aboutsummaryrefslogtreecommitdiff
path: root/src/test/test_protover.c
AgeCommit message (Collapse)Author
2018-10-23Merge branch 'maint-0.3.4' into maint-0.3.5Nick Mathewson
2018-10-23Merge branch 'maint-0.3.3' into maint-0.3.4Nick Mathewson
2018-10-23Merge remote-tracking branch 'onionk/rust-allsupportednull1' into maint-0.3.3Nick Mathewson
2018-09-21Merge branch 'maint-0.3.4'Nick Mathewson
2018-09-21Merge branch 'maint-0.3.3' into maint-0.3.4Nick Mathewson
2018-09-21Merge branch 'maint-0.3.2' into maint-0.3.3Nick Mathewson
2018-09-21Merge branch 'maint-0.2.9' into maint-0.3.2maint-0.3.2Nick Mathewson
2018-09-21rust/protover: fix null deref in protover_all_supported()cypherpunks
Fortunately with the current callers it couldn't happen in practice. Fix on d1820c1516a31a149fc51a9e5126bf899e4c4e08.
2018-09-16Add tortls.h includes to expose critical macro. Fix #27734.Nick Mathewson
2018-09-16When Tor is compiled with NSS, don't claim support for LinkAuth=1Nick Mathewson
Closes ticket 27288
2018-09-14protover: reject invalid protocol namescypherpunks
The spec only allows the characters [A-Za-z0-9-]. Fix on b2b2e1c7f24d9b65059e3d089768d6c49ba4f58f. Fixes #27316; bugfix on 0.2.9.4-alpha.
2018-09-12Merge branch 'maint-0.3.4'Nick Mathewson
2018-09-12Merge branch 'maint-0.3.3' into maint-0.3.4Nick Mathewson
2018-09-12test/protover: remove version zero from testscypherpunks
This isn't legal according to dir-spec.txt. We can write separate tests for it if the spec is changed to make it legal.
2018-09-11Merge remote-tracking branch 'onionk/doublevote1'Nick Mathewson
2018-08-28Merge remote-tracking branch 'onionk/prototest1'Nick Mathewson
2018-08-19test/protover: add double-voting testcypherpunks
2018-08-17test/protover: add test for whitespace parsing bugcypherpunks
2018-08-17test/protover: add test for hyphen parsing bugcypherpunks
2018-07-05Whoops. Protover.[ch] belong in src/core/orNick Mathewson
2018-07-05Fix every include path changed in the previous commit (automated)Nick Mathewson
I am very glad to have written this script.
2018-06-20Run rectify_include_paths.pyNick Mathewson
2018-06-20Update copyrights to 2018.Nick Mathewson
2018-05-22Merge branch 'maint-0.3.3'Nick Mathewson
2018-05-22Make the TROVE-2018-005 fix work with rust.Nick Mathewson
2018-05-22fix wide linesNick Mathewson
2018-05-22protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing.Isis Lovecruft
In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of `proto_entry_t`s to their protocol name concatenated with each version number. For example, given a `proto_entry_t` like so: proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t)); proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t)); proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa"); proto->ranges = smartlist_new(); range->low = 1; range->high = 65536; smartlist_add(proto->ranges, range); (Where `[19KB]` is roughly 19KB of `"a"` bytes.) This would expand in `expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the string, e.g.: "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1" "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2" […] "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535" Thus constituting a potential resource exhaustion attack. The Rust implementation is not subject to this attack, because it instead expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031, and a `HashMap<UnvalidatedProtocol, ProtoSet>` after). Neither Rust version is subject to this attack, because it only stores the `String` once per protocol. (Although a related, but apparently of too minor impact to be usable, DoS bug has been fixed in #24031. [0]) [0]: https://bugs.torproject.org/24031 * ADDS hard limit on protocol name lengths in protover.c and checks in parse_single_entry() and expand_protocol_list(). * ADDS tests to ensure the bug is caught. * FIXES #25517: https://bugs.torproject.org/25517
2018-05-22Merge branch 'trove-2018-005_032' into trove-2018-005_033Nick Mathewson
2018-05-22protover: TROVE-2018-005 Fix potential DoS in protover protocol parsing.Isis Lovecruft
In protover.c, the `expand_protocol_list()` function expands a `smartlist_t` of `proto_entry_t`s to their protocol name concatenated with each version number. For example, given a `proto_entry_t` like so: proto_entry_t *proto = tor_malloc(sizeof(proto_entry_t)); proto_range_t *range = tor_malloc_zero(sizeof(proto_range_t)); proto->name = tor_strdup("DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa"); proto->ranges = smartlist_new(); range->low = 1; range->high = 65536; smartlist_add(proto->ranges, range); (Where `[19KB]` is roughly 19KB of `"a"` bytes.) This would expand in `expand_protocol_list()` to a `smartlist_t` containing 65536 copies of the string, e.g.: "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=1" "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=2" […] "DoSaaaaaaaaaaaaaaaaaaaaaa[19KB]aaa=65535" Thus constituting a potential resource exhaustion attack. The Rust implementation is not subject to this attack, because it instead expands the above string into a `HashMap<String, HashSet<u32>` prior to #24031, and a `HashMap<UnvalidatedProtocol, ProtoSet>` after). Neither Rust version is subject to this attack, because it only stores the `String` once per protocol. (Although a related, but apparently of too minor impact to be usable, DoS bug has been fixed in #24031. [0]) [0]: https://bugs.torproject.org/24031 * ADDS hard limit on protocol name lengths in protover.c and checks in parse_single_entry() and expand_protocol_list(). * ADDS tests to ensure the bug is caught. * FIXES #25517: https://bugs.torproject.org/25517
2018-04-02tests: Run all existing protover tests in both languages.Isis Lovecruft
There's now no difference in these tests w.r.t. the C or Rust: both fail miserably (well, Rust fails with nice descriptive errors, and C gives you a traceback, because, well, C).
2018-04-02tests: Make inline comments in test_protover.c more accurate.Isis Lovecruft
The DoS potential is slightly higher in C now due to some differences to the Rust code, see the C_RUST_DIFFERS tags in src/rust/protover/tests/protover.rs. Also, the comment about "failing at the splitting stage" in Rust wasn't true, since when we split, we ignore empty chunks (e.g. "1--1" parses into "(1,None),(None,1)" and "None" can't be parsed into an integer). Finally, the comment about "Rust seems to experience an internal error" is only true in debug mode, where u32s are bounds-checked at runtime. In release mode, code expressing the equivalent of this test will error with `Err(ProtoverError::Unparseable)` because 4294967295 is too large.
2018-04-02protover: Change protover_all_supported() to return only unsupported.Isis Lovecruft
Previously, if "Link=1-5" was supported, and you asked protover_all_supported() (or protover::all_supported() in Rust) if it supported "Link=3-999", the C version would return "Link=3-999" and the Rust would return "Link=6-999". These both behave the same now, i.e. both return "Link=6-999".
2018-04-02tests: Run all existing protover tests in both languages.Isis Lovecruft
There's now no difference in these tests w.r.t. the C or Rust: both fail miserably (well, Rust fails with nice descriptive errors, and C gives you a traceback, because, well, C).
2018-04-02tests: Make inline comments in test_protover.c more accurate.Isis Lovecruft
The DoS potential is slightly higher in C now due to some differences to the Rust code, see the C_RUST_DIFFERS tags in src/rust/protover/tests/protover.rs. Also, the comment about "failing at the splitting stage" in Rust wasn't true, since when we split, we ignore empty chunks (e.g. "1--1" parses into "(1,None),(None,1)" and "None" can't be parsed into an integer). Finally, the comment about "Rust seems to experience an internal error" is only true in debug mode, where u32s are bounds-checked at runtime. In release mode, code expressing the equivalent of this test will error with `Err(ProtoverError::Unparseable)` because 4294967295 is too large.
2018-04-02protover: Change protover_all_supported() to return only unsupported.Isis Lovecruft
Previously, if "Link=1-5" was supported, and you asked protover_all_supported() (or protover::all_supported() in Rust) if it supported "Link=3-999", the C version would return "Link=3-999" and the Rust would return "Link=6-999". These both behave the same now, i.e. both return "Link=6-999".
2018-03-01Merge branch 'maint-0.3.2' into maint-0.3.3Nick Mathewson
2018-03-01Merge branch 'maint-0.3.1' into maint-0.3.2Nick Mathewson
2018-03-01Merge branch 'maint-0.2.9' into maint-0.3.1Nick Mathewson
2018-03-01Protover tests: disable some obsoleted testsNick Mathewson
These were meant to demonstrate old behavior, or old rust behavior. One of them _should_ work in Rust, but won't because of implementation details. We'll fix that up later.
2018-03-01Forbid UINT32_MAX as a protocol versionNick Mathewson
The C code and the rust code had different separate integer overflow bugs here. That suggests that we're better off just forbidding this pathological case. Also, add tests for expected behavior on receiving a bad protocol list in a consensus. Fixes another part of 25249.
2018-03-01Forbid "-0" as a protocol version.Nick Mathewson
Fixes part of 24249; bugfix on 0.2.9.4-alpha.
2018-03-01Add more of Teor's protover tests.Nick Mathewson
These are as Teor wrote them; I've disabled the ones that don't pass yet, with XXXX comments.
2018-03-01Add some protover vote round-trip tests from Teor.Nick Mathewson
I've refactored these to be a separate function, to avoid tricky merge conflicts. Some of these are disabled with "XXXX" comments; they should get fixed moving forward.
2018-01-30Add unit tests for supported protocolsteor
Prevents future regressions like #25070.
2017-11-09Merge branch 'ticket20895'Nick Mathewson
2017-10-27rust implementation of protoverChelsea Holland Komlo
2017-09-11Add a function to check for support for "protocol X or later"Nick Mathewson
Also, add unit tests for this new function and for the regular "does this list include support for protocol X" code.
2017-08-24apply ahf's test_assert_null.cocciNick Mathewson
2017-03-15Run the copyright update script.Nick Mathewson
2016-09-26Rename compute_protover_vote to protover_compute_voteNick Mathewson