| Age | Commit message (Collapse) | Author |
|---|
|
the sz_out param is set to what was read (i.e not including the final
NULL the function adds for convenience), but could be understood to
be set to what was read+1 (including the NULL terminator)
|
|
it's believed most libc already have those, but just in case, it can't
hurt
|
|
|
|
|
|
Fixes #40874
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
add metrics counter for BUG() reached
Closes #40839
See merge request tpo/core/tor!760
|
|
Fix sandbox on AArch64, RISC-V
Closes #24454
See merge request tpo/core/tor!446
|
|
|
|
|
|
|
|
|
|
See: tpo/core/tor#40815.
|
|
This patch causes `tor_compress_is_compression_bomb()` to emit a
warning-level log message that lets us learn the potential ratio of the
input to output buffer sizes. Hopefully, this will give us a bit of a
better idea whether the compression bomb ratio needs some tuning.
See: tpo/core/tor#40739.
|
|
|
|
With LibreSSL-3.8.1 these engines are no long available causing a build
failure, but LibreSSL correctly defines OPENSSL_NO_ENGINE as part of its
opensslfeatures.h. However Tor includes crypto_openssl_mgt.h before any
of the openssl includes which would define OPENSSL_NO_ENGINE and then
fails to define DISABLE_ENGINES.
As the define is used in only a single .c file it is best to move it
there.
Signed-off-by: orbea <orbea@riseup.net>
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
Considering a compression bomb before looking for errors led to false negative
log warnings. Instead, it is possible the work failed for whatever reasons
which is not indicative of a compression bomb.
Fixes #40739
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
This is a change intended for 0.4.7 maintenance as well as main.
The CI builds use Debian Buster which is now end of life, and I was
experiencing inconsistent CI failures with accessing its security update
server. I wanted to update CI to a distro that isn't EOL, and Bullseye
is the current stable release of Debian.
This opened up a small can of worms that this commit also deals with.
In particular there's a docker engine bug that we work around by
removing the docker-specific apt cleanup script if it exists, and
there's a new incompatibility between tracing and sandbox support.
The tracing/sandbox incompatibility itself had two parts:
- The membarrier() syscall is used to deliver inter-processor
synchronization events, and the external "userspace-rcu"
data structure library would make assumptions that if membarrier
is available at initialization it always will be. This caused
segfaults in some cases when running trace + sandbox. Resolved this
by allowing membarrier entirely, in the sandbox.
- userspace-rcu also assumes it can block signals, and fails
hard if this can't be done. We already include a similar carveout
to allow this in the sandbox for fragile-hardening, so I extended
that to cover tracing as well.
Addresses issue #40799
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
|
|
Skip a warning using EC_GFp_nist_method() which was removed in LibreSSL
3.8.
Based on a patch from OpenBSD.
https://github.com/openbsd/ports/commit/33fe251a08cb11f30ce6094a2e0759c3bb63ed16
These functions are deprecated since OpenSSL 3.0.
https://www.openssl.org/docs/man3.1/man3/EC_GFp_nist_method.html
|
|
This started as a response to ticket #40792 where Coverity is
complaining about a potential year 2038 bug where we cast time_t from
approx_time() to uint32_t for use in token_bucket_ctr.
There was a larger can of worms though, since token_bucket really
doesn't want to be using wallclock time here. I audited the call sites
for approx_time() and changed any that used a 32-bit cast or made
inappropriate use of wallclock time. Things like certificate lifetime,
consensus intervals, etc. need wallclock time. Measurements of rates
over time, however, are better served with a monotonic timer that does
not try and sync with wallclock ever.
Looking closer at token_bucket, its design is a bit odd because it was
initially intended for use with tick units but later forked into
token_bucket_rw which uses ticks to count bytes per second, and
token_bucket_ctr which uses seconds to count slower events. The rates
represented by either token bucket can't be lower than 1 per second, so
the slower timer in 'ctr' is necessary to represent the slower rates of
things like connections or introduction packets or rendezvous attempts.
I considered modifying token_bucket to use 64-bit timestamps overall
instead of 32-bit, but that seemed like an unnecessarily invasive change
that would grant some peace of mind but probably not help much. I was
more interested in removing the dependency on wallclock time. The
token_bucket_rw timer already uses monotonic time. This patch converts
token_bucket_ctr to use monotonic time as well. It introduces a new
monotime_coarse_absolute_sec(), which is currently the same as nsec
divided by a billion but could be optimized easily if we ever need to.
This patch also might fix a rollover bug.. I haven't tested this
extensively but I don't think the previous version of the rollover code
on either token bucket was correct, and I would expect it to get stuck
after the first rollover.
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
|
|
This fixes a failure that was showing up on i386 Debian hosts
with sandboxing enabled, now that cpuworker is enabled on clients.
We already had allowances for creating threads and creating stacks
in the sandbox, but prot_none (probably used for a stack guard)
was not allowed so thread creation failed.
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
|
|
We mark the intro circuit with a new flag saying that the pow is
in the cpuworker queue. When the cpuworker comes back, it either
has a solution, in which case we proceed with sending the intro1
cell, or it has no solution, in which case we unmark the intro
circuit and let the whole process restart on the next iteration of
connection_ap_handshake_attach_circuit().
|
|
This will enable us to add e.g. circuit build metrics (#40717).
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
|
|
|
|
This adds a `reason` label to the `hs_intro_rejected_intro_req_count` and
`hs_rdv_error_count` metrics introduced in #40755.
Metric look up and intialization is now more a bit more involved. This may be
fine for now, but it will become unwieldy if/when we add more labels (and as
such will need to be refactored).
Also, in the future, we may want to introduce finer grained `reason` labels.
For example, the `invalid_introduce2` label actually covers multiple types of
errors that can happen during the processing of an INTRODUCE2 cell (such as
cell parse errors, replays, decryption errors).
Signed-off-by: Gabriela Moldovan <gabi@torproject.org>
|
|
detection false positive.
|
|
|
|
|
|
Add new liblzma enums (LZMA_SEEK_NEEDED and LZMA_RET_INTERNAL*)
conditional to the API version they arrived in. The first stable
version of liblzma this affects is 5.4.0
Fixes #40741
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
|
|
Add new liblzma enums (LZMA_SEEK_NEEDED and LZMA_RET_INTERNAL*)
conditional to the API version they arrived in. The first stable
version of liblzma this affects is 5.4.0
Fixes #40741
Signed-off-by: Micah Elizabeth Scott <beth@torproject.org>
|
|
Fixes #40743
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
* the || is not possible with #ifdef statement;
* here the #ifdef turns into '#if defined()'.
|
|
|
|
We cap our number of CPU worker threads to at least 2 even if we have a
single core. But also, before we used to always add one extra thread
regardless of the number of core.
This meant that we were off when re-using the get_num_cpus() function
when calculating our onionskin work overhead because we were always off
by one.
This commit makes it that we always use the number of thread our actual
thread pool was configured with.
Fixes #40719
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
Until now, there was this magic number (64) used as the maximum number
of tasks a CPU worker can take at once.
This commit makes it a consensus parameter so our future selves can
think of a better value depending on network conditions.
Part of #40704
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
Part of #40708.
|
|
|
|
Part of #40708
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
Part of #40708
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
while here also reflect the check for __NETBSD_SOURCE on
tor_libc_get_version_str
|
|
|
|
|
|
* defined by __NetBSD_Version__ on <sys/param.h> too.
|
|
* __NETBSD_SOURCE was used here to verify if we are running on NetBSD
|
