June 2017 - tor-commits - lists.torproject.org

[tor/maint-0.3.0] Fix undefined behavior in geoip_parse_entry().
by nickm＠torproject.org 05 Jun '17

05 Jun '17

commit e3ebae48040b9ed3946e65dbc6a24e8f5e48ff6b Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Jun 5 10:09:39 2017 -0400 Fix undefined behavior in geoip_parse_entry(). Fixes bug 22490; bugfix on 6a241ff3ffe7dc1 in 0.2.4.6-alpha. Found by teor using clang-5.0's AddressSanitizer stack-use-after-scope. --- changes/bug22490 | 3 +++ src/or/geoip.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/changes/bug22490 b/changes/bug22490 new file mode 100644 index 0000000..244dd50 --- /dev/null +++ b/changes/bug22490 @@ -0,0 +1,3 @@ + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. diff --git a/src/or/geoip.c b/src/or/geoip.c index e2e98e8..4abd519 100644 --- a/src/or/geoip.c +++ b/src/or/geoip.c @@ -145,6 +145,7 @@ geoip_parse_entry(const char *line, sa_family_t family) if (*line == '#') return 0; + char buf[512]; if (family == AF_INET) { unsigned int low, high; if (tor_sscanf(line,"%u,%u,%2s", &low, &high, c) == 3 || @@ -155,7 +156,6 @@ geoip_parse_entry(const char *line, sa_family_t family) goto fail; country = c; } else { /* AF_INET6 */ - char buf[512]; char *low_str, *high_str; struct in6_addr low, high; char *strtok_state;

1 0

[tor/maint-0.2.9] Merge branch 'maint-0.2.6' into maint-0.2.7-redux
by nickm＠torproject.org 05 Jun '17

05 Jun '17

commit 3f2d1f7f0730a17b81d2fb94df9b6a5b8b277893 Merge: 71dd1d7 9ea3d08 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Jun 5 12:00:41 2017 -0400 Merge branch 'maint-0.2.6' into maint-0.2.7-redux changes/bug22490 | 3 +++ src/or/geoip.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-)

1 0

[tor/maint-0.2.9] Merge branch 'maint-0.2.5' into maint-0.2.6
by nickm＠torproject.org 05 Jun '17

05 Jun '17

commit 9ea3d0877a5be2762cfcb4d7c2015e5ec43a2055 Merge: 159ddf6 1a540b5 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Jun 5 12:00:27 2017 -0400 Merge branch 'maint-0.2.5' into maint-0.2.6 changes/bug22490 | 3 +++ src/or/geoip.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-)

1 0

[tor/release-0.3.0] Merge branch 'maint-0.3.0' into release-0.3.0
by nickm＠torproject.org 05 Jun '17

05 Jun '17

commit 10c33a6af248fa50b42b52fe81b98546a00f442c Merge: 2ab1de9 41ed9e9 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Jun 5 09:51:48 2017 -0400 Merge branch 'maint-0.3.0' into release-0.3.0 changes/bug22466_regenerate | 8 ++++++++ src/or/routerkeys.c | 15 ++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-)

1 0

[tor/master] Use tor_assert_nonfatal() to try to detect #22466
by nickm＠torproject.org 05 Jun '17

05 Jun '17

commit f2068ef8626302f7dce44bf206c4e83d4af7abba Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jun 1 09:42:32 2017 -0400 Use tor_assert_nonfatal() to try to detect #22466 --- changes/bug22466_diagnostic | 4 ++++ src/or/routerkeys.c | 4 ++++ src/or/torcert.c | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/changes/bug22466_diagnostic b/changes/bug22466_diagnostic new file mode 100644 index 0000000..0286c65 --- /dev/null +++ b/changes/bug22466_diagnostic @@ -0,0 +1,4 @@ + o Minor features (diagnostic): + - Add logging messages to try to diagnose a rare bug that seems + to generate RSA->Ed25519 cross-certificates dated in the 1970s. + Diagnostic for bug 22466. diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index 6259e3f..e2053ef 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -685,6 +685,10 @@ load_ed_keys(const or_options_t *options, time_t now) tor_cert_t *sign_cert = NULL; tor_cert_t *auth_cert = NULL; + // It is later than 1972, since otherwise there would be no C compilers. + // (Try to diagnose #22466.) + tor_assert_nonfatal(now >= 2 * 365 * 86400); + #define FAIL(msg) do { \ log_warn(LD_OR, (msg)); \ goto err; \ diff --git a/src/or/torcert.c b/src/or/torcert.c index c58f3da..edc5200 100644 --- a/src/or/torcert.c +++ b/src/or/torcert.c @@ -302,6 +302,10 @@ tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key, time_t expires, uint8_t **cert) { + // It is later than 1985, since otherwise there would be no C89 + // compilers. (Try to diagnose #22466.) + tor_assert_nonfatal(expires >= 15 * 365 * 86400); + uint8_t *res; rsa_ed_crosscert_t *cc = rsa_ed_crosscert_new();

1 0

[tor/release-0.3.0] Regenerate RSA->ed25519 identity crosscertificate as needed
by nickm＠torproject.org 05 Jun '17

05 Jun '17

commit 41ed9e978b77080c027e50ed831370efbeeeac37 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jun 1 10:04:52 2017 -0400 Regenerate RSA->ed25519 identity crosscertificate as needed --- changes/bug22466_regenerate | 8 ++++++++ src/or/routerkeys.c | 15 ++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/changes/bug22466_regenerate b/changes/bug22466_regenerate new file mode 100644 index 0000000..8dbda89 --- /dev/null +++ b/changes/bug22466_regenerate @@ -0,0 +1,8 @@ + o Minor bugfixes (link handshake): + - Lower the lifetime of the RSA->Ed25519 cross-certificate to + six months, and regenerate it when it is within one month of expiring. + Previously, we had generated this certificate at startup with + a ten-year lifetime, but that could lead to weird behavior when + Tor was started with a grossly inaccurate clock. Mitigates + bug 22466; mitigation on 0.3.0.1-alpha. + diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index 6259e3f..611ac91 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -668,6 +668,7 @@ static tor_cert_t *auth_key_cert = NULL; static uint8_t *rsa_ed_crosscert = NULL; static size_t rsa_ed_crosscert_len = 0; +static time_t rsa_ed_crosscert_expiration = 0; /** * Running as a server: load, reload, or refresh our ed25519 keys and @@ -699,8 +700,10 @@ load_ed_keys(const or_options_t *options, time_t now) tor_cert_free(cert); \ cert = (newval); \ } while (0) +#define HAPPENS_SOON(when, interval) \ + ((when) < now + (interval)) #define EXPIRES_SOON(cert, interval) \ - (!(cert) || (cert)->valid_until < now + (interval)) + (!(cert) || HAPPENS_SOON((cert)->valid_until, (interval))) /* XXXX support encrypted identity keys fully */ @@ -899,14 +902,19 @@ load_ed_keys(const or_options_t *options, time_t now) if (options->command == CMD_KEYGEN) goto end; - if (!rsa_ed_crosscert && server_mode(options)) { + if (server_mode(options) && + (!rsa_ed_crosscert || + HAPPENS_SOON(rsa_ed_crosscert_expiration, 30*86400))) { uint8_t *crosscert; + time_t expiration = now+6*30*86400; /* 6 months in the future. */ ssize_t crosscert_len = tor_make_rsa_ed25519_crosscert(&id->pubkey, get_server_identity_key(), - now+10*365*86400,/*XXXX*/ + expiration, &crosscert); + tor_free(rsa_ed_crosscert); rsa_ed_crosscert_len = crosscert_len; rsa_ed_crosscert = crosscert; + rsa_ed_crosscert_expiration = expiration; } if (!current_auth_key || @@ -1038,6 +1046,7 @@ should_make_new_ed_keys(const or_options_t *options, const time_t now) } #undef EXPIRES_SOON +#undef HAPPENS_SOON #ifdef TOR_UNIT_TESTS /* Helper for unit tests: populate the ed25519 keys without saving or

1 0

[tor/master] Merge branch 'bug22466_diagnostic_030'
by nickm＠torproject.org 05 Jun '17

05 Jun '17

commit 26d9fffae428a186e92ffa53053da76bea519fec Merge: be741d7 f2068ef Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Jun 5 09:52:09 2017 -0400 Merge branch 'bug22466_diagnostic_030' changes/bug22466_diagnostic | 4 ++++ src/or/routerkeys.c | 4 ++++ src/or/torcert.c | 4 ++++ 3 files changed, 12 insertions(+)

1 0

[tor/master] Merge branch 'maint-0.3.0'
by nickm＠torproject.org 05 Jun '17

05 Jun '17

commit be741d7e63b06fe103caab3db4b64ada45bd6bae Merge: 1763aa0 41ed9e9 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Jun 5 09:51:57 2017 -0400 Merge branch 'maint-0.3.0' changes/bug22466_regenerate | 8 ++++++++ src/or/routerkeys.c | 15 ++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-)

1 0

[tor/maint-0.3.0] Regenerate RSA->ed25519 identity crosscertificate as needed
by nickm＠torproject.org 05 Jun '17

05 Jun '17

commit 41ed9e978b77080c027e50ed831370efbeeeac37 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jun 1 10:04:52 2017 -0400 Regenerate RSA->ed25519 identity crosscertificate as needed --- changes/bug22466_regenerate | 8 ++++++++ src/or/routerkeys.c | 15 ++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/changes/bug22466_regenerate b/changes/bug22466_regenerate new file mode 100644 index 0000000..8dbda89 --- /dev/null +++ b/changes/bug22466_regenerate @@ -0,0 +1,8 @@ + o Minor bugfixes (link handshake): + - Lower the lifetime of the RSA->Ed25519 cross-certificate to + six months, and regenerate it when it is within one month of expiring. + Previously, we had generated this certificate at startup with + a ten-year lifetime, but that could lead to weird behavior when + Tor was started with a grossly inaccurate clock. Mitigates + bug 22466; mitigation on 0.3.0.1-alpha. + diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index 6259e3f..611ac91 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -668,6 +668,7 @@ static tor_cert_t *auth_key_cert = NULL; static uint8_t *rsa_ed_crosscert = NULL; static size_t rsa_ed_crosscert_len = 0; +static time_t rsa_ed_crosscert_expiration = 0; /** * Running as a server: load, reload, or refresh our ed25519 keys and @@ -699,8 +700,10 @@ load_ed_keys(const or_options_t *options, time_t now) tor_cert_free(cert); \ cert = (newval); \ } while (0) +#define HAPPENS_SOON(when, interval) \ + ((when) < now + (interval)) #define EXPIRES_SOON(cert, interval) \ - (!(cert) || (cert)->valid_until < now + (interval)) + (!(cert) || HAPPENS_SOON((cert)->valid_until, (interval))) /* XXXX support encrypted identity keys fully */ @@ -899,14 +902,19 @@ load_ed_keys(const or_options_t *options, time_t now) if (options->command == CMD_KEYGEN) goto end; - if (!rsa_ed_crosscert && server_mode(options)) { + if (server_mode(options) && + (!rsa_ed_crosscert || + HAPPENS_SOON(rsa_ed_crosscert_expiration, 30*86400))) { uint8_t *crosscert; + time_t expiration = now+6*30*86400; /* 6 months in the future. */ ssize_t crosscert_len = tor_make_rsa_ed25519_crosscert(&id->pubkey, get_server_identity_key(), - now+10*365*86400,/*XXXX*/ + expiration, &crosscert); + tor_free(rsa_ed_crosscert); rsa_ed_crosscert_len = crosscert_len; rsa_ed_crosscert = crosscert; + rsa_ed_crosscert_expiration = expiration; } if (!current_auth_key || @@ -1038,6 +1046,7 @@ should_make_new_ed_keys(const or_options_t *options, const time_t now) } #undef EXPIRES_SOON +#undef HAPPENS_SOON #ifdef TOR_UNIT_TESTS /* Helper for unit tests: populate the ed25519 keys without saving or

1 0

[tor/master] Regenerate RSA->ed25519 identity crosscertificate as needed
by nickm＠torproject.org 05 Jun '17

05 Jun '17

commit 41ed9e978b77080c027e50ed831370efbeeeac37 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jun 1 10:04:52 2017 -0400 Regenerate RSA->ed25519 identity crosscertificate as needed --- changes/bug22466_regenerate | 8 ++++++++ src/or/routerkeys.c | 15 ++++++++++++--- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/changes/bug22466_regenerate b/changes/bug22466_regenerate new file mode 100644 index 0000000..8dbda89 --- /dev/null +++ b/changes/bug22466_regenerate @@ -0,0 +1,8 @@ + o Minor bugfixes (link handshake): + - Lower the lifetime of the RSA->Ed25519 cross-certificate to + six months, and regenerate it when it is within one month of expiring. + Previously, we had generated this certificate at startup with + a ten-year lifetime, but that could lead to weird behavior when + Tor was started with a grossly inaccurate clock. Mitigates + bug 22466; mitigation on 0.3.0.1-alpha. + diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index 6259e3f..611ac91 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -668,6 +668,7 @@ static tor_cert_t *auth_key_cert = NULL; static uint8_t *rsa_ed_crosscert = NULL; static size_t rsa_ed_crosscert_len = 0; +static time_t rsa_ed_crosscert_expiration = 0; /** * Running as a server: load, reload, or refresh our ed25519 keys and @@ -699,8 +700,10 @@ load_ed_keys(const or_options_t *options, time_t now) tor_cert_free(cert); \ cert = (newval); \ } while (0) +#define HAPPENS_SOON(when, interval) \ + ((when) < now + (interval)) #define EXPIRES_SOON(cert, interval) \ - (!(cert) || (cert)->valid_until < now + (interval)) + (!(cert) || HAPPENS_SOON((cert)->valid_until, (interval))) /* XXXX support encrypted identity keys fully */ @@ -899,14 +902,19 @@ load_ed_keys(const or_options_t *options, time_t now) if (options->command == CMD_KEYGEN) goto end; - if (!rsa_ed_crosscert && server_mode(options)) { + if (server_mode(options) && + (!rsa_ed_crosscert || + HAPPENS_SOON(rsa_ed_crosscert_expiration, 30*86400))) { uint8_t *crosscert; + time_t expiration = now+6*30*86400; /* 6 months in the future. */ ssize_t crosscert_len = tor_make_rsa_ed25519_crosscert(&id->pubkey, get_server_identity_key(), - now+10*365*86400,/*XXXX*/ + expiration, &crosscert); + tor_free(rsa_ed_crosscert); rsa_ed_crosscert_len = crosscert_len; rsa_ed_crosscert = crosscert; + rsa_ed_crosscert_expiration = expiration; } if (!current_auth_key || @@ -1038,6 +1046,7 @@ should_make_new_ed_keys(const or_options_t *options, const time_t now) } #undef EXPIRES_SOON +#undef HAPPENS_SOON #ifdef TOR_UNIT_TESTS /* Helper for unit tests: populate the ed25519 keys without saving or

1 0