38 files changed, 452 insertions, 77 deletions
diff --git a/changes/bug31356_and_logs b/changes/bug31356_and_logs
new file mode 100644
index 0000000000..fb5307cb69
--- /dev/null
+++ b/changes/bug31356_and_logs
@@ -0,0 +1,11 @@
+ o Minor bugfixes (circuit padding negotiation):
+ - Bump circuit padding protover to explicitly signify that the hs setup
+ machine support is finalized in 0.4.1.x-stable. This also means that
+ 0.4.1.x-alpha clients will not negotiate padding with 0.4.1.x-stable
+ relays, and 0.4.1.x-stable clients will not negotiate padding with
+ 0.4.1.x-alpha relays (or 0.4.0.x relays). Fixes bug 31356;
+ bugfix on 0.4.1.1-alpha.
+ o Minor features (circuit padding logging):
+ - Demote noisy client-side warn log to a protocol warning. Add additional
+ log messages and circuit id fields to help with fixing bug 30992 and any
+ other future issues.
diff --git a/changes/doc31089 b/changes/doc31089
new file mode 100644
index 0000000000..2fc0ba4f7d
--- /dev/null
+++ b/changes/doc31089
@@ -0,0 +1,4 @@
+ o Documentation:
+ - Use RFC 2397 data URL scheme to embed image into tor-exit-notice.html
+ so that operators would no longer have to host it themselves.
+ Closes ticket 31089.
diff --git a/changes/ticket24964 b/changes/ticket24964
new file mode 100644
index 0000000000..171c86eb1d
--- /dev/null
+++ b/changes/ticket24964
@@ -0,0 +1,4 @@
+ o Minor feature (onion service v3):
+ - Do not allow single hop client to fetch or post an HS descriptor from an
+ HSDir. Closes ticket 24964;
+
diff --git a/changes/ticket30979 b/changes/ticket30979
new file mode 100644
index 0000000000..8ae9b3c418
--- /dev/null
+++ b/changes/ticket30979
@@ -0,0 +1,5 @@
+ o Minor features (git hooks):
+ - Our pre-push git hook now checks for a special file
+ before running practracker, so that it only runs on branches
+ that are based on master.
+ Closes ticket 30979.
diff --git a/changes/ticket31030 b/changes/ticket31030
new file mode 100644
index 0000000000..4d99323b4e
--- /dev/null
+++ b/changes/ticket31030
@@ -0,0 +1,3 @@
+ o Minor bugfixes (coverity, tests):
+ - Fix several coverity warnings from our unit tests. Fixes bug 31030;
+ bugfix on 0.2.4.1-alpha, 0.3.2.1-alpha, and 0.4.0.1-alpha.
diff --git a/changes/ticket31175 b/changes/ticket31175
new file mode 100644
index 0000000000..cff13761a4
--- /dev/null
+++ b/changes/ticket31175
@@ -0,0 +1,3 @@
+ o Minor features (development tools):
+ - Our best-practices tracker now looks at headers as well as
+ C files. Closes ticket 31175.
diff --git a/changes/ticket31406 b/changes/ticket31406
new file mode 100644
index 0000000000..0ebe6f6c47
--- /dev/null
+++ b/changes/ticket31406
@@ -0,0 +1,3 @@
+ o Minor features (directory authority):
+ - A new IP address the directory authority "dizum" has been changed. Closes
+ ticket 31406;
diff --git a/contrib/operator-tools/tor-exit-notice.html b/contrib/operator-tools/tor-exit-notice.html
index 7f3d7525d0..f0f9a6344c 100644
--- a/contrib/operator-tools/tor-exit-notice.html
+++ b/contrib/operator-tools/tor-exit-notice.html
@@ -37,15 +37,180 @@ privacy</a> to people who need it most: average computer users. This router IP should be generating no other traffic, unless it has been compromised.</p> -<!-- FIXME: you should consider grabbing your own copy of - how_tor_works_thumb.png and serving it locally. But note that if - you're serving this file with Tor's DirPortFrontPage option, it - can only serve a single file, so you would need to put this image - up on your own webserver somewhere if you want a local copy. --> - <p style="text-align:center"> <a href="https://www.torproject.org/about/overview"> -<img src="https://www.torproject.org/images/how_tor_works_thumb.png" alt="How Tor works" style="border-style:none"/> +<img src="data:image/png;base64, +iVBORw0KGgoAAAANSUhEUgAAAQQAAACQCAMAAADZVuXZAAAABGdBTUEAANbY1E9Y +MgAAABl0RVh0U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAAGAUExURej4 +6Zycm+Hh4XZ2duTk5LS0tfP79OLc3P/r/6iopv///2ZmZgMDAw8PD/b29v39/cTE +whUVFS8vL/Ly8by8uvv7+vn5+CUlJcXCm+/v7xsbGuzs7E5OTq2trASbBVpaWszM +yaKipDk5ONra2iAhH8/OrX9/fPf35vv77j4+Pvj2zPz82Onp6PPz3t7e3ra2n66s +if7+9b+/v+3t7efn529vb9DQ0GNjY4iIiLi9xtfX15aWldTU1Ofmyy6wMZCQjtkG +Bufl4ZTcmYiLjujo4dbVwmppZmvLcd3czoaHhaSstsjIyMTL07Pmt9ny2sjty/// +/EVBPe/x05WcpZGRkVKzV+Pj3vDuw9vasqOfet/extbd5uPivOVXVvr9+dHY35WU +hefm1IjJi8zR2e+bm/vg4C5PMvfFxf3w8DlyQP/4+Nvj6/77/IuTnZ7KolF8Vv39 +/+bi5v/9/HvCgCU7KLm5uMraylZfa3CZdf3//P3//7TQtu3k7ZwICPn9/eLu7gnB +e20AAB3ZSURBVHja7F2JQ9rY1hdCOh/33YRAQhBDIAGJbLJYwAUqFhfUulu1taO1 ++zZdpp193ve9f/0754ZNwG4683yvHjAJycnJvb977pb8chz6x5X8Y+gf5JuXKxCu +QPgYCE5KiEBGs980CKGACSBYRA4ZhA/5v0kQPJRQIsijQZql8qhMv0kQqtRLNSoG +IPtZ3huZ/CZBoH5SclN11BX1gU9Eole9w1UX+a2CIN/cvwny4/6PN9maLW+ep4d4 +908wsG+bBbu4BYvvLjEI/iJRNU3LZBZuOrP7rn2X62Yms0XkgWcfb9Rnw+HwLC7C +jc1rg6+hfrclawto0rWPcnNhYUHbWvD09kn/XECwFopwHDf29xdgq6/ngn37CwzP +hYXW2nPBIIjlLXeJs1a4pclIKBn1BUa9At0vZPpP3WiEw3sPN1o/r/3ZmA3vbW70 +K8rlLQ4sWmAyFEr6mEkv2Vd71PzZrZlyWVJ0t6NScZhuXpHk93JP/jxBv1g2JIXX +Taalg5a4JV80CNKWOblUKiEG2y0QjC1nT2J+b4Rn62qfufW9cPjhcc9OTSIlsFha 
+igCszOQIgLAs9mFFSgAWV2ppeQV3QevRUrOJKpQRx01GIskoaI14qVEoei4WBFkq +nEQikUlMsA0CXGa44Dp1mYez4fr/nWFRrYdnT9eLjLQ1GZkEiYT29p76ApBwQRgA +gkRAZ4mhb19XqCUWegpZrSaUphL6KQNB8jv9F+0JiZMQoBBCP7DT4qW5hKsbgvDe +xkeNboTD3QpavBBBkwBrvfE0wLInbPWBEJQKTAsujblDLasPBLE8lm8qQc1CWwJV +Cln/RXtCYiW5HdreDjEMWKlRPbHf8fjw3qfNXpsNb3ZAMAohNPg06Vtfj0C6R4SB +ICiJ7RATLGIEX+DGHvSDULO1oMoEsM5AEY1lL9wT0itRqAgIAfM2SDB1256wgIW8 +93mGxb02DAhCEuRtfX1zY3O97kVcC4e9IGhKArVYg4AXBq3SIBBWmNK2jRTgCX6a +fXfRnpC2fAwAXzMpVKD5tBMONcK/z4Y3Pts084bGQ2wY02Av6gMQNoY2AARhIAhB +KRH1Rdvgo9ZS+oHYB8IJJC+KWuCmUEaU5tIXXx3SXACTAfWNuSRtgQANf/jOFxkP +4vjhAzSM6SiY8z19GtrY+O3FU8SAJgaDYGOPXo4XLo33gzBuNXVYc4VO5R77C0Cw +RgPsEiN2XQDRx5zgBzAq+lLzdRxEBaU0phlRXV9/ITCbwkAQmmrtC58FAmqNtDD4 +CzwB2gRrZGSUQWBfg+JlXA0cGM5e+0LzOJIM7wEIIyPMYL0OfkDR6CAQ0lDJ8cre +Fvjczg25HwSWuK7k/RXVIWV5mX1MSROE4ZTzj6++xLVflHTAa0vbpJA+/KUXhHg6 +wLLW0bJSN3o9oTp+FzRsnGw4aW784scJqRVMRxcEAMK48xzX+J942id0MLCNpu/s +rfdXh9aFm9dd2ekHIZUXOqaYopL6C9qEu1hnGcqtxNxJuc5xDS2e8qG9Vsk1PeFl +uGssgSAMpwNCN/SU5lPf91WHHUloS7OI/gIQUgcH36PcYcI2D1I/ngeEpsk7TZPM +ZuqOCH3H7EY3CKAUH8477p6crJzczQ/H7xwcHPZ5wsHBnTvDw3lbycwN3/n+4ODC +q4ORy+cd+eE8yDCTu458XsqcY4oSVMBkPgcpH0aTYBcs5iRxExrNh93VYTiHx+PD +TcnlhnPxXhBiCuyOd5SGwbDkumAQ/K41Xnc8WF5cNIxFWCzu53leqZ5nsirHJN59 +iCYXbZMLJs8bLhX6jtnwqfzp7mW4bBzEiP+i6LqixHpnkUVJdytVOC7F45JhVHNu +ni9rFzyLJKLmqubu5ttA35WcRU0+D9R+OeMs37170jFZdbk00UMam6TeGXp4ZFes +nMsjBPH1eDyfm3G6ir33E4gItnK5eEvyejXr1NSLvr3mf6cWlUQhkYC/QgHWEiBw +PqQ9fjE7hsZsSRSWVX/L4my9cxsus18eHxtLJMaYLH9X1Po7Zo9YXF4ea0p6bCw+ +UxTPeWNpAAg3dVZc8XhrCRUwN36uiyy2/KpplFX4VqbaFcIjLaoJURxjXybqsNKH +gaokEqDAVGy9Yz540SCoZUX647jwQ8H/g7+AC/8PJKcsn+caIq/s+9GS/7i1Cip8 +q4I1HnbUFn+HS6KrFPxqQS0oCt/bFoGXKgUVTKjHqqqiX23xynf+CwZBlqZ5RR1j +ONsfNcfz1fNcJujmpw9F8F40iiKO6zzfavE2Wq2CDE2cMTYOFQL+ZFDjQbReQGd4 +PgdHZVAbAzU5AambUS8cBF3Xc+nx9Dh+QdJuXXdXz1PtNLCgL47bglk8dLtXc+1m +v1Ufgrrpdg8bceweFrHNM0H6QKiabjOPKobdMjpAqSxe+N1mR61SqdUqJzWQE7as +6K7zgBBUKjVmDFYnTcMOpe3o4ePWjVa3A2S3An+4cFRMReqt7mqWNysVplbZhQ9u 
+5mIX7Qmqy1BgYDCtoPBsqUjV4HlAEGOS0hKet+1K2XbpzQ61qnvVMNbgUzYMo1w2 +JKkcc/WWsV+bwcNdsmbMaBfdJnhELVMsFjOZTDHDlvgjeK6rwDihyMwwi0VmU+sM +AFpDZ48qBmU5CH9MgrAlqp7+3rZ5EA7jB76i/6J7B7wQfD3wZX8ee8c5xWMb8dgG +PZ5um3sb5N8sl+CB7OzmJQFhW6CKbnZ2U+qzqzMlxOsR2rvZchKmryNdNhxmtF11 +ff/BIFCn5vYKJCCQaAVyKkcILS7B/uTkJBHICEnSIBFGYcPOPXUSjsacpVFCdKrX +3BZRqENNUtNHv5zRsXdZQNCitGa6a5Ye8Eo1pOdEIx676CkRVMGxQkIB96RJ9IiO +nRbNOkOEun1MY8R0R8FjvBkv/PgKVsulAYGSMnXr1pJS9gb5CHi1gx2doT5BQRDc +ZIVWFBeJSQGDgTCDILjZmSUAIUj1edn3dSA0LgsIJqWxIlUoNUZ84Pky1PrsNtSG +DJFKAb9ABKpnKM2QIqUaA4EE6IqEjUiEJnf5JFkSRuUoOs6XU90a65eud/D+7Ulo +1K+6SFJ/6Lk8IHg/0cUFBu302d1mkDvH/Gp243KAYBkVYhGjpApkhVQwR3wJK7+0 +QpYssqKYRHFQaB+IanAe7D1MDZRKFZkatAxNg2NELJe+Ng3dd1v/rb2DGVIE12iV +eiejRFirQRFnoeQVqkeyPhFaTL8gQasn0Qx1ey3Ivy80yY06RzI0S3VoSd0+FQ5+ +ZRr2wpelizRNIRYhmpeGoDeETlJYgmERv0ImvaMwCEgWwe8Ni1AYRgWUEtaNbCg6 +Img4kIgESSwEjvC1IGzOqvbcqCXv2lt+z4Ablv3iuZC7zXSEzggijApgTFimSxHi +otuQJ2WFCCvgByQk0ijkN7SdDZEADyD4RqjkrcGhAICgkSzlaejsMYIoiyKb/Yls +i90/7Dr8poGZW+g/b4uovXNpdX+A/a1zTfXbIFhJEiFWNBYiZpCRmZO4lHXCBxQp +SkrqUiRCuKhTq3i4KjQCAYePWD5eKUHWLUiozw0nn4nBuJbJaAuZhQx+2V+m+1GB +Gma3S7Y8pCBrONNGomNQfE/I+0Jv9sQHP5AtFYyBEnw1DdU853ok0KkOXyhfMlHy +Z4lYNQxJUpo3VySj+l7svoWK/BfZOFYiv5aQnBfa9vmQOSgkE8c93EGPtkwik0uc +VVqyaZYjAqWjBU2+ABD+UlGrW2aJs1i6Q01mZGGsm3sozzLuoLIEGJQiSOFjDEUh +mihke0AoLm9FUKs0GYm0KIYjhfGLAcHim3tC2Ujbr5Py/PSnbayHwx9t31Vjq9Li +hyI7D7k4+2Onihim07KUcNtsx+iLFz/ZvLmAlugHoQBT26W2GnK36MWAINEIX6Uc +8VGZCu5i1BJIhS5Be6m7ynSFeKMh7C8rpESz2aWoANVBwt205cx7JDy7sRc+/iMc +Xr9W72F3iVKhxuihkSard0QQlNMgXAvPhqWEI4R8x1C00fgpwKhb3uWx2AAQbCIj +qD21jdFrC/KFtAnbEuQfxj4zIWck5i1HqpEYrUXlpRjMpXE+7SEwZnAmVZxA+4K1 +aUoCLtq6Zz4bPg5vbOxthGc3r4WHwsenuU2ikbA6DEVWxFQf737Yf4wMLyl9EgK1 +7aivvg46o8jDWOwHYTHhCyEtMhmo16NQFZCzM7ZzMSAsSdRdIYYVBRBmKJmswuho +PiqWYJv6KY6ZHSbN+nTLdBMefIEqNc9I+05pfSNM1vfW12fr9fpGYwAIye0k46Ai +Ow9BcJ8CgTxEEMasZDIZ3Wu82dxcf7jHCEnx9CAQQO3p3oc3mxuohjS3sQvxhBr1 +KQ4cJAjKPI04EQQ6CqNCapZXKM4PRj0kMuIlPoGbhg4SR1QC3nFivrCBbUKY/B4O 
+16+Fw7NDjeNwHwjRpM1QDNi0QMEc//FU7hrh8J9jFraHjfr6hrr5Z4Nx3OLp3jbB +tZgORKPRp3uN9Q0PMkORrtLH+bx8vYNopJF7yOiXNj2P0vx4D/flYRhZpKDx9reH +mxvKh98YHyc+PsATRsDYT3t7HzY33nzYY6Sd8f8IELgmjxFZ26zszIPelwcaStqy +tQLr64EmOW0xFev3BG+bFPm0yVvqozu+83xE3jWfJPSCAG0bm9p//k2eSHNdO3X5 +uR/O8ITR0dPUyNzBqx4QgtAwjjAe40/1+ghlat47qXu9nhBPe9EWWHvYJkXuHHZ7 +gidrmtPTq9MVaXqad+s8f7/6SHr0aFpf5cvGmoR7p/ndVbUfhPrmtQb5sLlO6jiQ +V5Y02c1leTY9LinEsaLAPo9L4edJJSiVVgh1EK5CXJM+nHG/fHxEHj8jTx4fvRwI +QoqzCYreNoMtfqMXBFnaOfEylLxPnzaJaSM7A0EYYXrepz95myy31CnOp8hz3Pz8 +69XXq6u7q6s6vzoNIkm8vgpbPOzc3X3N/fprZ+DeAuF49uFefe9DIzw0O7RORJgZ +a6OS7qvC8NgbY5Posq9KV6I4oTbozChPyyHemqaGgC8GiXPPjp7978u5J3NngGAJ +p4mR9MaTXlIggHBXaPIYW1qBndT9h71tQgqVuric4DCnQPDIqxYHuZ9eW3vkuH/v +3r1Xznuv7r969epeFn7wj9bWpldXX3OlDuWtBcLvs43NjT1oo0k9XCciLVEtSWoj +2yXsCpJ4B1XiiMuSSEgJKRxxV6DXDIVgpJDUGAhk7ujo+Rw5yxNOTvMTKU0f/Njn +Cam80MNj3N45+OdpQrXHFU/1sh1p4LQnyGuO0vz8CnzmYT1fq813pGbBkRVrxbJ2 +Xf7+NoGBsDlbDzcaJEaTNAO1npZgpBiK4E0DKtLRAI6tKQwdRygZodYolQI+qkI3 ++fyIHB0BEHNneUIqlU6l06kuOfhnPwhMDfXSHe0fYRzVxaj2ZOKppgpTZavUwSkQ +VFdZ+qhAuyAZsaDnq3sHB8W7DN3yyUcNfqfuqN0d7shJrWIqvZ2aeN+s1KwurXyt +4nAoQRxHdd2PDiqOSm24W0DNbXQ3zx5VDmrwaQluaRp+g/aCPdLuont9OQgiCZa/ +7BTk5q3l+Nx+FuS7fScvlWPZPtqdP+iMGW6FV3I4287lcooxE4sVxaHwqTeq1Eys +Kin8cA4UUTcnGTMzzuBF3E8Ad8bVs2cDVEL2yiD8qaASS1+Agiq7lIWFmw8ePMDF +gqSJAzgFHlXM5BaXD/FzuLy8bGiiqoJauB4e6gYLjC3OwPFD9l1c/JetdoZUI58N +whx59vL9c+jmXpKXzxFvzeMRg34RHzwqREagQ5I1DY1gEB1PDIpagMjg0VqQBOVP +3dtSh3O6eReJwnnH3Txs5HLD/cn27y9K7hsdWTQWlx/g7ArG5d3VZrGsLN648T18 +mBxKi8sfSUE5QgR8zOyFho56PgrC/6pzR3NzR48fzz2fO3pG/NSiQepz00nsIoPQ +TBIPHYFZBEzj8Tk9hSl3gPdFHSEOmkyf8XEM3sWme/lXC8pib4L8RanvzLhkjyvf +7HXNy6t9aobyMU9QRG434Ao5aTDr+7gnAAhPnhw9noN6MfeEkEkvdpEW9SUBBPak +lUTKJcM5SQNUIjUFXCAQEUYtxUs/fWtONBT+QSIhqgkRliJsLPO80cfXrSq8qqoJ +f6GAK/hsSYpSttVm20NZTZmOb/kTCdBR/QnU3ZJ4Xj7TD5TQUqTi8KluJ4V29uMg +iOAAT46Ons09hnEPkaI61UrEFcCHD0KQgbA0WeKzkZDOBUmWcqPFQC2iR6CDlGHK +6fkECLzOHzYpfAvwt8jzfNnTr8Xr44zn+ByZfmPIUGxj1a4QLtg7LA4hi/H5GKpd 
+Gwa1szitfkqzppCM+ETTsEao+6MgfEeePH/58smT5+9exp7B+N+Ixd45CXGio8c8 +WVJGbl/R73cRA73RWY6RLJkpk4wkymUS+wQIVSiDCrYIbpR8vlJxVLK958iGCQd3 +dnZuHOwwycFvs2X64WxrxKi7TVNhChsHBzs3mJr7fMTev2MW6c8YNneP8QKn2XY/ +KVCM8W6zR/jOexbh1t1mQzfNU4oOk6/Klx4Ejxq0iXsZmxjIGHx9TZknmJ2pzpyW +bIfHyOZ1iFUx1q+m+S89CC3OXvdyIFZiW5qbXf3/tZYr+LFJVG0Ne62qFx1E4tLK +X/jU9j8HhC9+MfW/EoSNKxDIqQnENwvCVZtwBUJ3F/lNgzA0ewUC2WxcgUDq9SsQ +SP3hFQjkX1/UJjwnzx//F4JwHP58AN7PPSYqgDD3+BKBIAY1kHFcaMFx9ihgPPil +L3TOHn6e3tzc8/b2JQJBHRj/uS8shSfDsNLGM5qG3wWErHOH9pdZe74tD5AOH/B5 +LyRPLgkI8uLWCmdZVmlyMrLdjKiV7I/HKFa3JF5ncRZrK/jY0KHL77tuvrDJgz9T +eE/GZySp9eaq5BTJD+9bd+GO5nqMPnl8SUDQ4qRU4jiuhGEuk3ZAtxGS7QtFaKCa +xS2xQJCM36X7u+IxMlcQY4ll1CqVJm0aGBKgYsetF9qffFUC/xYQpC0MoYg0xqdP +f7Kz5+0HIYjxGJdKNlTRwOioV1g5FYoQJ9NqVZ0BJQ6sMconRusTjILB3OrZ8wFX +fzb3SWj+JhAizRiK9foLO9LigKCUQWmrFY+xyVQVLHFBPD2HClYTixHkfEYiL96+ +tUOdCnzCYJ4wN/Dyzx7PXQYQMB6jTWNcr7+w+WtCoQ8ETQI1DDa5nWzGpBRKY6dA +qM/ONqqJP0N2hMu39Q/NAJd3myAMlqO5T3WVf48nJJClmXzx22+bmw9/22M0k0Eg +sHiMdjhGRvGiS6cIir8j5fP+2PA2WAOdt/U3gs2BOkmU/e/mnr0cePXHcyCXAgTo +E5J2PMbN9cbZIETbkRZHMXsAQjct7Q8E4d6YEgWg9hpv1pHziUH9qDVmqFDeP5wx +eAIQnn0+CJ5PyDvPV71ArzUDLb798GZjY/1Ng5FtBocibIVjbEaCXOohKO6Fw9Vx +BRmRjcb65tDQev0t0nasdPkPLO+zGsCXR3OfB4InaL5WeH668maNnzZ1nS8/qj4y +Hj2CrbVyeQ0JYKv87u7XBO7Q4uloM8jl5nqIUjso5eIAEAIBXzsSJJKRSqmeUISN +sJHKYczMFy/evtn85cWLn9DWStp4Mtep+R55zSivVWOPsrEZfFATe/XqO6fTmYWt +bPZeNluNzTxak6oDmCrqo9Kv3Ovd3Qry3pD8Nz29Zk5L06vIe9tF3tvr+Xlu6Wui +nIEn+EYZkdFbr4eapLN0f4zWeDpgh1rsxGPsBYH8+SY1HLDJnL/V39h40pNU+air +8VN5rvR69/VuydzddczXKq+xAOH7+nWFZxw+E/LC/Sr3c5ZEifu1yXvT1+7fv3fv +1b1X+uY9EPhhPgJXgHPnS9WvCF+iDSd8yD2EzL198RNtxWPsbxPSAZuh2GbnWYNC +EcabMTPfNj40OXz5nftHnQbBI69y3C6SF9ce7WJGXkFWfrnXzMobdOpVJDL2Ufgw +do+jBENbC8ar3AojvdVqnE1+W5nnkPcGK8t0ql9VHXxeoRPn82wQfALjMdKW4kmf +J4jVnTgLSdmKyWjHIix3hdL2BHmL2zUBhbW13UeP7qPE7BX8mmYgrO5y3M1+EPyZ +KpLb1hjBbY19mmS3bpn5mtfOMFov7REhfae/TUiFGAG8FXHSOzI8IDLnk3iLytnG +Kp46NU4QszizYMKegLMPzzaakW1ws6oNoPD55TblTWuy3ewVUuC0JhPuq2K4aHEk 
+HB4cfH8nHo8Px+98f4A/B4FgExM7kuoH4dHB99tNujwKtDQB3/epcne6WGwcV7FY +dOECtlwgbGX/tDeC6oAu0uO3n/eqamvdJa1dX/X4Vxs+SKXsb5PImTo4SA0AIY6h +Fu/Y4d4ALvglxQcFpYxjrMYcI4KxM1KnPYH4VVFuvYDZeg+zvaO1T/3EYAkagwud +Ss9MrzoOHzy4gTQUWNwYr7hXpb7WRXSV1/hrhcIPhcRxoaBuZaclo9obblLMKnk3 +EkNZTDtc3HXnc8POM0tH5+x32TPzXzhipNokBTiRR+An6rlf7PcHi1kjXztZbEal +zLvLTlemj1ziUWVt5m5H8k5NlvspnzOG5EiMjeG9lCFYisq0YWTPZqpElBkKXk7K +S2dnZCAIAjKYhckSH1F925P03P8Myy/KMXWLbLWEVMVB9Et1IWvcOFw+vHHjxvLy +jcP4zP6Adz7BVlFy381hhcD4pTmlKH8s3FRkxQoQ6vOWqY/OfDEIk9Sn0SWN+gTx +vBgUWWTWpmCMVqjI/dxHv5R7wPJ/eDizzHiaTxRFHeAvP/KFBIuaiVKIu+SPddsR +KUaNChFik0Swvqg6lJI+frsyaoQooVnunP9MhIi61OeJBt9XeLLOxz0FP0Zb9B9j +XEai9BMUPaL7zuIvdgA+Ow7fncXD/PLZVTYyWaKioAtl6qbKl4BgSFBOSlXKEIn4 +eem8tSHoVpSEmFCRxwllpyYSfqUTj7Gjlud5qRmu8Pn40OB4jKoT0vNDoQAoed7D +Ej5EGuAwbclKkkZivEeOKeK/dSoNuePt3OHi2tBQjtdzff4V5E3TzG20qM07jKg3 +ICilkgMYAc2xhIhxLhM4EDpfLMK/A4RgzmE6zHyO9e05+GDYRbOvXJDIqJ8SXprp +eyuiCjo5xHLHZsju5NyrunH5QWDDWGV6WlLYC1mM0bnWF2kRJj7O7CmJZYt97zGI +MdOBsSgrjoq9cDgqDnPm8oOAw1gMG5HJdFZB8YxAISq2i2yE6setvi5EY1McycAl +LiRjrftNnksLArHjOzZvXJHzBUBRm1McFr2yuSVeePDqb1CuQLgC4QqEKxCuQLgC +4QqEKxA+AsKV/GPoyhEIuQLhCoRPgcBdJ+RW39vFUxxK5/fEbULcnItMdCLBOyb6 +jcWmmL2uo82fvWJyE5+TbLBn31+Y4s74j22xibMucX4QINt696/rnEisqQliTnwK +hKbsfhyEz054r92PJ/OcIJgcZxKrXOUmRBt0sH79NgcFxk1hTM7bLpcFbmC5YlPc +VAx3ViZuTbkmOO62OFHBE9ygzDwBNG5fd+BRNH+bm7ougqFbxDHFldkGAMhxtnHY +F4OfoPQzx7na+1p6aA+ud52Dv1ZiUFkHZTQ6EYM/dsWpWMyyOMfXgoDiuDV1/frU +LfNnnjNv3W5BrDtIjLvOUkN+npgwXZZrhYA7TEDSIE+3retkql0Q1anrLq6MINwG +h/mZHUXzE6Qy8bNJXFPirk54N24w6G3jFXa+wyQOKIef7X0Ondgn2CAAKghuOzGg +XHEQNx8rk6qFyeSuszTFABcrdh5PQK/SJ27ddjgsk2+B4IDsg22WmaoJ7m/pJupf +53DJCvGWxU25On7JPIGdsMuKmJnXJxwIdAzM2Rtsd4UZdzCEYalPEF3fbe1r6dlt +jI4gtBPTUr6ugyvYILA0YZWZOhcIzBOgJlgxO5EdT3DZIIgW1BI3FAuibjEQJnjm +M7ft2l8GC9ZE0xN0d+soywOvExdLvb3R8QSXDUKlma/2vp+bel0gtBPTAsFtkgmu +4wnWuUHYReyh4b9t4ZecbhPsNuw25GkCgIhZrE24Dl4uWrfgtNvXJ1hV1Fttggtr +MTvaAgGrryVC6u0NtrtZ/095QntfS68LhHZiWsq3OM7NibdYm7CCbQIDYcJxNU64 
+GixdgXAFwhUIny3/L8AAEAy9MIp/F7YAAAAASUVORK5CYII=" +alt="How Tor works" style="border-style:none"/> </a></p> <p> diff --git a/doc/tor.1.txt b/doc/tor.1.txt index f357fa3335..362c409903 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -2973,7 +2973,7 @@ The following options are used to configure a hidden service. [[HiddenServiceExportCircuitID]] **HiddenServiceExportCircuitID** __protocol__:: The onion service will use the given protocol to expose the global circuit - identifier of each inbound client circuit via the selected protocol. The only + identifier of each inbound client circuit. The only protocol supported right now \'haproxy'. This option is only for v3 services. (Default: none) + + @@ -2990,12 +2990,12 @@ The following options are used to configure a hidden service. + global_circuit_id = (0xAA << 24) + (0xBB << 16) + (0xCC << 8) + 0xDD; + + - In the case above, where the last 32-bit is 0xffffffff, the global circuit + In the case above, where the last 32-bits are 0xffffffff, the global circuit identifier would be 4294967295. You can use this value together with Tor's - control port where it is possible to terminate a circuit given the global - circuit identifier. For more information about this see controls-spec.txt. + + control port to terminate particular circuits using their global + circuit identifiers. For more information about this see control-spec.txt. + + - The HAProxy version 1 proxy protocol is described in detail at + The HAProxy version 1 protocol is described in detail at https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt [[HiddenServiceMaxStreams]] **HiddenServiceMaxStreams** __N__:: diff --git a/scripts/git/pre-push.git-hook b/scripts/git/pre-push.git-hook index 71abc9aa2b..40a3bffa79 100755 --- a/scripts/git/pre-push.git-hook +++ b/scripts/git/pre-push.git-hook 
@@ -28,10 +28,14 @@ if [ -x "$workdir/.git/hooks/pre-commit" ]; then fi fi -if [ -e scripts/maint/practracker/practracker.py ]; then - if ! python3 ./scripts/maint/practracker/practracker.py "$workdir"; then - exit 1 - fi +PT_DIR=scripts/maint/practracker + +if [ -e "${PT_DIR}/practracker.py" ]; then + if [ -e "${PT_DIR}/.enable_practracker_in_hooks" ]; then + if ! python3 "${PT_DIR}/practracker.py" "$workdir"; then + exit 1 + fi + fi fi remote="$1" @@ -104,4 +108,3 @@ do done exit 0 - diff --git a/scripts/maint/practracker/.enable_practracker_in_hooks b/scripts/maint/practracker/.enable_practracker_in_hooks new file mode 100644 index 0000000000..a9e707f5da --- /dev/null +++ b/scripts/maint/practracker/.enable_practracker_in_hooks @@ -0,0 +1 @@ +This file is present to tell our git hooks to run practracker on this branch. diff --git a/scripts/maint/practracker/exceptions.txt b/scripts/maint/practracker/exceptions.txt index 75a8b50967..4f3943f21c 100644 --- a/scripts/maint/practracker/exceptions.txt +++ b/scripts/maint/practracker/exceptions.txt @@ -45,6 +45,7 @@ problem function-size /src/app/config/config.c:parse_dir_fallback_line() 101 problem function-size /src/app/config/config.c:parse_port_config() 446 problem function-size /src/app/config/config.c:parse_ports() 168 problem function-size /src/app/config/config.c:getinfo_helper_config() 113 +problem file-size /src/app/config/or_options_st.h 1112 problem include-count /src/app/main/main.c 68 problem function-size /src/app/main/main.c:dumpstats() 102 problem function-size /src/app/main/main.c:tor_init() 137 
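Review bot: When the marker file is absent the hook now skips practracker without saying so, and nothing in the script explains what `.enable_practracker_in_hooks` is for. A comment above the inner test, e.g. `# Only run practracker on branches that ship the marker file (those based on master).`, would keep the reason next to the check. The two nested existence tests could also be a single condition: `if [ -e "${PT_DIR}/practracker.py" ] && [ -e "${PT_DIR}/.enable_practracker_in_hooks" ]; then`.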
@@ -67,6 +68,7 @@ problem include-count /src/core/mainloop/mainloop.c 63 problem function-size /src/core/mainloop/mainloop.c:conn_close_if_marked() 108 problem function-size /src/core/mainloop/mainloop.c:run_connection_housekeeping() 123 problem file-size /src/core/or/channel.c 3487 +problem file-size /src/core/or/channel.h 780 problem function-size /src/core/or/channeltls.c:channel_tls_handle_var_cell() 160 problem function-size /src/core/or/channeltls.c:channel_tls_process_versions_cell() 170 problem function-size /src/core/or/channeltls.c:channel_tls_process_netinfo_cell() 214 @@ -86,6 +88,7 @@ problem function-size /src/core/or/circuitmux.c:circuitmux_set_policy() 109 problem function-size /src/core/or/circuitmux.c:circuitmux_attach_circuit() 113 problem file-size /src/core/or/circuitpadding.c 3043 problem function-size /src/core/or/circuitpadding.c:circpad_machine_schedule_padding() 107 +problem file-size /src/core/or/circuitpadding.h 809 problem function-size /src/core/or/circuitpadding_machines.c:circpad_machine_relay_hide_intro_circuits() 103 problem function-size /src/core/or/circuitpadding_machines.c:circpad_machine_client_hide_rend_circuits() 112 problem function-size /src/core/or/circuitstats.c:circuit_build_times_parse_state() 123 
@@ -114,11 +117,13 @@ problem include-count /src/core/or/connection_or.c 51 problem function-size /src/core/or/connection_or.c:connection_or_group_set_badness_() 105 problem function-size /src/core/or/connection_or.c:connection_or_client_learned_peer_id() 142 problem function-size /src/core/or/connection_or.c:connection_or_compute_authenticate_cell_body() 231 +problem file-size /src/core/or/or.h 1103 +problem include-count /src/core/or/or.h 49 problem file-size /src/core/or/policies.c 3249 problem function-size /src/core/or/policies.c:policy_summarize() 107 problem function-size /src/core/or/protover.c:protover_all_supported() 117 -problem file-size /src/core/or/relay.c 3263 -problem function-size /src/core/or/relay.c:circuit_receive_relay_cell() 126 +problem file-size /src/core/or/relay.c 3264 +problem function-size /src/core/or/relay.c:circuit_receive_relay_cell() 127 problem function-size /src/core/or/relay.c:relay_send_command_from_edge_() 109 problem function-size /src/core/or/relay.c:connection_ap_process_end_not_open() 192 problem function-size /src/core/or/relay.c:connection_edge_process_relay_cell_not_open() 137 @@ -136,6 +141,7 @@ problem function-size /src/feature/client/dnsserv.c:evdns_server_callback() 153 problem file-size /src/feature/client/entrynodes.c 3824 problem function-size /src/feature/client/entrynodes.c:entry_guards_upgrade_waiting_circuits() 155 problem function-size /src/feature/client/entrynodes.c:entry_guard_parse_from_state() 246 +problem file-size /src/feature/client/entrynodes.h 639 problem function-size /src/feature/client/transports.c:handle_proxy_line() 108 problem function-size /src/feature/client/transports.c:parse_method_line_helper() 110 problem function-size /src/feature/client/transports.c:create_managed_proxy_environment() 109 
@@ -277,3 +283,4 @@ problem function-size /src/tools/tor-gencert.c:parse_commandline() 111 problem function-size /src/tools/tor-resolve.c:build_socks5_resolve_request() 102 problem function-size /src/tools/tor-resolve.c:do_resolve() 171 problem function-size /src/tools/tor-resolve.c:main() 112 + diff --git a/scripts/maint/practracker/metrics.py b/scripts/maint/practracker/metrics.py index 82f1cd64e9..9f69b2ac1f 100644 --- a/scripts/maint/practracker/metrics.py +++ b/scripts/maint/practracker/metrics.py @@ -27,7 +27,9 @@ def get_function_lines(f): # Skip lines that look like they are defining functions with these # names: they aren't real function definitions. - REGEXP_CONFUSE_TERMS = {"MOCK_IMPL", "ENABLE_GCC_WARNINGS", "ENABLE_GCC_WARNING", "DUMMY_TYPECHECK_INSTANCE", + REGEXP_CONFUSE_TERMS = {"MOCK_IMPL", "MOCK_DECL", "HANDLE_DECL", + "ENABLE_GCC_WARNINGS", "ENABLE_GCC_WARNING", + "DUMMY_TYPECHECK_INSTANCE", "DISABLE_GCC_WARNING", "DISABLE_GCC_WARNINGS"} in_function = False diff --git a/scripts/maint/practracker/practracker.py b/scripts/maint/practracker/practracker.py index 7e51edb48f..0fdfd4a40a 100755 --- a/scripts/maint/practracker/practracker.py +++ b/scripts/maint/practracker/practracker.py @@ -35,6 +35,10 @@ MAX_FILE_SIZE = 3000 # lines MAX_FUNCTION_SIZE = 100 # lines # Recommended number of #includes MAX_INCLUDE_COUNT = 50 +# Recommended file size for headers +MAX_H_FILE_SIZE = 500 +# Recommended include count for headers +MAX_H_INCLUDE_COUNT = 15 # Map from problem type to functions that adjust for tolerance TOLERANCE_FNS = { 
@@ -161,8 +165,12 @@ def main(argv): help="Make all warnings into errors") parser.add_argument("--terse", action="store_true", help="Do not emit helpful instructions.") + parser.add_argument("--max-h-file-size", default=MAX_H_FILE_SIZE, + help="Maximum lines per .H file") + parser.add_argument("--max-h-include-count", default=MAX_H_INCLUDE_COUNT, + help="Maximum includes per .H file") parser.add_argument("--max-file-size", default=MAX_FILE_SIZE, - help="Maximum lines per C file size") + help="Maximum lines per C file") parser.add_argument("--max-include-count", default=MAX_INCLUDE_COUNT, help="Maximum includes per C file") parser.add_argument("--max-function-size", default=MAX_FUNCTION_SIZE, @@ -180,9 +188,11 @@ def main(argv): # 0) Configure our thresholds of "what is a problem actually" filt = problem.ProblemFilter() - filt.addThreshold(problem.FileSizeItem("*", int(args.max_file_size))) - filt.addThreshold(problem.IncludeCountItem("*", int(args.max_include_count))) - filt.addThreshold(problem.FunctionSizeItem("*", int(args.max_function_size))) + filt.addThreshold(problem.FileSizeItem("*.c", int(args.max_file_size))) + filt.addThreshold(problem.IncludeCountItem("*.c", int(args.max_include_count))) + filt.addThreshold(problem.FileSizeItem("*.h", int(args.max_h_file_size))) + filt.addThreshold(problem.IncludeCountItem("*.h", int(args.max_h_include_count))) + filt.addThreshold(problem.FunctionSizeItem("*.c", int(args.max_function_size))) # 1) Get all the .c files we care about files_list = util.get_tor_c_files(TOR_TOPDIR) diff --git a/scripts/maint/practracker/problem.py b/scripts/maint/practracker/problem.py index 73519d446f..13c8e55143 100644 --- a/scripts/maint/practracker/problem.py +++ b/scripts/maint/practracker/problem.py 
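Review bot: The help strings for the two new options say `.H file`, while the thresholds registered further down are keyed on lowercase `"*.h"`; `help="Maximum lines per .h file"` and `help="Maximum includes per .h file"` would match what is actually checked. Both options also reach `int()` as raw strings, as the older options do, so a non-numeric value ends in a traceback rather than a usage error; adding `type=int` to the new `add_argument` calls would avoid that. In the next hunk the context comment `# 1) Get all the .c files we care about` is now stale, since headers are included. main's body continues outside these hunks.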
@@ -108,10 +108,11 @@ class ProblemFilter(object): self.thresholds = dict() def addThreshold(self, item): - self.thresholds[item.get_type()] = item + self.thresholds[(item.get_type(),item.get_file_type())] = item def matches(self, item): - filt = self.thresholds.get(item.get_type(), None) + key = (item.get_type(), item.get_file_type()) + filt = self.thresholds.get(key, None) if filt is None: return False return item.is_worse_than(filt) @@ -158,6 +159,12 @@ class Item(object): def get_type(self): return self.problem_type + def get_file_type(self): + if self.problem_location.endswith(".h"): + return "*.h" + else: + return "*.c" + class FileSizeItem(Item): """ Denotes a problem with the size of a .c file. diff --git a/scripts/maint/practracker/util.py b/scripts/maint/practracker/util.py index 5a8876a0f6..695668f561 100644 --- a/scripts/maint/practracker/util.py +++ b/scripts/maint/practracker/util.py @@ -5,12 +5,14 @@ import os EXCLUDE_SOURCE_DIRS = {"src/test/", "src/trunnel/", "src/rust/", "src/ext/", ".git/"} +EXCLUDE_FILES = {"orconfig.h"} + def _norm(p): return os.path.normcase(os.path.normpath(p)) def get_tor_c_files(tor_topdir): """ - Return a list with the .c filenames we want to get metrics of. + Return a list with the .c and .h filenames we want to get metrics of. """ files_list = [] exclude_dirs = { _norm(os.path.join(tor_topdir, p)) for p in EXCLUDE_SOURCE_DIRS } @@ -23,8 +25,10 @@ def get_tor_c_files(tor_topdir): directories.sort() filenames.sort() for filename in filenames: - # We only care about .c files - if not filename.endswith(".c"): + # We only care about .c and .h files + if not (filename.endswith(".c") or filename.endswith(".h")): + continue + if filename in EXCLUDE_FILES: continue full_path = os.path.join(root,filename) diff --git a/src/app/config/auth_dirs.inc b/src/app/config/auth_dirs.inc index 08a919b053..278f08bfcf 100644 --- a/src/app/config/auth_dirs.inc +++ b/src/app/config/auth_dirs.inc 
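Review bot: `Item.get_file_type` has no docstring and classifies by `endswith(".h")`, so every location that is not a bare header path falls through to `"*.c"`. If function-size locations have the `path:function()` form shown in exceptions.txt, a function defined in a header is keyed as `"*.c"` and is only checked because the function-size threshold happens to be registered under `"*.c"` as well. A docstring such as `"""Return "*.h" for header paths and "*.c" for everything else; used as part of the ProblemFilter key."""` would make that fallback explicit for whoever next adds a threshold. The class body continues outside the hunk.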
@@ -7,7 +7,7 @@ "86.59.21.38:80 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D", "dizum orport=443 " "v3ident=E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 " - "194.109.206.212:80 7EA6 EAD6 FD83 083C 538F 4403 8BBF A077 587D D755", + "45.66.33.45:80 7EA6 EAD6 FD83 083C 538F 4403 8BBF A077 587D D755", "Serge orport=9001 bridge " "66.111.2.131:9030 BA44 A889 E64B 93FA A2B1 14E0 2C2A 279A 8555 C533", "gabelmoo orport=443 " diff --git a/src/core/or/circuitpadding.c b/src/core/or/circuitpadding.c index 47870bcaa1..99c68d5f6b 100644 --- a/src/core/or/circuitpadding.c +++ b/src/core/or/circuitpadding.c @@ -138,6 +138,11 @@ static void circpad_circuit_machineinfo_free_idx(circuit_t *circ, int idx) { if (circ->padding_info[idx]) { + log_fn(LOG_INFO,LD_CIRC, "Freeing padding info idx %d on circuit %u (%d)", + idx, CIRCUIT_IS_ORIGIN(circ) ? + TO_ORIGIN_CIRCUIT(circ)->global_identifier : 0, + circ->purpose); + tor_free(circ->padding_info[idx]->histogram); timer_free(circ->padding_info[idx]->padding_timer); tor_free(circ->padding_info[idx]); @@ -210,8 +215,9 @@ circpad_marked_circuit_for_padding(circuit_t *circ, int reason) } log_info(LD_CIRC, "Circuit %d is not marked for close because of a " - "pending padding machine.", CIRCUIT_IS_ORIGIN(circ) ? - TO_ORIGIN_CIRCUIT(circ)->global_identifier : 0); + "pending padding machine in index %d.", + CIRCUIT_IS_ORIGIN(circ) ? + TO_ORIGIN_CIRCUIT(circ)->global_identifier : 0, i); /* If the machine has had no network events at all within the * last circpad_delay_t timespan, it's in some deadlock state. 
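Review bot: The expression `CIRCUIT_IS_ORIGIN(x) ? TO_ORIGIN_CIRCUIT(x)->global_identifier : 0` is written out in full in this new log call in circpad_circuit_machineinfo_free_idx and again in most of the later circuitpadding.c hunks (state length, callback, schedule_padding, transitioned_to_end, spec_transition, add_matching_machines). A small file-local helper would keep the log calls readable and give one place to change if the "0 for non-origin" convention is ever revisited. The return type below assumes the identifier is a 32-bit unsigned value, as the `%u` specifiers suggest.
```c
/* Circuit id for log messages: the global identifier of an origin
 * circuit, or 0 for any other circuit. */
static uint32_t
circpad_circ_id_for_log(circuit_t *circ)
{
  return CIRCUIT_IS_ORIGIN(circ) ?
    TO_ORIGIN_CIRCUIT(circ)->global_identifier : 0;
}

    /* … in circpad_circuit_machineinfo_free_idx … */
    log_fn(LOG_INFO,LD_CIRC, "Freeing padding info idx %d on circuit %u (%d)",
           idx, circpad_circ_id_for_log(circ), circ->purpose);
```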
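Review bot: The two messages in circpad_marked_circuit_for_padding still print the circuit id with `%d` (`"Circuit %d is not marked for close…"` in this hunk and `"Circuit %d was not marked for close…"` in the next one), while every other message this commit touches prints the same `global_identifier` expression with `%u`. The added `i` argument is correctly `%d`, but the id conversion should become `%u` in both strings so the specifier matches how the value is treated elsewhere and the log fields stay uniform for anyone grepping by circuit id. The function body continues outside both hunks.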
@@ -222,10 +228,11 @@ circpad_marked_circuit_for_padding(circuit_t *circ, int reason) if (circ->padding_info[i]->last_cell_time_sec + (time_t)CIRCPAD_DELAY_MAX_SECS < approx_time()) { log_notice(LD_BUG, "Circuit %d was not marked for close because of a " - "pending padding machine for over an hour. Circuit is a %s", + "pending padding machine in index %d for over an hour. " + "Circuit is a %s", CIRCUIT_IS_ORIGIN(circ) ? TO_ORIGIN_CIRCUIT(circ)->global_identifier : 0, - circuit_purpose_to_string(circ->purpose)); + i, circuit_purpose_to_string(circ->purpose)); return 0; // abort timer reached; mark the circuit for close now } @@ -524,7 +531,9 @@ circpad_choose_state_length(circpad_machine_runtime_t *mi) mi->state_length = clamp_double_to_int64(length); - log_info(LD_CIRC, "State length sampled to %"PRIu64".", mi->state_length); + log_info(LD_CIRC, "State length sampled to %"PRIu64" for circuit %u", + mi->state_length, CIRCUIT_IS_ORIGIN(mi->on_circ) ? + TO_ORIGIN_CIRCUIT(mi->on_circ)->global_identifier : 0); } /** @@ -1206,7 +1215,9 @@ circpad_send_padding_cell_for_callback(circpad_machine_runtime_t *mi) /* Make sure circuit didn't close on us */ if (mi->on_circ->marked_for_close) { log_fn(LOG_INFO,LD_CIRC, - "Padding callback on a circuit marked for close. Ignoring."); + "Padding callback on circuit marked for close (%u). Ignoring.", + CIRCUIT_IS_ORIGIN(mi->on_circ) ? + TO_ORIGIN_CIRCUIT(mi->on_circ)->global_identifier : 0); return CIRCPAD_STATE_CHANGED; } @@ -1417,7 +1428,9 @@ circpad_machine_schedule_padding,(circpad_machine_runtime_t *mi)) // Don't pad in end (but also don't cancel any previously // scheduled padding either). if (mi->current_state == CIRCPAD_STATE_END) { - log_fn(LOG_INFO, LD_CIRC, "Padding end state"); + log_fn(LOG_INFO, LD_CIRC, "Padding end state on circuit %u", + CIRCUIT_IS_ORIGIN(mi->on_circ) ? + TO_ORIGIN_CIRCUIT(mi->on_circ)->global_identifier : 0); return CIRCPAD_STATE_UNCHANGED; } 
@@ -1457,7 +1470,9 @@ circpad_machine_schedule_padding,(circpad_machine_runtime_t *mi)) } else { mi->padding_scheduled_at_usec = 1; } - log_fn(LOG_INFO,LD_CIRC,"\tPadding in %u usec", in_usec); + log_fn(LOG_INFO,LD_CIRC,"\tPadding in %u usec on circuit %u", in_usec, + CIRCUIT_IS_ORIGIN(mi->on_circ) ? + TO_ORIGIN_CIRCUIT(mi->on_circ)->global_identifier : 0); // Don't schedule if we have infinite delay. if (in_usec == CIRCPAD_DELAY_INFINITE) { @@ -1481,7 +1496,9 @@ circpad_machine_schedule_padding,(circpad_machine_runtime_t *mi)) timeout.tv_sec = in_usec/TOR_USEC_PER_SEC; timeout.tv_usec = (in_usec%TOR_USEC_PER_SEC); - log_fn(LOG_INFO, LD_CIRC, "\tPadding in %u sec, %u usec", + log_fn(LOG_INFO, LD_CIRC, "\tPadding circuit %u in %u sec, %u usec", + CIRCUIT_IS_ORIGIN(mi->on_circ) ? + TO_ORIGIN_CIRCUIT(mi->on_circ)->global_identifier : 0, (unsigned)timeout.tv_sec, (unsigned)timeout.tv_usec); if (mi->padding_timer) { @@ -1512,6 +1529,12 @@ static void circpad_machine_spec_transitioned_to_end(circpad_machine_runtime_t *mi) { const circpad_machine_spec_t *machine = CIRCPAD_GET_MACHINE(mi); + circuit_t *on_circ = mi->on_circ; + + log_fn(LOG_INFO,LD_CIRC, "Padding machine in end state on circuit %u (%d)", + CIRCUIT_IS_ORIGIN(on_circ) ? + TO_ORIGIN_CIRCUIT(on_circ)->global_identifier : 0, + on_circ->purpose); /* * We allow machines to shut down and delete themselves as opposed @@ -1527,7 +1550,6 @@ circpad_machine_spec_transitioned_to_end(circpad_machine_runtime_t *mi) * here does. */ if (machine->should_negotiate_end) { - circuit_t *on_circ = mi->on_circ; if (machine->is_origin_side) { /* We free the machine info here so that we can be replaced * by a different machine. But we must leave the padding_machine 
@@ -1593,7 +1615,9 @@ circpad_machine_spec_transition,(circpad_machine_runtime_t *mi, * a transition to itself. All non-specified events are ignored. */ log_fn(LOG_INFO, LD_CIRC, - "Circpad machine %d transitioning from %u to %u", + "Circuit %u circpad machine %d transitioning from %u to %u", + CIRCUIT_IS_ORIGIN(mi->on_circ) ? + TO_ORIGIN_CIRCUIT(mi->on_circ)->global_identifier : 0, mi->machine_index, mi->current_state, s); /* If this is not the same state, switch and init tokens, @@ -2147,7 +2171,10 @@ circpad_add_matching_machines(origin_circuit_t *on_circ, if (circpad_negotiate_padding(on_circ, machine->machine_num, machine->target_hopnum, CIRCPAD_COMMAND_START) < 0) { - log_info(LD_CIRC, "Padding not negotiated. Cleaning machine"); + log_info(LD_CIRC, + "Padding not negotiated. Cleaning machine from circuit %u", + CIRCUIT_IS_ORIGIN(circ) ? + TO_ORIGIN_CIRCUIT(circ)->global_identifier : 0); circpad_circuit_machineinfo_free_idx(circ, i); circ->padding_machine[i] = NULL; on_circ->padding_negotiation_failed = 1; @@ -2732,8 +2759,9 @@ circpad_node_supports_padding(const node_t *node) { if (node->rs) { log_fn(LOG_INFO, LD_CIRC, "Checking padding: %s", - node->rs->pv.supports_padding ? "supported" : "unsupported"); - return node->rs->pv.supports_padding; + node->rs->pv.supports_hs_setup_padding ? + "supported" : "unsupported"); + return node->rs->pv.supports_hs_setup_padding; } log_fn(LOG_INFO, LD_CIRC, "Empty routerstatus in padding check"); @@ -2810,8 +2838,9 @@ circpad_negotiate_padding(origin_circuit_t *circ, &type)) < 0) return -1; - log_fn(LOG_INFO,LD_CIRC, "Negotiating padding on circuit %u (%d)", - circ->global_identifier, TO_CIRCUIT(circ)->purpose); + log_fn(LOG_INFO,LD_CIRC, + "Negotiating padding on circuit %u (%d), command %d", + circ->global_identifier, TO_CIRCUIT(circ)->purpose, command); return circpad_send_command_to_hop(circ, target_hopnum, RELAY_COMMAND_PADDING_NEGOTIATE, 
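Review bot: In circpad_add_matching_machines the new message derives the id with `CIRCUIT_IS_ORIGIN(circ) ? TO_ORIGIN_CIRCUIT(circ)->global_identifier : 0`, although `on_circ` is already an `origin_circuit_t *` in this function: it is passed to circpad_negotiate_padding just above and dereferenced for `padding_negotiation_failed` a few lines later. Presumably `circ` is the same circuit, in which case `on_circ->global_identifier` says the same thing without the runtime cast and the unreachable `: 0` branch. The function starts and ends outside the hunk.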
@@ -2874,7 +2903,8 @@ circpad_handle_padding_negotiate(circuit_t *circ, cell_t *cell) if (CIRCUIT_IS_ORIGIN(circ)) { log_fn(LOG_PROTOCOL_WARN, LD_CIRC, - "Padding negotiate cell unsupported at origin."); + "Padding negotiate cell unsupported at origin (circuit %u)", + TO_ORIGIN_CIRCUIT(circ)->global_identifier); return -1; } @@ -2941,21 +2971,24 @@ circpad_handle_padding_negotiated(circuit_t *circ, cell_t *cell, /* Verify this came from the expected hop */ if (!circpad_padding_is_from_expected_hop(circ, layer_hint)) { - log_fn(LOG_WARN, LD_CIRC, - "Padding negotiated cell from wrong hop!"); + log_fn(LOG_PROTOCOL_WARN, LD_CIRC, + "Padding negotiated cell from wrong hop on circuit %u", + TO_ORIGIN_CIRCUIT(circ)->global_identifier); return -1; } if (circpad_negotiated_parse(&negotiated, cell->payload+RELAY_HEADER_SIZE, CELL_PAYLOAD_SIZE-RELAY_HEADER_SIZE) < 0) { log_fn(LOG_PROTOCOL_WARN, LD_CIRC, - "Received malformed PADDING_NEGOTIATED cell; " - "dropping."); + "Received malformed PADDING_NEGOTIATED cell on circuit %u; " + "dropping.", TO_ORIGIN_CIRCUIT(circ)->global_identifier); return -1; } if (negotiated->command == CIRCPAD_COMMAND_STOP) { - log_info(LD_CIRC, "Received STOP command on PADDING_NEGOTIATED"); + log_info(LD_CIRC, + "Received STOP command on PADDING_NEGOTIATED for circuit %u", + TO_ORIGIN_CIRCUIT(circ)->global_identifier); /* There may not be a padding_info here if we shut down the * machine in circpad_shutdown_old_machines(). Or, if * circpad_add_matching_matchines() added a new machine, 
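Review bot: The wrong-hop check in circpad_handle_padding_negotiated() is demoted from `LOG_WARN` to `LOG_PROTOCOL_WARN` with no comment explaining why. As I understand LOG_PROTOCOL_WARN, a PADDING_NEGOTIATED cell from an unexpected hop will then no longer show up at the default log level. The changes entry calls the old message noisy and ties the extra logging to bug 30992; if that is the reason, say so next to the call so a later reader does not restore the warning, e.g. `/* Protocol warning only: noisy in practice (see bug 30992) and triggered by the peer. */`. The new messages also call `TO_ORIGIN_CIRCUIT(circ)` unconditionally, which relies on an origin check earlier in the function, outside the hunk.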
@@ -2969,7 +3002,9 @@ circpad_handle_padding_negotiated(circuit_t *circ, cell_t *cell, free_circ_machineinfos_with_machine_num(circ, negotiated->machine_type); TO_ORIGIN_CIRCUIT(circ)->padding_negotiation_failed = 1; log_fn(LOG_PROTOCOL_WARN, LD_CIRC, - "Middle node did not accept our padding request."); + "Middle node did not accept our padding request on circuit %u (%d)", + TO_ORIGIN_CIRCUIT(circ)->global_identifier, + circ->purpose); } circpad_negotiated_free(negotiated); diff --git a/src/core/or/or.h b/src/core/or/or.h index db6d089582..ab258629a6 100644 --- a/src/core/or/or.h +++ b/src/core/or/or.h @@ -841,8 +841,8 @@ typedef struct protover_summary_flags_t { unsigned int supports_v3_rendezvous_point: 1; /** True iff this router has a protocol list that allows clients to - * negotiate link-level padding. Requires Padding>=1. */ - unsigned int supports_padding : 1; + * negotiate hs circuit setup padding. Requires Padding>=2. */ + unsigned int supports_hs_setup_padding : 1; } protover_summary_flags_t; typedef struct routerinfo_t routerinfo_t; diff --git a/src/core/or/protover.c b/src/core/or/protover.c index e12919f0a8..ccd33fabf7 100644 --- a/src/core/or/protover.c +++ b/src/core/or/protover.c @@ -402,7 +402,7 @@ protover_get_supported_protocols(void) #endif "Microdesc=1-2 " "Relay=1-2 " - "Padding=1 " + "Padding=2 " "FlowCtrl=1"; } diff --git a/src/core/or/protover.h b/src/core/or/protover.h index d8e541735f..af45a31aeb 100644 --- a/src/core/or/protover.h +++ b/src/core/or/protover.h @@ -28,6 +28,8 @@ struct smartlist_t; #define PROTOVER_HS_INTRO_V3 4 /** The protover version number that signifies HSv3 rendezvous point support */ #define PROTOVER_HS_RENDEZVOUS_POINT_V3 2 +/** The protover that signals support for HS circuit setup padding machines */ +#define PROTOVER_HS_SETUP_PADDING 2 /** List of recognized subprotocols. */ /// C_RUST_COUPLED: src/rust/protover/ffi.rs `translate_to_rust` 
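Review bot: The updated comment on `supports_hs_setup_padding` in or.h says `Requires Padding>=2`, but the flag is filled in versions.c by `protocol_list_supports_protocol(protocols, PRT_PADDING, PROTOVER_HS_SETUP_PADDING)`. That call looks like a lookup of one specific version rather than a minimum, though its definition is not on this page. If an exact match is intended, the comment should say so: `* negotiate hs circuit setup padding. Requires Padding=2 (PROTOVER_HS_SETUP_PADDING). */`. It would also help to note there that a relay advertising only `Padding=1` is now treated as not supporting padding, which is the behaviour change the changes file describes.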
diff --git a/src/core/or/relay.c b/src/core/or/relay.c index d66caf3ad0..a437b54792 100644 --- a/src/core/or/relay.c +++ b/src/core/or/relay.c @@ -265,8 +265,8 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ, if (cell_direction == CELL_DIRECTION_OUT) { ++stats_n_relay_cells_delivered; log_debug(LD_OR,"Sending away from origin."); - if ((reason = connection_edge_process_relay_cell(cell, circ, conn, NULL)) - < 0) { + reason = connection_edge_process_relay_cell(cell, circ, conn, NULL); + if (reason < 0) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "connection_edge_process_relay_cell (away from origin) " "failed."); @@ -276,8 +276,9 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ, if (cell_direction == CELL_DIRECTION_IN) { ++stats_n_relay_cells_delivered; log_debug(LD_OR,"Sending to origin."); - if ((reason = connection_edge_process_relay_cell(cell, circ, conn, - layer_hint)) < 0) { + reason = connection_edge_process_relay_cell(cell, circ, conn, + layer_hint); + if (reason < 0) { /* If a client is trying to connect to unknown hidden service port, * END_CIRC_AT_ORIGIN is sent back so we can then close the circuit. * Do not log warn as this is an expected behavior for a service. */ diff --git a/src/core/or/versions.c b/src/core/or/versions.c index 2a572d4704..06417bb4eb 100644 --- a/src/core/or/versions.c +++ b/src/core/or/versions.c @@ -448,8 +448,9 @@ memoize_protover_summary(protover_summary_flags_t *out, out->supports_v3_rendezvous_point = protocol_list_supports_protocol(protocols, PRT_HSREND, PROTOVER_HS_RENDEZVOUS_POINT_V3); - out->supports_padding = - protocol_list_supports_protocol(protocols, PRT_PADDING, 1); + out->supports_hs_setup_padding = + protocol_list_supports_protocol(protocols, PRT_PADDING, + PROTOVER_HS_SETUP_PADDING); protover_summary_flags_t *new_cached = tor_memdup(out, sizeof(*out)); cached = strmap_set(protover_summary_map, protocols, new_cached); 
diff --git a/src/feature/dirauth/keypin.c b/src/feature/dirauth/keypin.c index 667feb2c03..3ca2c3ef91 100644 --- a/src/feature/dirauth/keypin.c +++ b/src/feature/dirauth/keypin.c @@ -438,7 +438,7 @@ keypin_load_journal_impl(const char *data, size_t size) tor_log(severity, LD_DIRSERV, "Loaded %d entries from keypin journal. " "Found %d corrupt lines (ignored), %d duplicates (harmless), " - "and %d conflicts (resolved in favor or more recent entry).", + "and %d conflicts (resolved in favor of more recent entry).", n_entries, n_corrupt_lines, n_duplicates, n_conflicts); return 0; diff --git a/src/feature/dircache/dircache.c b/src/feature/dircache/dircache.c index 1b36f716f4..7c6af3582b 100644 --- a/src/feature/dircache/dircache.c +++ b/src/feature/dircache/dircache.c @@ -1390,8 +1390,9 @@ handle_get_hs_descriptor_v3(dir_connection_t *conn, const char *pubkey_str = NULL; const char *url = args->url; - /* Reject unencrypted dir connections */ - if (!connection_dir_is_encrypted(conn)) { + /* Reject non anonymous dir connections (which also tests if encrypted). We + * do not allow single hop clients to query an HSDir. */ + if (!connection_dir_is_anonymous(conn)) { write_short_http_response(conn, 404, "Not found"); goto done; } @@ -1632,10 +1633,10 @@ directory_handle_command_post,(dir_connection_t *conn, const char *headers, goto done; } - /* Handle HS descriptor publish request. */ - /* XXX: This should be disabled with a consensus param until we want to - * the prop224 be deployed and thus use. */ - if (connection_dir_is_encrypted(conn) && !strcmpstart(url, "/tor/hs/")) { + /* Handle HS descriptor publish request. We force an anonymous connection + * (which also tests for encrypted). We do not allow single-hop client to + * post a descriptor onto an HSDir. */ + if (connection_dir_is_anonymous(conn) && !strcmpstart(url, "/tor/hs/")) { const char *msg = "HS descriptor stored successfully."; /* We most probably have a publish request for an HS descriptor. */ 
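Review bot: In directory_handle_command_post() the new condition calls `connection_dir_is_anonymous(conn)` before looking at the URL. The circuit walk, its `Rejected HSDir request: ...` info logs and the BUG() check inside it therefore run for every POST on a linked connection, not only for `/tor/hs/` uploads. Swapping the operands gives the same result and limits the check to HS requests: `if (!strcmpstart(url, "/tor/hs/") && connection_dir_is_anonymous(conn)) {`. A non-anonymous POST to `/tor/hs/` now falls through to whatever follows this branch, which is outside the hunk. Confirm that path answers with an error rather than handling the body as some other document type.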
diff --git a/src/feature/dircommon/directory.c b/src/feature/dircommon/directory.c index 9e6f72e9ac..b3db0aa108 100644 --- a/src/feature/dircommon/directory.c +++ b/src/feature/dircommon/directory.c @@ -7,6 +7,10 @@ #include "app/config/config.h" #include "core/mainloop/connection.h" +#include "core/or/circuitlist.h" +#include "core/or/connection_edge.h" +#include "core/or/connection_or.h" +#include "core/or/channeltls.h" #include "feature/dircache/dircache.h" #include "feature/dircache/dirserv.h" #include "feature/dirclient/dirclient.h" @@ -15,6 +19,10 @@ #include "feature/stats/geoip_stats.h" #include "lib/compress/compress.h" +#include "core/or/circuit_st.h" +#include "core/or/or_circuit_st.h" +#include "core/or/edge_connection_st.h" +#include "core/or/or_connection_st.h" #include "feature/dircommon/dir_connection_st.h" #include "feature/nodelist/routerinfo_st.h" 
@@ -167,6 +175,67 @@ connection_dir_is_encrypted(const dir_connection_t *conn) return TO_CONN(conn)->linked; } +/** Return true iff the given directory connection <b>dir_conn</b> is + * anonymous, that is, it is on a circuit via a public relay and not directly + * from a client or bridge. + * + * For client circuits via relays: true for 2-hop+ paths. + * For client circuits via bridges: true for 3-hop+ paths. + * + * This first test if the connection is encrypted since it is a strong + * requirement for anonymity. */ +bool +connection_dir_is_anonymous(const dir_connection_t *dir_conn) +{ + const connection_t *conn, *linked_conn; + const edge_connection_t *edge_conn; + const circuit_t *circ; + + tor_assert(dir_conn); + + if (!connection_dir_is_encrypted(dir_conn)) { + return false; + } + + /* + * Buckle up, we'll do a deep dive into the connection in order to get the + * final connection channel of that connection in order to figure out if + * this is a client or relay link. + * + * We go: dir_conn -> linked_conn -> edge_conn -> on_circuit -> p_chan. + */ + + conn = TO_CONN(dir_conn); + linked_conn = conn->linked_conn; + + /* The dir connection should be connected to an edge connection. It can not + * be closed or marked for close. */ + if (linked_conn == NULL || linked_conn->magic != EDGE_CONNECTION_MAGIC || + conn->linked_conn_is_closed || conn->linked_conn->marked_for_close) { + log_info(LD_DIR, "Rejected HSDir request: not linked to edge"); + return false; + } + + edge_conn = TO_EDGE_CONN((connection_t *) linked_conn); + circ = edge_conn->on_circuit; + + /* Can't be a circuit we initiated and without a circuit, no channel. */ + if (circ == NULL || CIRCUIT_IS_ORIGIN(circ)) { + log_info(LD_DIR, "Rejected HSDir request: not on OR circuit"); + return false; + } + + /* Get the previous channel to learn if it is a client or relay link. 
*/ + if (BUG(CONST_TO_OR_CIRCUIT(circ)->p_chan == NULL)) { + log_info(LD_DIR, "Rejected HSDir request: no p_chan"); + return false; + } + + /* Will be true if the channel is an unauthenticated peer which is only true + * for clients and bridges. */ + return !channel_is_client(CONST_TO_OR_CIRCUIT(circ)->p_chan); +} + /** Parse an HTTP request line at the start of a headers string. On failure, * return -1. On success, set *<b>command_out</b> to a copy of the HTTP * command ("get", "post", etc), set *<b>url_out</b> to a copy of the URL, and diff --git a/src/feature/dircommon/directory.h b/src/feature/dircommon/directory.h index ba3f8c1b0e..4fc743ad3d 100644 --- a/src/feature/dircommon/directory.h +++ b/src/feature/dircommon/directory.h @@ -94,6 +94,7 @@ int parse_http_command(const char *headers, char *http_get_header(const char *headers, const char *which); int connection_dir_is_encrypted(const dir_connection_t *conn); +bool connection_dir_is_anonymous(const dir_connection_t *conn); int connection_dir_reached_eof(dir_connection_t *conn); int connection_dir_process_inbuf(dir_connection_t *conn); int connection_dir_finished_flushing(dir_connection_t *conn); diff --git a/src/feature/rend/rendmid.c b/src/feature/rend/rendmid.c index 192da166ee..ef2a44c40d 100644 --- a/src/feature/rend/rendmid.c +++ b/src/feature/rend/rendmid.c @@ -117,6 +117,8 @@ rend_mid_establish_intro_legacy(or_circuit_t *circ, const uint8_t *request, /* Now, set up this circuit. */ circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_INTRO_POINT); hs_circuitmap_register_intro_circ_v2_relay_side(circ, (uint8_t *)pk_digest); + token_bucket_ctr_init(&circ->introduce2_bucket, hs_dos_get_intro2_rate(), + hs_dos_get_intro2_burst(), (uint32_t) approx_time()); log_info(LD_REND, "Established introduction point on circuit %u for service %s", diff --git a/src/rust/protover/protover.rs b/src/rust/protover/protover.rs index f7d9d6d15f..7a76fcdd94 100644 --- a/src/rust/protover/protover.rs 
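Review bot: The `BUG(CONST_TO_OR_CIRCUIT(circ)->p_chan == NULL)` check in connection_dir_is_anonymous() treats a missing previous-hop channel as a programming error, but nothing in this hunk guarantees `p_chan` is still set while a directory request on that circuit is being handled. If the channel can go away first (not verifiable from here), a remote peer could make the relay emit non-fatal-assertion stack traces. A plain test keeps the fail-closed `return false` without the assertion: `if (CONST_TO_OR_CIRCUIT(circ)->p_chan == NULL) {`. The comment above the final return also reads backwards, because the function returns the negation of channel_is_client(). Something like `/* Anonymous only if the previous hop is not an unauthenticated peer (client or bridge). */` would match the code.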
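Review bot: The `token_bucket_ctr_init(&circ->introduce2_bucket, ...)` call added to rend_mid_establish_intro_legacy() has no comment, unlike the lines around it, so the reason a legacy intro circuit needs this bucket is left to the reader. Judging only by the names, it initialises the INTRODUCE2 rate limiter for the circuit. If so, a one-line comment would record the intent: `/* Initialize the INTRODUCE2 rate-limit bucket so the DoS defenses also apply to legacy intro circuits. */`. The `(uint32_t)` cast on `approx_time()` could be mentioned in the same comment as a deliberate narrowing. The function body starts and ends outside the hunk.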
+++ b/src/rust/protover/protover.rs @@ -168,7 +168,7 @@ pub(crate) fn get_supported_protocols_cstr() -> &'static CStr { LinkAuth=3 \ Microdesc=1-2 \ Relay=1-2 \ - Padding=1 \ + Padding=2 \ FlowCtrl=1" ) } else { @@ -183,7 +183,7 @@ pub(crate) fn get_supported_protocols_cstr() -> &'static CStr { LinkAuth=1,3 \ Microdesc=1-2 \ Relay=1-2 \ - Padding=1 \ + Padding=2 \ FlowCtrl=1" ) } diff --git a/src/test/test_btrack.c b/src/test/test_btrack.c index 9e5d0d0723..21e88a57b6 100644 --- a/src/test/test_btrack.c +++ b/src/test/test_btrack.c @@ -44,6 +44,8 @@ test_btrack_launch(void *arg) { orconn_state_msg_t conn; ocirc_chan_msg_t circ; + memset(&conn, 0, sizeof(conn)); + memset(&circ, 0, sizeof(circ)); (void)arg; conn.gid = 1; @@ -93,6 +95,8 @@ test_btrack_delete(void *arg) { orconn_state_msg_t state; orconn_status_msg_t status; + memset(&state, 0, sizeof(state)); + memset(&status, 0, sizeof(status)); (void)arg; state.gid = 1; diff --git a/src/test/test_circuitpadding.c b/src/test/test_circuitpadding.c index 915f086615..934ddb0208 100644 --- a/src/test/test_circuitpadding.c +++ b/src/test/test_circuitpadding.c @@ -92,10 +92,10 @@ static void nodes_init(void) { padding_node.rs = tor_malloc_zero(sizeof(routerstatus_t)); - padding_node.rs->pv.supports_padding = 1; + padding_node.rs->pv.supports_hs_setup_padding = 1; non_padding_node.rs = tor_malloc_zero(sizeof(routerstatus_t)); - non_padding_node.rs->pv.supports_padding = 0; + non_padding_node.rs->pv.supports_hs_setup_padding = 0; } static void diff --git a/src/test/test_controller_events.c b/src/test/test_controller_events.c index a8967bba50..9fb2bc7256 100644 --- a/src/test/test_controller_events.c +++ b/src/test/test_controller_events.c @@ -429,6 +429,7 @@ static void test_cntev_orconn_state(void *arg) { orconn_state_msg_t conn; + memset(&conn, 0, sizeof(conn)); (void)arg; MOCK(queue_control_event_string, mock_queue_control_event_string); 
@@ -468,6 +469,7 @@ static void test_cntev_orconn_state_pt(void *arg) { orconn_state_msg_t conn; + memset(&conn, 0, sizeof(conn)); (void)arg; MOCK(queue_control_event_string, mock_queue_control_event_string); @@ -503,6 +505,7 @@ static void test_cntev_orconn_state_proxy(void *arg) { orconn_state_msg_t conn; + memset(&conn, 0, sizeof(conn)); (void)arg; MOCK(queue_control_event_string, mock_queue_control_event_string); diff --git a/src/test/test_hs_cache.c b/src/test/test_hs_cache.c index d71f8b6b18..86ac7e7fb1 100644 --- a/src/test/test_hs_cache.c +++ b/src/test/test_hs_cache.c @@ -10,6 +10,7 @@ #define DIRCACHE_PRIVATE #define DIRCLIENT_PRIVATE #define HS_CACHE_PRIVATE +#define TOR_CHANNEL_INTERNAL_ #include "trunnel/ed25519_cert.h" #include "feature/hs/hs_cache.h" @@ -20,7 +21,12 @@ #include "core/mainloop/connection.h" #include "core/proto/proto_http.h" #include "lib/crypt_ops/crypto_format.h" +#include "core/or/circuitlist.h" +#include "core/or/channel.h" +#include "core/or/edge_connection_st.h" +#include "core/or/or_circuit_st.h" +#include "core/or/or_connection_st.h" #include "feature/dircommon/dir_connection_st.h" #include "feature/nodelist/networkstatus_st.h" @@ -232,6 +238,8 @@ helper_fetch_desc_from_hsdir(const ed25519_public_key_t *blinded_key) /* The dir conn we are going to simulate */ dir_connection_t *conn = NULL; + edge_connection_t *edge_conn = NULL; + or_circuit_t *or_circ = NULL; /* First extract the blinded public key that we are going to use in our query, and then build the actual query string. */ 
@@ -245,8 +253,16 @@ helper_fetch_desc_from_hsdir(const ed25519_public_key_t *blinded_key) /* Simulate an HTTP GET request to the HSDir */ conn = dir_connection_new(AF_INET); tt_assert(conn); + TO_CONN(conn)->linked = 1; /* Signal that it is encrypted. */ tor_addr_from_ipv4h(&conn->base_.addr, 0x7f000001); - TO_CONN(conn)->linked = 1;/* Pretend the conn is encrypted :) */ + + /* Pretend this conn is anonymous. */ + edge_conn = edge_connection_new(CONN_TYPE_EXIT, AF_INET); + TO_CONN(conn)->linked_conn = TO_CONN(edge_conn); + or_circ = or_circuit_new(0, NULL); + or_circ->p_chan = tor_malloc_zero(sizeof(channel_t)); + edge_conn->on_circuit = TO_CIRCUIT(or_circ); + retval = directory_handle_command_get(conn, hsdir_query_str, NULL, 0); tt_int_op(retval, OP_EQ, 0); @@ -263,8 +279,11 @@ helper_fetch_desc_from_hsdir(const ed25519_public_key_t *blinded_key) done: tor_free(hsdir_query_str); - if (conn) + if (conn) { + tor_free(or_circ->p_chan); + connection_free_minimal(TO_CONN(conn)->linked_conn); connection_free_minimal(TO_CONN(conn)); + } return received_desc; } diff --git a/src/test/test_hs_common.c b/src/test/test_hs_common.c index abded6021e..de3f7e04f7 100644 --- a/src/test/test_hs_common.c +++ b/src/test/test_hs_common.c @@ -502,6 +502,7 @@ test_desc_reupload_logic(void *arg) pubkey_hex, strlen(pubkey_hex)); hs_build_address(&pubkey, HS_VERSION_THREE, onion_addr); service = tor_malloc_zero(sizeof(hs_service_t)); + tt_assert(service); memcpy(service->onion_address, onion_addr, sizeof(service->onion_address)); ed25519_secret_key_generate(&service->keys.identity_sk, 0); ed25519_public_key_generate(&service->keys.identity_pk, diff --git a/src/test/test_hs_service.c b/src/test/test_hs_service.c index a303f10411..2e4be4e295 100644 --- a/src/test/test_hs_service.c +++ b/src/test/test_hs_service.c 
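Review bot: The new cleanup in helper_fetch_desc_from_hsdir() dereferences `or_circ` in `tor_free(or_circ->p_chan)` whenever `conn` is non-NULL. That is safe only because no `tt_*` check currently sits between `dir_connection_new()` and `or_circuit_new()`; a check added there later would jump to `done:` with `or_circ == NULL`. Guarding it costs one line: `if (or_circ) tor_free(or_circ->p_chan);`. The `or_circuit_t` itself is not released here, only its fake channel. Unless the test teardown frees all circuits (not visible on this page), the circuit stays allocated after the helper returns.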
@@ -1265,6 +1265,7 @@ test_service_event(void *arg) /* Set a service for this circuit. */ service = helper_create_service(); + tt_assert(service); ed25519_pubkey_copy(&circ->hs_ident->identity_pk, &service->keys.identity_pk); diff --git a/src/test/test_introduce.c b/src/test/test_introduce.c index 4a6d90d97e..104e973b1f 100644 --- a/src/test/test_introduce.c +++ b/src/test/test_introduce.c @@ -383,8 +383,10 @@ make_intro_from_plaintext( /* Output the cell */ *cell_out = cell; + cell = NULL; done: + tor_free(cell); return cell_len; } @@ -535,4 +537,3 @@ struct testcase_t introduce_tests[] = { INTRODUCE_LEGACY(late_parse_v3), END_OF_TESTCASES }; - diff --git a/src/test/test_token_bucket.c b/src/test/test_token_bucket.c index d3ce591388..31670718d9 100644 --- a/src/test/test_token_bucket.c +++ b/src/test/test_token_bucket.c @@ -93,7 +93,7 @@ test_token_bucket_ctr_dec(void *arg) /* Keep underflowing shouldn't flag the bucket as empty. */ tt_uint_op(false, OP_EQ, token_bucket_ctr_dec(&tb, BURST)); - tt_int_op(tb.counter.bucket, OP_EQ, (int32_t) ((BURST + 1) * -1)); + tt_int_op(tb.counter.bucket, OP_EQ, - (int32_t) (BURST + 1)); done: ; diff --git a/src/test/test_util.c b/src/test/test_util.c index 41ecbfd388..c56d3488ba 100644 --- a/src/test/test_util.c +++ b/src/test/test_util.c @@ -5399,11 +5399,13 @@ test_util_socketpair(void *arg) tt_skip(); } #endif /* defined(__FreeBSD__) */ +#ifdef ENETUNREACH if (ersatz && socketpair_result == -ENETUNREACH) { /* We can also fail with -ENETUNREACH if we have no network stack at * all. */ tt_skip(); } +#endif tt_int_op(0, OP_EQ, socketpair_result); tt_assert(SOCKET_OK(fds[0])); |