Merge branch 'maint-0.2.4' into release-0.2.4
This commit is contained in:
commit
8fd9644f17
|
@ -0,0 +1,5 @@
|
||||||
|
o Normal bugfixes:
|
||||||
|
- Always call circuit_n_chan_done(chan, 0) from channel_closed(), so we
|
||||||
|
can't leak pending circuits in some cases where
|
||||||
|
run_connection_housekeeping() calls connection_or_close_normally().
|
||||||
|
Fixes bug #9776; bugfix on 0.2.4.17.
|
|
@ -0,0 +1,3 @@
|
||||||
|
o Minor features:
|
||||||
|
- Update to the September 4 2013 Maxmind GeoLite Country database.
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
o Minor features (security, timestamp avoidance, proposal 222):
|
||||||
|
- Clients no longer send timestamps in their NETINFO cells. These were
|
||||||
|
not used for anything, and they provided one small way for clients
|
||||||
|
to be distinguished from each other as they moved from network to
|
||||||
|
network or behind NAT. Implements part of proposal 222.
|
||||||
|
- Clients now round timestamps in INTRODUCE cells down to the nearest
|
||||||
|
10 minutes. If a new Support022HiddenServices option is set to 0,
|
||||||
|
or if it's set to "auto" and the feature is disabled in the consensus,
|
||||||
|
the timestamp is sent as 0 instead. Implements part of proposal 222.
|
||||||
|
- Stop sending timestamps in AUTHENTICATE cells. This is not such
|
||||||
|
a big deal from a security point of view, but it achieves no actual
|
||||||
|
good purpose, and isn't needed. Implements part of proposal 222.
|
||||||
|
- Reduce down accuracy of timestamps in hidden service descriptors.
|
||||||
|
Implements part of proposal 222.
|
|
@ -358,7 +358,8 @@ GENERAL OPTIONS
|
||||||
|
|
||||||
**DisableDebuggerAttachment** **0**|**1**::
|
**DisableDebuggerAttachment** **0**|**1**::
|
||||||
If set to 1, Tor will attempt to prevent basic debugging attachment attempts
|
If set to 1, Tor will attempt to prevent basic debugging attachment attempts
|
||||||
by other processes. It has no impact for users who wish to attach if they
|
by other processes. This may also keep Tor from generating core files if
|
||||||
|
it crashes. It has no impact for users who wish to attach if they
|
||||||
have CAP_SYS_PTRACE or if they are root. We believe that this feature
|
have CAP_SYS_PTRACE or if they are root. We believe that this feature
|
||||||
works on modern Gnu/Linux distributions, and that it may also work on *BSD
|
works on modern Gnu/Linux distributions, and that it may also work on *BSD
|
||||||
systems (untested). Some modern Gnu/Linux systems such as Ubuntu have the
|
systems (untested). Some modern Gnu/Linux systems such as Ubuntu have the
|
||||||
|
@ -1337,6 +1338,15 @@ The following options are useful only for clients (that is, if
|
||||||
Tor will use a default value chosen by the directory
|
Tor will use a default value chosen by the directory
|
||||||
authorities. (Default: -1.)
|
authorities. (Default: -1.)
|
||||||
|
|
||||||
|
**Support022HiddenServices** **0**|**1**|**auto**::
|
||||||
|
Tor hidden services running versions before 0.2.3.x required clients to
|
||||||
|
send timestamps, which can potentially be used to distinguish clients
|
||||||
|
whose view of the current time is skewed. If this option is set to 0, we
|
||||||
|
do not send this timestamp, and hidden services on obsolete Tor versions
|
||||||
|
will not work. If this option is set to 1, we send the timestamp. If
|
||||||
|
this optoin is "auto", we take a recommendation from the latest consensus
|
||||||
|
document. (Default: auto)
|
||||||
|
|
||||||
|
|
||||||
SERVER OPTIONS
|
SERVER OPTIONS
|
||||||
--------------
|
--------------
|
||||||
|
|
12806
src/config/geoip
12806
src/config/geoip
File diff suppressed because it is too large
Load Diff
|
@ -1292,11 +1292,10 @@ channel_closed(channel_t *chan)
|
||||||
if (chan->state == CHANNEL_STATE_CLOSED ||
|
if (chan->state == CHANNEL_STATE_CLOSED ||
|
||||||
chan->state == CHANNEL_STATE_ERROR) return;
|
chan->state == CHANNEL_STATE_ERROR) return;
|
||||||
|
|
||||||
if (chan->reason_for_closing == CHANNEL_CLOSE_FOR_ERROR) {
|
/* Inform any pending (not attached) circs that they should
|
||||||
/* Inform any pending (not attached) circs that they should
|
* give up. */
|
||||||
* give up. */
|
circuit_n_chan_done(chan, 0);
|
||||||
circuit_n_chan_done(chan, 0);
|
|
||||||
}
|
|
||||||
/* Now close all the attached circuits on it. */
|
/* Now close all the attached circuits on it. */
|
||||||
circuit_unlink_all_from_channel(chan, END_CIRC_REASON_CHANNEL_CLOSED);
|
circuit_unlink_all_from_channel(chan, END_CIRC_REASON_CHANNEL_CLOSED);
|
||||||
|
|
||||||
|
|
|
@ -388,6 +388,7 @@ static config_var_t option_vars_[] = {
|
||||||
V(SSLKeyLifetime, INTERVAL, "0"),
|
V(SSLKeyLifetime, INTERVAL, "0"),
|
||||||
OBSOLETE("StatusFetchPeriod"),
|
OBSOLETE("StatusFetchPeriod"),
|
||||||
V(StrictNodes, BOOL, "0"),
|
V(StrictNodes, BOOL, "0"),
|
||||||
|
V(Support022HiddenServices, AUTOBOOL, "auto"),
|
||||||
OBSOLETE("SysLog"),
|
OBSOLETE("SysLog"),
|
||||||
V(TestSocks, BOOL, "0"),
|
V(TestSocks, BOOL, "0"),
|
||||||
OBSOLETE("TestVia"),
|
OBSOLETE("TestVia"),
|
||||||
|
|
|
@ -1160,6 +1160,16 @@ connection_or_connect(const tor_addr_t *_addr, uint16_t port,
|
||||||
|
|
||||||
/** Mark orconn for close and transition the associated channel, if any, to
|
/** Mark orconn for close and transition the associated channel, if any, to
|
||||||
* the closing state.
|
* the closing state.
|
||||||
|
*
|
||||||
|
* It's safe to call this and connection_or_close_for_error() any time, and
|
||||||
|
* channel layer will treat it as a connection closing for reasons outside
|
||||||
|
* its control, like the remote end closing it. It can also be a local
|
||||||
|
* reason that's specific to connection_t/or_connection_t rather than
|
||||||
|
* the channel mechanism, such as expiration of old connections in
|
||||||
|
* run_connection_housekeeping(). If you want to close a channel_t
|
||||||
|
* from somewhere that logically works in terms of generic channels
|
||||||
|
* rather than connections, use channel_mark_for_close(); see also
|
||||||
|
* the comment on that function in channel.c.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
void
|
void
|
||||||
|
@ -2051,8 +2061,9 @@ connection_or_send_netinfo(or_connection_t *conn)
|
||||||
memset(&cell, 0, sizeof(cell_t));
|
memset(&cell, 0, sizeof(cell_t));
|
||||||
cell.command = CELL_NETINFO;
|
cell.command = CELL_NETINFO;
|
||||||
|
|
||||||
/* Timestamp. */
|
/* Timestamp, if we're a relay. */
|
||||||
set_uint32(cell.payload, htonl((uint32_t)now));
|
if (public_server_mode(get_options()) || ! conn->is_outgoing)
|
||||||
|
set_uint32(cell.payload, htonl((uint32_t)now));
|
||||||
|
|
||||||
/* Their address. */
|
/* Their address. */
|
||||||
out = cell.payload + 4;
|
out = cell.payload + 4;
|
||||||
|
@ -2286,19 +2297,11 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn,
|
||||||
if (server)
|
if (server)
|
||||||
return V3_AUTH_FIXED_PART_LEN; // ptr-out
|
return V3_AUTH_FIXED_PART_LEN; // ptr-out
|
||||||
|
|
||||||
/* Time: 8 octets. */
|
/* 8 octets were reserved for the current time, but we're trying to get out
|
||||||
{
|
* of the habit of sending time around willynilly. Fortunately, nothing
|
||||||
uint64_t now = time(NULL);
|
* checks it. That's followed by 16 bytes of nonce. */
|
||||||
if ((time_t)now < 0)
|
crypto_rand((char*)ptr, 24);
|
||||||
return -1;
|
ptr += 24;
|
||||||
set_uint32(ptr, htonl((uint32_t)(now>>32)));
|
|
||||||
set_uint32(ptr+4, htonl((uint32_t)now));
|
|
||||||
ptr += 8;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Nonce: 16 octets. */
|
|
||||||
crypto_rand((char*)ptr, 16);
|
|
||||||
ptr += 16;
|
|
||||||
|
|
||||||
tor_assert(ptr - out == V3_AUTH_BODY_LEN);
|
tor_assert(ptr - out == V3_AUTH_BODY_LEN);
|
||||||
|
|
||||||
|
|
|
@ -4099,6 +4099,9 @@ typedef struct {
|
||||||
|
|
||||||
/** How long (seconds) do we keep a guard before picking a new one? */
|
/** How long (seconds) do we keep a guard before picking a new one? */
|
||||||
int GuardLifetime;
|
int GuardLifetime;
|
||||||
|
|
||||||
|
/** Should we send the timestamps that pre-023 hidden services want? */
|
||||||
|
int Support022HiddenServices;
|
||||||
} or_options_t;
|
} or_options_t;
|
||||||
|
|
||||||
/** Persistent state for an onion router, as saved to disk. */
|
/** Persistent state for an onion router, as saved to disk. */
|
||||||
|
|
|
@ -16,6 +16,7 @@
|
||||||
#include "connection_edge.h"
|
#include "connection_edge.h"
|
||||||
#include "directory.h"
|
#include "directory.h"
|
||||||
#include "main.h"
|
#include "main.h"
|
||||||
|
#include "networkstatus.h"
|
||||||
#include "nodelist.h"
|
#include "nodelist.h"
|
||||||
#include "relay.h"
|
#include "relay.h"
|
||||||
#include "rendclient.h"
|
#include "rendclient.h"
|
||||||
|
@ -127,6 +128,16 @@ rend_client_reextend_intro_circuit(origin_circuit_t *circ)
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Return true iff we should send timestamps in our INTRODUCE1 cells */
|
||||||
|
static int
|
||||||
|
rend_client_should_send_timestamp(void)
|
||||||
|
{
|
||||||
|
if (get_options()->Support022HiddenServices >= 0)
|
||||||
|
return get_options()->Support022HiddenServices;
|
||||||
|
|
||||||
|
return networkstatus_get_param(NULL, "Support022HiddenServices", 1, 0, 1);
|
||||||
|
}
|
||||||
|
|
||||||
/** Called when we're trying to connect an ap conn; sends an INTRODUCE1 cell
|
/** Called when we're trying to connect an ap conn; sends an INTRODUCE1 cell
|
||||||
* down introcirc if possible.
|
* down introcirc if possible.
|
||||||
*/
|
*/
|
||||||
|
@ -238,7 +249,14 @@ rend_client_send_introduction(origin_circuit_t *introcirc,
|
||||||
REND_DESC_COOKIE_LEN);
|
REND_DESC_COOKIE_LEN);
|
||||||
v3_shift += 2+REND_DESC_COOKIE_LEN;
|
v3_shift += 2+REND_DESC_COOKIE_LEN;
|
||||||
}
|
}
|
||||||
set_uint32(tmp+v3_shift+1, htonl((uint32_t)time(NULL)));
|
if (rend_client_should_send_timestamp()) {
|
||||||
|
uint32_t now = (uint32_t)time(NULL);
|
||||||
|
now += 300;
|
||||||
|
now -= now % 600;
|
||||||
|
set_uint32(tmp+v3_shift+1, htonl(now));
|
||||||
|
} else {
|
||||||
|
set_uint32(tmp+v3_shift+1, 0);
|
||||||
|
}
|
||||||
v3_shift += 4;
|
v3_shift += 4;
|
||||||
} /* if version 2 only write version number */
|
} /* if version 2 only write version number */
|
||||||
else if (entry->parsed->protocols & (1<<2)) {
|
else if (entry->parsed->protocols & (1<<2)) {
|
||||||
|
|
|
@ -593,6 +593,7 @@ rend_service_update_descriptor(rend_service_t *service)
|
||||||
d = service->desc = tor_malloc_zero(sizeof(rend_service_descriptor_t));
|
d = service->desc = tor_malloc_zero(sizeof(rend_service_descriptor_t));
|
||||||
d->pk = crypto_pk_dup_key(service->private_key);
|
d->pk = crypto_pk_dup_key(service->private_key);
|
||||||
d->timestamp = time(NULL);
|
d->timestamp = time(NULL);
|
||||||
|
d->timestamp -= d->timestamp % 3600; /* Round down to nearest hour */
|
||||||
d->intro_nodes = smartlist_new();
|
d->intro_nodes = smartlist_new();
|
||||||
/* Support intro protocols 2 and 3. */
|
/* Support intro protocols 2 and 3. */
|
||||||
d->protocols = (1 << 2) + (1 << 3);
|
d->protocols = (1 << 2) + (1 << 3);
|
||||||
|
|
Loading…
Reference in New Issue