August 2018 - tor-commits - lists.torproject.org

[translation/support-portal] Update translations for support-portal
by translation＠torproject.org 30 Aug '18

30 Aug '18

commit 19700bed57a7a3a95cb6fc560a7685aec14c9b8d Author: Translation commit bot <translation(a)torproject.org> Date: Thu Aug 30 12:48:49 2018 +0000 Update translations for support-portal --- contents+de.po | 42 +++++++++++++++++++++++++++++++++++------- 1 file changed, 35 insertions(+), 7 deletions(-) diff --git a/contents+de.po b/contents+de.po index 7df6e9073..34ff5651b 100644 --- a/contents+de.po +++ b/contents+de.po @@ -345,21 +345,24 @@ msgid "" "We feel that talking openly … [View More]about our funders and funding model is the best " "way to maintain trust with our community." msgstr "" +"Wir haben den Eindruck, dass transparent mit Spenden und " +"Finanzierungsmöglichkeit umzugehen, am besten ist, um das Vertrauen unserer " +"Gemeinschaft zu stärken." #: http//localhost/censorship/censorship-4/ #: (content/censorship/censorship-4/contents+en.lrquestion.seo_slug) msgid "cant-connect-to-tor-browser" -msgstr "" +msgstr "kann-mich-nicht-mit-tor-browser-verbinden" #: http//localhost/https/https-1/ #: (content/https/https-1/contents+en.lrquestion.description) msgid "<div class=\"row\">" -msgstr "" +msgstr "<div class=\"row\">" #: http//localhost/onionservices/onionservices-1/ #: (content/onionservices/onionservices-1/contents+en.lrquestion.seo_slug) msgid "accessing-websites-that-are-only-accessible-over-tor" -msgstr "" +msgstr "auf-webseiten-zugreifen-die-nur-mit-tor-erreichbar-sind" #: http//localhost/censorship/censorship-5/ #: (content/censorship/censorship-5/contents+en.lrquestion.description) @@ -367,6 +370,8 @@ msgid "" "Tor requires an accurate clock to work: please check your time, timezone, " "and date settings." msgstr "" +"Damit Tor funktioniert, benötigt es eine korrekt eingestellte Uhr: Bitte " +"überprüfe deine Uhrzeit, Zeitzone und Datumseinstellungen." #: http//localhost/misc/misc-4/ #: (content/misc/misc-4/contents+en.lrquestion.description) @@ -375,6 +380,9 @@ msgid "" "href=\"https://blog.torproject.org/bittorrent-over-tor-isnt-good-idea\">blog" " post on the subject</a>." msgstr "" +"Für weitere Details siehe unseren <a " +"href=\"https://blog.torproject.org/bittorrent-over-tor-isnt-good-" +"idea\">Blogbeitrag darüber</a>." #: http//localhost/tbb/tbb-8/ #: (content/tbb/tbb-8/contents+en.lrquestion.seo_slug) @@ -390,6 +398,11 @@ msgid "" "href=\"https://blog.torproject.org/category/tags/form-990\">blog " "posts</a> on our financial reports." msgstr "" +"Siehe die <a " +"href=\"https://www.torproject.org/about/sponsors.html.en\">Liste unserer " +"Sponsoren</a> und eine Serie von <a " +"href=\"https://blog.torproject.org/category/tags/form-990\">Blogeinträgen</a>" +" mit finanziellen Berichten." #: http//localhost/operators/operators-3/ #: (content/operators/operators-3/contents+en.lrquestion.description) @@ -399,7 +412,7 @@ msgstr "RunAsDaemon 1" #: http//localhost/operators/operators-4/ #: (content/operators/operators-4/contents+en.lrquestion.seo_slug) msgid "using-correct-packages" -msgstr "" +msgstr "benutze-korrekte-pakete" #: http//localhost/tbb/tbb-17/ #: (content/tbb/tbb-17/contents+en.lrquestion.description) @@ -437,7 +450,7 @@ msgstr "* Deutsch (de)" #: http//localhost/operators/operators-3/ #: (content/operators/operators-3/contents+en.lrquestion.seo_slug) msgid "how-do-i-run-a-middle-or-guard-on-freebsd" -msgstr "" +msgstr "wie-betreibe-ich-ein-relay-auf-freebsd" #: http//localhost/misc/misc-15/ #: (content/misc/misc-15/contents+en.lrquestion.description) @@ -477,6 +490,12 @@ msgid "" "href=\"https://guardianproject.info/apps/orbot/\">Orbot</a> and " "<a href=\"https://guardianproject.info/apps/orfox/\">Orfox</a>." msgstr "" +"Für <a " +"href=\"https://www.torproject.org/docs/android.html.en\">Android</a> " +"bietet <a href=\"https://guardianproject.info/\">The Guardian " +"Project</a> die Tor-Anwendungen <a " +"href=\"https://guardianproject.info/apps/orbot/\">Orbot</a> und " +"<a href=\"https://guardianproject.info/apps/orfox/\">Orfox</a>." #: http//localhost/faq/faq-5/ #: (content/faq/faq-5/contents+en.lrquestion.seo_slug) @@ -500,6 +519,8 @@ msgstr "" msgid "" "* Make sure tor starts on boot by running \"sysrc tor_enable=YES\" (as root)" msgstr "" +"* Stelle sicher, dass Tor beim Hochfahren startet mit \"sysrc " +"tor_enable=YES\" (als root)" #: http//localhost/connecting/connecting-3/ #: (content/connecting/connecting-3/contents+en.lrquestion.description) @@ -509,6 +530,8 @@ msgid "" "There may be a temporary connection issue, or the site operators may have " "allowed it to go offline without warning." msgstr "" +"Eventuell gibt es ein vorübergehendes Verbindungsproblem, oder die " +"Webseitenbetreiber haben die Seite ohne Warnung vom Netz genommen." #: http//localhost/misc/misc-10/ #: (content/misc/misc-10/contents+en.lrquestion.description) @@ -578,6 +601,8 @@ msgid "" "Many exit nodes are configured to block certain types of file sharing " "traffic, such as bittorrent." msgstr "" +"Viele Austritts-Knoten sind so konfiguriert, Filesharing mit z.B. bittorrent" +" zu blockieren." #: http//localhost/tbb/tbb-21/ #: (content/tbb/tbb-21/contents+en.lrquestion.description) @@ -591,12 +616,12 @@ msgstr "" #: http//localhost/operators/operators-3/ #: (content/operators/operators-3/contents+en.lrquestion.description) msgid "* Run \"pkg install tor\" (as root)." -msgstr "" +msgstr "* Führe \"pkg install tor\" als root aus." #: http//localhost/misc/misc-15/ #: (content/misc/misc-15/contents+en.lrquestion.seo_slug) msgid "donate-tor-project" -msgstr "" +msgstr "spende-an-tor-project" #: http//localhost/connecting/connecting-2/ #: (content/connecting/connecting-2/contents+en.lrquestion.description) @@ -638,6 +663,9 @@ msgid "" "See our page on <a href=\"https://www.torproject.org/docs/pluggable-" "transports.html.en\">pluggable transports</a> for more info." msgstr "" +"Siehe unsere Seite über <a href=\"https://www.torproject.org/docs" +"/pluggable-transports.html.en\">Pluggable Transports</a> für weitere " +"Informationen." #: http//localhost/connecting/connecting-3/ #: (content/connecting/connecting-3/contents+en.lrquestion.description) [View Less]

1 0

[translation/support-portal] Update translations for support-portal
by translation＠torproject.org 30 Aug '18

30 Aug '18

commit df43da9bc03b203e601d21d9bdb9375a2ec0570b Author: Translation commit bot <translation(a)torproject.org> Date: Thu Aug 30 12:18:48 2018 +0000 Update translations for support-portal --- contents+de.po | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/contents+de.po b/contents+de.po index 80cd013e4..7df6e9073 100644 --- a/contents+de.po +++ b/contents+de.po @@ -221,6 +221,8 @@ msgid "" "These services use the special-use tld .onion (instead of " … [View More] ".com,.net,.org,etc..) and are only accessible through the Tor network." msgstr "" +"Diese Dienste benutzen die besondere Top Level Domain .onion (an Stelle von " +".com, .net, .org, etc.) und sind nur über Tor erreichbar." #: http//localhost/tbb/tbb-7/ (content/tbb/tbb-7/contents+en.lrquestion.title) #: http//localhost/censorship/censorship-2/ @@ -238,7 +240,7 @@ msgstr "Speichert Tor Protokolle?" #: http//localhost/censorship/censorship-7/ #: (content/censorship/censorship-7/contents+en.lrquestion.seo_slug) msgid "what-is-a-bridge" -msgstr "" +msgstr "was-ist-eine-bruecke" #: http//localhost/tbb/tbb-10/ #: (content/tbb/tbb-10/contents+en.lrquestion.description) @@ -264,6 +266,9 @@ msgid "" "After a few hours (to give it enough time to propagate), you can query Atlas" " to see whether your relay has successfully registered in the network." msgstr "" +"Nach einigen Stunden (wenn es Zeit hatte, sich bekannt zu machen), kannst du" +" auf der Metrics-Webseite nachsehen, ob sich dein Relay erfolgreich im " +"Netzwerk registriert hat." #: http//localhost/misc/misc-12/ #: (content/misc/misc-12/contents+en.lrquestion.description) @@ -271,6 +276,9 @@ msgid "" "For sharing files through Tor, <a " "href=\"https://onionshare.org/\">OnionShare</a> is a good option." msgstr "" +"Um Dateien über Tor zu teilen, <a " +"href=\"https://onionshare.org/\">OnionShare</a> ist eine gute " +"Möglichkeit." #: http//localhost/operators/operators-7/ #: (content/operators/operators-7/contents+en.lrquestion.description) @@ -313,6 +321,9 @@ msgid "" "* Look for a log entry in /var/log/syslog such as \"Self-testing indicates " "your ORPort is reachable from the outside. Excellent.\"" msgstr "" +"* Suche nach Log-Einträgen in /var/log/syslog wie \"Self-testing indicates " +"your ORPort is reachable from the outside. Excellent.\" (Dein ORPort scheint" +" von außerhalb erreichbar zu sein. Exzellent.)" #: http//localhost/misc/misc-5/ #: (content/misc/misc-5/contents+en.lrquestion.title) [View Less]

1 0

[translation/support-portal] Update translations for support-portal
by translation＠torproject.org 30 Aug '18

30 Aug '18

commit 28ff8b12385bf5d8584519becef330bc7191b2ea Author: Translation commit bot <translation(a)torproject.org> Date: Thu Aug 30 02:49:25 2018 +0000 Update translations for support-portal --- contents+de.po | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contents+de.po b/contents+de.po index 76ef9550b..80cd013e4 100644 --- a/contents+de.po +++ b/contents+de.po @@ -95,12 +95,12 @@ msgstr "" #: http//localhost/operators/operators-3/ #: (content/operators/… [View More]

1 0

[tor-browser/tor-browser-60.1.0esr-8.0-1] Bug 26670: Make canvas permission respect FPI
by gk＠torproject.org 29 Aug '18

29 Aug '18

commit 79db24856a23ec7ae1f6d8cf46919a499ae5bb9f Author: Arthur Edelstein <arthuredelstein(a)gmail.com> Date: Wed Aug 29 09:56:57 2018 -0700 Bug 26670: Make canvas permission respect FPI --- browser/base/content/browser.js | 21 ++++++++++++--------- dom/canvas/CanvasUtils.cpp | 23 ++++++++++++++++------- dom/ipc/PBrowser.ipdl | 4 ++-- dom/ipc/TabParent.cpp | 4 ++-- dom/ipc/TabParent.h | 2 +- 5 files changed, 33 insertions(+), 21 … [View More]deletions(-) diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js index fbfbf3e809ca..443619533567 100644 --- a/browser/base/content/browser.js +++ b/browser/base/content/browser.js @@ -6824,7 +6824,7 @@ var CanvasPermissionPromptHelper = { }, // aSubject is an nsIBrowser (e10s) or an nsIDOMWindow (non-e10s). - // aData is an URL string. + // aData is an Origin string. observe(aSubject, aTopic, aData) { if (aTopic != this._permissionsPrompt) { return; @@ -6838,7 +6838,6 @@ var CanvasPermissionPromptHelper = { browser = aSubject.QueryInterface(Ci.nsIBrowser); } - let uri = Services.io.newURI(aData); if (gBrowser.selectedBrowser !== browser) { // Must belong to some other window. return; @@ -6846,17 +6845,21 @@ var CanvasPermissionPromptHelper = { let message = gNavigatorBundle.getFormattedString("canvas.siteprompt", ["<>"], 1); - function setCanvasPermission(aURI, aPerm, aPersistent) { - Services.perms.add(aURI, "canvas", aPerm, - aPersistent ? Ci.nsIPermissionManager.EXPIRE_NEVER - : Ci.nsIPermissionManager.EXPIRE_SESSION); + let principal = Services.scriptSecurityManager + .createCodebasePrincipalFromOrigin(aData); + + function setCanvasPermission(aPerm, aPersistent) { + Services.perms.addFromPrincipal( + principal, "canvas", aPerm, + aPersistent ? Ci.nsIPermissionManager.EXPIRE_NEVER + : Ci.nsIPermissionManager.EXPIRE_SESSION); } let mainAction = { label: gNavigatorBundle.getString("canvas.allow"), accessKey: gNavigatorBundle.getString("canvas.allow.accesskey"), callback(state) { - setCanvasPermission(uri, Ci.nsIPermissionManager.ALLOW_ACTION, + setCanvasPermission(Ci.nsIPermissionManager.ALLOW_ACTION, state && state.checkboxChecked); } }; @@ -6865,7 +6868,7 @@ var CanvasPermissionPromptHelper = { label: gNavigatorBundle.getString("canvas.notAllow"), accessKey: gNavigatorBundle.getString("canvas.notAllow.accesskey"), callback(state) { - setCanvasPermission(uri, Ci.nsIPermissionManager.DENY_ACTION, + setCanvasPermission(Ci.nsIPermissionManager.DENY_ACTION, state && state.checkboxChecked); } }]; @@ -6881,7 +6884,7 @@ var CanvasPermissionPromptHelper = { let options = { checkbox, - name: uri.asciiHost, + name: principal.URI.host, learnMoreURL: Services.urlFormatter.formatURLPref("app.support.baseURL") + "fingerprint-permission", }; PopupNotifications.show(browser, aTopic, message, this._notificationIcon, diff --git a/dom/canvas/CanvasUtils.cpp b/dom/canvas/CanvasUtils.cpp index 0a8d7f0e2e59..ca8d91d92181 100644 --- a/dom/canvas/CanvasUtils.cpp +++ b/dom/canvas/CanvasUtils.cpp @@ -58,8 +58,13 @@ bool IsImageExtractionAllowed(nsIDocument *aDocument, JSContext *aCx) // Documents with system principal can always extract canvas data. nsPIDOMWindowOuter *win = aDocument->GetWindow(); nsCOMPtr<nsIScriptObjectPrincipal> sop(do_QueryInterface(win)); - if (sop && nsContentUtils::IsSystemPrincipal(sop->GetPrincipal())) { - return true; + if (!sop) { + return false; + } + + nsCOMPtr<nsIPrincipal> principal(sop->GetPrincipal()); + if (principal && nsContentUtils::IsSystemPrincipal(principal)) { + return true; } // Always give permission to chrome scripts (e.g. Page Inspector). @@ -127,9 +132,9 @@ bool IsImageExtractionAllowed(nsIDocument *aDocument, JSContext *aCx) // Check if the site has permission to extract canvas data. // Either permit or block extraction if a stored permission setting exists. uint32_t permission; - rv = permissionManager->TestPermission(topLevelDocURI, - PERMISSION_CANVAS_EXTRACT_DATA, - &permission); + rv = permissionManager->TestPermissionFromPrincipal(principal, + PERMISSION_CANVAS_EXTRACT_DATA, + &permission); NS_ENSURE_SUCCESS(rv, false); switch (permission) { case nsIPermissionManager::ALLOW_ACTION: @@ -165,16 +170,20 @@ bool IsImageExtractionAllowed(nsIDocument *aDocument, JSContext *aCx) nsContentUtils::LogMessageToConsole(message.get()); // Prompt the user (asynchronous). + nsAutoCString origin; + rv = principal->GetOrigin(origin); + NS_ENSURE_SUCCESS(rv, false); + if (XRE_IsContentProcess()) { TabChild* tabChild = TabChild::GetFrom(win); if (tabChild) { - tabChild->SendShowCanvasPermissionPrompt(topLevelDocURISpec); + tabChild->SendShowCanvasPermissionPrompt(origin); } } else { nsCOMPtr<nsIObserverService> obs = mozilla::services::GetObserverService(); if (obs) { obs->NotifyObservers(win, TOPIC_CANVAS_PERMISSIONS_PROMPT, - NS_ConvertUTF8toUTF16(topLevelDocURISpec).get()); + NS_ConvertUTF8toUTF16(origin).get()); } } diff --git a/dom/ipc/PBrowser.ipdl b/dom/ipc/PBrowser.ipdl index 024ebc5b6cf7..118eaf15af1f 100644 --- a/dom/ipc/PBrowser.ipdl +++ b/dom/ipc/PBrowser.ipdl @@ -579,9 +579,9 @@ parent: * This function is used to notify the parent that it should display a * canvas permission prompt. * - * @param aFirstPartyURI first party of the tab that is requesting access. + * @param aOrigin origin string of the document that is requesting access. */ - async ShowCanvasPermissionPrompt(nsCString aFirstPartyURI); + async ShowCanvasPermissionPrompt(nsCString aOrigin); child: /** diff --git a/dom/ipc/TabParent.cpp b/dom/ipc/TabParent.cpp index 86bb854962be..d8f4567626e1 100644 --- a/dom/ipc/TabParent.cpp +++ b/dom/ipc/TabParent.cpp @@ -3567,7 +3567,7 @@ TabParent::RecvLookUpDictionary(const nsString& aText, } mozilla::ipc::IPCResult -TabParent::RecvShowCanvasPermissionPrompt(const nsCString& aFirstPartyURI) +TabParent::RecvShowCanvasPermissionPrompt(const nsCString& aOrigin) { nsCOMPtr<nsIBrowser> browser = do_QueryInterface(mFrameElement); if (!browser) { @@ -3580,7 +3580,7 @@ TabParent::RecvShowCanvasPermissionPrompt(const nsCString& aFirstPartyURI) return IPC_FAIL_NO_REASON(this); } nsresult rv = os->NotifyObservers(browser, "canvas-permissions-prompt", - NS_ConvertUTF8toUTF16(aFirstPartyURI).get()); + NS_ConvertUTF8toUTF16(aOrigin).get()); if (NS_FAILED(rv)) { return IPC_FAIL_NO_REASON(this); } diff --git a/dom/ipc/TabParent.h b/dom/ipc/TabParent.h index 7d62663835d7..6f3d6de10c10 100644 --- a/dom/ipc/TabParent.h +++ b/dom/ipc/TabParent.h @@ -631,7 +631,7 @@ protected: virtual mozilla::ipc::IPCResult RecvGetTabCount(uint32_t* aValue) override; - virtual mozilla::ipc::IPCResult RecvShowCanvasPermissionPrompt(const nsCString& aFirstPartyURI) override; + virtual mozilla::ipc::IPCResult RecvShowCanvasPermissionPrompt(const nsCString& aOrigin) override; ContentCacheInParent mContentCache; [View Less]

1 0

[translation/tba-android_stringsdtd] Update translations for tba-android_stringsdtd
by translation＠torproject.org 29 Aug '18

29 Aug '18

commit 710f53db349bf9a6d65c9167203655b72bef1457 Author: Translation commit bot <translation(a)torproject.org> Date: Wed Aug 29 21:16:44 2018 +0000 Update translations for tba-android_stringsdtd --- lt/android_strings.dtd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lt/android_strings.dtd b/lt/android_strings.dtd index 3888dda2d..698fc4031 100644 --- a/lt/android_strings.dtd +++ b/lt/android_strings.dtd @@ -391,7 +391,7 @@ <!ENTITY pref_vendor_feedback "… [View More]

1 0

[tor-browser/tor-browser-60.1.0esr-8.0-1] fixup! TB4: Tor Browser's Firefox preference overrides.
by gk＠torproject.org 29 Aug '18

29 Aug '18

commit 3c6862f6cc8a7dc59b9eba41638100638ecb33b0 Author: Georg Koppen <gk(a)torproject.org> Date: Tue Aug 28 21:51:27 2018 +0000 fixup! TB4: Tor Browser's Firefox preference overrides. Disable wasm for now until we have it properly reviewed in #21549. --- browser/app/profile/000-tor-browser.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js index 17c9d614b61c..2b5ebe8cf949 100644 --- a/… [View More]

1 0

[tor-browser/tor-browser-60.1.0esr-8.0-1] fixup! TB4: Tor Browser's Firefox preference overrides.
by gk＠torproject.org 29 Aug '18

29 Aug '18

commit d7442e6576b00951a7e60b97cb3308da17caa996 Author: Georg Koppen <gk(a)torproject.org> Date: Tue Aug 28 21:57:47 2018 +0000 fixup! TB4: Tor Browser's Firefox preference overrides. Disable WebVR for now until we have it properly audited in #21607. --- browser/app/profile/000-tor-browser.js | 1 + 1 file changed, 1 insertion(+) diff --git a/browser/app/profile/000-tor-browser.js b/browser/app/profile/000-tor-browser.js index 46c56ea0cede..17c9d614b61c 100644 --- a/… [View More]

1 0

[tor-browser/tor-browser-60.1.0esr-8.0-1] squash! Bug 4234: Use the Firefox Update Process for Tor Browser.
by gk＠torproject.org 29 Aug '18

29 Aug '18

commit 7b269d1c44ba383444a1bfed3acb67ab3cac5071 Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Wed Aug 22 13:51:29 2018 -0400 squash! Bug 4234: Use the Firefox Update Process for Tor Browser. Also fix bug 27221: purge the startup cache if the Tor Browser version changed (even if the Firefox version and build ID did not change), e.g., after a minor Tor Browser update. --- toolkit/xre/nsAppRunner.cpp | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff … [View More]

1 0

[tor/master] Changes for 27246
by nickm＠torproject.org 29 Aug '18

29 Aug '18

commit 7f1895c39a860437f4a1ec830f26d7d568facb63 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Aug 29 15:02:59 2018 -0400 Changes for 27246 --- changes/ticket27246 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/changes/ticket27246 b/changes/ticket27246 new file mode 100644 index 000000000..c0d665d4c --- /dev/null +++ b/changes/ticket27246 @@ -0,0 +1,4 @@ + o Minor features (memory usage): + - When not using them, store legacy TAP public onion keys in + … [View More]

1 0

[tor/master] router: Keep RSA onion public key in ASN.1 format
by nickm＠torproject.org 29 Aug '18

29 Aug '18

commit 2f6bc74914d60b62b8e61904aae16c84c2b1181d Author: David Goulet <dgoulet(a)torproject.org> Date: Thu Aug 23 14:05:42 2018 -0400 router: Keep RSA onion public key in ASN.1 format The OpenSSL "RSA" object is currently 408 bytes compares to the ASN.1 encoding which is 140 for a 1024 RSA key. We save 268 bytes per descriptor (routerinfo_t) *and* microdescriptor (microdesc_t). Scaling this to 6000 relays, and considering client usually only have … [View More]microdescriptors, we save 1.608 MB of RAM which is considerable for mobile client. This commit makes it that we keep the RSA onion public key (used for TAP handshake) in ASN.1 format instead of an OpenSSL RSA object. Changes is done in both routerinfo_t and microdesc_t. Closes #27246 Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/core/or/circuitbuild.c | 21 ++++++++----- src/feature/dirauth/dirvote.c | 5 ++- src/feature/nodelist/microdesc.c | 2 +- src/feature/nodelist/microdesc_st.h | 6 ++-- src/feature/nodelist/nodelist.c | 31 +++++++++++++++++++ src/feature/nodelist/nodelist.h | 1 + src/feature/nodelist/routerinfo_st.h | 5 ++- src/feature/nodelist/routerlist.c | 5 +-- src/feature/nodelist/routerparse.c | 16 +++++++--- src/feature/relay/router.c | 60 +++++++++++++++++++++++++++++++++--- src/feature/relay/router.h | 4 +++ src/test/test_dir.c | 14 ++++++--- src/test/test_hs_service.c | 4 +-- src/test/test_router.c | 8 +++-- 14 files changed, 149 insertions(+), 33 deletions(-) diff --git a/src/core/or/circuitbuild.c b/src/core/or/circuitbuild.c index e22ddabde..670d21c85 100644 --- a/src/core/or/circuitbuild.c +++ b/src/core/or/circuitbuild.c @@ -2864,6 +2864,8 @@ extend_info_new(const char *nickname, extend_info_t * extend_info_from_node(const node_t *node, int for_direct_connect) { + crypto_pk_t *rsa_pubkey = NULL; + extend_info_t *info = NULL; tor_addr_port_t ap; int valid_addr = 0; @@ -2911,25 +2913,28 @@ extend_info_from_node(const node_t *node, int for_direct_connect) /* Retrieve the curve25519 pubkey. */ const curve25519_public_key_t *curve_pubkey = node_get_curve25519_onion_key(node); + rsa_pubkey = node_get_rsa_onion_key(node); - if (valid_addr && node->ri) - return extend_info_new(node->ri->nickname, + if (valid_addr && node->ri) { + info = extend_info_new(node->ri->nickname, node->identity, ed_pubkey, - node->ri->onion_pkey, + rsa_pubkey, curve_pubkey, &ap.addr, ap.port); - else if (valid_addr && node->rs && node->md) - return extend_info_new(node->rs->nickname, + } else if (valid_addr && node->rs && node->md) { + info = extend_info_new(node->rs->nickname, node->identity, ed_pubkey, - node->md->onion_pkey, + rsa_pubkey, curve_pubkey, &ap.addr, ap.port); - else - return NULL; + } + + crypto_pk_free(rsa_pubkey); + return info; } /** Release storage held by an extend_info_t struct. */ diff --git a/src/feature/dirauth/dirvote.c b/src/feature/dirauth/dirvote.c index 6477f34ba..553b375e1 100644 --- a/src/feature/dirauth/dirvote.c +++ b/src/feature/dirauth/dirvote.c @@ -3754,8 +3754,10 @@ dirvote_create_microdescriptor(const routerinfo_t *ri, int consensus_method) size_t keylen; smartlist_t *chunks = smartlist_new(); char *output = NULL; + crypto_pk_t *rsa_pubkey = router_get_rsa_onion_pkey(ri->onion_pkey, + ri->onion_pkey_len); - if (crypto_pk_write_public_key_to_string(ri->onion_pkey, &key, &keylen)<0) + if (crypto_pk_write_public_key_to_string(rsa_pubkey, &key, &keylen)<0) goto done; summary = policy_summarize(ri->exit_policy, AF_INET); if (ri->declared_family) @@ -3826,6 +3828,7 @@ dirvote_create_microdescriptor(const routerinfo_t *ri, int consensus_method) } done: + crypto_pk_free(rsa_pubkey); tor_free(output); tor_free(key); tor_free(summary); diff --git a/src/feature/nodelist/microdesc.c b/src/feature/nodelist/microdesc.c index d9630b4f1..aa5e6b1db 100644 --- a/src/feature/nodelist/microdesc.c +++ b/src/feature/nodelist/microdesc.c @@ -874,7 +874,7 @@ microdesc_free_(microdesc_t *md, const char *fname, int lineno) //tor_assert(md->held_by_nodes == 0); if (md->onion_pkey) - crypto_pk_free(md->onion_pkey); + tor_free(md->onion_pkey); tor_free(md->onion_curve25519_pkey); tor_free(md->ed25519_identity_pkey); if (md->body && md->saved_location != SAVED_IN_CACHE) diff --git a/src/feature/nodelist/microdesc_st.h b/src/feature/nodelist/microdesc_st.h index e9dc3e017..40b562f26 100644 --- a/src/feature/nodelist/microdesc_st.h +++ b/src/feature/nodelist/microdesc_st.h @@ -53,8 +53,10 @@ struct microdesc_t { /* Fields in the microdescriptor. */ - /** As routerinfo_t.onion_pkey */ - crypto_pk_t *onion_pkey; + /* Public RSA key for onions in ASN.1 encoded. */ + char *onion_pkey; + size_t onion_pkey_len; + /** As routerinfo_t.onion_curve25519_pkey */ struct curve25519_public_key_t *onion_curve25519_pkey; /** Ed25519 identity key, if included. */ diff --git a/src/feature/nodelist/nodelist.c b/src/feature/nodelist/nodelist.c index 75a08fe75..1a123f1ce 100644 --- a/src/feature/nodelist/nodelist.c +++ b/src/feature/nodelist/nodelist.c @@ -1761,6 +1761,37 @@ node_get_curve25519_onion_key(const node_t *node) return NULL; } +/* Return a newly allocacted RSA onion public key taken from the given node. + * + * Return NULL if node is NULL or no RSA onion public key can be found. It is + * the caller responsability to free the returned object. */ +crypto_pk_t * +node_get_rsa_onion_key(const node_t *node) +{ + crypto_pk_t *pk = NULL; + const char *onion_pkey; + size_t onion_pkey_len; + + if (!node) { + goto end; + } + + if (node->ri) { + onion_pkey = node->ri->onion_pkey; + onion_pkey_len = node->ri->onion_pkey_len; + } else if (node->rs && node->md) { + onion_pkey = node->md->onion_pkey; + onion_pkey_len = node->md->onion_pkey_len; + } else { + /* No descriptor or microdescriptor. */ + goto end; + } + pk = router_get_rsa_onion_pkey(onion_pkey, onion_pkey_len); + + end: + return pk; +} + /** Refresh the country code of ri. This function MUST be called on * each router when the GeoIP database is reloaded, and on all new routers. */ void diff --git a/src/feature/nodelist/nodelist.h b/src/feature/nodelist/nodelist.h index ed3a54297..cf7658cf9 100644 --- a/src/feature/nodelist/nodelist.h +++ b/src/feature/nodelist/nodelist.h @@ -95,6 +95,7 @@ void node_get_pref_ipv6_dirport(const node_t *node, tor_addr_port_t *ap_out); int node_has_curve25519_onion_key(const node_t *node); const struct curve25519_public_key_t *node_get_curve25519_onion_key( const node_t *node); +crypto_pk_t *node_get_rsa_onion_key(const node_t *node); MOCK_DECL(smartlist_t *, nodelist_get_list, (void)); diff --git a/src/feature/nodelist/routerinfo_st.h b/src/feature/nodelist/routerinfo_st.h index ca8fd40e3..18ea0fade 100644 --- a/src/feature/nodelist/routerinfo_st.h +++ b/src/feature/nodelist/routerinfo_st.h @@ -27,7 +27,10 @@ struct routerinfo_t { tor_addr_t ipv6_addr; uint16_t ipv6_orport; - crypto_pk_t *onion_pkey; /**< Public RSA key for onions. */ + /* Public RSA key for onions in ASN.1 encoded. */ + char *onion_pkey; + size_t onion_pkey_len; + crypto_pk_t *identity_pkey; /**< Public RSA key for signing. */ /** Public curve25519 key for onions */ struct curve25519_public_key_t *onion_curve25519_pkey; diff --git a/src/feature/nodelist/routerlist.c b/src/feature/nodelist/routerlist.c index 8b54329da..bcc5c1f07 100644 --- a/src/feature/nodelist/routerlist.c +++ b/src/feature/nodelist/routerlist.c @@ -3217,7 +3217,7 @@ routerinfo_free_(routerinfo_t *router) tor_free(router->protocol_list); tor_free(router->contact_info); if (router->onion_pkey) - crypto_pk_free(router->onion_pkey); + tor_free(router->onion_pkey); tor_free(router->onion_curve25519_pkey); if (router->identity_pkey) crypto_pk_free(router->identity_pkey); @@ -5498,7 +5498,8 @@ router_differences_are_cosmetic(const routerinfo_t *r1, const routerinfo_t *r2) r1->ipv6_orport != r2->ipv6_orport || r1->dir_port != r2->dir_port || r1->purpose != r2->purpose || - !crypto_pk_eq_keys(r1->onion_pkey, r2->onion_pkey) || + r1->onion_pkey_len != r2->onion_pkey_len || + !tor_memeq(r1->onion_pkey, r2->onion_pkey, r1->onion_pkey_len) || !crypto_pk_eq_keys(r1->identity_pkey, r2->identity_pkey) || strcasecmp(r1->platform, r2->platform) || (r1->contact_info && !r2->contact_info) || /* contact_info is optional */ diff --git a/src/feature/nodelist/routerparse.c b/src/feature/nodelist/routerparse.c index 166806e9c..587966210 100644 --- a/src/feature/nodelist/routerparse.c +++ b/src/feature/nodelist/routerparse.c @@ -1535,6 +1535,7 @@ router_parse_entry_from_string(const char *s, const char *end, /* Do not set this to '1' until we have parsed everything that we intend to * parse that's covered by the hash. */ int can_dl_again = 0; + crypto_pk_t *rsa_pubkey = NULL; tor_assert(!allow_annotations || !prepend_annotations); @@ -1717,8 +1718,9 @@ router_parse_entry_from_string(const char *s, const char *end, "Relay's onion key had invalid exponent."); goto err; } - router->onion_pkey = tok->key; - tok->key = NULL; /* Prevent free */ + router_set_rsa_onion_pkey(tok->key, &router->onion_pkey, + &router->onion_pkey_len); + crypto_pk_free(tok->key); if ((tok = find_opt_by_keyword(tokens, K_ONION_KEY_NTOR))) { curve25519_public_key_t k; @@ -1890,10 +1892,12 @@ router_parse_entry_from_string(const char *s, const char *end, goto err; } + rsa_pubkey = router_get_rsa_onion_pkey(router->onion_pkey, + router->onion_pkey_len); if (check_tap_onion_key_crosscert( (const uint8_t*)cc_tap_tok->object_body, (int)cc_tap_tok->object_size, - router->onion_pkey, + rsa_pubkey, &cert->signing_key, (const uint8_t*)router->cache_info.identity_digest)<0) { log_warn(LD_DIR, "Incorrect TAP cross-verification"); @@ -2058,6 +2062,7 @@ router_parse_entry_from_string(const char *s, const char *end, routerinfo_free(router); router = NULL; done: + crypto_pk_free(rsa_pubkey); tor_cert_free(ntor_cc_cert); if (tokens) { SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t)); @@ -4752,8 +4757,9 @@ microdescs_parse_from_string(const char *s, const char *eos, "Relay's onion key had invalid exponent."); goto next; } - md->onion_pkey = tok->key; - tok->key = NULL; + router_set_rsa_onion_pkey(tok->key, &md->onion_pkey, + &md->onion_pkey_len); + crypto_pk_free(tok->key); if ((tok = find_opt_by_keyword(tokens, K_ONION_KEY_NTOR))) { curve25519_public_key_t k; diff --git a/src/feature/relay/router.c b/src/feature/relay/router.c index e4ec01af2..ad97d534c 100644 --- a/src/feature/relay/router.c +++ b/src/feature/relay/router.c @@ -1464,6 +1464,8 @@ router_should_advertise_begindir(const or_options_t *options, static extend_info_t * extend_info_from_router(const routerinfo_t *r) { + crypto_pk_t *rsa_pubkey; + extend_info_t *info; tor_addr_port_t ap; tor_assert(r); @@ -1477,10 +1479,13 @@ extend_info_from_router(const routerinfo_t *r) ed_id_key = NULL; router_get_prim_orport(r, &ap); - return extend_info_new(r->nickname, r->cache_info.identity_digest, + rsa_pubkey = router_get_rsa_onion_pkey(r->onion_pkey, r->onion_pkey_len); + info = extend_info_new(r->nickname, r->cache_info.identity_digest, ed_id_key, - r->onion_pkey, r->onion_curve25519_pkey, + rsa_pubkey, r->onion_curve25519_pkey, &ap.addr, ap.port); + crypto_pk_free(rsa_pubkey); + return info; } /**See if we currently believe our ORPort or DirPort to be @@ -2313,8 +2318,10 @@ router_build_fresh_descriptor(routerinfo_t **r, extrainfo_t **e) ri->supports_tunnelled_dir_requests = directory_permits_begindir_requests(options); ri->cache_info.published_on = time(NULL); - ri->onion_pkey = crypto_pk_dup_key(get_onion_key()); /* must invoke from - * main thread */ + /* get_onion_key() must invoke from main thread */ + router_set_rsa_onion_pkey(get_onion_key(), &ri->onion_pkey, + &ri->onion_pkey_len); + ri->onion_curve25519_pkey = tor_memdup(&get_current_curve25519_keypair()->pubkey, sizeof(curve25519_public_key_t)); @@ -2849,6 +2856,7 @@ router_dump_router_to_string(routerinfo_t *router, { char *address = NULL; char *onion_pkey = NULL; /* Onion key, PEM-encoded. */ + crypto_pk_t *rsa_pubkey = NULL; char *identity_pkey = NULL; /* Identity key, PEM-encoded. */ char digest[DIGEST256_LEN]; char published[ISO_TIME_LEN+1]; @@ -2915,7 +2923,9 @@ router_dump_router_to_string(routerinfo_t *router, } /* PEM-encode the onion key */ - if (crypto_pk_write_public_key_to_string(router->onion_pkey, + rsa_pubkey = router_get_rsa_onion_pkey(router->onion_pkey, + router->onion_pkey_len); + if (crypto_pk_write_public_key_to_string(rsa_pubkey, &onion_pkey,&onion_pkeylen)<0) { log_warn(LD_BUG,"write onion_pkey to string failed!"); goto err; @@ -3200,6 +3210,7 @@ router_dump_router_to_string(routerinfo_t *router, SMARTLIST_FOREACH(chunks, char *, cp, tor_free(cp)); smartlist_free(chunks); } + crypto_pk_free(rsa_pubkey); tor_free(address); tor_free(family_line); tor_free(onion_pkey); @@ -3827,3 +3838,42 @@ router_get_all_orports(const routerinfo_t *ri) fake_node.ri = (routerinfo_t *)ri; return node_get_all_orports(&fake_node); } + +/* From the given RSA key object, convert it to ASN-1 encoded format and set + * the newly allocated object in onion_pkey_out. The length of the key is set + * in onion_pkey_len_out. */ +void +router_set_rsa_onion_pkey(const crypto_pk_t *pk, char **onion_pkey_out, + size_t *onion_pkey_len_out) +{ + int len; + char buf[1024]; + + tor_assert(pk); + tor_assert(onion_pkey_out); + tor_assert(onion_pkey_len_out); + + len = crypto_pk_asn1_encode(pk, buf, sizeof(buf)); + if (BUG(len < 0)) { + goto done; + } + + *onion_pkey_out = tor_memdup(buf, len); + *onion_pkey_len_out = len; + + done: + return; +} + +/* From an ASN-1 encoded onion pkey, return a newly allocated RSA key object. + * It is the caller responsability to free the returned object. + * + * Return NULL if the pkey is NULL, malformed or if the length is 0. */ +crypto_pk_t * +router_get_rsa_onion_pkey(const char *pkey, size_t pkey_len) +{ + if (!pkey || pkey_len == 0) { + return NULL; + } + return crypto_pk_asn1_decode(pkey, pkey_len); +} diff --git a/src/feature/relay/router.h b/src/feature/relay/router.h index 51ac36579..cf0d27a45 100644 --- a/src/feature/relay/router.h +++ b/src/feature/relay/router.h @@ -45,6 +45,10 @@ void v3_authority_check_key_expiry(void); int get_onion_key_lifetime(void); int get_onion_key_grace_period(void); +crypto_pk_t *router_get_rsa_onion_pkey(const char *pkey, size_t pkey_len); +void router_set_rsa_onion_pkey(const crypto_pk_t *pk, char **onion_pkey_out, + size_t *onion_pkey_len); + di_digest256_map_t *construct_ntor_key_map(void); void ntor_key_map_free_(di_digest256_map_t *map); #define ntor_key_map_free(map) \ diff --git a/src/test/test_dir.c b/src/test/test_dir.c index c2f3f5297..723799ee8 100644 --- a/src/test/test_dir.c +++ b/src/test/test_dir.c @@ -166,7 +166,7 @@ test_dir_formats(void *arg) r1->supports_tunnelled_dir_requests = 1; tor_addr_parse(&r1->ipv6_addr, "1:2:3:4::"); r1->ipv6_orport = 9999; - r1->onion_pkey = crypto_pk_dup_key(pk1); + router_set_rsa_onion_pkey(pk1, &r1->onion_pkey, &r1->onion_pkey_len); /* Fake just enough of an ntor key to get by */ curve25519_keypair_t r1_onion_keypair; curve25519_keypair_generate(&r1_onion_keypair, 0); @@ -209,7 +209,7 @@ test_dir_formats(void *arg) r2->or_port = 9005; r2->dir_port = 0; r2->supports_tunnelled_dir_requests = 1; - r2->onion_pkey = crypto_pk_dup_key(pk2); + router_set_rsa_onion_pkey(pk2, &r2->onion_pkey, &r2->onion_pkey_len); curve25519_keypair_t r2_onion_keypair; curve25519_keypair_generate(&r2_onion_keypair, 0); r2->onion_curve25519_pkey = tor_memdup(&r2_onion_keypair.pubkey, @@ -302,7 +302,10 @@ test_dir_formats(void *arg) tt_int_op(rp1->bandwidthrate,OP_EQ, r1->bandwidthrate); tt_int_op(rp1->bandwidthburst,OP_EQ, r1->bandwidthburst); tt_int_op(rp1->bandwidthcapacity,OP_EQ, r1->bandwidthcapacity); - tt_int_op(crypto_pk_cmp_keys(rp1->onion_pkey, pk1), OP_EQ, 0); + crypto_pk_t *onion_pkey = router_get_rsa_onion_pkey(rp1->onion_pkey, + rp1->onion_pkey_len); + tt_int_op(crypto_pk_cmp_keys(onion_pkey, pk1), OP_EQ, 0); + crypto_pk_free(onion_pkey); tt_int_op(crypto_pk_cmp_keys(rp1->identity_pkey, pk2), OP_EQ, 0); tt_assert(rp1->supports_tunnelled_dir_requests); //tt_assert(rp1->exit_policy == NULL); @@ -419,7 +422,10 @@ test_dir_formats(void *arg) tt_mem_op(rp2->onion_curve25519_pkey->public_key,OP_EQ, r2->onion_curve25519_pkey->public_key, CURVE25519_PUBKEY_LEN); - tt_int_op(crypto_pk_cmp_keys(rp2->onion_pkey, pk2), OP_EQ, 0); + onion_pkey = router_get_rsa_onion_pkey(rp2->onion_pkey, + rp2->onion_pkey_len); + tt_int_op(crypto_pk_cmp_keys(onion_pkey, pk2), OP_EQ, 0); + crypto_pk_free(onion_pkey); tt_int_op(crypto_pk_cmp_keys(rp2->identity_pkey, pk1), OP_EQ, 0); tt_assert(rp2->supports_tunnelled_dir_requests); diff --git a/src/test/test_hs_service.c b/src/test/test_hs_service.c index ad0b3ab34..f8a465629 100644 --- a/src/test/test_hs_service.c +++ b/src/test/test_hs_service.c @@ -1238,7 +1238,7 @@ test_build_update_descriptors(void *arg) tt_int_op(ret, OP_EQ, 0); ri.onion_curve25519_pkey = tor_malloc_zero(sizeof(curve25519_public_key_t)); - ri.onion_pkey = crypto_pk_new(); + ri.onion_pkey = tor_malloc_zero(140); curve25519_public_key_generate(ri.onion_curve25519_pkey, &curve25519_secret_key); memset(ri.cache_info.identity_digest, 'A', DIGEST_LEN); @@ -1264,7 +1264,7 @@ test_build_update_descriptors(void *arg) update_all_descriptors(now); tor_free(node->ri->onion_curve25519_pkey); /* Avoid memleak. */ tor_free(node->ri->cache_info.signing_key_cert); - crypto_pk_free(node->ri->onion_pkey); + tor_free(node->ri->onion_pkey); expect_log_msg_containing("just picked 1 intro points and wanted 3 for next " "descriptor. It currently has 0 intro points. " "Launching ESTABLISH_INTRO circuit shortly."); diff --git a/src/test/test_router.c b/src/test/test_router.c index c6a2452c8..613ec0402 100644 --- a/src/test/test_router.c +++ b/src/test/test_router.c @@ -49,7 +49,8 @@ NS(router_get_my_routerinfo)(void) mock_routerinfo->platform = tor_strdup("unittest"); mock_routerinfo->cache_info.published_on = now; mock_routerinfo->identity_pkey = crypto_pk_dup_key(ident_key); - mock_routerinfo->onion_pkey = crypto_pk_dup_key(tap_key); + router_set_rsa_onion_pkey(tap_key, &mock_routerinfo->onion_pkey, + &mock_routerinfo->onion_pkey_len); mock_routerinfo->bandwidthrate = 9001; mock_routerinfo->bandwidthburst = 9002; } @@ -89,11 +90,14 @@ test_router_dump_router_to_string_no_bridge_distribution_method(void *arg) /* Generate our server descriptor and ensure that the substring * "bridge-distribution-request any" occurs somewhere within it. */ + crypto_pk_t *onion_pkey = router_get_rsa_onion_pkey(router->onion_pkey, + router->onion_pkey_len); desc = router_dump_router_to_string(router, router->identity_pkey, - router->onion_pkey, + onion_pkey, &ntor_keypair, &signing_keypair); + crypto_pk_free(onion_pkey); tt_ptr_op(desc, !=, NULL); found = strstr(desc, needle); tt_ptr_op(found, !=, NULL); [View Less]

1 0