1. 08 Dec, 2017 1 commit
  2. 19 Sep, 2017 1 commit
  3. 14 Sep, 2017 1 commit
    • Refactor control_event_bootstrap_problem · 818332e7
      Taylor Yu authored
      Change the contract of control_event_bootstrap_problem() to be more
      general and to take a connection_t.  New function
      control_event_bootstrap_prob_or() has the specific or_connection_t
      functionality previously used.
  4. 11 Sep, 2017 1 commit
    • Split the behavior of node_supports_ed25519_link_authentication(). · 3124c921
      Nick Mathewson authored
      Before, this function meant "can we connect to this node and
      authenticate it using its ed25519 key?"  Now it can additionally
      mean, "when somebody else connects to this node, do we expect that
      they can authenticate using the node's ed25519 key?"
      
      This change lets us future-proof our link authentication a bit.
      
      Closes ticket 20895.  No backport needed, since ed25519 link
      authentication support has not been in any LTS release yet, and
      existing releases with it should be obsolete before any releases
      without support for linkauth=3 are released.
  5. 05 Sep, 2017 2 commits
    • Repair buffer API so everything starts with buf_. · 4a7e90ad
      Nick Mathewson authored
      Our convention is that functions which manipulate a type T should be
      named T_foo.  But the buffer functions were super old, and followed
      all kinds of conventions.  Now they're uniform.
      
      Here's the perl I used to do this:
      
      #!/usr/bin/perl -w -i -p
      
      s/read_to_buf\(/buf_read_from_socket\(/;
      s/flush_buf\(/buf_flush_to_socket\(/;
      s/read_to_buf_tls\(/buf_read_from_tls\(/;
      s/flush_buf_tls\(/buf_flush_to_tls\(/;
      s/write_to_buf\(/buf_add\(/;
      s/write_to_buf_compress\(/buf_add_compress\(/;
      s/move_buf_to_buf\(/buf_move_to_buf\(/;
      s/peek_from_buf\(/buf_peek\(/;
      s/fetch_from_buf\(/buf_get_bytes\(/;
      s/fetch_from_buf_line\(/buf_get_line\(/;
      s/fetch_from_buf_line\(/buf_get_line\(/;
      s/buf_remove_from_front\(/buf_drain\(/;
      s/peek_buf_startswith\(/buf_peek_startswith\(/;
      s/assert_buf_ok\(/buf_assert_ok\(/;
    • Move protocol-specific functions out of buffers.c · 234c5015
      Nick Mathewson authored
      This commit does not change the implementation of any function: it
      only moves code and adds new includes as necessary.  Part of #23149.
  6. 28 Aug, 2017 1 commit
  7. 09 Aug, 2017 1 commit
  8. 03 Aug, 2017 1 commit
  9. 13 Jul, 2017 1 commit
    • rephist: Remove unused crypto_pk statistics. · c59ba015
      Isis Lovecruft authored
      These statistics were largely unused, and kept track of statistical information
      on things like how many times we had done TLS or how many signatures we had
      verified.  This information is largely not useful, and would only be logged
      after receiving a SIGUSR1 signal (but only if the logging severity level was
      less than LOG_INFO).
      
       * FIXES #19871.
       * REMOVES note_crypto_pk_op(), dump_pk_op(), and pk_op_counts from
         src/or/rephist.c.
       * REMOVES every external call to these functions.
  10. 27 Jun, 2017 1 commit
    • Fix an errant memset() into the middle of a struct in cell_pack(). · 8d2978b1
      Nick Mathewson authored
      This mistake causes two possible bugs. I believe they are both
      harmless IRL.
      
      BUG 1: memory stomping
      
      When we call the memset, we are overwriting two 0 bytes past the end
      of packed_cell_t.body. But I think that's harmless in practice,
      because the definition of packed_cell_t is:
      
      // ...
      typedef struct packed_cell_t {
        TOR_SIMPLEQ_ENTRY(packed_cell_t) next;
        char body[CELL_MAX_NETWORK_SIZE];
        uint32_t inserted_time;
      } packed_cell_t;
      
      So we will overwrite either two bytes of inserted_time, or two bytes
      of padding, depending on how the platform handles alignment.
      
      If we're overwriting padding, that's safe.
      
      If we are overwriting the inserted_time field, that's also safe: In
      every case where we call cell_pack() from connection_or.c, we ignore
      the inserted_time field. When we call cell_pack() from relay.c, we
      don't set or use inserted_time until right after we have called
      cell_pack(). So I believe we're safe in that case too.
      
      BUG 2: memory exposure
      
      The original reason for this memset was to avoid the possibility of
      accidentally leaking uninitialized ram to the network. Now
      remember, if wide_circ_ids is false on a connection, we shouldn't
      actually be sending more than 512 bytes of packed_cell_t.body, so
      these two bytes can only leak to the network if there is another bug
      somewhere else in the code that sends more data than is correct.
      
      Fortunately, in relay.c, where we allocate packed_cell_t in
      packed_cell_new(), we allocate it with tor_malloc_zero(), which
      clears the RAM, right before we call cell_pack. So those
      packed_cell_t.body bytes can't leak any information.
      
      That leaves the two calls to cell_pack() in connection_or.c, which
      use stack-allocated packed_cell_t instances.
      
      In or_handshake_state_record_cell(), we pass the cell's contents to
      crypto_digest_add_bytes(). When we do so, we get the number of
      bytes to pass using the same setting of wide_circ_ids as we passed
      to cell_pack(). So I believe that's safe.
      
      In connection_or_write_cell_to_buf(), we also use the same setting
      of wide_circ_ids in both calls. So I believe that's safe too.
      
      I introduced this bug with 1c0e87f6
      back in 0.2.4.11-alpha; it is bug 22737 and CID 1401591.
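      As an added illustration (not code from this commit or from Tor), the following constructed stand-in for packed_cell_t shows where a memset that runs two bytes past body actually lands, padding or the neighbouring field depending on the platform's alignment, and the bounded clear that cannot overrun at all. CELL_MAX_NETWORK_SIZE here is an assumed value; a plain pointer stands in for the TOR_SIMPLEQ_ENTRY link.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed value for this illustration; the commit message does not state
 * Tor's real CELL_MAX_NETWORK_SIZE. */
#define CELL_MAX_NETWORK_SIZE 514

/* Constructed stand-in for packed_cell_t, same field order as the commit. */
typedef struct packed_cell_t {
  struct packed_cell_t *next;       /* stands in for TOR_SIMPLEQ_ENTRY */
  char body[CELL_MAX_NETWORK_SIZE];
  uint32_t inserted_time;
} packed_cell_t;

/* Bytes that memset(cell->body, 0, len) would write past the end of body. */
static size_t body_overrun_bytes(size_t len)
{
  size_t body_len = sizeof(((packed_cell_t *)0)->body);
  return len > body_len ? len - body_len : 0;
}

/* Do the overrun bytes reach inserted_time, or only the padding before it?
 * This is the alignment-dependent question the commit message walks through. */
static int overrun_reaches_inserted_time(size_t len)
{
  size_t write_end = offsetof(packed_cell_t, body) + len;
  return write_end > offsetof(packed_cell_t, inserted_time);
}

/* The shape of the fix: bound the clear by the field itself. */
static void clear_body(packed_cell_t *cell)
{
  memset(cell->body, 0, sizeof(cell->body));
}

/* Verify clear_body zeroes all of body and leaves inserted_time intact. */
static int clear_body_is_contained(void)
{
  packed_cell_t cell;
  memset(cell.body, 'x', sizeof(cell.body));
  cell.inserted_time = 0x12345678u;
  clear_body(&cell);
  return cell.body[0] == 0 && cell.body[sizeof(cell.body) - 1] == 0 &&
         cell.inserted_time == 0x12345678u;
}

int main(void)
{
  return clear_body_is_contained() &&
         body_overrun_bytes(CELL_MAX_NETWORK_SIZE + 2) == 2 ? 0 : 1;
}
```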
  11. 05 Jun, 2017 3 commits
  12. 01 Jun, 2017 1 commit
    • Fix ed25519 link certificate race on tls context rotation · 34a6755b
      Nick Mathewson authored
      Whenever we rotate our TLS context, we change our Ed25519
      Signing->Link certificate.  But if we've already started a TLS
      connection, then we've already sent the old X509 link certificate,
      so the new Ed25519 Signing->Link certificate won't match it.
      
      To fix this, we now store a copy of the Signing->Link certificate
      when we initialize the handshake state, and send that certificate
      as part of our CERTS cell.
      
      Fixes one case of bug 22460; bugfix on 0.3.0.1-alpha.
  13. 08 May, 2017 4 commits
    • Mike Perry · 02a5835c
    • Bug 17604: Converge on only one long-lived TLS conn between relays. · 76c9330f
      Mike Perry authored and Nick Mathewson committed
      Accomplished via the following:
      
      1. Use NETINFO cells to determine if both peers will agree on canonical
         status. Prefer connections where they agree to those where they do not.
      2. Alter channel_is_better() to prefer older orconns in the case of multiple
         canonical connections, and use the orconn with more circuits on it in case
         of age ties.
      
      Also perform some hourly accounting on how many of these types of connections
      there are and log it at info or notice level.
    • Bug 17592: Clean up connection timeout logic. · d5a151a0
      Mike Perry authored and Nick Mathewson committed
      This unifies CircuitIdleTimeout and PredictedCircsRelevanceTime into a single
      option, and randomizes it.
      
      It also gives us control over the default value as well as relay-to-relay
      connection lifespan through the consensus.
      
      Conflicts:
      	src/or/circuituse.c
      	src/or/config.c
      	src/or/main.c
      	src/test/testing_common.c
    • Netflow record collapsing defense. · b0e92634
      Mike Perry authored and Nick Mathewson committed
      This defense will cause Cisco, Juniper, Fortinet, and other routers operating
      in the default configuration to collapse netflow records that would normally
      be split due to the 15 second flow idle timeout.
      
      Collapsing these records should greatly reduce the utility of default netflow
      data for correlation attacks, since all client-side records should become 30
      minute chunks of total bytes sent/received, rather than creating multiple
      separate records for every webpage load/ssh command interaction/XMPP chat/whatever
      else happens to be inactive for more than 15 seconds.
      
      The defense adds consensus parameters to govern the range of timeout values
      for sending padding packets, as well as for keeping connections open.
      
      The defense only sends padding when connections are otherwise inactive, and it
      does not pad connections used solely for directory traffic at all. By default
      it also doesn't pad inter-relay connections.
      
      Statistics on the total padding in the last 24 hours are exported to the
      extra-info descriptors.
  14. 15 Mar, 2017 1 commit
  15. 18 Jan, 2017 1 commit
  16. 16 Dec, 2016 3 commits
  17. 08 Dec, 2016 14 commits
  18. 30 Nov, 2016 2 commits
    • Use the new guard notification/selection APIs throughout Tor · dbbaa515
      Nick Mathewson authored
      This patch doesn't cover every case; omitted cases are marked with
      "XXXX prop271", as usual.  It leaves both the old interface and the
      new interface for guard status notification, since they don't
      actually work in the same way: the new API wants to be told when a
      circuit has failed or succeeded, whereas the old API wants to know
      when a channel has failed or succeeded.
      
      I ran into some trouble with directory guard stuff, since when we
      pick the directory guard, we don't actually have a circuit to
      associate it with.  I solved that by allowing guard states to be
      associated with directory connections, not just circuits.
    • Split bridge functions into a new module. · 8da24c99
      Nick Mathewson authored
      This patch is just:
         * Code movement
         * Adding headers here and there as needed
         * Adding a bridges_free_all() with a call to it.
      
      It breaks compilation, since the bridge code needed to make exactly
      2 calls into entrynodes.c internals.  I'll fix those in the next
      commit.