February 2020 - tor-commits - lists.torproject.org

[tor/master] mainloop: Modernize a bit connection_dir_is_global_write_low()
by nickm＠torproject.org 20 Feb '20

20 Feb '20

commit 872f95ca0603ac96d77b886ff67aba63941547a9 Author: David Goulet <dgoulet(a)torproject.org> Date: Tue Jan 28 08:55:20 2020 -0500 mainloop: Modernize a bit connection_dir_is_global_write_low() Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/core/mainloop/connection.c | 21 ++++++++++++--------- src/core/mainloop/connection.h | 4 ++-- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c index 9a07a62c2..a157c0f3f 100644 --- a/src/core/mainloop/connection.c +++ b/src/core/mainloop/connection.c @@ -3051,7 +3051,7 @@ connection_mark_all_noncontrol_connections(void) * uses pluggable transports, since we should then limit it even if it * comes from an internal IP address. */ static int -connection_is_rate_limited(connection_t *conn) +connection_is_rate_limited(const connection_t *conn) { const or_options_t *options = get_options(); if (conn->linked) @@ -3190,7 +3190,10 @@ connection_bucket_write_limit(connection_t *conn, time_t now) * shouldn't send <b>attempt</b> bytes of low-priority directory stuff * out to <b>conn</b>. * - * There are a lot of parameters we could use here: + * If we are a directory authority, always answer dir requests thus true is + * always returned. + * + * Note: There are a lot of parameters we could use here: * - global_relayed_write_bucket. Low is bad. * - global_write_bucket. Low is bad. * - bandwidthrate. Low is bad. @@ -3202,27 +3205,27 @@ connection_bucket_write_limit(connection_t *conn, time_t now) * mean is "total directory bytes added to outbufs recently", but * that's harder to quantify and harder to keep track of. */ -int -connection_dir_is_global_write_low(connection_t *conn, size_t attempt) +bool +connection_dir_is_global_write_low(const connection_t *conn, size_t attempt) { size_t smaller_bucket = MIN(token_bucket_rw_get_write(&global_bucket), token_bucket_rw_get_write(&global_relayed_bucket)); if (authdir_mode(get_options())) - return 0; /* there's always room to answer v2 if we're an auth dir */ + return false; /* there's always room to answer v2 if we're an auth dir */ if (!connection_is_rate_limited(conn)) - return 0; /* local conns don't get limited */ + return false; /* local conns don't get limited */ if (smaller_bucket < attempt) - return 1; /* not enough space. */ + return true; /* not enough space. */ { const time_t diff = approx_time() - write_buckets_last_empty_at; if (diff <= 1) - return 1; /* we're already hitting our limits, no more please */ + return true; /* we're already hitting our limits, no more please */ } - return 0; + return false; } /** When did we last tell the accounting subsystem about transmitted diff --git a/src/core/mainloop/connection.h b/src/core/mainloop/connection.h index 30cf65e4e..668c74004 100644 --- a/src/core/mainloop/connection.h +++ b/src/core/mainloop/connection.h @@ -196,8 +196,8 @@ void connection_mark_all_noncontrol_listeners(void); void connection_mark_all_noncontrol_connections(void); ssize_t connection_bucket_write_limit(struct connection_t *conn, time_t now); -int connection_dir_is_global_write_low(struct connection_t *conn, - size_t attempt); +bool connection_dir_is_global_write_low(const struct connection_t *conn, + size_t attempt); void connection_bucket_init(void); void connection_bucket_adjust(const or_options_t *options); void connection_bucket_refill_all(time_t now,

1 0

[tor/master] dirauth: Add option AuthDirRejectRequestsUnderLoad
by nickm＠torproject.org 20 Feb '20

20 Feb '20

commit 735aa208b1592e166d03ec96e90422293d26b98a Author: David Goulet <dgoulet(a)torproject.org> Date: Tue Feb 11 09:56:44 2020 -0500 dirauth: Add option AuthDirRejectRequestsUnderLoad This controls the previous feature added that makes dirauth send back a 503 error code on non relay connections if under bandwidth pressure. Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- doc/tor.1.txt | 7 +++++++ src/app/config/config.c | 1 + src/app/config/or_options_st.h | 7 +++++++ 3 files changed, 15 insertions(+) diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 1504223b8..c7c41e784 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -2925,6 +2925,13 @@ on the public Tor network. before it will treat advertised bandwidths as wholly unreliable. (Default: 500) +[[AuthDirRejectRequestsUnderLoad]] **AuthDirRejectRequestsUnderLoad** **0**|**1**:: + If set, the directory authority will start rejecting directory requests + from non relay connections by sending a 503 error code if it is under + bandwidth pressure (reaching the configured limit if any). Relays will + always tried to be answered even if this is on. (Default: 1) + + HIDDEN SERVICE OPTIONS ---------------------- diff --git a/src/app/config/config.c b/src/app/config/config.c index deda2448b..89ec26f05 100644 --- a/src/app/config/config.c +++ b/src/app/config/config.c @@ -671,6 +671,7 @@ static const config_var_t option_vars_[] = { OBSOLETE("UseNTorHandshake"), V(User, STRING, NULL), OBSOLETE("UserspaceIOCPBuffers"), + V(AuthDirRejectRequestsUnderLoad, BOOL, "1"), V(AuthDirSharedRandomness, BOOL, "1"), V(AuthDirTestEd25519LinkKeys, BOOL, "1"), OBSOLETE("V1AuthoritativeDirectory"), diff --git a/src/app/config/or_options_st.h b/src/app/config/or_options_st.h index 32dcd9fb1..e6be79701 100644 --- a/src/app/config/or_options_st.h +++ b/src/app/config/or_options_st.h @@ -1008,6 +1008,13 @@ struct or_options_t { */ uint64_t MaxUnparseableDescSizeToLog; + /** Bool (default: 1): Under bandwidth pressure, if set to 1, the authority + * will always answer directory requests from relays but will start sending + * 503 error code for the other connections. If set to 0, all connections + * are considered the same and the authority will try to answer them all + * regardless of bandwidth pressure or not. */ + int AuthDirRejectRequestsUnderLoad; + /** Bool (default: 1): Switch for the shared random protocol. Only * relevant to a directory authority. If off, the authority won't * participate in the protocol. If on (default), a flag is added to the

1 0

[tor/master] dirauth: Resume sending 503 directory error code
by nickm＠torproject.org 20 Feb '20

20 Feb '20

commit 6d9113d2f65b6e3142efdaa91a5b4761cd197be8 Author: David Goulet <dgoulet(a)torproject.org> Date: Tue Jan 28 09:39:09 2020 -0500 dirauth: Resume sending 503 directory error code Authorities were never sending back 503 error code because by design they should be able to always answer directory requests regardless of bandwidth capacity. However, that recently backfired because of a large number of requests from unknown source using the DirPort that are _not_ getting their 503 code which overloaded the DirPort leading to the authority to be unable to answer to its fellow authorities. This is not a complete solution to the problem but it will help ease off the load on the authority side by sending back 503 codes *unless* the connection is from a known relay or an authority. Fixes #33029 Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- changes/ticket33029 | 5 +++++ src/core/mainloop/connection.c | 17 +++++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/changes/ticket33029 b/changes/ticket33029 new file mode 100644 index 000000000..c32ee4ad8 --- /dev/null +++ b/changes/ticket33029 @@ -0,0 +1,5 @@ + o Major bugfixes (directory authority): + - Directory authorities will now send a 503 (not enough bandwidth) code to + clients when under bandwidth pressure. Known relays and other authorities + will always be answered regardless of the bandwidth situation. Fixes bug + 33029; bugfix on 0.1.2.5-alpha. diff --git a/src/core/mainloop/connection.c b/src/core/mainloop/connection.c index a157c0f3f..50cd3810a 100644 --- a/src/core/mainloop/connection.c +++ b/src/core/mainloop/connection.c @@ -3211,8 +3211,21 @@ connection_dir_is_global_write_low(const connection_t *conn, size_t attempt) size_t smaller_bucket = MIN(token_bucket_rw_get_write(&global_bucket), token_bucket_rw_get_write(&global_relayed_bucket)); - if (authdir_mode(get_options())) - return false; /* there's always room to answer v2 if we're an auth dir */ + + /* Special case for authorities (directory only). */ + if (authdir_mode_v3(get_options())) { + /* Are we configured to possibly reject requests under load? */ + if (!get_options()->AuthDirRejectRequestsUnderLoad) { + /* Answer request no matter what. */ + return false; + } + /* Always answer requests from a known relay which includes the other + * authorities. The following looks up the addresses for relays that we + * have their descriptor _and_ any configured trusted directories. */ + if (nodelist_probably_contains_address(&conn->addr)) { + return false; + } + } if (!connection_is_rate_limited(conn)) return false; /* local conns don't get limited */

1 0

[tor/master] test: Add unit test for connection_dir_is_global_write_low()
by nickm＠torproject.org 20 Feb '20

20 Feb '20

commit 33414e5494b56f3f677d022bfb4bb1ed99191032 Author: David Goulet <dgoulet(a)torproject.org> Date: Tue Feb 11 10:15:04 2020 -0500 test: Add unit test for connection_dir_is_global_write_low() Part of #33029 Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/feature/nodelist/dirlist.c | 4 +- src/feature/nodelist/dirlist.h | 2 +- src/test/test_address_set.c | 14 ++- src/test/test_bwmgt.c | 209 ++++++++++++++++++++++++++++++++++++++++- 4 files changed, 223 insertions(+), 6 deletions(-) diff --git a/src/feature/nodelist/dirlist.c b/src/feature/nodelist/dirlist.c index df347889b..749ff06a5 100644 --- a/src/feature/nodelist/dirlist.c +++ b/src/feature/nodelist/dirlist.c @@ -66,8 +66,8 @@ add_trusted_dir_to_nodelist_addr_set(const dir_server_t *dir) /** Go over the trusted directory server list and add their address(es) to the * nodelist address set. This is called everytime a new consensus is set. */ -void -dirlist_add_trusted_addresses(void) +MOCK_IMPL(void, +dirlist_add_trusted_addresses, (void)) { if (!trusted_dir_servers) { return; diff --git a/src/feature/nodelist/dirlist.h b/src/feature/nodelist/dirlist.h index d302ff5f6..d4bdb4ced 100644 --- a/src/feature/nodelist/dirlist.h +++ b/src/feature/nodelist/dirlist.h @@ -44,6 +44,6 @@ void dir_server_add(dir_server_t *ent); void clear_dir_servers(void); void dirlist_free_all(void); -void dirlist_add_trusted_addresses(void); +MOCK_DECL(void, dirlist_add_trusted_addresses, (void)); #endif /* !defined(TOR_DIRLIST_H) */ diff --git a/src/test/test_address_set.c b/src/test/test_address_set.c index fb8408b3c..81dc6dff5 100644 --- a/src/test/test_address_set.c +++ b/src/test/test_address_set.c @@ -4,6 +4,7 @@ #include "core/or/or.h" #include "lib/crypt_ops/crypto_rand.h" #include "core/or/address_set.h" +#include "feature/nodelist/dirlist.h" #include "feature/nodelist/microdesc.h" #include "feature/nodelist/networkstatus.h" #include "feature/nodelist/nodelist.h" @@ -31,6 +32,12 @@ mock_networkstatus_get_latest_consensus_by_flavor(consensus_flavor_t f) return dummy_ns; } +static void +mock_dirlist_add_trusted_addresses(void) +{ + return; +} + /* Number of address a single node_t can have. Default to the production * value. This is to control the size of the bloom filter. */ static int addr_per_node = 2; @@ -98,6 +105,8 @@ test_nodelist(void *arg) mock_networkstatus_get_latest_consensus_by_flavor); MOCK(get_estimated_address_per_node, mock_get_estimated_address_per_node); + MOCK(dirlist_add_trusted_addresses, + mock_dirlist_add_trusted_addresses); dummy_ns = tor_malloc_zero(sizeof(*dummy_ns)); dummy_ns->flavor = FLAV_MICRODESC; @@ -113,7 +122,9 @@ test_nodelist(void *arg) * (the_nodelist->node_addrs) so we will fail the contain test rarely. */ addr_per_node = 1024; - /* No node no nothing. The lookups should be empty. */ + /* No node no nothing. The lookups should be empty. We've mocked the + * dirlist_add_trusted_addresses in order for _no_ authorities to be added + * to the filter else it makes this test to trigger many false positive. */ nodelist_set_consensus(dummy_ns); /* The address set should be empty. */ @@ -167,6 +178,7 @@ test_nodelist(void *arg) UNMOCK(networkstatus_get_latest_consensus); UNMOCK(networkstatus_get_latest_consensus_by_flavor); UNMOCK(get_estimated_address_per_node); + UNMOCK(dirlist_add_trusted_addresses); } struct testcase_t address_set_tests[] = { diff --git a/src/test/test_bwmgt.c b/src/test/test_bwmgt.c index 5a013aa26..e6f028ed7 100644 --- a/src/test/test_bwmgt.c +++ b/src/test/test_bwmgt.c @@ -6,18 +6,67 @@ * \brief tests for bandwidth management / token bucket functions */ +#define CONFIG_PRIVATE +#define CONNECTION_PRIVATE #define TOKEN_BUCKET_PRIVATE #include "core/or/or.h" -#include "test/test.h" +#include "app/config/config.h" +#include "core/mainloop/connection.h" +#include "feature/dircommon/directory.h" +#include "feature/nodelist/microdesc.h" +#include "feature/nodelist/networkstatus.h" +#include "feature/nodelist/nodelist.h" +#include "feature/nodelist/routerlist.h" +#include "lib/crypt_ops/crypto_rand.h" #include "lib/evloop/token_bucket.h" +#include "test/test.h" +#include "test/test_helpers.h" + +#include "app/config/or_options_st.h" +#include "core/or/connection_st.h" +#include "feature/nodelist/microdesc_st.h" +#include "feature/nodelist/networkstatus_st.h" +#include "feature/nodelist/routerinfo_st.h" +#include "feature/nodelist/routerstatus_st.h" // an imaginary time, in timestamp units. Chosen so it will roll over. static const uint32_t START_TS = UINT32_MAX-10; static const int32_t KB = 1024; static const uint32_t GB = (UINT64_C(1) << 30); +static or_options_t mock_options; + +static const or_options_t * +mock_get_options(void) +{ + return &mock_options; +} + +static networkstatus_t *dummy_ns = NULL; +static networkstatus_t * +mock_networkstatus_get_latest_consensus(void) +{ + return dummy_ns; +} + +static networkstatus_t * +mock_networkstatus_get_latest_consensus_by_flavor(consensus_flavor_t f) +{ + tor_assert(f == FLAV_MICRODESC); + return dummy_ns; +} + +/* Number of address a single node_t can have. Default to the production + * value. This is to control the size of the bloom filter. */ +static int addr_per_node = 2; +static int +mock_get_estimated_address_per_node(void) +{ + return addr_per_node; +} + static void test_bwmgt_token_buf_init(void *arg) { @@ -220,8 +269,162 @@ test_bwmgt_token_buf_helpers(void *arg) ; } +static void +test_bwmgt_dir_conn_global_write_low(void *arg) +{ + bool ret; + int addr_family; + connection_t *conn = NULL; + routerstatus_t *rs = NULL; microdesc_t *md = NULL; routerinfo_t *ri = NULL; + tor_addr_t relay_addr; + + (void) arg; + + memset(&mock_options, 0, sizeof(or_options_t)); + MOCK(networkstatus_get_latest_consensus, + mock_networkstatus_get_latest_consensus); + MOCK(networkstatus_get_latest_consensus_by_flavor, + mock_networkstatus_get_latest_consensus_by_flavor); + MOCK(get_estimated_address_per_node, + mock_get_estimated_address_per_node); + + /* + * The following is rather complex but that is what it takes to add a dummy + * consensus with a valid routerlist which will populate our node address + * set that we need to lookup to test the known relay code path. + * + * We MUST do that before we MOCK(get_options) else it is another world of + * complexity. + */ + + /* This will be the address of our relay. */ + tor_addr_parse(&relay_addr, "1.2.3.4"); + + /* We'll now add a relay into our routerlist and see if we let it. */ + dummy_ns = tor_malloc_zero(sizeof(*dummy_ns)); + dummy_ns->flavor = FLAV_MICRODESC; + dummy_ns->routerstatus_list = smartlist_new(); + + md = tor_malloc_zero(sizeof(*md)); + ri = tor_malloc_zero(sizeof(*ri)); + rs = tor_malloc_zero(sizeof(*rs)); + crypto_rand(rs->identity_digest, sizeof(rs->identity_digest)); + crypto_rand(md->digest, sizeof(md->digest)); + memcpy(rs->descriptor_digest, md->digest, DIGEST256_LEN); + + /* Set IP address. */ + rs->addr = tor_addr_to_ipv4h(&relay_addr); + ri->addr = rs->addr; + /* Add the rs to the consensus becoming a node_t. */ + smartlist_add(dummy_ns->routerstatus_list, rs); + + /* Add all configured authorities (hardcoded) before we set the consensus so + * the address set exists. */ + ret = consider_adding_dir_servers(&mock_options, &mock_options); + tt_int_op(ret, OP_EQ, 0); + + /* This will make the nodelist bloom filter very large + * (the_nodelist->node_addrs) so we will fail the contain test rarely. */ + addr_per_node = 1024; + + nodelist_set_consensus(dummy_ns); + + /* Ok, now time to control which options we use. */ + MOCK(get_options, mock_get_options); + + /* Set ourselves as an authoritative dir. */ + mock_options.AuthoritativeDir = 1; + mock_options.V3AuthoritativeDir = 1; + mock_options.UseDefaultFallbackDirs = 0; + + /* This will set our global bucket to 1 byte and thus we will hit the + * banwdith limit in our test. */ + mock_options.BandwidthRate = 1; + mock_options.BandwidthBurst = 1; + + /* Else an IPv4 address screams. */ + mock_options.ClientUseIPv4 = 1; + mock_options.ClientUseIPv6 = 1; + + /* Initialize the global buckets. */ + connection_bucket_init(); + + /* The address "127.0.0.1" is set with this helper. */ + conn = test_conn_get_connection(DIR_CONN_STATE_MIN_, CONN_TYPE_DIR, + DIR_PURPOSE_MIN_); + tt_assert(conn); + + /* First try a non authority non relay IP thus a client but we are not + * configured to reject requests under load so we should get a false value + * that our limit is _not_ low. */ + addr_family = tor_addr_parse(&conn->addr, "1.1.1.1"); + tt_int_op(addr_family, OP_EQ, AF_INET); + ret = connection_dir_is_global_write_low(conn, INT_MAX); + tt_int_op(ret, OP_EQ, 0); + + /* Now, we will reject requests under load so try again a non authority non + * relay IP thus a client. We should get a warning that our limit is too + * low. */ + mock_options.AuthDirRejectRequestsUnderLoad = 1; + + addr_family = tor_addr_parse(&conn->addr, "1.1.1.1"); + tt_int_op(addr_family, OP_EQ, AF_INET); + ret = connection_dir_is_global_write_low(conn, INT_MAX); + tt_int_op(ret, OP_EQ, 1); + + /* Now, lets try with a connection address from moria1. It should always + * pass even though our limit is too low. */ + addr_family = tor_addr_parse(&conn->addr, "128.31.0.39"); + tt_int_op(addr_family, OP_EQ, AF_INET); + ret = connection_dir_is_global_write_low(conn, INT_MAX); + tt_int_op(ret, OP_EQ, 0); + + /* IPv6 testing of gabelmoo. */ + addr_family = tor_addr_parse(&conn->addr, "[2001:638:a000:4140::ffff:189]"); + tt_int_op(addr_family, OP_EQ, AF_INET6); + ret = connection_dir_is_global_write_low(conn, INT_MAX); + tt_int_op(ret, OP_EQ, 0); + + /* Lets retry with a known relay address. It should pass. Possible due to + * our consensus setting above. */ + memcpy(&conn->addr, &relay_addr, sizeof(tor_addr_t)); + ret = connection_dir_is_global_write_low(conn, INT_MAX); + tt_int_op(ret, OP_EQ, 0); + + /* Lets retry with a random IP that is not an authority nor a relay. */ + addr_family = tor_addr_parse(&conn->addr, "1.2.3.4"); + tt_int_op(addr_family, OP_EQ, AF_INET); + ret = connection_dir_is_global_write_low(conn, INT_MAX); + tt_int_op(ret, OP_EQ, 0); + + /* Finally, just make sure it still denies an IP if we are _not_ a v3 + * directory authority. */ + mock_options.V3AuthoritativeDir = 0; + addr_family = tor_addr_parse(&conn->addr, "1.2.3.4"); + tt_int_op(addr_family, OP_EQ, AF_INET); + ret = connection_dir_is_global_write_low(conn, INT_MAX); + tt_int_op(ret, OP_EQ, 1); + + /* Random IPv6 should not be allowed. */ + addr_family = tor_addr_parse(&conn->addr, "[CAFE::ACAB]"); + tt_int_op(addr_family, OP_EQ, AF_INET6); + ret = connection_dir_is_global_write_low(conn, INT_MAX); + tt_int_op(ret, OP_EQ, 1); + + done: + connection_free_minimal(conn); + routerstatus_free(rs); routerinfo_free(ri); microdesc_free(md); + smartlist_clear(dummy_ns->routerstatus_list); + networkstatus_vote_free(dummy_ns); + + UNMOCK(get_estimated_address_per_node); + UNMOCK(networkstatus_get_latest_consensus); + UNMOCK(networkstatus_get_latest_consensus_by_flavor); + UNMOCK(get_options); +} + #define BWMGT(name) \ - { #name, test_bwmgt_ ## name , 0, NULL, NULL } + { #name, test_bwmgt_ ## name , TT_FORK, NULL, NULL } struct testcase_t bwmgt_tests[] = { BWMGT(token_buf_init), @@ -229,5 +432,7 @@ struct testcase_t bwmgt_tests[] = { BWMGT(token_buf_dec), BWMGT(token_buf_refill), BWMGT(token_buf_helpers), + + BWMGT(dir_conn_global_write_low), END_OF_TESTCASES };

1 0

[tor/master] dirauth: Rename function for better clarity
by nickm＠torproject.org 20 Feb '20

20 Feb '20

commit 7b4d9fabefa97e1121482ace6bc712cd2b00ff0f Author: David Goulet <dgoulet(a)torproject.org> Date: Thu Feb 6 09:49:00 2020 -0500 dirauth: Rename function for better clarity Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/feature/nodelist/dirlist.c | 2 +- src/feature/nodelist/dirlist.h | 2 +- src/feature/nodelist/nodelist.c | 2 +- src/test/test_address_set.c | 13 +++++++------ 4 files changed, 10 insertions(+), 9 deletions(-) diff --git a/src/feature/nodelist/dirlist.c b/src/feature/nodelist/dirlist.c index 749ff06a5..ccbb37851 100644 --- a/src/feature/nodelist/dirlist.c +++ b/src/feature/nodelist/dirlist.c @@ -67,7 +67,7 @@ add_trusted_dir_to_nodelist_addr_set(const dir_server_t *dir) /** Go over the trusted directory server list and add their address(es) to the * nodelist address set. This is called everytime a new consensus is set. */ MOCK_IMPL(void, -dirlist_add_trusted_addresses, (void)) +dirlist_add_trusted_dir_addresses, (void)) { if (!trusted_dir_servers) { return; diff --git a/src/feature/nodelist/dirlist.h b/src/feature/nodelist/dirlist.h index d4bdb4ced..c49162f1e 100644 --- a/src/feature/nodelist/dirlist.h +++ b/src/feature/nodelist/dirlist.h @@ -44,6 +44,6 @@ void dir_server_add(dir_server_t *ent); void clear_dir_servers(void); void dirlist_free_all(void); -MOCK_DECL(void, dirlist_add_trusted_addresses, (void)); +MOCK_DECL(void, dirlist_add_trusted_dir_addresses, (void)); #endif /* !defined(TOR_DIRLIST_H) */ diff --git a/src/feature/nodelist/nodelist.c b/src/feature/nodelist/nodelist.c index 34214880d..9191173c3 100644 --- a/src/feature/nodelist/nodelist.c +++ b/src/feature/nodelist/nodelist.c @@ -691,7 +691,7 @@ nodelist_set_consensus(networkstatus_t *ns) } SMARTLIST_FOREACH_END(node); /* Then, add all trusted configured directories. Some might not be in the * consensus so make sure we know them. */ - dirlist_add_trusted_addresses(); + dirlist_add_trusted_dir_addresses(); if (! authdir) { SMARTLIST_FOREACH_BEGIN(the_nodelist->nodes, node_t *, node) { diff --git a/src/test/test_address_set.c b/src/test/test_address_set.c index 81dc6dff5..6e299d779 100644 --- a/src/test/test_address_set.c +++ b/src/test/test_address_set.c @@ -33,7 +33,7 @@ mock_networkstatus_get_latest_consensus_by_flavor(consensus_flavor_t f) } static void -mock_dirlist_add_trusted_addresses(void) +mock_dirlist_add_trusted_dir_addresses(void) { return; } @@ -105,8 +105,8 @@ test_nodelist(void *arg) mock_networkstatus_get_latest_consensus_by_flavor); MOCK(get_estimated_address_per_node, mock_get_estimated_address_per_node); - MOCK(dirlist_add_trusted_addresses, - mock_dirlist_add_trusted_addresses); + MOCK(dirlist_add_trusted_dir_addresses, + mock_dirlist_add_trusted_dir_addresses); dummy_ns = tor_malloc_zero(sizeof(*dummy_ns)); dummy_ns->flavor = FLAV_MICRODESC; @@ -123,8 +123,9 @@ test_nodelist(void *arg) addr_per_node = 1024; /* No node no nothing. The lookups should be empty. We've mocked the - * dirlist_add_trusted_addresses in order for _no_ authorities to be added - * to the filter else it makes this test to trigger many false positive. */ + * dirlist_add_trusted_dir_addresses in order for _no_ authorities to be + * added to the filter else it makes this test to trigger many false + * positive. */ nodelist_set_consensus(dummy_ns); /* The address set should be empty. */ @@ -178,7 +179,7 @@ test_nodelist(void *arg) UNMOCK(networkstatus_get_latest_consensus); UNMOCK(networkstatus_get_latest_consensus_by_flavor); UNMOCK(get_estimated_address_per_node); - UNMOCK(dirlist_add_trusted_addresses); + UNMOCK(dirlist_add_trusted_dir_addresses); } struct testcase_t address_set_tests[] = {

1 0

[tor/master] dirlist: Add configured trusted dir to the nodelist address set
by nickm＠torproject.org 20 Feb '20

20 Feb '20

commit bd4f4cb5f0f98f224f0f707c6dd00d2fd8e55a7a Author: David Goulet <dgoulet(a)torproject.org> Date: Tue Jan 28 09:26:28 2020 -0500 dirlist: Add configured trusted dir to the nodelist address set The configured, within the torrc or hardcoded, directory authorities addresses are now added to the nodelist address set. Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- src/feature/nodelist/dirlist.c | 31 +++++++++++++++++++++++++++++++ src/feature/nodelist/dirlist.h | 2 ++ src/feature/nodelist/nodelist.c | 12 +++++++++--- 3 files changed, 42 insertions(+), 3 deletions(-) diff --git a/src/feature/nodelist/dirlist.c b/src/feature/nodelist/dirlist.c index e2a1d6a9f..df347889b 100644 --- a/src/feature/nodelist/dirlist.c +++ b/src/feature/nodelist/dirlist.c @@ -49,6 +49,37 @@ static smartlist_t *trusted_dir_servers = NULL; * and all fallback directory servers. */ static smartlist_t *fallback_dir_servers = NULL; +/** Helper: From a given trusted directory entry, add the v4 or/and v6 address + * to the nodelist address set. */ +static void +add_trusted_dir_to_nodelist_addr_set(const dir_server_t *dir) +{ + tor_assert(dir); + tor_assert(dir->is_authority); + + /* Add IPv4 and then IPv6 if applicable. */ + nodelist_add_addr4_to_address_set(dir->addr); + if (!tor_addr_is_null(&dir->ipv6_addr)) { + nodelist_add_addr6_to_address_set(&dir->ipv6_addr); + } +} + +/** Go over the trusted directory server list and add their address(es) to the + * nodelist address set. This is called everytime a new consensus is set. */ +void +dirlist_add_trusted_addresses(void) +{ + if (!trusted_dir_servers) { + return; + } + + SMARTLIST_FOREACH_BEGIN(trusted_dir_servers, const dir_server_t *, ent) { + if (ent->is_authority) { + add_trusted_dir_to_nodelist_addr_set(ent); + } + } SMARTLIST_FOREACH_END(ent); +} + /** Return the number of directory authorities whose type matches some bit set * in <b>type</b> */ int diff --git a/src/feature/nodelist/dirlist.h b/src/feature/nodelist/dirlist.h index b6dda32d8..d302ff5f6 100644 --- a/src/feature/nodelist/dirlist.h +++ b/src/feature/nodelist/dirlist.h @@ -44,4 +44,6 @@ void dir_server_add(dir_server_t *ent); void clear_dir_servers(void); void dirlist_free_all(void); +void dirlist_add_trusted_addresses(void); + #endif /* !defined(TOR_DIRLIST_H) */ diff --git a/src/feature/nodelist/nodelist.c b/src/feature/nodelist/nodelist.c index 90c655d12..34214880d 100644 --- a/src/feature/nodelist/nodelist.c +++ b/src/feature/nodelist/nodelist.c @@ -633,9 +633,12 @@ nodelist_set_consensus(networkstatus_t *ns) SMARTLIST_FOREACH(the_nodelist->nodes, node_t *, node, node->rs = NULL); - /* Conservatively estimate that every node will have 2 addresses. */ - const int estimated_addresses = smartlist_len(ns->routerstatus_list) * - get_estimated_address_per_node(); + /* Conservatively estimate that every node will have 2 addresses (v4 and + * v6). Then we add the number of configured trusted authorities we have. */ + int estimated_addresses = smartlist_len(ns->routerstatus_list) * + get_estimated_address_per_node(); + estimated_addresses += (get_n_authorities(V3_DIRINFO & BRIDGE_DIRINFO) * + get_estimated_address_per_node()); address_set_free(the_nodelist->node_addrs); the_nodelist->node_addrs = address_set_new(estimated_addresses); @@ -686,6 +689,9 @@ nodelist_set_consensus(networkstatus_t *ns) SMARTLIST_FOREACH_BEGIN(the_nodelist->nodes, node_t *, node) { node_add_to_address_set(node); } SMARTLIST_FOREACH_END(node); + /* Then, add all trusted configured directories. Some might not be in the + * consensus so make sure we know them. */ + dirlist_add_trusted_addresses(); if (! authdir) { SMARTLIST_FOREACH_BEGIN(the_nodelist->nodes, node_t *, node) {

1 0

[tor/master] run "make autostyle"
by nickm＠torproject.org 20 Feb '20

20 Feb '20

commit 5149c100ed9116bfce7053afcf73ca7bfa378fe9 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Feb 20 08:33:40 2020 -0500 run "make autostyle" --- src/feature/relay/ext_orport.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/feature/relay/ext_orport.c b/src/feature/relay/ext_orport.c index 533400bff..5568dacf1 100644 --- a/src/feature/relay/ext_orport.c +++ b/src/feature/relay/ext_orport.c @@ -685,7 +685,7 @@ connection_or_get_by_ext_or_id(const char *id) return NULL; return digestmap_get(orconn_ext_or_id_map, id); } -#endif +#endif /* defined(TOR_UNIT_TESTS) */ /** Deallocate the global Extended ORPort identifier list */ void

1 0

[tor/master] Move router_reset_reachability() into correct header, add a stub
by nickm＠torproject.org 20 Feb '20

20 Feb '20

commit d559ca3d5aa693e4606e34888048eeda0f5c2e97 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Feb 20 08:36:40 2020 -0500 Move router_reset_reachability() into correct header, add a stub Without this, -O0 builds fail, which is a sign that LTO builds may fail too. --- src/feature/relay/router.h | 1 - src/feature/relay/selftest.h | 4 ++++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/feature/relay/router.h b/src/feature/relay/router.h index 782609d8a..2e07df2e8 100644 --- a/src/feature/relay/router.h +++ b/src/feature/relay/router.h @@ -117,7 +117,6 @@ const char *routerinfo_err_to_string(int err); int routerinfo_err_is_transient(int err); void router_reset_warnings(void); -void router_reset_reachability(void); void router_free_all(void); #ifdef ROUTER_PRIVATE diff --git a/src/feature/relay/selftest.h b/src/feature/relay/selftest.h index c7987cf4a..f3dd698bb 100644 --- a/src/feature/relay/selftest.h +++ b/src/feature/relay/selftest.h @@ -21,6 +21,8 @@ void router_do_reachability_checks(int test_or, int test_dir); void router_orport_found_reachable(void); void router_dirport_found_reachable(void); void router_perform_bandwidth_test(int num_circs, time_t now); +void router_reset_reachability(void); + #else /* !defined(HAVE_MODULE_RELAY) */ #define check_whether_orport_reachable(opts) \ @@ -32,6 +34,8 @@ void router_perform_bandwidth_test(int num_circs, time_t now); STMT_NIL #define router_dirport_found_reachable() \ STMT_NIL +#define router_reset_reachability() \ + STMT_NIL static inline void router_do_reachability_checks(int test_or, int test_dir)

1 0

[tpo/master] Change databag and download template
by hiro＠torproject.org 20 Feb '20

20 Feb '20

commit 5fcd29f27025d7651559d746875214494c11744f Author: hiro <hiro(a)torproject.org> Date: Tue Dec 10 13:14:22 2019 +0100 Change databag and download template --- databags/platforms.ini | 4 ++-- templates/hero-download.html | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/databags/platforms.ini b/databags/platforms.ini index 43306c2..7d0efbe 100644 --- a/databags/platforms.ini +++ b/databags/platforms.ini @@ -1,10 +1,10 @@ [windows] path = windows -label = Microsoft Windows +label = Windows [apple] path = osx -label = Apple OS X +label = OS X [linux] path = linux diff --git a/templates/hero-download.html b/templates/hero-download.html index e142ecb..8628627 100644 --- a/templates/hero-download.html +++ b/templates/hero-download.html @@ -29,7 +29,7 @@ <a class="downloadLink" href="{{ download_link }}"> <i class="text-light fab fa-{{ id }}-png"></i> </a> - <a class="btn btn-primary mt-4" href="{{ download_link }}">{{ _('Download for') }} {{ id }}</a> + <a class="btn btn-primary mt-4" href="{{ download_link }}">{{ _('Download for') }} {{ item.label }}</a> <a class="link" href="{{ sig_link }}"><span class="nick text-white">{{ _('Signature') }}</span></a> </div> </div>

1 0

[tpo/master] Merge changes to download templates
by hiro＠torproject.org 20 Feb '20

20 Feb '20

commit 0308ca518be503b715f3462c2a9650c528453ded Author: hiro <hiro(a)torproject.org> Date: Tue Dec 10 12:58:46 2019 +0100 Merge changes to download templates --- templates/download-android.html | 10 +++++++--- templates/download.html | 2 +- templates/hero-download.html | 22 +++++++++++++--------- templates/navbar-min.html | 19 +++++++++++++++++++ 4 files changed, 40 insertions(+), 13 deletions(-) diff --git a/templates/download-android.html b/templates/download-android.html index bcb8fcc..968a579 100644 --- a/templates/download-android.html +++ b/templates/download-android.html @@ -14,6 +14,13 @@ <div class="row"> <h3 class="mx-auto text-center text-white">{{ _('Protect yourself against tracking, surveillance, and censorship.') }}</h3> </div> + </div> + <div class="d-none d-lg-block col-lg-4"> + <img class="img-fluid p-5" height="auto" src="{{ 'static/images/tor-browser-mobile-window/png/TBAa-onboarding(a)2x.png'|asseturl }}"> + </div> + </div> + <div class="row col-lg-10 mx-auto"> + <div class="col-lg-12 py-5 mt-5"> <div class="row my-5"> <div class="col-xl-6 mx-auto text-center"> {% set t = bag('versions', 'torbrowser-stable') %} @@ -36,9 +43,6 @@ </div> </div> </div> - <div class="d-none d-lg-block col-lg-5 col-md-6"> - <img class="img-fluid p-5 m-5" height="auto" src="{{ 'static/images/tor-browser-mobile-window/png/TBAa-onboarding(a)2x.png'|asseturl }}"> - </div> </div> <div class="row pb-5"> <a class="text-light mx-auto text-center nick" href="https://itunes.apple.com/us/app/onion-browser/id519296448?mt=8">{{ _('Are you an iOS user? We encourage you to try Onion Browser.') }} </a> diff --git a/templates/download.html b/templates/download.html index b5ef03d..27f7192 100644 --- a/templates/download.html +++ b/templates/download.html @@ -11,7 +11,7 @@ </div> <div class="row pl-3 pr-5 text-tpo"> <p class="text-tpo">{{ _('If Tor is not censored, one of the most common reasons Tor won\'t connect is an incorrect system clock. Please make sure it\'s set correctly.') }}</p> - <a href="https://support.torproject.org/{{ this.alt }}" title="{{ _('Support Portal') }}">{{ _('Read other FAQs at our Support Portal') }}</a> + <h6><a href="https://support.torproject.org/{{ this.alt }}" title="{{ _('Support Portal') }}">{{ _('Read other FAQ\'s at our Support Portal') }}</a></h6> </div> </div> <div class="col-sm-6"> diff --git a/templates/hero-download.html b/templates/hero-download.html index a13fb08..e142ecb 100644 --- a/templates/hero-download.html +++ b/templates/hero-download.html @@ -7,7 +7,7 @@ <div class="row p-5 mx-auto"> {% for id, item in bag('platforms').items() %} <div class="col-sm-6 col-md-3 py-3"> - <div class="oval-2 bg-darker mx-auto"> + <div class="oval-2 bg-darker"> {% set alt_l = alt %} {% set t = bag('versions', 'torbrowser-stable') %} {% set download_prefix = '/dist/torbrowser/' + t.version + '/' %} @@ -29,23 +29,27 @@ <a class="downloadLink" href="{{ download_link }}"> <i class="text-light fab fa-{{ id }}-png"></i> </a> - <p><small class="float-left"><a class="btn btn-primary btn-sm nick mx-5 my-4" href="{{ sig_link }}">sig</a></small></p> + <a class="btn btn-primary mt-4" href="{{ download_link }}">{{ _('Download for') }} {{ id }}</a> + <a class="link" href="{{ sig_link }}"><span class="nick text-white">{{ _('Signature') }}</span></a> </div> </div> - {% endfor %} - <div class="col-sm-6 col-md-3 py-3"> - <div class="oval-2 bg-darker mx-auto"> - <a href="#android"> - <i class="text-light fab fa-android-png"></i> - </a> + {% endfor %} + <div class="col-sm-6 col-md-3 py-3"> + <div class="oval-2 bg-darker mx-auto"> + <a href="#android"> + <i class="text-light fab fa-android-png"></i> + </a> + <a class="btn btn-primary mt-4" href="#android">{{ _('Download for Android') }}</a> + </div> </div> - </div> </div> + <div class="row p-5"> <a class="mx-auto text-white py-3 text-center" href="{{ 'languages'|url(alt=this.alt) }}"><u>{{ _('Download in another language or platform') }}</u></a> <a class="mx-auto text-white py-3 text-center" href="{{ 'alpha'|url(alt=this.alt) }}"><u>{{ _('Download the latest alpha build') }}</u></a> <a class="mx-auto text-white py-3 text-center" href="{{ 'tor'|url(alt=this.alt) }}"><u>{{ _('Download Tor Source Code') }}</u></a> </div> + <div class="hidden-sm row p-md-5 justify-content-center window-bg"> <a class="mx-auto text-white text-center py-md-5" href="https://blog.torproject.org/category/tags/tor-browser"><u>{{ _('Read the latest release announcements') }}</u></a> </div> diff --git a/templates/navbar-min.html b/templates/navbar-min.html new file mode 100644 index 0000000..f9d2bc7 --- /dev/null +++ b/templates/navbar-min.html @@ -0,0 +1,19 @@ +{% if not this.color %} +<div class="container-fluid bg-primary"> + <nav class="navbar no-background navbar-expand-lg navbar-dark bg-primary p-2"> +{% elif this.color == 'primary' %} +<div class="container-fluid bg-primary"> + <nav class="navbar no-background navbar-expand-lg navbar-dark bg-primary p-2"> +{% else %} +<div class="container-fluid bg-dark"> + <nav class="navbar no-background navbar-expand-lg navbar-dark bg-dark p-2"> +{% endif %} + + <a class="navbar-brand" href="{{ '/'|url(alt=this.alt) }}"> + <img alt="{{ 'The Tor Project' }}" src="{{ '/static/images/tor-logo(a)2x.png'|asseturl }}" > + <span class="sr-only">Tor Logo</span> + </a> + + </div> + </nav> +</div>

1 0