January 2013 - tor-commits - lists.torproject.org

[translation/orbot] Update translations for orbot
by translation＠torproject.org 04 Jan '13

04 Jan '13

commit 87835aaf436300a3f1b955dd8748fb4772bee8eb Author: Translation commit bot <translation(a)torproject.org> Date: Fri Jan 4 05:15:09 2013 +0000 Update translations for orbot --- values-es/strings.xml | 16 ++++++++-------- 1 files changed, 8 insertions(+), 8 deletions(-) diff --git a/values-es/strings.xml b/values-es/strings.xml index e0e7ad7..68aba76 100644 --- a/values-es/strings.xml +++ b/values-es/strings.xml @@ -151,12 +151,12 @@ <string name="couldn_t_start_tor_process_">No se pudo iniciar el proceso de Tor: </string> <string name="privoxy_is_running_on_port_">Privoxy (proxy web de filtrado) se está ejecutando en el puerto: </string> <string name="setting_up_port_based_transparent_proxying_">Estableciendo proxyficación transparente por puertos... </string> - <string name="bridge_error">Error del bridge (acceso a la red Tor de publicitación restringida)</string> - <string name="bridge_requires_ip">Para utilizar la funcion bridge (repetidor puente, acceso a Tor de publicitación restringida), debe introducir al menos una dirección IP de bridge.</string> - <string name="send_email_for_bridges">Envie un correo a bridges(a)torproject.org incluyendo una línea con \"get bridges\" por si sólo en el cuerpo del mensaje, desde una cuenta con dominio gmail.com, yahoo.com o yahoo.cn (que soportan DKIM)</string> + <string name="bridge_error">Error de bridge (repetidor puente)</string> + <string name="bridge_requires_ip">Para utilizar la funcion bridge (acceso a Tor de publicitación restringida), debe introducir al menos una dirección IP de bridge.</string> + <string name="send_email_for_bridges">Envie un correo a bridges(a)torproject.org incluyendo en el cuerpo del mensaje una línea sólo con \"get bridges\", desde una cuenta con dominio gmail.com, yahoo.com o yahoo.cn (que soportan DKIM)</string> <string name="error">Error</string> <string name="your_reachableaddresses_settings_caused_an_exception_">¡Sus \'Reglas de direcciones accesibles\' han producido una excepción!</string> - <string name="your_relay_settings_caused_an_exception_">¡La configuración de su repetidor (el nodo de Tor que ejecuta) ha producido una excepción!</string> + <string name="your_relay_settings_caused_an_exception_">¡La configuración de su repetidor ha producido una excepción!</string> <string name="exit_nodes">Nodos de salida</string> <string name="fingerprints_nicks_countries_and_addresses_for_the_last_hop">Reglas de identificación de repetidores de salida de la red Tor, mediante huellas de validación de claves (fingerprints), alias (nicks), códigos de país y direcciones (o rangos)</string> <string name="enter_exit_nodes">Introduzca repetidores de salida</string> @@ -164,11 +164,11 @@ <string name="fingerprints_nicks_countries_and_addresses_to_exclude">Reglas de identificación de repetidores a evitar en la red Tor, mediante huellas de validación de claves (fingerprints), alias (nicks), códigos de país y direcciones (o rangos)</string> <string name="enter_exclude_nodes">Introduzca repetidores a evitar</string> <string name="strict_nodes">Hacer estricta la exclusión de nodos (incluso si hay fallos de comunicación)</string> - <string name="use_only_these_specified_nodes">Usar - sólo - estos nodos especificados</string> - <string name="bridges">Bridges (repetidores puente, accesos a Tor de publicitación restringida) </string> - <string name="use_bridges">Utilizar bridges (prevalece sobre la configuración de nodos de entrada) </string> + <string name="use_only_these_specified_nodes">Usar *sólo* estos nodos especificados</string> + <string name="bridges">Bridges (repetidores puente) </string> + <string name="use_bridges">Usar bridges (prevalece sobre \'Nodos de entrada\') </string> <string name="bridges_obfuscated">Bridges ofuscados (contra el análisis DPI de tráfico) </string> - <string name="enable_alternate_entrance_nodes_into_the_tor_network">Habilita el uso de repetidores puente (bridges, entradas alternativas en la red Tor de publicitación restringida)</string> + <string name="enable_alternate_entrance_nodes_into_the_tor_network">Habilita el uso de nodos alternativos de entrada a la red Tor, de publicitacion restringida (contra censura)</string> <string name="enable_if_configured_bridges_are_obfuscated_bridges">Habilítelo si los bridges (repetidores puente, entradas a Tor de publicitación restringida) de su lista de configuración están ofuscados, encapsulando el tráfico SSL para evitar ser detectados. </string> <string name="ip_address_and_port_of_bridges">Direcciones IP y puertos de los bridges</string> <string name="enter_bridge_addresses">Introduzca direcciones de bridge</string>

1 0

[flashproxy/master] Fix a doc reference.
by dcf＠torproject.org 04 Jan '13

04 Jan '13

commit a0e5706c6bff400ca0fe28d705a5160315b4e52f Author: David Fifield <david(a)bamsoftware.com> Date: Sat Dec 29 05:42:44 2012 -0800 Fix a doc reference. --- facilitator/README | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/facilitator/README b/facilitator/README index d3c5593..8c0ac29 100644 --- a/facilitator/README +++ b/facilitator/README @@ -1,3 +1,3 @@ This directory contains files needed to run a flash proxy facilitator. Normal users don't need any of these files. For instructions on setting -up a facilitator, see doc/faciliator.txt. +up a facilitator, see doc/facilitator-howto.txt.

1 0

[flashproxy/master] Bump poll interval from 10 s to 60 s.
by dcf＠torproject.org 04 Jan '13

04 Jan '13

commit 49de7bf689ee989997a1edbf2414a7bdbc2164f9 Author: David Fifield <david(a)bamsoftware.com> Date: Thu Jan 3 21:01:39 2013 -0800 Bump poll interval from 10 s to 60 s. With recent CCC-related attention we have a lot more proxies (about 150 currently), so no need to poll so fast. --- proxy/flashproxy.js | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/proxy/flashproxy.js b/proxy/flashproxy.js index 19f1c08..8418a5d 100644 --- a/proxy/flashproxy.js +++ b/proxy/flashproxy.js @@ -59,7 +59,7 @@ var DEFAULT_FACILITATOR_URL = "https://tor-facilitator.bamsoftware.com/"; var DEFAULT_MAX_NUM_PROXY_PAIRS = 10; -var DEFAULT_FACILITATOR_POLL_INTERVAL = 10.0; +var DEFAULT_FACILITATOR_POLL_INTERVAL = 60.0; var MIN_FACILITATOR_POLL_INTERVAL = 1.0; /* Bytes per second. Set to undefined to disable limit. */

1 0

[atlas/master] Added instructions for how to run a local Atlas server
by art＠torproject.org 03 Jan '13

03 Jan '13

commit f0eed4f4d4a55dde690844df4985bddef781b127 Author: Peter Evjan <peter.evjan(a)gmail.com> Date: Tue Jan 1 18:06:49 2013 +1100 Added instructions for how to run a local Atlas server --- Readme.rst | 17 +++++++++++++++++ 1 files changed, 17 insertions(+), 0 deletions(-) diff --git a/Readme.rst b/Readme.rst index c5cac71..bb31355 100644 --- a/Readme.rst +++ b/Readme.rst @@ -5,3 +5,20 @@ Tor Status is a web application to discover Tor relays and bridges. It provides information on how relays are configured along with graphics about their past. +Running it +---------- + +You need to have Python and Tornado installed to run the web server locally. The easiest +way of installing Tornado is: + +:: + + sudo easy_install tornado + +Once that is done, you can run the server with the following command: + +:: + + python run.py + +After which, the Atlas site will be available on http://localhost:8888/index.html \ No newline at end of file

1 0

[stem/master] Whitelist support for shell commands
by atagar＠torproject.org 03 Jan '13

03 Jan '13

commit ec1078ccc39af8d154ef2f70781f1a3787be6789 Author: Damian Johnson <atagar(a)torproject.org> Date: Thu Jan 3 09:42:39 2013 -0800 Whitelist support for shell commands Shell commands have at times been the bane of my existance. They live outside the PATH (causing our is_available() to fail), and now it turns out that subprocess.Popen() fails to find them too. In retrospect both make sense but at first both are worthy of some head scratching. Adding a whitelist we can add shell commands to so they'll behave as we expect. --- stem/util/system.py | 30 ++++++++++++++++++++++-------- 1 files changed, 22 insertions(+), 8 deletions(-) diff --git a/stem/util/system.py b/stem/util/system.py index 0b4427e..080b080 100644 --- a/stem/util/system.py +++ b/stem/util/system.py @@ -31,11 +31,18 @@ import stem.util.proc from stem import UNDEFINED, CircStatus from stem.util import log -# Mapping of commands to if they're available or not. This isn't always -# reliable, failing for some special commands. For these the cache is -# prepopulated to skip lookups. +# Mapping of commands to if they're available or not. -CMD_AVAILABLE_CACHE = {"ulimit": True} +CMD_AVAILABLE_CACHE = {} + +# An incomplete listing of commands provided by the shell. Expand this as +# needed. Some noteworthy things about shell commands... +# +# * They're not in the path so is_available() will fail. +# * subprocess.Popen() without the 'shell = True' argument will fail with... +# OSError: [Errno 2] No such file or directory + +SHELL_COMMANDS = ['ulimit'] IS_RUNNING_PS_LINUX = "ps -A co command" IS_RUNNING_PS_BSD = "ps -ao ucomm=" @@ -86,8 +93,9 @@ def is_available(command, cached=True): than one command is present (for instance "ls -a | grep foo") then this just checks the first. - Note that many builtin common commands (like cd and ulimit) aren't in the - PATH so this lookup will fail for them. + Note that shell (like cd and ulimit) aren't in the PATH so this lookup will + try to assume that it's available. This only happends for recognized shell + commands (those in SHELL_COMMANDS). :param str command: command to search for :param bool cached: makes use of available cached results if **True** @@ -98,7 +106,11 @@ def is_available(command, cached=True): if " " in command: command = command.split(" ")[0] - if cached and command in CMD_AVAILABLE_CACHE: + if command in SHELL_COMMANDS: + # we can't actually look it up, so hope the shell really provides it... + + return True + elif cached and command in CMD_AVAILABLE_CACHE: return CMD_AVAILABLE_CACHE[command] else: cmd_exists = False @@ -568,8 +580,10 @@ def call(command, default = UNDEFINED): """ try: + is_shell_command = command.split(" ")[0] in SHELL_COMMANDS + start_time = time.time() - stdout, stderr = subprocess.Popen(command.split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE).communicate() + stdout, stderr = subprocess.Popen(command.split(), stdout = subprocess.PIPE, stderr = subprocess.PIPE, shell = is_shell_command).communicate() stdout, stderr = stdout.strip(), stderr.strip() runtime = time.time() - start_time

1 0

[arm/master] Using stem's system util
by atagar＠torproject.org 03 Jan '13

03 Jan '13

commit 8dbea0fa0c35d9118a7104b35af5088d96ee1db9 Author: Damian Johnson <atagar(a)torproject.org> Date: Thu Jan 3 09:54:00 2013 -0800 Using stem's system util Stem has some (not all) of our system utilities. The most interesting one is the call() function. Stem provides a subprocess based implementation that's pretty simple, while ours was os.popen() based and a tangled mess of hundreds of lines. The reason for that mess was that I wanted to support caching and piped arguments (like "ps -aux | grep tor"). However, we only used the caching at one spot in the *entire* codebase, and the piping on reflection was a bad idea. This is code - we can filter our own results without relying on grep and egrep. This required a few changes to the connection util (the heaviest user of grep) and has a couple points of regression... * The bandwidthStats panel no longer gets cached ps results - we need to figure out a cleaner method for deduplicating those system calls. * We used the runtimes of our system calls to partly calculate arm's cpu usage. This was a bit of a hack but I'm not sure of a better way of including those invocations in our usage. This will require some more thought. --- armrc.sample | 1 - src/cli/graphing/bandwidthStats.py | 10 +- src/cli/logPanel.py | 4 +- src/util/connections.py | 74 +++++++---- src/util/hostnames.py | 6 +- src/util/sysTools.py | 254 +----------------------------------- src/util/torConfig.py | 7 +- src/util/torTools.py | 65 ++++------ src/util/uiTools.py | 12 +- 9 files changed, 99 insertions(+), 334 deletions(-) diff --git a/armrc.sample b/armrc.sample index 5299de4..b5aa31b 100644 --- a/armrc.sample +++ b/armrc.sample @@ -274,7 +274,6 @@ queries.hostnames.poolSize 5 queries.hostnames.useSocketModule false # Caching parameters -cache.sysCalls.size 600 cache.hostnames.size 700000 cache.hostnames.trimSize 200000 cache.logPanel.size 1000 diff --git a/src/cli/graphing/bandwidthStats.py b/src/cli/graphing/bandwidthStats.py index 8a75fff..dd0c293 100644 --- a/src/cli/graphing/bandwidthStats.py +++ b/src/cli/graphing/bandwidthStats.py @@ -9,9 +9,9 @@ import curses import cli.controller from cli.graphing import graphPanel -from util import sysTools, torTools, uiTools +from util import torTools, uiTools -from stem.util import conf, log, str_tools +from stem.util import conf, log, str_tools, system def conf_handler(key, value): if key == "features.graph.bw.accounting.rate": @@ -120,13 +120,15 @@ class BandwidthStats(graphPanel.GraphStats): if orPort == "0": return # gets the uptime (using the same parameters as the header panel to take - # advantage of caching + # advantage of caching) + # TODO: stem dropped system caching support so we'll need to think of + # something else uptime = None queryPid = conn.getMyPid() if queryPid: queryParam = ["%cpu", "rss", "%mem", "etime"] queryCmd = "ps -p %s -o %s" % (queryPid, ",".join(queryParam)) - psCall = sysTools.call(queryCmd, 3600, True) + psCall = system.call(queryCmd, None) if psCall and len(psCall) == 2: stats = psCall[1].strip().split() diff --git a/src/cli/logPanel.py b/src/cli/logPanel.py index 820f295..ecb3109 100644 --- a/src/cli/logPanel.py +++ b/src/cli/logPanel.py @@ -13,7 +13,7 @@ import threading import stem from stem.response import events -from stem.util import conf, log +from stem.util import conf, log, system import popups from version import VERSION @@ -246,7 +246,7 @@ def getLogFileEntries(runlevels, readLimit = None, addLimit = None): lines = [] try: if readLimit: - lines = sysTools.call("tail -n %i %s" % (readLimit, loggingLocation)) + lines = system.call("tail -n %i %s" % (readLimit, loggingLocation)) if not lines: raise IOError() else: logFile = open(loggingLocation, "r") diff --git a/src/util/connections.py b/src/util/connections.py index d633c03..aa2aa2e 100644 --- a/src/util/connections.py +++ b/src/util/connections.py @@ -17,13 +17,12 @@ options that perform even better (thanks to Fabian Keil and Hans Schnehl): - procstat procstat -f <pid> | grep TCP | grep -v 0.0.0.0:0 """ +import re import os import time import threading -from util import sysTools - -from stem.util import conf, enum, log, proc +from stem.util import conf, enum, log, proc, system # enums for connection resolution utilities Resolver = enum.Enum(("PROC", "proc"), @@ -46,13 +45,13 @@ RECREATE_HALTED_RESOLVERS = False # tcp 0 0 127.0.0.1:9051 127.0.0.1:53308 ESTABLISHED 9912/tor # *note: bsd uses a different variant ('-t' => '-p tcp', but worse an # equivilant -p doesn't exist so this can't function) -RUN_NETSTAT = "netstat -np | grep \"ESTABLISHED %s/%s\"" +RUN_NETSTAT = "netstat -np" # n = numeric ports, p = include process, t = tcp sockets, u = udp sockets # output: # ESTAB 0 0 127.0.0.1:9051 127.0.0.1:53308 users:(("tor",9912,20)) # *note: under freebsd this command belongs to a spreadsheet program -RUN_SS = "ss -nptu | grep \"ESTAB.*\\\"%s\\\",%s\"" +RUN_SS = "ss -nptu" # n = prevent dns lookups, P = show port numbers (not names), i = ip only, # -w = no warnings @@ -62,15 +61,15 @@ RUN_SS = "ss -nptu | grep \"ESTAB.*\\\"%s\\\",%s\"" # oddly, using the -p flag via: # lsof lsof -nPi -p <pid> | grep "^<process>.*(ESTABLISHED)" # is much slower (11-28% in tests I ran) -RUN_LSOF = "lsof -wnPi | egrep \"^%s *%s.*((UDP.*)|(\$ESTABLISHED\$))\"" +RUN_LSOF = "lsof -wnPi" # output: # atagar tor 3475 tcp4 127.0.0.1:9051 127.0.0.1:38942 ESTABLISHED # *note: this isn't available by default under ubuntu -RUN_SOCKSTAT = "sockstat | egrep \"%s *%s.*ESTABLISHED\"" +RUN_SOCKSTAT = "sockstat" -RUN_BSD_SOCKSTAT = "sockstat -4c | grep '%s *%s'" -RUN_BSD_PROCSTAT = "procstat -f %s | grep TCP | grep -v 0.0.0.0:0" +RUN_BSD_SOCKSTAT = "sockstat -4c" +RUN_BSD_PROCSTAT = "procstat -f %s" RESOLVERS = [] # connection resolvers available via the singleton constructor RESOLVER_FAILURE_TOLERANCE = 3 # number of subsequent failures before moving on to another resolver @@ -176,9 +175,9 @@ def getPortUsage(port): def getResolverCommand(resolutionCmd, processName, processPid = ""): """ - Provides the command that would be processed for the given resolver type. - This raises a ValueError if either the resolutionCmd isn't recognized or a - pid was requited but not provided. + Provides the command and line filter that would be processed for the given + resolver type. This raises a ValueError if either the resolutionCmd isn't + recognized or a pid was requited but not provided. Arguments: resolutionCmd - command to use in resolving the address @@ -194,13 +193,39 @@ def getResolverCommand(resolutionCmd, processName, processPid = ""): # if the pid was undefined then match any in that field processPid = "[0-9]*" - if resolutionCmd == Resolver.PROC: return "" - elif resolutionCmd == Resolver.NETSTAT: return RUN_NETSTAT % (processPid, processName) - elif resolutionCmd == Resolver.SS: return RUN_SS % (processName, processPid) - elif resolutionCmd == Resolver.LSOF: return RUN_LSOF % (processName, processPid) - elif resolutionCmd == Resolver.SOCKSTAT: return RUN_SOCKSTAT % (processName, processPid) - elif resolutionCmd == Resolver.BSD_SOCKSTAT: return RUN_BSD_SOCKSTAT % (processName, processPid) - elif resolutionCmd == Resolver.BSD_PROCSTAT: return RUN_BSD_PROCSTAT % processPid + no_op_filter = lambda line: True + + if resolutionCmd == Resolver.PROC: return ("", no_op_filter) + elif resolutionCmd == Resolver.NETSTAT: + return ( + RUN_NETSTAT, + lambda line: "ESTABLISHED %s/%s" % (processPid, processName) in line + ) + elif resolutionCmd == Resolver.SS: + return ( + RUN_SS, + lambda line: ("ESTAB" in line) and ("\"%s\",%s" % (processName, processPid) in line) + ) + elif resolutionCmd == Resolver.LSOF: + return ( + RUN_LSOF, + lambda line: re.match("^%s *%s.*((UDP.*)|($ESTABLISHED$))" % (processName, processPid)) + ) + elif resolutionCmd == Resolver.SOCKSTAT: + return ( + RUN_SOCKSTAT, + lambda line: re.match("%s *%s.*ESTABLISHED" % (processName, processPid)) + ) + elif resolutionCmd == Resolver.BSD_SOCKSTAT: + return ( + RUN_BSD_SOCKSTAT, + lambda line: re.match("%s *%s" % (processName, processPid)) + ) + elif resolutionCmd == Resolver.BSD_PROCSTAT: + return ( + RUN_BSD_PROCSTAT % processPid, + lambda line: "TCP" in line and "0.0.0.0:0" not in line + ) else: raise ValueError("Unrecognized resolution type: %s" % resolutionCmd) def getConnections(resolutionCmd, processName, processPid = ""): @@ -232,8 +257,9 @@ def getConnections(resolutionCmd, processName, processPid = ""): else: # Queries a resolution utility (netstat, lsof, etc). This raises an # IOError if the command fails or isn't available. - cmd = getResolverCommand(resolutionCmd, processName, processPid) - results = sysTools.call(cmd) + cmd, cmd_filter = getResolverCommand(resolutionCmd, processName, processPid) + results = system.call(cmd) + results = filter(cmd_filter, results) if not results: raise IOError("No results found using: %s" % cmd) @@ -422,7 +448,7 @@ class ConnectionResolver(threading.Thread): # resolvers. resolverCmd = resolver.replace(" (bsd)", "") - if resolver == Resolver.PROC or sysTools.isAvailable(resolverCmd): + if resolver == Resolver.PROC or system.is_available(resolverCmd): self.defaultResolver = resolver break @@ -501,7 +527,7 @@ class ConnectionResolver(threading.Thread): except (ValueError, IOError), exc: # this logs in a couple of cases: # - special failures noted by getConnections (most cases are already - # logged via sysTools) + # logged via system) # - note fail-overs for default resolution methods if str(exc).startswith("No results found using:"): log.info(exc) @@ -690,7 +716,7 @@ class AppResolver: else: lsofArgs.append("-i tcp:%s" % port) if lsofArgs: - lsofResults = sysTools.call("lsof -nP " + " ".join(lsofArgs)) + lsofResults = system.call("lsof -nP " + " ".join(lsofArgs)) else: lsofResults = None if not lsofResults and self.failureCount != -1: diff --git a/src/util/hostnames.py b/src/util/hostnames.py index d360461..a58eb94 100644 --- a/src/util/hostnames.py +++ b/src/util/hostnames.py @@ -32,9 +32,7 @@ import itertools import Queue import distutils.sysconfig -from util import sysTools - -from stem.util import conf, log +from stem.util import conf, log, system RESOLVER = None # hostname resolver (service is stopped if None) RESOLVER_LOCK = threading.RLock() # regulates assignment to the RESOLVER @@ -233,7 +231,7 @@ def _resolveViaHost(ipAddr): ipAddr - ip address to be resolved """ - hostname = sysTools.call("host %s" % ipAddr)[0].split()[-1:][0] + hostname = system.call("host %s" % ipAddr)[0].split()[-1:][0] if hostname == "reached": # got message: ";; connection timed out; no servers could be reached" diff --git a/src/util/sysTools.py b/src/util/sysTools.py index 8078c1c..af38ced 100644 --- a/src/util/sysTools.py +++ b/src/util/sysTools.py @@ -6,20 +6,9 @@ import os import time import threading -from stem.util import conf, log, proc, str_tools - -# Mapping of commands to if they're available or not. This isn't always -# reliable, failing for some special commands. For these the cache is -# prepopulated to skip lookups. -CMD_AVAILABLE_CACHE = {"ulimit": True} - -# cached system call results, mapping the command issued to the (time, results) tuple -CALL_CACHE = {} -IS_FAILURES_CACHED = True # caches both successful and failed results if true -CALL_CACHE_LOCK = threading.RLock() # governs concurrent modifications of CALL_CACHE +from stem.util import conf, log, proc, str_tools, system PROCESS_NAME_CACHE = {} # mapping of pids to their process names -PWD_CACHE = {} # mapping of pids to their present working directory RESOURCE_TRACKERS = {} # mapping of pids to their resource tracker instances # Runtimes for system calls, used to estimate cpu usage. Entries are tuples of @@ -30,9 +19,11 @@ SAMPLING_PERIOD = 5 # time of the sampling period CONFIG = conf.config_dict("arm", { "queries.resourceUsage.rate": 5, - "cache.sysCalls.size": 600, }) +# TODO: This was a bit of a hack, and one that won't work now that we lack our +# call() method to populate RUNTIMES. + def getSysCpuUsage(): """ Provides an estimate of the cpu usage for system calls made through this @@ -50,35 +41,6 @@ def getSysCpuUsage(): runtimeSum = sum([entry[1] for entry in RUNTIMES]) return runtimeSum / SAMPLING_PERIOD -def isAvailable(command, cached=True): - """ - Checks the current PATH to see if a command is available or not. If a full - call is provided then this just checks the first command (for instance - "ls -a | grep foo" is truncated to "ls"). This returns True if an accessible - executable by the name is found and False otherwise. - - Arguments: - command - command for which to search - cached - this makes use of available cached results if true, otherwise - they're overwritten - """ - - if " " in command: command = command.split(" ")[0] - - if cached and command in CMD_AVAILABLE_CACHE: - return CMD_AVAILABLE_CACHE[command] - else: - cmdExists = False - for path in os.environ["PATH"].split(os.pathsep): - cmdPath = os.path.join(path, command) - - if os.path.exists(cmdPath) and os.access(cmdPath, os.X_OK): - cmdExists = True - break - - CMD_AVAILABLE_CACHE[command] = cmdExists - return cmdExists - def getFileErrorMsg(exc): """ Strips off the error number prefix for file related IOError messages. For @@ -129,7 +91,7 @@ def getProcessName(pid, default = None, cacheFailure = True): # the ps call formats results as: # COMMAND # tor - psCall = call("ps -p %s -o command" % pid) + psCall = system.call("ps -p %s -o command" % pid) if psCall and len(psCall) >= 2 and not " " in psCall[1]: processName, raisedExc = psCall[1].strip(), None @@ -148,210 +110,6 @@ def getProcessName(pid, default = None, cacheFailure = True): PROCESS_NAME_CACHE[pid] = processName return processName -def getPwd(pid): - """ - Provices the working directory of the given process. This raises an IOError - if it can't be determined. - - Arguments: - pid - pid of the process - """ - - if not pid: raise IOError("we couldn't get the pid") - elif pid in PWD_CACHE: return PWD_CACHE[pid] - - # try fetching via the proc contents if available - if proc.is_available(): - try: - pwd = proc.get_cwd(pid) - PWD_CACHE[pid] = pwd - return pwd - except IOError: pass # fall back to pwdx - elif os.uname()[0] in ("Darwin", "FreeBSD", "OpenBSD"): - # BSD neither useres the above proc info nor does it have pwdx. Use lsof to - # determine this instead: - # https://trac.torproject.org/projects/tor/ticket/4236 - # - # ~$ lsof -a -p 75717 -d cwd -Fn - # p75717 - # n/Users/atagar/tor/src/or - - try: - results = call("lsof -a -p %s -d cwd -Fn" % pid) - - if results and len(results) == 2 and results[1].startswith("n/"): - pwd = results[1][1:].strip() - PWD_CACHE[pid] = pwd - return pwd - except IOError, exc: pass - - try: - # pwdx results are of the form: - # 3799: /home/atagar - # 5839: No such process - results = call("pwdx %s" % pid) - if not results: - raise IOError("pwdx didn't return any results") - elif results[0].endswith("No such process"): - raise IOError("pwdx reported no process for pid " + pid) - elif len(results) != 1 or results[0].count(" ") != 1: - raise IOError("we got unexpected output from pwdx") - else: - pwd = results[0][results[0].find(" ") + 1:].strip() - PWD_CACHE[pid] = pwd - return pwd - except IOError, exc: - raise IOError("the pwdx call failed: " + str(exc)) - -def expandRelativePath(path, ownerPid): - """ - Expands relative paths to be an absolute path with reference to a given - process. This raises an IOError if the process pwd is required and can't be - resolved. - - Arguments: - path - path to be expanded - ownerPid - pid of the process to which the path belongs - """ - - if not path or path[0] == "/": return path - else: - if path.startswith("./"): path = path[2:] - processPwd = getPwd(ownerPid) - return "%s/%s" % (processPwd, path) - -def call(command, cacheAge=0, suppressExc=False, quiet=True): - """ - Convenience function for performing system calls, providing: - - suppression of any writing to stdout, both directing stderr to /dev/null - and checking for the existence of commands before executing them - - logging of results (command issued, runtime, success/failure, etc) - - optional exception suppression and caching (the max age for cached results - is a minute) - - Arguments: - command - command to be issued - cacheAge - uses cached results rather than issuing a new request if last - fetched within this number of seconds (if zero then all - caching functionality is skipped) - suppressExc - provides None in cases of failure if True, otherwise IOErrors - are raised - quiet - if True, "2> /dev/null" is appended to all commands - """ - - # caching functionality (fetching and trimming) - if cacheAge > 0: - global CALL_CACHE - - # keeps consistency that we never use entries over a minute old (these - # results are 'dirty' and might be trimmed at any time) - cacheAge = min(cacheAge, 60) - cacheSize = CONFIG["cache.sysCalls.size"] - - # if the cache is especially large then trim old entries - if len(CALL_CACHE) > cacheSize: - CALL_CACHE_LOCK.acquire() - - # checks that we haven't trimmed while waiting - if len(CALL_CACHE) > cacheSize: - # constructs a new cache with only entries less than a minute old - newCache, currentTime = {}, time.time() - - for cachedCommand, cachedResult in CALL_CACHE.items(): - if currentTime - cachedResult[0] < 60: - newCache[cachedCommand] = cachedResult - - # if the cache is almost as big as the trim size then we risk doing this - # frequently, so grow it and log - if len(newCache) > (0.75 * cacheSize): - cacheSize = len(newCache) * 2 - CONFIG["cache.sysCalls.size"] = cacheSize - - log.info("growing system call cache to %i entries" % cacheSize) - - CALL_CACHE = newCache - CALL_CACHE_LOCK.release() - - # checks if we can make use of cached results - if command in CALL_CACHE and time.time() - CALL_CACHE[command][0] < cacheAge: - cachedResults = CALL_CACHE[command][1] - cacheAge = time.time() - CALL_CACHE[command][0] - - if isinstance(cachedResults, IOError): - if IS_FAILURES_CACHED: - log.trace(CONFIG["log.sysCallCached"], "system call (cached failure): %s (age: %0.1f, error: %s)" % (command, cacheAge, cachedResults)) - - if suppressExc: return None - else: raise cachedResults - else: - # flag was toggled after a failure was cached - reissue call, ignoring the cache - return call(command, 0, suppressExc, quiet) - else: - log.trace(CONFIG["log.sysCallCached"], "system call (cached): %s (age: %0.1f)" % (command, cacheAge)) - - return cachedResults - - startTime = time.time() - commandCall, results, errorExc = None, None, None - - # Gets all the commands involved, taking piping into consideration. If the - # pipe is quoted (ie, echo "an | example") then it's ignored. - - commandComp = [] - for component in command.split("|"): - if not commandComp or component.count("\"") % 2 == 0: - commandComp.append(component) - else: - # pipe is within quotes - commandComp[-1] += "|" + component - - # preprocessing for the commands to prevent anything going to stdout - for i in range(len(commandComp)): - subcommand = commandComp[i].strip() - - if not isAvailable(subcommand): errorExc = IOError("'%s' is unavailable" % subcommand.split(" ")[0]) - if quiet: commandComp[i] = "%s 2> /dev/null" % subcommand - - # processes the system call - if not errorExc: - try: - commandCall = os.popen(" | ".join(commandComp)) - results = commandCall.readlines() - except IOError, exc: - errorExc = exc - - # make sure sys call is closed - if commandCall: commandCall.close() - - if errorExc: - # log failure and either provide None or re-raise exception - log.info("system call (failed): %s (error: %s)" % (command, str(errorExc))) - - if cacheAge > 0 and IS_FAILURES_CACHED: - CALL_CACHE_LOCK.acquire() - CALL_CACHE[command] = (time.time(), errorExc) - CALL_CACHE_LOCK.release() - - if suppressExc: return None - else: raise errorExc - else: - # log call information and if we're caching then save the results - currentTime = time.time() - runtime = currentTime - startTime - log.debug("system call: %s (runtime: %0.2f)" % (command, runtime)) - - # append the runtime, and remove any outside of the sampling period - RUNTIMES.append((currentTime, runtime)) - while RUNTIMES and currentTime - RUNTIMES[0][0] > SAMPLING_PERIOD: - RUNTIMES.pop(0) - - if cacheAge > 0: - CALL_CACHE_LOCK.acquire() - CALL_CACHE[command] = (time.time(), results) - CALL_CACHE_LOCK.release() - - return results - def getResourceTracker(pid, noSpawn = False): """ Provides a running singleton ResourceTracker instance for the given pid. @@ -489,7 +247,7 @@ class ResourceTracker(threading.Thread): # TIME ELAPSED RSS %MEM # 0:04.40 37:57 18772 0.9 - psCall = call("ps -p %s -o cputime,etime,rss,%%mem" % self.processPid) + psCall = system.call("ps -p %s -o cputime,etime,rss,%%mem" % self.processPid) isSuccessful = False if psCall and len(psCall) >= 2: diff --git a/src/util/torConfig.py b/src/util/torConfig.py index 57a9d05..a26cced 100644 --- a/src/util/torConfig.py +++ b/src/util/torConfig.py @@ -11,7 +11,7 @@ import stem.version from util import sysTools, torTools, uiTools -from stem.util import conf, enum, log, str_tools +from stem.util import conf, enum, log, str_tools, system def conf_handler(key, value): if key == "config.important": @@ -176,7 +176,7 @@ def loadOptionDescriptions(loadPath = None, checkVersion = True): CONFIG_DESCRIPTIONS.clear() raise IOError("input file format is invalid") else: - manCallResults = sysTools.call("man tor") + manCallResults = system.call("man tor") if not manCallResults: raise IOError("man page not found") @@ -347,7 +347,8 @@ def getConfigLocation(): if not configLocation: raise IOError("unable to query the torrc location") try: - return torPrefix + sysTools.expandRelativePath(configLocation, torPid) + torCwd = system.get_cwd(torPid) + return torPrefix + system.expand_path(configLocation, torCwd) except IOError, exc: raise IOError("querying tor's pwd failed because %s" % exc) diff --git a/src/util/torTools.py b/src/util/torTools.py index 73121c5..d82e7cd 100644 --- a/src/util/torTools.py +++ b/src/util/torTools.py @@ -7,7 +7,6 @@ import os import pwd import time import math -import socket import thread import threading import Queue @@ -16,9 +15,9 @@ import stem import stem.control import stem.descriptor -from util import connections, sysTools +from util import connections -from stem.util import conf, enum, log, proc, str_tools +from stem.util import conf, enum, log, proc, str_tools, system # enums for tor's controller state: # INIT - attached to a new controller @@ -111,7 +110,7 @@ def getPid(controlPort=9051, pidFilePath=None): # - tor is running under a different name # - there are multiple instances of tor try: - results = sysTools.call("pgrep -x tor") + results = system.call("pgrep -x tor") if len(results) == 1 and len(results[0].split()) == 1: pid = results[0].strip() if pid.isdigit(): return pid @@ -121,7 +120,7 @@ def getPid(controlPort=9051, pidFilePath=None): # - tor's running under a different name # - there's multiple instances of tor try: - results = sysTools.call("pidof tor") + results = system.call("pidof tor") if len(results) == 1 and len(results[0].split()) == 1: pid = results[0].strip() if pid.isdigit(): return pid @@ -130,7 +129,8 @@ def getPid(controlPort=9051, pidFilePath=None): # attempts to resolve using netstat, failing if: # - tor's being run as a different user due to permissions try: - results = sysTools.call("netstat -npl | grep 127.0.0.1:%i" % controlPort) + results = system.call("netstat -npl") + results = filter(lambda line: "127.0.0.1:%i" % controlPort in line, results) if len(results) == 1: results = results[0].split()[6] # process field (ex. "7184/tor") @@ -142,7 +142,7 @@ def getPid(controlPort=9051, pidFilePath=None): # - tor's running under a different name # - there's multiple instances of tor try: - results = sysTools.call("ps -o pid -C tor") + results = system.call("ps -o pid -C tor") if len(results) == 2: pid = results[1].strip() if pid.isdigit(): return pid @@ -157,7 +157,9 @@ def getPid(controlPort=9051, pidFilePath=None): # TODO: the later two issues could be solved by filtering for the control # port IP address instead of the process name. try: - results = sysTools.call("sockstat -4l -P tcp -p %i | grep tor" % controlPort) + results = system.call("sockstat -4l -P tcp -p %i" % controlPort) + results = filter(lambda line: "tor" in line, results) + if len(results) == 1 and len(results[0].split()) == 7: pid = results[0].split()[2] if pid.isdigit(): return pid @@ -169,7 +171,9 @@ def getPid(controlPort=9051, pidFilePath=None): # - there's multiple instances of tor try: - results = sysTools.call("ps axc | egrep \" tor$\"") + results = system.call("ps axc") + results = filter(lambda line: line.endswith(" tor"), results) + if len(results) == 1 and len(results[0].split()) > 0: pid = results[0].split()[0] if pid.isdigit(): return pid @@ -183,7 +187,8 @@ def getPid(controlPort=9051, pidFilePath=None): # same control port on different addresses. try: - results = sysTools.call("lsof -wnPi | egrep \"^tor.*:%i\"" % controlPort) + results = system.call("lsof -wnPi") + results = filter(lambda line: line.startswith("tor.*:%i" % controlPort), results) # This can result in multiple entries with the same pid (from the query # itself). Checking all lines to see if they're in agreement about the pid. @@ -203,29 +208,6 @@ def getPid(controlPort=9051, pidFilePath=None): return None -def getBsdJailId(): - """ - Get the FreeBSD jail id for the monitored Tor process. - """ - - # Output when called from a FreeBSD jail or when Tor isn't jailed: - # JID - # 0 - # - # Otherwise it's something like: - # JID - # 1 - - torPid = getConn().getMyPid() - psOutput = sysTools.call("ps -p %s -o jid" % torPid) - - if len(psOutput) == 2 and len(psOutput[1].split()) == 1: - jid = psOutput[1].strip() - if jid.isdigit(): return int(jid) - - log.warn("Failed to figure out the FreeBSD jail id. Assuming 0.") - return 0 - def isTorRunning(): """ Simple check for if a tor process is running. If this can't be determined @@ -250,9 +232,9 @@ def isTorRunning(): if os.uname()[0] in ("Darwin", "FreeBSD", "OpenBSD"): primaryResolver, secondaryResolver = secondaryResolver, primaryResolver - commandResults = sysTools.call(primaryResolver) + commandResults = system.call(primaryResolver) if not commandResults: - commandResults = sysTools.call(secondaryResolver) + commandResults = system.call(secondaryResolver) if commandResults: for cmd in commandResults: @@ -1261,7 +1243,7 @@ class Controller: # - only provide an error if Tor fails to log a sighup # - provide the error message associated with the tor pid (others # would be a red herring) - if not sysTools.isAvailable("pkill"): + if not system.is_available("pkill"): raise IOError("pkill command is unavailable") self._isReset = False @@ -1649,7 +1631,7 @@ class Controller: # fall back to querying via ps if not result: - psResults = sysTools.call("ps -o user %s" % myPid) + psResults = system.call("ps -o user %s" % myPid) if psResults and len(psResults) >= 2: result = psResults[1].strip() elif key == "fdLimit": # provides -1 if the query fails @@ -1669,7 +1651,7 @@ class Controller: result = (8192, True) else: # uses ulimit to estimate (-H is for hard limit, which is what tor uses) - ulimitResults = sysTools.call("ulimit -Hn") + ulimitResults = system.call("ulimit -Hn") if ulimitResults: ulimit = ulimitResults[0].strip() @@ -1681,12 +1663,13 @@ class Controller: # adjusts the prefix path to account for jails under FreeBSD (many # thanks to Fabian Keil!) if not prefixPath and os.uname()[0] == "FreeBSD": - jid = getBsdJailId() + torPid = getConn().getMyPid() + jid = system.get_bsd_jail_id() if jid != 0: # Output should be something like: # JID IP Address Hostname Path # 1 10.0.0.2 tor-jail /usr/jails/tor-jail - jlsOutput = sysTools.call("jls -j %s" % jid) + jlsOutput = system.call("jls -j %s" % jid) if len(jlsOutput) == 2 and len(jlsOutput[1].split()) == 4: prefixPath = jlsOutput[1].split()[3] @@ -1717,7 +1700,7 @@ class Controller: if not result: # if we're either not using proc or it fails then try using ps try: - psCall = sysTools.call("ps -p %s -o etime" % myPid) + psCall = system.call("ps -p %s -o etime" % myPid) if psCall and len(psCall) >= 2: etimeEntry = psCall[1].strip() diff --git a/src/util/uiTools.py b/src/util/uiTools.py index d93af73..2aac55a 100644 --- a/src/util/uiTools.py +++ b/src/util/uiTools.py @@ -11,7 +11,7 @@ import curses from curses.ascii import isprint -from stem.util import conf, enum, log +from stem.util import conf, enum, log, system # colors curses can handle COLOR_LIST = {"red": curses.COLOR_RED, "green": curses.COLOR_GREEN, @@ -102,8 +102,6 @@ def isUnicodeAvailable(): global IS_UNICODE_SUPPORTED if IS_UNICODE_SUPPORTED == None: - import sysTools - if CONFIG["features.printUnicode"]: # Checks if our LANG variable is unicode. This is what will be respected # when printing multi-byte characters after calling... @@ -485,10 +483,10 @@ def _isWideCharactersAvailable(): # /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.1.6) libDependencyLines = None - if sysTools.isAvailable("ldd"): - libDependencyLines = sysTools.call("ldd %s" % cursesLib) - elif sysTools.isAvailable("otool"): - libDependencyLines = sysTools.call("otool -L %s" % cursesLib) + if system.is_available("ldd"): + libDependencyLines = system.call("ldd %s" % cursesLib) + elif system.is_available("otool"): + libDependencyLines = system.call("otool -L %s" % cursesLib) if libDependencyLines: for line in libDependencyLines:

1 0

[tor/master] Whoops; make that unit test actually pass :/
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit dffc8e359bcfeb00813a3afde6aa2328f6a6a476 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jan 3 12:45:50 2013 -0500 Whoops; make that unit test actually pass :/ --- src/test/test_crypto.c | 11 +++++++---- 1 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c index 9c69f31..67d2b83 100644 --- a/src/test/test_crypto.c +++ b/src/test/test_crypto.c @@ -1016,6 +1016,7 @@ test_crypto_curve25519_persist(void *arg) char *content = NULL; const char *cp; struct stat st; + size_t taglen; (void)arg; @@ -1034,9 +1035,11 @@ test_crypto_curve25519_persist(void *arg) content = read_file_to_str(fname, RFTS_BIN, &st); tt_assert(content); - tt_assert(!strcmpstart(content, "== c25519v1: testing ==")); - cp = content + strlen("== c25519v1: testing =="); - tt_int_op(st.st_size, ==, 64 + strlen("== c25519v1: testing ==")); + taglen = strlen("== c25519v1: testing =="); + tt_int_op(st.st_size, ==, 32+CURVE25519_PUBKEY_LEN+CURVE25519_SECKEY_LEN); + tt_assert(fast_memeq(content, "== c25519v1: testing ==", taglen)); + tt_assert(tor_mem_is_zero(content+taglen, 32-taglen)); + cp = content + 32; test_memeq(keypair.seckey.secret_key, cp, CURVE25519_SECKEY_LEN); @@ -1050,7 +1053,7 @@ test_crypto_curve25519_persist(void *arg) tt_int_op(-1, ==, curve25519_keypair_read_from_file(&keypair2, &tag, fname)); - content[64] ^= 0xff; + content[69] ^= 0xff; tt_int_op(0, ==, write_bytes_to_file(fname, content, st.st_size, 1)); tt_int_op(-1, ==, curve25519_keypair_read_from_file(&keypair2, &tag, fname));

1 0

[tor/master] Add a unit test for the curve25519 keypair persistence functions
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit 27ac306deb19cd45496cff839c6caccb9e81d37c Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jan 3 12:38:44 2013 -0500 Add a unit test for the curve25519 keypair persistence functions --- src/test/test_crypto.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 55 insertions(+), 0 deletions(-) diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c index 1cd09e2..9c69f31 100644 --- a/src/test/test_crypto.c +++ b/src/test/test_crypto.c @@ -9,6 +9,7 @@ #include "or.h" #include "test.h" #include "aes.h" +#include "util.h" #ifdef CURVE25519_ENABLED #include "crypto_curve25519.h" #endif @@ -1005,6 +1006,59 @@ test_crypto_curve25519_wrappers(void *arg) done: ; } + +static void +test_crypto_curve25519_persist(void *arg) +{ + curve25519_keypair_t keypair, keypair2; + char *fname = tor_strdup(get_fname("curve25519_keypair")); + char *tag = NULL; + char *content = NULL; + const char *cp; + struct stat st; + + (void)arg; + + tt_int_op(0,==,curve25519_keypair_generate(&keypair, 0)); + + tt_int_op(0,==,curve25519_keypair_write_to_file(&keypair, fname, "testing")); + tt_int_op(0,==,curve25519_keypair_read_from_file(&keypair2, &tag, fname)); + tt_str_op(tag,==,"testing"); + + test_memeq(keypair.pubkey.public_key, + keypair2.pubkey.public_key, + CURVE25519_PUBKEY_LEN); + test_memeq(keypair.seckey.secret_key, + keypair2.seckey.secret_key, + CURVE25519_SECKEY_LEN); + + content = read_file_to_str(fname, RFTS_BIN, &st); + tt_assert(content); + tt_assert(!strcmpstart(content, "== c25519v1: testing ==")); + cp = content + strlen("== c25519v1: testing =="); + tt_int_op(st.st_size, ==, 64 + strlen("== c25519v1: testing ==")); + test_memeq(keypair.seckey.secret_key, + cp, + CURVE25519_SECKEY_LEN); + cp += CURVE25519_SECKEY_LEN; + test_memeq(keypair.pubkey.public_key, + cp, + CURVE25519_SECKEY_LEN); + + tor_free(fname); + fname = tor_strdup(get_fname("bogus_keypair")); + + tt_int_op(-1, ==, curve25519_keypair_read_from_file(&keypair2, &tag, fname)); + + content[64] ^= 0xff; + tt_int_op(0, ==, write_bytes_to_file(fname, content, st.st_size, 1)); + tt_int_op(-1, ==, curve25519_keypair_read_from_file(&keypair2, &tag, fname)); + + done: + tor_free(fname); + tor_free(content); +} + #endif static void * @@ -1043,6 +1097,7 @@ struct testcase_t crypto_tests[] = { #ifdef CURVE25519_ENABLED { "curve25519_impl", test_crypto_curve25519_impl, 0, NULL, NULL }, { "curve25519_wrappers", test_crypto_curve25519_wrappers, 0, NULL, NULL }, + { "curve25519_persist", test_crypto_curve25519_persist, 0, NULL, NULL }, #endif END_OF_TESTCASES };

1 0

[tor/master] Refactor the CREATE_FAST handshake code to match the others.
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit 5fa1c7484cba293e6467acbca06a4143ce9da68d Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Dec 4 16:51:31 2012 -0500 Refactor the CREATE_FAST handshake code to match the others. --- src/or/circuitbuild.c | 11 +++++++---- src/or/circuitlist.c | 2 ++ src/or/onion_fast.c | 26 ++++++++++++++++++++++++-- src/or/onion_fast.h | 16 ++++++++++++++-- src/or/or.h | 3 ++- 5 files changed, 49 insertions(+), 9 deletions(-) diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 33a1351..b6cf125 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -645,11 +645,14 @@ circuit_send_next_onion_skin(origin_circuit_t *circ) * new OR: we can be speedy and use CREATE_FAST to save an RSA operation * and a DH operation. */ cell_type = CELL_CREATE_FAST; + memset(payload, 0, sizeof(payload)); - crypto_rand((char*) circ->cpath->fast_handshake_state, - sizeof(circ->cpath->fast_handshake_state)); - memcpy(payload, circ->cpath->fast_handshake_state, - sizeof(circ->cpath->fast_handshake_state)); + if (fast_onionskin_create(&circ->cpath->fast_handshake_state, + (uint8_t *)payload) < 0) { + log_warn(LD_CIRC,"onion_skin_create FAST (first hop) failed."); + return - END_CIRC_REASON_INTERNAL; + } + note_request("cell: create fast", 1); } diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c index abb8395..2c17fd2 100644 --- a/src/or/circuitlist.c +++ b/src/or/circuitlist.c @@ -23,6 +23,7 @@ #include "networkstatus.h" #include "nodelist.h" #include "onion.h" +#include "onion_fast.h" #include "relay.h" #include "rendclient.h" #include "rendcommon.h" @@ -744,6 +745,7 @@ circuit_free_cpath_node(crypt_path_t *victim) crypto_digest_free(victim->f_digest); crypto_digest_free(victim->b_digest); crypto_dh_free(victim->dh_handshake_state); + fast_handshake_state_free(victim->fast_handshake_state); extend_info_free(victim->extend_info); memwipe(victim, 0xBB, sizeof(crypt_path_t)); /* poison memory */ diff --git a/src/or/onion_fast.c b/src/or/onion_fast.c index 8d09de7..f33b048 100644 --- a/src/or/onion_fast.c +++ b/src/or/onion_fast.c @@ -12,6 +12,28 @@ #include "or.h" #include "onion_fast.h" +/**DOCDOC*/ +void +fast_handshake_state_free(fast_handshake_state_t *victim) +{ + if (! victim) + return; + memwipe(victim, 0, sizeof(fast_handshake_state_t)); + tor_free(victim); +} + +/** DOCDOC */ +int +fast_onionskin_create(fast_handshake_state_t **handshake_state_out, + uint8_t *handshake_out) +{ + fast_handshake_state_t *s; + *handshake_state_out = s =tor_malloc(sizeof(fast_handshake_state_t)); + crypto_rand((char*)s->state, sizeof(s->state)); + memcpy(handshake_out, s->state, DIGEST_LEN); + return 0; +} + /** Implement the server side of the CREATE_FAST abbreviated handshake. The * client has provided DIGEST_LEN key bytes in key_in ("x"). We * generate a reply of DIGEST_LEN*2 bytes in key_out, consisting of a @@ -63,7 +85,7 @@ fast_server_handshake(const uint8_t *key_in, /* DIGEST_LEN bytes */ * and protected by TLS). */ int -fast_client_handshake(const uint8_t *handshake_state,/*DIGEST_LEN bytes*/ +fast_client_handshake(const fast_handshake_state_t *handshake_state, const uint8_t *handshake_reply_out,/*DIGEST_LEN*2 bytes*/ uint8_t *key_out, size_t key_out_len) @@ -73,7 +95,7 @@ fast_client_handshake(const uint8_t *handshake_state,/*DIGEST_LEN bytes*/ size_t out_len; int r = -1; - memcpy(tmp, handshake_state, DIGEST_LEN); + memcpy(tmp, handshake_state->state, DIGEST_LEN); memcpy(tmp+DIGEST_LEN, handshake_reply_out, DIGEST_LEN); out_len = key_out_len+DIGEST_LEN; out = tor_malloc(out_len); diff --git a/src/or/onion_fast.h b/src/or/onion_fast.h index 5c9d59e..2d652cc 100644 --- a/src/or/onion_fast.h +++ b/src/or/onion_fast.h @@ -12,12 +12,24 @@ #ifndef TOR_ONION_FAST_H #define TOR_ONION_FAST_H -int fast_server_handshake(const uint8_t *key_in, +#define CREATE_FAST_LEN DIGEST_LEN +#define CREATED_FAST_LEN DIGEST_LEN*2 + +typedef struct fast_handshake_state_t { + uint8_t state[DIGEST_LEN]; +} fast_handshake_state_t; + +void fast_handshake_state_free(fast_handshake_state_t *victim); + +int fast_onionskin_create(fast_handshake_state_t **handshake_state_out, + uint8_t *handshake_out); + +int fast_server_handshake(const uint8_t *message_in, uint8_t *handshake_reply_out, uint8_t *key_out, size_t key_out_len); -int fast_client_handshake(const uint8_t *handshake_state, +int fast_client_handshake(const fast_handshake_state_t *handshake_state, const uint8_t *handshake_reply_out, uint8_t *key_out, size_t key_out_len); diff --git a/src/or/or.h b/src/or/or.h index 219336b..6fada77 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -2524,6 +2524,7 @@ typedef enum { #define CRYPT_PATH_MAGIC 0x70127012u +struct fast_handshake_state_t; /** Holds accounting information for a single step in the layered encryption * performed by a circuit. Used only at the client edge of a circuit. */ typedef struct crypt_path_t { @@ -2550,7 +2551,7 @@ typedef struct crypt_path_t { * authentication, secrecy, and integrity we need, and we're already * distinguishable from an OR. */ - uint8_t fast_handshake_state[DIGEST_LEN]; + struct fast_handshake_state_t *fast_handshake_state; /** Negotiated key material shared with the OR at this step. */ char handshake_digest[DIGEST_LEN];/* KH in tor-spec.txt */

1 0

[tor/master] Don't check create cells too much when we're relaying them
by nickm＠torproject.org 03 Jan '13

03 Jan '13

commit 5c68a1efaa9511baf2a2af0a49946e0a2de9e246 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Dec 6 00:21:24 2012 -0500 Don't check create cells too much when we're relaying them We want to sanity-check our own create cells carefully, and other people's loosely. --- src/or/circuitbuild.c | 21 ++++++++++++--------- src/or/onion.c | 21 +++++++++++++++++---- src/or/onion.h | 1 + src/test/test_cell_formats.c | 3 ++- 4 files changed, 32 insertions(+), 14 deletions(-) diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 43ad9f4..b7ab47f 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -55,7 +55,8 @@ static channel_t * channel_connect_for_circuit(const tor_addr_t *addr, uint16_t port, const char *id_digest); static int circuit_deliver_create_cell(circuit_t *circ, - const create_cell_t *create_cell); + const create_cell_t *create_cell, + int relayed); static int onion_pick_cpath_exit(origin_circuit_t *circ, extend_info_t *exit); static crypt_path_t *onion_next_hop_in_cpath(crypt_path_t *cpath); static int onion_extend_cpath(origin_circuit_t *circ); @@ -474,7 +475,7 @@ circuit_n_chan_done(channel_t *chan, int status) } else { /* pull the create cell out of circ->n_chan_create_cell, and send it */ tor_assert(circ->n_chan_create_cell); - if (circuit_deliver_create_cell(circ, circ->n_chan_create_cell)<0) { + if (circuit_deliver_create_cell(circ, circ->n_chan_create_cell, 1)<0) { circuit_mark_for_close(circ, END_CIRC_REASON_RESOURCELIMIT); continue; } @@ -491,14 +492,16 @@ circuit_n_chan_done(channel_t *chan, int status) * for the outgoing * circuit circ, and deliver a cell of type cell_type * (either CELL_CREATE or CELL_CREATE_FAST) with payload payload - * to this circuit. DOCDOC payload_len + * to this circuit. DOCDOC new arguments * Return -1 if we failed to find a suitable circid, else return 0. */ static int -circuit_deliver_create_cell(circuit_t *circ, const create_cell_t *create_cell) +circuit_deliver_create_cell(circuit_t *circ, const create_cell_t *create_cell, + int relayed) { cell_t cell; circid_t id; + int r; tor_assert(circ); tor_assert(circ->n_chan); @@ -516,7 +519,9 @@ circuit_deliver_create_cell(circuit_t *circ, const create_cell_t *create_cell) circuit_set_n_circid_chan(circ, id, circ->n_chan); memset(&cell, 0, sizeof(cell_t)); - if (create_cell_format(&cell, create_cell) < 0) { + r = relayed ? create_cell_format_relayed(&cell, create_cell) + : create_cell_format(&cell, create_cell); + if (r < 0) { log_warn(LD_CIRC,"Couldn't format create cell"); return -1; } @@ -657,7 +662,7 @@ circuit_send_next_onion_skin(origin_circuit_t *circ) } cc.handshake_len = len; - if (circuit_deliver_create_cell(TO_CIRCUIT(circ), &cc) < 0) + if (circuit_deliver_create_cell(TO_CIRCUIT(circ), &cc, 0) < 0) return - END_CIRC_REASON_RESOURCELIMIT; circ->cpath->state = CPATH_STATE_AWAITING_KEYS; @@ -901,8 +906,6 @@ circuit_extend(cell_t *cell, circuit_t *circ) &ec.orport_ipv4.addr, ec.orport_ipv4.port); - /* XXXX Make sure we can eventually deliver create cell with weird - * content */ circ->n_chan_create_cell = tor_memdup(&ec.create_cell, sizeof(ec.create_cell)); @@ -933,7 +936,7 @@ circuit_extend(cell_t *cell, circuit_t *circ) "n_chan is %s", channel_get_canonical_remote_descr(n_chan)); - if (circuit_deliver_create_cell(circ, &ec.create_cell) < 0) + if (circuit_deliver_create_cell(circ, &ec.create_cell, 1) < 0) return -1; return 0; } diff --git a/src/or/onion.c b/src/or/onion.c index 753ddcf..b42a66c 100644 --- a/src/or/onion.c +++ b/src/or/onion.c @@ -808,13 +808,14 @@ extended_cell_parse(extended_cell_t *cell_out, /** Fill cell_out with a correctly formatted version of the * CREATE{,_FAST,2} cell in cell_in. Return 0 on success, -1 on - * failure. */ -int -create_cell_format(cell_t *cell_out, const create_cell_t *cell_in) + * failure. This is a cell we didn't originate if relayed is true. */ +static int +create_cell_format_impl(cell_t *cell_out, const create_cell_t *cell_in, + int relayed) { uint8_t *p; size_t space; - if (check_create_cell(cell_in, 0) < 0) + if (check_create_cell(cell_in, relayed) < 0) return -1; memset(cell_out->payload, 0, sizeof(cell_out->payload)); @@ -848,6 +849,18 @@ create_cell_format(cell_t *cell_out, const create_cell_t *cell_in) return 0; } +int +create_cell_format(cell_t *cell_out, const create_cell_t *cell_in) +{ + return create_cell_format_impl(cell_out, cell_in, 0); +} + +int +create_cell_format_relayed(cell_t *cell_out, const create_cell_t *cell_in) +{ + return create_cell_format_impl(cell_out, cell_in, 1); +} + /** Fill cell_out with a correctly formatted version of the * CREATED{,_FAST,2} cell in cell_in. Return 0 on success, -1 on * failure. */ diff --git a/src/or/onion.h b/src/or/onion.h index 36cb761..e408139 100644 --- a/src/or/onion.h +++ b/src/or/onion.h @@ -106,6 +106,7 @@ int extended_cell_parse(extended_cell_t *cell_out, uint8_t command, const uint8_t *payload_in, size_t payload_len); int create_cell_format(cell_t *cell_out, const create_cell_t *cell_in); +int create_cell_format_relayed(cell_t *cell_out, const create_cell_t *cell_in); int created_cell_format(cell_t *cell_out, const created_cell_t *cell_in); int extend_cell_format(uint8_t *command_out, uint16_t *len_out, uint8_t *payload_out, const extend_cell_t *cell_in); diff --git a/src/test/test_cell_formats.c b/src/test/test_cell_formats.c index bdbc555..932124c 100644 --- a/src/test/test_cell_formats.c +++ b/src/test/test_cell_formats.c @@ -651,7 +651,7 @@ test_cfmt_extend_cells(void *arg) tt_int_op(p2_cmd, ==, RELAY_COMMAND_EXTEND); tt_int_op(p2_len, ==, 26+TAP_ONIONSKIN_CHALLENGE_LEN); test_memeq(p2, p, RELAY_PAYLOAD_SIZE); - tt_int_op(0, ==, create_cell_format(&cell, cc)); + tt_int_op(0, ==, create_cell_format_relayed(&cell, cc)); /* Now let's do a minimal ntor EXTEND2 cell. */ memset(&ec, 0xff, sizeof(ec)); @@ -721,6 +721,7 @@ test_cfmt_extend_cells(void *arg) /* Now the handshake prologue */ "01050063"); test_memeq(p2+1+8+22+4, b, 99+20); + tt_int_op(0, ==, create_cell_format_relayed(&cell, cc)); /* == Now try parsing some junk */

1 0