Merge branch 'maint-0.2.5' into release-0.2.5

2016-01-07 09:47:44 -08:00 · 2016-01-07 09:47:44 -08:00 · 01d5921435
parent c79976bc9b 9ca329581a
commit 01d5921435
19 changed files with 23716 additions and 11458 deletions
--- a/changes/bug15823
+++ b/changes/bug15823
@ -0,0 +1,4 @@
+  o Minor bugfixes (hidden service):
+    - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
+      on a client authorized hidden service. Fixes bug 15823; bugfix
+      on 0.2.1.6-alpha.
--- a/changes/bug16360-failed-crypto-early-init
+++ b/changes/bug16360-failed-crypto-early-init
@ -0,0 +1,7 @@
+  o Minor bugfixes (crypto error-handling):
+    - If crypto_early_init fails, a typo in a return value from tor_init
+      means that tor_main continues running, rather than returning
+      an error value.
+      Fixes bug 16360; bugfix on d3fb846d8c98 in 0.2.5.2-alpha,
+      introduced when implementing #4900.
+      Patch by "teor".
--- a/changes/bug17772
+++ b/changes/bug17772
@ -0,0 +1,7 @@
+  o Major bugfixes (guard selection):
+    - Actually look at the Guard flag when selecting a new directory
+      guard. When we implemented the directory guard design, we
+      accidentally started treating all relays as if they have the Guard
+      flag during guard selection, leading to weaker anonymity and worse
+      performance. Fixes bug 17222; bugfix on 0.2.4.8-alpha. Discovered
+      by Mohsen Imani.
--- a/changes/bug17781
+++ b/changes/bug17781
@ -0,0 +1,3 @@
+  o Compilation fixes:
+    - Fix a compilation warning with Clang 3.6: Do not check the
+      presence of an address which can never be NULL. Fixes bug 17781.
--- a/changes/bug17906
+++ b/changes/bug17906
@ -0,0 +1,4 @@
+  o Minor features (authorities):
+    - Update the V3 identity key for dannenberg, it was changed on
+      18 November 2015.
+      Closes task #17906. Patch by "teor".
--- a/changes/geoip-december2015
+++ b/changes/geoip-december2015
@ -0,0 +1,4 @@
+  o Minor features:
+    - Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2
+      Country database.
+
--- a/changes/geoip-january2016
+++ b/changes/geoip-january2016
@ -0,0 +1,4 @@
+  o Minor features:
+    - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
+      Country database.
+
--- a/changes/geoip-july2015
+++ b/changes/geoip-july2015
@ -0,0 +1,3 @@
+  o Minor features:
+    - Update geoip and geoip6 to the July 8 2015 Maxmind GeoLite2 Country database.
+
--- a/changes/geoip-june2015
+++ b/changes/geoip-june2015
@ -0,0 +1,3 @@
+  o Minor features:
+    - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
+
--- a/changes/geoip-october2015
+++ b/changes/geoip-october2015
@ -0,0 +1,3 @@
+  o Minor features:
+    - Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2 Country database.
+
--- a/changes/geoip-september2015
+++ b/changes/geoip-september2015
@ -0,0 +1,3 @@
+  o Minor features:
+    - Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2 Country database.
+
--- a/changes/geoip6-june2015
+++ b/changes/geoip6-june2015
@ -0,0 +1,3 @@
+  o Minor features:
+    - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
+
--- a/src/config/geoip
+++ b/src/config/geoip
--- a/src/config/geoip6
+++ b/src/config/geoip6
--- a/src/or/config.c
+++ b/src/or/config.c
@ -862,7 +862,7 @@ add_default_trusted_dir_authorities(dirinfo_type_t type)
      "v3ident=ED03BB616EB2F60BEC80151114BB25CEF515B226 "
      "131.188.40.189:80 F204 4413 DAC2 E02E 3D6B CF47 35A1 9BCA 1DE9 7281",
    "dannenberg orport=443 "
-      "v3ident=585769C78764D58426B8B52B6651A5A71137189A "
+      "v3ident=0232AF901C31A04EE9848595AF9BB7620D4C5B2E "
      "193.23.244.244:80 7BE6 83E6 5D48 1413 21C5 ED92 F075 C553 64AC 7123",
    "urras orport=80 v3ident=80550987E1D626E3EBA5E5E75A458DE0626D088C "
      "208.83.223.34:443 0AD3 FA88 4D18 F89E EA2D 89C0 1937 9E0E 7FD9 4417",
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@ -744,7 +744,7 @@ connection_ap_fail_onehop(const char *failed_digest,
      /* we don't know the digest; have to compare addr:port */
      tor_addr_t addr;
      if (!build_state || !build_state->chosen_exit ||
-          !entry_conn->socks_request || !entry_conn->socks_request->address)
+          !entry_conn->socks_request)
        continue;
      if (tor_addr_parse(&addr, entry_conn->socks_request->address)<0 ||
          !tor_addr_eq(&build_state->chosen_exit->addr, &addr) ||
--- a/src/or/main.c
+++ b/src/or/main.c
@ -2346,7 +2346,7 @@ tor_init(int argc, char *argv[])
  /* Set up the crypto nice and early */
  if (crypto_early_init() < 0) {
    log_err(LD_GENERAL, "Unable to initialize the crypto subsystem!");
-    return 1;
+    return -1;
  }

  /* Initialize the history structures. */
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@ -969,11 +969,13 @@ rend_service_requires_uptime(rend_service_t *service)
  return 0;
 }

-/** Check client authorization of a given <b>descriptor_cookie</b> for
- * <b>service</b>. Return 1 for success and 0 for failure. */
+/** Check client authorization of a given <b>descriptor_cookie</b> of
+ * length <b>cookie_len</b> for <b>service</b>. Return 1 for success
+ * and 0 for failure. */
 static int
 rend_check_authorization(rend_service_t *service,
-                         const char *descriptor_cookie)
+                         const char *descriptor_cookie,
+                         size_t cookie_len)
 {
  rend_authorized_client_t *auth_client = NULL;
  tor_assert(service);
@ -984,6 +986,13 @@ rend_check_authorization(rend_service_t *service,
    return 0;
  }

+  if (cookie_len != REND_DESC_COOKIE_LEN) {
+    log_info(LD_REND, "Descriptor cookie is %lu bytes, but we expected "
+                      "%lu bytes. Dropping cell.",
+             (unsigned long)cookie_len, (unsigned long)REND_DESC_COOKIE_LEN);
+    return 0;
+  }
+
  /* Look up client authorization by descriptor cookie. */
  SMARTLIST_FOREACH(service->clients, rend_authorized_client_t *, client, {
    if (tor_memeq(client->descriptor_cookie, descriptor_cookie,
@ -1330,7 +1339,8 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request,
  if (service->clients) {
    if (parsed_req->version == 3 && parsed_req->u.v3.auth_len > 0) {
      if (rend_check_authorization(service,
-                                   (const char*)parsed_req->u.v3.auth_data)) {
+                                   (const char*)parsed_req->u.v3.auth_data,
+                                   parsed_req->u.v3.auth_len)) {
        log_info(LD_REND, "Authorization data in INTRODUCE2 cell are valid.");
      } else {
        log_info(LD_REND, "The authorization data that are contained in "
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@ -1459,8 +1459,14 @@ router_pick_directory_server_impl(dirinfo_type_t type, int flags)
    if ((type & MICRODESC_DIRINFO) && !is_trusted &&
        !node->rs->version_supports_microdesc_cache)
      continue;
-    if (for_guard && node->using_as_guard)
-      continue; /* Don't make the same node a guard twice. */
+    /* Don't make the same node a guard twice */
+    if (for_guard && node->using_as_guard) {
+      continue;
+    }
+    /* Ensure that a directory guard is actually a guard node. */
+    if (for_guard && !node->is_possible_guard) {
+      continue;
+    }
    if (try_excluding &&
        routerset_contains_routerstatus(options->ExcludeNodes, status,
                                        country)) {