August 2019 - tor-commits - lists.torproject.org

[tor/maint-0.3.5] hs: Define INTRODUCE_ACK status code in trunnel
by teor＠torproject.org 12 Aug '19

12 Aug '19

commit 590d97bc1065bdb93c70695c91de9c548ef802af Author: David Goulet <dgoulet(a)torproject.org> Date: Thu May 9 12:55:52 2019 -0400 hs: Define INTRODUCE_ACK status code in trunnel Remove the hs_intro_ack_status_t enum and move the value into trunnel. Only use these values from now on in the intro point code. Interestingly enough, the client side also re-define these values in hs_cell.h with the hs_cell_introd_ack_status_t enum. Next commit will fix that and force to use the trunnel ABI. Part of #30454 Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/or/hs_intropoint.c | 16 ++++++++-------- src/or/hs_intropoint.h | 7 ------- src/trunnel/hs/cell_introduce1.c | 13 +++++++------ src/trunnel/hs/cell_introduce1.h | 3 +++ src/trunnel/hs/cell_introduce1.trunnel | 9 ++++++++- 5 files changed, 26 insertions(+), 22 deletions(-) diff --git a/src/or/hs_intropoint.c b/src/or/hs_intropoint.c index e0ab27bd3..472e4afe9 100644 --- a/src/or/hs_intropoint.c +++ b/src/or/hs_intropoint.c @@ -336,7 +336,7 @@ hs_intro_received_establish_intro(or_circuit_t *circ, const uint8_t *request, * Return 0 on success else a negative value on error which will close the * circuit. */ static int -send_introduce_ack_cell(or_circuit_t *circ, hs_intro_ack_status_t status) +send_introduce_ack_cell(or_circuit_t *circ, uint16_t status) { int ret = -1; uint8_t *encoded_cell = NULL; @@ -433,7 +433,7 @@ handle_introduce1(or_circuit_t *client_circ, const uint8_t *request, int ret = -1; or_circuit_t *service_circ; trn_cell_introduce1_t *parsed_cell; - hs_intro_ack_status_t status = HS_INTRO_ACK_STATUS_SUCCESS; + uint16_t status = TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS; tor_assert(client_circ); tor_assert(request); @@ -448,14 +448,14 @@ handle_introduce1(or_circuit_t *client_circ, const uint8_t *request, "Rejecting %s INTRODUCE1 cell. Responding with NACK.", cell_size == -1 ? "invalid" : "truncated"); /* Inform client that the INTRODUCE1 has a bad format. */ - status = HS_INTRO_ACK_STATUS_BAD_FORMAT; + status = TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT; goto send_ack; } /* Once parsed validate the cell format. */ if (validate_introduce1_parsed_cell(parsed_cell) < 0) { /* Inform client that the INTRODUCE1 has bad format. */ - status = HS_INTRO_ACK_STATUS_BAD_FORMAT; + status = TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT; goto send_ack; } @@ -472,7 +472,7 @@ handle_introduce1(or_circuit_t *client_circ, const uint8_t *request, "Responding with NACK.", safe_str(b64_key), client_circ->p_circ_id); /* Inform the client that we don't know the requested service ID. */ - status = HS_INTRO_ACK_STATUS_UNKNOWN_ID; + status = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID; goto send_ack; } } @@ -485,12 +485,12 @@ handle_introduce1(or_circuit_t *client_circ, const uint8_t *request, log_warn(LD_PROTOCOL, "Unable to send INTRODUCE2 cell to the service."); /* Inform the client that we can't relay the cell. Use the unknown ID * status code since it means that we do not know the service. */ - status = HS_INTRO_ACK_STATUS_UNKNOWN_ID; + status = TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID; goto send_ack; } /* Success! Send an INTRODUCE_ACK success status onto the client circuit. */ - status = HS_INTRO_ACK_STATUS_SUCCESS; + status = TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS; ret = 0; send_ack: @@ -501,7 +501,7 @@ handle_introduce1(or_circuit_t *client_circ, const uint8_t *request, /* Circuit has been closed on failure of transmission. */ goto done; } - if (status != HS_INTRO_ACK_STATUS_SUCCESS) { + if (status != TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS) { /* We just sent a NACK that is a non success status code so close the * circuit because it's not useful to keep it open. Remember, a client can * only send one INTRODUCE1 cell on a circuit. */ diff --git a/src/or/hs_intropoint.h b/src/or/hs_intropoint.h index 014f9339a..1c2cc564a 100644 --- a/src/or/hs_intropoint.h +++ b/src/or/hs_intropoint.h @@ -19,13 +19,6 @@ typedef enum { HS_INTRO_AUTH_KEY_TYPE_ED25519 = 0x02, } hs_intro_auth_key_type_t; -/* INTRODUCE_ACK status code. */ -typedef enum { - HS_INTRO_ACK_STATUS_SUCCESS = 0x0000, - HS_INTRO_ACK_STATUS_UNKNOWN_ID = 0x0001, - HS_INTRO_ACK_STATUS_BAD_FORMAT = 0x0002, -} hs_intro_ack_status_t; - /* Object containing introduction point common data between the service and * the client side. */ typedef struct hs_intropoint_t { diff --git a/src/trunnel/hs/cell_introduce1.c b/src/trunnel/hs/cell_introduce1.c index 358b355cd..b93add64c 100644 --- a/src/trunnel/hs/cell_introduce1.c +++ b/src/trunnel/hs/cell_introduce1.c @@ -519,6 +519,7 @@ trn_cell_introduce_ack_new(void) trn_cell_introduce_ack_t *val = trunnel_calloc(1, sizeof(trn_cell_introduce_ack_t)); if (NULL == val) return NULL; + val->status = TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT; return val; } @@ -550,7 +551,7 @@ trn_cell_introduce_ack_get_status(const trn_cell_introduce_ack_t *inp) int trn_cell_introduce_ack_set_status(trn_cell_introduce_ack_t *inp, uint16_t val) { - if (! ((val == 0 || val == 1 || val == 2))) { + if (! ((val == TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT || val == TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS || val == TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID))) { TRUNNEL_SET_ERROR_CODE(inp); return -1; } @@ -587,7 +588,7 @@ trn_cell_introduce_ack_check(const trn_cell_introduce_ack_t *obj) return "Object was NULL"; if (obj->trunnel_error_code_) return "A set function failed on this object"; - if (! (obj->status == 0 || obj->status == 1 || obj->status == 2)) + if (! (obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT || obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS || obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID)) return "Integer out of bounds"; { const char *msg; @@ -606,7 +607,7 @@ trn_cell_introduce_ack_encoded_len(const trn_cell_introduce_ack_t *obj) return -1; - /* Length of u16 status IN [0, 1, 2] */ + /* Length of u16 status IN [TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT, TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS, TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID] */ result += 2; /* Length of struct trn_cell_extension extensions */ @@ -638,7 +639,7 @@ trn_cell_introduce_ack_encode(uint8_t *output, const size_t avail, const trn_cel trunnel_assert(encoded_len >= 0); #endif - /* Encode u16 status IN [0, 1, 2] */ + /* Encode u16 status IN [TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT, TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS, TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID] */ trunnel_assert(written <= avail); if (avail - written < 2) goto truncated; @@ -687,11 +688,11 @@ trn_cell_introduce_ack_parse_into(trn_cell_introduce_ack_t *obj, const uint8_t * ssize_t result = 0; (void)result; - /* Parse u16 status IN [0, 1, 2] */ + /* Parse u16 status IN [TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT, TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS, TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID] */ CHECK_REMAINING(2, truncated); obj->status = trunnel_ntohs(trunnel_get_uint16(ptr)); remaining -= 2; ptr += 2; - if (! (obj->status == 0 || obj->status == 1 || obj->status == 2)) + if (! (obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT || obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS || obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID)) goto fail; /* Parse struct trn_cell_extension extensions */ diff --git a/src/trunnel/hs/cell_introduce1.h b/src/trunnel/hs/cell_introduce1.h index fa218adc6..1bec014b6 100644 --- a/src/trunnel/hs/cell_introduce1.h +++ b/src/trunnel/hs/cell_introduce1.h @@ -12,6 +12,9 @@ struct trn_cell_extension_st; struct link_specifier_st; #define TRUNNEL_SHA1_LEN 20 #define TRUNNEL_REND_COOKIE_LEN 20 +#define TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS 0 +#define TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID 1 +#define TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT 2 #if !defined(TRUNNEL_OPAQUE) && !defined(TRUNNEL_OPAQUE_TRN_CELL_INTRODUCE1) struct trn_cell_introduce1_st { uint8_t legacy_key_id[TRUNNEL_SHA1_LEN]; diff --git a/src/trunnel/hs/cell_introduce1.trunnel b/src/trunnel/hs/cell_introduce1.trunnel index 574382b16..6d924058f 100644 --- a/src/trunnel/hs/cell_introduce1.trunnel +++ b/src/trunnel/hs/cell_introduce1.trunnel @@ -12,6 +12,11 @@ extern struct link_specifier; const TRUNNEL_SHA1_LEN = 20; const TRUNNEL_REND_COOKIE_LEN = 20; +/* Introduce ACK status code. */ +const TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS = 0x0000; +const TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID = 0x0001; +const TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT = 0x0002; + /* INTRODUCE1 payload. See details in section 3.2.1. */ struct trn_cell_introduce1 { /* Always zeroed. MUST be checked explicitly by the caller. */ @@ -32,7 +37,9 @@ struct trn_cell_introduce1 { /* INTRODUCE_ACK payload. See details in section 3.2.2. */ struct trn_cell_introduce_ack { /* Status of introduction. */ - u16 status IN [0x0000, 0x0001, 0x0002]; + u16 status IN [TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS, + TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID, + TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT]; /* Extension(s). Reserved fields. */ struct trn_cell_extension extensions;

1 0

[tor/maint-0.3.5] hs: Remove hs_intro_auth_key_type_t enum
by teor＠torproject.org 12 Aug '19

12 Aug '19

commit 79cfe2ddd7c030e679104588c7e4842c2ff6b239 Author: David Goulet <dgoulet(a)torproject.org> Date: Thu May 9 13:09:44 2019 -0400 hs: Remove hs_intro_auth_key_type_t enum Like the previous commit about the INTRODUCE_ACK status code, change all auth key type to use the one defined in the trunnel file. Standardize the use of these auth type to a common ABI. Part of #30454 Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/or/hs_cell.c | 5 +++-- src/or/hs_intropoint.c | 10 +++++----- src/or/hs_intropoint.h | 7 ------- src/test/test_hs_cell.c | 2 +- src/test/test_hs_intropoint.c | 4 ++-- src/trunnel/hs/cell_introduce1.c | 13 +++++++------ src/trunnel/hs/cell_introduce1.h | 3 +++ src/trunnel/hs/cell_introduce1.trunnel | 9 ++++++++- 8 files changed, 29 insertions(+), 24 deletions(-) diff --git a/src/or/hs_cell.c b/src/or/hs_cell.c index ba80653a7..7bbefe8fd 100644 --- a/src/or/hs_cell.c +++ b/src/or/hs_cell.c @@ -441,7 +441,8 @@ introduce1_set_auth_key(trn_cell_introduce1_t *cell, tor_assert(cell); tor_assert(data); /* There is only one possible type for a non legacy cell. */ - trn_cell_introduce1_set_auth_key_type(cell, HS_INTRO_AUTH_KEY_TYPE_ED25519); + trn_cell_introduce1_set_auth_key_type(cell, + TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519); trn_cell_introduce1_set_auth_key_len(cell, ED25519_PUBKEY_LEN); trn_cell_introduce1_setlen_auth_key(cell, ED25519_PUBKEY_LEN); memcpy(trn_cell_introduce1_getarray_auth_key(cell), @@ -514,7 +515,7 @@ hs_cell_build_establish_intro(const char *circ_nonce, /* Set AUTH_KEY_TYPE: 2 means ed25519 */ trn_cell_establish_intro_set_auth_key_type(cell, - HS_INTRO_AUTH_KEY_TYPE_ED25519); + TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519); /* Set AUTH_KEY and AUTH_KEY_LEN field. Must also set byte-length of * AUTH_KEY to match */ diff --git a/src/or/hs_intropoint.c b/src/or/hs_intropoint.c index 472e4afe9..a12a3210c 100644 --- a/src/or/hs_intropoint.c +++ b/src/or/hs_intropoint.c @@ -75,7 +75,7 @@ verify_establish_intro_cell(const trn_cell_establish_intro_t *cell, /* We only reach this function if the first byte of the cell is 0x02 which * means that auth_key_type is of ed25519 type, hence this check should * always pass. See hs_intro_received_establish_intro(). */ - if (BUG(cell->auth_key_type != HS_INTRO_AUTH_KEY_TYPE_ED25519)) { + if (BUG(cell->auth_key_type != TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519)) { return -1; } @@ -315,10 +315,10 @@ hs_intro_received_establish_intro(or_circuit_t *circ, const uint8_t *request, * ESTABLISH_INTRO and pass it to the appropriate cell handler */ const uint8_t first_byte = request[0]; switch (first_byte) { - case HS_INTRO_AUTH_KEY_TYPE_LEGACY0: - case HS_INTRO_AUTH_KEY_TYPE_LEGACY1: + case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0: + case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1: return rend_mid_establish_intro_legacy(circ, request, request_len); - case HS_INTRO_AUTH_KEY_TYPE_ED25519: + case TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519: return handle_establish_intro(circ, request, request_len); default: log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, @@ -396,7 +396,7 @@ validate_introduce1_parsed_cell(const trn_cell_introduce1_t *cell) /* The auth key of an INTRODUCE1 should be of type ed25519 thus leading to a * known fixed length as well. */ if (trn_cell_introduce1_get_auth_key_type(cell) != - HS_INTRO_AUTH_KEY_TYPE_ED25519) { + TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Rejecting invalid INTRODUCE1 cell auth key type. " "Responding with NACK."); diff --git a/src/or/hs_intropoint.h b/src/or/hs_intropoint.h index 1c2cc564a..1891bffac 100644 --- a/src/or/hs_intropoint.h +++ b/src/or/hs_intropoint.h @@ -12,13 +12,6 @@ #include "crypto_curve25519.h" #include "torcert.h" -/* Authentication key type in an ESTABLISH_INTRO cell. */ -typedef enum { - HS_INTRO_AUTH_KEY_TYPE_LEGACY0 = 0x00, - HS_INTRO_AUTH_KEY_TYPE_LEGACY1 = 0x01, - HS_INTRO_AUTH_KEY_TYPE_ED25519 = 0x02, -} hs_intro_auth_key_type_t; - /* Object containing introduction point common data between the service and * the client side. */ typedef struct hs_intropoint_t { diff --git a/src/test/test_hs_cell.c b/src/test/test_hs_cell.c index 8e15184c2..f754068a0 100644 --- a/src/test/test_hs_cell.c +++ b/src/test/test_hs_cell.c @@ -50,7 +50,7 @@ test_gen_establish_intro_cell(void *arg) /* Check the contents of the cell */ { /* First byte is the auth key type: make sure its correct */ - tt_int_op(buf[0], OP_EQ, HS_INTRO_AUTH_KEY_TYPE_ED25519); + tt_int_op(buf[0], OP_EQ, TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519); /* Next two bytes is auth key len */ tt_int_op(ntohs(get_uint16(buf+1)), OP_EQ, ED25519_PUBKEY_LEN); /* Skip to the number of extensions: no extensions */ diff --git a/src/test/test_hs_intropoint.c b/src/test/test_hs_intropoint.c index faa14d901..f348a076f 100644 --- a/src/test/test_hs_intropoint.c +++ b/src/test/test_hs_intropoint.c @@ -138,7 +138,7 @@ helper_create_introduce1_cell(void) { size_t auth_key_len = sizeof(auth_key_kp.pubkey); trn_cell_introduce1_set_auth_key_type(cell, - HS_INTRO_AUTH_KEY_TYPE_ED25519); + TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519); trn_cell_introduce1_set_auth_key_len(cell, auth_key_len); trn_cell_introduce1_setlen_auth_key(cell, auth_key_len); uint8_t *auth_key_ptr = trn_cell_introduce1_getarray_auth_key(cell); @@ -749,7 +749,7 @@ test_introduce1_validation(void *arg) ret = validate_introduce1_parsed_cell(cell); tt_int_op(ret, OP_EQ, -1); /* Reset is to correct value and make sure it's correct. */ - cell->auth_key_type = HS_INTRO_AUTH_KEY_TYPE_ED25519; + cell->auth_key_type = TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519; ret = validate_introduce1_parsed_cell(cell); tt_int_op(ret, OP_EQ, 0); diff --git a/src/trunnel/hs/cell_introduce1.c b/src/trunnel/hs/cell_introduce1.c index b93add64c..1fdb95453 100644 --- a/src/trunnel/hs/cell_introduce1.c +++ b/src/trunnel/hs/cell_introduce1.c @@ -50,6 +50,7 @@ trn_cell_introduce1_new(void) trn_cell_introduce1_t *val = trunnel_calloc(1, sizeof(trn_cell_introduce1_t)); if (NULL == val) return NULL; + val->auth_key_type = TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519; return val; } @@ -121,7 +122,7 @@ trn_cell_introduce1_get_auth_key_type(const trn_cell_introduce1_t *inp) int trn_cell_introduce1_set_auth_key_type(trn_cell_introduce1_t *inp, uint8_t val) { - if (! ((val == 0 || val == 1 || val == 2))) { + if (! ((val == TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519 || val == TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0 || val == TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1))) { TRUNNEL_SET_ERROR_CODE(inp); return -1; } @@ -295,7 +296,7 @@ trn_cell_introduce1_check(const trn_cell_introduce1_t *obj) return "Object was NULL"; if (obj->trunnel_error_code_) return "A set function failed on this object"; - if (! (obj->auth_key_type == 0 || obj->auth_key_type == 1 || obj->auth_key_type == 2)) + if (! (obj->auth_key_type == TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519 || obj->auth_key_type == TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0 || obj->auth_key_type == TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1)) return "Integer out of bounds"; if (TRUNNEL_DYNARRAY_LEN(&obj->auth_key) != obj->auth_key_len) return "Length mismatch for auth_key"; @@ -319,7 +320,7 @@ trn_cell_introduce1_encoded_len(const trn_cell_introduce1_t *obj) /* Length of u8 legacy_key_id[TRUNNEL_SHA1_LEN] */ result += TRUNNEL_SHA1_LEN; - /* Length of u8 auth_key_type IN [0, 1, 2] */ + /* Length of u8 auth_key_type IN [TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519, TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0, TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1] */ result += 1; /* Length of u16 auth_key_len */ @@ -367,7 +368,7 @@ trn_cell_introduce1_encode(uint8_t *output, const size_t avail, const trn_cell_i memcpy(ptr, obj->legacy_key_id, TRUNNEL_SHA1_LEN); written += TRUNNEL_SHA1_LEN; ptr += TRUNNEL_SHA1_LEN; - /* Encode u8 auth_key_type IN [0, 1, 2] */ + /* Encode u8 auth_key_type IN [TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519, TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0, TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1] */ trunnel_assert(written <= avail); if (avail - written < 1) goto truncated; @@ -451,11 +452,11 @@ trn_cell_introduce1_parse_into(trn_cell_introduce1_t *obj, const uint8_t *input, memcpy(obj->legacy_key_id, ptr, TRUNNEL_SHA1_LEN); remaining -= TRUNNEL_SHA1_LEN; ptr += TRUNNEL_SHA1_LEN; - /* Parse u8 auth_key_type IN [0, 1, 2] */ + /* Parse u8 auth_key_type IN [TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519, TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0, TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1] */ CHECK_REMAINING(1, truncated); obj->auth_key_type = (trunnel_get_uint8(ptr)); remaining -= 1; ptr += 1; - if (! (obj->auth_key_type == 0 || obj->auth_key_type == 1 || obj->auth_key_type == 2)) + if (! (obj->auth_key_type == TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519 || obj->auth_key_type == TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0 || obj->auth_key_type == TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1)) goto fail; /* Parse u16 auth_key_len */ diff --git a/src/trunnel/hs/cell_introduce1.h b/src/trunnel/hs/cell_introduce1.h index 1bec014b6..c94c7d507 100644 --- a/src/trunnel/hs/cell_introduce1.h +++ b/src/trunnel/hs/cell_introduce1.h @@ -15,6 +15,9 @@ struct link_specifier_st; #define TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS 0 #define TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID 1 #define TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT 2 +#define TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0 0 +#define TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1 1 +#define TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519 2 #if !defined(TRUNNEL_OPAQUE) && !defined(TRUNNEL_OPAQUE_TRN_CELL_INTRODUCE1) struct trn_cell_introduce1_st { uint8_t legacy_key_id[TRUNNEL_SHA1_LEN]; diff --git a/src/trunnel/hs/cell_introduce1.trunnel b/src/trunnel/hs/cell_introduce1.trunnel index 6d924058f..69da2c113 100644 --- a/src/trunnel/hs/cell_introduce1.trunnel +++ b/src/trunnel/hs/cell_introduce1.trunnel @@ -17,13 +17,20 @@ const TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS = 0x0000; const TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID = 0x0001; const TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT = 0x0002; +/* Authentication key type. */ +const TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0 = 0x00; +const TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1 = 0x01; +const TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519 = 0x02; + /* INTRODUCE1 payload. See details in section 3.2.1. */ struct trn_cell_introduce1 { /* Always zeroed. MUST be checked explicitly by the caller. */ u8 legacy_key_id[TRUNNEL_SHA1_LEN]; /* Authentication key material. */ - u8 auth_key_type IN [0x00, 0x01, 0x02]; + u8 auth_key_type IN [TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0, + TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1, + TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519]; u16 auth_key_len; u8 auth_key[auth_key_len];

1 0

[tor/maint-0.3.5] Make get_proxy_type() connection-specific
by teor＠torproject.org 12 Aug '19

12 Aug '19

commit 5cbd71b977f1c3ae0b9dc0f9e63094941ece015c Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed May 29 11:00:09 2019 -0400 Make get_proxy_type() connection-specific Previously, we were looking at our global settings to see what kind of proxy we had. But doing this would sometimes give us the wrong results when we had ClientTransportPlugin configured but we weren't using it for a particular connection. In several places in the code, we had added checks to see if we were _really_ using a PT or whether we were using a socks proxy, but we had forgotten to do so in at least once case. Instead, since every time we call this function we are asking about a single connection, it is probably best just to make this function connection-specific. Fixes bug 29670; bugfix on 0.2.6.2-alpha. --- changes/bug29670 | 4 ++++ src/core/mainloop/connection.c | 33 +++++++++++++++++++++------------ 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/changes/bug29670 b/changes/bug29670 new file mode 100644 index 000000000..00b0c3332 --- /dev/null +++ b/changes/bug29670 @@ -0,0 +1,4 @@ + o Minor bugfixes (configuration, proxies): + - Fix a bug that prevented us from supporting SOCKS5 proxies that want + authentication along with configued (but unused!) + ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha. diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c index 7b8dc7f36..29ef26ca5 100644 --- a/src/core/mainloop/connection.c +++ b/src/core/mainloop/connection.c @@ -182,7 +182,7 @@ static const char *connection_proxy_state_to_string(int state); static int connection_read_https_proxy_response(connection_t *conn); static void connection_send_socks5_connect(connection_t *conn); static const char *proxy_type_to_string(int proxy_type); -static int get_proxy_type(void); +static int conn_get_proxy_type(const connection_t *conn); const tor_addr_t *conn_get_outbound_address(sa_family_t family, const or_options_t *options, unsigned int conn_type); static void reenable_blocked_connection_init(const or_options_t *options); @@ -2260,18 +2260,27 @@ connection_proxy_state_to_string(int state) return states[state]; } -/** Returns the global proxy type used by tor. Use this function for - * logging or high-level purposes, don't use it to fill the +/** Returns the proxy type used by tor for a single connection, for + * logging or high-level purposes. Don't use it to fill the * <b>proxy_type</b> field of or_connection_t; use the actual proxy * protocol instead.*/ static int -get_proxy_type(void) +conn_get_proxy_type(const connection_t *conn) { const or_options_t *options = get_options(); - if (options->ClientTransportPlugin) - return PROXY_PLUGGABLE; - else if (options->HTTPSProxy) + if (options->ClientTransportPlugin) { + /* If we have plugins configured *and* this addr/port is a known bridge + * with a transport, then we should be PROXY_PLUGGABLE. */ + const transport_t *transport = NULL; + int r; + r = get_transport_by_bridge_addrport(&conn->addr, conn->port, &transport); + if (r == 0 && transport) + return PROXY_PLUGGABLE; + } + + /* In all other cases, we're using a global proxy. */ + if (options->HTTPSProxy) return PROXY_CONNECT; else if (options->Socks4Proxy) return PROXY_SOCKS4; @@ -2358,7 +2367,7 @@ connection_proxy_connect(connection_t *conn, int type) arguments to transmit. If we do, compress all arguments to a single string in 'socks_args_string': */ - if (get_proxy_type() == PROXY_PLUGGABLE) { + if (conn_get_proxy_type(conn) == PROXY_PLUGGABLE) { socks_args_string = pt_get_socks_args_for_proxy_addrport(&conn->addr, conn->port); if (socks_args_string) @@ -2418,7 +2427,7 @@ connection_proxy_connect(connection_t *conn, int type) Socks5ProxyUsername or if we want to pass arguments to our pluggable transport proxy: */ if ((options->Socks5ProxyUsername) || - (get_proxy_type() == PROXY_PLUGGABLE && + (conn_get_proxy_type(conn) == PROXY_PLUGGABLE && (get_socks_args_by_bridge_addrport(&conn->addr, conn->port)))) { /* number of auth methods */ buf[1] = 2; @@ -2611,16 +2620,16 @@ connection_read_proxy_handshake(connection_t *conn) const char *user, *pass; char *socks_args_string = NULL; - if (get_proxy_type() == PROXY_PLUGGABLE) { + if (conn_get_proxy_type(conn) == PROXY_PLUGGABLE) { socks_args_string = pt_get_socks_args_for_proxy_addrport(&conn->addr, conn->port); if (!socks_args_string) { - log_warn(LD_NET, "Could not create SOCKS args string."); + log_warn(LD_NET, "Could not create SOCKS args string for PT."); ret = -1; break; } - log_debug(LD_NET, "SOCKS5 arguments: %s", socks_args_string); + log_debug(LD_NET, "PT SOCKS5 arguments: %s", socks_args_string); tor_assert(strlen(socks_args_string) > 0); tor_assert(strlen(socks_args_string) <= MAX_SOCKS5_AUTH_SIZE_TOTAL);

1 0

[tor/maint-0.3.5] hs: Remove hs_cell_onion_key_type_t enum
by teor＠torproject.org 12 Aug '19

12 Aug '19

commit 56908c6f1c63d32bef7011c811976e24156f17d3 Author: David Goulet <dgoulet(a)torproject.org> Date: Wed May 15 15:30:29 2019 -0400 hs: Remove hs_cell_onion_key_type_t enum Unify this with the trunnel ABI so we don't duplicate. Part of #30454 Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/or/hs_cell.c | 7 ++++--- src/or/hs_cell.h | 5 ----- src/trunnel/hs/cell_introduce1.c | 14 +++++++------- src/trunnel/hs/cell_introduce1.h | 1 + src/trunnel/hs/cell_introduce1.trunnel | 5 ++++- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/src/or/hs_cell.c b/src/or/hs_cell.c index 7bbefe8fd..7b7e9379c 100644 --- a/src/or/hs_cell.c +++ b/src/or/hs_cell.c @@ -160,11 +160,12 @@ parse_introduce2_encrypted(const uint8_t *decrypted_data, } if (trn_cell_introduce_encrypted_get_onion_key_type(enc_cell) != - HS_CELL_ONION_KEY_TYPE_NTOR) { + TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR) { log_info(LD_REND, "INTRODUCE2 onion key type is invalid. Got %u but " "expected %u on circuit %u for service %s", trn_cell_introduce_encrypted_get_onion_key_type(enc_cell), - HS_CELL_ONION_KEY_TYPE_NTOR, TO_CIRCUIT(circ)->n_circ_id, + TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR, + TO_CIRCUIT(circ)->n_circ_id, safe_str_client(service->onion_address)); goto err; } @@ -257,7 +258,7 @@ introduce1_set_encrypted_onion_key(trn_cell_introduce_encrypted_t *cell, tor_assert(onion_pk); /* There is only one possible key type for a non legacy cell. */ trn_cell_introduce_encrypted_set_onion_key_type(cell, - HS_CELL_ONION_KEY_TYPE_NTOR); + TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR); trn_cell_introduce_encrypted_set_onion_key_len(cell, CURVE25519_PUBKEY_LEN); trn_cell_introduce_encrypted_setlen_onion_key(cell, CURVE25519_PUBKEY_LEN); memcpy(trn_cell_introduce_encrypted_getarray_onion_key(cell), onion_pk, diff --git a/src/or/hs_cell.h b/src/or/hs_cell.h index ed4af3c5a..49b29a43b 100644 --- a/src/or/hs_cell.h +++ b/src/or/hs_cell.h @@ -16,11 +16,6 @@ * 3.2.2 of the specification). Below this value, the cell must be padded. */ #define HS_CELL_INTRODUCE1_MIN_SIZE 246 -/* Onion key type found in the INTRODUCE1 cell. */ -typedef enum { - HS_CELL_ONION_KEY_TYPE_NTOR = 1, -} hs_cell_onion_key_type_t; - /* This data structure contains data that we need to build an INTRODUCE1 cell * used by the INTRODUCE1 build function. */ typedef struct hs_cell_introduce1_data_t { diff --git a/src/trunnel/hs/cell_introduce1.c b/src/trunnel/hs/cell_introduce1.c index cebfa2867..53b3d299f 100644 --- a/src/trunnel/hs/cell_introduce1.c +++ b/src/trunnel/hs/cell_introduce1.c @@ -723,7 +723,7 @@ trn_cell_introduce_encrypted_new(void) trn_cell_introduce_encrypted_t *val = trunnel_calloc(1, sizeof(trn_cell_introduce_encrypted_t)); if (NULL == val) return NULL; - val->onion_key_type = 1; + val->onion_key_type = TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR; return val; } @@ -827,7 +827,7 @@ trn_cell_introduce_encrypted_get_onion_key_type(const trn_cell_introduce_encrypt int trn_cell_introduce_encrypted_set_onion_key_type(trn_cell_introduce_encrypted_t *inp, uint8_t val) { - if (! ((val == 1))) { + if (! ((val == TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR))) { TRUNNEL_SET_ERROR_CODE(inp); return -1; } @@ -1069,7 +1069,7 @@ trn_cell_introduce_encrypted_check(const trn_cell_introduce_encrypted_t *obj) if (NULL != (msg = trn_cell_extension_check(obj->extensions))) return msg; } - if (! (obj->onion_key_type == 1)) + if (! (obj->onion_key_type == TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR)) return "Integer out of bounds"; if (TRUNNEL_DYNARRAY_LEN(&obj->onion_key) != obj->onion_key_len) return "Length mismatch for onion_key"; @@ -1102,7 +1102,7 @@ trn_cell_introduce_encrypted_encoded_len(const trn_cell_introduce_encrypted_t *o /* Length of struct trn_cell_extension extensions */ result += trn_cell_extension_encoded_len(obj->extensions); - /* Length of u8 onion_key_type IN [1] */ + /* Length of u8 onion_key_type IN [TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR] */ result += 1; /* Length of u16 onion_key_len */ @@ -1166,7 +1166,7 @@ trn_cell_introduce_encrypted_encode(uint8_t *output, const size_t avail, const t goto fail; /* XXXXXXX !*/ written += result; ptr += result; - /* Encode u8 onion_key_type IN [1] */ + /* Encode u8 onion_key_type IN [TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR] */ trunnel_assert(written <= avail); if (avail - written < 1) goto truncated; @@ -1270,11 +1270,11 @@ trn_cell_introduce_encrypted_parse_into(trn_cell_introduce_encrypted_t *obj, con trunnel_assert((size_t)result <= remaining); remaining -= result; ptr += result; - /* Parse u8 onion_key_type IN [1] */ + /* Parse u8 onion_key_type IN [TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR] */ CHECK_REMAINING(1, truncated); obj->onion_key_type = (trunnel_get_uint8(ptr)); remaining -= 1; ptr += 1; - if (! (obj->onion_key_type == 1)) + if (! (obj->onion_key_type == TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR)) goto fail; /* Parse u16 onion_key_len */ diff --git a/src/trunnel/hs/cell_introduce1.h b/src/trunnel/hs/cell_introduce1.h index c94c7d507..986a531ca 100644 --- a/src/trunnel/hs/cell_introduce1.h +++ b/src/trunnel/hs/cell_introduce1.h @@ -18,6 +18,7 @@ struct link_specifier_st; #define TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0 0 #define TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1 1 #define TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519 2 +#define TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR 1 #if !defined(TRUNNEL_OPAQUE) && !defined(TRUNNEL_OPAQUE_TRN_CELL_INTRODUCE1) struct trn_cell_introduce1_st { uint8_t legacy_key_id[TRUNNEL_SHA1_LEN]; diff --git a/src/trunnel/hs/cell_introduce1.trunnel b/src/trunnel/hs/cell_introduce1.trunnel index bbb091d2b..5911c695a 100644 --- a/src/trunnel/hs/cell_introduce1.trunnel +++ b/src/trunnel/hs/cell_introduce1.trunnel @@ -22,6 +22,9 @@ const TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY0 = 0x00; const TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_LEGACY1 = 0x01; const TRUNNEL_HS_INTRO_AUTH_KEY_TYPE_ED25519 = 0x02; +/* Onion key type. */ +const TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR = 0x01; + /* INTRODUCE1 payload. See details in section 3.2.1. */ struct trn_cell_introduce1 { /* Always zeroed. MUST be checked explicitly by the caller. */ @@ -59,7 +62,7 @@ struct trn_cell_introduce_encrypted { struct trn_cell_extension extensions; /* Onion key material. */ - u8 onion_key_type IN [0x01]; + u8 onion_key_type IN [TRUNNEL_HS_INTRO_ONION_KEY_TYPE_NTOR]; u16 onion_key_len; u8 onion_key[onion_key_len];

1 0

[tor/maint-0.3.5] trunnel: Remove INTRODUCE1 status code IN statement
by teor＠torproject.org 12 Aug '19

12 Aug '19

commit 7d3e904a27ac714c33f9b1e14b4d1d18d4042147 Author: David Goulet <dgoulet(a)torproject.org> Date: Wed May 15 15:27:27 2019 -0400 trunnel: Remove INTRODUCE1 status code IN statement We want to support parsing a cell with unknown status code so we are forward compatible. Part of #30454 Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/trunnel/hs/cell_introduce1.c | 18 +++--------------- src/trunnel/hs/cell_introduce1.trunnel | 4 +--- 2 files changed, 4 insertions(+), 18 deletions(-) diff --git a/src/trunnel/hs/cell_introduce1.c b/src/trunnel/hs/cell_introduce1.c index 1fdb95453..cebfa2867 100644 --- a/src/trunnel/hs/cell_introduce1.c +++ b/src/trunnel/hs/cell_introduce1.c @@ -520,7 +520,6 @@ trn_cell_introduce_ack_new(void) trn_cell_introduce_ack_t *val = trunnel_calloc(1, sizeof(trn_cell_introduce_ack_t)); if (NULL == val) return NULL; - val->status = TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT; return val; } @@ -552,10 +551,6 @@ trn_cell_introduce_ack_get_status(const trn_cell_introduce_ack_t *inp) int trn_cell_introduce_ack_set_status(trn_cell_introduce_ack_t *inp, uint16_t val) { - if (! ((val == TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT || val == TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS || val == TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID))) { - TRUNNEL_SET_ERROR_CODE(inp); - return -1; - } inp->status = val; return 0; } @@ -589,8 +584,6 @@ trn_cell_introduce_ack_check(const trn_cell_introduce_ack_t *obj) return "Object was NULL"; if (obj->trunnel_error_code_) return "A set function failed on this object"; - if (! (obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT || obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS || obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID)) - return "Integer out of bounds"; { const char *msg; if (NULL != (msg = trn_cell_extension_check(obj->extensions))) @@ -608,7 +601,7 @@ trn_cell_introduce_ack_encoded_len(const trn_cell_introduce_ack_t *obj) return -1; - /* Length of u16 status IN [TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT, TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS, TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID] */ + /* Length of u16 status */ result += 2; /* Length of struct trn_cell_extension extensions */ @@ -640,7 +633,7 @@ trn_cell_introduce_ack_encode(uint8_t *output, const size_t avail, const trn_cel trunnel_assert(encoded_len >= 0); #endif - /* Encode u16 status IN [TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT, TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS, TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID] */ + /* Encode u16 status */ trunnel_assert(written <= avail); if (avail - written < 2) goto truncated; @@ -689,12 +682,10 @@ trn_cell_introduce_ack_parse_into(trn_cell_introduce_ack_t *obj, const uint8_t * ssize_t result = 0; (void)result; - /* Parse u16 status IN [TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT, TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS, TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID] */ + /* Parse u16 status */ CHECK_REMAINING(2, truncated); obj->status = trunnel_ntohs(trunnel_get_uint16(ptr)); remaining -= 2; ptr += 2; - if (! (obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT || obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS || obj->status == TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID)) - goto fail; /* Parse struct trn_cell_extension extensions */ result = trn_cell_extension_parse(&obj->extensions, ptr, remaining); @@ -710,9 +701,6 @@ trn_cell_introduce_ack_parse_into(trn_cell_introduce_ack_t *obj, const uint8_t * relay_fail: trunnel_assert(result < 0); return result; - fail: - result = -1; - return result; } ssize_t diff --git a/src/trunnel/hs/cell_introduce1.trunnel b/src/trunnel/hs/cell_introduce1.trunnel index 69da2c113..bbb091d2b 100644 --- a/src/trunnel/hs/cell_introduce1.trunnel +++ b/src/trunnel/hs/cell_introduce1.trunnel @@ -44,9 +44,7 @@ struct trn_cell_introduce1 { /* INTRODUCE_ACK payload. See details in section 3.2.2. */ struct trn_cell_introduce_ack { /* Status of introduction. */ - u16 status IN [TRUNNEL_HS_INTRO_ACK_STATUS_SUCCESS, - TRUNNEL_HS_INTRO_ACK_STATUS_UNKNOWN_ID, - TRUNNEL_HS_INTRO_ACK_STATUS_BAD_FORMAT]; + u16 status; /* Extension(s). Reserved fields. */ struct trn_cell_extension extensions;

1 0

[tor/maint-0.3.5] Merge remote-tracking branch 'tor-github/pr/741' into maint-0.3.5
by teor＠torproject.org 12 Aug '19

12 Aug '19

commit a57e168caa21f9798be85adb56af726da7385810 Merge: 5df0b3662 9b7cdd23d Author: teor <teor(a)torproject.org> Date: Mon Aug 12 09:36:14 2019 +1000 Merge remote-tracking branch 'tor-github/pr/741' into maint-0.3.5 doc/tor.1.txt | 13 +++++++------ src/config/torrc.sample.in | 21 ++++++++++++++++----- 2 files changed, 23 insertions(+), 11 deletions(-)

1 0

[tor/maint-0.3.5] num_bridges_usable(): only count configured bridges.
by teor＠torproject.org 12 Aug '19

12 Aug '19

commit 8015979eeba2c8b10fb058318628debf228fb023 Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri May 31 12:19:29 2019 -0400 num_bridges_usable(): only count configured bridges. When this function was implemented, it counted all the entry guards in the bridge set. But this included previously configured bridges, as well as currently configured ones! Instead, only count the _filtered_ bridges (ones that are configured and possibly reachable) as maybe usable. Fixes bug 29875; bugfix on 0.3.0.1-alpha. --- src/feature/client/entrynodes.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/feature/client/entrynodes.c b/src/feature/client/entrynodes.c index e543289ce..15ec83059 100644 --- a/src/feature/client/entrynodes.c +++ b/src/feature/client/entrynodes.c @@ -3300,6 +3300,9 @@ num_bridges_usable,(int use_maybe_reachable)) } SMARTLIST_FOREACH_BEGIN(gs->sampled_entry_guards, entry_guard_t *, guard) { + /* Not a bridge, or not one we are configured to be able to use. */ + if (! guard->is_filtered_guard) + continue; /* Definitely not usable */ if (guard->is_reachable == GUARD_REACHABLE_NO) continue;

1 0

[tor/maint-0.3.5] Bug 29034: Cleanup hs circuitmap when purpose changes.
by teor＠torproject.org 12 Aug '19

12 Aug '19

commit a6399da598101d8046cbf7ab2d80051fd8820e2f Author: Mike Perry <mikeperry-git(a)torproject.org> Date: Wed Jun 5 11:50:44 2019 -0700 Bug 29034: Cleanup hs circuitmap when purpose changes. Leave the other rend and hs_ident data around until circuit free, since code may still try to inspect it after marking the circuit for close. The circuitmap is the important thing to clean up, since repurposed intropoints must be removed from this map to ensure validity. --- changes/bug29034 | 5 +++++ src/core/or/circuituse.c | 6 ++++++ 2 files changed, 11 insertions(+) diff --git a/changes/bug29034 b/changes/bug29034 new file mode 100644 index 000000000..e7aa9af00 --- /dev/null +++ b/changes/bug29034 @@ -0,0 +1,5 @@ + o Major bugfixes (Onion service reachability): + - Properly clean up the introduction point map when circuits change purpose + from onion service circuits to pathbias, measurement, or other circuit types. + This should fix some service-side instances of introduction point failure. + Fixes bug 29034; bugfix on 0.3.2.1-alpha. diff --git a/src/core/or/circuituse.c b/src/core/or/circuituse.c index 02bfa15fb..000a7c36d 100644 --- a/src/core/or/circuituse.c +++ b/src/core/or/circuituse.c @@ -3066,6 +3066,12 @@ circuit_change_purpose(circuit_t *circ, uint8_t new_purpose) circ->purpose, circuit_purpose_to_string(new_purpose), new_purpose); + + /* Take specific actions if we are repurposing a hidden service circuit. */ + if (circuit_purpose_is_hidden_service(circ->purpose) && + !circuit_purpose_is_hidden_service(new_purpose)) { + hs_circ_cleanup(circ); + } } old_purpose = circ->purpose;

1 0

[tor/maint-0.3.5] Fix some tests for CL_PORT_NO_STREAM_OPTIONS
by teor＠torproject.org 12 Aug '19

12 Aug '19

commit 3c3158f1826826d9b4e8841bc67855cca0fc883b Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri May 31 09:03:16 2019 -0400 Fix some tests for CL_PORT_NO_STREAM_OPTIONS The comment in the tests was correct: this option _was_ inverted wrt SessionGroup=. --- src/test/test_config.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/test/test_config.c b/src/test/test_config.c index c342d8cca..0de6b1291 100644 --- a/src/test/test_config.c +++ b/src/test/test_config.c @@ -4568,16 +4568,14 @@ test_config_parse_port_config__ports__ports_given(void *data) "127.0.0.44", 0, CL_PORT_NO_STREAM_OPTIONS); tt_int_op(ret, OP_EQ, -1); - // TODO: this seems wrong. Shouldn't it be the other way around? - // Potential bug. - // Test failure for a SessionGroup argument with valid value but with stream - // options allowed + // Test failure for a SessionGroup argument with valid value but with no + // stream options allowed config_free_lines(config_port_invalid); config_port_invalid = NULL; SMARTLIST_FOREACH(slout,port_cfg_t *,pf,port_cfg_free(pf)); smartlist_clear(slout); config_port_invalid = mock_config_line("DNSPort", "42 SessionGroup=123"); ret = parse_port_config(slout, config_port_invalid, "DNS", 0, - "127.0.0.44", 0, 0); + "127.0.0.44", 0, CL_PORT_NO_STREAM_OPTIONS); tt_int_op(ret, OP_EQ, -1); // Test failure for more than one SessionGroup argument @@ -4587,7 +4585,7 @@ test_config_parse_port_config__ports__ports_given(void *data) config_port_invalid = mock_config_line("DNSPort", "42 SessionGroup=123 " "SessionGroup=321"); ret = parse_port_config(slout, config_port_invalid, "DNS", 0, - "127.0.0.44", 0, CL_PORT_NO_STREAM_OPTIONS); + "127.0.0.44", 0, 0); tt_int_op(ret, OP_EQ, -1); // Test success with a sessiongroup options @@ -4596,7 +4594,7 @@ test_config_parse_port_config__ports__ports_given(void *data) smartlist_clear(slout); config_port_valid = mock_config_line("DNSPort", "42 SessionGroup=1111122"); ret = parse_port_config(slout, config_port_valid, "DNS", 0, - "127.0.0.44", 0, CL_PORT_NO_STREAM_OPTIONS); + "127.0.0.44", 0, 0); tt_int_op(ret, OP_EQ, 0); tt_int_op(smartlist_len(slout), OP_EQ, 1); port_cfg = (port_cfg_t *)smartlist_get(slout, 0);

1 0

[tor/maint-0.3.5] Consider dir info to have changed when the bridges change
by teor＠torproject.org 12 Aug '19

12 Aug '19

commit 5b3c8865842f3b12d3ea35db19e8feb135bb46dc Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri May 31 11:46:58 2019 -0400 Consider dir info to have changed when the bridges change Otherwise, we won't realize that we haven't got enough bridge information to build circuits. Part of a fix for ticket 29875. --- src/app/config/config.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/app/config/config.c b/src/app/config/config.c index 2a504d306..7f6657db3 100644 --- a/src/app/config/config.c +++ b/src/app/config/config.c @@ -2412,7 +2412,8 @@ options_act(const or_options_t *old_options) if (!bool_eq(directory_fetches_dir_info_early(options), directory_fetches_dir_info_early(old_options)) || !bool_eq(directory_fetches_dir_info_later(options), - directory_fetches_dir_info_later(old_options))) { + directory_fetches_dir_info_later(old_options)) || + !config_lines_eq(old_options->Bridges, options->Bridges)) { /* Make sure update_router_have_minimum_dir_info() gets called. */ router_dir_info_changed(); /* We might need to download a new consensus status later or sooner than

1 0