[tor-commits] [tor/master] HSDir flag now requires the Stable flag

2015-06-08 Thread nickm
commit 6785f0b65a106561a36239d89140bf18be3d7c6c
Author: David Goulet dgou...@ev0ke.net
Date:   Mon May 11 11:27:30 2015 -0400

HSDir flag now requires the Stable flag

Fixes #8243
---
 changes/ticket8243 |7 +++
 src/or/dirserv.c   |6 --
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/changes/ticket8243 b/changes/ticket8243
new file mode 100644
index 000..8946a21
--- /dev/null
+++ b/changes/ticket8243
@@ -0,0 +1,7 @@
+  o Minor feature:
+- The HSDir flag given by authorities now requires the Stable flag. For
+  the current network, this results in going from 2887 to 2806 HSDirs.
+  Also, it makes it harder for an attacker to launch a sybil attack by
+  raising the effort for a relay to become Stable which takes at the
+  very least 7 days to do so and by keeping the 96 hours uptime
+  requirement for HSDir. Implements ticket #8243.
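Review bot: the heading "o Minor feature:" has no category parenthetical, unlike the other changes files in this series ("o Minor bugfixes (sandbox, relay):" and so on); the ChangeLog generated from it later in this digest uses "Minor feature (directory authorities, security)", so put that category here at the source. Also "sybil attack" should read "Sybil attack", and "raising the effort for a relay to become Stable which takes at the very least 7 days to do so" is hard to parse; suggest "raising the effort needed to become a Stable relay, which takes at least 7 days, while keeping the 96-hour uptime requirement".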
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index a024be8..65bfafb 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -1278,8 +1278,9 @@ dirserv_thinks_router_is_unreliable(time_t now,
 }
 
 /** Return true iff brouter/b should be assigned the HSDir flag.
- * Right now this means it advertises support for it, it has a high
- * uptime, it has a DirPort open, and it's currently considered Running.
+ * Right now this means it advertises support for it, it has a high uptime,
+ * it has a DirPort open, it has the Stable flag and it's currently
+ * considered Running.
  *
  * This function needs to be called after router-\is_running has
  * been set.
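Review bot: the updated comment lists the Stable flag as a requirement, but the precondition sentence below it still only says the function must be called after router->is_running has been set; since the body now reads node->is_stable, state that node->is_stable must also have been computed before this function runs, otherwise a caller that evaluates the HSDir check before the Stable check silently assigns no HSDir flags.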
@@ -1306,6 +1307,7 @@ dirserv_thinks_router_is_hs_dir(const routerinfo_t 
*router,
 uptime = real_uptime(router, now);
 
   return (router-wants_to_be_hs_dir  router-dir_port 
+  node-is_stable 
   uptime = get_options()-MinUptimeHidServDirectoryV2 
   router_is_active(router, node, now));
 }
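Review bot: the diffstat shows only dirserv.c and the changes file, so nothing tests the new requirement; a unit test that builds a router which is Running, has a DirPort, has enough uptime and has wants_to_be_hs_dir set, and asserts that dirserv_thinks_router_is_hs_dir returns false until node->is_stable is set, would pin the behaviour the changes file describes.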



___
tor-commits mailing list
tor-commits@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits


[tor-commits] [tor/master] Merge remote-tracking branch 'origin/maint-0.2.6'

2015-06-08 Thread nickm
commit c0c0a6085e7e6395e4f5819ba47076786ae2f2b0
Merge: 2f67a6e 6785f0b
Author: Nick Mathewson ni...@torproject.org
Date:   Mon Jun 8 10:33:38 2015 -0400

Merge remote-tracking branch 'origin/maint-0.2.6'

 changes/ticket8243 |7 +++
 src/or/dirserv.c   |6 --
 2 files changed, 11 insertions(+), 2 deletions(-)



[tor-commits] [tor/maint-0.2.6] HSDir flag now requires the Stable flag

2015-06-08 Thread nickm
commit 6785f0b65a106561a36239d89140bf18be3d7c6c
Author: David Goulet dgou...@ev0ke.net
Date:   Mon May 11 11:27:30 2015 -0400

HSDir flag now requires the Stable flag

Fixes #8243
---
 changes/ticket8243 |7 +++
 src/or/dirserv.c   |6 --
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/changes/ticket8243 b/changes/ticket8243
new file mode 100644
index 000..8946a21
--- /dev/null
+++ b/changes/ticket8243
@@ -0,0 +1,7 @@
+  o Minor feature:
+- The HSDir flag given by authorities now requires the Stable flag. For
+  the current network, this results in going from 2887 to 2806 HSDirs.
+  Also, it makes it harder for an attacker to launch a sybil attack by
+  raising the effort for a relay to become Stable which takes at the
+  very least 7 days to do so and by keeping the 96 hours uptime
+  requirement for HSDir. Implements ticket #8243.
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index a024be8..65bfafb 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -1278,8 +1278,9 @@ dirserv_thinks_router_is_unreliable(time_t now,
 }
 
 /** Return true iff brouter/b should be assigned the HSDir flag.
- * Right now this means it advertises support for it, it has a high
- * uptime, it has a DirPort open, and it's currently considered Running.
+ * Right now this means it advertises support for it, it has a high uptime,
+ * it has a DirPort open, it has the Stable flag and it's currently
+ * considered Running.
  *
  * This function needs to be called after router-\is_running has
  * been set.
@@ -1306,6 +1307,7 @@ dirserv_thinks_router_is_hs_dir(const routerinfo_t 
*router,
 uptime = real_uptime(router, now);
 
   return (router-wants_to_be_hs_dir  router-dir_port 
+  node-is_stable 
   uptime = get_options()-MinUptimeHidServDirectoryV2 
   router_is_active(router, node, now));
 }



[tor-commits] [tor/release-0.2.6] Merge branch 'maint-0.2.6' into release-0.2.6

2015-06-08 Thread nickm
commit 602e328dc33fec8eec976e497e04db810382b8b9
Merge: 2fe3afc 6785f0b
Author: Nick Mathewson ni...@torproject.org
Date:   Mon Jun 8 10:42:25 2015 -0400

Merge branch 'maint-0.2.6' into release-0.2.6

 changes/bug16030|3 +++
 changes/bug16164|4 
 changes/bug16212|5 +
 changes/bug16244|7 +++
 changes/bug16247|5 +
 changes/ticket8243  |7 +++
 configure.ac|2 +-
 src/common/sandbox.c|   12 
 src/or/connection.c |4 ++--
 src/or/dirserv.c|6 --
 src/or/main.c   |2 +-
 src/test/test_channel.c |2 +-
 12 files changed, 52 insertions(+), 7 deletions(-)



[tor-commits] [tor/release-0.2.6] Start changelog for 0.2.6.9 (lintchanges, sortchanges, formatchangelog).

2015-06-08 Thread nickm
commit 41db4bffd69f7de99c2381d56de8c3b6e348fd79
Author: Nick Mathewson ni...@torproject.org
Date:   Mon Jun 8 10:50:54 2015 -0400

Start changelog for 0.2.6.9 (lintchanges, sortchanges, formatchangelog).
---
 ChangeLog  |   36 
 changes/bug16030   |3 ---
 changes/bug16164   |4 
 changes/bug16212   |5 -
 changes/bug16244   |7 ---
 changes/bug16247   |5 -
 changes/ticket8243 |7 ---
 7 files changed, 36 insertions(+), 31 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8135c78..0670977 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,39 @@
+Changes in version 0.2.6.9 - 2015-06-??
+  Blurb goes here.
+
+  o Major bugfixes (client-side privacy):
+- Properly separate out each SOCKSPort when applying stream
+  isolation. The error occured because each port's session group was
+  being overwritten by a default value. Fixes bug 16247; bugfix on
+  0.2.6.3-alpha. Patch by jojelino.
+
+  o Minor feature (directory aurhorities, security):
+- The HSDir flag given by authorities now requires the Stable flag.
+  For the current network, this results in going from 2887 to 2806
+  HSDirs. Also, it makes it harder for an attacker to launch a sybil
+  attack by raising the effort for a relay to become Stable which
+  takes at the very least 7 days to do so and by keeping the 96
+  hours uptime requirement for HSDir. Implements ticket 8243.
+
+  o Minor bugfixes (compilation):
+- Build with --enable-systemd correctly when libsystemd is
+  installed, but systemd is not. Fixes bug 16164; bugfix on
+  0.2.6.3-alpha. Patch from Peter Palfrader.
+
+  o Minor bugfixes (Linux seccomp2 sandbox):
+- Fix sandboxing to work when running as a relay again. This
+  includes correctly allowing renaming secret_id_key and allowing
+  the eventfd2 and futex syscalls. Fixes bug 16244; bugfix on
+  0.2.6.1-alpha. Patch by Peter Palfrader.
+- Allow systemd connections to work with the Linux seccomp2 sandbox
+  code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
+  Peter Palfrader.
+
+  o Minor bugfixes (tests):
+- Fix a crash in the unit tests on MSVC2013. Fixes bug 16030; bugfix
+  on 0.2.6.2-alpha. Patch from NewEraCracker.
+
+
 Changes in version 0.2.6.8 - 2015-05-21
   Tor 0.2.6.8 fixes a bit of dodgy code in parsing INTRODUCE2 cells, and
   fixes an authority-side bug in assigning the HSDir flag. All directory
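Review bot: two typos in the new entries: "occured" in the bug 16247 item should be "occurred", and "directory aurhorities" in the ticket 8243 heading should be "directory authorities". The bug 16247 item inherits its typo from changes/bug16247, so fix it in both places before the changelog is finalised.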
diff --git a/changes/bug16030 b/changes/bug16030
deleted file mode 100644
index c14fd62..000
--- a/changes/bug16030
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (tests):
-- Fix a crash in the unit tests on MSVC2013.  Fixes bug 16030; bugfix on
-  0.2.6.2-alpha.  Patch from NewEraCracker.
\ No newline at end of file
diff --git a/changes/bug16164 b/changes/bug16164
deleted file mode 100644
index fbb383c..000
--- a/changes/bug16164
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation):
-- Build with --enable-systemd correctly when libsystemd is installed,
-  but systemd is not. Fixes bug 16164, bugfix on 0.2.6.3-alpha. Patch
-  from Peter Palfrader.
diff --git a/changes/bug16212 b/changes/bug16212
deleted file mode 100644
index bc12463..000
--- a/changes/bug16212
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (sandbox, systemd):
-- Allow systemd connections to work with the Linux seccomp2 sandbox
-  code.  Fixes bug 16212; bugfix on 0.2.6.2-alpha.
-  Patch by Peter Palfrader.
-
diff --git a/changes/bug16244 b/changes/bug16244
deleted file mode 100644
index 00bc557..000
--- a/changes/bug16244
+++ /dev/null
@@ -1,7 +0,0 @@
-  o Minor bugfixes (sandbox, relay):
-- Fix sandboxing to work when running as a relay again.  This
-  includes correctly allowing renaming secret_id_key and
-  allowing the eventfd2 and futex syscalls.
-  Fixes bug 16244; bugfix on 0.2.6.1-alpha.
-  Patch by Peter Palfrader.
-
diff --git a/changes/bug16247 b/changes/bug16247
deleted file mode 100644
index 9464b1c..000
--- a/changes/bug16247
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (client-side privacy):
-- Properly separate out each SOCKSPort when applying stream isolation.
-  The error occured because each port's session group was being
-  overwritten by a default value. Fixes bug 16247; bugfix on
-  0.2.6.3-alpha. Patch by jojelino.
diff --git a/changes/ticket8243 b/changes/ticket8243
deleted file mode 100644
index 8946a21..000
--- a/changes/ticket8243
+++ /dev/null
@@ -1,7 +0,0 @@
-  o Minor feature:
-- The HSDir flag given by authorities now requires the Stable flag. For
-  the current network, this results in going from 2887 to 2806 HSDirs.
-  Also, it makes it harder for an attacker to launch a sybil attack by
-  raising the effort for a relay to become Stable which takes at the
-  very least 7 days to do so and by keeping the 96 hours 

[tor-commits] [tor/release-0.2.6] Fix unit tests on MSVC2013.

2015-06-08 Thread nickm
commit 8ca3773f686c43328f3c05a35d4d0e61a30b980c
Author: Nick Mathewson ni...@torproject.org
Date:   Tue May 26 10:24:21 2015 -0400

Fix unit tests on MSVC2013.

Patch from NewEraCracker.  Fixes bug16030; bugfix on 0.2.6.2-alpha.
---
 changes/bug16030|3 +++
 src/test/test_channel.c |2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/changes/bug16030 b/changes/bug16030
new file mode 100644
index 000..c14fd62
--- /dev/null
+++ b/changes/bug16030
@@ -0,0 +1,3 @@
+  o Minor bugfixes (tests):
+- Fix a crash in the unit tests on MSVC2013.  Fixes bug 16030; bugfix on
+  0.2.6.2-alpha.  Patch from NewEraCracker.
\ No newline at end of file
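Review bot: the new changes file ends without a trailing newline (note the "\ No newline at end of file" marker); add one so the file matches the other changes files in this series, which all end with a newline.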
diff --git a/src/test/test_channel.c b/src/test/test_channel.c
index 6cf6649..e11ac3f 100644
--- a/src/test/test_channel.c
+++ b/src/test/test_channel.c
@@ -420,6 +420,7 @@ new_fake_channel(void)
 
   chan-close = chan_test_close;
   chan-get_overhead_estimate = chan_test_get_overhead_estimate;
+  chan-get_remote_descr = chan_test_get_remote_descr;
   chan-num_bytes_queued = chan_test_num_bytes_queued;
   chan-num_cells_writeable = chan_test_num_cells_writeable;
   chan-write_cell = chan_test_write_cell;
@@ -615,7 +616,6 @@ test_channel_dumpstats(void *arg)
   /* Test channel_dump_statistics */
   ch-describe_transport = chan_test_describe_transport;
   ch-dumpstats = chan_test_dumpstats;
-  ch-get_remote_descr = chan_test_get_remote_descr;
   ch-is_canonical = chan_test_is_canonical;
   old_count = test_dumpstats_calls;
   channel_dump_statistics(ch, LOG_DEBUG);
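Review bot: removing the per-test assignment is only safe if the ch used in test_channel_dumpstats comes from new_fake_channel, which now sets get_remote_descr for every fake channel; confirm that, and note in the commit message why MSVC2013 crashed, since "Fix a crash in the unit tests on MSVC2013" gives no cause and a future reader cannot tell from this hunk why moving one function pointer fixes it.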





[tor-commits] [torspec/master] actually add proposal 245

2015-06-08 Thread nickm
commit 3605bcf15635a9a5a7f034887944091514f70ee8
Author: Nick Mathewson ni...@torproject.org
Date:   Mon Jun 8 11:21:57 2015 -0400

actually add proposal 245
---
 proposals/245-tap-out.txt |   96 +
 1 file changed, 96 insertions(+)

diff --git a/proposals/245-tap-out.txt b/proposals/245-tap-out.txt
new file mode 100644
index 000..27d73ab
--- /dev/null
+++ b/proposals/245-tap-out.txt
@@ -0,0 +1,96 @@
+Filename: 245-tap-out.txt
+Title: Deprecating and removing the TAP circuit extension protocol
+Author: Nick Mathewson
+Created: 2015-06-02
+Status: Draft
+
+0. Introduction
+
+  This proposal describes a series of steps necessary for deprecating
+  TAP without breaking functionality.
+
+  TAP is the original protocol for one-way authenticated key negotiation
+  used by Tor.  Before Tor version 0.2.4, it was the only supported
+  protocol.  Its key length is unpleasantly short, however, and it had
+  some design warts.  Moreover, it had no name, until Ian Goldberg wrote
+  a paper about the design warts.
+
+  Why deprecate and remove it?  Because ntor is better in basically
+  every way.  It's actually got a proper security proof, the key
+  strength seems to be 20th-century secure, and so on.  Meanwhile, TAP
+  is lingering as a zombie, taking up space in descriptors and
+  microdescriptors.
+
+1. TAP is still in (limited) use today for hidden service hops.
+
+  The original hidden service protocol only describes a way to tell
+  clients and servers about an introduction point's or a rendezvous
+  point's TAP onion key.
+
+  We can do a bit better (see section 4), but we can't break TAP
+  completely until current clients and hidden services are obsolete.
+
+2. The step-by-step process.
+
+  Step 1. Adjust the parsing algorithm for descriptors and microdescriptors
+  on servers so that it accepts MDs without a TAP key.  See section 3 below.
+  Target: 0.2.7.
+
+  Step 1b. Optionally, when connecting to a known IP/RP, extend by ntor.
+  (See section 4 below.)
+
+  Step 2. Wait until proposal 224 is implemented.  (Clients and hidden
+  services implementing 224 won't need TAP for anything.)
+
+  Step 3. Begin throttling TAP answers even more aggressively at relays.
+  Target: prop224 is stable.
+
+  Step 4. Wait until all versions of Tor without prop224 support are
+  obsolete/deprecated.
+
+  Step 5. Stop generating TAP keys; stop answering TAP requests; stop
+  advertising TAP keys in descriptors; stop including them in
+  microdescriptors.
+  Target: prop224 has been stable for 12-18 months, and 0.2.7 has been stable
+  for 2-3 years.
+
+
+3. Accepting descriptors without TAP keys. (Step 1)
+
+  Our microdescriptor parsing code uses the string onion-key at the
+  start of the line to identify the boundary between microdescriptors,
+  so we can't remove it entirely.  Instead, we will make the body
+  optional.
+
+  We will make the following changes to dir-spec:
+
+   - In router descriptors, make the onion-key field at most once
+ instead of exactly once.
+
+   - In microdescriptors, make the body of onion-key optional.
+
+  Until Step 4, authorities MUST still reject any descriptor without a
+  TAP key.
+
+  If we do step 1 before proposal 224 is implemented, we'll need to make
+  sure that we never choose a relay without a TAP key as an introduction
+  point or a rendezvous point.
+
+4. Avoiding TAP earlier for HS usage (Step 1b)
+
+  We could begin to move more circuits off TAP now by adjusting our
+  behavior for extending circuits to Introduction Points and Rendezvous
+  Points.  The new rule would be:
+
+ If you've been told to extend to an IP/RP, and you know a directory
+ entry for that relay (matching by identity), you extend using the
+ node_t you have instead.
+
+  This would improve cryptographic security a bit, at the expense of
+  making it possible to probe for whether a given hidden service has an
+  up-to-date consensus or not, and learn whether each client has an
+  up-to-date consensus or not. We need to figure out whether that
+  enables an attack.
+
+  (For reference, the functions to patch would be
+  rend_client_get_random_intro_impl and find_rp_for_intro.)
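Review bot: Step 1b sits in the step sequence as optional, but section 4 itself says it is not yet known whether letting clients and hidden services extend to an IP/RP by ntor enables an attack via probing for an up-to-date consensus; mark Step 1b as blocked on that analysis rather than optional, so nobody implements it before the question is answered. Section 3 also says authorities MUST reject descriptors without a TAP key until Step 4, so the sentence in that section about never choosing a relay without a TAP key as an IP/RP only matters for non-authority parsing; say so explicitly to avoid readers assuming such relays can appear in the consensus before Step 4.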



[tor-commits] [tor/release-0.2.6] Fix --enable-systemd builds on systems with libsystemd but not systemd

2015-06-08 Thread nickm
commit 08e8c21b1f0acac5e023d05d59f175f2f5716288
Author: Nick Mathewson ni...@torproject.org
Date:   Tue May 26 09:39:53 2015 -0400

Fix --enable-systemd builds on systems with libsystemd but not systemd

Fixes bug 16164; bugfix on 0.2.6.3-alpha. Patch from Peter Palfrader.
---
 changes/bug16164 |4 
 configure.ac |2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/changes/bug16164 b/changes/bug16164
new file mode 100644
index 000..fbb383c
--- /dev/null
+++ b/changes/bug16164
@@ -0,0 +1,4 @@
+  o Minor bugfixes (compilation):
+- Build with --enable-systemd correctly when libsystemd is installed,
+  but systemd is not. Fixes bug 16164, bugfix on 0.2.6.3-alpha. Patch
+  from Peter Palfrader.
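Review bot: "Fixes bug 16164, bugfix on 0.2.6.3-alpha" uses a comma where the other changes files in this series use a semicolon ("Fixes bug 16212; bugfix on ..."); the ChangeLog entry generated from it later in this digest already changes it to a semicolon, so fix it here at the source.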
diff --git a/configure.ac b/configure.ac
index 81ef2c7..156bb3f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -131,7 +131,7 @@ if test x$have_systemd = xyes; then
 AC_DEFINE(HAVE_SYSTEMD,1,[Have systemd])
 TOR_SYSTEMD_CFLAGS=${SYSTEMD_CFLAGS}
 TOR_SYSTEMD_LIBS=${SYSTEMD_LIBS}
-PKG_CHECK_MODULES(SYSTEMD209, [systemd = 209],
+PKG_CHECK_MODULES(LIBSYSTEMD209, [libsystemd = 209],
  [AC_DEFINE(HAVE_SYSTEMD_209,1,[Have systemd v209 or more])], [])
 fi
 AC_SUBST(TOR_SYSTEMD_CFLAGS)
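Review bot: the rename from systemd to libsystemd is applied only to the version check inside the block; the guard "if test x$have_systemd = xyes" at the top of the hunk depends on an earlier detection not shown here, so confirm that it also probes the libsystemd pkg-config module, otherwise the block is never entered on a host that has libsystemd but not systemd, which is exactly the case bug 16164 describes. The check variable is now LIBSYSTEMD209 while the define it sets stays HAVE_SYSTEMD_209; that is fine, but a short comment saying the define is kept for source compatibility would avoid a later "fix".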





[tor-commits] [tor/release-0.2.6] Set session_group after the port's data structure has been populated.

2015-06-08 Thread nickm
commit f2ff8145820243a05803367d31c8b34e03048706
Author: Yawning Angel yawn...@schwanenlied.me
Date:   Thu Jun 4 13:53:35 2015 +

Set session_group after the port's data structure has been populated.

Fixes #16247, patch by jojelino.
---
 changes/bug16247|5 +
 src/or/connection.c |4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/changes/bug16247 b/changes/bug16247
new file mode 100644
index 000..9464b1c
--- /dev/null
+++ b/changes/bug16247
@@ -0,0 +1,5 @@
+  o Minor bugfixes (client-side privacy):
+- Properly separate out each SOCKSPort when applying stream isolation.
+  The error occured because each port's session group was being
+  overwritten by a default value. Fixes bug 16247; bugfix on
+  0.2.6.3-alpha. Patch by jojelino.
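Review bot: "occured" should be "occurred"; this text is copied verbatim into the ChangeLog in the 0.2.6.9 changelog commit elsewhere in this digest, so the typo propagates unless fixed here.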
diff --git a/src/or/connection.c b/src/or/connection.c
index 7db0238..721ee20 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -1284,6 +1284,8 @@ connection_listener_new(const struct sockaddr 
*listensockaddr,
   conn-port = gotPort;
   tor_addr_copy(conn-addr, addr);
 
+  memcpy(lis_conn-entry_cfg, port_cfg-entry_cfg, sizeof(entry_port_cfg_t));
+
   if (port_cfg-entry_cfg.isolation_flags) {
 lis_conn-entry_cfg.isolation_flags = port_cfg-entry_cfg.isolation_flags;
 if (port_cfg-entry_cfg.session_group = 0) {
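Review bot: with the memcpy of the whole entry_cfg now placed before the isolation block, the assignment of lis_conn->entry_cfg.isolation_flags from port_cfg->entry_cfg.isolation_flags on the line inside the if is a no-op copy of a field the memcpy has already set; either drop it or leave a one-line comment that the struct is copied wholesale first and only session_group is then adjusted, so the next reader does not reintroduce the ordering bug by "tidying" the copy back down.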
@@ -1299,8 +1301,6 @@ connection_listener_new(const struct sockaddr 
*listensockaddr,
 }
   }
 
-  memcpy(lis_conn-entry_cfg, port_cfg-entry_cfg, sizeof(entry_port_cfg_t));
-
   if (type != CONN_TYPE_AP_LISTENER) {
 lis_conn-entry_cfg.ipv4_traffic = 1;
 lis_conn-entry_cfg.ipv6_traffic = 1;
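Review bot: the fix is purely a reordering of a copy relative to the code that sets session_group, and the changes file classes it as a client-side privacy bug; a test that configures two SOCKSPorts with distinct session groups and asserts that each listener keeps its own value would stop a future reordering from silently merging isolation groups again.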





[tor-commits] [tor/release-0.2.6] Fix sandboxing to work when running as a relay

2015-06-08 Thread nickm
commit a68e5323f809056cae9fcefc06357f9646595d89
Author: Peter Palfrader pe...@palfrader.org
Date:   Tue Jun 2 20:06:49 2015 +0200

Fix sandboxing to work when running as a relay

This includes correctly allowing renaming secret_id_key and allowing the
eventfd2 and futex syscalls.  Fixes bug 16244; bugfix on 0.2.6.1-alpha.
---
 changes/bug16244 |7 +++
 src/common/sandbox.c |2 ++
 src/or/main.c|2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/changes/bug16244 b/changes/bug16244
new file mode 100644
index 000..00bc557
--- /dev/null
+++ b/changes/bug16244
@@ -0,0 +1,7 @@
+  o Minor bugfixes (sandbox, relay):
+- Fix sandboxing to work when running as a relay again.  This
+  includes correctly allowing renaming secret_id_key and
+  allowing the eventfd2 and futex syscalls.
+  Fixes bug 16244; bugfix on 0.2.6.1-alpha.
+  Patch by Peter Palfrader.
+
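Review bot: the new changes file ends with an empty line (the final bare "+"); the other changes files in this series end directly after the last text line, so drop it for consistency with the changelog tooling's input.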
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index a32bd0d..cdb4521 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -129,11 +129,13 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(clone),
 SCMP_SYS(epoll_create),
 SCMP_SYS(epoll_wait),
+SCMP_SYS(eventfd2),
 SCMP_SYS(fcntl),
 SCMP_SYS(fstat),
 #ifdef __NR_fstat64
 SCMP_SYS(fstat64),
 #endif
+SCMP_SYS(futex),
 SCMP_SYS(getdents64),
 SCMP_SYS(getegid),
 #ifdef __NR_getegid32
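Review bot: eventfd2 and futex go into filter_nopar_gen, so they are allowed with no argument filtering; that matches neighbouring entries such as clone and fcntl, but the commit message only says a relay needs them. Add a line stating which relay code path issues these calls, so the reason behind each unconditional allow stays auditable when the list is next reviewed.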
diff --git a/src/or/main.c b/src/or/main.c
index d0fe8cb..8aa9a15 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2984,7 +2984,7 @@ sandbox_init_filter(void)
   // orport
   if (server_mode(get_options())) {
 
-OPEN_DATADIR2_SUFFIX(keys, secret_id_key, tmp);
+OPEN_DATADIR2_SUFFIX(keys, secret_id_key, .tmp);
 OPEN_DATADIR2_SUFFIX(keys, secret_onion_key, .tmp);
 OPEN_DATADIR2_SUFFIX(keys, secret_onion_key_ntor, .tmp);
 OPEN_DATADIR2(keys, secret_id_key.old);
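Review bot: the suffix now matches the ".tmp" used on the two lines below for secret_onion_key and secret_onion_key_ntor, which makes the missing dot look like the original typo; the changes file only says "allowing renaming secret_id_key", so mention there that the sandbox path for the temporary file was misspelled, which tells operators why the relay-mode sandbox failed on rename and not on some new file.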





[tor-commits] [tor/release-0.2.6] Fix sandbox use with systemd. bug 16212.

2015-06-08 Thread nickm
commit 97330ced0c2e0eeae9bb2bc576bb72190237819d
Author: Nick Mathewson ni...@torproject.org
Date:   Thu May 28 14:05:46 2015 -0400

Fix sandbox use with systemd. bug 16212.
---
 changes/bug16212 |5 +
 src/common/sandbox.c |   10 ++
 2 files changed, 15 insertions(+)

diff --git a/changes/bug16212 b/changes/bug16212
new file mode 100644
index 000..bc12463
--- /dev/null
+++ b/changes/bug16212
@@ -0,0 +1,5 @@
+  o Minor bugfixes (sandbox, systemd):
+- Allow systemd connections to work with the Linux seccomp2 sandbox
+  code.  Fixes bug 16212; bugfix on 0.2.6.2-alpha.
+  Patch by Peter Palfrader.
+
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index 49316c6..a32bd0d 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -170,6 +170,7 @@ static int filter_nopar_gen[] = {
 SCMP_SYS(read),
 SCMP_SYS(rt_sigreturn),
 SCMP_SYS(sched_getaffinity),
+SCMP_SYS(sendmsg),
 SCMP_SYS(set_robust_list),
 #ifdef __NR_sigreturn
 SCMP_SYS(sigreturn),
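Review bot: sendmsg is added to filter_nopar_gen, so it is allowed on every socket with no argument filtering, while the changes file ties it to systemd connections only. If the only caller is the systemd notification path, consider wrapping the entry in the build's HAVE_SYSTEMD conditional (the define set in configure.ac elsewhere in this digest) so non-systemd builds keep the narrower filter.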
@@ -547,6 +548,15 @@ sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
   SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
   SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM),
   SCMP_CMP(2, SCMP_CMP_EQ, 0));
+  if (rc)
+return rc;
+
+  rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
+  SCMP_CMP(0, SCMP_CMP_EQ, PF_UNIX),
+  SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM),
+  SCMP_CMP(2, SCMP_CMP_EQ, 0));
+  if (rc)
+return rc;
 
   rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket),
   SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK),
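Review bot: the new PF_UNIX/SOCK_DGRAM socket rule is unconditional, so every build, not only one talking to systemd, may now create unix datagram sockets under the sandbox; gating this rule and the sendmsg entry on HAVE_SYSTEMD keeps the rule set minimal for the common case. The added "if (rc) return rc;" after the existing SOCK_STREAM rule is a good catch, since in the original the return value of that call went unchecked before the PF_NETLINK rule below overwrote rc.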





[tor-commits] [tor/release-0.2.6] HSDir flag now requires the Stable flag

2015-06-08 Thread nickm
commit 6785f0b65a106561a36239d89140bf18be3d7c6c
Author: David Goulet dgou...@ev0ke.net
Date:   Mon May 11 11:27:30 2015 -0400

HSDir flag now requires the Stable flag

Fixes #8243
---
 changes/ticket8243 |7 +++
 src/or/dirserv.c   |6 --
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/changes/ticket8243 b/changes/ticket8243
new file mode 100644
index 000..8946a21
--- /dev/null
+++ b/changes/ticket8243
@@ -0,0 +1,7 @@
+  o Minor feature:
+- The HSDir flag given by authorities now requires the Stable flag. For
+  the current network, this results in going from 2887 to 2806 HSDirs.
+  Also, it makes it harder for an attacker to launch a sybil attack by
+  raising the effort for a relay to become Stable which takes at the
+  very least 7 days to do so and by keeping the 96 hours uptime
+  requirement for HSDir. Implements ticket #8243.
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index a024be8..65bfafb 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -1278,8 +1278,9 @@ dirserv_thinks_router_is_unreliable(time_t now,
 }
 
 /** Return true iff brouter/b should be assigned the HSDir flag.
- * Right now this means it advertises support for it, it has a high
- * uptime, it has a DirPort open, and it's currently considered Running.
+ * Right now this means it advertises support for it, it has a high uptime,
+ * it has a DirPort open, it has the Stable flag and it's currently
+ * considered Running.
  *
  * This function needs to be called after router-\is_running has
  * been set.
@@ -1306,6 +1307,7 @@ dirserv_thinks_router_is_hs_dir(const routerinfo_t 
*router,
 uptime = real_uptime(router, now);
 
   return (router-wants_to_be_hs_dir  router-dir_port 
+  node-is_stable 
   uptime = get_options()-MinUptimeHidServDirectoryV2 
   router_is_active(router, node, now));
 }





[tor-commits] [tor/master] Edit contrib/README to document the contrib/clang directory

2015-06-08 Thread nickm
commit 7f3b15a8ec119f696f666dc2d98e25d71c69e19c
Author: teor teor2...@gmail.com
Date:   Sat Jun 6 07:56:41 2015 +1000

Edit contrib/README to document the contrib/clang directory
---
 contrib/README |7 +++
 1 file changed, 7 insertions(+)

diff --git a/contrib/README b/contrib/README
index 07c6f77..3a94bb5 100644
--- a/contrib/README
+++ b/contrib/README
@@ -11,6 +11,13 @@ add-tor is an old script to manipulate the approved-routers 
file.
 nagios-check-tor-authority-cert is a nagios script to check when Tor
 authority certificates are expired or nearly expired.
 
+clang/ -- Files for use with the clang compiler
+---
+
+sanitize_blacklist.txt is used to build Tor with clang's dynamic
+AddressSanitizer and UndefinedBehaviorSanitizer. It contains detailed
+instructions on configuration, build, and testing with clang's sanitizers.
+
 client-tools/ -- Tools for use with Tor clients
 ---
 





[tor-commits] [tor/master] Merge remote-tracking branch 'teor/feature15817-clang-sanitizers'

2015-06-08 Thread nickm
commit 64bdf040f021ca3ccb661c4056ee857e2ed44a4e
Merge: c0c0a60 7f3b15a
Author: Nick Mathewson ni...@torproject.org
Date:   Mon Jun 8 10:57:25 2015 -0400

Merge remote-tracking branch 'teor/feature15817-clang-sanitizers'

 changes/feature15817-clang-sanitizers |7 +++
 contrib/README|7 +++
 contrib/clang/sanitize_blacklist.txt  |   89 +
 doc/HACKING   |   26 ++
 4 files changed, 129 insertions(+)



[tor-commits] [tor/master] Add instructions for clang sanitizers, static analyzer, and coverity

2015-06-08 Thread nickm
commit bc0a9843e5cd8ed407e79d7f7e7b5404210924c4
Author: teor teor2...@gmail.com
Date:   Sat Jun 6 04:04:23 2015 +1000

Add instructions for clang sanitizers, static analyzer, and coverity

Document use of coverity, clang static analyzer, and clang dynamic
undefined behavior and address sanitizers in doc/HACKING.

Add clang dynamic sanitizer blacklist in
contrib/clang/sanitizer_blacklist.txt to exempt known undefined
behavior. Include detailed usage instructions in this blacklist file.

Patch by teor.
---
 changes/feature15817-clang-sanitizers |7 +++
 contrib/clang/sanitize_blacklist.txt  |   89 +
 doc/HACKING   |   26 ++
 3 files changed, 122 insertions(+)

diff --git a/changes/feature15817-clang-sanitizers 
b/changes/feature15817-clang-sanitizers
new file mode 100644
index 000..8bdf061
--- /dev/null
+++ b/changes/feature15817-clang-sanitizers
@@ -0,0 +1,7 @@
+  o Minor enhancements (correctness, testing):
+- Document use of coverity, clang static analyzer, and clang dynamic
+  undefined behavior and address sanitizers in doc/HACKING.
+  Add clang dynamic sanitizer blacklist in
+  contrib/clang/sanitizer_blacklist.txt to exempt known undefined
+  behavior. Include detailed usage instructions in the blacklist.
+  Patch by teor.
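Review bot: the file is named contrib/clang/sanitizer_blacklist.txt in this entry and in the commit message, but the diffstat and the file actually added are contrib/clang/sanitize_blacklist.txt, and the contrib/README hunk in the sibling commit also says sanitize_blacklist.txt; fix the name in the changes file so the released changelog points at a path that exists.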
diff --git a/contrib/clang/sanitize_blacklist.txt 
b/contrib/clang/sanitize_blacklist.txt
new file mode 100644
index 000..d4f6cf6
--- /dev/null
+++ b/contrib/clang/sanitize_blacklist.txt
@@ -0,0 +1,89 @@
+# clang sanitizer special case list
+# syntax specified in http://clang.llvm.org/docs/SanitizerSpecialCaseList.html
+# for more info see http://clang.llvm.org/docs/AddressSanitizer.html
+
+# usage:
+# 1. configure tor build:
+#./configure \
+#CC=clang \
+#CFLAGS=-fsanitize-blacklist=contrib/clang/sanitize_blacklist.txt 
-fsanitize=undefined -fsanitize=address -fno-sanitize-recover=all 
-fno-omit-frame-pointer -fno-optimize-sibling-calls -fno-inline \
+#LDFLAGS=-fsanitize=address \
+#--disable-gcc-hardening
+# and any other flags required to build tor on your OS.
+#
+# 2. build tor:
+#make
+#
+# 3. test tor:
+#ASAN_OPTIONS=allow_user_segv_handler=1 make test
+#ASAN_OPTIONS=allow_user_segv_handler=1 make check
+#make test-network # requires chutney
+#
+# 4. the tor binary is now instrumented with clang sanitizers,
+#and can be run just like a standard tor binary
+
+# Compatibility:
+# This blacklist has been tested with clang 3.7's UndefinedBehaviorSanitizer
+# and AddressSanitizer on OS X 10.10 Yosemite, with all tests passing
+# on both x86_64 and i386 (using CC=clang -arch i386)
+# It has not been tested with ThreadSanitizer or MemorySanitizer
+# Success report and patches for other sanitizers or OSs are welcome
+
+# Configuration Flags:
+# -fno-sanitize-recover=all
+# causes clang to crash on undefined behavior, rather than printing
+# a warning and continuing (the AddressSanitizer always crashes)
+# -fno-omit-frame-pointer -fno-optimize-sibling-calls -fno-inline
+# make clang backtraces easier to read
+# --disable-gcc-hardening
+# disables warnings about the redefinition of _FORTIFY_SOURCE
+# (it conflicts with the sanitizers)
+
+# Turning the sanitizers off for particular functions:
+# (Unfortunately, exempting functions doesn't work for the blacklisted
+# functions below, and we can't turn the code off because it's essential)
+#
+# #if defined(__has_feature)
+# #if __has_feature(address_sanitizer)
+# /* tell clang AddressSanitizer not to instrument this function */
+# #define NOASAN __attribute__((no_sanitize_address))
+# #define _CLANG_ASAN_
+# #else
+# #define NOASAN
+# #endif
+# #else
+# #define NOASAN
+# #endif
+#
+# /* Telling AddressSanitizer to not instrument a function */
+# void func(void) NOASAN;
+#
+# /* Including or excluding sections of code */
+# #ifdef _CLANG_ASAN_
+# /* code that only runs under address sanitizer */
+# #else
+# /* code that doesn't run under address sanitizer */
+# #endif
+
+# Blacklist Entries:
+
+# we need to allow the tor bt handler to catch SIGSEGV
+# otherwise address sanitizer munges the expected output and the test fails
+# we can do this by setting an environmental variable
+# See https://code.google.com/p/address-sanitizer/wiki/Flags
+# ASAN_OPTIONS=allow_user_segv_handler=1
+
+# test-memwipe.c checks if a freed buffer was properly wiped
+fun:vmemeq
+fun:check_a_buffer
+
+# test_bt_cl.c stores to a NULL pointer to trigger a crash
+fun:crash
+
+# curve25519-donna.c left-shifts 1 bits into and past the sign bit of signed
+# integers. Until #13538 is resolved, we can exempt the entire file from all
+# analysis under clang's undefined behavior sanitizer.
+# This may be overkill, but it works, and is easier than listing every
+# function in the file.
+# Note that x86_64 uses curve25519-donna-c64.c instead of curve25519-donna.c
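Review bot: the suggested macro name _CLANG_ASAN_ in the "Turning the sanitizers off" section is an identifier starting with an underscore and an uppercase letter, which C reserves for the implementation; recommend a non-reserved spelling such as TOR_CLANG_ASAN before anyone copies the snippet into the tree. Two wording fixes in the same file: "Success report and patches ... are welcome" should be "Success reports and patches", and "environmental variable" should be "environment variable".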