diff options
| -rw-r--r-- | changes/bug26627 | 7 | ||||
| -rw-r--r-- | changes/bug26785 | 4 | ||||
| -rw-r--r-- | changes/bug26853 | 3 | ||||
| -rw-r--r-- | changes/bug26924 | 4 | ||||
| -rw-r--r-- | changes/bug26927 | 4 | ||||
| -rw-r--r-- | changes/ticket26647 | 4 | ||||
| -rw-r--r-- | configure.ac | 3 | ||||
| -rw-r--r-- | src/common/compress_zstd.c | 4 | ||||
| -rw-r--r-- | src/or/connection_or.c | 14 | ||||
| -rw-r--r-- | src/or/control.c | 4 | ||||
| -rw-r--r-- | src/or/hs_circuit.c | 20 | ||||
| -rw-r--r-- | src/or/hs_service.c | 29 | ||||
| -rw-r--r-- | src/or/hs_service.h | 5 | ||||
| -rw-r--r-- | src/test/test_hs_cell.c | 4 | ||||
| -rw-r--r-- | src/test/test_hs_intropoint.c | 4 | ||||
| -rw-r--r-- | src/test/test_hs_service.c | 2 | ||||
| -rwxr-xr-x | src/test/test_key_expiration.sh | 8 |
17 files changed, 96 insertions, 27 deletions
diff --git a/changes/bug26627 b/changes/bug26627 new file mode 100644 index 0000000000..d28bd05d53 --- /dev/null +++ b/changes/bug26627 @@ -0,0 +1,7 @@ + o Minor bugfixes (v3 onion services): + - Stop sending ed25519 link specifiers in v3 onion service introduce + cells, when the rendezvous point doesn't support ed25519 link + authentication. Fixes bug 26627; bugfix on 0.3.2.4-alpha. + - Stop putting ed25519 link specifiers in v3 onion service descriptors, + when the intro point doesn't support ed25519 link authentication. + Fixes bug 26627; bugfix on 0.3.2.4-alpha. diff --git a/changes/bug26785 b/changes/bug26785 new file mode 100644 index 0000000000..e6392fcbdd --- /dev/null +++ b/changes/bug26785 @@ -0,0 +1,4 @@ + o Minor bugfixes (compilation, portability): + - Don't try to use a pragma to temporarily disable + -Wunused-const-variable if the compiler doesn't support it. + Fixes bug 26785; bugfix on 0.3.2.11. diff --git a/changes/bug26853 b/changes/bug26853 new file mode 100644 index 0000000000..6ee47789b9 --- /dev/null +++ b/changes/bug26853 @@ -0,0 +1,3 @@ + o Minor bugfixes (continuous integration): + - Skip an unreliable key expiration test on Windows, until the underlying + issue in bug 26076 is resolved. Fixes bug 26853; bugfix on 0.3.2.1-alpha. diff --git a/changes/bug26924 b/changes/bug26924 new file mode 100644 index 0000000000..882db56b40 --- /dev/null +++ b/changes/bug26924 @@ -0,0 +1,4 @@ + o Minor bugfixes (single onion services, Tor2web): + - Log a protocol warning when single onion services or Tor2web clients + fail to authenticate direct connections to relays. + Fixes bug 26924; bugfix on 0.2.9.1-alpha. diff --git a/changes/bug26927 b/changes/bug26927 new file mode 100644 index 0000000000..cd035bba8e --- /dev/null +++ b/changes/bug26927 @@ -0,0 +1,4 @@ + o Minor bugfixes (logging): + - Improve the log message when connection initiators fail to authenticate + direct connections to relays. + Fixes bug 26927; bugfix on 0.3.0.1-alpha. diff --git a/changes/ticket26647 b/changes/ticket26647 new file mode 100644 index 0000000000..1c2e917c6d --- /dev/null +++ b/changes/ticket26647 @@ -0,0 +1,4 @@ + o Minor features (controller): + - The control port now exposes the list of HTTPTunnelPorts and + ExtOrPorts via GETINFO net/listeners/httptunnel and net/listeners/extor + respectively. Closes ticket 26647. diff --git a/configure.ac b/configure.ac index ba58f9d740..b71d648f15 100644 --- a/configure.ac +++ b/configure.ac @@ -2198,6 +2198,9 @@ dnl -Wthread-safety-precise if test "$tor_cv_cflags__Woverlength_strings" = "yes"; then AC_DEFINE([HAVE_CFLAG_WOVERLENGTH_STRINGS], 1, [True if we have -Woverlength-strings]) fi + if test "$tor_cv_cflags__warn_unused_const_variable_2" = "yes"; then + AC_DEFINE([HAVE_CFLAG_WUNUSED_CONST_VARIABLE], 1, [True if we have -Wunused-const-variable]) + fi if test "x$enable_fatal_warnings" = "xyes"; then # I'd like to use TOR_CHECK_CFLAGS here, but I can't, since the diff --git a/src/common/compress_zstd.c b/src/common/compress_zstd.c index 193a0289f0..b9f9f1f076 100644 --- a/src/common/compress_zstd.c +++ b/src/common/compress_zstd.c @@ -19,10 +19,14 @@ #include "compress_zstd.h" #ifdef HAVE_ZSTD +#ifdef HAVE_CFLAG_WUNUSED_CONST_VARIABLE DISABLE_GCC_WARNING(unused-const-variable) +#endif #include <zstd.h> +#ifdef HAVE_CFLAG_WUNUSED_CONST_VARIABLE ENABLE_GCC_WARNING(unused-const-variable) #endif +#endif /** Total number of bytes allocated for Zstandard state. */ static atomic_counter_t total_zstd_allocation; diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 267463312c..221b8dc8ad 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c @@ -50,6 +50,7 @@ #include "proto_cell.h" #include "reasons.h" #include "relay.h" +#include "rendcommon.h" #include "rephist.h" #include "router.h" #include "routerkeys.h" @@ -1923,10 +1924,13 @@ connection_or_client_learned_peer_id(or_connection_t *conn, conn->identity_digest); const int is_authority_fingerprint = router_digest_is_trusted_dir( conn->identity_digest); + const int non_anonymous_mode = rend_non_anonymous_mode_enabled(options); int severity; const char *extra_log = ""; - if (server_mode(options)) { + /* Relays, Single Onion Services, and Tor2web make direct connections using + * untrusted authentication keys. */ + if (server_mode(options) || non_anonymous_mode) { severity = LOG_PROTOCOL_WARN; } else { if (using_hardcoded_fingerprints) { @@ -1950,8 +1954,8 @@ connection_or_client_learned_peer_id(or_connection_t *conn, } log_fn(severity, LD_HANDSHAKE, - "Tried connecting to router at %s:%d, but RSA identity key was not " - "as expected: wanted %s + %s but got %s + %s.%s", + "Tried connecting to router at %s:%d, but RSA + ed25519 identity " + "keys were not as expected: wanted %s + %s but got %s + %s.%s", conn->base_.address, conn->base_.port, expected_rsa, expected_ed, seen_rsa, seen_ed, extra_log); @@ -1968,8 +1972,8 @@ connection_or_client_learned_peer_id(or_connection_t *conn, } if (!expected_ed_key && ed_peer_id) { - log_info(LD_HANDSHAKE, "(we had no Ed25519 ID in mind when we made this " - "connection."); + log_info(LD_HANDSHAKE, "(We had no Ed25519 ID in mind when we made this " + "connection.)"); connection_or_set_identity_digest(conn, (const char*)rsa_peer_id, ed_peer_id); changed_identity = 1; diff --git a/src/or/control.c b/src/or/control.c index 1898725025..3f677ba348 100644 --- a/src/or/control.c +++ b/src/or/control.c @@ -1896,6 +1896,8 @@ getinfo_helper_listeners(control_connection_t *control_conn, if (!strcmp(question, "net/listeners/or")) type = CONN_TYPE_OR_LISTENER; + else if (!strcmp(question, "net/listeners/extor")) + type = CONN_TYPE_EXT_OR_LISTENER; else if (!strcmp(question, "net/listeners/dir")) type = CONN_TYPE_DIR_LISTENER; else if (!strcmp(question, "net/listeners/socks")) @@ -1904,6 +1906,8 @@ getinfo_helper_listeners(control_connection_t *control_conn, type = CONN_TYPE_AP_TRANS_LISTENER; else if (!strcmp(question, "net/listeners/natd")) type = CONN_TYPE_AP_NATD_LISTENER; + else if (!strcmp(question, "net/listeners/httptunnel")) + type = CONN_TYPE_AP_HTTP_CONNECT_LISTENER; else if (!strcmp(question, "net/listeners/dns")) type = CONN_TYPE_AP_DNS_LISTENER; else if (!strcmp(question, "net/listeners/control")) diff --git a/src/or/hs_circuit.c b/src/or/hs_circuit.c index 3a674f6223..0a9999a190 100644 --- a/src/or/hs_circuit.c +++ b/src/or/hs_circuit.c @@ -559,10 +559,14 @@ retry_service_rendezvous_point(const origin_circuit_t *circ) return; } -/* Add all possible link specifiers in node to lspecs. - * legacy ID is mandatory thus MUST be present in node. If the primary address - * is not IPv4, log a BUG() warning, and return an empty smartlist. - * Includes ed25519 id and IPv6 link specifiers if present in the node. */ +/* Add all possible link specifiers in node to lspecs: + * - legacy ID is mandatory thus MUST be present in node; + * - include ed25519 link specifier if present in the node, and the node + * supports ed25519 link authentication, even if its link versions are not + * compatible with us; + * - include IPv4 link specifier, if the primary address is not IPv4, log a + * BUG() warning, and return an empty smartlist; + * - include IPv6 link specifier if present in the node. */ static void get_lspecs_from_node(const node_t *node, smartlist_t *lspecs) { @@ -600,8 +604,12 @@ get_lspecs_from_node(const node_t *node, smartlist_t *lspecs) link_specifier_set_ls_len(ls, link_specifier_getlen_un_legacy_id(ls)); smartlist_add(lspecs, ls); - /* ed25519 ID is only included if the node has it. */ - if (!ed25519_public_key_is_zero(&node->ed25519_id)) { + /* ed25519 ID is only included if the node has it, and the node declares a + protocol version that supports ed25519 link authentication, even if that + link version is not compatible with us. (We are sending the ed25519 key + to another tor, which may support different link versions.) */ + if (!ed25519_public_key_is_zero(&node->ed25519_id) && + node_supports_ed25519_link_authentication(node, 0)) { ls = link_specifier_new(); link_specifier_set_ls_type(ls, LS_ED25519_ID); memcpy(link_specifier_getarray_un_ed25519_id(ls), &node->ed25519_id, diff --git a/src/or/hs_service.c b/src/or/hs_service.c index c31f8bbf68..21daaaa248 100644 --- a/src/or/hs_service.c +++ b/src/or/hs_service.c @@ -376,17 +376,21 @@ service_intro_point_free_void(void *obj) } /* Return a newly allocated service intro point and fully initialized from the - * given extend_info_t ei if non NULL. If is_legacy is true, we also generate - * the legacy key. On error, NULL is returned. + * given extend_info_t ei if non NULL. + * If is_legacy is true, we also generate the legacy key. + * If supports_ed25519_link_handshake_any is true, we add the relay's ed25519 + * key to the link specifiers. * * If ei is NULL, returns a hs_service_intro_point_t with an empty link * specifier list and no onion key. (This is used for testing.) + * On any other error, NULL is returned. * * ei must be an extend_info_t containing an IPv4 address. (We will add supoort * for IPv6 in a later release.) When calling extend_info_from_node(), pass * 0 in for_direct_connection to make sure ei always has an IPv4 address. */ STATIC hs_service_intro_point_t * -service_intro_point_new(const extend_info_t *ei, unsigned int is_legacy) +service_intro_point_new(const extend_info_t *ei, unsigned int is_legacy, + unsigned int supports_ed25519_link_handshake_any) { hs_desc_link_specifier_t *ls; hs_service_intro_point_t *ip; @@ -453,10 +457,13 @@ service_intro_point_new(const extend_info_t *ei, unsigned int is_legacy) } smartlist_add(ip->base.link_specifiers, ls); - /* ed25519 identity key is optional for intro points */ - ls = hs_desc_link_specifier_new(ei, LS_ED25519_ID); - if (ls) { - smartlist_add(ip->base.link_specifiers, ls); + /* ed25519 identity key is optional for intro points. If the node supports + * ed25519 link authentication, we include it. */ + if (supports_ed25519_link_handshake_any) { + ls = hs_desc_link_specifier_new(ei, LS_ED25519_ID); + if (ls) { + smartlist_add(ip->base.link_specifiers, ls); + } } /* IPv6 is not supported in this release. */ @@ -1586,8 +1593,12 @@ pick_intro_point(unsigned int direct_conn, smartlist_t *exclude_nodes) tor_assert_nonfatal(!ed25519_public_key_is_zero(&info->ed_identity)); } - /* Create our objects and populate them with the node information. */ - ip = service_intro_point_new(info, !node_supports_ed25519_hs_intro(node)); + /* Create our objects and populate them with the node information. + * We don't care if the intro's link auth is compatible with us, because + * we are sending the ed25519 key to a remote client via the descriptor. */ + ip = service_intro_point_new(info, !node_supports_ed25519_hs_intro(node), + node_supports_ed25519_link_authentication(node, + 0)); if (ip == NULL) { goto err; } diff --git a/src/or/hs_service.h b/src/or/hs_service.h index d163eeef28..f3cd49e073 100644 --- a/src/or/hs_service.h +++ b/src/or/hs_service.h @@ -307,8 +307,9 @@ STATIC void remove_service(hs_service_ht *map, hs_service_t *service); STATIC int register_service(hs_service_ht *map, hs_service_t *service); /* Service introduction point functions. */ STATIC hs_service_intro_point_t *service_intro_point_new( - const extend_info_t *ei, - unsigned int is_legacy); + const extend_info_t *ei, + unsigned int is_legacy, + unsigned int supports_ed25519_link_handshake_any); STATIC void service_intro_point_free_(hs_service_intro_point_t *ip); #define service_intro_point_free(ip) \ FREE_AND_NULL(hs_service_intro_point_t, \ diff --git a/src/test/test_hs_cell.c b/src/test/test_hs_cell.c index 1b3c788a67..aed28d3bd2 100644 --- a/src/test/test_hs_cell.c +++ b/src/test/test_hs_cell.c @@ -38,7 +38,7 @@ test_gen_establish_intro_cell(void *arg) attempt to parse it. */ { /* We only need the auth key pair here. */ - hs_service_intro_point_t *ip = service_intro_point_new(NULL, 0); + hs_service_intro_point_t *ip = service_intro_point_new(NULL, 0, 0); /* Auth key pair is generated in the constructor so we are all set for * using this IP object. */ ret = hs_cell_build_establish_intro(circ_nonce, ip, buf); @@ -106,7 +106,7 @@ test_gen_establish_intro_cell_bad(void *arg) ed25519_sign_prefixed() function and make it fail. */ cell = trn_cell_establish_intro_new(); tt_assert(cell); - ip = service_intro_point_new(NULL, 0); + ip = service_intro_point_new(NULL, 0, 0); cell_len = hs_cell_build_establish_intro(circ_nonce, ip, NULL); service_intro_point_free(ip); expect_log_msg_containing("Unable to make signature for " diff --git a/src/test/test_hs_intropoint.c b/src/test/test_hs_intropoint.c index 5b75e38935..ec4dcb4705 100644 --- a/src/test/test_hs_intropoint.c +++ b/src/test/test_hs_intropoint.c @@ -49,7 +49,7 @@ new_establish_intro_cell(const char *circ_nonce, /* Auth key pair is generated in the constructor so we are all set for * using this IP object. */ - ip = service_intro_point_new(NULL, 0); + ip = service_intro_point_new(NULL, 0, 0); tt_assert(ip); cell_len = hs_cell_build_establish_intro(circ_nonce, ip, buf); tt_i64_op(cell_len, OP_GT, 0); @@ -75,7 +75,7 @@ new_establish_intro_encoded_cell(const char *circ_nonce, uint8_t *cell_out) /* Auth key pair is generated in the constructor so we are all set for * using this IP object. */ - ip = service_intro_point_new(NULL, 0); + ip = service_intro_point_new(NULL, 0, 0); tt_assert(ip); cell_len = hs_cell_build_establish_intro(circ_nonce, ip, cell_out); tt_i64_op(cell_len, OP_GT, 0); diff --git a/src/test/test_hs_service.c b/src/test/test_hs_service.c index 2e5280610f..c1e9f3ced6 100644 --- a/src/test/test_hs_service.c +++ b/src/test/test_hs_service.c @@ -241,7 +241,7 @@ static hs_service_intro_point_t * helper_create_service_ip(void) { hs_desc_link_specifier_t *ls; - hs_service_intro_point_t *ip = service_intro_point_new(NULL, 0); + hs_service_intro_point_t *ip = service_intro_point_new(NULL, 0, 0); tor_assert(ip); /* Add a first unused link specifier. */ ls = tor_malloc_zero(sizeof(*ls)); diff --git a/src/test/test_key_expiration.sh b/src/test/test_key_expiration.sh index 5511dbf18c..cf6608634d 100755 --- a/src/test/test_key_expiration.sh +++ b/src/test/test_key_expiration.sh @@ -13,6 +13,14 @@ if [ $# -eq 0 ] || [ ! -f ${1} ] || [ ! -x ${1} ]; then fi fi +UNAME_OS=`uname -s | cut -d_ -f1` +if test "$UNAME_OS" = 'CYGWIN' || \ + test "$UNAME_OS" = 'MSYS' || \ + test "$UNAME_OS" = 'MINGW'; then + echo "This test is unreliable on Windows. See trac #26076. Skipping." >&2 + exit 77 +fi + if [ $# -ge 1 ]; then TOR_BINARY="${1}" shift |