(My bad!)

Conflicts resolved:
	src/core/or/relay.c

David Goulet authored 3 years ago and Nick Mathewson committed 3 years ago

This issue was reported by Jann Horn part of Google's Project Zero.

Jann's one-sentence summary: entry/middle relays can spoof RELAY_END cells on
half-closed streams, which can lead to stream confusion between OP and
exit.

Fixes #40389

Previously, we would detect errors from a missing RNG
implementation, but not failures from the RNG code itself.

Fortunately, it appears those failures do not happen in practice
when Tor is using OpenSSL's default RNG implementation.  Fixes bug
40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.

It was used nowhere outside its own unit tests, and it was causing
compilation issues with recent OpenSSL 3.0.0 alphas.

Closes ticket 40399.

Fixes bug 40931; bugfix on 0.2.4.4-alpha. Also tracked as
TROVE-2021-005.

This issue was reported by Jann Horn from Google's Project Zero.

As of GCC 11.1.1, the compiler warns us about code like this:

     if (a)
         b;
         c;

and that's a good thing: we wouldn't want to "goto fail".  But we
had an instance if this in circuituse.c, which was making our
compilation sad.

Fixes bug 40380; bugfix on 0.3.0.1-alpha.

Signed-off-by: David Goulet <dgoulet@torproject.org>

This is a bugfix against my fix for #40133, which has not yet
appeared in 0.3.5.

Signed-off-by: David Goulet <dgoulet@torproject.org>

Fortunately, our tor_free() is setting the variable to NULL after so we were
in a situation where NULL was always used instead of the transport name.

This first appeared in 894ff2dc and results in
basically no bridge with a transport being able to use DoS defenses.

Fixes #40345

Signed-off-by: David Goulet <dgoulet@torproject.org>

"ours" to avoid version bump.

We were looking for the first instance of "directory-signature "
when instead the correct behavior is to look for the first instance
of "directory-signature " at the start of a line.

Unfortunately, this can be exploited as to crash authorities while
they're voting.

Fixes #40316; bugfix on 0.2.2.4-alpha.  This is TROVE-2021-002,
also tracked as CVE-2021-28090.

We're going to disable this feature in all versions for now.