path: root/src/common
Age | Commit message | Author
2019-10-23 | Merge remote-tracking branch 'tor-github/pr/1178' into maint-0.2.9 | teor
2019-09-09 | build: The <sys/sysctl.h> is now deprecated on Linux | David Goulet
Closes #31673
2019-08-10 | Merge remote-tracking branch 'tor-github/pr/1052' into maint-0.2.9 | teor
2019-08-09 | Merge remote-tracking branch 'tor-github/pr/762' into maint-0.2.9 | teor
2019-08-08 | Fix a warning about casting the results of GetProcAddress. | Nick Mathewson
Fixes bug 31374; bugfix on 0.2.9.1-alpha.
2019-07-19 | Prevent UB on signed overflow. | Tobias Stoeckmann
Overflowing a signed integer in C is an undefined behaviour. It is possible to trigger this undefined behaviour in tor_asprintf on Windows or systems lacking vasprintf. On these systems, either _vscprintf or vsnprintf is called to retrieve the required amount of bytes to hold the string. These functions can return INT_MAX. The easiest way to recreate this is the use of a specially crafted configuration file, e.g. containing the line: FirewallPorts AAAAA<in total 2147483610 As> This line triggers the needed tor_asprintf call which eventually leads to an INT_MAX return value from _vscprintf or vsnprintf. The needed byte for \0 is added to the result, triggering the overflow and therefore the undefined behaviour. Casting the value to size_t before addition fixes the behaviour. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2019-05-29 | Tweak comments in tor_vasprintf(), and add a changes file for 30651 | Nick Mathewson
2019-05-29 | Fixed tor_vasprintf on systems without vasprintf. | Tobias Stoeckmann
If tor is compiled on a system with neither vasprintf nor _vscprintf, the fallback implementation exposes a logic flaw which prevents proper usage of strings longer than 127 characters:
* tor_vsnprintf returns -1 if supplied buffer is not large enough, but tor_vasprintf uses this function to retrieve required length
* the result of tor_vsnprintf is not properly checked for negative return values
Both aspects together could in theory lead to exposure of uninitialized stack memory in the resulting string. This requires an invalid format string or data that exceeds integer limitations. Fortunately tor is not even able to run with this implementation because it runs into asserts early on during startup. Also the unit tests fail during a "make check" run.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
[backported to 0.2.9 by nickm]
2019-04-04 | Do not cache bogus results from classifying client ciphers | Nick Mathewson
When classifying a client's selection of TLS ciphers, if the client ciphers are not yet available, do not cache the result. Previously, we had cached the unavailability of the cipher list and never looked again, which in turn led us to assume that the client only supported the ancient V1 link protocol. This, in turn, was causing Stem integration tests to stall in some cases. Fixes bug 30021; bugfix on 0.2.4.8-alpha.
2019-03-08 | Make tor_addr_is_internal_() RFC6598 (Carrier Grade NAT) aware | Neel Chauhan
Fixes 28525.
2018-11-15 | Windows: fix uname on recent Windows versions | teor
Correctly identify Windows 8.1, Windows 10, and Windows Server 2008 and later from their NT versions. On recent Windows versions, the GetVersionEx() function may report an earlier Windows version than the running OS. To avoid user confusion, add "[or later]" to Tor's version string on affected versions of Windows. Remove Windows versions that were never supported by the GetVersionEx() function. Stop duplicating the latest Windows version in get_uname(). Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly.
2018-11-12 | Fix a compiler warning in aes.c. | Nick Mathewson
Apparently some freebsd compilers can't tell that 'c' will never be used uninitialized. Fixes bug 28413; bugfix on 0.2.9.3-alpha when we added support for longer AES keys to this function.
2018-11-11 | Fix a bug in usage of SSL_set1_groups_list() | Nick Mathewson
Apparently, even though the manpage says it returns an int, it can return a long instead and cause a warning. Bug not in any released Tor. Part of #28399
2018-11-09 | Always declare groups when building with openssl 1.1.1 APIs | Nick Mathewson
Failing to do so on clients was causing TLS 1.3 negotiation to fail. Fixes bug 28245; bugfix on 0.2.9.15, when we added TLS 1.3 support.
2018-10-15 | Fix make check-spaces. | Nick Mathewson
2018-10-15 | Explain a bit more about branch prediction in the unit-test case | Nick Mathewson
2018-09-14 | Revise our assertion and bug macros to work with -Wparentheses | Nick Mathewson
On GCC and Clang, there's a feature to warn you about bad conditionals like "if (a = b)", which should be "if (a == b)". However, they don't warn you if there are extra parentheses around "a = b". Unfortunately, the tor_assert() macro and all of its kin have been passing their inputs through stuff like PREDICT_UNLIKELY(expr) or PREDICT_UNLIKELY(!(expr)), both of which expand to stuff with more parentheses around "expr", thus suppressing these warnings. To fix this, this patch introduces new macros that do not wrap expr. They're only used when GCC or Clang is enabled (both define __GNUC__), since they require GCC's "({statement expression})" syntax extension. They're only used when we're building the unit-test variant of the object files, since they suppress the branch-prediction hints. I've confirmed that tor_assert(), tor_assert_nonfatal(), tor_assert_nonfatal_once(), BUG(), and IF_BUG_ONCE() all now give compiler warnings when their argument is an assignment expression. Fixes bug 27709. Bugfix on 0.0.6, where we first introduced the "tor_assert()" macro.
2018-09-07 | Tell openssl to build its TLS contexts with security level 1 | Nick Mathewson
Fixes bug 27344, where we'd break compatibility with old tors by rejecting RSA1024 and DH1024.
2018-09-07 | Windows: Silence a spurious warning in the GetAdaptersAddresses cast | teor
GetProcAddress() returns FARPROC, which is (long long int(*)()) on 64-bit Windows: https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx But GetAdaptersAddresses() is (long unsigned int(*)()), on both 32-bit and 64-bit Windows: https://docs.microsoft.com/en-us/windows/desktop/api/iphlpapi/nf-iphlpapi-getadaptersaddresses So gcc 8 issues a spurious "incompatible function pointer" warning about the cast to GetAdaptersAddresses_fn_t. Silence this warning by casting to a void function pointer, before the cast to GetAdaptersAddresses_fn_t. This issue is already fixed by 26481 in 0.3.5 and later, by removing the lookup and cast. Fixes bug 27465; bugfix on 0.2.3.11-alpha.
2018-08-20 | Use our x509 wrapper code in tor_tls_cert_matches_key() | Nick Mathewson
This allows us to mock our own tor_tls_get_peer_certificate() function in order to test ..cert_matches_key(), which will in turn allow us to simplify test_tortls_cert_matches_key() considerably. Prep work for the fix for 27226.
2018-08-08 | Fix crash when calling openat with sandbox enabled #25440 | Daniel Pinto
The seccomp rule for the openat syscall checks for the AT_FDCWD constant. Because this constant is usually a negative value, a cast to unsigned int is necessary to make sure it does not get converted to uint64_t used by seccomp. More info on: https://github.com/seccomp/libseccomp/issues/69#issuecomment-273805980
2018-05-16 | Return -1 from our PEM password callback | Nick Mathewson
Apparently, contrary to its documentation, this is how OpenSSL now wants us to report an error. Fixes bug 26116; bugfix on 0.2.5.16.
2018-04-23 | Permit the nanosleep system call in the seccomp2 callbox | Nick Mathewson
Fixes bug 24969; bugfix on 0.2.5.1-alpha when the sandbox was introduced.
2018-04-16 | Fix an LCOV exclusion pattern in address.c | Nick Mathewson
2018-03-20 | Remove sb_poll check: all poll() calls are ok. | Nick Mathewson
2018-03-20 | Add the poll() syscall as permitted by the sandbox | Nick Mathewson
Apparently, sometimes getpwnam will call this. Fixes bug 25513.
2018-02-16 | Merge remote-tracking branch 'dgoulet/ticket24902_029_05' into maint-0.2.9 | Nick Mathewson
2018-02-12 | Have tor_addr hashes return a randomized hash for AF_UNSPEC. | Nick Mathewson
We don't expect this to come up very much, but we may as well make sure that the value isn't predictable (as we do for the other addresses) in case the issue ever comes up. Spotted by teor.
2018-02-12 | Fix a typo in an address_set.c comment. | Nick Mathewson
2018-02-11 | Merge remote-tracking branch 'public/bug24198_029' into maint-0.2.9 | Nick Mathewson
2018-02-11 | Merge branch 'ticket24315_029' into maint-0.2.9 | Nick Mathewson
2018-02-11 | Merge remote-tracking branch 'public/bug21074_029' into maint-0.2.9 | Nick Mathewson
2018-02-08 | Merge branch 'ticket25183_029_01' into ticket24902_029_05 | David Goulet
2018-02-08 | Function to add an ipv4 address to an address_set | Nick Mathewson
This is a convenience function, so callers don't need to wrap the IPv4 address.
2018-02-08 | Add an address-set backend using a bloom filter. | Nick Mathewson
We're going to need this to make our anti-DoS code (see 24902) more robust.
2018-01-30 | dos: Initial code of Denial of Service mitigation | David Goulet
This commit introduces the src/or/dos.{c|h} files that contain the code for the Denial of Service mitigation subsystem. It currently contains basic functions to initialize and free the subsystem. They are used at this commit. The torrc options and consensus parameters are defined at this commit and getters are implemented. Signed-off-by: David Goulet <dgoulet@torproject.org>
2018-01-23 | Make Tor support TLS1.3 ciphers with OpenSSL 1.1.1 | Nick Mathewson
Without this patch, not only will TLS1.3 not work with Tor, but OpenSSL 1.1.1 with TLS1.3 enabled won't build any connections at all: It requires that either TLS1.3 be disabled, or some TLS1.3 ciphersuites be listed. Closes ticket 24978.
2018-01-17 | Add a cast to avoid a signed/unsigned comparison | Nick Mathewson
2018-01-04 | Don't treat a setrlimit failure as fatal. | Nick Mathewson
Fixes bug 21074; bugfix on 4689243242e2e12 in 0.0.9rc5 when we started doing setrlimit() in the first place.
2017-11-30 | Merge branch 'maint-0.2.8' into maint-0.2.9 | Nick Mathewson
2017-11-30 | Merge branch 'maint-0.2.5' into maint-0.2.8 | Nick Mathewson
2017-11-27 | Avoid asking for passphrase on junky PEM input | Nick Mathewson
Fixes bug 24246 and TROVE-2017-011. This bug is so old, it's in Matej's code. Seems to have been introduced with e01522bbed6eea.
2017-11-16 | Check the libc version to decide whether to allow openat. | Nick Mathewson
2017-11-16 | Make our seccomp2 sandbox handle Glibc 2.26 | Nick Mathewson
There are three changes here:
* We need to allow epoll_pwait.
* We need to allow PF_NETLINK sockets to be opened with SOCK_CLOEXEC.
* We need to use openat() instead of open().
Note that this fix is not complete, since the openat() change is turned off. The next commit will make the openat() change happen when we're running glibc 2.26 or later. Fix for 24315.
2017-11-16 | Permit kill(pid, 0) in the seccomp2 sandbox. | Nick Mathewson
We don't want to allow general signals to be sent, but there's no problem sending a kill(0) to probe whether a process is there. Fixes bug 24198; bugfix on 0.2.5.1-alpha when the seccomp2 sandbox was introduced.
2017-09-12 | One more implicit fallthrough warning to fix on GCC 7 | Nick Mathewson
2017-09-11 | Fix mixed-sign comparison warning in fix for 22797. | Nick Mathewson
2017-09-11 | Merge branch 'teor-bug22797-025' into maint-0.2.9 | Nick Mathewson
2017-07-27 | Merge remote-tracking branch 'public/bug20247_029' into maint-0.2.9 | Nick Mathewson
2017-07-26 | Fix build warnings from Coverity related to our BUG macro | Nick Mathewson
In the Linux kernel, the BUG() macro causes an instant panic. Our BUG() macro is different, however: it generates a nonfatal assertion failure, and is usable as an expression. Additionally, this patch tells util_bug.h to make all assertion failures into fatal conditions when we're building with a static analysis tool, so that the analysis tool can look for instances where they're reachable. Fixes bug 23030.