September 2016 - tor-commits - lists.torproject.org

[tor/master] Refactor crypto init to use existing options variable
by nickm＠torproject.org 13 Sep '16

13 Sep '16

commit 831cf6d1d8a01e0538a4f1eeadc99455237325fb Author: teor (Tim Wilson-Brown) <teor2345(a)gmail.com> Date: Thu Jul 14 14:08:23 2016 +1000 Refactor crypto init to use existing options variable --- src/or/main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/or/main.c b/src/or/main.c index 76f9f38..48c9f57 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2858,9 +2858,9 @@ tor_init(int argc, char *argv[]) "and you probably shouldn't."); #endif - if (crypto_global_init(get_options()->HardwareAccel, - get_options()->AccelName, - get_options()->AccelDir)) { + if (crypto_global_init(options->HardwareAccel, + options->AccelName, + options->AccelDir)) { log_err(LD_BUG, "Unable to initialize OpenSSL. Exiting."); return -1; }

1 0

[tor/master] When LearnCircuitBuildTimeout is disabled by other options, be quieter
by nickm＠torproject.org 13 Sep '16

13 Sep '16

commit c43211fd6cbb82a8016fcc0f81b309c6172e93d2 Author: teor <teor2345(a)gmail.com> Date: Mon Sep 5 15:11:45 2016 +1000 When LearnCircuitBuildTimeout is disabled by other options, be quieter --- src/or/config.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/or/config.c b/src/or/config.c index f7f1f57..d56d9f6 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -3465,8 +3465,18 @@ options_validate(or_options_t *old_options, or_options_t *options, RECOMMENDED_MIN_CIRCUIT_BUILD_TIMEOUT ); } else if (!options->LearnCircuitBuildTimeout && !options->CircuitBuildTimeout) { - log_notice(LD_CONFIG, "You disabled LearnCircuitBuildTimeout, but didn't " - "a CircuitBuildTimeout. I'll pick a plausible default."); + int severity = LOG_NOTICE; + /* Be a little quieter if we've deliberately disabled + * LearnCircuitBuildTimeout. */ + if (options->OnionServiceSingleHopMode) { + severity = LOG_INFO; +#ifdef ENABLE_TOR2WEB_MODE + } else if (options->Tor2webMode) { + severity = LOG_INFO; +#endif + } + log_fn(severity, LD_CONFIG, "You disabled LearnCircuitBuildTimeout, but " + "didn't a CircuitBuildTimeout. I'll pick a plausible default."); } if (options->PathBiasNoticeRate > 1.0) {

1 0

[tor/master] Allow the unit tests to pass a service list to rend_service_load_all_keys
by nickm＠torproject.org 13 Sep '16

13 Sep '16

commit 65b2d34c9cb3434c26be71de6f725244444824a7 Author: teor <teor2345(a)gmail.com> Date: Wed Sep 7 13:24:43 2016 +1000 Allow the unit tests to pass a service list to rend_service_load_all_keys --- src/or/rendservice.c | 20 ++++++++++++++++---- src/or/rendservice.h | 2 +- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/src/or/rendservice.c b/src/or/rendservice.c index ed89268..c91cd50 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1153,12 +1153,24 @@ rend_service_poison_new_single_onion_dirs(const smartlist_t *service_list) } /** Load and/or generate private keys for all hidden services, possibly - * including keys for client authorization. Return 0 on success, -1 on - * failure. */ + * including keys for client authorization. + * If a service_list is provided, treat it as the list of hidden + * services (used in unittests). Otherwise, require that rend_service_list is + * not NULL. + * Return 0 on success, -1 on failure. */ int -rend_service_load_all_keys(void) +rend_service_load_all_keys(const smartlist_t *service_list) { - SMARTLIST_FOREACH_BEGIN(rend_service_list, rend_service_t *, s) { + const smartlist_t *s_list; + /* If no special service list is provided, then just use the global one. */ + if (!service_list) { + tor_assert(rend_service_list); + s_list = rend_service_list; + } else { + s_list = service_list; + } + + SMARTLIST_FOREACH_BEGIN(s_list, rend_service_t *, s) { if (s->private_key) continue; log_info(LD_REND, "Loading hidden-service keys from \"%s\"", diff --git a/src/or/rendservice.h b/src/or/rendservice.h index 0cf448e..ec32262 100644 --- a/src/or/rendservice.h +++ b/src/or/rendservice.h @@ -123,7 +123,7 @@ STATIC void rend_service_free(rend_service_t *service); int num_rend_services(void); int rend_config_services(const or_options_t *options, int validate_only); -int rend_service_load_all_keys(void); +int rend_service_load_all_keys(const smartlist_t *service_list); void rend_services_add_filenames_to_lists(smartlist_t *open_lst, smartlist_t *stat_lst); void rend_consider_services_intro_points(void);

1 0

[tor/master] Make Single Onion Service intro points respect ReachableAddresses
by nickm＠torproject.org 13 Sep '16

13 Sep '16

commit 75ebbed5576d402ef2929ee043ab2170bff5cc2b Author: teor <teor2345(a)gmail.com> Date: Thu Aug 18 13:19:22 2016 +1000 Make Single Onion Service intro points respect ReachableAddresses --- src/or/or.h | 3 +- src/or/rendservice.c | 102 ++++++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 91 insertions(+), 14 deletions(-) diff --git a/src/or/or.h b/src/or/or.h index dd3ab8a..12459dd 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -5077,7 +5077,8 @@ typedef struct rend_encoded_v2_service_descriptor_t { * the service side) and in rend_service_descriptor_t (on both the * client and service side). */ typedef struct rend_intro_point_t { - extend_info_t *extend_info; /**< Extend info of this introduction point. */ + extend_info_t *extend_info; /**< Extend info for connecting to this + * introduction point via a multi-hop path. */ crypto_pk_t *intro_key; /**< Introduction key that replaces the service * key, if this descriptor is V2. */ diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 0ba9205..8b96f77 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1581,13 +1581,25 @@ static int rend_service_use_direct_connection(const or_options_t* options, const extend_info_t* ei) { - /* The prefer_ipv6 argument to fascist_firewall_allows_address_addr is + /* We'll connect directly all reachable addresses, whether preferred or not. + * The prefer_ipv6 argument to fascist_firewall_allows_address_addr is * ignored, because pref_only is 0. */ - return (rend_service_allow_direct_connection(options) && + return (rend_service_allow_non_anonymous_connection(options) && fascist_firewall_allows_address_addr(&ei->addr, ei->port, FIREWALL_OR_CONNECTION, 0, 0)); } +/* Like rend_service_use_direct_connection, but to a node. */ +static int +rend_service_use_direct_connection_node(const or_options_t* options, + const node_t* node) +{ + /* We'll connect directly all reachable addresses, whether preferred or not. + */ + return (rend_service_allow_non_anonymous_connection(options) && + fascist_firewall_allows_node(node, FIREWALL_OR_CONNECTION, 0)); +} + /****** * Handle cells ******/ @@ -2797,29 +2809,71 @@ rend_service_launch_establish_intro(rend_service_t *service, { origin_circuit_t *launched; int flags = CIRCLAUNCH_NEED_UPTIME|CIRCLAUNCH_IS_INTERNAL; - - if (rend_service_allow_direct_connection(get_options())) { - flags = flags | CIRCLAUNCH_ONEHOP_TUNNEL; + const or_options_t *options = get_options(); + extend_info_t *launch_ei = intro->extend_info; + extend_info_t *direct_ei = NULL; + + /* Are we in single onion mode? */ + if (rend_service_allow_non_anonymous_connection(options)) { + /* Do we have a descriptor for the node? + * We've either just chosen it from the consensus, or we've just reviewed + * our intro points to see which ones are still valid, and deleted the ones + * that aren't in the consensus any more. */ + const node_t *node = node_get_by_id(launch_ei->identity_digest); + if (BUG(!node)) { + /* The service has kept an intro point after it went missing from the + * consensus. If we did anything else here, it would be a consensus + * distinguisher. Which are less of an issue for single onion services, + * but still a bug. */ + return -1; + } + /* Can we connect to the node directly? If so, replace launch_ei + * (a multi-hop extend_info) with one suitable for direct connection. */ + if (rend_service_use_direct_connection_node(options, node)) { + direct_ei = extend_info_from_node(node, 1); + if (BUG(!direct_ei)) { + /* rend_service_use_direct_connection_node and extend_info_from_node + * disagree about which addresses on this node are permitted. This + * should never happen. Avoiding the connection is a safe response. */ + return -1; + } + flags = flags | CIRCLAUNCH_ONEHOP_TUNNEL; + launch_ei = direct_ei; + } } + /* launch_ei is either intro->extend_info, or has been replaced with a valid + * extend_info for single onion service direct connection. */ + tor_assert(launch_ei); + /* We must have the same intro when making a direct connection. */ + tor_assert(tor_memeq(intro->extend_info->identity_digest, + launch_ei->identity_digest, + DIGEST_LEN)); log_info(LD_REND, - "Launching circuit to introduction point %s for service %s", + "Launching circuit to introduction point %s%s%s for service %s", safe_str_client(extend_info_describe(intro->extend_info)), + direct_ei ? " via direct address " : "", + direct_ei ? safe_str_client(extend_info_describe(direct_ei)) : "", service->service_id); rep_hist_note_used_internal(time(NULL), 1, 0); ++service->n_intro_circuits_launched; launched = circuit_launch_by_extend_info(CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, - intro->extend_info, flags); + launch_ei, flags); if (!launched) { log_info(LD_REND, - "Can't launch circuit to establish introduction at %s.", - safe_str_client(extend_info_describe(intro->extend_info))); + "Can't launch circuit to establish introduction at %s%s%s.", + safe_str_client(extend_info_describe(intro->extend_info)), + direct_ei ? " via direct address " : "", + direct_ei ? safe_str_client(extend_info_describe(direct_ei)) : "" + ); + extend_info_free(direct_ei); return -1; } - /* We must have the same exit node even if cannibalized. */ + /* We must have the same exit node even if cannibalized or direct connection. + */ tor_assert(tor_memeq(intro->extend_info->identity_digest, launched->build_state->chosen_exit->identity_digest, DIGEST_LEN)); @@ -2830,6 +2884,7 @@ rend_service_launch_establish_intro(rend_service_t *service, launched->intro_key = crypto_pk_dup_key(intro->intro_key); if (launched->base_.state == CIRCUIT_STATE_OPEN) rend_service_intro_has_opened(launched); + extend_info_free(direct_ei); return 0; } @@ -3669,6 +3724,9 @@ rend_consider_services_intro_points(void) int i; time_t now; const or_options_t *options = get_options(); + /* Are we in single onion mode? */ + const int allow_direct = rend_service_allow_non_anonymous_connection( + get_options()); /* List of nodes we need to _exclude_ when choosing a new node to * establish an intro point to. */ smartlist_t *exclude_nodes; @@ -3764,8 +3822,24 @@ rend_consider_services_intro_points(void) router_crn_flags_t flags = CRN_NEED_UPTIME|CRN_NEED_DESC; if (get_options()->AllowInvalid_ & ALLOW_INVALID_INTRODUCTION) flags |= CRN_ALLOW_INVALID; + router_crn_flags_t direct_flags = flags; + direct_flags |= CRN_PREF_ADDR; + direct_flags |= CRN_DIRECT_CONN; + node = router_choose_random_node(exclude_nodes, - options->ExcludeNodes, flags); + options->ExcludeNodes, + allow_direct ? direct_flags : flags); + /* If we are in single onion mode, retry node selection for a 3-hop + * path */ + if (allow_direct && !node) { + log_info(LD_REND, + "Unable to find an intro point that we can connect to " + "directly for %s, falling back to a 3-hop path.", + safe_str_client(service->service_id)); + node = router_choose_random_node(exclude_nodes, + options->ExcludeNodes, flags); + } + if (!node) { log_warn(LD_REND, "We only have %d introduction points established for %s; " @@ -3779,8 +3853,10 @@ rend_consider_services_intro_points(void) * pick it again in the next iteration. */ smartlist_add(exclude_nodes, (void*)node); intro = tor_malloc_zero(sizeof(rend_intro_point_t)); - intro->extend_info = extend_info_from_node(node, - rend_service_allow_direct_connection(options)); + /* extend_info is for clients, so we want the multi-hop primary ORPort, + * even if we are a single onion service and intend to connect to it + * directly ourselves. */ + intro->extend_info = extend_info_from_node(node, 0); intro->intro_key = crypto_pk_new(); const int fail = crypto_pk_generate_key(intro->intro_key); tor_assert(!fail);

1 0

[tor/master] Fix a typo in the LearnCircuitBuildTimeout disabled log message
by nickm＠torproject.org 13 Sep '16

13 Sep '16

commit 4d9d2553baa6856b1d85ec26baa1ac3d2c24832a Author: teor <teor2345(a)gmail.com> Date: Mon Sep 5 15:12:48 2016 +1000 Fix a typo in the LearnCircuitBuildTimeout disabled log message --- src/or/config.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/or/config.c b/src/or/config.c index d56d9f6..36b2062 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -3468,15 +3468,12 @@ options_validate(or_options_t *old_options, or_options_t *options, int severity = LOG_NOTICE; /* Be a little quieter if we've deliberately disabled * LearnCircuitBuildTimeout. */ - if (options->OnionServiceSingleHopMode) { + if (circuit_build_times_disabled()) { severity = LOG_INFO; -#ifdef ENABLE_TOR2WEB_MODE - } else if (options->Tor2webMode) { - severity = LOG_INFO; -#endif } log_fn(severity, LD_CONFIG, "You disabled LearnCircuitBuildTimeout, but " - "didn't a CircuitBuildTimeout. I'll pick a plausible default."); + "didn't specify a CircuitBuildTimeout. I'll pick a plausible " + "default."); } if (options->PathBiasNoticeRate > 1.0) {

1 0

[tor/master] Use CircuitBuildTimeout whenever circuit_build_times_disabled is true
by nickm＠torproject.org 13 Sep '16

13 Sep '16

commit 0285f4f34d72b2b77f36fd55fa46216f6b54efc4 Author: teor <teor2345(a)gmail.com> Date: Tue Sep 6 15:58:30 2016 +1000 Use CircuitBuildTimeout whenever circuit_build_times_disabled is true Previously, we checked LearnCircuitBuildTimeout directly. Fixes bug #20073 in commit 5b0b51ca3 on tor 0.2.4.12-alpha. --- changes/feature17178 | 3 +++ src/or/circuitstats.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/changes/feature17178 b/changes/feature17178 index 2bd2049..df6aae3 100644 --- a/changes/feature17178 +++ b/changes/feature17178 @@ -18,3 +18,6 @@ - Prevent Tor2web clients running hidden services, these services are not anonymous due to the one-hop client paths. Fixes bug #19678. Patch by teor. + o Minor bug fixes (circuits): + - Use CircuitBuildTimeout whenever LearnCircuitBuildTimeout is disabled. + Fixes bug #19678 in commit 5b0b51ca3 in 0.2.4.12-alpha. Patch by teor. diff --git a/src/or/circuitstats.c b/src/or/circuitstats.c index fe8860e..296f852 100644 --- a/src/or/circuitstats.c +++ b/src/or/circuitstats.c @@ -489,7 +489,7 @@ circuit_build_times_get_initial_timeout(void) */ if (!unit_tests && get_options()->CircuitBuildTimeout) { timeout = get_options()->CircuitBuildTimeout*1000; - if (get_options()->LearnCircuitBuildTimeout && + if (!circuit_build_times_disabled() && timeout < circuit_build_times_min_timeout()) { log_warn(LD_CIRC, "Config CircuitBuildTimeout too low. Setting to %ds", circuit_build_times_min_timeout()/1000);

1 0

[tor/master] Refactor UseEntryNodes so the original configured value is preserved
by nickm＠torproject.org 13 Sep '16

13 Sep '16

commit 41f96078c23e3ef1c39a853841332cac3e133a94 Author: teor <teor2345(a)gmail.com> Date: Tue Sep 6 16:22:07 2016 +1000 Refactor UseEntryNodes so the original configured value is preserved Parse the value to UseEntryNodes_option, then set UseEntryNodes before validating options. This way, Authorities, Tor2web, and Single Onion Services don't write spurious "UseEntryNodes 0" lines to their configs. Document the fact that these tor configurations ignore UseEntryNodes in the manual page. Also reorder options validation so we modify UseEntryNodes first, then check its value against EntryNodes. And silence a warning about disabled UseEntryNodes for hidden services when we're actually in non-anonymous single onion service mode. --- changes/feature17178 | 7 +++++++ doc/tor.1.txt | 4 +++- src/or/config.c | 19 +++++++++++++------ src/or/or.h | 12 ++++++++++-- 4 files changed, 33 insertions(+), 9 deletions(-) diff --git a/changes/feature17178 b/changes/feature17178 index df6aae3..060b85a 100644 --- a/changes/feature17178 +++ b/changes/feature17178 @@ -21,3 +21,10 @@ o Minor bug fixes (circuits): - Use CircuitBuildTimeout whenever LearnCircuitBuildTimeout is disabled. Fixes bug #19678 in commit 5b0b51ca3 in 0.2.4.12-alpha. Patch by teor. + o Minor bug fixes (options): + - Stop changing the configured value of UseEntryGuards on authorities + and Tor2web clients. + Fixes bug #20074 in commits 51fc6799 in tor-0.1.1.16-rc and + acda1735 in tor-0.2.4.3-alpha. Patch by teor. + - Check the consistency of UseEntryGuards and EntryNodes more reliably. + Fixes bug #20074 in commit 686aaa5c in tor-0.2.4.12-alpha. Patch by teor. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index bd25a61..f353637 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1184,7 +1184,9 @@ The following options are useful only for clients (that is, if If this option is set to 1, we pick a few long-term entry servers, and try to stick with them. This is desirable because constantly changing servers increases the odds that an adversary who owns some servers will observe a - fraction of your paths. (Default: 1) + fraction of your paths. Entry Guards can not be used by Directory + Authorities, Single Onion Services, and Tor2web clients. In these cases, + the this option is ignored. (Default: 1) [[UseEntryGuardsAsDirGuards]] **UseEntryGuardsAsDirGuards** **0**|**1**:: If this option is set to 1, and UseEntryGuards is also set to 1, diff --git a/src/or/config.c b/src/or/config.c index 36b2062..48f1ab9 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -437,7 +437,7 @@ static config_var_t option_vars_[] = { OBSOLETE("TunnelDirConns"), V(UpdateBridgesFromAuthority, BOOL, "0"), V(UseBridges, BOOL, "0"), - V(UseEntryGuards, BOOL, "1"), + VAR("UseEntryGuards", BOOL, UseEntryGuards_option, "1"), V(UseEntryGuardsAsDirGuards, BOOL, "1"), V(UseGuardFraction, AUTOBOOL, "auto"), V(UseMicrodescriptors, AUTOBOOL, "auto"), @@ -2926,6 +2926,12 @@ options_validate(or_options_t *old_options, or_options_t *options, tor_assert(msg); *msg = NULL; + /* Set UseEntryGuards from the configured value, before we check it below. + * We change UseEntryGuards whenn it's incompatible with other options, + * but leave UseEntryGuards_option with the original value. + * Always use the value of UseEntryGuards, not UseEntryGuards_option. */ + options->UseEntryGuards = options->UseEntryGuards_option; + warn_about_relative_paths(options); if (server_mode(options) && @@ -3301,10 +3307,6 @@ options_validate(or_options_t *old_options, or_options_t *options, if (options->UseBridges && options->EntryNodes) REJECT("You cannot set both UseBridges and EntryNodes."); - if (options->EntryNodes && !options->UseEntryGuards) { - REJECT("If EntryNodes is set, UseEntryGuards must be enabled."); - } - options->MaxMemInQueues = compute_real_max_mem_in_queues(options->MaxMemInQueues_raw, server_mode(options)); @@ -3419,8 +3421,13 @@ options_validate(or_options_t *old_options, or_options_t *options, REJECT("Tor2webRendezvousPoints cannot be set without Tor2webMode."); } + if (options->EntryNodes && !options->UseEntryGuards) { + REJECT("If EntryNodes is set, UseEntryGuards must be enabled."); + } + if (!(options->UseEntryGuards) && - (options->RendConfigLines != NULL)) { + (options->RendConfigLines != NULL) && + !rend_service_non_anonymous_mode_enabled(options)) { log_warn(LD_CONFIG, "UseEntryGuards is disabled, but you have configured one or more " "hidden services on this Tor instance. Your hidden services " diff --git a/src/or/or.h b/src/or/or.h index 12459dd..7104a5c 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3963,8 +3963,16 @@ typedef struct { int TokenBucketRefillInterval; char *AccelName; /**< Optional hardware acceleration engine name. */ char *AccelDir; /**< Optional hardware acceleration engine search dir. */ - int UseEntryGuards; /**< Boolean: Do we try to enter from a smallish number - * of fixed nodes? */ + + /** Boolean: Do we try to enter from a smallish number + * of fixed nodes? */ + int UseEntryGuards_option; + /** Internal variable to remember whether we're actually acting on + * UseEntryGuards_option -- when we're a non-anonymous Tor2web client or + * Single Onion Service, it is alwasy false, otherwise we use the value of + * UseEntryGuards_option. */ + int UseEntryGuards; + int NumEntryGuards; /**< How many entry guards do we try to establish? */ int UseEntryGuardsAsDirGuards; /** Boolean: Do we try to get directory info * from a smallish number of fixed nodes? */

1 0

[tor/master] Ephemeral Single Onion Services must have the NonAnonymous ADD_ONION flag
by nickm＠torproject.org 13 Sep '16

13 Sep '16

commit a00fee2f5467bf0fbc425d49787a822283e8451e Author: teor <teor2345(a)gmail.com> Date: Wed Sep 7 15:24:47 2016 +1000 Ephemeral Single Onion Services must have the NonAnonymous ADD_ONION flag Tor checks that the flag matches the configured onion service anonymity. Tor refuses to create unflagged onion service using ADD_ONION, if they would be non-anonymous. The error is: 512 Tor is in non-anonymous onion mode Similarly, if the NonAnonymous flag is present, and Tor has the default anonymous onion config: 512 Tor is in anonymous onion mode --- src/or/control.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/src/or/control.c b/src/or/control.c index 1337af4..8f3909b 100644 --- a/src/or/control.c +++ b/src/or/control.c @@ -4249,6 +4249,8 @@ handle_control_add_onion(control_connection_t *conn, int max_streams = 0; int max_streams_close_circuit = 0; rend_auth_type_t auth_type = REND_NO_AUTH; + /* Default to anonymous if no flag is given */ + int non_anonymous = 0; for (size_t i = 1; i < arg_len; i++) { static const char *port_prefix = "Port="; static const char *flags_prefix = "Flags="; @@ -4285,11 +4287,17 @@ handle_control_add_onion(control_connection_t *conn, * * 'MaxStreamsCloseCircuit' - Close the circuit if MaxStreams is * exceeded. * * 'BasicAuth' - Client authorization using the 'basic' method. + * * 'NonAnonymous' - Add a non-anonymous Single Onion Service. If this + * flag is present, OnionServiceSingleHopMode and + * OnionServiceNonAnonymousMode must both be 1. If + * this flag is absent, both these options must be + * 0. */ static const char *discard_flag = "DiscardPK"; static const char *detach_flag = "Detach"; static const char *max_s_close_flag = "MaxStreamsCloseCircuit"; static const char *basicauth_flag = "BasicAuth"; + static const char *non_anonymous_flag = "NonAnonymous"; smartlist_t *flags = smartlist_new(); int bad = 0; @@ -4310,6 +4318,8 @@ handle_control_add_onion(control_connection_t *conn, max_streams_close_circuit = 1; } else if (!strcasecmp(flag, basicauth_flag)) { auth_type = REND_BASIC_AUTH; + } else if (!strcasecmp(flag, non_anonymous_flag)) { + non_anonymous = 1; } else { connection_printf_to_buf(conn, "512 Invalid 'Flags' argument: %s\r\n", @@ -4378,6 +4388,17 @@ handle_control_add_onion(control_connection_t *conn, smartlist_len(auth_clients) > 16)) { connection_printf_to_buf(conn, "512 Too many auth clients\r\n"); goto out; + } else if (non_anonymous != rend_service_allow_non_anonymous_connection( + get_options())) { + /* If we failed, and non-anonymous is set, Tor must be in anonymous mode. + * The error message changes based on the current Tor config: + * 512 Tor is in anonymous onion mode + * 512 Tor is in non-anonymous onion mode + * (I've deliberately written them out in full here to aid searchability.) + */ + connection_printf_to_buf(conn, "512 Tor is in %sanonymous onion mode\r\n", + non_anonymous ? "" : "non-"); + goto out; } /* Parse the "keytype:keyblob" argument. */

1 0

[tor/master] Refactor the hidden service code to use rend_service_path
by nickm＠torproject.org 13 Sep '16

13 Sep '16

commit a4f46ff8ba43b1e635bc5a8543b9354e6de02e14 Author: teor <teor2345(a)gmail.com> Date: Wed Sep 7 13:29:07 2016 +1000 Refactor the hidden service code to use rend_service_path And make consequential changes to make it less error-prone. No behaviour change. --- src/or/rendservice.c | 113 +++++++++++++++++++++++++++------------------------ src/or/rendservice.h | 1 + 2 files changed, 61 insertions(+), 53 deletions(-) diff --git a/src/or/rendservice.c b/src/or/rendservice.c index c91cd50..04894dd 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -108,6 +108,14 @@ struct rend_service_port_config_s { * rendezvous point before giving up? */ #define MAX_REND_TIMEOUT 30 +/* Hidden service directory file names: + * new file names should be added to rend_service_add_filenames_to_list() + * for sandboxing purposes. */ +static const char *private_key_fname = "private_key"; +static const char *hostname_fname = "hostname"; +static const char *client_keys_fname = "client_keys"; +static const char *sos_poison_fname = "onion_service_non_anonymous"; + /** Returns a escaped string representation of the service, s. */ static const char * @@ -950,23 +958,32 @@ rend_service_update_descriptor(rend_service_t *service) } } -static const char *sos_poison_fname = "non_anonymous_hidden_service"; - -/* Allocate and return a string containing the path to the single onion - * poison file in service. - * The caller must free this path. - * Returns NULL if there is no directory for service. */ +/* Allocate and return a string containing the path to file_name in + * service->directory. Asserts that service has a directory. + * This function will never return NULL. + * The caller must free this path. */ static char * -sos_poison_path(const rend_service_t *service) +rend_service_path(const rend_service_t *service, const char *file_name) { - char *poison_path; + char *file_path = NULL; tor_assert(service->directory); - tor_asprintf(&poison_path, "%s%s%s", - service->directory, PATH_SEPARATOR, sos_poison_fname); + /* Can never fail: asserts rather than leaving file_path NULL. */ + tor_asprintf(&file_path, "%s%s%s", + service->directory, PATH_SEPARATOR, file_name); + + return file_path; +} - return poison_path; +/* Allocate and return a string containing the path to the single onion + * service poison file in service->directory. Asserts that service has a + * directory. + * The caller must free this path. */ +STATIC char * +rend_service_sos_poison_path(const rend_service_t *service) +{ + return rend_service_path(service, sos_poison_fname); } /** Return True if hidden services service> has been poisoned by single @@ -981,8 +998,7 @@ service_is_single_onion_poisoned(const rend_service_t *service) return 0; } - poison_fname = sos_poison_path(service); - tor_assert(poison_fname); + poison_fname = rend_service_sos_poison_path(service); fstatus = file_status(poison_fname); tor_free(poison_fname); @@ -1076,7 +1092,7 @@ poison_new_single_onion_hidden_service_dir(const rend_service_t *service) return -1; } - poison_fname = sos_poison_path(service); + poison_fname = rend_service_sos_poison_path(service); switch (file_status(poison_fname)) { case FN_DIR: @@ -1190,12 +1206,10 @@ rend_service_add_filenames_to_list(smartlist_t *lst, const rend_service_t *s) tor_assert(lst); tor_assert(s); tor_assert(s->directory); - smartlist_add_asprintf(lst, "%s"PATH_SEPARATOR"private_key", - s->directory); - smartlist_add_asprintf(lst, "%s"PATH_SEPARATOR"hostname", - s->directory); - smartlist_add_asprintf(lst, "%s"PATH_SEPARATOR"client_keys", - s->directory); + smartlist_add(lst, rend_service_path(s, private_key_fname)); + smartlist_add(lst, rend_service_path(s, hostname_fname)); + smartlist_add(lst, rend_service_path(s, client_keys_fname)); + smartlist_add(lst, rend_service_sos_poison_path(s)); } /** Add to open_lst every filename used by a configured hidden service, @@ -1239,7 +1253,7 @@ rend_service_derive_key_digests(struct rend_service_t *s) static int rend_service_load_keys(rend_service_t *s) { - char fname[512]; + char *fname = NULL; char buf[128]; cpd_check_t check_opts = CPD_CREATE; @@ -1248,7 +1262,7 @@ rend_service_load_keys(rend_service_t *s) } /* Check/create directory */ if (check_private_dir(s->directory, check_opts, get_options()->User) < 0) { - return -1; + goto err; } #ifndef _WIN32 if (s->dir_group_readable) { @@ -1260,34 +1274,23 @@ rend_service_load_keys(rend_service_t *s) #endif /* Load key */ - if (strlcpy(fname,s->directory,sizeof(fname)) >= sizeof(fname) || - strlcat(fname,PATH_SEPARATOR"private_key",sizeof(fname)) - >= sizeof(fname)) { - log_warn(LD_CONFIG, "Directory name too long to store key file: \"%s\".", - s->directory); - return -1; - } + fname = rend_service_path(s, private_key_fname); s->private_key = init_key_from_file(fname, 1, LOG_ERR, 0); + if (!s->private_key) - return -1; + goto err; if (rend_service_derive_key_digests(s) < 0) - return -1; + goto err; + tor_free(fname); /* Create service file */ - if (strlcpy(fname,s->directory,sizeof(fname)) >= sizeof(fname) || - strlcat(fname,PATH_SEPARATOR"hostname",sizeof(fname)) - >= sizeof(fname)) { - log_warn(LD_CONFIG, "Directory name too long to store hostname file:" - " \"%s\".", s->directory); - return -1; - } + fname = rend_service_path(s, hostname_fname); tor_snprintf(buf, sizeof(buf),"%s.onion\n", s->service_id); if (write_str_to_file(fname,buf,0)<0) { log_warn(LD_CONFIG, "Could not write onion address to hostname file."); - memwipe(buf, 0, sizeof(buf)); - return -1; + goto err; } #ifndef _WIN32 if (s->dir_group_readable) { @@ -1298,15 +1301,21 @@ rend_service_load_keys(rend_service_t *s) } #endif - memwipe(buf, 0, sizeof(buf)); - /* If client authorization is configured, load or generate keys. */ if (s->auth_type != REND_NO_AUTH) { - if (rend_service_load_auth_keys(s, fname) < 0) - return -1; + if (rend_service_load_auth_keys(s, fname) < 0) { + goto err; + } } - return 0; + int r = 0; + goto done; + err: + r = -1; + done: + memwipe(buf, 0, sizeof(buf)); + tor_free(fname); + return r; } /** Load and/or generate client authorization keys for the hidden service @@ -1316,7 +1325,7 @@ static int rend_service_load_auth_keys(rend_service_t *s, const char *hfname) { int r = 0; - char cfname[512]; + char *cfname = NULL; char *client_keys_str = NULL; strmap_t *parsed_clients = strmap_new(); FILE *cfile, *hfile; @@ -1326,12 +1335,7 @@ rend_service_load_auth_keys(rend_service_t *s, const char *hfname) char buf[1500]; /* Load client keys and descriptor cookies, if available. */ - if (tor_snprintf(cfname, sizeof(cfname), "%s"PATH_SEPARATOR"client_keys", - s->directory)<0) { - log_warn(LD_CONFIG, "Directory name too long to store client keys " - "file: \"%s\".", s->directory); - goto err; - } + cfname = rend_service_path(s, client_keys_fname); client_keys_str = read_file_to_str(cfname, RFTS_IGNORE_MISSING, NULL); if (client_keys_str) { if (rend_parse_client_keys(parsed_clients, client_keys_str) < 0) { @@ -1485,7 +1489,10 @@ rend_service_load_auth_keys(rend_service_t *s, const char *hfname) } strmap_free(parsed_clients, rend_authorized_client_strmap_item_free); - memwipe(cfname, 0, sizeof(cfname)); + if (cfname) { + memwipe(cfname, 0, sizeof(cfname)); + tor_free(cfname); + } /* Clear stack buffers that held key-derived material. */ memwipe(buf, 0, sizeof(buf)); diff --git a/src/or/rendservice.h b/src/or/rendservice.h index ec32262..630191e 100644 --- a/src/or/rendservice.h +++ b/src/or/rendservice.h @@ -118,6 +118,7 @@ typedef struct rend_service_t { } rend_service_t; STATIC void rend_service_free(rend_service_t *service); +STATIC char *rend_service_sos_poison_path(const rend_service_t *service); #endif

1 0

[tor/master] Fix a memory leak in options/validate__single_onion
by nickm＠torproject.org 13 Sep '16

13 Sep '16

commit 831649f56eed00728b58c2be27a250df69c99600 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Sep 13 10:40:42 2016 -0400 Fix a memory leak in options/validate__single_onion --- src/test/test_options.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/test/test_options.c b/src/test/test_options.c index 1439f95..31a916f 100644 --- a/src/test/test_options.c +++ b/src/test/test_options.c @@ -2868,6 +2868,7 @@ test_options_validate__single_onion(void *ignored) tt_str_op(msg, OP_EQ, "HiddenServiceNonAnonymousMode does not provide any " "server anonymity. It must be used with " "HiddenServiceSingleHopMode set to 1."); + tor_free(msg); free_options_test_data(tdata); tdata = get_options_test_data(TEST_OPTIONS_DEFAULT_VALUES

1 0