[tor-commits] [tor/master] HSDir flag now requires the Stable flag
commit 6785f0b65a106561a36239d89140bf18be3d7c6c Author: David Goulet dgou...@ev0ke.net Date: Mon May 11 11:27:30 2015 -0400 HSDir flag now requires the Stable flag Fixes #8243 --- changes/ticket8243 |7 +++ src/or/dirserv.c |6 -- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/changes/ticket8243 b/changes/ticket8243 new file mode 100644 index 000..8946a21 --- /dev/null +++ b/changes/ticket8243 @@ -0,0 +1,7 @@ + o Minor feature: +- The HSDir flag given by authorities now requires the Stable flag. For + the current network, this results in going from 2887 to 2806 HSDirs. + Also, it makes it harder for an attacker to launch a sybil attack by + raising the effort for a relay to become Stable which takes at the + very least 7 days to do so and by keeping the 96 hours uptime + requirement for HSDir. Implements ticket #8243. diff --git a/src/or/dirserv.c b/src/or/dirserv.c index a024be8..65bfafb 100644 --- a/src/or/dirserv.c +++ b/src/or/dirserv.c @@ -1278,8 +1278,9 @@ dirserv_thinks_router_is_unreliable(time_t now, } /** Return true iff brouter/b should be assigned the HSDir flag. - * Right now this means it advertises support for it, it has a high - * uptime, it has a DirPort open, and it's currently considered Running. + * Right now this means it advertises support for it, it has a high uptime, + * it has a DirPort open, it has the Stable flag and it's currently + * considered Running. * * This function needs to be called after router-\is_running has * been set. @@ -1306,6 +1307,7 @@ dirserv_thinks_router_is_hs_dir(const routerinfo_t *router, uptime = real_uptime(router, now); return (router-wants_to_be_hs_dir router-dir_port + node-is_stable uptime = get_options()-MinUptimeHidServDirectoryV2 router_is_active(router, node, now)); } ___ tor-commits mailing list tor-commits@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
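Review bot: the changes/ticket8243 entry is headed only "o Minor feature:" with no subsystem in parentheses. The text argues a sybil-resistance benefit for the flag that authorities assign, so tag the heading accordingly, for example with a "(directory authorities, security)" suffix, so the entry is sorted into the right ChangeLog section.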
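Review bot: in the doc comment of dirserv_thinks_router_is_hs_dir(), the precondition still reads only "This function needs to be called after router->is_running has been set", although the function now also reads the node's Stable status. Say that Stable must already have been computed for the node when this is called; a caller that evaluates HSDir before Stable would otherwise withhold the flag with no error.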
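Review bot: the added node->is_stable term in the return expression dereferences node ahead of router_is_active(router, node, now), and the visible context shows no NULL check on node. Confirm that node is guaranteed non-NULL at this point or add an explicit guard, since this code runs on the directory authorities that hand out the flag.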
[tor-commits] [tor/master] Merge remote-tracking branch 'origin/maint-0.2.6'
commit c0c0a6085e7e6395e4f5819ba47076786ae2f2b0 Merge: 2f67a6e 6785f0b Author: Nick Mathewson ni...@torproject.org Date: Mon Jun 8 10:33:38 2015 -0400 Merge remote-tracking branch 'origin/maint-0.2.6' changes/ticket8243 |7 +++ src/or/dirserv.c |6 -- 2 files changed, 11 insertions(+), 2 deletions(-)
[tor-commits] [tor/maint-0.2.6] HSDir flag now requires the Stable flag
commit 6785f0b65a106561a36239d89140bf18be3d7c6c Author: David Goulet dgou...@ev0ke.net Date: Mon May 11 11:27:30 2015 -0400 HSDir flag now requires the Stable flag Fixes #8243 --- changes/ticket8243 |7 +++ src/or/dirserv.c |6 -- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/changes/ticket8243 b/changes/ticket8243 new file mode 100644 index 000..8946a21 --- /dev/null +++ b/changes/ticket8243 @@ -0,0 +1,7 @@ + o Minor feature: +- The HSDir flag given by authorities now requires the Stable flag. For + the current network, this results in going from 2887 to 2806 HSDirs. + Also, it makes it harder for an attacker to launch a sybil attack by + raising the effort for a relay to become Stable which takes at the + very least 7 days to do so and by keeping the 96 hours uptime + requirement for HSDir. Implements ticket #8243. diff --git a/src/or/dirserv.c b/src/or/dirserv.c index a024be8..65bfafb 100644 --- a/src/or/dirserv.c +++ b/src/or/dirserv.c @@ -1278,8 +1278,9 @@ dirserv_thinks_router_is_unreliable(time_t now, } /** Return true iff brouter/b should be assigned the HSDir flag. - * Right now this means it advertises support for it, it has a high - * uptime, it has a DirPort open, and it's currently considered Running. + * Right now this means it advertises support for it, it has a high uptime, + * it has a DirPort open, it has the Stable flag and it's currently + * considered Running. * * This function needs to be called after router-\is_running has * been set. @@ -1306,6 +1307,7 @@ dirserv_thinks_router_is_hs_dir(const routerinfo_t *router, uptime = real_uptime(router, now); return (router-wants_to_be_hs_dir router-dir_port + node-is_stable uptime = get_options()-MinUptimeHidServDirectoryV2 router_is_active(router, node, now)); } ___ tor-commits mailing list tor-commits@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
[tor-commits] [tor/release-0.2.6] Merge branch 'maint-0.2.6' into release-0.2.6
commit 602e328dc33fec8eec976e497e04db810382b8b9 Merge: 2fe3afc 6785f0b Author: Nick Mathewson ni...@torproject.org Date: Mon Jun 8 10:42:25 2015 -0400 Merge branch 'maint-0.2.6' into release-0.2.6 changes/bug16030|3 +++ changes/bug16164|4 changes/bug16212|5 + changes/bug16244|7 +++ changes/bug16247|5 + changes/ticket8243 |7 +++ configure.ac|2 +- src/common/sandbox.c| 12 src/or/connection.c |4 ++-- src/or/dirserv.c|6 -- src/or/main.c |2 +- src/test/test_channel.c |2 +- 12 files changed, 52 insertions(+), 7 deletions(-)
[tor-commits] [tor/release-0.2.6] Start changelog for 0.2.6.9 (lintchanges, sortchanges, formatchangelog).
commit 41db4bffd69f7de99c2381d56de8c3b6e348fd79 Author: Nick Mathewson ni...@torproject.org Date: Mon Jun 8 10:50:54 2015 -0400 Start changelog for 0.2.6.9 (lintchanges, sortchanges, formatchangelog). --- ChangeLog | 36 changes/bug16030 |3 --- changes/bug16164 |4 changes/bug16212 |5 - changes/bug16244 |7 --- changes/bug16247 |5 - changes/ticket8243 |7 --- 7 files changed, 36 insertions(+), 31 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8135c78..0670977 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,39 @@ +Changes in version 0.2.6.9 - 2015-06-?? + Blurb goes here. + + o Major bugfixes (client-side privacy): +- Properly separate out each SOCKSPort when applying stream + isolation. The error occured because each port's session group was + being overwritten by a default value. Fixes bug 16247; bugfix on + 0.2.6.3-alpha. Patch by jojelino. + + o Minor feature (directory aurhorities, security): +- The HSDir flag given by authorities now requires the Stable flag. + For the current network, this results in going from 2887 to 2806 + HSDirs. Also, it makes it harder for an attacker to launch a sybil + attack by raising the effort for a relay to become Stable which + takes at the very least 7 days to do so and by keeping the 96 + hours uptime requirement for HSDir. Implements ticket 8243. + + o Minor bugfixes (compilation): +- Build with --enable-systemd correctly when libsystemd is + installed, but systemd is not. Fixes bug 16164; bugfix on + 0.2.6.3-alpha. Patch from Peter Palfrader. + + o Minor bugfixes (Linux seccomp2 sandbox): +- Fix sandboxing to work when running as a relay again. This + includes correctly allowing renaming secret_id_key and allowing + the eventfd2 and futex syscalls. Fixes bug 16244; bugfix on + 0.2.6.1-alpha. Patch by Peter Palfrader. +- Allow systemd connections to work with the Linux seccomp2 sandbox + code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by + Peter Palfrader. + + o Minor bugfixes (tests): +- Fix a crash in the unit tests on MSVC2013. Fixes bug 16030; bugfix + on 0.2.6.2-alpha. Patch from NewEraCracker. + + Changes in version 0.2.6.8 - 2015-05-21 Tor 0.2.6.8 fixes a bit of dodgy code in parsing INTRODUCE2 cells, and fixes an authority-side bug in assigning the HSDir flag. All directory diff --git a/changes/bug16030 b/changes/bug16030 deleted file mode 100644 index c14fd62..000 --- a/changes/bug16030 +++ /dev/null 
@@ -1,3 +0,0 @@ - o Minor bugfixes (tests): -- Fix a crash in the unit tests on MSVC2013. Fixes bug 16030; bugfix on - 0.2.6.2-alpha. Patch from NewEraCracker. \ No newline at end of file diff --git a/changes/bug16164 b/changes/bug16164 deleted file mode 100644 index fbb383c..000 --- a/changes/bug16164 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation): -- Build with --enable-systemd correctly when libsystemd is installed, - but systemd is not. Fixes bug 16164, bugfix on 0.2.6.3-alpha. Patch - from Peter Palfrader. diff --git a/changes/bug16212 b/changes/bug16212 deleted file mode 100644 index bc12463..000 --- a/changes/bug16212 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (sandbox, systemd): -- Allow systemd connections to work with the Linux seccomp2 sandbox - code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. - Patch by Peter Palfrader. - diff --git a/changes/bug16244 b/changes/bug16244 deleted file mode 100644 index 00bc557..000 --- a/changes/bug16244 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (sandbox, relay): -- Fix sandboxing to work when running as a relay again. This - includes correctly allowing renaming secret_id_key and - allowing the eventfd2 and futex syscalls. - Fixes bug 16244; bugfix on 0.2.6.1-alpha. - Patch by Peter Palfrader. - diff --git a/changes/bug16247 b/changes/bug16247 deleted file mode 100644 index 9464b1c..000 --- a/changes/bug16247 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (client-side privacy): -- Properly separate out each SOCKSPort when applying stream isolation. - The error occured because each port's session group was being - overwritten by a default value. Fixes bug 16247; bugfix on - 0.2.6.3-alpha. Patch by jojelino. diff --git a/changes/ticket8243 b/changes/ticket8243 deleted file mode 100644 index 8946a21..000 --- a/changes/ticket8243 +++ /dev/null 
@@ -1,7 +0,0 @@ - o Minor feature: -- The HSDir flag given by authorities now requires the Stable flag. For - the current network, this results in going from 2887 to 2806 HSDirs. - Also, it makes it harder for an attacker to launch a sybil attack by - raising the effort for a relay to become Stable which takes at the - very least 7 days to do so and by keeping the 96 hours
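Review bot: the new 0.2.6.9 section in the ChangeLog hunk carries placeholders and typos that must be cleaned up before release: the date is "2015-06-??", the summary is "Blurb goes here.", the heading reads "directory aurhorities", and "occured" is carried over from changes/bug16247. Bug 16247 is also listed here under "Major bugfixes (client-side privacy)" while its changes file said "Minor bugfixes"; confirm the promotion is intended.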
[tor-commits] [tor/release-0.2.6] Fix unit tests on MSVC2013.
commit 8ca3773f686c43328f3c05a35d4d0e61a30b980c Author: Nick Mathewson ni...@torproject.org Date: Tue May 26 10:24:21 2015 -0400 Fix unit tests on MSVC2013. Patch from NewEraCracker. Fixes bug16030; bugfix on 0.2.6.2-alpha. --- changes/bug16030|3 +++ src/test/test_channel.c |2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/changes/bug16030 b/changes/bug16030 new file mode 100644 index 000..c14fd62 --- /dev/null +++ b/changes/bug16030 @@ -0,0 +1,3 @@ + o Minor bugfixes (tests): +- Fix a crash in the unit tests on MSVC2013. Fixes bug 16030; bugfix on + 0.2.6.2-alpha. Patch from NewEraCracker. \ No newline at end of file diff --git a/src/test/test_channel.c b/src/test/test_channel.c index 6cf6649..e11ac3f 100644 --- a/src/test/test_channel.c +++ b/src/test/test_channel.c @@ -420,6 +420,7 @@ new_fake_channel(void) chan-close = chan_test_close; chan-get_overhead_estimate = chan_test_get_overhead_estimate; + chan-get_remote_descr = chan_test_get_remote_descr; chan-num_bytes_queued = chan_test_num_bytes_queued; chan-num_cells_writeable = chan_test_num_cells_writeable; chan-write_cell = chan_test_write_cell; @@ -615,7 +616,6 @@ test_channel_dumpstats(void *arg) /* Test channel_dump_statistics */ ch-describe_transport = chan_test_describe_transport; ch-dumpstats = chan_test_dumpstats; - ch-get_remote_descr = chan_test_get_remote_descr; ch-is_canonical = chan_test_is_canonical; old_count = test_dumpstats_calls; channel_dump_statistics(ch, LOG_DEBUG); ___ tor-commits mailing list tor-commits@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
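Review bot: changes/bug16030 ends with "\ No newline at end of file". Add the trailing newline so the entry concatenates cleanly with the other changes files when the ChangeLog is assembled.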
[tor-commits] [torspec/master] actually add proposal 245
commit 3605bcf15635a9a5a7f034887944091514f70ee8 Author: Nick Mathewson ni...@torproject.org Date: Mon Jun 8 11:21:57 2015 -0400 actually add proposal 245 --- proposals/245-tap-out.txt | 96 + 1 file changed, 96 insertions(+) diff --git a/proposals/245-tap-out.txt b/proposals/245-tap-out.txt new file mode 100644 index 000..27d73ab --- /dev/null +++ b/proposals/245-tap-out.txt 
@@ -0,0 +1,96 @@ +Filename: 245-tap-out.txt +Title: Deprecating and removing the TAP circuit extension protocol +Author: Nick Mathewson +Created: 2015-06-02 +Status: Draft + +0. Introduction + + This proposal describes a series of steps necessary for deprecating + TAP without breaking functionality. + + TAP is the original protocol for one-way authenticated key negotiation + used by Tor. Before Tor version 0.2.4, it was the only supported + protocol. Its key length is unpleasantly short, however, and it had + some design warts. Moreover, it had no name, until Ian Goldberg wrote + a paper about the design warts. + + Why deprecate and remove it? Because ntor is better in basically + every way. It's actually got a proper security proof, the key + strength seems to be 20th-century secure, and so on. Meanwhile, TAP + is lingering as a zombie, taking up space in descriptors and + microdescriptors. + +1. TAP is still in (limited) use today for hidden service hops. + + The original hidden service protocol only describes a way to tell + clients and servers about an introduction point's or a rendezvous + point's TAP onion key. + + We can do a bit better (see section 4), but we can't break TAP + completely until current clients and hidden services are obsolete. + +2. The step-by-step process. + + Step 1. Adjust the parsing algorithm for descriptors and microdescriptors + on servers so that it accepts MDs without a TAP key. See section 3 below. + Target: 0.2.7. + + Step 1b. Optionally, when connecting to a known IP/RP, extend by ntor. + (See section 4 below.) + + Step 2. Wait until proposal 224 is implemented. (Clients and hidden + services implementing 224 won't need TAP for anything.) + + Step 3. Begin throttling TAP answers even more aggressively at relays. + Target: prop224 is stable. + + Step 4. Wait until all versions of Tor without prop224 support are + obsolete/deprecated. + + Step 5. 
Stop generating TAP keys; stop answering TAP requests; stop + advertising TAP keys in descriptors; stop including them in + microdescriptors. + Target: prop224 has been stable for 12-18 months, and 0.2.7 has been stable + for 2-3 years. + + +3. Accepting descriptors without TAP keys. (Step 1) + + Our microdescriptor parsing code uses the string onion-key at the + start of the line to identify the boundary between microdescriptors, + so we can't remove it entirely. Instead, we will make the body + optional. + + We will make the following changes to dir-spec: + + - In router descriptors, make the onion-key field at most once + instead of exactly once. + + - In microdescriptors, make the body of onion-key optional. + + Until Step 4, authorities MUST still reject any descriptor without a + TAP key. + + If we do step 1 before proposal 224 is implemented, we'll need to make + sure that we never choose a relay without a TAP key as an introduction + point or a rendezvous point. + +4. Avoiding TAP earlier for HS usage (Step 1b) + + We could begin to move more circuits off TAP now by adjusting our + behavior for extending circuits to Introduction Points and Rendezvous + Points. The new rule would be: + + If you've been told to extend to an IP/RP, and you know a directory + entry for that relay (matching by identity), you extend using the + node_t you have instead. + + This would improve cryptographic security a bit, at the expense of + making it possible to probe for whether a given hidden service has an + up-to-date consensus or not, and learn whether each client has an + up-to-date consensus or not. We need to figure out whether that + enables an attack. + + (For reference, the functions to patch would be + rend_client_get_random_intro_impl and find_rp_for_intro.) ___ tor-commits mailing list tor-commits@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
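Review bot: section 3 says "Until Step 4, authorities MUST still reject any descriptor without a TAP key", but Step 4 is itself a waiting period, so it is unclear whether authorities may start accepting such descriptors when the wait begins or only once it is over. Tie the rule to a concrete event, for example "until Step 4 is complete" or "until Step 5". Section 4 also leaves open whether extending by the local node_t lets an observer probe consensus freshness ("We need to figure out whether that enables an attack"); Step 1b in section 2 should say it is blocked on that analysis.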
[tor-commits] [tor/release-0.2.6] Fix --enable-systemd builds on systems with libsystemd but not systemd
commit 08e8c21b1f0acac5e023d05d59f175f2f5716288 Author: Nick Mathewson ni...@torproject.org Date: Tue May 26 09:39:53 2015 -0400 Fix --enable-systemd builds on systems with libsystemd but not systemd Fixes bug 16164; bugfix on 0.2.6.3-alpha. Patch from Peter Palfrader. --- changes/bug16164 |4 configure.ac |2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/changes/bug16164 b/changes/bug16164 new file mode 100644 index 000..fbb383c --- /dev/null +++ b/changes/bug16164 @@ -0,0 +1,4 @@ + o Minor bugfixes (compilation): +- Build with --enable-systemd correctly when libsystemd is installed, + but systemd is not. Fixes bug 16164, bugfix on 0.2.6.3-alpha. Patch + from Peter Palfrader. diff --git a/configure.ac b/configure.ac index 81ef2c7..156bb3f 100644 --- a/configure.ac +++ b/configure.ac @@ -131,7 +131,7 @@ if test x$have_systemd = xyes; then AC_DEFINE(HAVE_SYSTEMD,1,[Have systemd]) TOR_SYSTEMD_CFLAGS=${SYSTEMD_CFLAGS} TOR_SYSTEMD_LIBS=${SYSTEMD_LIBS} -PKG_CHECK_MODULES(SYSTEMD209, [systemd = 209], +PKG_CHECK_MODULES(LIBSYSTEMD209, [libsystemd = 209], [AC_DEFINE(HAVE_SYSTEMD_209,1,[Have systemd v209 or more])], []) fi AC_SUBST(TOR_SYSTEMD_CFLAGS) ___ tor-commits mailing list tor-commits@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
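Review bot: in the configure.ac hunk the pkg-config module and variable prefix become libsystemd and LIBSYSTEMD209, but the define and its description remain HAVE_SYSTEMD_209 and "Have systemd v209 or more". Reword the description to say it is libsystemd 209 or later, so the comment generated for the define matches what is actually tested.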
[tor-commits] [tor/release-0.2.6] Set session_group after the port's data structure has been populated.
commit f2ff8145820243a05803367d31c8b34e03048706 Author: Yawning Angel yawn...@schwanenlied.me Date: Thu Jun 4 13:53:35 2015 + Set session_group after the port's data structure has been populated. Fixes #16247, patch by jojelino. --- changes/bug16247|5 + src/or/connection.c |4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/changes/bug16247 b/changes/bug16247 new file mode 100644 index 000..9464b1c --- /dev/null +++ b/changes/bug16247 @@ -0,0 +1,5 @@ + o Minor bugfixes (client-side privacy): +- Properly separate out each SOCKSPort when applying stream isolation. + The error occured because each port's session group was being + overwritten by a default value. Fixes bug 16247; bugfix on + 0.2.6.3-alpha. Patch by jojelino. diff --git a/src/or/connection.c b/src/or/connection.c index 7db0238..721ee20 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -1284,6 +1284,8 @@ connection_listener_new(const struct sockaddr *listensockaddr, conn-port = gotPort; tor_addr_copy(conn-addr, addr); + memcpy(lis_conn-entry_cfg, port_cfg-entry_cfg, sizeof(entry_port_cfg_t)); + if (port_cfg-entry_cfg.isolation_flags) { lis_conn-entry_cfg.isolation_flags = port_cfg-entry_cfg.isolation_flags; if (port_cfg-entry_cfg.session_group = 0) { @@ -1299,8 +1301,6 @@ connection_listener_new(const struct sockaddr *listensockaddr, } } - memcpy(lis_conn-entry_cfg, port_cfg-entry_cfg, sizeof(entry_port_cfg_t)); - if (type != CONN_TYPE_AP_LISTENER) { lis_conn-entry_cfg.ipv4_traffic = 1; lis_conn-entry_cfg.ipv6_traffic = 1; ___ tor-commits mailing list tor-commits@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
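Review bot: changes/bug16247 files a failure to keep SOCKSPorts apart under stream isolation as "Minor bugfixes (client-side privacy)". Given the privacy tag, consider whether "Major" is the right severity. "occured" should be "occurred".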
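Review bot: in connection_listener_new(), once the memcpy of port_cfg->entry_cfg sits ahead of the isolation block, the line that assigns lis_conn->entry_cfg.isolation_flags from port_cfg->entry_cfg.isolation_flags just below it is redundant. Nothing in the code records that the copy has to come before the session_group assignment, so add a one-line comment saying so, and a test with two SOCKSPorts that checks their session groups differ, so the ordering is not undone again.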
[tor-commits] [tor/release-0.2.6] Fix sandboxing to work when running as a relay
commit a68e5323f809056cae9fcefc06357f9646595d89 Author: Peter Palfrader pe...@palfrader.org Date: Tue Jun 2 20:06:49 2015 +0200 Fix sandboxing to work when running as a relay This includes correctly allowing renaming secret_id_key and allowing the eventfd2 and futex syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. --- changes/bug16244 |7 +++ src/common/sandbox.c |2 ++ src/or/main.c|2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/changes/bug16244 b/changes/bug16244 new file mode 100644 index 000..00bc557 --- /dev/null +++ b/changes/bug16244 @@ -0,0 +1,7 @@ + o Minor bugfixes (sandbox, relay): +- Fix sandboxing to work when running as a relay again. This + includes correctly allowing renaming secret_id_key and + allowing the eventfd2 and futex syscalls. + Fixes bug 16244; bugfix on 0.2.6.1-alpha. + Patch by Peter Palfrader. + diff --git a/src/common/sandbox.c b/src/common/sandbox.c index a32bd0d..cdb4521 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -129,11 +129,13 @@ static int filter_nopar_gen[] = { SCMP_SYS(clone), SCMP_SYS(epoll_create), SCMP_SYS(epoll_wait), +SCMP_SYS(eventfd2), SCMP_SYS(fcntl), SCMP_SYS(fstat), #ifdef __NR_fstat64 SCMP_SYS(fstat64), #endif +SCMP_SYS(futex), SCMP_SYS(getdents64), SCMP_SYS(getegid), #ifdef __NR_getegid32 diff --git a/src/or/main.c b/src/or/main.c index d0fe8cb..8aa9a15 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2984,7 +2984,7 @@ sandbox_init_filter(void) // orport if (server_mode(get_options())) { -OPEN_DATADIR2_SUFFIX(keys, secret_id_key, tmp); +OPEN_DATADIR2_SUFFIX(keys, secret_id_key, .tmp); OPEN_DATADIR2_SUFFIX(keys, secret_onion_key, .tmp); OPEN_DATADIR2_SUFFIX(keys, secret_onion_key_ntor, .tmp); OPEN_DATADIR2(keys, secret_id_key.old); ___ tor-commits mailing list tor-commits@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
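Review bot: SCMP_SYS(eventfd2) and SCMP_SYS(futex) are added to filter_nopar_gen, so they are allowed with any arguments and in every mode, while the commit message motivates them only by relay operation. Add a comment naming the code path that issues them. Unlike the fstat64 entry between them, they carry no #ifdef __NR_ guard, so check that both are defined on every architecture the sandbox is built for.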
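Review bot: the fix in sandbox_init_filter() is a single missing dot in the suffix of the secret_id_key entry ("tmp" versus ".tmp"), and the two lines after it repeat the same suffix literal. The patch adds no test, so consider a shared constant for the suffix or a test that starts a relay under the sandbox, so that a mismatch between the allowed rename path and the real one is caught before release.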
[tor-commits] [tor/release-0.2.6] Fix sandbox use with systemd. bug 16212.
commit 97330ced0c2e0eeae9bb2bc576bb72190237819d Author: Nick Mathewson ni...@torproject.org Date: Thu May 28 14:05:46 2015 -0400 Fix sandbox use with systemd. bug 16212. --- changes/bug16212 |5 + src/common/sandbox.c | 10 ++ 2 files changed, 15 insertions(+) diff --git a/changes/bug16212 b/changes/bug16212 new file mode 100644 index 000..bc12463 --- /dev/null +++ b/changes/bug16212 @@ -0,0 +1,5 @@ + o Minor bugfixes (sandbox, systemd): +- Allow systemd connections to work with the Linux seccomp2 sandbox + code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. + Patch by Peter Palfrader. + diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 49316c6..a32bd0d 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -170,6 +170,7 @@ static int filter_nopar_gen[] = { SCMP_SYS(read), SCMP_SYS(rt_sigreturn), SCMP_SYS(sched_getaffinity), +SCMP_SYS(sendmsg), SCMP_SYS(set_robust_list), #ifdef __NR_sigreturn SCMP_SYS(sigreturn), @@ -547,6 +548,15 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter) SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX), SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM), SCMP_CMP(2, SCMP_CMP_EQ, 0)); + if (rc) +return rc; + + rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), + SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX), + SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM), + SCMP_CMP(2, SCMP_CMP_EQ, 0)); + if (rc) +return rc; rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK), ___ tor-commits mailing list tor-commits@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
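Review bot: SCMP_SYS(sendmsg) is added to filter_nopar_gen unconditionally, so every sandboxed build gains sendmsg with no argument restrictions, including builds without systemd support. Wrap the entry in the build-time check that gates the systemd code (HAVE_SYSTEMD) so the allow-list stays as small as before for other builds.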
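Review bot: the new seccomp_rule_add_3() call in sb_socket() permits PF_UNIX datagram sockets in all builds and carries no comment. State that the rule exists for the systemd case named in changes/bug16212 and, as with sendmsg, consider compiling it only when systemd support is enabled.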
[tor-commits] [tor/release-0.2.6] HSDir flag now requires the Stable flag
commit 6785f0b65a106561a36239d89140bf18be3d7c6c Author: David Goulet dgou...@ev0ke.net Date: Mon May 11 11:27:30 2015 -0400 HSDir flag now requires the Stable flag Fixes #8243 --- changes/ticket8243 |7 +++ src/or/dirserv.c |6 -- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/changes/ticket8243 b/changes/ticket8243 new file mode 100644 index 000..8946a21 --- /dev/null +++ b/changes/ticket8243 @@ -0,0 +1,7 @@ + o Minor feature: +- The HSDir flag given by authorities now requires the Stable flag. For + the current network, this results in going from 2887 to 2806 HSDirs. + Also, it makes it harder for an attacker to launch a sybil attack by + raising the effort for a relay to become Stable which takes at the + very least 7 days to do so and by keeping the 96 hours uptime + requirement for HSDir. Implements ticket #8243. diff --git a/src/or/dirserv.c b/src/or/dirserv.c index a024be8..65bfafb 100644 --- a/src/or/dirserv.c +++ b/src/or/dirserv.c @@ -1278,8 +1278,9 @@ dirserv_thinks_router_is_unreliable(time_t now, } /** Return true iff brouter/b should be assigned the HSDir flag. - * Right now this means it advertises support for it, it has a high - * uptime, it has a DirPort open, and it's currently considered Running. + * Right now this means it advertises support for it, it has a high uptime, + * it has a DirPort open, it has the Stable flag and it's currently + * considered Running. * * This function needs to be called after router-\is_running has * been set. @@ -1306,6 +1307,7 @@ dirserv_thinks_router_is_hs_dir(const routerinfo_t *router, uptime = real_uptime(router, now); return (router-wants_to_be_hs_dir router-dir_port + node-is_stable uptime = get_options()-MinUptimeHidServDirectoryV2 router_is_active(router, node, now)); } ___ tor-commits mailing list tor-commits@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
[tor-commits] [tor/master] Edit contrib/README to document the contrib/clang directory
commit 7f3b15a8ec119f696f666dc2d98e25d71c69e19c Author: teor teor2...@gmail.com Date: Sat Jun 6 07:56:41 2015 +1000 Edit contrib/README to document the contrib/clang directory --- contrib/README |7 +++ 1 file changed, 7 insertions(+) diff --git a/contrib/README b/contrib/README index 07c6f77..3a94bb5 100644 --- a/contrib/README +++ b/contrib/README @@ -11,6 +11,13 @@ add-tor is an old script to manipulate the approved-routers file. nagios-check-tor-authority-cert is a nagios script to check when Tor authority certificates are expired or nearly expired. +clang/ -- Files for use with the clang compiler +--- + +sanitize_blacklist.txt is used to build Tor with clang's dynamic +AddressSanitizer and UndefinedBehaviorSanitizer. It contains detailed +instructions on configuration, build, and testing with clang's sanitizers. + client-tools/ -- Tools for use with Tor clients --- ___ tor-commits mailing list tor-commits@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
[tor-commits] [tor/master] Merge remote-tracking branch 'teor/feature15817-clang-sanitizers'
commit 64bdf040f021ca3ccb661c4056ee857e2ed44a4e Merge: c0c0a60 7f3b15a Author: Nick Mathewson ni...@torproject.org Date: Mon Jun 8 10:57:25 2015 -0400 Merge remote-tracking branch 'teor/feature15817-clang-sanitizers' changes/feature15817-clang-sanitizers |7 +++ contrib/README|7 +++ contrib/clang/sanitize_blacklist.txt | 89 + doc/HACKING | 26 ++ 4 files changed, 129 insertions(+)
[tor-commits] [tor/master] Add instructions for clang sanitizers, static analyzer, and coverity
commit bc0a9843e5cd8ed407e79d7f7e7b5404210924c4 Author: teor teor2...@gmail.com Date: Sat Jun 6 04:04:23 2015 +1000 Add instructions for clang sanitizers, static analyzer, and coverity Document use of coverity, clang static analyzer, and clang dynamic undefined behavior and address sanitizers in doc/HACKING. Add clang dynamic sanitizer blacklist in contrib/clang/sanitizer_blacklist.txt to exempt known undefined behavior. Include detailed usage instructions in this blacklist file. Patch by teor. --- changes/feature15817-clang-sanitizers |7 +++ contrib/clang/sanitize_blacklist.txt | 89 + doc/HACKING | 26 ++ 3 files changed, 122 insertions(+) diff --git a/changes/feature15817-clang-sanitizers b/changes/feature15817-clang-sanitizers new file mode 100644 index 000..8bdf061 --- /dev/null +++ b/changes/feature15817-clang-sanitizers @@ -0,0 +1,7 @@ + o Minor enhancements (correctness, testing): +- Document use of coverity, clang static analyzer, and clang dynamic + undefined behavior and address sanitizers in doc/HACKING. + Add clang dynamic sanitizer blacklist in + contrib/clang/sanitizer_blacklist.txt to exempt known undefined + behavior. Include detailed usage instructions in the blacklist. + Patch by teor. diff --git a/contrib/clang/sanitize_blacklist.txt b/contrib/clang/sanitize_blacklist.txt new file mode 100644 index 000..d4f6cf6 --- /dev/null +++ b/contrib/clang/sanitize_blacklist.txt 
@@ -0,0 +1,89 @@ +# clang sanitizer special case list +# syntax specified in http://clang.llvm.org/docs/SanitizerSpecialCaseList.html +# for more info see http://clang.llvm.org/docs/AddressSanitizer.html + +# usage: +# 1. configure tor build: +#./configure \ +#CC=clang \ +#CFLAGS=-fsanitize-blacklist=contrib/clang/sanitize_blacklist.txt -fsanitize=undefined -fsanitize=address -fno-sanitize-recover=all -fno-omit-frame-pointer -fno-optimize-sibling-calls -fno-inline \ +#LDFLAGS=-fsanitize=address \ +#--disable-gcc-hardening +# and any other flags required to build tor on your OS. +# +# 2. build tor: +#make +# +# 3. test tor: +#ASAN_OPTIONS=allow_user_segv_handler=1 make test +#ASAN_OPTIONS=allow_user_segv_handler=1 make check +#make test-network # requires chutney +# +# 4. the tor binary is now instrumented with clang sanitizers, +#and can be run just like a standard tor binary + +# Compatibility: +# This blacklist has been tested with clang 3.7's UndefinedBehaviorSanitizer +# and AddressSanitizer on OS X 10.10 Yosemite, with all tests passing +# on both x86_64 and i386 (using CC=clang -arch i386) +# It has not been tested with ThreadSanitizer or MemorySanitizer +# Success report and patches for other sanitizers or OSs are welcome + +# Configuration Flags: +# -fno-sanitize-recover=all +# causes clang to crash on undefined behavior, rather than printing +# a warning and continuing (the AddressSanitizer always crashes) +# -fno-omit-frame-pointer -fno-optimize-sibling-calls -fno-inline +# make clang backtraces easier to read +# --disable-gcc-hardening +# disables warnings about the redefinition of _FORTIFY_SOURCE +# (it conflicts with the sanitizers) + +# Turning the sanitizers off for particular functions: +# (Unfortunately, exempting functions doesn't work for the blacklisted +# functions below, and we can't turn the code off because it's essential) +# +# #if defined(__has_feature) +# #if __has_feature(address_sanitizer) +# /* tell clang AddressSanitizer not to 
instrument this function */ +# #define NOASAN __attribute__((no_sanitize_address)) +# #define _CLANG_ASAN_ +# #else +# #define NOASAN +# #endif +# #else +# #define NOASAN +# #endif +# +# /* Telling AddressSanitizer to not instrument a function */ +# void func(void) NOASAN; +# +# /* Including or excluding sections of code */ +# #ifdef _CLANG_ASAN_ +# /* code that only runs under address sanitizer */ +# #else +# /* code that doesn't run under address sanitizer */ +# #endif + +# Blacklist Entries: + +# we need to allow the tor bt handler to catch SIGSEGV +# otherwise address sanitizer munges the expected output and the test fails +# we can do this by setting an environmental variable +# See https://code.google.com/p/address-sanitizer/wiki/Flags +# ASAN_OPTIONS=allow_user_segv_handler=1 + +# test-memwipe.c checks if a freed buffer was properly wiped +fun:vmemeq +fun:check_a_buffer + +# test_bt_cl.c stores to a NULL pointer to trigger a crash +fun:crash + +# curve25519-donna.c left-shifts 1 bits into and past the sign bit of signed +# integers. Until #13538 is resolved, we can exempt the entire file from all +# analysis under clang's undefined behavior sanitizer. +# This may be overkill, but it works, and is easier than listing every +# function in the file. +# Note that x86_64 uses curve25519-donna-c64.c instead of curve25519-donna.c
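Review bot: changes/feature15817-clang-sanitizers, like the commit message, names contrib/clang/sanitizer_blacklist.txt, but the file this commit adds is contrib/clang/sanitize_blacklist.txt. Correct the path in the changes entry so it points at a file that exists.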
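Review bot: the entries "fun:vmemeq", "fun:check_a_buffer" and "fun:crash" in sanitize_blacklist.txt match on function name alone, so any function called crash anywhere in the build loses sanitizer coverage, not only the one in test_bt_cl.c. Since the file notes that per-function attributes do not work for these cases, give the test helpers more distinctive names so the exemption cannot widen unnoticed when new code is added.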