Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-13T14:49:48Z

https://gitlab.torproject.org/legacy/trac/-/issues/17223
tortls.c compile errors on git master/current
2020-06-13T14:49:48Z
Trac

Hi,
On NetBSD 6_Stable (i386) compiling against openssl git master/current,
I have been receiving the following errors for a couple of days:
CC src/common/tortls.o
In file included from src/common/tortls.c:75:0:
src/common/tortls.h:139:15: error: conflicting types for 'SSL_SESSION_get_master_key'
/usr/local/ssl/include/openssl/ssl.h:1658:15: note: previous declaration of 'SSL_SESSION_get_master_key' was here
src/common/tortls.c: In function 'log_cert_lifetime':
src/common/tortls.c:2139:3: warning: passing argument 1 of 'X509_get_notBefore' discards qualifiers from pointer target type
/usr/local/ssl/include/openssl/x509.h:694:13: note: expected 'struct X509 *' but argument is of type 'const struct X509 *'
src/common/tortls.c:2147:3: warning: passing argument 1 of 'X509_get_notAfter' discards qualifiers from pointer target type
/usr/local/ssl/include/openssl/x509.h:696:12: note: expected 'struct X509 *' but argument is of type 'const struct X509 *'
src/common/tortls.c: In function 'check_cert_lifetime_internal':
src/common/tortls.c:2309:3: warning: passing argument 1 of 'X509_get_notBefore' discards qualifiers from pointer target type
/usr/local/ssl/include/openssl/x509.h:694:13: note: expected 'struct X509 *' but argument is of type 'const struct X509 *'
src/common/tortls.c:2314:3: warning: passing argument 1 of 'X509_get_notAfter' discards qualifiers from pointer target type
/usr/local/ssl/include/openssl/x509.h:696:12: note: expected 'struct X509 *' but argument is of type 'const struct X509 *'
src/common/tortls.c: At top level:
src/common/tortls.h:139:15: warning: 'SSL_SESSION_get_master_key' used but never defined
Makefile:3222: recipe for target 'src/common/tortls.o' failed
gmake[1]: *** [src/common/tortls.o] Error 1
gmake[1]: Leaving directory '/usr/local/src/tor'
Makefile:1855: recipe for target 'all' failed
gmake: *** [all] Error 2
I understand maintaining sync (tor/openssl - master branches) is not the
primary concern of the effort, but thought I would bring this to your attention.
--gene
**Trac**:
**Username**: yancm
Tor: 0.2.8.x-final
Yawning Angel

https://gitlab.torproject.org/legacy/trac/-/issues/17188
Tor should warn users when traveling backwards through time
2020-06-13T14:49:41Z
Trac

An attacker can do evil things by rewinding a user's clock, without having to own their machine (e.g., NTP attacks).
Tor maintains a monotonic clock to prevent rewinding attacks while Tor is running. Tor also keeps some persistent information about the user's time in the state file, in the LastWritten field.
On launch, if Tor sees that the system time has been rewound to before the LastWritten time, it should warn the user that something strange is happening. However, Tor should not update the monotonic clock or fail to launch, since the user may have changed the time deliberately.
**Trac**:
**Username**: hdevalence
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17183
Add exit-policy/reject-private so stem can discover ExitPolicyRejectPrivate rules
2020-06-13T14:51:06Z
teor

Add controller getinfo exit-policy/reject-private for the reject rules added by ExitPolicyRejectPrivate. This makes it easier for stem to display exit policies. Add unit tests for getinfo exit-policy/*.
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17158
Run an opt-in process for fallback directories
2020-06-13T18:13:30Z
teor

* Draft an email requesting that relay operators opt-in their ID and IP as a fallback directory
* Convince someone @ torproject.org to send the email to tor-relays
* someone @ torproject.org collates responses and adds them to the whitelist
* Once we have enough whitelist entries, we merge the whitelisted fallback directories into the code

Tor: 0.2.8.x-final
teor

https://gitlab.torproject.org/legacy/trac/-/issues/17153
tor test networks should allow IPv6 private addresses
2020-06-13T14:54:58Z
teor

`net/nodes/003br/notice.log:Sep 25 09:42:34.000 [warn] Unable to use configured IPv6 address "[::1]" in a descriptor. Skipping it. Try specifying a globally reachable address explicitly.`
I'm sure there's a tor option that allows private addresses in descriptors for IPv4. It should do that for IPv6 as well.
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17085
Improve coverage on src/common/util_process.c
2020-06-13T14:49:13Z
Trac

The changes are in the branch "util_process_tests"
https://github.com/twstrike/tor_for_patching/tree/util_process_tests
**Trac**:
**Username**: rjunior
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17084
Improve coverage on src/common/util_format.c
2020-06-13T14:49:12Z
Trac

The changes are in the branch "util_format_tests"
https://github.com/twstrike/tor_for_patching/tree/util_format_tests
**Trac**:
**Username**: rjunior
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17082
Improve coverage on src/common/tortls.c
2020-06-13T14:49:12Z
Trac

The changes are in the branch "tortls_tests"
https://github.com/twstrike/tor_for_patching/tree/tortls_tests
**Trac**:
**Username**: rjunior
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17080
Improve coverage on src/or/main.c (run_scheduled_events)
2020-06-13T14:49:11Z
Trac

The changes are in the branch "run-scheduled-events"
https://github.com/twstrike/tor_for_patching/tree/run-scheduled-events
**Trac**:
**Username**: rjunior

https://gitlab.torproject.org/legacy/trac/-/issues/17079
Improve coverage on src/or/rendcache.c
2020-06-13T14:49:10Z
Trac

The changes are in the branch "rendcache_tests"
https://github.com/twstrike/tor_for_patching/tree/rendcache_tests
**Trac**:
**Username**: rjunior
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17078
Improve coverage on src/common/procmon.c
2020-06-13T14:49:10Z
Trac

The changes are in the branch "procmon_tests"
https://github.com/twstrike/tor_for_patching/tree/procmon_tests
**Trac**:
**Username**: rjunior
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17077
Improve coverage on src/or/config.c (parse_port_config)
2020-06-13T14:49:09Z
Trac

The changes are in the branch "parse_port_config_tests"
https://github.com/twstrike/tor_for_patching/tree/parse_port_config_tests
**Trac**:
**Username**: rjunior
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17076
Improve coverage on src/or/config.c (options_validate)
2020-06-13T14:53:30Z
Trac

The changes are in the branch "options_test"
https://github.com/twstrike/tor_for_patching/tree/options_test
**Trac**:
**Username**: rjunior
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17075
Improve coverage on common/compat_libevent.c
2020-06-13T14:49:07Z
Trac

The changes are in the branch "compat_libevent_tests"
https://github.com/twstrike/tor_for_patching/tree/compat_libevent_tests
**Trac**:
**Username**: rjunior
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17074
Improve coverage on src/common/address.c
2020-06-13T14:49:07Z
Trac

The changes are in the branch "address_tests"
https://github.com/twstrike/tor_for_patching/tree/address_tests
**Trac**:
**Username**: rjunior
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17060
routerset_parse doesn't accept IPv6 addresses
2020-06-13T14:49:03Z
teor

`routerset_parse` accepts addresses containing '.' (literal IPv4) and '*' (wildcard, potentially IPv4 and/or IPv6). But it doesn't accept addresses containing ':' (literal IPv6).
This is a bugfix on 3ce6e2fba290 (Thu Jul 24 13:44:04 2008) in 0.2.1.3-alpha, and similar code which added IPv6 address parsing capabilities to `tor_addr_parse_mask_ports`.
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17026
Set unused smartlist entries to zero
2020-06-13T14:48:53Z
Sebastian Hahn

Branch forthcoming.
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17004
Add tests for function directory_handle_command_get
2020-06-13T14:48:50Z
Trac

Increase test coverage for the function `directory_handle_command_get`
All changes are in the following branch (https://github.com/twstrike/tor/tree/dir-handle-cmd-get)
**Trac**:
**Username**: rjunior
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/17003
Improve test coverage on src/or/directory.c
2020-06-13T14:48:50Z
Trac

Related branch on github (https://github.com/twstrike/tor/tree/directory-tests)
I believe it's related to #16805
**Trac**:
**Username**: rjunior
Tor: 0.2.8.x-final

https://gitlab.torproject.org/legacy/trac/-/issues/16861
Pad Tor connections to collapse netflow records
2020-06-13T14:54:41Z
Mike Perry

The collection of traffic statistics from routers is quite common. Recently, there was a minor scandal when a University network administrator upstream of UtahStateExits (and UtahStateMeekBridge) posted that they had collected over 360G of netflow records to boingboing:
https://lists.torproject.org/pipermail/tor-relays/2015-August/007575.html
Unfortunately, the comment has since disappeared, but the tor-relays archives preserve it.
This interested me, so I asked some questions about the defaults and record resolution, and did some additional searching. It turns out that Cisco IOS routers have an "inactive flow timeout" that by default is 15 seconds, and it can't be set lower than 10 seconds. What this timeout does is cause the router to emit a new netflow "record" for a connection that is idle for that long, even if it stays open. Several other routers have similar settings. The Fortinet default is also 15 seconds for this. For Juniper, it is also 30 seconds (but Juniper routers can set it as low as 4 seconds).
With this information, I decided to write a patch that sends padding on a client's Tor connection bidirectionally at a random interval that we can control from the consensus, with a default of 4s-14s. It only sends padding if the connection is idle. It does not pad connections that are used only for tunneled directory traffic.
It also gives us the ability to control how long we keep said connections open. Since the default netflow settings for Cisco also generate a record for active flows after 30 minutes, it doesn't make a whole lot of sense to pad beyond that point.
This should mean that the total overhead for this defense is very low, especially since we have recently moved to only one guard. Well under 50 bytes/second for at most 30 minutes.
I still have a few questions, though, which is why I put so many people in Cc to this ticket. I will put my questions in the first comment.
Tor: 0.3.1.x-final
Mike Perry