Goulet <dgoulet@torproject.org>

We're getting "fallback annotation annotation in unreachable code"
warnings when we build with ALL_BUGS_ARE_FATAL. This patch fixes
that.

Fixes bug 40241.  Bugfix on 0.3.5.4-alpha.

Bug reported and diagnosed in:
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975977

Fixes bug #40210.

Previously, our code would send back an error if the socks5 request
parser said anything but DONE.  But there are other non-error cases,
like TRUNCATED: we shouldn't send back errors for them.

This patch lowers the responsibility for setting the error message
into the parsing code, since the actual type of the error message
will depend on what problem was encountered.

Fixes bug 40190; bugfix on 0.3.5.1-alpha.

Previously, hashlib.shake_256 was a class (if present); now it can
also be a function.  This change invalidated our old
compatibility/workaround code, and made one of our tests fail.

Fixes bug 40179; bugfix on 0.3.1.6-rc when the workaround code was
added.

OpenSSL doesn't seem to report error locations in the same way as
before, which broke one of our tests.

Fixes bug 40170; bugfix on 0.2.8.1-alpha.

Apparently it conflicts with definitions elsewhere in Openssl 3.0.0.

The "engines.h" header has lots of stuff; the "opensslv.h" header
has the version number, which is all we actually need here.

We need to do this because we're about to change this header to
conditionally define OPENSSL_SUPPRESS_DEPRECATED, and it would be
too late to do so if we'd already included "engines.h".

In brief: we go through a lot of gymnastics to handle huge protover
numbers, but after years of development we're not even close to 10
for any of our current versions.  We also have a convenient
workaround available in case we ever run out of protocols: if (for
example) we someday need Link=64, we can just add Link2=0 or
something.

This patch is a minimal patch to change tor's behavior; it doesn't
take advantage of the new restrictions.

Implements #40133 and proposal 318.

David Goulet authored 4 years ago and Nick Mathewson committed 4 years ago

If at least one service is configured as a version 2, a log warning is emitted
once and only once.

Closes #40003

Signed-off-by: David Goulet <dgoulet@torproject.org>

First, we introduce a flag to teach src/test/test to split its work
into chunks.  Then we replace our invocation of src/test/test in our
"make check" target with a set of 8 scripts that invoke the first
8th of the tests, the second 8th, and so on.

This change makes our "make -kj4 check" target in our hardened
gitlab build more than twice as fast, since src/test/test was taking
the longest to finish.

Closes 40098.

Fixes #40135

Signed-off-by: David Goulet <dgoulet@torproject.org>

We already fixed these in #40099 and #40125.

This patch fixes #40126.  Bugfix on 0.2.8.1-alpha.

The rend_cache/entry_free was missing the rend cache allocation increment
before freeing the object.

Without it, it had an underflow bug:

  Sep 17 08:40:13.845 [warn] rend_cache_decrement_allocation(): Bug: Underflow
  in rend_cache_decrement_allocation (on Tor 0.4.5.0-alpha-dev
  7eef9ced)

Fixes #40125

Signed-off-by: David Goulet <dgoulet@torproject.org>