authorRoger Dingledine <arma@torproject.org>2014-07-28 03:09:12 -0400
committerRoger Dingledine <arma@torproject.org>2014-07-28 03:09:12 -0400
commit637b4e62d1cd8ebec4092031dc2664c643a3e619 (patch)
treeef4ec292e9678c05e35e03405fcdac533ebf05fd
parent911fb9399fdd88a51222779268ffc55ab12a18ac (diff)
parent68a2e4ca4baa595cc4595a511db11fa7ccbbc8f7 (diff)
Merge branch 'maint-0.2.4' into release-0.2.4
-rw-r--r--changes/bug1038-36
-rw-r--r--changes/bug122275
-rw-r--r--changes/bug127185
-rw-r--r--changes/prop2216
-rw-r--r--doc/tor.1.txt8
-rw-r--r--src/common/tortls.c5
-rw-r--r--src/or/circuitbuild.c8
-rw-r--r--src/or/circuituse.c9
-rw-r--r--src/or/command.c21
-rw-r--r--src/or/config.c2
-rw-r--r--src/or/control.c2
-rw-r--r--src/or/or.h3
12 files changed, 63 insertions, 17 deletions
diff --git a/changes/bug1038-3 b/changes/bug1038-3
new file mode 100644
index 0000000000..5af4afa46f
--- /dev/null
+++ b/changes/bug1038-3
@@ -0,0 +1,6 @@
+ o Minor bugfixes:
+ - Warn and drop the circuit if we receive an inbound 'relay early'
+ cell. Those used to be normal to receive on hidden service circuits
+ due to bug 1038, but the buggy Tor versions are long gone from
+ the network so we can afford to resume watching for them. Resolves
+ the rest of bug 1038; bugfix on 0.2.1.19.
diff --git a/changes/bug12227 b/changes/bug12227
new file mode 100644
index 0000000000..d8b5d08a55
--- /dev/null
+++ b/changes/bug12227
@@ -0,0 +1,5 @@
+ o Minor bugfixes:
+ - Avoid an illegal read from stack when initializing the TLS
+ module using a version of OpenSSL without all of the ciphers
+ used by the v2 link handshake. Fixes bug 12227; bugfix on
+ 0.2.4.8-alpha. Found by "starlight".
diff --git a/changes/bug12718 b/changes/bug12718
new file mode 100644
index 0000000000..0c5f708446
--- /dev/null
+++ b/changes/bug12718
@@ -0,0 +1,5 @@
+ o Minor bugfixes:
+ - Correct a confusing error message when trying to extend a circuit
+ via the control protocol but we don't know a descriptor or
+ microdescriptor for one of the specified relays. Fixes bug 12718;
+ bugfix on 0.2.3.1-alpha.
diff --git a/changes/prop221 b/changes/prop221
new file mode 100644
index 0000000000..b2bf44bc37
--- /dev/null
+++ b/changes/prop221
@@ -0,0 +1,6 @@
+ o Minor features:
+ - Stop sending the CREATE_FAST cells by default; instead, use a
+ parameter in the consensus to decide whether to use
+ CREATE_FAST. This can improve security on connections where
+ Tor's circuit handshake is stronger than the available TLS
+ connection security levels. Implements proposal 221.
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 779db61c29..4f3612b102 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1119,15 +1119,17 @@ The following options are useful only for clients (that is, if
the node "foo". Disabled by default since attacking websites and exit
relays can use it to manipulate your path selection. (Default: 0)
-[[FastFirstHopPK]] **FastFirstHopPK** **0**|**1**::
+[[FastFirstHopPK]] **FastFirstHopPK** **0**|**1**|**auto**::
When this option is disabled, Tor uses the public key step for the first
hop of creating circuits. Skipping it is generally safe since we have
already used TLS to authenticate the relay and to establish forward-secure
- keys. Turning this option off makes circuit building slower. +
+ keys. Turning this option off makes circuit building a little
+ slower. Setting this option to "auto" takes advice from the authorities
+ in the latest consensus about whether to use this feature. +
+
Note that Tor will always use the public key step for the first hop if it's
operating as a relay, and it will never use the public key step if it
- doesn't yet know the onion key of the first hop. (Default: 1)
+ doesn't yet know the onion key of the first hop. (Default: auto)
[[TransPort]] **TransPort** \['address':]__port__|**auto** [_isolation flags_]::
Open this port to listen for transparent proxy connections. Set this to
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 8f3f6a7130..c13b12fd40 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1489,10 +1489,13 @@ prune_v2_cipher_list(void)
inp = outp = v2_cipher_list;
while (*inp) {
- unsigned char cipherid[2];
+ unsigned char cipherid[3];
const SSL_CIPHER *cipher;
/* Is there no better way to do this? */
set_uint16(cipherid, htons(*inp));
+ cipherid[2] = 0; /* If ssl23_get_cipher_by_char finds no cipher starting
+ * with a two-byte 'cipherid', it may look for a v2
+ * cipher with the appropriate 3 bytes. */
cipher = m->get_cipher_by_char(cipherid);
if (cipher) {
tor_assert((cipher->id & 0xffff) == *inp);
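Review bot: The `tor_assert` right after the lookup trusts `m->get_cipher_by_char()` to return the cipher that was asked for. If the three-byte fallback described in the new comment can return a different cipher, the assert would abort the process during TLS initialisation; treating a mismatch like a missing cipher and skipping the entry may be safer, which is worth confirming against the supported OpenSSL versions. Separately, the reason `cipherid` has three bytes is explained only by the trailing comment on `cipherid[2] = 0;`. Declaring it as `unsigned char cipherid[3] = {0};` would keep every byte passed to the lookup defined even if the `set_uint16` line changes later, and the comment could then sit at the declaration. The loop body continues outside the hunk.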
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 2b4d3c3118..4603de071f 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -663,16 +663,18 @@ should_use_create_fast_for_circuit(origin_circuit_t *circ)
if (!circ->cpath->extend_info->onion_key)
return 1; /* our hand is forced: only a create_fast will work. */
- if (!options->FastFirstHopPK)
- return 0; /* we prefer to avoid create_fast */
if (public_server_mode(options)) {
/* We're a server, and we know an onion key. We can choose.
* Prefer to blend our circuit into the other circuits we are
* creating on behalf of others. */
return 0;
}
+ if (options->FastFirstHopPK == -1) {
+ /* option is "auto", so look at the consensus. */
+ return networkstatus_get_param(NULL, "usecreatefast", 1, 0, 1);
+ }
- return 1;
+ return options->FastFirstHopPK;
}
/** Return true if <b>circ</b> is the type of circuit we want to count
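Review bot: In the new "auto" branch, the third argument to `networkstatus_get_param()` makes 1 the fallback, so CREATE_FAST is still used whenever the consensus does not set `usecreatefast` (and presumably also when no consensus is available, since `NULL` is passed). changes/prop221 on this page describes the change as no longer sending CREATE_FAST by default, so the comment should state the fallback explicitly, e.g. `/* "auto": follow the consensus; falls back to 1 (use CREATE_FAST) when "usecreatefast" is not set. */`. The bare `-1` would also read better with a word saying it is the AUTOBOOL "auto" value. The function starts above the hunk.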
diff --git a/src/or/circuituse.c b/src/or/circuituse.c
index c2d2b2e87c..06a51a04a2 100644
--- a/src/or/circuituse.c
+++ b/src/or/circuituse.c
@@ -1382,10 +1382,11 @@ circuit_build_failed(origin_circuit_t *circ)
failed_at_last_hop = 1;
}
if (circ->cpath &&
- circ->cpath->state != CPATH_STATE_OPEN) {
- /* We failed at the first hop. If there's an OR connection
- * to blame, blame it. Also, avoid this relay for a while, and
- * fail any one-hop directory fetches destined for it. */
+ circ->cpath->state != CPATH_STATE_OPEN &&
+ ! circ->base_.received_destroy) {
+ /* We failed at the first hop for some reason other than a DESTROY cell.
+ * If there's an OR connection to blame, blame it. Also, avoid this relay
+ * for a while, and fail any one-hop directory fetches destined for it. */
const char *n_chan_id = circ->cpath->extend_info->identity_digest;
int already_marked = 0;
if (circ->base_.n_chan) {
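Review bot: The new `! circ->base_.received_destroy` condition means a first hop that answers with DESTROY never reaches the blame-and-avoid logic in this block, and the rewritten comment says what is excluded but not why. If the reasoning is that a DESTROY shows the OR connection itself is working, the comment should say so, e.g. `/* A DESTROY means the channel is usable, so don't blame the connection. */`. It is also worth confirming that a relay which keeps refusing with DESTROY is still avoided by some other path, since this one no longer covers it. The block continues past the end of the hunk.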
diff --git a/src/or/command.c b/src/or/command.c
index 699b02fb47..78fd4fad33 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -443,10 +443,22 @@ command_process_relay_cell(cell_t *cell, channel_t *chan)
* gotten no more than MAX_RELAY_EARLY_CELLS_PER_CIRCUIT of them. */
if (cell->command == CELL_RELAY_EARLY) {
if (direction == CELL_DIRECTION_IN) {
- /* Allow an unlimited number of inbound relay_early cells,
- * for hidden service compatibility. There isn't any way to make
- * a long circuit through inbound relay_early cells anyway. See
- * bug 1038. -RD */
+ /* Inbound early cells could once be encountered as a result of
+ * bug 1038; but relays running versions before 0.2.1.19 are long
+ * gone from the network, so any such cells now are surprising. */
+ log_warn(LD_OR,
+ "Received an inbound RELAY_EARLY cell on circuit %u."
+ " Closing circuit. Please report this event,"
+ " along with the following message.",
+ (unsigned)cell->circ_id);
+ if (CIRCUIT_IS_ORIGIN(circ)) {
+ circuit_log_path(LOG_WARN, LD_OR, TO_ORIGIN_CIRCUIT(circ));
+ } else if (circ->n_chan) {
+ log_warn(LD_OR, " upstream=%s",
+ channel_get_actual_remote_descr(circ->n_chan));
+ }
+ circuit_mark_for_close(circ, END_CIRC_REASON_TORPROTOCOL);
+ return;
} else {
or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
if (or_circ->remaining_relay_early_cells == 0) {
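Review bot: The new inbound-RELAY_EARLY branch writes up to two warn-level lines per offending circuit, and the cell that triggers them is chosen by the remote side. Closing the circuit bounds this to one event per circuit, but nothing bounds it per peer, so the log volume is under remote control. Consider rate-limiting the warning (with the tree's rate-limited logging helper, if this branch has one) while keeping `circuit_mark_for_close(circ, END_CIRC_REASON_TORPROTOCOL);` unconditional. Putting the circuit id on the `" upstream=%s"` line as well would let an operator match it to the first message when other log lines interleave. command_process_relay_cell starts and ends outside the hunk.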
@@ -499,6 +511,7 @@ command_process_destroy_cell(cell_t *cell, channel_t *chan)
log_debug(LD_OR,"Received for circID %u.",(unsigned)cell->circ_id);
reason = (uint8_t)cell->payload[0];
+ circ->received_destroy = 1;
if (!CIRCUIT_IS_ORIGIN(circ) &&
cell->circ_id == TO_OR_CIRCUIT(circ)->p_circ_id) {
diff --git a/src/or/config.c b/src/or/config.c
index a2811ebc21..1de91878b7 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -236,7 +236,7 @@ static config_var_t option_vars_[] = {
OBSOLETE("FallbackNetworkstatusFile"),
V(FascistFirewall, BOOL, "0"),
V(FirewallPorts, CSV, ""),
- V(FastFirstHopPK, BOOL, "1"),
+ V(FastFirstHopPK, AUTOBOOL, "auto"),
V(FetchDirInfoEarly, BOOL, "0"),
V(FetchDirInfoExtraEarly, BOOL, "0"),
V(FetchServerDescriptors, BOOL, "1"),
diff --git a/src/or/control.c b/src/or/control.c
index a88de12d69..ae9dd69d21 100644
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -2506,7 +2506,7 @@ handle_control_extendcircuit(control_connection_t *conn, uint32_t len,
goto done;
}
if (!node_has_descriptor(node)) {
- connection_printf_to_buf(conn, "552 descriptor for \"%s\"\r\n", n);
+ connection_printf_to_buf(conn, "552 No descriptor for \"%s\"\r\n", n);
goto done;
}
smartlist_add(nodes, (void*)node);
diff --git a/src/or/or.h b/src/or/or.h
index 3eaf3447dc..34f055cf06 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -2785,6 +2785,9 @@ typedef struct circuit_t {
* allowing n_streams to add any more cells. (OR circuit only.) */
unsigned int streams_blocked_on_p_chan : 1;
+ /** True iff this circuit has received a DESTROY cell in either direction */
+ unsigned int received_destroy : 1;
+
uint8_t state; /**< Current status of this circuit. */
uint8_t purpose; /**< Why are we creating this circuit? */