| Age | Commit message (Collapse) | Author |
|---|
|
|
|
no actual changes in behavior
|
|
Fix an "off by 2" error in counting rendezvous failures on the onion
service side.
While we thought we would stop the rendezvous attempt after one failed
circuit, we were actually making three circuit attempts before giving up.
Fixes bug 24895; bugfix on 0.0.6.
|
|
|
|
|
|
Fixes bug 24480; bugfix on 0.2.5.16.
|
|
|
|
|
|
TROVE-2017-13. Severity: High.
In the unlikely case that a hidden service could be missing intro circuit(s),
that it didn't have enough directory information to open new circuits and that
an intro point was about to expire, a use-after-free is possible because of
the intro point object being both in the retry list and expiring list at the
same time.
The intro object would get freed after the circuit failed to open and then
access a second time when cleaned up from the expiring list.
Fixes #24313
|
|
This is a regression; we should have been checking only the
public-key encrypted portion. Fixes bug 24244, TROVE-2017-009, and
CVE-2017-8819.
|
|
|
|
Fixes bug 23490; bugfix on 0.2.7.2-alpha.
TROVE-2017-008
CVE-2017-0380
|
|
Instead, refuse to start tor if any hidden service key has been used in
a different hidden service anonymity mode.
Fixes bug 20638; bugfix on 17178 in 0.2.9.3-alpha; reported by ahf.
The original single onion service poisoning code checked poisoning state
in options_validate, and poisoned in options_act. This was problematic,
because the global array of hidden services had not been populated in
options_validate (and there were ordrering issues with hidden service
directory creation).
This patch fixes this issue in rend_service_check_dir_and_add, which:
* creates the directory, or checks permissions on an existing directory, then
* checks the poisoning state of the directory, then
* poisons the directory.
When validating, only the permissions checks and the poisoning state checks
are perfomed (the directory is not modified).
|
|
Add extra logging and extra validity checks for hidden services.
|
|
Make the function flatter, and prepare for #20559.
No behaviour change.
|
|
Put that code in rend_service_check_dir_and_add.
No behaviour change.
This is a defence in depth measure against similar bugs to 20529.
|
|
(We only create HS directories if we are acting on the config.)
Log a BUG warning if the directories aren't present immediately before they
are used, then fail.
|
|
Fixup on both:
* Refactor, adding a create argument... and
* Check every hidden service directory's permissions...
|
|
Previously, we would only check the last hidden service directory.
Fixes #20529, bugfix on ticket 13942 commit 85bfad1 in 0.2.6.2-alpha.
|
|
Comment changes only
|
|
|
|
check_private_dir already does this for existing directories.
|
|
It used to be rend_service_check_and_create_private_dir, which always
created the directory.
No behaviour change.
|
|
(Also, refactor the code to create a hidden service directory into a
separate funcion, so we don't have to duplicate it.)
Fixes bug 20484; bugfix on 0.2.9.3-alpha.
|
|
|
|
Feature 18753 -- all this to allow spaces.
|
|
Bugfix on a4f46ff8ba43b1e635bc5a8543b9354e6de02e14. Found by Coverity.
|
|
|
|
And make consequential line-length adjustments.
|
|
* Check consistency between the two single onion torrc options
* Use the more relevant option each time we check for single onion mode
* Clarify log messages
* Clarify comments
* Otherwise, no behaviour change
|
|
And make consequential changes to make it less error-prone.
No behaviour change.
|
|
|
|
|
|
|
|
Add experimental OnionServiceSingleHopMode and
OnionServiceNonAnonymousMode options. When both are set to 1, every
hidden service on a tor instance becomes a non-anonymous Single Onion
Service. Single Onions make one-hop (direct) connections to their
introduction and renzedvous points. One-hop circuits make Single Onion
servers easily locatable, but clients remain location-anonymous.
This is compatible with the existing hidden service implementation, and
works on the current tor network without any changes to older relays or
clients.
Implements proposal #260, completes ticket #17178. Patch by teor & asn.
squash! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Implement Prop #260: Single Onion Services
Redesign single onion service poisoning.
When in OnionServiceSingleHopMode, each hidden service key is poisoned
(marked as non-anonymous) on creation by creating a poison file in the
hidden service directory.
Existing keys are considered non-anonymous if this file exists, and
anonymous if it does not.
Tor refuses to launch in OnionServiceSingleHopMode if any existing keys
are anonymous. Similarly, it refuses to launch in anonymous client mode
if any existing keys are non-anonymous.
Rewrite the unit tests to match and be more comprehensive.
Adds a bonus unit test for rend_service_load_all_keys().
|
|
Also check that the port list exists before freeing it.
Patch by asn.
|
|
|
|
|
|
|
|
It always returns 0. It should be replaced with the Single
Onion version from #17178 when both are merged.
|
|
This is a partial fix for 18902.
|
|
|
|
descriptor
|
|
When deleting an ephemeral HS, we were only iterating on circuit with an
OPEN state. However, it could be possible that an intro point circuit didn't
reached the open state yet.
This commit makes it that we close the circuit regardless of its state
except if it was already marked for close.
Fixes #18604
Signed-off-by: David Goulet <dgoulet@torproject.org>
|
|
|
|
Closes ticket 18761.
Also fix a whitespace issue.
|
|
|
|
|
|
|
|
Tor stores client authorization cookies in two slightly different forms.
The service's client_keys file has the standard base64-encoded cookie,
including two chars of padding. The hostname file and the client remove
the two padding chars, and store an auth type flag in the unused bits.
The distinction makes no sense. Refactor all decoding to use the same
function, which will accept either form, and use a helper function for
encoding the truncated format.
|
