Merge branch 'maint-0.2.2' into release-0.2.2

changes/bug5283

@@ -0,0 +1,6 @@
+  o Major bugfixes:
+    - Fix an edge case where if we fetch or publish a hidden service
+      descriptor, we might build a 4-hop circuit and then use that circuit
+      for exiting afterwards -- even if the new last hop doesn't obey our
+      ExitNodes config option. Fixes bug 5283; bugfix on 0.2.0.10-alpha.
+

changes/bug5969_022

@@ -0,0 +1,7 @@
+  o Minor bugfixes
+    - Fix a build warning with Clang 3.1 related to our use of vasprint.
+      Fix for bug 5969. Bugfix on 0.2.2.11-alpha.
+
+  o Compilation improvements:
+    - Tell GCC and Clang to check for any errors in format strings passed
+      to the tor_v*(print|scan)f functions.

changes/bug6007

@@ -0,0 +1,5 @@
+  o Major bugfixes (security):
+    - When waiting for a client to renegotiate, don't allow it to add
+      any bytes to the input buffer. This fixes a DoS issue. Fix for
+      bugs 6007 and 5934; bugfix on 0.2.0.20-rc.
+

changes/bug6033

@@ -0,0 +1,6 @@
+  o Major bugfixes:
+    - Work around a bug in OpenSSL that broke renegotiation with
+      TLS 1.1 and TLS 1.2.  Without this workaround, all attempts
+      to speak the v2 Tor network protocol when both sides were
+      using OpenSSL 1.0.1 would fail.  Fix for bug 6033, which is
+      not a bug in Tor.

src/common/compat.h

@@ -261,11 +261,12 @@ void tor_munmap_file(tor_mmap_t *handle) ATTR_NONNULL((1));
 int tor_snprintf(char *str, size_t size, const char *format, ...)
   CHECK_PRINTF(3,4) ATTR_NONNULL((1,3));
 int tor_vsnprintf(char *str, size_t size, const char *format, va_list args)
-  ATTR_NONNULL((1,3));
+  CHECK_PRINTF(3,0) ATTR_NONNULL((1,3));
 
 int tor_asprintf(char **strp, const char *fmt, ...)
   CHECK_PRINTF(2,3);
-int tor_vasprintf(char **strp, const char *fmt, va_list args);
+int tor_vasprintf(char **strp, const char *fmt, va_list args)
+  CHECK_PRINTF(2,0);
 
 const void *tor_memmem(const void *haystack, size_t hlen, const void *needle,
                        size_t nlen)  ATTR_PURE ATTR_NONNULL((1,3));

src/common/log.c

@@ -137,6 +137,13 @@ static void close_log(logfile_t *victim);
 
 static char *domain_to_string(log_domain_mask_t domain,
                              char *buf, size_t buflen);
+static INLINE char *format_msg(char *buf, size_t buf_len,
+           log_domain_mask_t domain, int severity, const char *funcname,
+           const char *format, va_list ap, size_t *msg_len_out)
+  CHECK_PRINTF(6,0);
+static void logv(int severity, log_domain_mask_t domain, const char *funcname,
+                 const char *format, va_list ap)
+  CHECK_PRINTF(4,0);
 
 /** Name of the application: used to generate the message we write at the
  * start of each new log. */

src/common/tortls.c

@@ -790,6 +790,21 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime,
     goto error;
   SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2);
 
+  /* Disable TLS1.1 and TLS1.2 if they exist.  We need to do this to
+   * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1
+   * June 2012), wherein renegotiating while using one of these TLS
+   * protocols will cause the client to send a TLS 1.0 ServerHello
+   * rather than a ServerHello written with the appropriate protocol
+   * version.  Once some version of OpenSSL does TLS1.1 and TLS1.2
+   * renegotiation properly, we can turn them back on when built with
+   * that version. */
+#ifdef SSL_OP_NO_TLSv1_2
+  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_2);
+#endif
+#ifdef SSL_OP_NO_TLSv1_1
+  SSL_CTX_set_options(result->ctx, SSL_OP_NO_TLSv1_1);
+#endif
+
   if (
 #ifdef DISABLE_SSL3_HANDSHAKE
       1 ||

src/common/util.h

@@ -211,7 +211,11 @@ const char *escaped(const char *string);
 struct smartlist_t;
 void wrap_string(struct smartlist_t *out, const char *string, size_t width,
                  const char *prefix0, const char *prefixRest);
-int tor_vsscanf(const char *buf, const char *pattern, va_list ap);
+int tor_vsscanf(const char *buf, const char *pattern, va_list ap)
+#ifdef __GNUC__
+  __attribute__((format(scanf, 2, 0)))
+#endif
+  ;
 int tor_sscanf(const char *buf, const char *pattern, ...)
 #ifdef __GNUC__
   __attribute__((format(scanf, 2, 3)))

src/or/circuituse.c

@@ -1229,7 +1229,13 @@ circuit_get_open_circ_or_launch(edge_connection_t *conn,
   need_uptime = !conn->want_onehop && !conn->use_begindir &&
                 smartlist_string_num_isin(options->LongLivedPorts,
                                           conn->socks_request->port);
-  need_internal = desired_circuit_purpose != CIRCUIT_PURPOSE_C_GENERAL;
+
+  if (desired_circuit_purpose != CIRCUIT_PURPOSE_C_GENERAL)
+    need_internal = 1;
+  else if (conn->use_begindir || conn->want_onehop)
+    need_internal = 1;
+  else
+    need_internal = 0;
 
   circ = circuit_get_best(conn, 1, desired_circuit_purpose,
                           need_uptime, need_internal);

src/or/connection_or.c

@@ -209,7 +209,12 @@ connection_or_reached_eof(or_connection_t *conn)
 int
 connection_or_process_inbuf(or_connection_t *conn)
 {
-  int ret;
+  /** Don't let the inbuf of a nonopen OR connection grow beyond this many
+   * bytes: it's either a broken client, a non-Tor client, or a DOS
+   * attempt. */
+#define MAX_OR_INBUF_WHEN_NONOPEN 0
+
+  int ret = 0;
   tor_assert(conn);
 
   switch (conn->_base.state) {
@@ -231,8 +236,21 @@ connection_or_process_inbuf(or_connection_t *conn)
     case OR_CONN_STATE_OR_HANDSHAKING:
       return connection_or_process_cells_from_inbuf(conn);
     default:
-      return 0; /* don't do anything */
+      break; /* don't do anything */
   }
+
+  if (buf_datalen(conn->_base.inbuf) > MAX_OR_INBUF_WHEN_NONOPEN) {
+    log_fn(LOG_PROTOCOL_WARN, LD_NET, "Accumulated too much data (%d bytes) "
+	   "on nonopen OR connection %s %s:%u in state %s; closing.",
+	   (int)buf_datalen(conn->_base.inbuf),
+	   connection_or_nonopen_was_started_here(conn) ? "to" : "from",
+	   conn->_base.address, conn->_base.port,
+	   conn_state_to_string(conn->_base.type, conn->_base.state));
+    connection_mark_for_close(TO_CONN(conn));
+    ret = -1;
+  }
+
+  return ret;
 }
 
 /** When adding cells to an OR connection's outbuf, keep adding until the

src/or/control.c

@@ -126,6 +126,13 @@ typedef int event_format_t;
 static void connection_printf_to_buf(control_connection_t *conn,
                                      const char *format, ...)
   CHECK_PRINTF(2,3);
+static void send_control_event_impl(uint16_t event, event_format_t which,
+                                    const char *format, va_list ap)
+  CHECK_PRINTF(3,0);
+static int control_event_status(int type, int severity, const char *format,
+                                va_list args)
+  CHECK_PRINTF(3,0);
+
 static void send_control_done(control_connection_t *conn);
 static void send_control_event(uint16_t event, event_format_t which,
                                const char *format, ...)
@@ -3918,6 +3925,7 @@ control_event_my_descriptor_changed(void)
 static int
 control_event_status(int type, int severity, const char *format, va_list args)
 {
+  char *user_buf = NULL;
   char format_buf[160];
   const char *status, *sev;
 
@@ -3949,13 +3957,15 @@ control_event_status(int type, int severity, const char *format, va_list args)
       log_warn(LD_BUG, "Unrecognized status severity %d", severity);
       return -1;
   }
-  if (tor_snprintf(format_buf, sizeof(format_buf), "650 %s %s %s\r\n",
-                   status, sev, format)<0) {
+  if (tor_snprintf(format_buf, sizeof(format_buf), "650 %s %s\r\n",
+                   status, sev)<0) {
     log_warn(LD_BUG, "Format string too long.");
     return -1;
   }
+  tor_vasprintf(&user_buf, format, args);
 
-  send_control_event_impl(type, ALL_FORMATS, format_buf, args);
+  send_control_event(type, ALL_FORMATS, "%s %s", format_buf, user_buf);
+  tor_free(user_buf);
   return 0;
 }