path: root/src/or/dirvote.c
Age  Commit message  Author
2015-01-10  More documentation for proposal 227 work  [Nick Mathewson]
2015-01-10  Implement proposal 227-vote-on-package-fingerprints.txt  [Nick Mathewson]
This implementation includes tests and a little documentation.
2015-01-02  Bump copyright dates to 2015, in case someday this matters.  [Nick Mathewson]
2014-12-26  Improve a notice message in dirvote.c. (Roger asked for this.)  [Nick Mathewson]
2014-12-24  Allow consensus interval of 10 seconds when testing  [teor]
Decrease minimum consensus interval to 10 seconds when TestingTorNetwork is set. (Or 5 seconds for the first consensus.) Fix code that assumes larger interval values. This assists in quickly bootstrapping a testing Tor network. Fixes bugs 13718 & 13823.
2014-11-02  Apply new calloc coccinelle patch  [Nick Mathewson]
2014-10-28  Add another year to our copyright dates.  [Nick Mathewson]
Because in 95 years, we or our successors will surely care about enforcing the BSD license terms on this code. Right?
2014-10-13  Treat unparseable (micro)descriptors and extrainfos as undownloadable  [Nick Mathewson]
One pain point in evolving the Tor design and implementation has been adding code that makes clients reject directory documents that they previously would have accepted, if those descriptors actually exist. When this happened, the clients would get the document, reject it, and then decide to try downloading it again, ad infinitum. This problem becomes particularly obnoxious with authorities, since if some authorities accept a descriptor that others don't, the ones that don't accept it would go crazy trying to re-fetch it over and over. (See for example ticket #9286.) This patch tries to solve this problem by tracking, if a descriptor isn't parseable, what its digest was, and whether it is invalid because of some flaw that applies to the portion containing the digest. (This excludes RSA signature problems: RSA signatures aren't included in the digest. This means that a directory authority can still put another directory authority into a loop by mentioning a descriptor, and then serving that descriptor with an invalid RSA signature. But that would also make the misbehaving directory authority get DoSed by the server it's attacking, so it's not much of an issue.) We already have a mechanism to mark something undownloadable with downloadstatus_mark_impossible(); we use that here for microdescriptors, extrainfos, and router descriptors. Unit tests to follow in another patch. Closes ticket #11243.
2014-09-28  Stop spurious clang shallow analysis null pointer errors  [teor]
Avoid 4 null pointer errors under clang shallow analysis (the default when building under Xcode) by using tor_assert() to prove that the pointers aren't null. Resolves issue 13284 via minor code refactoring.
2014-09-02  Merge remote-tracking branch 'origin/maint-0.2.5'  [Nick Mathewson]
2014-09-02  Fix a number of clang analyzer false-positives  [Nick Mathewson]
Most of these are in somewhat non-obvious code where it is probably a good idea to initialize variables and add extra assertions anyway. Closes 13036. Patches from "teor".
2014-08-26  Merge remote-tracking branch 'public/bug10163'  [Nick Mathewson]
2014-08-25  Remove the assigned-but-unused chosen_named_idx local variable  [Nick Mathewson]
It had been used in consensus method 1. But now that 13 is the minimum (see #10163), we don't need it around. Found by sysrqb.
2014-08-21  Mark one use of networkstatus_check_document_signature as (void)  [Nick Mathewson]
Also explain why we aren't checking its return value. [CID 1198197]
2014-08-21  remove meaningless checks for chunks==NULL in dirserv stuff  [Nick Mathewson]
Also, make it clearer that chunks cannot be NULL [CID 1031750, 1031751]
2014-08-15  Remove implementation code for all pre-13 consensus methods.  [Nick Mathewson]
Also remove a test for the way that we generated parameter votes before consensus method 12.
2014-08-15  Remove support for generating consensuses with methods <= 9.  [Nick Mathewson]
The last patch disabled these; this one removes the code to implement them.
2014-08-15  No longer advertise or negotiate any consensus method before 13.  [Nick Mathewson]
Implements proposal 215; closes ticket 10163. Why? From proposal 215: Consensus method 1 is no longer viable for the Tor network. It doesn't result in a microdescriptor consensus, and omits other fields that clients need in order to work well. Consensus methods under 12 have security issues, since they let a single authority set a consensus parameter. ... For example, while Tor 0.2.4.x is under development, authorities should really not be running anything before Tor 0.2.3.x. Tor 0.2.3.x has supported consensus method 13 since 0.2.3.21-rc, so it's okay for 0.2.4.x to require 13 as the minimum method. We even might go back to method 12, since the worst outcome of not using 13 would be some warnings in client logs. Consensus method 12 was a security improvement, so we don't want to roll back before that.
2014-08-13  Apply coccinelle script to replace malloc(a*b)->calloc(a,b)  [Nick Mathewson]
2014-05-06  Future-proof "id" lines against proposal 220.  [Nick Mathewson]
2014-05-05  Consensus method 18: Add a base64 ID digest to the microdesc  [Nick Mathewson]
This is a stopgap measure to make sure that microdescriptors never collide; see bug 11743.
2013-12-17  Merge remote-tracking branch 'origin/maint-0.2.4'  [Nick Mathewson]
Conflicts:
  src/or/microdesc.c
Conflict because one change was on line adjacent to line where 01206893 got fixed.
2013-12-17  Merge remote-tracking branch 'public/bug10409_023' into maint-0.2.4  [Nick Mathewson]
2013-12-16  Avoid free()ing from an mmap on corrupted microdesc cache  [Nick Mathewson]
The 'body' field of a microdesc_t holds a strdup()'d value if the microdesc's saved_location field is SAVED_IN_JOURNAL or SAVED_NOWHERE, and holds a pointer to the middle of an mmap if the microdesc is SAVED_IN_CACHE. But we weren't setting that field until a while after we parsed the microdescriptor, which left an interval where microdesc_free() would try to free() the middle of the mmap(). This patch also includes a regression test. This is a fix for #10409; bugfix on 0.2.2.6-alpha.
2013-09-01  Added no_tempfile parameter to write_chunks_to_file to do non-atomic writes. Implements #1376.  [Kevin Butler]
2013-07-10  Completely refactor how FILENAME_PRIVATE works  [Nick Mathewson]
We previously used FILENAME_PRIVATE identifiers mostly for identifiers exposed only to the unit tests... but also for identifiers exposed to the benchmarker, and sometimes for identifiers exposed to a similar module, and occasionally for no really good reason at all. Now, we use FILENAME_PRIVATE identifiers for identifiers shared by Tor and the unit tests. They should be defined static when we aren't building the unit test, and globally visible otherwise. (The STATIC macro will keep us honest here.) For identifiers used only by the unit tests and never by Tor at all, on the other hand, we wrap them in #ifdef TOR_UNIT_TESTS. This is not the motivating use case for the split test/non-test build system; it's just a test example to see how it works, and to take a chance to clean up the code a little.
2013-07-08  Merge remote-tracking branch 'origin/maint-0.2.4'  [Nick Mathewson]
2013-07-08  Add a comment and a check for why flag indices will be <= 63  [Nick Mathewson]
2013-07-03  Fix undefined behavior in dirvote.c  [Nick Mathewson]
Fix a bug in the voting algorithm that could yield incorrect results when a non-naming authority declared too many flags. Fixes bug 9200; bugfix on 0.2.0.3-alpha. Found by coverity scan.
2013-06-08  Add support for offsetting the voting interval in order to bootstrap faster.  [Linus Nordberg]
A new option TestingV3AuthVotingStartOffset is added which offsets the starting time of the voting interval. This is possible only when TestingTorNetwork is set. This patch makes run_scheduled_events() check for new consensus downloads every second when TestingTorNetwork, instead of every minute. This should be fine, see #8532 for reasoning. This patch also brings MIN_VOTE_SECONDS and MIN_DIST_SECONDS down from 20 to 2 seconds, unconditionally. This makes sanity checking of misconfiguration slightly less sane. Addresses #8532.
2013-05-10  Merge bug5595-v2-squashed into maint-0.2.4  [Andrea Shepard]
2013-05-09  When downloading certificates, distinguish requesting by identity digest from requesting by ID digest, signing key pair; fixes bug 5595  [Andrea Shepard]
2013-04-18  Merge branch 'less_charbuf_rebased' into maint-0.2.4  [Nick Mathewson]
Conflicts:
  src/or/dirserv.c
  src/or/dirserv.h
  src/test/test_dir.c
2013-04-18  Remove some now-needless length defines  [Nick Mathewson]
2013-04-18  Refactor dirobj signature generation  [Nick Mathewson]
Now we can compute the hash and signature of a dirobj before concatenating the smartlist, and we don't need to play silly games with sigbuf and realloc any more.
2013-04-18  Refactor routerstatus_format_entry to avoid character-buffers  [Nick Mathewson]
2013-04-14  Rename all fields which measure bw in kb to end with _kb  [Nick Mathewson]
2013-03-29  Bug 8419: Apply the badexit fix from #2203 to validation too  [Mike Perry]
This was causing dirauths to emit flag weight validation warns if there was a sufficiently large amount of badexit bandwidth to make a difference in flag weight results.
2013-02-20  Refactor format_networkstatus_vote to avoid preallocating a buffer.  [Nick Mathewson]
This saves a lot of "are we about to overrun the buffer?" checking, and unmoots a bunch of "did we allocate enough" discussion.
2013-02-19  Merge branch 'bug2286_unit_test_squashed'  [Nick Mathewson]
2013-02-19  Refactor storing of measured_bw versus Unmeasured=1.  [Nick Mathewson]
This patch moves the measured_bw field and the has_measured_bw field into vote_routerstatus_t, since only votes have 'Measured=XX' set on their weight line. I also added a new bw_is_unmeasured flag to routerstatus_t to represent the Unmeasured=1 flag on a w line. Previously, I was using has_measured_bw for this, which was quite incorrect: has_measured_bw means that the measured_bw field is set, and it's probably a mistake to have it serve double duty as meaning that 'bandwidth' represents a measured value. While making this change, I also found a harmless but stupid bug in dirserv_read_measured_bandwidths: It assumes that it's getting a smartlist of routerstatus_t, when really it's getting a smartlist of vote_routerstatus_t. C's struct layout rules mean that we could never actually get an error because of that, but it's still quite incorrect. I fixed that, and in the process needed to add two more sorting and searching helpers. Finally, I made the Unmeasured=1 flag get parsed. We don't use it for anything yet, but someday we might. This isn't complete yet -- the new 2286 unit test doesn't build.
2013-02-19  Add unit test for unmeasured bandwidth clipping in consensus  [Andrea Shepard]
2013-02-19  Note some annoying copy-and-paste code  [Nick Mathewson]
2013-02-19  Tweak consensus method 17 based on arma's comments  [Nick Mathewson]
Instead of capping whenever a router has fewer than 3 measurements, we cap whenever a router has fewer than 3 measurements *AND* there are at least 3 authorities publishing measured bandwidths. We also generate bandwidth lines with a new "Unmeasured=1" flag, meaning that we didn't have enough observations for a node to use measured bandwidth values in the authority's input, whether we capped it or not.
2013-02-11  Fix two more coverity-spotted leaks in master.  [Nick Mathewson]
One is a probably-impossible leak if we fail to sign a consensus; another occurs when we can't look up the user we're trying to chown our sockets to.
2013-02-08  Add doxygen for bug8158 functions  [Nick Mathewson]
2013-02-08  Coalesce identical adjacent microdescriptor vote lines.  [Nick Mathewson]
2013-02-08  Refactor generating the m lines in a vote into its own function  [Nick Mathewson]
2013-02-07  Merge remote-tracking branch 'public/bug7816_024'  [Nick Mathewson]
2013-02-05  New consensus method: clip the maximum votable unmeasured bw  [Nick Mathewson]
If we're deciding on a node's bandwidth based on "Bandwidth=" declarations, clip it to "20" or to the maxunmeasuredbw parameter, if it's voted on. This adds a new consensus method. This is "part A" of bug 2286