aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/app/config/config.c2
-rw-r--r--src/app/main/main.c2
-rw-r--r--src/app/main/main.h2
-rw-r--r--src/app/main/ntmain.c4
-rw-r--r--src/core/mainloop/mainloop.c17
-rw-r--r--src/core/or/connection_or.c16
-rw-r--r--src/feature/control/control.c6
-rw-r--r--src/lib/crypt_ops/crypto_curve25519.c2
-rw-r--r--src/lib/crypt_ops/crypto_dh_openssl.c6
-rw-r--r--src/lib/fs/freespace.c1
-rw-r--r--src/lib/tls/tortls_openssl.c46
-rw-r--r--src/test/test_rebind.py16
-rwxr-xr-xsrc/test/test_rebind.sh15
-rw-r--r--src/win32/orconfig.h2
14 files changed, 111 insertions, 26 deletions
diff --git a/src/app/config/config.c b/src/app/config/config.c
index 81cc3e378f..4a8f94da0e 100644
--- a/src/app/config/config.c
+++ b/src/app/config/config.c
@@ -6913,6 +6913,8 @@ parse_port_config(smartlist_t *out,
for (; ports; ports = ports->next) {
tor_addr_t addr;
+ tor_addr_make_unspec(&addr);
+
int port;
int sessiongroup = SESSION_GROUP_UNSET;
unsigned isolation = ISO_DEFAULT;
diff --git a/src/app/main/main.c b/src/app/main/main.c
index ae87add67d..a2b7c08456 100644
--- a/src/app/main/main.c
+++ b/src/app/main/main.c
@@ -1269,7 +1269,7 @@ sandbox_init_filter(void)
return cfg;
}
-static int
+int
run_tor_main_loop(void)
{
handle_signals();
diff --git a/src/app/main/main.h b/src/app/main/main.h
index b64f2ef417..23a436703e 100644
--- a/src/app/main/main.h
+++ b/src/app/main/main.h
@@ -26,4 +26,6 @@ void tor_free_all(int postfork);
int tor_init(int argc, char **argv);
+int run_tor_main_loop(void);
+
#endif /* !defined(TOR_MAIN_H) */
diff --git a/src/app/main/ntmain.c b/src/app/main/ntmain.c
index 800720a0b4..8d2135a587 100644
--- a/src/app/main/ntmain.c
+++ b/src/app/main/ntmain.c
@@ -298,7 +298,7 @@ nt_service_body(int argc, char **argv)
service_status.dwCurrentState = SERVICE_RUNNING;
service_fns.SetServiceStatus_fn(hStatus, &service_status);
set_main_thread();
- do_main_loop();
+ run_tor_main_loop();
tor_cleanup();
}
@@ -326,7 +326,7 @@ nt_service_main(void)
return;
switch (get_options()->command) {
case CMD_RUN_TOR:
- do_main_loop();
+ run_tor_main_loop();
break;
case CMD_LIST_FINGERPRINT:
case CMD_HASH_PASSWORD:
diff --git a/src/core/mainloop/mainloop.c b/src/core/mainloop/mainloop.c
index 7eff82fee4..413c149105 100644
--- a/src/core/mainloop/mainloop.c
+++ b/src/core/mainloop/mainloop.c
@@ -379,6 +379,9 @@ connection_unlink(connection_t *conn)
connection_free(conn);
}
+/** Event that invokes schedule_active_linked_connections_cb. */
+static mainloop_event_t *schedule_active_linked_connections_event = NULL;
+
/**
* Callback: used to activate read events for all linked connections, so
* libevent knows to call their read callbacks. This callback run as a
@@ -395,10 +398,18 @@ schedule_active_linked_connections_cb(mainloop_event_t *event, void *arg)
* so that libevent knows to run their callbacks. */
SMARTLIST_FOREACH(active_linked_connection_lst, connection_t *, conn,
event_active(conn->read_event, EV_READ, 1));
-}
-/** Event that invokes schedule_active_linked_connections_cb. */
-static mainloop_event_t *schedule_active_linked_connections_event = NULL;
+ /* Reactivate the event if we still have connections in the active list.
+ *
+ * A linked connection doesn't get woken up by I/O but rather artificially
+ * by this event callback. It has directory data spooled in it and it is
+ * sent incrementally by small chunks unless spool_eagerly is true. For that
+ * to happen, we need to induce the activation of the read event so it can
+ * be flushed. */
+ if (smartlist_len(active_linked_connection_lst)) {
+ mainloop_event_activate(schedule_active_linked_connections_event);
+ }
+}
/** Initialize the global connection list, closeable connection list,
* and active connection list. */
diff --git a/src/core/or/connection_or.c b/src/core/or/connection_or.c
index 65f4e28c92..e6f04259f5 100644
--- a/src/core/or/connection_or.c
+++ b/src/core/or/connection_or.c
@@ -2880,9 +2880,15 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn,
char label[128];
tor_snprintf(label, sizeof(label),
"EXPORTER FOR TOR TLS CLIENT BINDING %s", authtype_str);
- tor_tls_export_key_material(conn->tls, auth->tlssecrets,
- auth->cid, sizeof(auth->cid),
- label);
+ int r = tor_tls_export_key_material(conn->tls, auth->tlssecrets,
+ auth->cid, sizeof(auth->cid),
+ label);
+ if (r < 0) {
+ if (r != -2)
+ log_warn(LD_BUG, "TLS key export failed for unknown reason.");
+ // If r == -2, this was openssl bug 7712.
+ goto err;
+ }
}
/* 8 octets were reserved for the current time, but we're trying to get out
@@ -3010,10 +3016,8 @@ connection_or_send_authenticate_cell,(or_connection_t *conn, int authtype))
get_current_auth_keypair(),
0 /* not server */);
if (! cell) {
- /* LCOV_EXCL_START */
- log_warn(LD_BUG, "Unable to compute authenticate cell!");
+ log_fn(LOG_PROTOCOL_WARN, LD_NET, "Unable to compute authenticate cell!");
return -1;
- /* LCOV_EXCL_STOP */
}
connection_or_write_var_cell_to_buf(cell, conn);
var_cell_free(cell);
diff --git a/src/feature/control/control.c b/src/feature/control/control.c
index 8208b80c23..795902e6f4 100644
--- a/src/feature/control/control.c
+++ b/src/feature/control/control.c
@@ -7153,7 +7153,7 @@ control_event_bootstrap_core(int loglevel, bootstrap_status_t status,
status = progress;
tor_log(loglevel, LD_CONTROL,
- "Bootstrapped %d%% (%s): %s", status, tag, summary);
+ "Bootstrapped %d%%: %s", status, summary);
tor_snprintf(buf, sizeof(buf),
"BOOTSTRAP PROGRESS=%d TAG=%s SUMMARY=\"%s\"",
status, tag, summary);
@@ -7309,9 +7309,9 @@ control_event_bootstrap_problem(const char *warn, const char *reason,
hostaddr = tor_strdup("?");
log_fn(severity,
- LD_CONTROL, "Problem bootstrapping. Stuck at %d%% (%s): %s. (%s; %s; "
+ LD_CONTROL, "Problem bootstrapping. Stuck at %d%%: %s. (%s; %s; "
"count %d; recommendation %s; host %s at %s)",
- status, tag, summary, warn, reason,
+ status, summary, warn, reason,
bootstrap_problems, recommendation,
or_id, hostaddr);
diff --git a/src/lib/crypt_ops/crypto_curve25519.c b/src/lib/crypt_ops/crypto_curve25519.c
index e6a39a8c08..f3a9de9fc5 100644
--- a/src/lib/crypt_ops/crypto_curve25519.c
+++ b/src/lib/crypt_ops/crypto_curve25519.c
@@ -289,7 +289,7 @@ curve25519_basepoint_spot_check(void)
0x0d,0xbf,0x3a,0x0d,0x26,0x38,0x1a,0xf4,
0xeb,0xa4,0xa9,0x8e,0xaa,0x9b,0x4e,0x6a
};
- const int loop_max=200;
+ const int loop_max=8;
int save_use_ed = curve25519_use_ed;
unsigned char e1[32], e2[32];
unsigned char x[32],y[32];
diff --git a/src/lib/crypt_ops/crypto_dh_openssl.c b/src/lib/crypt_ops/crypto_dh_openssl.c
index 54946458d5..0d9bd513cf 100644
--- a/src/lib/crypt_ops/crypto_dh_openssl.c
+++ b/src/lib/crypt_ops/crypto_dh_openssl.c
@@ -45,6 +45,8 @@ static BIGNUM *dh_param_p_tls = NULL;
/** Shared G parameter for our DH key exchanges. */
static BIGNUM *dh_param_g = NULL;
+/* This function is disabled unless we change the DH parameters. */
+#if 0
/** Validate a given set of Diffie-Hellman parameters. This is moderately
* computationally expensive (milliseconds), so should only be called when
* the DH parameters change. Returns 0 on success, * -1 on failure.
@@ -98,6 +100,7 @@ crypto_validate_dh_params(const BIGNUM *p, const BIGNUM *g)
DH_free(dh);
return ret;
}
+#endif
/**
* Helper: convert <b>hex<b> to a bignum, and return it. Assert that the
@@ -151,8 +154,11 @@ crypto_dh_init_openssl(void)
dh_param_p = bignum_from_hex(OAKLEY_PRIME_2);
dh_param_p_tls = bignum_from_hex(TLS_DH_PRIME);
+ /* Checks below are disabled unless we change the hardcoded DH parameters. */
+#if 0
tor_assert(0 == crypto_validate_dh_params(dh_param_p, dh_param_g));
tor_assert(0 == crypto_validate_dh_params(dh_param_p_tls, dh_param_g));
+#endif
}
/** Number of bits to use when choosing the x or y value in a Diffie-Hellman
diff --git a/src/lib/fs/freespace.c b/src/lib/fs/freespace.c
index 2dbba3c5f8..c18b1e0234 100644
--- a/src/lib/fs/freespace.c
+++ b/src/lib/fs/freespace.c
@@ -19,6 +19,7 @@
#include <windows.h>
#endif
+#include <errno.h>
#include <string.h>
/** Return the amount of free disk space we have permission to use, in
diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c
index 63f6259a6c..99371cfc40 100644
--- a/src/lib/tls/tortls_openssl.c
+++ b/src/lib/tls/tortls_openssl.c
@@ -99,6 +99,9 @@ ENABLE_GCC_WARNING(redundant-decls)
#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
#endif
+/** Set to true iff openssl bug 7712 has been detected. */
+static int openssl_bug_7712_is_present = 0;
+
/** Return values for tor_tls_classify_client_ciphers.
*
* @{
@@ -1054,6 +1057,13 @@ tor_tls_new(tor_socket_t sock, int isServer)
}
#endif /* defined(SSL_set_tlsext_host_name) */
+#ifdef SSL_CTRL_SET_MAX_PROTO_VERSION
+ if (openssl_bug_7712_is_present) {
+ /* We can't actually use TLS 1.3 until this bug is fixed. */
+ SSL_set_max_proto_version(result->ssl, TLS1_2_VERSION);
+ }
+#endif
+
if (!SSL_set_cipher_list(result->ssl,
isServer ? SERVER_CIPHER_LIST : CLIENT_CIPHER_LIST)) {
tls_log_errors(NULL, LOG_WARN, LD_NET, "setting ciphers");
@@ -1671,7 +1681,8 @@ tor_tls_get_tlssecrets,(tor_tls_t *tls, uint8_t *secrets_out))
* provided <b>context</b> (<b>context_len</b> bytes long) and
* <b>label</b> (a NUL-terminated string), compute a 32-byte secret in
* <b>secrets_out</b> that only the parties to this TLS session can
- * compute. Return 0 on success and -1 on failure.
+ * compute. Return 0 on success; -1 on failure; and -2 on failure
+ * caused by OpenSSL bug 7712.
*/
MOCK_IMPL(int,
tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out,
@@ -1686,6 +1697,39 @@ tor_tls_export_key_material,(tor_tls_t *tls, uint8_t *secrets_out,
secrets_out, DIGEST256_LEN,
label, strlen(label),
context, context_len, 1);
+
+ if (r != 1) {
+ int severity = openssl_bug_7712_is_present ? LOG_WARN : LOG_DEBUG;
+ tls_log_errors(tls, severity, LD_NET, "exporting keying material");
+ }
+
+#ifdef TLS1_3_VERSION
+ if (r != 1 &&
+ strlen(label) > 12 &&
+ SSL_version(tls->ssl) >= TLS1_3_VERSION) {
+
+ if (! openssl_bug_7712_is_present) {
+ /* We might have run into OpenSSL issue 7712, which caused OpenSSL
+ * 1.1.1a to not handle long labels. Let's test to see if we have.
+ */
+ r = SSL_export_keying_material(tls->ssl, secrets_out, DIGEST256_LEN,
+ "short", 5, context, context_len, 1);
+ if (r == 1) {
+ /* A short label succeeds, but a long label fails. This was openssl
+ * issue 7712. */
+ openssl_bug_7712_is_present = 1;
+ log_warn(LD_GENERAL, "Detected OpenSSL bug 7712: disabling TLS 1.3 on "
+ "future connections. A fix is expected to appear in OpenSSL "
+ "1.1.1b.");
+ }
+ }
+ if (openssl_bug_7712_is_present)
+ return -2;
+ else
+ return -1;
+ }
+#endif
+
return (r == 1) ? 0 : -1;
}
diff --git a/src/test/test_rebind.py b/src/test/test_rebind.py
index 2215b42253..00e5a08be7 100644
--- a/src/test/test_rebind.py
+++ b/src/test/test_rebind.py
@@ -11,7 +11,6 @@ import time
LOG_TIMEOUT = 60.0
LOG_WAIT = 0.1
-LOG_CHECK_LIMIT = LOG_TIMEOUT / LOG_WAIT
def fail(msg):
logging.error('FAIL')
@@ -25,8 +24,8 @@ def try_connecting_to_socksport():
socks_socket.close()
def wait_for_log(s):
- log_checked = 0
- while log_checked < LOG_CHECK_LIMIT:
+ cutoff = time.time() + LOG_TIMEOUT
+ while time.time() < cutoff:
l = tor_process.stdout.readline()
l = l.decode('utf8')
if s in l:
@@ -37,7 +36,6 @@ def wait_for_log(s):
# avoid busy-waiting
if len(s) == 0:
time.sleep(LOG_WAIT)
- log_checked += 1
fail('Could not find "{}" in logs after {} seconds'.format(s, LOG_TIMEOUT))
def pick_random_port():
@@ -73,12 +71,19 @@ socks_port = pick_random_port()
assert control_port != 0
assert socks_port != 0
+if len(sys.argv) < 3:
+ fail('Usage: %s <path-to-tor> <data-dir>' % sys.argv[0])
+
if not os.path.exists(sys.argv[1]):
fail('ERROR: cannot find tor at %s' % sys.argv[1])
+if not os.path.exists(sys.argv[2]):
+ fail('ERROR: cannot find datadir at %s' % sys.argv[2])
tor_path = sys.argv[1]
+data_dir = sys.argv[2]
tor_process = subprocess.Popen([tor_path,
+ '-DataDirectory', data_dir,
'-ControlPort', '127.0.0.1:{}'.format(control_port),
'-SOCKSPort', '127.0.0.1:{}'.format(socks_port),
'-Log', 'debug stdout',
@@ -90,9 +95,6 @@ tor_process = subprocess.Popen([tor_path,
if tor_process == None:
fail('ERROR: running tor failed')
-if len(sys.argv) < 2:
- fail('Usage: %s <path-to-tor>' % sys.argv[0])
-
wait_for_log('Opened Control listener on')
try_connecting_to_socksport()
diff --git a/src/test/test_rebind.sh b/src/test/test_rebind.sh
index 76eb9f2e4d..498072de35 100755
--- a/src/test/test_rebind.sh
+++ b/src/test/test_rebind.sh
@@ -14,6 +14,19 @@ fi
exitcode=0
-"${PYTHON:-python}" "${abs_top_srcdir:-.}/src/test/test_rebind.py" "${TESTING_TOR_BINARY}" || exitcode=1
+tmpdir=
+clean () { test -n "$tmpdir" && test -d "$tmpdir" && rm -rf "$tmpdir" || :; }
+trap clean EXIT HUP INT TERM
+
+tmpdir="`mktemp -d -t tor_rebind_test.XXXXXX`"
+if [ -z "$tmpdir" ]; then
+ echo >&2 mktemp failed
+ exit 2
+elif [ ! -d "$tmpdir" ]; then
+ echo >&2 mktemp failed to make a directory
+ exit 3
+fi
+
+"${PYTHON:-python}" "${abs_top_srcdir:-.}/src/test/test_rebind.py" "${TESTING_TOR_BINARY}" "$tmpdir" || exitcode=1
exit ${exitcode}
diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h
index 94bcbbd4dc..4645d4a20f 100644
--- a/src/win32/orconfig.h
+++ b/src/win32/orconfig.h
@@ -218,7 +218,7 @@
#define USING_TWOS_COMPLEMENT
/* Version number of package */
-#define VERSION "0.3.5.5-alpha-dev"
+#define VERSION "0.3.5.6-rc-dev"
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion