Merge branch 'maint-0.2.2' into release-0.2.2

This commit is contained in:
Roger Dingledine 2011-02-12 05:01:56 -05:00
commit d009160c73
35 changed files with 3718 additions and 1879 deletions

6
changes/bug1074-part2 Normal file
View File

@ -0,0 +1,6 @@
o Major bugfixes:
- Stop sending a CLOCK_SKEW controller status event whenever
we fetch directory information from a relay that has a wrong clock.
Instead, only inform the controller when it's a trusted authority
that claims our clock is wrong. Bugfix on tor-0.1.2.6-alpha;
fixes the other half of bug 1074.

4
changes/bug2004 Normal file
View File

@ -0,0 +1,4 @@
o Minor features
- Log less aggressively about circuit timeout changes, and improve some
other circuit timeout messages. Resolves bug 2004.

4
changes/bug2181 Normal file
View File

@ -0,0 +1,4 @@
o Minor features
- Log a little more clearly about the times at which we're no longer
accepting new connections. Resolves bug 2181.

6
changes/bug2203 Normal file
View File

@ -0,0 +1,6 @@
o Minor bugfixes:
- Clients should not weight BadExit nodes as Exits in their node
selection. Similarly, directory authorities should not count
BadExit bandwidth as Exit bandwidth when computing bandwidth-weights.
Bugfix on 0.2.2.10-alpha; fixes bug 2203.

15
changes/bug2279 Normal file
View File

@ -0,0 +1,15 @@
o Minor bugfixes
- Avoid a double mark-for-free warning when failing to attach a
transparent proxy connection. Fixes bug 2279. Bugfix on
Tor 0.1.2.1 alpha.
o Minor features
- Detect attempts at the client side to open connections to private
IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with a randomly
chosen exit node. Attempts to do so are always ill-defined, generally
prevented by exit policies, and usually in error. This will also
help to detect loops in transparent proxy configurations. You can
disable this feature by setting "ClientRejectInternalAddresses 0"
in your torrc.

5
changes/bug2358 Normal file
View File

@ -0,0 +1,5 @@
o Minor features
- Enable Address Space Layout Randomization (ASLR) and Data Execution
Prevention (DEP) by default on Windows to make it harder for
attackers to exploit vulnerabilities. Patch from John Brooks.
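Review bot: the entry should say that the linker flags are applied only when configure finds the linker accepts them, and that DEP is additionally requested at runtime (the SetProcessDEPPolicy call in main.c), so an operator building with an older MinGW toolchain knows which of the two protections the resulting tor.exe actually has.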

8
changes/bug2378 Normal file
View File

@ -0,0 +1,8 @@
o Minor bugfixes
- Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378;
found by "cypherpunks". This bug was introduced before the
first Tor release, in svn commit r110.
o Minor code simplifications and refactorings
- Always treat failure to allocate an RSA key as an unrecoverable
allocation error.

6
changes/bug2408 Normal file
View File

@ -0,0 +1,6 @@
o Major bugfixes
- Ignore and warn about "PublishServerDescriptor hidserv" torrc
options. The 'hidserv' argument never controlled publication
of hidden service descriptors. Bugfix on 0.2.0.1-alpha.

4
changes/bug2409 Normal file
View File

@ -0,0 +1,4 @@
o Minor bugfixes
- Resolve a bug in verifying signatures of directory objects
with digests longer than SHA1. Bugfix on 0.2.2.20-alpha;
fixes bug 2409; found by "piebeer".

5
changes/bug2450 Normal file
View File

@ -0,0 +1,5 @@
o Minor bugfixes:
- Country codes aren't supported in EntryNodes until 0.2.3.x.
Don't mention them in the manpage. Fixes bug 2450, issue
spotted by keb and G-Lo.

5
changes/bug2470 Normal file
View File

@ -0,0 +1,5 @@
o Major bugfixes:
- If relays set RelayBandwidthBurst but not RelayBandwidthRate,
Tor would ignore their RelayBandwidthBurst setting,
potentially using more bandwidth than expected. Bugfix on
0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.

3
changes/geoip-feb2011 Normal file
View File

@ -0,0 +1,3 @@
o Minor features:
- Update to the February 1 2011 Maxmind GeoLite Country database.

View File

@ -848,6 +848,20 @@ AC_SUBST(BINDIR)
LOCALSTATEDIR=`eval echo $localstatedir`
AC_SUBST(LOCALSTATEDIR)
if test "$bwin32" = true; then
# Test if the linker supports the --nxcompat and --dynamicbase options
# for Windows
save_LDFLAGS="$LDFLAGS"
LDFLAGS="-Wl,--nxcompat -Wl,--dynamicbase"
AC_MSG_CHECKING([whether the linker supports DllCharacteristics])
AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
[AC_MSG_RESULT([yes])]
[save_LDFLAGS="$save_LDFLAGS $LDFLAGS"],
[AC_MSG_RESULT([no])]
)
LDFLAGS="$save_LDFLAGS"
fi
# Set CFLAGS _after_ all the above checks, since our warnings are stricter
# than autoconf's macros like.
if test "$GCC" = yes; then
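Review bot: `LDFLAGS="-Wl,--nxcompat -Wl,--dynamicbase"` replaces the caller's LDFLAGS for the probe link instead of extending them, so the test runs under different conditions (no user `-L` paths or other linker flags) than the real build; use `LDFLAGS="$save_LDFLAGS -Wl,--nxcompat -Wl,--dynamicbase"` for the probe. The message "whether the linker supports DllCharacteristics" also promises more than AC_LINK_IFELSE with an empty program establishes: it shows the linker accepts the options, not that the final image carries the NX_COMPAT and DYNAMIC_BASE bits, so the release process should inspect the built tor.exe's PE header rather than trust a "yes" here.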

View File

@ -32,7 +32,7 @@ Tor Exit Router</p>
Most likely you are accessing this website because you had some issue with
the traffic coming from this IP. This router is part of the <a
href="https://www.torproject.org/">Tor Anonymity Network</a>, which is
dedicated to <a href="https://www.torproject.org/overview.html">providing
dedicated to <a href="https://www.torproject.org/about/overview">providing
privacy</a> to people who need it most: average computer users. This
router IP should be generating no other traffic, unless it has been
compromised.</p>
@ -42,19 +42,19 @@ compromised.</p>
and serve it locally -->
<p style="text-align:center">
<a href="https://www.torproject.org/overview.html">
<a href="https://www.torproject.org/about/overview">
<img src="https://www.torproject.org/images/how_tor_works_thumb.png" alt="How Tor works" style="border-style:none"/>
</a></p>
<p>
Tor sees use by <a href="https://www.torproject.org/torusers.html">many
Tor sees use by <a href="https://www.torproject.org/about/torusers">many
important segments of the population</a>, including whistle blowers,
journalists, Chinese dissidents skirting the Great Firewall and oppressive
censorship, abuse victims, stalker targets, the US military, and law
enforcement, just to name a few. While Tor is not designed for malicious
computer users, it is true that they can use the network for malicious ends.
In reality however, the actual amount of <a
href="https://www.torproject.org/faq-abuse.html">abuse</a> is quite low. This
href="https://www.torproject.org/docs/faq-abuse">abuse</a> is quite low. This
is largely because criminals and hackers have significantly better access to
privacy and anonymity than do the regular users whom they prey upon. Criminals
can and do <a
@ -108,15 +108,15 @@ equipment, in accordance with <a
href="http://www4.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000512----000-.html">DMCA
"safe harbor" provisions</a>. In other words, you will have just as much luck
sending a takedown notice to the Internet backbone providers. Please consult
<a href="https://www.torproject.org/eff/tor-dmca-response.html">EFF's prepared
<a href="https://www.torproject.org/eff/tor-dmca-response">EFF's prepared
response</a> for more information on this matter.</p>
<p>For more information, please consult the following documentation:</p>
<ol>
<li><a href="https://www.torproject.org/overview.html">Tor Overview</a></li>
<li><a href="https://www.torproject.org/faq-abuse.html">Tor Abuse FAQ</a></li>
<li><a href="https://www.torproject.org/eff/tor-legal-faq.html">Tor Legal FAQ</a></li>
<li><a href="https://www.torproject.org/about/overview">Tor Overview</a></li>
<li><a href="https://www.torproject.org/docs/faq-abuse">Tor Abuse FAQ</a></li>
<li><a href="https://www.torproject.org/eff/tor-legal-faq">Tor Legal FAQ</a></li>
</ol>
<p>
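Review bot: the DMCA citation at `href="http://www4.law.cornell.edu/...` in this hunk's context is still plain http while every torproject.org link around it is being moved to https; if that host offers https, update it in the same pass so the exit notice does not mix secure and insecure references.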
@ -134,7 +134,7 @@ the Tor network if you so desire. The Tor project provides a <a
href="https://check.torproject.org/cgi-bin/TorBulkExitList.py">web service</a>
to fetch a list of all IP addresses of Tor exit nodes that allow exiting to a
specified IP:port combination, and an official <a
href="https://www.torproject.org/tordnsel/">DNSRBL</a> is also available to
href="https://www.torproject.org/tordnsel/dist/">DNSRBL</a> is also available to
determine if a given IP address is actually a Tor exit server. Please
be considerate
when using these options. It would be unfortunate to deny all Tor users access

View File

@ -1070,7 +1070,8 @@
Reason = "MISC" / "RESOLVEFAILED" / "CONNECTREFUSED" /
"EXITPOLICY" / "DESTROY" / "DONE" / "TIMEOUT" /
"NOROUTE" / "HIBERNATING" / "INTERNAL"/ "RESOURCELIMIT" /
"CONNRESET" / "TORPROTOCOL" / "NOTDIRECTORY" / "END"
"CONNRESET" / "TORPROTOCOL" / "NOTDIRECTORY" / "END" /
"PRIVATE_ADDR"
The "REASON" field is provided only for FAILED, CLOSED, and DETACHED
events, and only if extended events are enabled (see 3.19). Clients MUST
@ -1079,7 +1080,10 @@
END (We received a RELAY_END cell from the other side of this
stream.)
PRIVATE_ADDR (The client tried to connect to a private address like
127.0.0.1 or 10.0.0.1 over Tor.)
[XXXX document more. -NM]
The "REMOTE_REASON" field is provided only when we receive a RELAY_END
cell, and only if extended events are enabled. It contains the actual
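Review bot: the PRIVATE_ADDR description should state that this reason is produced only when ClientRejectInternalAddresses is enabled (the new default); otherwise a controller author cannot tell why the same request succeeds on one client and is rejected with PRIVATE_ADDR on another.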

View File

@ -1618,6 +1618,11 @@
* If consensus-method 7 or later is in use, the params line is
included in the output.
* If the consensus method is under 11, bad exits are considered as
possible exits when computing bandwidth weights. Otherwise, if
method 11 or later is in use, any router that is determined to get
the BadExit flag doesn't count when we're calculating weights.
The signatures at the end of a consensus document are sorted in
ascending order by identity digest.

View File

@ -471,7 +471,7 @@ The following options are useful only for clients (that is, if
list.
**EntryNodes** __node__,__node__,__...__::
A list of identity fingerprints, nicknames, country codes and address
A list of identity fingerprints, nicknames and address
patterns of nodes to use for the first hop in normal circuits. These are
treated only as preferences unless StrictNodes (see below) is also set.
@ -654,8 +654,9 @@ The following options are useful only for clients (that is, if
can leak your location to attackers. (Default: 1)
**VirtualAddrNetwork** __Address__/__bits__::
When a controller asks for a virtual (unused) address with the MAPADDRESS
command, Tor picks an unassigned address from this range. (Default:
When Tor needs to assign a virtual (unused) address because of a MAPADDRESS
command from the controller or the AutomapHostsOnResolve feature, Tor
picks an unassigned address from this range. (Default:
127.192.0.0/10) +
+
When providing proxy server service to a network of computers using a tool
@ -731,6 +732,12 @@ The following options are useful only for clients (that is, if
192.168.0.1). This option prevents certain browser-based attacks; don't
turn it off unless you know what you're doing. (Default: 1).
**ClientRejectInternalAddresses** **0**|**1**::
If true, Tor does not try to fulfill requests to connect to an internal
address (like 127.0.0.1 or 192.168.0.1) __unless a exit node is
specifically requested__ (for example, via a .exit hostname, or a
controller request). (Default: 1).
**DownloadExtraInfo** **0**|**1**::
If true, Tor downloads and caches "extra-info" documents. These documents
contain information about servers other than the information in their
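Review bot: `__unless a exit node is specifically requested__` should read `an exit node`. The text should also say what kind of request is meant, namely a literal IP address handed to a SOCKSPort, TransPort or NATDPort, so readers do not confuse this option with ClientDNSRejectInternalAddresses just above, which acts on resolved DNS answers rather than on the address the application asked for.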
@ -875,9 +882,9 @@ is non-zero):
specified in ORPort. (Default: 0.0.0.0) This directive can be specified
multiple times to bind to multiple addresses/ports.
**PublishServerDescriptor** **0**|**1**|**v1**|**v2**|**v3**|**bridge**|**hidserv**,**...**::
**PublishServerDescriptor** **0**|**1**|**v1**|**v2**|**v3**|**bridge**,**...**::
This option specifies which descriptors Tor will publish when acting as
a relay or hidden service. You can
a relay. You can
choose multiple arguments, separated by commas.
+
If this option is set to 0, Tor will not publish its
@ -885,7 +892,7 @@ is non-zero):
out your server, or if you're using a Tor controller that handles directory
publishing for you.) Otherwise, Tor will publish its descriptors of all
type(s) specified. The default is "1",
which means "if running as a server or a hidden service, publish the
which means "if running as a server, publish the
appropriate descriptors to the authorities".
**ShutdownWaitLength** __NUM__::
@ -900,7 +907,9 @@ is non-zero):
period, or receive more than that number in the period. For example, with
AccountingMax set to 1 GB, a server could send 900 MB and receive 800 MB
and continue running. It will only hibernate once one of the two reaches 1
GB. When the number of bytes is exhausted, Tor will hibernate until some
GB. When the number of bytes gets low, Tor will stop accepting new
connections and circuits. When the number of bytes
is exhausted, Tor will hibernate until some
time in the next accounting period. To prevent all servers from waking at
the same time, Tor will also wait until a random point in each period
before waking up. If you have bandwidth cost issues, enabling hibernation
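Review bot: "When the number of bytes gets low" gives the operator no threshold; say that this is the soft limit at which Tor stops accepting new connections and circuits while existing ones continue, and roughly how far before AccountingMax it triggers, or operators will report Tor refusing connections "before" the limit was reached.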
@ -1060,7 +1069,8 @@ if DirPort is non-zero):
**HSAuthoritativeDir** **0**|**1**::
When this option is set in addition to **AuthoritativeDirectory**, Tor also
accepts and serves hidden service descriptors. (Default: 0)
accepts and serves v0 hidden service descriptors,
which are produced and used by Tor 0.2.1.x and older. (Default: 0)
**HidServDirectoryV2** **0**|**1**::
When this option is set, Tor accepts and serves v2 hidden service
@ -1267,6 +1277,7 @@ The following options are used for running a testing Tor network.
AuthDirMaxServersPerAddr 0
AuthDirMaxServersPerAuthAddr 0
ClientDNSRejectInternalAddresses 0
ClientRejectInternalAddresses 0
ExitPolicyRejectPrivate 0
V3AuthVotingInterval 5 minutes
V3AuthVoteDelay 20 seconds

View File

@ -676,7 +676,10 @@ struct tor_lockfile_t {
*
* (Implementation note: because we need to fall back to fcntl on some
* platforms, these locks are per-process, not per-thread. If you want
* to do in-process locking, use tor_mutex_t like a normal person.)
* to do in-process locking, use tor_mutex_t like a normal person.
* On Windows, when <b>blocking</b> is true, the maximum time that
* is actually waited is 10 seconds, after which NULL is returned
* and <b>locked_out</b> is set to 1.)
*/
tor_lockfile_t *
tor_lockfile_lock(const char *filename, int blocking, int *locked_out)
@ -696,7 +699,7 @@ tor_lockfile_lock(const char *filename, int blocking, int *locked_out)
#ifdef WIN32
_lseek(fd, 0, SEEK_SET);
if (_locking(fd, blocking ? _LK_LOCK : _LK_NBLCK, 1) < 0) {
if (errno != EDEADLOCK)
if (errno != EACCESS && errno != EDEADLOCK)
log_warn(LD_FS,"Couldn't lock \"%s\": %s", filename, strerror(errno));
else
*locked_out = 1;
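Review bot: `errno != EACCESS` uses a spelling that is not a standard errno name; POSIX and the Microsoft C runtime both define `EACCES`, and _locking() reports a locking violation as EACCES and a blocking-mode timeout as EDEADLOCK. Unless a compat header defines EACCESS, this line will not compile on Windows, and if some header does define it, confirm it has the same value as EACCES, otherwise the lock-held case still logs a warning instead of setting *locked_out.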

View File

@ -326,17 +326,6 @@ _crypto_new_pk_env_rsa(RSA *rsa)
return env;
}
/** used by tortls.c: wrap the RSA from an evp_pkey in a crypto_pk_env_t.
* returns NULL if this isn't an RSA key. */
crypto_pk_env_t *
_crypto_new_pk_env_evp_pkey(EVP_PKEY *pkey)
{
RSA *rsa;
if (!(rsa = EVP_PKEY_get1_RSA(pkey)))
return NULL;
return _crypto_new_pk_env_rsa(rsa);
}
/** Helper, used by tor-checkkey.c and tor-gencert.c. Return the RSA from a
* crypto_pk_env_t. */
RSA *
@ -390,7 +379,7 @@ crypto_new_pk_env(void)
RSA *rsa;
rsa = RSA_new();
if (!rsa) return NULL;
tor_assert(rsa);
return _crypto_new_pk_env_rsa(rsa);
}
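Review bot: replacing `if (!rsa) return NULL;` with `tor_assert(rsa);` changes crypto_new_pk_env()'s contract from "may return NULL" to "aborts on allocation failure", as changes/bug2378 says; any caller that still tests the result for NULL is now dead code and should be cleaned up, and the function's doxygen comment should state the new contract so a NULL path is not reintroduced later.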
@ -535,6 +524,8 @@ crypto_pk_read_private_key_from_string(crypto_pk_env_t *env,
/* Create a read-only memory BIO, backed by the string 's' */
b = BIO_new_mem_buf((char*)s, (int)len);
if (!b)
return -1;
if (env->key)
RSA_free(env->key);
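Review bot: `if (!b) return -1;` is the right check, but the caller now gets the same -1 for "BIO allocation failed" and "key did not parse", and, unlike the RSA case two hunks up, allocation failure here is treated as recoverable; add a log_warn(LD_MEM, ...) before the return, or a comment explaining why a BIO_new failure is recoverable where RSA_new failure is fatal, so the inconsistency is visibly deliberate. The same applies to the two BIO_new(BIO_s_mem()) checks added below.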
@ -595,6 +586,8 @@ crypto_pk_write_key_to_string_impl(crypto_pk_env_t *env, char **dest,
tor_assert(dest);
b = BIO_new(BIO_s_mem()); /* Create a memory BIO */
if (!b)
return -1;
/* Now you can treat b as if it were a file. Just use the
* PEM_*_bio_* functions instead of the non-bio variants.
@ -662,6 +655,8 @@ crypto_pk_read_public_key_from_string(crypto_pk_env_t *env, const char *src,
tor_assert(len<INT_MAX);
b = BIO_new(BIO_s_mem()); /* Create a memory BIO */
if (!b)
return -1;
BIO_write(b, src, (int)len);

View File

@ -249,7 +249,6 @@ struct evp_pkey_st;
struct dh_st;
struct rsa_st *_crypto_pk_env_get_rsa(crypto_pk_env_t *env);
crypto_pk_env_t *_crypto_new_pk_env_rsa(struct rsa_st *rsa);
crypto_pk_env_t *_crypto_new_pk_env_evp_pkey(struct evp_pkey_st *pkey);
struct evp_pkey_st *_crypto_pk_env_get_evp_pkey(crypto_pk_env_t *env,
int private);
struct dh_st *_crypto_dh_env_get_dh(crypto_dh_env_t *dh);

View File

@ -808,6 +808,7 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
goto error;
{
crypto_dh_env_t *dh = crypto_dh_new(DH_TYPE_TLS);
tor_assert(dh);
SSL_CTX_set_tmp_dh(result->ctx, _crypto_dh_env_get_dh(dh));
crypto_dh_free(dh);
}

File diff suppressed because it is too large.

View File

@ -99,6 +99,15 @@ static int onion_append_hop(crypt_path_t **head_ptr, extend_info_t *choice);
static void entry_guards_changed(void);
/**
* This function decides if CBT learning should be disabled. It returns
* true if one or more of the following four conditions are met:
*
* 1. If the cbtdisabled consensus parameter is set.
* 2. If the torrc option LearnCircuitBuildTimeout is false.
* 3. If we are a directory authority
* 4. If we fail to write circuit build time history to our state file.
*/
static int
circuit_build_times_disabled(void)
{
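Review bot: the comment announces "four conditions", but item 3 is missing its trailing period and the items mix full sentences with fragments; more usefully, it does not say what happens when learning is disabled (which fixed timeout is used instead), which is the first thing a reader of circuit_build_times_disabled() needs to know.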
@ -125,6 +134,13 @@ circuit_build_times_disabled(void)
}
}
/**
* Retrieve and bounds-check the cbtmaxtimeouts consensus paramter.
*
* Effect: When this many timeouts happen in the last 'cbtrecentcount'
* circuit attempts, the client should discard all of its history and
* begin learning a fresh timeout value.
*/
static int32_t
circuit_build_times_max_timeouts(void)
{
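Review bot: "paramter" in `Retrieve and bounds-check the cbtmaxtimeouts consensus paramter` should be "parameter"; the same misspelling is copied into every "Retrieve and bounds-check" comment added below (cbtnummodes, cbtmincircs, cbtquantile, cbtclosequantile, cbttestfreq, cbtmintimeout, cbtinitialtimeout, cbtrecentcount). These are doxygen comments, so fix all of them in one pass.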
@ -134,6 +150,15 @@ circuit_build_times_max_timeouts(void)
CBT_MAX_MAX_RECENT_TIMEOUT_COUNT);
}
/**
* Retrieve and bounds-check the cbtnummodes consensus paramter.
*
* Effect: This value governs how many modes to use in the weighted
* average calculation of Pareto parameter Xm. A value of 3 introduces
* some bias (2-5% of CDF) under ideal conditions, but allows for better
* performance in the event that a client chooses guard nodes of radically
* different performance characteristics.
*/
static int32_t
circuit_build_times_default_num_xm_modes(void)
{
@ -144,6 +169,12 @@ circuit_build_times_default_num_xm_modes(void)
return num;
}
/**
* Retrieve and bounds-check the cbtmincircs consensus paramter.
*
* Effect: This is the minimum number of circuits to build before
* computing a timeout.
*/
static int32_t
circuit_build_times_min_circs_to_observe(void)
{
@ -162,6 +193,12 @@ circuit_build_times_enough_to_compute(circuit_build_times_t *cbt)
return cbt->total_build_times >= circuit_build_times_min_circs_to_observe();
}
/**
* Retrieve and bounds-check the cbtquantile consensus paramter.
*
* Effect: This is the position on the quantile curve to use to set the
* timeout value. It is a percent (10-99).
*/
double
circuit_build_times_quantile_cutoff(void)
{
@ -181,6 +218,13 @@ circuit_build_times_get_bw_scale(networkstatus_t *ns)
BW_MAX_WEIGHT_SCALE);
}
/**
* Retrieve and bounds-check the cbtclosequantile consensus paramter.
*
* Effect: This is the position on the quantile curve to use to set the
* timeout value to use to actually close circuits. It is a percent
* (0-99).
*/
static double
circuit_build_times_close_quantile(void)
{
@ -199,6 +243,13 @@ circuit_build_times_close_quantile(void)
return param / 100.0;
}
/**
* Retrieve and bounds-check the cbttestfreq consensus paramter.
*
* Effect: Describes how often in seconds to build a test circuit to
* gather timeout values. Only applies if less than 'cbtmincircs'
* have been recorded.
*/
static int32_t
circuit_build_times_test_frequency(void)
{
@ -209,6 +260,13 @@ circuit_build_times_test_frequency(void)
return num;
}
/**
* Retrieve and bounds-check the cbtmintimeout consensus paramter.
*
* Effect: This is the minimum allowed timeout value in milliseconds.
* The minimum is to prevent rounding to 0 (we only check once
* per second).
*/
static int32_t
circuit_build_times_min_timeout(void)
{
@ -219,6 +277,12 @@ circuit_build_times_min_timeout(void)
return num;
}
/**
* Retrieve and bounds-check the cbtinitialtimeout consensus paramter.
*
* Effect: This is the timeout value to use before computing a timeout,
* in milliseconds.
*/
int32_t
circuit_build_times_initial_timeout(void)
{
@ -235,6 +299,13 @@ circuit_build_times_initial_timeout(void)
return param;
}
/**
* Retrieve and bounds-check the cbtrecentcount consensus paramter.
*
* Effect: This is the number of circuit build times to keep track of
* for deciding if we hit cbtmaxtimeouts and need to reset our state
* and learn a new timeout.
*/
static int32_t
circuit_build_times_recent_circuit_count(networkstatus_t *ns)
{
@ -258,8 +329,9 @@ circuit_build_times_new_consensus_params(circuit_build_times_t *cbt,
if (num > 0 && num != cbt->liveness.num_recent_circs) {
int8_t *recent_circs;
log_notice(LD_CIRC, "Changing recent timeout size from %d to %d",
cbt->liveness.num_recent_circs, num);
log_notice(LD_CIRC, "The Tor Directory Consensus has changed how many "
"circuits we must track to detect network failures from %d "
"to %d.", cbt->liveness.num_recent_circs, num);
tor_assert(cbt->liveness.timeouts_after_firsthop);
@ -588,12 +660,14 @@ circuit_build_times_update_state(circuit_build_times_t *cbt,
static void
circuit_build_times_shuffle_and_store_array(circuit_build_times_t *cbt,
build_time_t *raw_times,
int num_times)
uint32_t num_times)
{
int n = num_times;
uint32_t n = num_times;
if (num_times > CBT_NCIRCUITS_TO_OBSERVE) {
log_notice(LD_CIRC, "Decreasing circuit_build_times size from %d to %d",
num_times, CBT_NCIRCUITS_TO_OBSERVE);
log_notice(LD_CIRC, "The number of circuit times that this Tor version "
"uses to calculate build times is less than the number stored "
"in your state file. Decreasing the circuit time history from "
"%d to %d.", num_times, CBT_NCIRCUITS_TO_OBSERVE);
}
/* This code can only be run on a compact array */
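Review bot: `num_times` (and `n`) become uint32_t in this hunk, but the log_notice still prints num_times with `%d`; use `%u` (and cast CBT_NCIRCUITS_TO_OBSERVE to match) so -Wformat stays clean and a value above INT_MAX, which the new type now admits, is not printed as a negative number.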
@ -1074,7 +1148,7 @@ circuit_build_times_network_close(circuit_build_times_t *cbt,
if (cbt->liveness.nonlive_timeouts == 1) {
log_notice(LD_CIRC,
"Tor has not observed any network activity for the past %d "
"seconds. Disabling circuit build timeout code.",
"seconds. Disabling circuit build timeout recording.",
(int)(now - cbt->liveness.network_last_live));
} else {
log_info(LD_CIRC,
@ -1158,7 +1232,7 @@ circuit_build_times_network_check_changed(circuit_build_times_t *cbt)
control_event_buildtimeout_set(cbt, BUILDTIMEOUT_SET_EVENT_RESET);
log_notice(LD_CIRC,
"Network connection speed appears to have changed. Resetting "
"Your network connection speed appears to have changed. Resetting "
"timeout to %lds after %d timeouts and %d buildtimes.",
tor_lround(cbt->timeout_ms/1000), timeout_count,
total_build_times);
@ -1296,7 +1370,7 @@ circuit_build_times_set_timeout_worker(circuit_build_times_t *cbt)
}
if (max_time < INT32_MAX/2 && cbt->close_ms > 2*max_time) {
log_notice(LD_CIRC,
log_info(LD_CIRC,
"Circuit build measurement period of %dms is more than twice "
"the maximum build time we have ever observed. Capping it to "
"%dms.", (int)cbt->close_ms, 2*max_time);

View File

@ -195,6 +195,7 @@ static config_var_t _option_vars[] = {
V(CircuitStreamTimeout, INTERVAL, "0"),
V(CircuitPriorityHalflife, DOUBLE, "-100.0"), /*negative:'Use default'*/
V(ClientDNSRejectInternalAddresses, BOOL,"1"),
V(ClientRejectInternalAddresses, BOOL, "1"),
V(ClientOnly, BOOL, "0"),
V(ConsensusParams, STRING, NULL),
V(ConnLimit, UINT, "1000"),
@ -405,6 +406,7 @@ static config_var_t testing_tor_network_defaults[] = {
V(AuthDirMaxServersPerAddr, UINT, "0"),
V(AuthDirMaxServersPerAuthAddr,UINT, "0"),
V(ClientDNSRejectInternalAddresses, BOOL,"0"),
V(ClientRejectInternalAddresses, BOOL, "0"),
V(ExitPolicyRejectPrivate, BOOL, "0"),
V(V3AuthVotingInterval, INTERVAL, "5 minutes"),
V(V3AuthVoteDelay, INTERVAL, "20 seconds"),
@ -2839,7 +2841,9 @@ compute_publishserverdescriptor(or_options_t *options)
else if (!strcasecmp(string, "bridge"))
*auth |= BRIDGE_AUTHORITY;
else if (!strcasecmp(string, "hidserv"))
*auth |= HIDSERV_AUTHORITY;
log_warn(LD_CONFIG,
"PublishServerDescriptor hidserv is invalid. See "
"PublishHidServDescriptors.");
else if (!strcasecmp(string, "") || !strcmp(string, "0"))
/* no authority */;
else
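Review bot: with `*auth |= HIDSERV_AUTHORITY;` gone, nothing in compute_publishserverdescriptor() sets HIDSERV_AUTHORITY any more; check whether that enum value and any code testing for it are now dead and remove them, otherwise the next reader will assume "hidserv" still does something. The warning also only logs; confirm what a torrc containing just `PublishServerDescriptor hidserv` now publishes and say so in the message, since the operator's expectation was clearly to publish something.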
@ -3343,6 +3347,11 @@ options_validate(or_options_t *old_options, or_options_t *options,
"PerConnBWBurst", msg) < 0)
return -1;
if (options->RelayBandwidthRate && !options->RelayBandwidthBurst)
options->RelayBandwidthBurst = options->RelayBandwidthRate;
if (options->RelayBandwidthBurst && !options->RelayBandwidthRate)
options->RelayBandwidthRate = options->RelayBandwidthBurst;
if (server_mode(options)) {
if (options->BandwidthRate < ROUTER_REQUIRED_MIN_BANDWIDTH) {
tor_asprintf(msg,
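Review bot: the new symmetric defaulting (Burst from Rate and Rate from Burst) is silent; because RelayBandwidthRate is a sustained limit, inferring it from a burst value the operator meant as a ceiling can throttle a relay unexpectedly, so emit a log_notice naming the value that was inferred. The block would also read better next to the `RelayBandwidthRate > RelayBandwidthBurst` REJECT it feeds (see the following hunk) rather than in the generic section above the server_mode() checks.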
@ -3371,9 +3380,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
}
}
if (options->RelayBandwidthRate && !options->RelayBandwidthBurst)
options->RelayBandwidthBurst = options->RelayBandwidthRate;
if (options->RelayBandwidthRate > options->RelayBandwidthBurst)
REJECT("RelayBandwidthBurst must be at least equal "
"to RelayBandwidthRate.");

View File

@ -1178,7 +1178,8 @@ connection_handle_listener_read(connection_t *conn, int new_type)
}
if (connection_init_accepted_conn(newconn, conn->type) < 0) {
connection_mark_for_close(newconn);
if (! conn->marked_for_close)
connection_mark_for_close(newconn);
return 0;
}
return 0;
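Review bot: the guard tests `conn->marked_for_close`, which is the listener, but then marks `newconn`; if the goal (changes/bug2279) is to avoid marking the accepted connection twice when connection_init_accepted_conn() already marked it, the condition has to be `!newconn->marked_for_close`. As written the listener is essentially never marked at this point, so the double-mark warning is still reachable.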
@ -1204,9 +1205,11 @@ connection_init_accepted_conn(connection_t *conn, uint8_t listener_type)
conn->state = AP_CONN_STATE_SOCKS_WAIT;
break;
case CONN_TYPE_AP_TRANS_LISTENER:
TO_EDGE_CONN(conn)->is_transparent_ap = 1;
conn->state = AP_CONN_STATE_CIRCUIT_WAIT;
return connection_ap_process_transparent(TO_EDGE_CONN(conn));
case CONN_TYPE_AP_NATD_LISTENER:
TO_EDGE_CONN(conn)->is_transparent_ap = 1;
conn->state = AP_CONN_STATE_NATD_WAIT;
break;
}

View File

@ -1659,6 +1659,28 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
return -1;
}
if (options->ClientRejectInternalAddresses &&
!conn->use_begindir && !conn->chosen_exit_name && !circ) {
tor_addr_t addr;
if (tor_addr_from_str(&addr, socks->address) >= 0 &&
tor_addr_is_internal(&addr, 0)) {
/* If this is an explicit private address with no chosen exit node,
* then we really don't want to try to connect to it. That's
* probably an error. */
if (conn->is_transparent_ap) {
log_warn(LD_NET,
"Rejecting request for anonymous connection to private "
"address %s on a TransPort or NATDPort. Possible loop "
"in your NAT rules?", safe_str_client(socks->address));
} else {
log_warn(LD_NET,
"Rejecting SOCKS request for anonymous connection to "
"private address %s", safe_str_client(socks->address));
}
connection_mark_unattached_ap(conn, END_STREAM_REASON_PRIVATE_ADDR);
return -1;
}
}
if (!conn->use_begindir && !conn->chosen_exit_name && !circ) {
/* see if we can find a suitable enclave exit */
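Review bot: this check only catches literal addresses, because tor_addr_from_str() parses numeric IPv4/IPv6 strings and returns -1 for hostnames; a request for `localhost`, or any name an exit would resolve to a private address, passes this block and is caught, if at all, only by ClientDNSRejectInternalAddresses when the answer comes back. Say so in the comment and in the manpage text for ClientRejectInternalAddresses so nobody reads this as a complete guard. Using safe_str_client() for the address in both warnings is the right call.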

View File

@ -1527,9 +1527,10 @@ connection_dir_client_reached_eof(dir_connection_t *conn)
delta>0 ? "ahead" : "behind", dbuf,
delta>0 ? "behind" : "ahead");
skewed = 1; /* don't check the recommended-versions line */
control_event_general_status(trusted ? LOG_WARN : LOG_NOTICE,
"CLOCK_SKEW SKEW=%ld SOURCE=DIRSERV:%s:%d",
delta, conn->_base.address, conn->_base.port);
if (trusted)
control_event_general_status(LOG_WARN,
"CLOCK_SKEW SKEW=%ld SOURCE=DIRSERV:%s:%d",
delta, conn->_base.address, conn->_base.port);
} else {
log_debug(LD_HTTP, "Time on received directory is within tolerance; "
"we are %ld seconds skewed. (That's okay.)", delta);
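Review bot: dropping the CLOCK_SKEW event for untrusted sources is the intent of changes/bug1074-part2, but the `if (trusted)` body spans three physical lines without braces; brace it, since a later edit that adds a second statement (for example a log line) would silently fall outside the conditional and fire for every relay with a wrong clock again.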

View File

@ -50,7 +50,7 @@ static int dirvote_publish_consensus(void);
static char *make_consensus_method_list(int low, int high, const char *sep);
/** The highest consensus method that we currently support. */
#define MAX_SUPPORTED_CONSENSUS_METHOD 10
#define MAX_SUPPORTED_CONSENSUS_METHOD 11
/** Lowest consensus method that contains a 'directory-footer' marker */
#define MIN_METHOD_FOR_FOOTER 9
@ -1693,7 +1693,7 @@ networkstatus_compute_consensus(smartlist_t *votes,
const char *chosen_name = NULL;
int exitsummary_disagreement = 0;
int is_named = 0, is_unnamed = 0, is_running = 0;
int is_guard = 0, is_exit = 0;
int is_guard = 0, is_exit = 0, is_bad_exit = 0;
int naming_conflict = 0;
int n_listing = 0;
int i;
@ -1819,6 +1819,8 @@ networkstatus_compute_consensus(smartlist_t *votes,
is_guard = 1;
else if (!strcmp(fl, "Running"))
is_running = 1;
else if (!strcmp(fl, "BadExit"))
is_bad_exit = 1;
}
}
});
@ -1845,6 +1847,11 @@ networkstatus_compute_consensus(smartlist_t *votes,
rs_out.bandwidth = median_uint32(bandwidths, num_bandwidths);
}
/* Fix bug 2203: Do not count BadExit nodes as Exits for bw weights */
if (consensus_method >= 11) {
is_exit = is_exit && !is_bad_exit;
}
if (consensus_method >= MIN_METHOD_FOR_BW_WEIGHTS) {
if (rs_out.has_bandwidth) {
T += rs_out.bandwidth;
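Review bot: `consensus_method >= 11` is a bare number where the surrounding code uses named thresholds (MIN_METHOD_FOR_FOOTER, MIN_METHOD_FOR_BW_WEIGHTS); define a constant for it (e.g. a hypothetical MIN_METHOD_TO_EXCLUDE_BADEXIT) next to those and use it here, so the bump of MAX_SUPPORTED_CONSENSUS_METHOD to 11 at the top of the file and this gate cannot drift apart.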

View File

@ -783,7 +783,8 @@ hibernate_begin(hibernate_state_t new_state, time_t now)
/* XXX upload rendezvous service descriptors with no intro points */
if (new_state == HIBERNATE_STATE_EXITING) {
log_notice(LD_GENERAL,"Interrupt: will shut down in %d seconds. Interrupt "
log_notice(LD_GENERAL,"Interrupt: we have stopped accepting new "
"connections, and will shut down in %d seconds. Interrupt "
"again to exit now.", options->ShutdownWaitLength);
shutdown_time = time(NULL) + options->ShutdownWaitLength;
} else { /* soft limit reached */
@ -940,7 +941,8 @@ consider_hibernation(time_t now)
if (hibernate_state == HIBERNATE_STATE_LIVE) {
if (hibernate_soft_limit_reached()) {
log_notice(LD_ACCT,
"Bandwidth soft limit reached; commencing hibernation.");
"Bandwidth soft limit reached; commencing hibernation. "
"No new conncetions will be accepted");
hibernate_begin(HIBERNATE_STATE_LOWBANDWIDTH, now);
} else if (accounting_enabled && now < interval_wakeup_time) {
format_local_iso_time(buf,interval_wakeup_time);
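Review bot: "No new conncetions will be accepted" misspells "connections" and lacks the terminating period; since this string is grepped for by operators and monitoring scripts, fix it before release.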

View File

@ -2194,6 +2194,19 @@ tor_main(int argc, char *argv[])
}
#endif
#ifdef MS_WINDOWS
/* Call SetProcessDEPPolicy to permanently enable DEP.
The function will not resolve on earlier versions of Windows,
and failure is not dangerous. */
HMODULE hMod = GetModuleHandleA("Kernel32.dll");
if (hMod) {
typedef BOOL (WINAPI *PSETDEP)(DWORD);
PSETDEP setdeppolicy = (PSETDEP)GetProcAddress(hMod,
"SetProcessDEPPolicy");
if (setdeppolicy) setdeppolicy(1); /* PROCESS_DEP_ENABLE */
}
#endif
update_approx_time(time(NULL));
tor_threads_init();
init_logging();
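Review bot: the result of `setdeppolicy(1)` is discarded, so an operator has no way to see whether DEP was actually enabled; SetProcessDEPPolicy can fail (for example in a 64-bit process, where DEP is already permanent, or when a system-wide DEP policy is fixed), so log the outcome with GetLastError() at info or debug level. Consider also passing PROCESS_DEP_ENABLE | PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION (3) rather than 1: Tor does not use ATL thunks, and the emulation only weakens DEP.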

View File

@ -259,6 +259,10 @@ onion_skin_server_handshake(const char *onion_skin, /*ONIONSKIN_CHALLENGE_LEN*/
}
dh = crypto_dh_new(DH_TYPE_CIRCUIT);
if (!dh) {
log_warn(LD_BUG, "Couldn't allocate DH key");
goto err;
}
if (crypto_dh_get_public(dh, handshake_reply_out, DH_KEY_LEN)) {
log_info(LD_GENERAL, "crypto_dh_get_public failed.");
goto err;
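Review bot: `if (!dh) { log_warn(LD_BUG, ...); goto err; }` treats DH allocation failure as a recoverable per-handshake error, while tortls.c and crypto.c in this same merge turn the equivalent failure into tor_assert(); pick one policy. If recoverable is intended, LD_BUG is the wrong domain (it flags programming errors); LD_MEM or LD_CRYPTO fits an allocation failure.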

View File

@ -583,6 +583,9 @@ typedef enum {
/** This is a connection on the NATD port, and the destination IP:Port was
* either ill-formed or out-of-range. */
#define END_STREAM_REASON_INVALID_NATD_DEST 261
/** The target address is in a private network (like 127.0.0.1 or 10.0.0.1);
* you don't want to do that over a randomly chosen exit */
#define END_STREAM_REASON_PRIVATE_ADDR 262
/** Bitwise-and this value with endreason to mask out all flags. */
#define END_STREAM_REASON_MASK 511
@ -1170,6 +1173,10 @@ typedef struct edge_connection_t {
* zero, abandon the associated mapaddress. */
unsigned int chosen_exit_retries:3;
/** True iff this is an AP connection that came from a transparent or
* NATd connection */
unsigned int is_transparent_ap:1;
/** If this is a DNSPort connection, this field holds the pending DNS
* request that we're going to try to answer. */
struct evdns_server_request *dns_server_request;
@ -2749,6 +2756,10 @@ typedef struct {
* Helps avoid some cross-site attacks. */
int ClientDNSRejectInternalAddresses;
/** If true, do not accept any requests to connect to internal addresses
* over randomly chosen exits. */
int ClientRejectInternalAddresses;
/** The length of time that we think a consensus should be fresh. */
int V3AuthVotingInterval;
/** The length of time we think it will take to distribute votes. */

View File

@ -40,6 +40,8 @@ stream_end_reason_to_control_string(int reason)
case END_STREAM_REASON_NET_UNREACHABLE: return "NET_UNREACHABLE";
case END_STREAM_REASON_SOCKSPROTOCOL: return "SOCKS_PROTOCOL";
case END_STREAM_REASON_PRIVATE_ADDR: return "PRIVATE_ADDR";
default: return NULL;
}
}
@ -125,6 +127,9 @@ stream_end_reason_to_socks5_response(int reason)
return SOCKS5_NET_UNREACHABLE;
case END_STREAM_REASON_SOCKSPROTOCOL:
return SOCKS5_GENERAL_ERROR;
case END_STREAM_REASON_PRIVATE_ADDR:
return SOCKS5_GENERAL_ERROR;
default:
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
"Reason for ending (%d) not recognized; "
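Review bot: mapping END_STREAM_REASON_PRIVATE_ADDR to SOCKS5_GENERAL_ERROR hides the cause from the application; SOCKS5 (RFC 1928) defines reply X'02' "connection not allowed by ruleset", which is exactly what a policy rejection is and would let a client distinguish "Tor refused this by rule" from a transient failure.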

View File

@ -1722,7 +1722,7 @@ smartlist_choose_by_bandwidth_weights(smartlist_t *sl,
double weight = 1;
if (statuses) {
routerstatus_t *status = smartlist_get(sl, i);
is_exit = status->is_exit;
is_exit = status->is_exit && !status->is_bad_exit;
is_guard = status->is_possible_guard;
is_dir = (status->dir_port != 0);
if (!status->has_bandwidth) {
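Review bot: this applies `!status->is_bad_exit` to client-side weighting unconditionally, whereas the authority side (dirvote.c, `if (consensus_method >= 11)`) only stops counting BadExit as Exit from method 11 on; while the network still produces consensuses with an older method, clients will classify nodes differently from how the bandwidth-weights in that consensus were computed. Either gate on the consensus method here too, or note in changes/bug2203 that the mismatch is accepted during the transition.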
@ -1742,7 +1742,7 @@ smartlist_choose_by_bandwidth_weights(smartlist_t *sl,
routerinfo_t *router = smartlist_get(sl, i);
rs = router_get_consensus_status_by_id(
router->cache_info.identity_digest);
is_exit = router->is_exit;
is_exit = router->is_exit && !router->is_bad_exit;
is_guard = router->is_possible_guard;
is_dir = (router->dir_port != 0);
if (rs && rs->has_bandwidth) {

View File

@ -1088,7 +1088,7 @@ check_signature_token(const char *digest,
signed_digest = tor_malloc(keysize);
if (crypto_pk_public_checksig(pkey, signed_digest, keysize,
tok->object_body, tok->object_size)
< DIGEST_LEN) {
< digest_len) {
log_warn(LD_DIR, "Error reading %s: invalid signature.", doctype);
tor_free(signed_digest);
return -1;
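Review bot: `< digest_len` fixes the SHA-1-only assumption, but the test still accepts a recovered length greater than digest_len; if the comparison that follows only looks at the first digest_len bytes, a signature over a longer blob whose prefix matches would be accepted, so `!= digest_len` is the tighter check.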