From cbf9e742368158b927249913b395b3796d847a92 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 6 Mar 2014 09:57:42 -0500 Subject: [PATCH 01/13] Correct the URL in the "a relay on win95???" message This is a fix for 9393; it's not a bugfix on any Tor version per se, but rather on whatever Tor version was current when we reorganized the wiki. --- changes/bug9393 | 4 ++++ src/or/config.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 changes/bug9393 diff --git a/changes/bug9393 b/changes/bug9393 new file mode 100644 index 000000000..9aedd1260 --- /dev/null +++ b/changes/bug9393 @@ -0,0 +1,4 @@ + o Minor bugfixes: + - Give the correct URL in the warning message that we present + when the user is trying to run a Tor relay on an ancient version + of Windows. Fixes bug 9393. diff --git a/src/or/config.c b/src/or/config.c index 3984755dd..ef0294626 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -2319,7 +2319,7 @@ options_validate(or_options_t *old_options, or_options_t *options, !strcmpstart(uname, "Windows Me"))) { log_warn(LD_CONFIG, "Tor is running as a server, but you are " "running %s; this probably won't work. See " - "https://wiki.torproject.org/TheOnionRouter/TorFAQ#ServerOS " + "https://www.torproject.org/docs/faq.html#BestOSForRelay " "for details.", uname); } From db72479eea4b5bbd73d1fa33f4c9e4e4e2b99b04 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 10 Mar 2014 15:01:27 -0400 Subject: [PATCH 02/13] Update ns downloads when we receive a bridge descriptor This prevents long stalls when we're starting with a state file but with no bridge descriptors. Fixes bug 9229. I believe this bug has been present since 0.2.0.3-alpha. --- changes/bug9229 | 5 +++++ src/or/entrynodes.c | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 changes/bug9229 diff --git a/changes/bug9229 b/changes/bug9229 new file mode 100644 index 000000000..ad7fd22c2 --- /dev/null +++ b/changes/bug9229 
@@ -0,0 +1,5 @@ + o Minor bugfixes: + - Avoid 60-second delays in the bootstrapping process when Tor + is launching for a second time while using bridges. Fixes bug 9229; + bugfix on 0.2.0.3-alpha. + diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c index 2aa063cda..59770fa65 100644 --- a/src/or/entrynodes.c +++ b/src/or/entrynodes.c @@ -2115,8 +2115,12 @@ learned_bridge_descriptor(routerinfo_t *ri, int from_cache) * our entry node list */ entry_guard_register_connect_status(ri->cache_info.identity_digest, 1, 0, now); - if (first) + if (first) { + /* XXXX apparently, this is never called. See bug #9229. */ routerlist_retry_directory_downloads(now); + } + + update_networkstatus_downloads(now); } } } From 9077118ee27e275d495b89a810ee28882c74cf62 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 11 Mar 2014 11:17:46 -0400 Subject: [PATCH 03/13] Remove the unused router_hex_digest_matches When I removed some unused functions in 5bfa373eeeb, this became unused as well. --- src/or/routerlist.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/src/or/routerlist.c b/src/or/routerlist.c index c28de24b6..cb39729ff 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -2591,19 +2591,6 @@ router_is_named(const routerinfo_t *router) tor_memeq(digest, router->cache_info.identity_digest, DIGEST_LEN)); } -/** Return true iff the digest of router's identity key, - * encoded in hexadecimal, matches hexdigest (which is - * optionally prefixed with a single dollar sign). Return false if - * hexdigest is malformed, or it doesn't match. */ -static INLINE int -router_hex_digest_matches(const routerinfo_t *router, const char *hexdigest) -{ - return hex_digest_nickname_matches(hexdigest, - router->cache_info.identity_digest, - router->nickname, - router_is_named(router)); -} - /** Return true iff digest is the digest of the identity key of a * trusted directory matching at least one bit of type. If type * is zero, any authority is okay. */ 
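Review bot: The new `update_networkstatus_downloads(now);` is unconditional while the `if (first)` block two lines above keeps `routerlist_retry_directory_downloads(now)` behind a guard that the added XXXX comment says apparently never executes; leaving the dead call next to its replacement will confuse the next reader. Either drop the `if (first)` block or turn the XXXX into a statement of what is known, e.g. `/* first is never true here as far as we can tell (bug #9229); kept until the retry path is audited. */`. The new call also deserves a one-line why-comment, e.g. `/* Bug 9229: with a state file but no bridge descriptors, networkstatus downloads otherwise stall (the changes entry cites 60-second delays). */`. learned_bridge_descriptor begins outside the hunk, so whether this path is gated on `from_cache` cannot be seen here.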
From a83abcf5ee5cb8fe245bc97e089e082f62921194 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 20 Mar 2014 13:52:50 -0400 Subject: [PATCH 04/13] Fix unittest compilation with --disable-curve25519 This is a fix for 9700, which we already fixed in 0.2.5.x, but which got left in 0.2.4.x. This is a partial backport of a0a855d586d99540277014ccd3 --- changes/bug9700 | 3 +++ src/test/test.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 changes/bug9700 diff --git a/changes/bug9700 b/changes/bug9700 new file mode 100644 index 000000000..f59f54cb0 --- /dev/null +++ b/changes/bug9700 @@ -0,0 +1,3 @@ + o Minor bugfixes (compilation): + - Fix a compilation error when compiling with --disable-cuve25519. + Fixes bug 9700; bugfix on 0.2.4.17-rc. diff --git a/src/test/test.c b/src/test/test.c index 4ec879234..c2911d842 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -56,12 +56,12 @@ double fabs(double x); #include "memarea.h" #include "onion.h" #include "onion_tap.h" +#include "onion_ntor.h" #include "policies.h" #include "rephist.h" #include "routerparse.h" #ifdef CURVE25519_ENABLED #include "crypto_curve25519.h" -#include "onion_ntor.h" #endif #ifdef USE_DMALLOC From 24e0b1088acd94ceae3109107fa354b89309e2b7 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 27 Mar 2014 15:34:57 -0400 Subject: [PATCH 05/13] whitespace fix --- src/or/connection_edge.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 3a72110ea..895c0f7f0 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -2088,7 +2088,6 @@ connection_ap_handshake_socks_resolved_addr(entry_connection_t *conn, } } - /** Send an answer to an AP connection that has requested a DNS lookup via * SOCKS. The type should be one of RESOLVED_TYPE_(IPV4|IPV6|HOSTNAME) or -1 * for unreachable; the answer should be in the format specified in the socks From a68e6ea9c0288d82ea10076c551f48d63b3813fc Mon Sep 17 00:00:00 2001 
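Review bot: `#include "onion_ntor.h"` now sits outside the `#ifdef CURVE25519_ENABLED` block, so the header is compiled into every build; that is only correct if onion_ntor.h itself is safe to include without curve25519 support, which this hunk cannot show. A comment on the moved include, e.g. `/* Included unconditionally: the test code presumably references ntor declarations even when CURVE25519_ENABLED is off. */`, would record why it is no longer guarded. Separately, the changes entry in this commit spells the option `--disable-cuve25519`.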
From: Nick Mathewson Date: Thu, 27 Mar 2014 14:58:46 -0400 Subject: [PATCH 06/13] Fix documentation of torrc search order We are searching @CONFDIR@ before $HOME, but the documentation implied otherwise. I screwed this up in f5e86bcd6c06d43ff3af5acd8135bd8b577bc3, when I first documented the $HOME/.torrc possibility. Fix for bug 9213; bugfix on 0.2.3.18-rc. --- changes/bug9213_doc | 5 +++++ doc/tor.1.txt | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 changes/bug9213_doc diff --git a/changes/bug9213_doc b/changes/bug9213_doc new file mode 100644 index 000000000..2f959dd83 --- /dev/null +++ b/changes/bug9213_doc @@ -0,0 +1,5 @@ + o Documentation: + - Correctly document that we search for a system torrc file before + looking in ~/.torrc. Fixes documentation side of 9213; bugfix + on 0.2.3.18-rc. + diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 3f8f6da03..eb9ad6770 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -37,7 +37,7 @@ COMMAND-LINE OPTIONS [[opt-f]] **-f** __FILE__:: Specify a new configuration file to contain further Tor configuration - options. (Default: $HOME/.torrc, or @CONFDIR@/torrc if that file is not + options. (Default: @CONFDIR@/torrc, or $HOME/.torrc if that file is not found) [[opt-defaults-torrc]] **--defaults-torrc** __FILE__:: @@ -2103,6 +2103,9 @@ FILES **@CONFDIR@/torrc**:: The configuration file, which contains "option value" pairs. +**$HOME/.torrc**:: + Fallback location for torrc, if @CONFDIR@/torrc is not found. + **@LOCALSTATEDIR@/lib/tor/**:: The tor process stores keys and other data here. From ab1a679eef77520f072e9933ae125dfcf0c228cf Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 7 Apr 2014 23:29:47 -0400 Subject: [PATCH 07/13] Fix a small memory leak when resolving PTR addresses Fixes bug 11437; bugfix on 0.2.4.7-alpha. Found by coverity; this is CID 1198198. --- changes/bug11437 | 3 +++ src/or/dns.c | 1 + 2 files changed, 4 insertions(+) create mode 100644 changes/bug11437 
diff --git a/changes/bug11437 b/changes/bug11437 new file mode 100644 index 000000000..f5117cae9 --- /dev/null +++ b/changes/bug11437 @@ -0,0 +1,3 @@ + o Minor bugfixes: + - Stop leaking memory when we successfully resolve a PTR record. + Fixes bug 11437; bugfix on 0.2.4.7-alpha. diff --git a/src/or/dns.c b/src/or/dns.c index f2b7eecc3..fb1b10d82 100644 --- a/src/or/dns.c +++ b/src/or/dns.c @@ -1352,6 +1352,7 @@ inform_pending_connections(cached_resolve_t *resolve) } resolve->pending_connections = pend->next; tor_free(pend); + tor_free(hostname); } } From 50ad3939242885b1a1a11688abd0c9756631747f Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 11 Apr 2014 10:22:14 -0400 Subject: [PATCH 08/13] Code to blacklist authority signing keys (I need a list of actual signing keys to blacklist.) --- changes/bug11464_023 | 5 +++++ src/or/networkstatus.c | 11 +++++++++++ src/or/routerlist.c | 22 ++++++++++++++++++++++ src/or/routerlist.h | 1 + src/or/routerparse.c | 8 ++++++++ 5 files changed, 47 insertions(+) create mode 100644 changes/bug11464_023 diff --git a/changes/bug11464_023 b/changes/bug11464_023 new file mode 100644 index 000000000..a9cd658ab --- /dev/null +++ b/changes/bug11464_023 @@ -0,0 +1,5 @@ + o Major features (security): + - Block every authority signing key that was used on an authority + vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). + (We don't have any evidence that these keys _were_ compromised; + we're doing this to be prudent.) Resolves ticket 11464. diff --git a/src/or/networkstatus.c b/src/or/networkstatus.c index e780eadac..10cc56231 100644 --- a/src/or/networkstatus.c +++ b/src/or/networkstatus.c 
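Review bot: The added `tor_free(hostname);` appears to run once per loop iteration, immediately after `tor_free(pend)`, so it is only correct if `hostname` is freshly allocated for each pending connection; if it were set once before the loop, the second iteration would release an already-released pointer (tor_free NULLs its argument in this codebase as far as I recall, which would make later iterations see a NULL hostname rather than a double free — worth confirming either way). The assignment of `hostname` and the start of inform_pending_connections are outside the hunk. A comment at the free, e.g. `/* hostname is allocated per pending connection above; released here. */`, would pin the ownership down.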
@@ -453,6 +453,17 @@ networkstatus_check_document_signature(const networkstatus_t *consensus, DIGEST_LEN)) return -1; + if (authority_cert_is_blacklisted(cert)) { + /* We implement blacklisting for authority signing keys by treating + * all their signatures as always bad. That way we don't get into + * crazy loops of dropping and re-fetching signatures. */ + log_warn(LD_DIR, "Ignoring a consensus signature made with deprecated" + " signing key %s", + hex_str(cert->signing_key_digest, DIGEST_LEN)); + sig->bad_signature = 1; + return 0; + } + signed_digest_len = crypto_pk_keysize(cert->signing_key); signed_digest = tor_malloc(signed_digest_len); if (crypto_pk_public_checksig(cert->signing_key, diff --git a/src/or/routerlist.c b/src/or/routerlist.c index 3c39e362d..e993e138e 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -458,6 +458,28 @@ authority_cert_dl_failed(const char *id_digest, int status) download_status_failed(&cl->dl_status, status); } +static const char *BAD_SIGNING_KEYS[] = { + "----------------------------------------", + NULL, +}; + +/** DOCDOC */ +int +authority_cert_is_blacklisted(const authority_cert_t *cert) +{ + char hex_digest[HEX_DIGEST_LEN+1]; + int i; + base16_encode(hex_digest, sizeof(hex_digest), + cert->signing_key_digest, sizeof(cert->signing_key_digest)); + + for (i = 0; BAD_SIGNING_KEYS[i]; ++i) { + if (!strcasecmp(hex_digest, BAD_SIGNING_KEYS[i])) { + return 1; + } + } + return 0; +} + /** Return true iff when we've been getting enough failures when trying to * download the certificate with ID digest id_digest that we're willing * to start bugging the user about it. */ diff --git a/src/or/routerlist.h b/src/or/routerlist.h index 8dcc6eb02..bd55b7b20 100644 --- a/src/or/routerlist.h +++ b/src/or/routerlist.h 
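Review bot: The `log_warn` in the new blacklist branch fires on every signature check of every consensus carrying a blacklisted key, and because the signature is deliberately marked bad rather than dropped, the same document may be re-checked — expect a warn line per consensus fetch per blacklisted authority until that authority rotates. Consider `log_info` here, or a rate-limited log if this tree has one, and keep the warn for the one-shot vote-rejection path in routerparse.c. The message also says "deprecated signing key" while the mechanism is a blacklist; `"Ignoring a consensus signature made with blacklisted signing key %s"` would match the routerparse.c wording. networkstatus_check_document_signature continues outside the hunk.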
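Review bot: `authority_cert_is_blacklisted` ships with a `/** DOCDOC */` placeholder, and this is the function a future maintainer will read when deciding whether the table can be dropped, so it wants a real comment, e.g. `/** Return true iff the signing key of cert appears in BAD_SIGNING_KEYS, the hex digests of signing keys that were in use on an authority exposed to CVE-2014-0160 (ticket 11464). Matching is case-insensitive on the base16 form. */`. The table would be better declared `static const char *const BAD_SIGNING_KEYS[]` so neither the pointers nor the strings are writable, and the forty-dash placeholder entry deserves a note that it can never match a base16 digest. The base16 round-trip plus `strcasecmp` is acceptable for public digests, but decoding the constants once and comparing with `tor_memeq` would avoid the string handling altogether.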
@@ -25,6 +25,7 @@ void authority_cert_dl_failed(const char *id_digest, int status); void authority_certs_fetch_missing(networkstatus_t *status, time_t now); int router_reload_router_list(void); int authority_cert_dl_looks_uncertain(const char *id_digest); +int authority_cert_is_blacklisted(const authority_cert_t *cert); smartlist_t *router_get_trusted_dir_servers(void); const routerstatus_t *router_pick_directory_server(dirinfo_type_t type, diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 299d07d37..97e0bc8c8 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -3053,6 +3053,14 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out, log_warn(LD_DIR,"Mismatch between identities in certificate and vote"); goto err; } + if (ns->type != NS_TYPE_CONSENSUS) { + if (authority_cert_is_blacklisted(ns->cert)) { + log_warn(LD_DIR, "Rejecting vote signature made with blacklisted " + "signing key %s", + hex_str(ns->cert->signing_key_digest, DIGEST_LEN)); + goto err; + } + } voter->address = tor_strdup(tok->args[2]); if (!tor_inet_aton(tok->args[3], &in)) { log_warn(LD_DIR, "Error decoding IP address %s in network-status.", From 46cf63bb42f2818201bc0c39036f2c17e210fcdb Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 14 Apr 2014 16:03:53 -0400 Subject: [PATCH 09/13] Fill in the list of blacklisted signing keys. I used a list of certificate files from arma, and a little script, both at 11464. --- src/or/routerlist.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/or/routerlist.c b/src/or/routerlist.c index e993e138e..7cbf6eff1 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c 
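Review bot: Votes signed with a blacklisted key are rejected outright (`goto err`) while the networkstatus.c hunk of this same commit only marks consensus signatures bad; the asymmetry is intentional per the comment there, but nothing on this side says so. A comment above the new `if (ns->type != NS_TYPE_CONSENSUS)`, e.g. `/* Votes from a blacklisted key are dropped; consensus signatures are instead marked bad in networkstatus_check_document_signature() to avoid drop/re-fetch loops. */`, would keep the two paths from drifting apart. The two nested ifs could also be one condition, `if (ns->type != NS_TYPE_CONSENSUS && authority_cert_is_blacklisted(ns->cert)) {`. networkstatus_parse_vote_from_string continues outside the hunk.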
@@ -459,7 +459,18 @@ authority_cert_dl_failed(const char *id_digest, int status) } static const char *BAD_SIGNING_KEYS[] = { - "----------------------------------------", + "09CD84F751FD6E955E0F8ADB497D5401470D697E", // Expires 2015-01-11 16:26:31 +// dizum still needs to rotate as of 2014-04-04 +//"0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26 +// dannenberg still needs to rotate as of 2014-04-04 +//"57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09 + "87326329007AF781F587AF5B594E540B2B6C7630", // Expires 2014-07-17 11:10:09 + "98CC82342DE8D298CF99D3F1A396475901E0D38E", // Expires 2014-11-10 13:18:56 + "9904B52336713A5ADCB13E4FB14DC919E0D45571", // Expires 2014-04-20 20:01:01 + "9DCD8E3F1DD1597E2AD476BBA28A1A89F3095227", // Expires 2015-01-16 03:52:30 + "A61682F34B9BB9694AC98491FE1ABBFE61923941", // Expires 2014-06-11 09:25:09 + "B59F6E99C575113650C99F1C425BA7B20A8C071D", // Expires 2014-07-31 13:22:10 + "D27178388FA75B96D37FA36E0B015227DDDBDA51", // Expires 2014-08-04 04:01:57 NULL, }; From 09ed8a5dbb5216caae0055c1608abbc8c76412c9 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 14 Apr 2014 17:58:49 -0400 Subject: [PATCH 10/13] Tweak changes file and comment dates. --- changes/bug11464_023 | 2 +- src/or/routerlist.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/changes/bug11464_023 b/changes/bug11464_023 index a9cd658ab..80c04b21e 100644 --- a/changes/bug11464_023 +++ b/changes/bug11464_023 @@ -1,5 +1,5 @@ o Major features (security): - - Block every authority signing key that was used on an authority + - Block authority signing keys that were used on an authorities vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). (We don't have any evidence that these keys _were_ compromised; we're doing this to be prudent.) Resolves ticket 11464. diff --git a/src/or/routerlist.c b/src/or/routerlist.c index 7cbf6eff1..a7968beca 100644 --- a/src/or/routerlist.c 
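Review bot: Every entry carries an `// Expires` timestamp, but nothing in the code consults it, so the table will keep being compared long after the last listed certificate (2015-02-11) has expired; a header comment over the table, e.g. `/* Hex signing-key digests; the expiry comments are informational only. The whole table can be removed once every listed certificate has expired. */`, would spare a future reader the question. The disabled dizum and dannenberg entries are commented-out code carrying a status note, which belongs in the ticket rather than the source, and these lines use `//` where the other comments visible in this file use `/* */`.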
+++ b/src/or/routerlist.c @@ -460,9 +460,9 @@ authority_cert_dl_failed(const char *id_digest, int status) static const char *BAD_SIGNING_KEYS[] = { "09CD84F751FD6E955E0F8ADB497D5401470D697E", // Expires 2015-01-11 16:26:31 -// dizum still needs to rotate as of 2014-04-04 +// dizum still needs to rotate as of 2014-04-14 //"0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26 -// dannenberg still needs to rotate as of 2014-04-04 +// dannenberg still needs to rotate as of 2014-04-14 //"57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09 "87326329007AF781F587AF5B594E540B2B6C7630", // Expires 2014-07-17 11:10:09 "98CC82342DE8D298CF99D3F1A396475901E0D38E", // Expires 2014-11-10 13:18:56 From b2106956e0adc0382f033e1a6cd0896a24122d05 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 14 Apr 2014 21:51:30 -0400 Subject: [PATCH 11/13] Don't send uninitialized stack to the controller and say it's a date. Fixes bug 11519, apparently bugfix on 0.2.3.11-alpha. --- changes/bug11519 | 3 +++ src/or/circuituse.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 changes/bug11519 diff --git a/changes/bug11519 b/changes/bug11519 new file mode 100644 index 000000000..5c1e6af7e --- /dev/null +++ b/changes/bug11519 @@ -0,0 +1,3 @@ + o Minor bugfixes: + - Avoid sending an garbage value to the controller when a circuit is + cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha. diff --git a/src/or/circuituse.c b/src/or/circuituse.c index ade4224fe..7218ecc07 100644 --- a/src/or/circuituse.c +++ b/src/or/circuituse.c 
@@ -1310,7 +1310,7 @@ circuit_launch_by_extend_info(uint8_t purpose, circ = circuit_find_to_cannibalize(purpose, extend_info, flags); if (circ) { uint8_t old_purpose = circ->_base.purpose; - struct timeval old_timestamp_created; + struct timeval old_timestamp_created = circ->_base.timestamp_created; log_info(LD_CIRC,"Cannibalizing circ '%s' for purpose %d (%s)", build_state_get_exit_nickname(circ->build_state), purpose, From 2ce0750d21d04c39a5a948b3d96203d8f68ae7ad Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 16 Apr 2014 13:31:40 -0400 Subject: [PATCH 12/13] Update the authority signing key blacklist Now it only has dannenberg --- src/or/routerlist.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/src/or/routerlist.c b/src/or/routerlist.c index a7968beca..afa586134 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -460,10 +460,9 @@ authority_cert_dl_failed(const char *id_digest, int status) static const char *BAD_SIGNING_KEYS[] = { "09CD84F751FD6E955E0F8ADB497D5401470D697E", // Expires 2015-01-11 16:26:31 -// dizum still needs to rotate as of 2014-04-14 -//"0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26 -// dannenberg still needs to rotate as of 2014-04-14 -//"57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09 + "0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26 + "57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09 +// dannenberg still needs to rotate as of 2014-04-16 "87326329007AF781F587AF5B594E540B2B6C7630", // Expires 2014-07-17 11:10:09 "98CC82342DE8D298CF99D3F1A396475901E0D38E", // Expires 2014-11-10 13:18:56 "9904B52336713A5ADCB13E4FB14DC919E0D45571", // Expires 2014-04-20 20:01:01 From ef3d7f2f97caf961effd7935dd3231e6bba62ca5 Mon Sep 17 00:00:00 2001 
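Review bot: Initialising `old_timestamp_created` from `circ->_base.timestamp_created` fixes the uninitialised read, but the reason both `old_purpose` and the timestamp are snapshotted here — presumably they are reported to the controller after the circuit's purpose is changed further down, which the commit title describes — is not stated. A one-line comment above the two saves, e.g. `/* Save the pre-cannibalization purpose and creation time for the controller event emitted below. */`, would do. The rest of circuit_launch_by_extend_info is outside the hunk.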
From: Nick Mathewson
Date: Wed, 16 Apr 2014 14:56:49 -0400
Subject: [PATCH 13/13] remove note about dannenberg; it has upgraded.

---
 src/or/routerlist.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index afa586134..9e59c332a 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -462,7 +462,6 @@ static const char *BAD_SIGNING_KEYS[] = {
 "09CD84F751FD6E955E0F8ADB497D5401470D697E", // Expires 2015-01-11 16:26:31
 "0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26
 "57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09
-// dannenberg still needs to rotate as of 2014-04-16
 "87326329007AF781F587AF5B594E540B2B6C7630", // Expires 2014-07-17 11:10:09
 "98CC82342DE8D298CF99D3F1A396475901E0D38E", // Expires 2014-11-10 13:18:56
 "9904B52336713A5ADCB13E4FB14DC919E0D45571", // Expires 2014-04-20 20:01:01