-rw-r--r--changes/bug133254
-rw-r--r--changes/bug13331-make-j2-test-network-hang3
-rw-r--r--changes/feature13161-TestingDirAuthVoteExit7
-rw-r--r--configure.ac4
-rw-r--r--doc/tor.1.txt19
-rw-r--r--src/common/tortls.c48
-rw-r--r--src/or/config.c1
-rw-r--r--src/or/dirserv.c15
-rw-r--r--src/or/or.h4
-rwxr-xr-xsrc/test/test-network.sh5
10 files changed, 91 insertions, 19 deletions
diff --git a/changes/bug13325 b/changes/bug13325
new file mode 100644
index 0000000000..b1da4d0bd5
--- /dev/null
+++ b/changes/bug13325
@@ -0,0 +1,4 @@
+ o Compilation fixes:
+ - Build and run correctly on systems like OpenBSD-current that
+ have patched OpenSSL to remove get_cipher_by_char and/or its
+ implementations. Fixes issue 13325.
diff --git a/changes/bug13331-make-j2-test-network-hang b/changes/bug13331-make-j2-test-network-hang
new file mode 100644
index 0000000000..85c0ad8e37
--- /dev/null
+++ b/changes/bug13331-make-j2-test-network-hang
@@ -0,0 +1,3 @@
+ o Minor bugfixes:
+ - Stop an apparent test-network hang when used with make -j2.
+ Fixes bug 13331.
diff --git a/changes/feature13161-TestingDirAuthVoteExit b/changes/feature13161-TestingDirAuthVoteExit
new file mode 100644
index 0000000000..d6c8f414a3
--- /dev/null
+++ b/changes/feature13161-TestingDirAuthVoteExit
@@ -0,0 +1,7 @@
+ o Minor features (testing):
+ - Add the TestingDirAuthVoteExit option, a list of nodes to vote
+ Exit for regardless of their uptime, bandwidth, or exit policy.
+ TestingTorNetwork must be set for this option to have any effect.
+ Works around an issue where authorities would take up to 35 minutes
+ to give nodes the Exit flag in a test network, despite short
+ consensus intervals. Partially implements ticket 13161.
diff --git a/configure.ac b/configure.ac
index 73499c22ef..c0523e1082 100644
--- a/configure.ac
+++ b/configure.ac
@@ -582,6 +582,10 @@ else
fi
AC_SUBST(TOR_OPENSSL_LIBS)
+AC_CHECK_MEMBERS([struct ssl_method_st.get_cipher_by_char], , ,
+[#include <openssl/ssl.h>
+])
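Review bot: The member check is compiled with whatever CPPFLAGS are in effect at this point; if the OpenSSL include directory is only carried in a TOR_OPENSSL_* variable here (the preceding lines set TOR_OPENSSL_LIBS), `#include <openssl/ssl.h>` may fail to resolve and the check would quietly report "no", silently selecting the linear fallback in tortls.c even on builds where get_cipher_by_char exists. I cannot see the earlier OpenSSL configure block, so this is inferred; it is worth confirming in config.log once on a normal OpenSSL build that the define actually ends up set. If the include path lives in a separate variable, wrapping the check in a save/restore of CPPFLAGS with that path added would make the result reliable.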
+
dnl ------------------------------------------------------
dnl Where do you live, zlib? And how do we call you?
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index ff178196a8..9477d47798 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -964,10 +964,10 @@ The following options are useful only for clients (that is, if
(SOCKS 4, SOCKS 5, TransPort connections, NATDPort connections,
and DNSPort requests are all considered to be different protocols.)
**IsolateDestPort**;;
- Don't share circuits with streams targetting a different
+ Don't share circuits with streams targeting a different
destination port.
**IsolateDestAddr**;;
- Don't share circuits with streams targetting a different
+ Don't share circuits with streams targeting a different
destination address.
**SessionGroup=**__INT__;;
If no other isolation rules would prevent it, allow streams
@@ -1018,7 +1018,7 @@ The following options are useful only for clients (that is, if
requests via this connection.
**PreferIPv6Automap**;;
When serving a hostname lookup request on this port that
- should get automapped (according to AutomapHostsOnResove),
+ should get automapped (according to AutomapHostsOnResolve),
if we could return either an IPv4 or an IPv6 answer, prefer
an IPv6 answer. (On by default.)
**PreferSOCKSNoAuth**;;
@@ -1425,7 +1425,7 @@ The following options are useful only for clients (that is, if
whose view of the current time is skewed. If this option is set to 0, we
do not send this timestamp, and hidden services on obsolete Tor versions
will not work. If this option is set to 1, we send the timestamp. If
- this optoin is "auto", we take a recommendation from the latest consensus
+ this option is "auto", we take a recommendation from the latest consensus
document. (Default: auto)
@@ -2032,7 +2032,7 @@ The following options are used to configure a hidden service.
[[HiddenServicePort]] **HiddenServicePort** __VIRTPORT__ [__TARGET__]::
Configure a virtual port VIRTPORT for a hidden service. You may use this
option multiple times; each time applies to the service using the most
- recent hiddenservicedir. By default, this option maps the virtual port to
+ recent HiddenServiceDir. By default, this option maps the virtual port to
the same port on 127.0.0.1 over TCP. You may override the target port,
address, or both by specifying a target of addr, port, or addr:port.
You may also have multiple lines with the same VIRTPORT: when a user
@@ -2197,6 +2197,15 @@ The following options are used for running a testing Tor network.
Try this often to download a v3 authority certificate before giving up.
Changing this requires that **TestingTorNetwork** is set. (Default: 8)
+[[TestingDirAuthVoteExit]] **TestingDirAuthVoteExit** __node__,__node__,__...__::
+ A list of identity fingerprints, nicknames, country codes and
+ address patterns of nodes to vote Exit for regardless of their
+ uptime, bandwidth, or exit policy. See the **ExcludeNodes**
+ option for more information on how to specify nodes.
+ +
+ In order for this option to have any effect, **TestingTorNetwork**
+ has to be set.
+
[[TestingDirAuthVoteGuard]] **TestingDirAuthVoteGuard** __node__,__node__,__...__::
A list of identity fingerprints, nicknames, country codes and
address patterns of nodes to vote Guard for regardless of their
diff --git a/src/common/tortls.c b/src/common/tortls.c
index eda10bbe2e..f4a07f0b93 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -1463,6 +1463,43 @@ static uint16_t v2_cipher_list[] = {
/** Have we removed the unrecognized ciphers from v2_cipher_list yet? */
static int v2_cipher_list_pruned = 0;
+/** Return 0 if <b>m</b> does not support the cipher with ID <b>cipher</b>;
+ * return 1 if it does support it, or if we have no way to tell. */
+static int
+find_cipher_by_id(const SSL_METHOD *m, uint16_t cipher)
+{
+ const SSL_CIPHER *c;
+#ifdef HAVE_STRUCT_SSL_METHOD_ST_GET_CIPHER_BY_CHAR
+ if (m && m->get_cipher_by_char) {
+ unsigned char cipherid[3];
+ set_uint16(cipherid, htons(cipher));
+ cipherid[2] = 0; /* If ssl23_get_cipher_by_char finds no cipher starting
+ * with a two-byte 'cipherid', it may look for a v2
+ * cipher with the appropriate 3 bytes. */
+ c = m->get_cipher_by_char(cipherid);
+ if (c)
+ tor_assert((c->id & 0xffff) == cipher);
+ return c != NULL;
+ } else
+#endif
+ if (m && m->get_cipher && m->num_ciphers) {
+ /* It would seem that some of the "let's-clean-up-openssl" forks have
+ * removed the get_cipher_by_char function. Okay, so now you get a
+ * quadratic search.
+ */
+ int i;
+ for (i = 0; i < m->num_ciphers(); ++i) {
+ c = m->get_cipher(i);
+ if (c && (c->id & 0xffff) == cipher) {
+ return 1;
+ }
+ }
+ return 0;
+ } else {
+ return 1; /* No way to search */
+ }
+}
+
/** Remove from v2_cipher_list every cipher that we don't support, so that
* comparing v2_cipher_list to a client's cipher list will give a sensible
* result. */
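Review bot: The `} else` immediately followed by `#endif` and a second `if` makes the control flow depend on which lines the preprocessor keeps, which is easy to break on a later edit and hard to read; guard clauses with early returns give the same behaviour without splicing an `else` across a conditional-compilation boundary. While restructuring, `m->num_ciphers()` on the fallback path can be read once rather than on every loop iteration. Note also that the fallback dereferences `m->get_cipher` and `m->num_ciphers` directly, which the new configure check does not cover, so an OpenSSL variant that also removed those members would still fail to build; whether that matters depends on the forks being targeted, which the page does not show.
```c
static int
find_cipher_by_id(const SSL_METHOD *m, uint16_t cipher)
{
  const SSL_CIPHER *c;
  if (!m)
    return 1; /* No way to search */
#ifdef HAVE_STRUCT_SSL_METHOD_ST_GET_CIPHER_BY_CHAR
  if (m->get_cipher_by_char) {
    /* ... unchanged: two-byte lookup via get_cipher_by_char, tor_assert ... */
    return c != NULL;
  }
#endif
  if (m->get_cipher && m->num_ciphers) {
    /* Some OpenSSL forks dropped get_cipher_by_char; fall back to a
     * linear scan of the method's cipher table. */
    const int n = m->num_ciphers();
    int i;
    for (i = 0; i < n; ++i) {
      c = m->get_cipher(i);
      if (c && (c->id & 0xffff) == cipher)
        return 1;
    }
    return 0;
  }
  return 1; /* No way to search */
}
```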
@@ -1474,16 +1511,7 @@ prune_v2_cipher_list(void)
inp = outp = v2_cipher_list;
while (*inp) {
- unsigned char cipherid[3];
- const SSL_CIPHER *cipher;
- /* Is there no better way to do this? */
- set_uint16(cipherid, htons(*inp));
- cipherid[2] = 0; /* If ssl23_get_cipher_by_char finds no cipher starting
- * with a two-byte 'cipherid', it may look for a v2
- * cipher with the appropriate 3 bytes. */
- cipher = m->get_cipher_by_char(cipherid);
- if (cipher) {
- tor_assert((cipher->id & 0xffff) == *inp);
+ if (find_cipher_by_id(m, *inp)) {
*outp++ = *inp++;
} else {
inp++;
diff --git a/src/or/config.c b/src/or/config.c
index 921d032529..3b37a123af 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -439,6 +439,7 @@ static config_var_t option_vars_[] = {
V(TestingDescriptorMaxDownloadTries, UINT, "8"),
V(TestingMicrodescMaxDownloadTries, UINT, "8"),
V(TestingCertMaxDownloadTries, UINT, "8"),
+ V(TestingDirAuthVoteExit, ROUTERSET, NULL),
V(TestingDirAuthVoteGuard, ROUTERSET, NULL),
VAR("___UsingTestNetworkDefaults", BOOL, UsingTestNetworkDefaults_, "0"),
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index 374cfa6f40..c8f47e648e 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -2169,12 +2169,19 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs,
rs->ipv6_orport = ri->ipv6_orport;
}
- /* Iff we are in a testing network, use TestingDirAuthVoteGuard to
+ /* Iff we are in a testing network, use TestingDirAuthVoteExit to
+ give out Exit flags, and TestingDirAuthVoteGuard to
give out Guard flags. */
- if (options->TestingTorNetwork &&
- routerset_contains_routerstatus(options->TestingDirAuthVoteGuard,
+ if (options->TestingTorNetwork) {
+ if (routerset_contains_routerstatus(options->TestingDirAuthVoteExit,
+ rs, 0)) {
+ rs->is_exit = 1;
+ }
+
+ if (routerset_contains_routerstatus(options->TestingDirAuthVoteGuard,
rs, 0)) {
- rs->is_possible_guard = 1;
+ rs->is_possible_guard = 1;
+ }
}
}
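Review bot: The updated comment says "Iff we are in a testing network" but the block only ever sets `is_exit` and `is_possible_guard`, never clears them, so a relay that already earned the flag keeps it and the override is purely additive; the comment should say so to avoid a reader assuming the routersets replace the normal computation. Suggested wording: `/* In a testing network, additionally grant Exit to nodes listed in TestingDirAuthVoteExit and Guard to nodes in TestingDirAuthVoteGuard. Flags already set by the normal rules are left untouched. */`. The enclosing function set_routerstatus_from_routerinfo starts outside the hunk, so I cannot see whether is_exit is derived earlier in it; if it is, that is the value being preserved here.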
diff --git a/src/or/or.h b/src/or/or.h
index 54cee46ee3..4130ea6351 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -4056,6 +4056,10 @@ typedef struct {
/** Minimum value for the Fast flag threshold on testing networks. */
uint64_t TestingMinFastFlagThreshold;
+ /** Relays in a testing network which should be voted Exit
+ * regardless of exit policy. */
+ routerset_t *TestingDirAuthVoteExit;
+
/** Relays in a testing network which should be voted Guard
* regardless of uptime and bandwidth. */
routerset_t *TestingDirAuthVoteGuard;
diff --git a/src/test/test-network.sh b/src/test/test-network.sh
index 4fe4e639fe..d28fbde80f 100755
--- a/src/test/test-network.sh
+++ b/src/test/test-network.sh
@@ -51,3 +51,8 @@ n=$BOOTSTRAP_TIME; while [ $n -gt 0 ]; do
sleep 1; n=$(expr $n - 1); $ECHO_N .
done; echo ""
./chutney verify $CHUTNEY_NETWORK
+VERIFY_EXIT_STATUS=$?
+# work around a bug/feature in make -j2 (or more)
+# where make hangs if any child processes are still alive
+./chutney stop $CHUTNEY_NETWORK
+exit $VERIFY_EXIT_STATUS
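Review bot: The `./chutney stop` cleanup only runs if the script reaches the new lines; if the bootstrap wait loop or `./chutney verify` is interrupted by a signal, or an earlier command exits the script, the child tor processes are left running and the make -j2 hang this change targets can still occur. Registering the stop as an exit trap right after the network is started covers every exit path while still preserving the verify status, e.g. `trap './chutney stop "$CHUTNEY_NETWORK"' EXIT` placed before the bootstrap loop, after which the explicit stop line becomes unnecessary. The start of the script, including where CHUTNEY_NETWORK is set and whether `set -e` is in effect, is outside the hunk, so the exact placement needs checking there; quoting `"$CHUTNEY_NETWORK"` in the new line would also match the trap form.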