diff options
93 files changed, 4397 insertions, 970 deletions
@@ -1,3 +1,233 @@ +Changes in version 0.2.5.4-alpha - 2014-04-?? + + o Major features (security): + - Block authority signing keys that were used on an authorities + vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). + (We don't have any evidence that these keys _were_ compromised; + we're doing this to be prudent.) Resolves ticket 11464. + + o Deprecated versions: + - Tor 0.2.2.x has reached end-of-life; it has received no patches or + attention for some while. Directory authorities no longer accept + descriptors from Tor relays running any version of Tor prior to Tor + 0.2.3.16-alpha. Resolves ticket 11149. + + o Major features (relay performance): + - Faster server-side lookups of rendezvous and introduction point + circuits by using hashtables instead of linear searches over all + the circuits. These functions previously accounted between 3 and + 7% of CPU usage on some busy relays. + + o Major features (seccomp2 sandbox): + - Refinements and improvements to the Linux seccomp2 sandbox code: + the sandbox can now run a test network for multiple hours without + crashing. (Previous crash reasons included: reseeding the OpenSSL PRNG, + seeding the Libevent PRNG, using the wrong combination of CLOEXEC and + NONBLOCK at the same place and time, having server keys, being an + authority, receiving a HUP, or using IPv6.) The sandbox is still + experimental, and more bugs will probably turn up. To try it, + enable "Sandbox 1" on a Linux host. + - Strengthen the Linux seccomp2 sandbox code: the sandbox can now + test the arguments for rename(), and blocks _sysctl() entirely. + - When the Linux syscall sandbox finds an illegal system call, it + now tries to log a stack trace before exiting. Resolves ticket + 11465. + + o Major bugfixes (TLS cipher selection): + - Generate the server's preference list for ciphersuites + automatically based on uniform criteria, and considering all + OpenSSL ciphersuites with acceptable strength and forward + secrecy. (The sort order is: prefer AES to 3DES; break ties by + preferring ECDHE to DHE; break ties by preferring GCM to CBC; + break ties by preferring SHA384 to SHA256 to SHA1; and finally, + break ties by preferring AES256 to AES128.) This resolves bugs + #11513, #11492, #11498, #11499. Bugs reported by 'cypherpunks'. + Bugfix on 0.2.4.8-alpha. + + o Major bugfixes (undefined behavior): + - Fix two instances of possible undefined behavior in channeltls.c + that could, under unlucky circumstances, have led to a pointer + overflow. Fixes bug #10363; bugfixes on 0.2.0.10-alpha and + 0.2.3.6-alpha. Reported by "bobnomnom". + - Fix another possibly undefined pointer operations in tor_memmem + fallback implementation. Another case of bug #10363; bugfix on + 0.1.1.1-alpha. + - Fix another possibly undefined pointer operations in the eventdns + fallback implementation. Another case of bug #10363; bugfix on + 0.1.2.1-alpha. + - Use AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix some + miscellaneous errors in our tests and codebase. Fix for bug 11232. + Bugfixes on versions back as far as 0.2.1.11-alpha. + + o Minor bugfixes (logging): + - Log only one message when we start logging in an unsafe + way. Previously, we would log as many messages as we had + problems. Fix for #9870; bugfix on 0.2.5.1-alpha. + - Using the Linux syscall sandbox no longer prevents stack-trace + logging on crashes or errors. Fixes part 11465; bugfix on + 0.2.5.1-alpha. + - Only report the first fatal boostrap error on a given OR + connection. This prevents controllers from declaring that a + connection has failed because of "DONE" or other junk reasons. + Fixes bug 10431; bugfix on 0.2.1.1-alpha. + + o Minor bugfixes (closing channels): + - If write_to_buf() in connection_write_to_buf_impl_() ever fails, + check if it's an or_connection_t and correctly call + connection_or_close_for_error() rather than connection_mark_for_close() + directly. Fixes bug #11304; bugfix on 0.2.4.4-alpha. + - When closing all connections on setting DisableNetwork to 1, use + connection_or_close_normally() rather than closing orconns out from + under the channel layer. Fixes bug #11306; bugfix on 0.2.4.4-alpha. + + o Minor bugfixes (controller): + - Avoid sending an garbage value to the controller when a circuit is + cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha. + + o Minor bugfixes (tor-fw-helper): + - Allow tor-fw-helper to build again by adding src/ext to its + CPPFLAGS. Fixes bug 11296; bugfix on 0.2.5.3-alpha. + + o Minor bugfixes (bridges): + - Avoid potential crashes or bad behavior when launching a + server-side managed proxy with ORPort or ExtORPort temporarily + disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha. + + o Minor bugfixes (misc): + - Don't re-initialize a second set of openssl mutexes when starting + up. Fixes bug 11726; bugfix on 0.2.5.3-alpha. + + o Minor bugfixes (memory leaks): + - Fix a minor memory leak that occurred when signing a directory + object. Fixes bug 11275; bugfix on 0.2.4.13-alpha. + + o Minor bugfixes (platform-specific): + - Fix compilation on Solaris, which does not have <endian.h>. + Fixes bug 11426; bugfix on 0.2.5.3-alpha. + - When dumping a malformed directory object to disk, save it in binary + mode on windows, not text mode. Fixes bug 11342; bugfix on + 0.2.2.1-alpha. + - When reporting a failure from make_socket_reuseable(), don't + report a warning when we get a failure from an incoming socket + on OSX. Fix for bug 10081. + + o Minor bugfixes (trivial memory leaks): + - Free placeholder entries in our circuit table at exit; fixes + a harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha. + - Resolve some memory leaks found by coverity in the unit tests, + on exit in tor-gencert, and on a failure to compute digests + for our own keys when generating a v3 networkstatus vote. + These leaks should never have affected anyone in practice. + + o Minor bugfixes (hidden service): + - Only retry attempts to connect to a chosen rendezvous point 8 times, + not 30. Fixes bug #4241; bugfix on 0.1.0.1-rc. + + o Minor bugfixes (bridge client): + - Stop accepting bridge lines containing hostnames. Doing so allowed + clients to perform DNS requests on the hostnames, which was not + sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha. + + o Minor bugfixes (exit): + - Stop leaking memory when we successfully resolve a PTR record. + Fixes bug 11437; bugfix on 0.2.4.7-alpha. + + o Minor features (Transparent proxy): + - Support the ipfw firewall interface for transparent proxy support on + FreeBSD. To enable it, set "TransProxyType ipfw" in your torrc. + Resolves ticket 10267; patch from "yurivict". + - Support OpenBSD's divert-to rules with the pf firewall, when + "TransProxyType pf-divert" is specified. This allows Tor to run a + TransPort transparent proxy port on OpenBSD 4.4 or later without + root privileges. See the pf.conf(5) manual page for information on + configuring pf to use divert-to rules. Closes ticket 10896; patch + from Dana Koch. + + o Minor features (security): + - New --enable-expensive-hardening option to turn on security hardening + options that consume nontrivial amounts of CPU and memory. Right now, + this includes AddressSanitizer and UbSan. Closes ticket 11477. + + o Minor features (usability): + - Demote the message that we give when a flushing connection times + out for too long from NOTICE to INFO. It was usually meaningless. + Resolves ticket 5286. + + o Minor features (performance, compatibility): + - Update the list of TLS cipehrsuites that a client advertises + to match those advertised by Firefox 28. This enables selection of + (fast) GCM ciphersuites, disables some strange old ciphers, and + disables the ECDH (not to be confused with ECDHE) ciphersuites. + Resolves ticket 11438. + + + o Minor bugfixes (IPv6): + - When using DNSPort and AutomapHostsOnResolve, respond to AAAA + requests with AAAA automapped answers. Fixes bug 10468; bugfix + on 0.2.4.7-alpha. + + o Minor features (relay): + - If a circuit timed out for at least 3 minutes check if we have a new + external IP address the next time we run our routine checks. If our + IP address has changed, then publish a new descriptor with the new + IP address. Resolves ticket 2454. + - Warn less verbosely when receiving a misformed ESTABLISH_RENDEZVOUS + cell. Fixes ticket 11279. + + o Minor features (controller): + - Make the entire exit policy available from the control port via + GETINFO exit-policy/*. Implements enhancement #7952. Patch from + "rl1987". + + o Minor features (misc): + - Always check return values for unlink, munmap, UnmapViewOfFile; + check strftime return values more often. In some cases all we + can do is report a warning, but this may help prevent deeper + bugs from going unnoticed. Closes ticket 8787. + + o Minor features (bridge client): + - Report a failure to connect to a bridge because its transport + type has no configured pluggable transport as a new type of bootstrap + failure. Resolves ticket 9665. Patch from Fábio J. Bertinatto. + + o Minor features (diagnostic): + - Try harder to diagnose a possible cause of bug 7164, which causes + intermittent "microdesc_free() called but md was still referenced" + warnings. We now log more information about the likely error case, + to try to figure out why we might be cleaning a microdescriptor + as old if it's still referenced by a live node. + + o Documentation: + - Build the torify.1 manpage again. Previously, we were only + trying to build it when also building tor-fw-helper. That's why + we didn't notice that we'd broken the ability to build it. + Fixes bug 11321; bugfix on 0.2.5.1-alpha. + - Fix the layout of the SOCKSPort flags in the manpage. Fixes bug + 11061; bugfix on 0.2.4.7-alpha. + - Correctly document that we search for a system torrc file before + looking in ~/.torrc. Fixes documentation side of 9213; bugfix + on 0.2.3.18-rc. + - Resolve warnings from Doxygen. + + o Code simplifications and refactoring: + - Removing is_internal_IP() function. Resolves ticket 4645. + - Remove unused function circuit_dump_by_chan from circuitlist.c. Closes + issue #9107; patch from "marek". + - Change our use of the ENUM_BF macro to avoid declarations that + confuse Doxygen. + + o Testing: + - New macros in test.h to simplify writting mock-functions for unit + tests. Part of ticket 11507. Patch from Dana Koch. + - Complete tests for the status.c module. Resolves ticket 11507. + Patch from Dana Koch. + + o Removed code: + - Remove all code for the long unused v1 directory protocol. Resolves + ticket 11070. + + + Changes in version 0.2.5.3-alpha - 2014-03-22 Tor 0.2.5.3-alpha includes all the fixes from 0.2.4.21. It contains two new anti-DoS features for Tor relays, resolves a bug that kept diff --git a/changes/11543 b/changes/11543 new file mode 100644 index 000000000..ebc22f775 --- /dev/null +++ b/changes/11543 @@ -0,0 +1,8 @@ + o Minor bugfixes: + + - Improve the warning message when trying to enable the Linux + sandbox code on a Tor built without libseccomp. Instead of + saying "Sandbox is not implemented on this platform", we now + explain that we to need be built with libseccomp. Fixes bug + 11543; bugfix on 0.2.5.1-alpha. + diff --git a/changes/bug10081 b/changes/bug10081 deleted file mode 100644 index 654b83c0b..000000000 --- a/changes/bug10081 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features: - - When reporting a failure from make_socket_reuseable(), don't - report a warning when we get a failure from an incoming socket - on OSX. Fix for bug 10081. - diff --git a/changes/bug10363 b/changes/bug10363 deleted file mode 100644 index 0cdfd9aee..000000000 --- a/changes/bug10363 +++ /dev/null @@ -1,12 +0,0 @@ - o Major bugfixes: - - Fix two instances of possible undefined behavior in channeltls.c - that could, under unlucky circumstances, have led to a pointer - overflow. Fixes bug #10363; bugfixes on 0.2.0.10-alpha and - 0.2.3.6-alpha. Reported by "bobnomnom". - - Fix another possibly undefined pointer operations in tor_memmem - fallback implementation. Another case of bug #10363; bugfix on - 0.1.1.1-alpha. - - Fix another possibly undefined pointer operations in the eventdns - fallback implementation. Another case of bug #10363; bugfix on - 0.1.2.1-alpha. - diff --git a/changes/bug10468 b/changes/bug10468 deleted file mode 100644 index 128eb3ac6..000000000 --- a/changes/bug10468 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - When using DNSPort and AutomapHostsOnResolve, respond to AAAA - requests with AAAA automapped answers. Fixes bug 10468; bugfix - on 0.2.4.7-alpha. diff --git a/changes/bug10801 b/changes/bug10801 deleted file mode 100644 index 201bbeab1..000000000 --- a/changes/bug10801 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Stop accepting bridge lines containing hostnames. Doing so allowed - clients to perform DNS requests on the hostnames, which was not - sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha. diff --git a/changes/bug11061 b/changes/bug11061 deleted file mode 100644 index 5035e876a..000000000 --- a/changes/bug11061 +++ /dev/null @@ -1,3 +0,0 @@ - o Documentation fixes: - - Fix the layout of the SOCKSPort flags in the manpage. Fixes bug - 11061; bugfix on 0.2.4.7-alpha. diff --git a/changes/bug11070 b/changes/bug11070 deleted file mode 100644 index 88fecf979..000000000 --- a/changes/bug11070 +++ /dev/null @@ -1,4 +0,0 @@ - o Removed code: - - Remove all code for the long unused v1 directory protocol. Resolves - ticket 11070. - diff --git a/changes/bug11232 b/changes/bug11232 deleted file mode 100644 index c1a878083..000000000 --- a/changes/bug11232 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Use AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix some - miscellaneous errors in our tests and codebase. Fix for bug 11232. - Bugfixes on versions back as far as 0.2.1.11-alpha. diff --git a/changes/bug11275 b/changes/bug11275 deleted file mode 100644 index b9b019ff4..000000000 --- a/changes/bug11275 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Fix a minor memory leak that occurred when signing a directory - object. Fixes bug 11275; bugfix on 0.2.4.13-alpha. diff --git a/changes/bug11276 b/changes/bug11276 deleted file mode 100644 index be3753435..000000000 --- a/changes/bug11276 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Don't re-initialize a second set of openssl mutexes when starting - up. Fixes bug 11726; bugfix on 0.2.5.3-alpha. diff --git a/changes/bug11278 b/changes/bug11278 deleted file mode 100644 index 4fa59fc69..000000000 --- a/changes/bug11278 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Free placeholder entries in our circuit table at exit; fixes - a harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha. diff --git a/changes/bug11279 b/changes/bug11279 deleted file mode 100644 index 1e9da4118..000000000 --- a/changes/bug11279 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Warn less verbosely when receiving a misformed ESTABLISH_RENDEZVOUS - cell. Fixes ticket 11279. diff --git a/changes/bug11296 b/changes/bug11296 deleted file mode 100644 index 156749761..000000000 --- a/changes/bug11296 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Allow tor-fw-helper to build again by adding src/ext to its - CPPFLAGS. Fixes bug 11296; bugfix on 0.2.5.3-alpha. diff --git a/changes/bug11321 b/changes/bug11321 deleted file mode 100644 index d737a1f37..000000000 --- a/changes/bug11321 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (build): - - Build the torify.1 manpage again. Previously, we were only - trying to build it when also building tor-fw-helper. That's why - we didn't notice that we'd broken the ability to build it. - Fixes bug 11321; bugfix on 0.2.5.1-alpha. diff --git a/changes/bug11342 b/changes/bug11342 deleted file mode 100644 index a52a5515e..000000000 --- a/changes/bug11342 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - When dumping a malformed directory object to disk, save it in binary - mode on windows, not text mode. Fixes bug 11342; bugfix on - 0.2.2.1-alpha. diff --git a/changes/bug7164_diagnose_harder b/changes/bug7164_diagnose_harder deleted file mode 100644 index 28c36b658..000000000 --- a/changes/bug7164_diagnose_harder +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features: - - Try harder to diagnose a possible cause of bug 7164, which causes - intermittent "microdesc_free() called but md was still referenced" - warnings. We now log more information about the likely error case, - to try to figure out why we might be cleaning a microdescriptor - as old if it's still referenced by a live node. diff --git a/changes/bug8787 b/changes/bug8787 deleted file mode 100644 index 212844ad2..000000000 --- a/changes/bug8787 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features: - - Always check return values for unlink, munmap, UnmapViewOfFile; - check strftime return values more often. In some cases all we - can do is report a warning, but this may help prevent deeper - bugs from going unnoticed. Closes ticket 8787. diff --git a/changes/bug9107 b/changes/bug9107 deleted file mode 100644 index dba166977..000000000 --- a/changes/bug9107 +++ /dev/null @@ -1,3 +0,0 @@ - o Code simplifications and refactoring: - - Remove unused function circuit_dump_by_chan from circuitlist.c. Closes - issue #9107; patch from "marek". diff --git a/changes/bug9213_doc b/changes/bug9213_doc deleted file mode 100644 index 2f959dd83..000000000 --- a/changes/bug9213_doc +++ /dev/null @@ -1,5 +0,0 @@ - o Documentation: - - Correctly document that we search for a system torrc file before - looking in ~/.torrc. Fixes documentation side of 9213; bugfix - on 0.2.3.18-rc. - diff --git a/changes/bug9229_025 b/changes/bug9229_025 new file mode 100644 index 000000000..ad7fd22c2 --- /dev/null +++ b/changes/bug9229_025 @@ -0,0 +1,5 @@ + o Minor bugfixes: + - Avoid 60-second delays in the bootstrapping process when Tor + is launching for a second time while using bridges. Fixes bug 9229; + bugfix on 0.2.0.3-alpha. + diff --git a/changes/bug9650 b/changes/bug9650 deleted file mode 100644 index c49cc2420..000000000 --- a/changes/bug9650 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Avoid potential crashes or bad behavior when launching a - server-side managed proxy with ORPort or ExtORPort temporarily - disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha. diff --git a/changes/bug9665 b/changes/bug9665 deleted file mode 100644 index d9e58591e..000000000 --- a/changes/bug9665 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Report a failure to connect to a bridge because its transport - type has no configured pluggable transport as a new type of bootstrap - failure. Resolves ticket 9665. Patch from Fábio J. Bertinatto. diff --git a/changes/bug9841 b/changes/bug9841 deleted file mode 100644 index 8b40dda0c..000000000 --- a/changes/bug9841 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor features (performance): - - - Faster server-side lookups of rendezvous and introduction point - circuits by using hashtables instead of linear searches over all - the circuits. These functions previously accounted between 3 and - 7% of CPU usage on some busy relays. - diff --git a/changes/bug9870 b/changes/bug9870 deleted file mode 100644 index b4b2c2df2..000000000 --- a/changes/bug9870 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - - Log only one message when we start logging in an unsafe - way. Previously, we would log as many messages as we had - problems. Fix for #9870; bugfix on 0.2.5.1-alpha. diff --git a/changes/bug9963 b/changes/bug9963 new file mode 100644 index 000000000..b8b95f2a7 --- /dev/null +++ b/changes/bug9963 @@ -0,0 +1,5 @@ + o Minor features: + - Don't log so many notice-level bootstrapping messages at startup about + downloading descriptors. Previously, we'd log a notice whenever we + learned about more routers. Now, we only log a notice at every 5% of + progress. Fixes bug 9963. diff --git a/changes/cov-leaks b/changes/cov-leaks deleted file mode 100644 index 302d2475c..000000000 --- a/changes/cov-leaks +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Resolve some memory leaks found by coverity in the unit tests, - on exit in tor-gencert, and on a failure to compute digests - for our own keys when generating a v3 networkstatus vote. - These leaks should never have affected anyone in practice. - diff --git a/changes/doxygen_fixes b/changes/doxygen_fixes deleted file mode 100644 index a9add9d62..000000000 --- a/changes/doxygen_fixes +++ /dev/null @@ -1,6 +0,0 @@ - o Documentation: - - Resolve warnings from Doxygen. - - o Code simplification and refactoring: - - Change our use of the ENUM_BF macro to avoid declarations that - confuse Doxygen. diff --git a/changes/require_023 b/changes/require_023 deleted file mode 100644 index f3a5a1417..000000000 --- a/changes/require_023 +++ /dev/null @@ -1,6 +0,0 @@ - o Deprecated versions: - - Tor 0.2.2.x is no longer supported, and has not been for a while. - Directory authorities no longer accept descriptors from - Tor relays running any version of Tor prior to Tor 0.2.3.16-alpha. - Resolves ticket 11149. - diff --git a/changes/ticket11528 b/changes/ticket11528 new file mode 100644 index 000000000..15daad995 --- /dev/null +++ b/changes/ticket11528 @@ -0,0 +1,6 @@ + o Minor features: + - Servers now trust themselves to have a better view than clients of + which TLS ciphersuites to choose. (Thanks to #11513, the server + list is now well-considered, whereas the client list has been + chosen mainly for anti-fingerprinting purposes.) Resolves ticket + 11528. diff --git a/changes/ticket4645 b/changes/ticket4645 deleted file mode 100644 index cc665ba1a..000000000 --- a/changes/ticket4645 +++ /dev/null @@ -1,3 +0,0 @@ - o Code simplifications and refactoring: - - Removing is_internal_IP() function. Resolves ticket 4645. - diff --git a/configure.ac b/configure.ac index 6e4104196..07b23dbcf 100644 --- a/configure.ac +++ b/configure.ac @@ -129,13 +129,13 @@ AC_ARG_ENABLE(gcc-warnings, AC_ARG_ENABLE(gcc-warnings-advisory, AS_HELP_STRING(--enable-gcc-warnings-advisory, [enable verbose warnings, excluding -Werror])) -dnl Adam shostack suggests the following for Windows: -dnl -D_FORTIFY_SOURCE=2 -fstack-protector-all dnl Others suggest '/gs /safeseh /nxcompat /dynamicbase' for non-gcc on Windows -dnl This requires that we use gcc and that we add -O2 to the CFLAGS. AC_ARG_ENABLE(gcc-hardening, AS_HELP_STRING(--disable-gcc-hardening, disable compiler security checks)) +AC_ARG_ENABLE(expensive-hardening, + AS_HELP_STRING(--enable-expensive-hardening, enable more expensive compiler hardening; makes Tor slower)) + dnl Linker hardening options dnl Currently these options are ELF specific - you can't use this with MacOSX AC_ARG_ENABLE(linker-hardening, @@ -435,6 +435,7 @@ AC_CHECK_FUNCS([event_get_version \ event_set_log_callback \ evdns_set_outgoing_bind_address \ evutil_secure_rng_set_urandom_device_file \ + evutil_secure_rng_init \ event_base_loopexit]) AC_CHECK_MEMBERS([struct event.min_heap_idx], , , [#include <event.h> @@ -628,6 +629,12 @@ if test x$enable_gcc_hardening != xno; then fi fi +if test x$enable_expensive_hardening = xyes ; then + TOR_CHECK_CFLAGS([-fsanitize=address]) + TOR_CHECK_CFLAGS([-fsanitize=undefined]) + TOR_CHECK_CFLAGS([-fno-omit-frame-pointer]) +fi + if test x$enable_linker_hardening != xno; then TOR_CHECK_LDFLAGS(-z relro -z now, "$all_ldflags_for_check", "$all_libs_for_check") fi @@ -640,10 +647,11 @@ dnl Now see if we have a -fomit-frame-pointer compiler option. saved_CFLAGS="$CFLAGS" TOR_CHECK_CFLAGS(-fomit-frame-pointer) +F_OMIT_FRAME_POINTER='' if test "$saved_CFLAGS" != "$CFLAGS"; then - F_OMIT_FRAME_POINTER='-fomit-frame-pointer' -else - F_OMIT_FRAME_POINTER='' + if test x$enable_expensive_hardening != xyes ; then + F_OMIT_FRAME_POINTER='-fomit-frame-pointer' + fi fi CFLAGS="$saved_CFLAGS" AC_SUBST(F_OMIT_FRAME_POINTER) diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 1cc8f841c..d1556a554 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1196,20 +1196,29 @@ The following options are useful only for clients (that is, if compatibility, TransListenAddress is only allowed when TransPort is just a port number.) -[[TransProxyType]] **TransProxyTYpe** **default**|**TPROXY**:: +[[TransProxyType]] **TransProxyTYpe** **default**|**TPROXY**|**ipfw**|**pf-divert**:: TransProxyType may only be enabled when there is transparent proxy listener enabled. + - Set this to TPROXY if you wish to be able to use the TPROXY Linux module to - transparently proxy connections that are configured using the TransPort + Set this to "TPROXY" if you wish to be able to use the TPROXY Linux module + to transparently proxy connections that are configured using the TransPort option. This setting lets the listener on the TransPort accept connections for all addresses, even when the TransListenAddress is configured for an internal address. Detailed information on how to configure the TPROXY feature can be found in the Linux kernel source tree in the file Documentation/networking/tproxy.txt. + + Set this option to "ipfw" to use the FreeBSD ipfw interface. + + + On *BSD operating systems when using pf, set this to "pf-divert" to take + advantage of +divert-to+ rules, which do not modify the packets like + +rdr-to+ rules do. Detailed information on how to configure pf to use + +divert-to+ rules can be found in the pf.conf(5) manual page. On OpenBSD, + +divert-to+ is available to use on versions greater than or equal to + OpenBSD 4.4. + + Set this to "default", or leave it unconfigured, to use regular IPTables - on Linux, or to use pf on the *BSD operating systems. + on Linux, or to use pf +rdr-to+ rules on *BSD systems. + (Default: "default".) diff --git a/src/common/backtrace.c b/src/common/backtrace.c index 239c65782..3a073a8ff 100644 --- a/src/common/backtrace.c +++ b/src/common/backtrace.c @@ -5,7 +5,6 @@ #define _GNU_SOURCE 1 #include "orconfig.h" -#include "backtrace.h" #include "compat.h" #include "util.h" #include "torlog.h" @@ -31,6 +30,9 @@ #include <ucontext.h> #endif +#define EXPOSE_CLEAN_BACKTRACE +#include "backtrace.h" + #if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \ defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION) #define USE_BACKTRACE @@ -59,7 +61,7 @@ static tor_mutex_t cb_buf_mutex; * onto the stack. Fortunately, we usually have the program counter in the * ucontext_t structure. */ -static void +void clean_backtrace(void **stack, int depth, const ucontext_t *ctx) { #ifdef PC_FROM_UCONTEXT @@ -165,6 +167,18 @@ install_bt_handler(void) rv = -1; } } + + { + /* Now, generate (but do not log) a backtrace. This ensures that + * libc has pre-loaded the symbols we need to dump things, so that later + * reads won't be denied by the sandbox code */ + char **symbols; + int depth = backtrace(cb_buf, MAX_DEPTH); + symbols = backtrace_symbols(cb_buf, depth); + if (symbols) + free(symbols); + } + return rv; } diff --git a/src/common/backtrace.h b/src/common/backtrace.h index 765436fee..1f4d73339 100644 --- a/src/common/backtrace.h +++ b/src/common/backtrace.h @@ -4,9 +4,18 @@ #ifndef TOR_BACKTRACE_H #define TOR_BACKTRACE_H +#include "orconfig.h" + void log_backtrace(int severity, int domain, const char *msg); int configure_backtrace_handler(const char *tor_version); void clean_up_backtrace_handler(void); +#ifdef EXPOSE_CLEAN_BACKTRACE +#if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \ + defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION) +void clean_backtrace(void **stack, int depth, const ucontext_t *ctx); +#endif +#endif + #endif diff --git a/src/common/ciphers.inc b/src/common/ciphers.inc index 137d78b11..ab4ac4072 100644 --- a/src/common/ciphers.inc +++ b/src/common/ciphers.inc @@ -4,86 +4,51 @@ * * This file was automatically generated by get_mozilla_ciphers.py. */ -#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - CIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) -#else - XCIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) -#endif -#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA - CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA) -#else - XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA) -#endif -#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA) -#else - XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA) -#endif -#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA - CIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA) +#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + CIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) #else - XCIPHER(0x0087, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA) + XCIPHER(0xc02b, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) #endif -#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA - CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) +#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + CIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256) #else - XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) + XCIPHER(0xc02f, TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256) #endif -#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA - CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA) +#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + CIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) #else - XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA) + XCIPHER(0xc00a, TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_CBC_SHA) #endif -#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA - CIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA) +#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + CIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) #else - XCIPHER(0xc00f, TLS1_TXT_ECDH_RSA_WITH_AES_256_CBC_SHA) + XCIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) #endif -#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA - CIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA) +#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA + CIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA) #else - XCIPHER(0xc005, TLS1_TXT_ECDH_ECDSA_WITH_AES_256_CBC_SHA) + XCIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA) #endif -#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA - CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA) +#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA + CIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA) #else - XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA) + XCIPHER(0xc014, TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA) #endif -#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA - CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA) +#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA + CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA) #else - XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA) + XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA) #endif #ifdef TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA CIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA) #else XCIPHER(0xc007, TLS1_TXT_ECDHE_ECDSA_WITH_RC4_128_SHA) #endif -#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - CIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) -#else - XCIPHER(0xc009, TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_CBC_SHA) -#endif #ifdef TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA CIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA) #else XCIPHER(0xc011, TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA) #endif -#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA - CIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA) -#else - XCIPHER(0xc013, TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA) -#endif -#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA) -#else - XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA) -#endif -#ifdef TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA - CIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA) -#else - XCIPHER(0x0044, TLS1_TXT_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA) -#endif #ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA CIPHER(0x0033, TLS1_TXT_DHE_RSA_WITH_AES_128_SHA) #else @@ -94,89 +59,63 @@ #else XCIPHER(0x0032, TLS1_TXT_DHE_DSS_WITH_AES_128_SHA) #endif -#ifdef TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA - CIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA) -#else - XCIPHER(0xc00c, TLS1_TXT_ECDH_RSA_WITH_RC4_128_SHA) -#endif -#ifdef TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA - CIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA) -#else - XCIPHER(0xc00e, TLS1_TXT_ECDH_RSA_WITH_AES_128_CBC_SHA) -#endif -#ifdef TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA - CIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA) -#else - XCIPHER(0xc002, TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA) -#endif -#ifdef TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA - CIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA) +#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA + CIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA) #else - XCIPHER(0xc004, TLS1_TXT_ECDH_ECDSA_WITH_AES_128_CBC_SHA) + XCIPHER(0x0045, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA) #endif -#ifdef TLS1_TXT_RSA_WITH_SEED_SHA - CIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA) +#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA + CIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) #else - XCIPHER(0x0096, TLS1_TXT_RSA_WITH_SEED_SHA) + XCIPHER(0x0039, TLS1_TXT_DHE_RSA_WITH_AES_256_SHA) #endif -#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA - CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA) +#ifdef TLS1_TXT_DHE_DSS_WITH_AES_256_SHA + CIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA) #else - XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA) + XCIPHER(0x0038, TLS1_TXT_DHE_DSS_WITH_AES_256_SHA) #endif -#ifdef SSL3_TXT_RSA_RC4_128_MD5 - CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5) +#ifdef TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + CIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA) #else - XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5) + XCIPHER(0x0088, TLS1_TXT_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA) #endif -#ifdef SSL3_TXT_RSA_RC4_128_SHA - CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA) +#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA + CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) #else - XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA) + XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) #endif #ifdef TLS1_TXT_RSA_WITH_AES_128_SHA CIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA) #else XCIPHER(0x002f, TLS1_TXT_RSA_WITH_AES_128_SHA) #endif -#ifdef TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA - CIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA) -#else - XCIPHER(0xc008, TLS1_TXT_ECDHE_ECDSA_WITH_DES_192_CBC3_SHA) -#endif -#ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA - CIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA) -#else - XCIPHER(0xc012, TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA) -#endif -#ifdef SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA - CIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) +#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA + CIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA) #else - XCIPHER(0x0016, SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA) + XCIPHER(0x0041, TLS1_TXT_RSA_WITH_CAMELLIA_128_CBC_SHA) #endif -#ifdef SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA - CIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA) +#ifdef TLS1_TXT_RSA_WITH_AES_256_SHA + CIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA) #else - XCIPHER(0x0013, SSL3_TXT_EDH_DSS_DES_192_CBC3_SHA) + XCIPHER(0x0035, TLS1_TXT_RSA_WITH_AES_256_SHA) #endif -#ifdef TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA - CIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA) +#ifdef TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA + CIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA) #else - XCIPHER(0xc00d, TLS1_TXT_ECDH_RSA_WITH_DES_192_CBC3_SHA) + XCIPHER(0x0084, TLS1_TXT_RSA_WITH_CAMELLIA_256_CBC_SHA) #endif -#ifdef TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA - CIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA) +#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA + CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA) #else - XCIPHER(0xc003, TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA) + XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA) #endif -/* No openssl macro found for 0xfeff */ -#ifdef SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA - CIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA) +#ifdef SSL3_TXT_RSA_RC4_128_SHA + CIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA) #else - XCIPHER(0xfeff, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA) + XCIPHER(0x0005, SSL3_TXT_RSA_RC4_128_SHA) #endif -#ifdef SSL3_TXT_RSA_DES_192_CBC3_SHA - CIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA) +#ifdef SSL3_TXT_RSA_RC4_128_MD5 + CIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5) #else - XCIPHER(0x000a, SSL3_TXT_RSA_DES_192_CBC3_SHA) + XCIPHER(0x0004, SSL3_TXT_RSA_RC4_128_MD5) #endif diff --git a/src/common/compat.c b/src/common/compat.c index 04c9d5923..c5945fbd2 100644 --- a/src/common/compat.c +++ b/src/common/compat.c @@ -144,6 +144,7 @@ tor_open_cloexec(const char *path, int flags, unsigned mode) return -1; #endif + log_debug(LD_FS, "Opening %s with flags %x", path, flags); fd = open(path, flags, mode); #ifdef FD_CLOEXEC if (fd >= 0) { @@ -175,6 +176,15 @@ tor_fopen_cloexec(const char *path, const char *mode) return result; } +/** As rename(), but work correctly with the sandbox. */ +int +tor_rename(const char *path_old, const char *path_new) +{ + log_debug(LD_FS, "Renaming %s to %s", path_old, path_new); + return rename(sandbox_intern_string(path_old), + sandbox_intern_string(path_new)); +} + #if defined(HAVE_SYS_MMAN_H) || defined(RUNNING_DOXYGEN) /** Try to create a memory mapping for <b>filename</b> and return it. On * failure, return NULL. Sets errno properly, using ERANGE to mean @@ -799,7 +809,7 @@ int replace_file(const char *from, const char *to) { #ifndef _WIN32 - return rename(from,to); + return tor_rename(from, to); #else switch (file_status(to)) { @@ -814,7 +824,7 @@ replace_file(const char *from, const char *to) errno = EISDIR; return -1; } - return rename(from,to); + return tor_rename(from,to); #endif } diff --git a/src/common/compat.h b/src/common/compat.h index bb88818d8..9a381fb97 100644 --- a/src/common/compat.h +++ b/src/common/compat.h @@ -410,6 +410,7 @@ struct tm *tor_gmtime_r(const time_t *timep, struct tm *result); /* ===== File compatibility */ int tor_open_cloexec(const char *path, int flags, unsigned mode); FILE *tor_fopen_cloexec(const char *path, const char *mode); +int tor_rename(const char *path_old, const char *path_new); int replace_file(const char *from, const char *to); int touch_file(const char *fname); diff --git a/src/common/compat_libevent.c b/src/common/compat_libevent.c index 8525b4a72..74b54bb85 100644 --- a/src/common/compat_libevent.c +++ b/src/common/compat_libevent.c @@ -13,6 +13,8 @@ #include "compat.h" #include "compat_libevent.h" +#include "crypto.h" + #include "util.h" #include "torlog.h" @@ -626,6 +628,23 @@ tor_add_bufferevent_to_rate_limit_group(struct bufferevent *bev, } #endif +int +tor_init_libevent_rng(void) +{ + int rv = 0; +#ifdef HAVE_EVUTIL_SECURE_RNG_INIT + char buf[256]; + if (evutil_secure_rng_init() < 0) { + rv = -1; + } + /* Older libevent -- manually initialize the RNG */ + crypto_rand(buf, 32); + evutil_secure_rng_add_bytes(buf, 32); + evutil_secure_rng_get_bytes(buf, sizeof(buf)); +#endif + return rv; +} + #if defined(LIBEVENT_VERSION_NUMBER) && LIBEVENT_VERSION_NUMBER >= V(2,1,1) \ && !defined(TOR_UNIT_TESTS) void diff --git a/src/common/compat_libevent.h b/src/common/compat_libevent.h index f0d1828b7..9ee7b49cf 100644 --- a/src/common/compat_libevent.h +++ b/src/common/compat_libevent.h @@ -89,6 +89,8 @@ int tor_add_bufferevent_to_rate_limit_group(struct bufferevent *bev, struct bufferevent_rate_limit_group *g); #endif +int tor_init_libevent_rng(void); + void tor_gettimeofday_cached(struct timeval *tv); void tor_gettimeofday_cache_clear(void); #ifdef TOR_UNIT_TESTS diff --git a/src/common/crypto.c b/src/common/crypto.c index 8a4ffb694..a247a87d4 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -2471,6 +2471,7 @@ crypto_strongest_rand(uint8_t *out, size_t out_len) return 0; #else for (i = 0; filenames[i]; ++i) { + log_debug(LD_FS, "Opening %s for entropy", filenames[i]); fd = open(sandbox_intern_string(filenames[i]), O_RDONLY, 0); if (fd<0) continue; log_info(LD_CRYPTO, "Reading entropy from \"%s\"", filenames[i]); diff --git a/src/common/gen_linux_syscalls.pl b/src/common/gen_linux_syscalls.pl new file mode 100755 index 000000000..3c64098a0 --- /dev/null +++ b/src/common/gen_linux_syscalls.pl @@ -0,0 +1,37 @@ +#!/usr/bin/perl -w + +use strict; +my %syscalls = (); + +while (<>) { + if (/^#define (__NR_\w+) /) { + $syscalls{$1} = 1; + } +} + +print <<EOL; +/* Automatically generated with + gen_sandbox_syscalls.pl /usr/include/asm/unistd*.h + Do not edit. + */ +static const struct { + int syscall_num; const char *syscall_name; +} SYSCALLS_BY_NUMBER[] = { +EOL + +for my $k (sort keys %syscalls) { + my $name = $k; + $name =~ s/^__NR_//; + print <<EOL; +#ifdef $k + { $k, "$name" }, +#endif +EOL + +} + +print <<EOL + {0, NULL} +}; + +EOL diff --git a/src/common/gen_server_ciphers.py b/src/common/gen_server_ciphers.py new file mode 100755 index 000000000..97ed9d046 --- /dev/null +++ b/src/common/gen_server_ciphers.py @@ -0,0 +1,115 @@ +#!/usr/bin/python +# Copyright 2014, The Tor Project, Inc +# See LICENSE for licensing information + +# This script parses openssl headers to find ciphersuite names, determines +# which ones we should be willing to use as a server, and sorts them according +# to preference rules. +# +# Run it on all the files in your openssl include directory. + +import re +import sys + +EPHEMERAL_INDICATORS = [ "_EDH_", "_DHE_", "_ECDHE_" ] +BAD_STUFF = [ "_DES_40_", "MD5", "_RC4_", "_DES_64_", + "_SEED_", "_CAMELLIA_", "_NULL" ] + +# these never get #ifdeffed. +MANDATORY = [ + "TLS1_TXT_DHE_RSA_WITH_AES_256_SHA", + "TLS1_TXT_DHE_RSA_WITH_AES_128_SHA", + "SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA", +] + +def find_ciphers(filename): + with open(filename) as f: + for line in f: + m = re.search(r'(?:SSL3|TLS1)_TXT_\w+', line) + if m: + yield m.group(0) + +def usable_cipher(ciph): + ephemeral = False + for e in EPHEMERAL_INDICATORS: + if e in ciph: + ephemeral = True + if not ephemeral: + return False + + if "_RSA_" not in ciph: + return False + + for b in BAD_STUFF: + if b in ciph: + return False + return True + +# All fields we sort on, in order of priority. +FIELDS = [ 'cipher', 'fwsec', 'mode', 'digest', 'bitlength' ] +# Map from sorted fields to recognized value in descending order of goodness +FIELD_VALS = { 'cipher' : [ 'AES', 'DES'], + 'fwsec' : [ 'ECDHE', 'DHE' ], + 'mode' : [ 'GCM', 'CBC' ], + 'digest' : [ 'SHA384', 'SHA256', 'SHA' ], + 'bitlength' : [ '256', '128', '192' ], +} + +class Ciphersuite(object): + def __init__(self, name, fwsec, cipher, bitlength, mode, digest): + self.name = name + self.fwsec = fwsec + self.cipher = cipher + self.bitlength = bitlength + self.mode = mode + self.digest = digest + + for f in FIELDS: + assert(getattr(self, f) in FIELD_VALS[f]) + + def sort_key(self): + return tuple(FIELD_VALS[f].index(getattr(self,f)) for f in FIELDS) + + +def parse_cipher(ciph): + m = re.match('(?:TLS1|SSL3)_TXT_(EDH|DHE|ECDHE)_RSA(?:_WITH)?_(AES|DES)_(256|128|192)(|_CBC|_CBC3|_GCM)_(SHA|SHA256|SHA384)$', ciph) + + if not m: + print "/* Couldn't parse %s ! */"%ciph + return None + + fwsec, cipher, bits, mode, digest = m.groups() + if fwsec == 'EDH': + fwsec = 'DHE' + + if mode in [ '_CBC3', '_CBC', '' ]: + mode = 'CBC' + elif mode == '_GCM': + mode = 'GCM' + + return Ciphersuite(ciph, fwsec, cipher, bits, mode, digest) + +ALL_CIPHERS = [] + +for fname in sys.argv[1:]: + ALL_CIPHERS += (parse_cipher(c) + for c in find_ciphers(fname) + if usable_cipher(c) ) + +ALL_CIPHERS.sort(key=Ciphersuite.sort_key) + +for c in ALL_CIPHERS: + if c is ALL_CIPHERS[-1]: + colon = ';' + else: + colon = ' ":"' + + if c.name in MANDATORY: + print " /* Required */" + print ' %s%s'%(c.name,colon) + else: + print "#ifdef %s"%c.name + print ' %s%s'%(c.name,colon) + print "#endif" + + diff --git a/src/common/get_mozilla_ciphers.py b/src/common/get_mozilla_ciphers.py index c7e9a84a0..0636eb365 100644 --- a/src/common/get_mozilla_ciphers.py +++ b/src/common/get_mozilla_ciphers.py @@ -41,12 +41,12 @@ fileA = open(ff('security/manager/ssl/src/nsNSSComponent.cpp'),'r') inCipherSection = False cipherLines = [] for line in fileA: - if line.startswith('static CipherPref CipherPrefs'): + if line.startswith('static const CipherPref sCipherPrefs[]'): # Get the starting boundary of the Cipher Preferences inCipherSection = True elif inCipherSection: line = line.strip() - if line.startswith('{NULL, 0}'): + if line.startswith('{ nullptr, 0}'): # At the ending boundary of the Cipher Prefs break else: @@ -56,12 +56,30 @@ fileA.close() # Parse the lines and put them into a dict ciphers = {} cipher_pref = {} +key_pending = None for line in cipherLines: - m = re.search(r'^{\s*\"([^\"]+)\",\s*(\S*)\s*}', line) + m = re.search(r'^{\s*\"([^\"]+)\",\s*(\S+)\s*(?:,\s*(true|false))?\s*}', line) if m: - key,value = m.groups() - ciphers[key] = value - cipher_pref[value] = key + assert not key_pending + key,value,enabled = m.groups() + if enabled == 'true': + ciphers[key] = value + cipher_pref[value] = key + continue + m = re.search(r'^{\s*\"([^\"]+)\",', line) + if m: + assert not key_pending + key_pending = m.group(1) + continue + m = re.search(r'^\s*(\S+)(?:,\s*(true|false))?\s*}', line) + if m: + assert key_pending + key = key_pending + value,enabled = m.groups() + key_pending = None + if enabled == 'true': + ciphers[key] = value + cipher_pref[value] = key #### # Now find the correct order for the ciphers diff --git a/src/common/include.am b/src/common/include.am index d0ea40ea6..7b2465cd8 100644 --- a/src/common/include.am +++ b/src/common/include.am @@ -103,6 +103,7 @@ COMMONHEADERS = \ src/common/di_ops.h \ src/common/memarea.h \ src/common/mempool.h \ + src/common/linux_syscalls.inc \ src/common/procmon.h \ src/common/sandbox.h \ src/common/testsupport.h \ diff --git a/src/common/linux_syscalls.inc b/src/common/linux_syscalls.inc new file mode 100644 index 000000000..912735660 --- /dev/null +++ b/src/common/linux_syscalls.inc @@ -0,0 +1,1153 @@ +/* Automatically generated with + gen_sandbox_syscalls.pl /usr/include/asm/unistd*.h + Do not edit. + */ +static const struct { + int syscall_num; const char *syscall_name; +} SYSCALLS_BY_NUMBER[] = { +#ifdef __NR__llseek + { __NR__llseek, "_llseek" }, +#endif +#ifdef __NR__newselect + { __NR__newselect, "_newselect" }, +#endif +#ifdef __NR__sysctl + { __NR__sysctl, "_sysctl" }, +#endif +#ifdef __NR_accept + { __NR_accept, "accept" }, +#endif +#ifdef __NR_accept4 + { __NR_accept4, "accept4" }, +#endif +#ifdef __NR_access + { __NR_access, "access" }, +#endif +#ifdef __NR_acct + { __NR_acct, "acct" }, +#endif +#ifdef __NR_add_key + { __NR_add_key, "add_key" }, +#endif +#ifdef __NR_adjtimex + { __NR_adjtimex, "adjtimex" }, +#endif +#ifdef __NR_afs_syscall + { __NR_afs_syscall, "afs_syscall" }, +#endif +#ifdef __NR_alarm + { __NR_alarm, "alarm" }, +#endif +#ifdef __NR_arch_prctl + { __NR_arch_prctl, "arch_prctl" }, +#endif +#ifdef __NR_bdflush + { __NR_bdflush, "bdflush" }, +#endif +#ifdef __NR_bind + { __NR_bind, "bind" }, +#endif +#ifdef __NR_break + { __NR_break, "break" }, +#endif +#ifdef __NR_brk + { __NR_brk, "brk" }, +#endif +#ifdef __NR_capget + { __NR_capget, "capget" }, +#endif +#ifdef __NR_capset + { __NR_capset, "capset" }, +#endif +#ifdef __NR_chdir + { __NR_chdir, "chdir" }, +#endif +#ifdef __NR_chmod + { __NR_chmod, "chmod" }, +#endif +#ifdef __NR_chown + { __NR_chown, "chown" }, +#endif +#ifdef __NR_chown32 + { __NR_chown32, "chown32" }, +#endif +#ifdef __NR_chroot + { __NR_chroot, "chroot" }, +#endif +#ifdef __NR_clock_adjtime + { __NR_clock_adjtime, "clock_adjtime" }, +#endif +#ifdef __NR_clock_getres + { __NR_clock_getres, "clock_getres" }, +#endif +#ifdef __NR_clock_gettime + { __NR_clock_gettime, "clock_gettime" }, +#endif +#ifdef __NR_clock_nanosleep + { __NR_clock_nanosleep, "clock_nanosleep" }, +#endif +#ifdef __NR_clock_settime + { __NR_clock_settime, "clock_settime" }, +#endif +#ifdef __NR_clone + { __NR_clone, "clone" }, +#endif +#ifdef __NR_close + { __NR_close, "close" }, +#endif +#ifdef __NR_connect + { __NR_connect, "connect" }, +#endif +#ifdef __NR_creat + { __NR_creat, "creat" }, +#endif +#ifdef __NR_create_module + { __NR_create_module, "create_module" }, +#endif +#ifdef __NR_delete_module + { __NR_delete_module, "delete_module" }, +#endif +#ifdef __NR_dup + { __NR_dup, "dup" }, +#endif +#ifdef __NR_dup2 + { __NR_dup2, "dup2" }, +#endif +#ifdef __NR_dup3 + { __NR_dup3, "dup3" }, +#endif +#ifdef __NR_epoll_create + { __NR_epoll_create, "epoll_create" }, +#endif +#ifdef __NR_epoll_create1 + { __NR_epoll_create1, "epoll_create1" }, +#endif +#ifdef __NR_epoll_ctl + { __NR_epoll_ctl, "epoll_ctl" }, +#endif +#ifdef __NR_epoll_ctl_old + { __NR_epoll_ctl_old, "epoll_ctl_old" }, +#endif +#ifdef __NR_epoll_pwait + { __NR_epoll_pwait, "epoll_pwait" }, +#endif +#ifdef __NR_epoll_wait + { __NR_epoll_wait, "epoll_wait" }, +#endif +#ifdef __NR_epoll_wait_old + { __NR_epoll_wait_old, "epoll_wait_old" }, +#endif +#ifdef __NR_eventfd + { __NR_eventfd, "eventfd" }, +#endif +#ifdef __NR_eventfd2 + { __NR_eventfd2, "eventfd2" }, +#endif +#ifdef __NR_execve + { __NR_execve, "execve" }, +#endif +#ifdef __NR_exit + { __NR_exit, "exit" }, +#endif +#ifdef __NR_exit_group + { __NR_exit_group, "exit_group" }, +#endif +#ifdef __NR_faccessat + { __NR_faccessat, "faccessat" }, +#endif +#ifdef __NR_fadvise64 + { __NR_fadvise64, "fadvise64" }, +#endif +#ifdef __NR_fadvise64_64 + { __NR_fadvise64_64, "fadvise64_64" }, +#endif +#ifdef __NR_fallocate + { __NR_fallocate, "fallocate" }, +#endif +#ifdef __NR_fanotify_init + { __NR_fanotify_init, "fanotify_init" }, +#endif +#ifdef __NR_fanotify_mark + { __NR_fanotify_mark, "fanotify_mark" }, +#endif +#ifdef __NR_fchdir + { __NR_fchdir, "fchdir" }, +#endif +#ifdef __NR_fchmod + { __NR_fchmod, "fchmod" }, +#endif +#ifdef __NR_fchmodat + { __NR_fchmodat, "fchmodat" }, +#endif +#ifdef __NR_fchown + { __NR_fchown, "fchown" }, +#endif +#ifdef __NR_fchown32 + { __NR_fchown32, "fchown32" }, +#endif +#ifdef __NR_fchownat + { __NR_fchownat, "fchownat" }, +#endif +#ifdef __NR_fcntl + { __NR_fcntl, "fcntl" }, +#endif +#ifdef __NR_fcntl64 + { __NR_fcntl64, "fcntl64" }, +#endif +#ifdef __NR_fdatasync + { __NR_fdatasync, "fdatasync" }, +#endif +#ifdef __NR_fgetxattr + { __NR_fgetxattr, "fgetxattr" }, +#endif +#ifdef __NR_finit_module + { __NR_finit_module, "finit_module" }, +#endif +#ifdef __NR_flistxattr + { __NR_flistxattr, "flistxattr" }, +#endif +#ifdef __NR_flock + { __NR_flock, "flock" }, +#endif +#ifdef __NR_fork + { __NR_fork, "fork" }, +#endif +#ifdef __NR_fremovexattr + { __NR_fremovexattr, "fremovexattr" }, +#endif +#ifdef __NR_fsetxattr + { __NR_fsetxattr, "fsetxattr" }, +#endif +#ifdef __NR_fstat + { __NR_fstat, "fstat" }, +#endif +#ifdef __NR_fstat64 + { __NR_fstat64, "fstat64" }, +#endif +#ifdef __NR_fstatat64 + { __NR_fstatat64, "fstatat64" }, +#endif +#ifdef __NR_fstatfs + { __NR_fstatfs, "fstatfs" }, +#endif +#ifdef __NR_fstatfs64 + { __NR_fstatfs64, "fstatfs64" }, +#endif +#ifdef __NR_fsync + { __NR_fsync, "fsync" }, +#endif +#ifdef __NR_ftime + { __NR_ftime, "ftime" }, +#endif +#ifdef __NR_ftruncate + { __NR_ftruncate, "ftruncate" }, +#endif +#ifdef __NR_ftruncate64 + { __NR_ftruncate64, "ftruncate64" }, +#endif +#ifdef __NR_futex + { __NR_futex, "futex" }, +#endif +#ifdef __NR_futimesat + { __NR_futimesat, "futimesat" }, +#endif +#ifdef __NR_get_kernel_syms + { __NR_get_kernel_syms, "get_kernel_syms" }, +#endif +#ifdef __NR_get_mempolicy + { __NR_get_mempolicy, "get_mempolicy" }, +#endif +#ifdef __NR_get_robust_list + { __NR_get_robust_list, "get_robust_list" }, +#endif +#ifdef __NR_get_thread_area + { __NR_get_thread_area, "get_thread_area" }, +#endif +#ifdef __NR_getcpu + { __NR_getcpu, "getcpu" }, +#endif +#ifdef __NR_getcwd + { __NR_getcwd, "getcwd" }, +#endif +#ifdef __NR_getdents + { __NR_getdents, "getdents" }, +#endif +#ifdef __NR_getdents64 + { __NR_getdents64, "getdents64" }, +#endif +#ifdef __NR_getegid + { __NR_getegid, "getegid" }, +#endif +#ifdef __NR_getegid32 + { __NR_getegid32, "getegid32" }, +#endif +#ifdef __NR_geteuid + { __NR_geteuid, "geteuid" }, +#endif +#ifdef __NR_geteuid32 + { __NR_geteuid32, "geteuid32" }, +#endif +#ifdef __NR_getgid + { __NR_getgid, "getgid" }, +#endif +#ifdef __NR_getgid32 + { __NR_getgid32, "getgid32" }, +#endif +#ifdef __NR_getgroups + { __NR_getgroups, "getgroups" }, +#endif +#ifdef __NR_getgroups32 + { __NR_getgroups32, "getgroups32" }, +#endif +#ifdef __NR_getitimer + { __NR_getitimer, "getitimer" }, +#endif +#ifdef __NR_getpeername + { __NR_getpeername, "getpeername" }, +#endif +#ifdef __NR_getpgid + { __NR_getpgid, "getpgid" }, +#endif +#ifdef __NR_getpgrp + { __NR_getpgrp, "getpgrp" }, +#endif +#ifdef __NR_getpid + { __NR_getpid, "getpid" }, +#endif +#ifdef __NR_getpmsg + { __NR_getpmsg, "getpmsg" }, +#endif +#ifdef __NR_getppid + { __NR_getppid, "getppid" }, +#endif +#ifdef __NR_getpriority + { __NR_getpriority, "getpriority" }, +#endif +#ifdef __NR_getresgid + { __NR_getresgid, "getresgid" }, +#endif +#ifdef __NR_getresgid32 + { __NR_getresgid32, "getresgid32" }, +#endif +#ifdef __NR_getresuid + { __NR_getresuid, "getresuid" }, +#endif +#ifdef __NR_getresuid32 + { __NR_getresuid32, "getresuid32" }, +#endif +#ifdef __NR_getrlimit + { __NR_getrlimit, "getrlimit" }, +#endif +#ifdef __NR_getrusage + { __NR_getrusage, "getrusage" }, +#endif +#ifdef __NR_getsid + { __NR_getsid, "getsid" }, +#endif +#ifdef __NR_getsockname + { __NR_getsockname, "getsockname" }, +#endif +#ifdef __NR_getsockopt + { __NR_getsockopt, "getsockopt" }, +#endif +#ifdef __NR_gettid + { __NR_gettid, "gettid" }, +#endif +#ifdef __NR_gettimeofday + { __NR_gettimeofday, "gettimeofday" }, +#endif +#ifdef __NR_getuid + { __NR_getuid, "getuid" }, +#endif +#ifdef __NR_getuid32 + { __NR_getuid32, "getuid32" }, +#endif +#ifdef __NR_getxattr + { __NR_getxattr, "getxattr" }, +#endif +#ifdef __NR_gtty + { __NR_gtty, "gtty" }, +#endif +#ifdef __NR_idle + { __NR_idle, "idle" }, +#endif +#ifdef __NR_init_module + { __NR_init_module, "init_module" }, +#endif +#ifdef __NR_inotify_add_watch + { __NR_inotify_add_watch, "inotify_add_watch" }, +#endif +#ifdef __NR_inotify_init + { __NR_inotify_init, "inotify_init" }, +#endif +#ifdef __NR_inotify_init1 + { __NR_inotify_init1, "inotify_init1" }, +#endif +#ifdef __NR_inotify_rm_watch + { __NR_inotify_rm_watch, "inotify_rm_watch" }, +#endif +#ifdef __NR_io_cancel + { __NR_io_cancel, "io_cancel" }, +#endif +#ifdef __NR_io_destroy + { __NR_io_destroy, "io_destroy" }, +#endif +#ifdef __NR_io_getevents + { __NR_io_getevents, "io_getevents" }, +#endif +#ifdef __NR_io_setup + { __NR_io_setup, "io_setup" }, +#endif +#ifdef __NR_io_submit + { __NR_io_submit, "io_submit" }, +#endif +#ifdef __NR_ioctl + { __NR_ioctl, "ioctl" }, +#endif +#ifdef __NR_ioperm + { __NR_ioperm, "ioperm" }, +#endif +#ifdef __NR_iopl + { __NR_iopl, "iopl" }, +#endif +#ifdef __NR_ioprio_get + { __NR_ioprio_get, "ioprio_get" }, +#endif +#ifdef __NR_ioprio_set + { __NR_ioprio_set, "ioprio_set" }, +#endif +#ifdef __NR_ipc + { __NR_ipc, "ipc" }, +#endif +#ifdef __NR_kcmp + { __NR_kcmp, "kcmp" }, +#endif +#ifdef __NR_kexec_load + { __NR_kexec_load, "kexec_load" }, +#endif +#ifdef __NR_keyctl + { __NR_keyctl, "keyctl" }, +#endif +#ifdef __NR_kill + { __NR_kill, "kill" }, +#endif +#ifdef __NR_lchown + { __NR_lchown, "lchown" }, +#endif +#ifdef __NR_lchown32 + { __NR_lchown32, "lchown32" }, +#endif +#ifdef __NR_lgetxattr + { __NR_lgetxattr, "lgetxattr" }, +#endif +#ifdef __NR_link + { __NR_link, "link" }, +#endif +#ifdef __NR_linkat + { __NR_linkat, "linkat" }, +#endif +#ifdef __NR_listen + { __NR_listen, "listen" }, +#endif +#ifdef __NR_listxattr + { __NR_listxattr, "listxattr" }, +#endif +#ifdef __NR_llistxattr + { __NR_llistxattr, "llistxattr" }, +#endif +#ifdef __NR_lock + { __NR_lock, "lock" }, +#endif +#ifdef __NR_lookup_dcookie + { __NR_lookup_dcookie, "lookup_dcookie" }, +#endif +#ifdef __NR_lremovexattr + { __NR_lremovexattr, "lremovexattr" }, +#endif +#ifdef __NR_lseek + { __NR_lseek, "lseek" }, +#endif +#ifdef __NR_lsetxattr + { __NR_lsetxattr, "lsetxattr" }, +#endif +#ifdef __NR_lstat + { __NR_lstat, "lstat" }, +#endif +#ifdef __NR_lstat64 + { __NR_lstat64, "lstat64" }, +#endif +#ifdef __NR_madvise + { __NR_madvise, "madvise" }, +#endif +#ifdef __NR_mbind + { __NR_mbind, "mbind" }, +#endif +#ifdef __NR_migrate_pages + { __NR_migrate_pages, "migrate_pages" }, +#endif +#ifdef __NR_mincore + { __NR_mincore, "mincore" }, +#endif +#ifdef __NR_mkdir + { __NR_mkdir, "mkdir" }, +#endif +#ifdef __NR_mkdirat + { __NR_mkdirat, "mkdirat" }, +#endif +#ifdef __NR_mknod + { __NR_mknod, "mknod" }, +#endif +#ifdef __NR_mknodat + { __NR_mknodat, "mknodat" }, +#endif +#ifdef __NR_mlock + { __NR_mlock, "mlock" }, +#endif +#ifdef __NR_mlockall + { __NR_mlockall, "mlockall" }, +#endif +#ifdef __NR_mmap + { __NR_mmap, "mmap" }, +#endif +#ifdef __NR_mmap2 + { __NR_mmap2, "mmap2" }, +#endif +#ifdef __NR_modify_ldt + { __NR_modify_ldt, "modify_ldt" }, +#endif +#ifdef __NR_mount + { __NR_mount, "mount" }, +#endif +#ifdef __NR_move_pages + { __NR_move_pages, "move_pages" }, +#endif +#ifdef __NR_mprotect + { __NR_mprotect, "mprotect" }, +#endif +#ifdef __NR_mpx + { __NR_mpx, "mpx" }, +#endif +#ifdef __NR_mq_getsetattr + { __NR_mq_getsetattr, "mq_getsetattr" }, +#endif +#ifdef __NR_mq_notify + { __NR_mq_notify, "mq_notify" }, +#endif +#ifdef __NR_mq_open + { __NR_mq_open, "mq_open" }, +#endif +#ifdef __NR_mq_timedreceive + { __NR_mq_timedreceive, "mq_timedreceive" }, +#endif +#ifdef __NR_mq_timedsend + { __NR_mq_timedsend, "mq_timedsend" }, +#endif +#ifdef __NR_mq_unlink + { __NR_mq_unlink, "mq_unlink" }, +#endif +#ifdef __NR_mremap + { __NR_mremap, "mremap" }, +#endif +#ifdef __NR_msgctl + { __NR_msgctl, "msgctl" }, +#endif +#ifdef __NR_msgget + { __NR_msgget, "msgget" }, +#endif +#ifdef __NR_msgrcv + { __NR_msgrcv, "msgrcv" }, +#endif +#ifdef __NR_msgsnd + { __NR_msgsnd, "msgsnd" }, +#endif +#ifdef __NR_msync + { __NR_msync, "msync" }, +#endif +#ifdef __NR_munlock + { __NR_munlock, "munlock" }, +#endif +#ifdef __NR_munlockall + { __NR_munlockall, "munlockall" }, +#endif +#ifdef __NR_munmap + { __NR_munmap, "munmap" }, +#endif +#ifdef __NR_name_to_handle_at + { __NR_name_to_handle_at, "name_to_handle_at" }, +#endif +#ifdef __NR_nanosleep + { __NR_nanosleep, "nanosleep" }, +#endif +#ifdef __NR_newfstatat + { __NR_newfstatat, "newfstatat" }, +#endif +#ifdef __NR_nfsservctl + { __NR_nfsservctl, "nfsservctl" }, +#endif +#ifdef __NR_nice + { __NR_nice, "nice" }, +#endif +#ifdef __NR_oldfstat + { __NR_oldfstat, "oldfstat" }, +#endif +#ifdef __NR_oldlstat + { __NR_oldlstat, "oldlstat" }, +#endif +#ifdef __NR_oldolduname + { __NR_oldolduname, "oldolduname" }, +#endif +#ifdef __NR_oldstat + { __NR_oldstat, "oldstat" }, +#endif +#ifdef __NR_olduname + { __NR_olduname, "olduname" }, +#endif +#ifdef __NR_open + { __NR_open, "open" }, +#endif +#ifdef __NR_open_by_handle_at + { __NR_open_by_handle_at, "open_by_handle_at" }, +#endif +#ifdef __NR_openat + { __NR_openat, "openat" }, +#endif +#ifdef __NR_pause + { __NR_pause, "pause" }, +#endif +#ifdef __NR_perf_event_open + { __NR_perf_event_open, "perf_event_open" }, +#endif +#ifdef __NR_personality + { __NR_personality, "personality" }, +#endif +#ifdef __NR_pipe + { __NR_pipe, "pipe" }, +#endif +#ifdef __NR_pipe2 + { __NR_pipe2, "pipe2" }, +#endif +#ifdef __NR_pivot_root + { __NR_pivot_root, "pivot_root" }, +#endif +#ifdef __NR_poll + { __NR_poll, "poll" }, +#endif +#ifdef __NR_ppoll + { __NR_ppoll, "ppoll" }, +#endif +#ifdef __NR_prctl + { __NR_prctl, "prctl" }, +#endif +#ifdef __NR_pread64 + { __NR_pread64, "pread64" }, +#endif +#ifdef __NR_preadv + { __NR_preadv, "preadv" }, +#endif +#ifdef __NR_prlimit64 + { __NR_prlimit64, "prlimit64" }, +#endif +#ifdef __NR_process_vm_readv + { __NR_process_vm_readv, "process_vm_readv" }, +#endif +#ifdef __NR_process_vm_writev + { __NR_process_vm_writev, "process_vm_writev" }, +#endif +#ifdef __NR_prof + { __NR_prof, "prof" }, +#endif +#ifdef __NR_profil + { __NR_profil, "profil" }, +#endif +#ifdef __NR_pselect6 + { __NR_pselect6, "pselect6" }, +#endif +#ifdef __NR_ptrace + { __NR_ptrace, "ptrace" }, +#endif +#ifdef __NR_putpmsg + { __NR_putpmsg, "putpmsg" }, +#endif +#ifdef __NR_pwrite64 + { __NR_pwrite64, "pwrite64" }, +#endif +#ifdef __NR_pwritev + { __NR_pwritev, "pwritev" }, +#endif +#ifdef __NR_query_module + { __NR_query_module, "query_module" }, +#endif +#ifdef __NR_quotactl + { __NR_quotactl, "quotactl" }, +#endif +#ifdef __NR_read + { __NR_read, "read" }, +#endif +#ifdef __NR_readahead + { __NR_readahead, "readahead" }, +#endif +#ifdef __NR_readdir + { __NR_readdir, "readdir" }, +#endif +#ifdef __NR_readlink + { __NR_readlink, "readlink" }, +#endif +#ifdef __NR_readlinkat + { __NR_readlinkat, "readlinkat" }, +#endif +#ifdef __NR_readv + { __NR_readv, "readv" }, +#endif +#ifdef __NR_reboot + { __NR_reboot, "reboot" }, +#endif +#ifdef __NR_recvfrom + { __NR_recvfrom, "recvfrom" }, +#endif +#ifdef __NR_recvmmsg + { __NR_recvmmsg, "recvmmsg" }, +#endif +#ifdef __NR_recvmsg + { __NR_recvmsg, "recvmsg" }, +#endif +#ifdef __NR_remap_file_pages + { __NR_remap_file_pages, "remap_file_pages" }, +#endif +#ifdef __NR_removexattr + { __NR_removexattr, "removexattr" }, +#endif +#ifdef __NR_rename + { __NR_rename, "rename" }, +#endif +#ifdef __NR_renameat + { __NR_renameat, "renameat" }, +#endif +#ifdef __NR_request_key + { __NR_request_key, "request_key" }, +#endif +#ifdef __NR_restart_syscall + { __NR_restart_syscall, "restart_syscall" }, +#endif +#ifdef __NR_rmdir + { __NR_rmdir, "rmdir" }, +#endif +#ifdef __NR_rt_sigaction + { __NR_rt_sigaction, "rt_sigaction" }, +#endif +#ifdef __NR_rt_sigpending + { __NR_rt_sigpending, "rt_sigpending" }, +#endif +#ifdef __NR_rt_sigprocmask + { __NR_rt_sigprocmask, "rt_sigprocmask" }, +#endif +#ifdef __NR_rt_sigqueueinfo + { __NR_rt_sigqueueinfo, "rt_sigqueueinfo" }, +#endif +#ifdef __NR_rt_sigreturn + { __NR_rt_sigreturn, "rt_sigreturn" }, +#endif +#ifdef __NR_rt_sigsuspend + { __NR_rt_sigsuspend, "rt_sigsuspend" }, +#endif +#ifdef __NR_rt_sigtimedwait + { __NR_rt_sigtimedwait, "rt_sigtimedwait" }, +#endif +#ifdef __NR_rt_tgsigqueueinfo + { __NR_rt_tgsigqueueinfo, "rt_tgsigqueueinfo" }, +#endif +#ifdef __NR_sched_get_priority_max + { __NR_sched_get_priority_max, "sched_get_priority_max" }, +#endif +#ifdef __NR_sched_get_priority_min + { __NR_sched_get_priority_min, "sched_get_priority_min" }, +#endif +#ifdef __NR_sched_getaffinity + { __NR_sched_getaffinity, "sched_getaffinity" }, +#endif +#ifdef __NR_sched_getparam + { __NR_sched_getparam, "sched_getparam" }, +#endif +#ifdef __NR_sched_getscheduler + { __NR_sched_getscheduler, "sched_getscheduler" }, +#endif +#ifdef __NR_sched_rr_get_interval + { __NR_sched_rr_get_interval, "sched_rr_get_interval" }, +#endif +#ifdef __NR_sched_setaffinity + { __NR_sched_setaffinity, "sched_setaffinity" }, +#endif +#ifdef __NR_sched_setparam + { __NR_sched_setparam, "sched_setparam" }, +#endif +#ifdef __NR_sched_setscheduler + { __NR_sched_setscheduler, "sched_setscheduler" }, +#endif +#ifdef __NR_sched_yield + { __NR_sched_yield, "sched_yield" }, +#endif +#ifdef __NR_security + { __NR_security, "security" }, +#endif +#ifdef __NR_select + { __NR_select, "select" }, +#endif +#ifdef __NR_semctl + { __NR_semctl, "semctl" }, +#endif +#ifdef __NR_semget + { __NR_semget, "semget" }, +#endif +#ifdef __NR_semop + { __NR_semop, "semop" }, +#endif +#ifdef __NR_semtimedop + { __NR_semtimedop, "semtimedop" }, +#endif +#ifdef __NR_sendfile + { __NR_sendfile, "sendfile" }, +#endif +#ifdef __NR_sendfile64 + { __NR_sendfile64, "sendfile64" }, +#endif +#ifdef __NR_sendmmsg + { __NR_sendmmsg, "sendmmsg" }, +#endif +#ifdef __NR_sendmsg + { __NR_sendmsg, "sendmsg" }, +#endif +#ifdef __NR_sendto + { __NR_sendto, "sendto" }, +#endif +#ifdef __NR_set_mempolicy + { __NR_set_mempolicy, "set_mempolicy" }, +#endif +#ifdef __NR_set_robust_list + { __NR_set_robust_list, "set_robust_list" }, +#endif +#ifdef __NR_set_thread_area + { __NR_set_thread_area, "set_thread_area" }, +#endif +#ifdef __NR_set_tid_address + { __NR_set_tid_address, "set_tid_address" }, +#endif +#ifdef __NR_setdomainname + { __NR_setdomainname, "setdomainname" }, +#endif +#ifdef __NR_setfsgid + { __NR_setfsgid, "setfsgid" }, +#endif +#ifdef __NR_setfsgid32 + { __NR_setfsgid32, "setfsgid32" }, +#endif +#ifdef __NR_setfsuid + { __NR_setfsuid, "setfsuid" }, +#endif +#ifdef __NR_setfsuid32 + { __NR_setfsuid32, "setfsuid32" }, +#endif +#ifdef __NR_setgid + { __NR_setgid, "setgid" }, +#endif +#ifdef __NR_setgid32 + { __NR_setgid32, "setgid32" }, +#endif +#ifdef __NR_setgroups + { __NR_setgroups, "setgroups" }, +#endif +#ifdef __NR_setgroups32 + { __NR_setgroups32, "setgroups32" }, +#endif +#ifdef __NR_sethostname + { __NR_sethostname, "sethostname" }, +#endif +#ifdef __NR_setitimer + { __NR_setitimer, "setitimer" }, +#endif +#ifdef __NR_setns + { __NR_setns, "setns" }, +#endif +#ifdef __NR_setpgid + { __NR_setpgid, "setpgid" }, +#endif +#ifdef __NR_setpriority + { __NR_setpriority, "setpriority" }, +#endif +#ifdef __NR_setregid + { __NR_setregid, "setregid" }, +#endif +#ifdef __NR_setregid32 + { __NR_setregid32, "setregid32" }, +#endif +#ifdef __NR_setresgid + { __NR_setresgid, "setresgid" }, +#endif +#ifdef __NR_setresgid32 + { __NR_setresgid32, "setresgid32" }, +#endif +#ifdef __NR_setresuid + { __NR_setresuid, "setresuid" }, +#endif +#ifdef __NR_setresuid32 + { __NR_setresuid32, "setresuid32" }, +#endif +#ifdef __NR_setreuid + { __NR_setreuid, "setreuid" }, +#endif +#ifdef __NR_setreuid32 + { __NR_setreuid32, "setreuid32" }, +#endif +#ifdef __NR_setrlimit + { __NR_setrlimit, "setrlimit" }, +#endif +#ifdef __NR_setsid + { __NR_setsid, "setsid" }, +#endif +#ifdef __NR_setsockopt + { __NR_setsockopt, "setsockopt" }, +#endif +#ifdef __NR_settimeofday + { __NR_settimeofday, "settimeofday" }, +#endif +#ifdef __NR_setuid + { __NR_setuid, "setuid" }, +#endif +#ifdef __NR_setuid32 + { __NR_setuid32, "setuid32" }, +#endif +#ifdef __NR_setxattr + { __NR_setxattr, "setxattr" }, +#endif +#ifdef __NR_sgetmask + { __NR_sgetmask, "sgetmask" }, +#endif +#ifdef __NR_shmat + { __NR_shmat, "shmat" }, +#endif +#ifdef __NR_shmctl + { __NR_shmctl, "shmctl" }, +#endif +#ifdef __NR_shmdt + { __NR_shmdt, "shmdt" }, +#endif +#ifdef __NR_shmget + { __NR_shmget, "shmget" }, +#endif +#ifdef __NR_shutdown + { __NR_shutdown, "shutdown" }, +#endif +#ifdef __NR_sigaction + { __NR_sigaction, "sigaction" }, +#endif +#ifdef __NR_sigaltstack + { __NR_sigaltstack, "sigaltstack" }, +#endif +#ifdef __NR_signal + { __NR_signal, "signal" }, +#endif +#ifdef __NR_signalfd + { __NR_signalfd, "signalfd" }, +#endif +#ifdef __NR_signalfd4 + { __NR_signalfd4, "signalfd4" }, +#endif +#ifdef __NR_sigpending + { __NR_sigpending, "sigpending" }, +#endif +#ifdef __NR_sigprocmask + { __NR_sigprocmask, "sigprocmask" }, +#endif +#ifdef __NR_sigreturn + { __NR_sigreturn, "sigreturn" }, +#endif +#ifdef __NR_sigsuspend + { __NR_sigsuspend, "sigsuspend" }, +#endif +#ifdef __NR_socket + { __NR_socket, "socket" }, +#endif +#ifdef __NR_socketcall + { __NR_socketcall, "socketcall" }, +#endif +#ifdef __NR_socketpair + { __NR_socketpair, "socketpair" }, +#endif +#ifdef __NR_splice + { __NR_splice, "splice" }, +#endif +#ifdef __NR_ssetmask + { __NR_ssetmask, "ssetmask" }, +#endif +#ifdef __NR_stat + { __NR_stat, "stat" }, +#endif +#ifdef __NR_stat64 + { __NR_stat64, "stat64" }, +#endif +#ifdef __NR_statfs + { __NR_statfs, "statfs" }, +#endif +#ifdef __NR_statfs64 + { __NR_statfs64, "statfs64" }, +#endif +#ifdef __NR_stime + { __NR_stime, "stime" }, +#endif +#ifdef __NR_stty + { __NR_stty, "stty" }, +#endif +#ifdef __NR_swapoff + { __NR_swapoff, "swapoff" }, +#endif +#ifdef __NR_swapon + { __NR_swapon, "swapon" }, +#endif +#ifdef __NR_symlink + { __NR_symlink, "symlink" }, +#endif +#ifdef __NR_symlinkat + { __NR_symlinkat, "symlinkat" }, +#endif +#ifdef __NR_sync + { __NR_sync, "sync" }, +#endif +#ifdef __NR_sync_file_range + { __NR_sync_file_range, "sync_file_range" }, +#endif +#ifdef __NR_syncfs + { __NR_syncfs, "syncfs" }, +#endif +#ifdef __NR_sysfs + { __NR_sysfs, "sysfs" }, +#endif +#ifdef __NR_sysinfo + { __NR_sysinfo, "sysinfo" }, +#endif +#ifdef __NR_syslog + { __NR_syslog, "syslog" }, +#endif +#ifdef __NR_tee + { __NR_tee, "tee" }, +#endif +#ifdef __NR_tgkill + { __NR_tgkill, "tgkill" }, +#endif +#ifdef __NR_time + { __NR_time, "time" }, +#endif +#ifdef __NR_timer_create + { __NR_timer_create, "timer_create" }, +#endif +#ifdef __NR_timer_delete + { __NR_timer_delete, "timer_delete" }, +#endif +#ifdef __NR_timer_getoverrun + { __NR_timer_getoverrun, "timer_getoverrun" }, +#endif +#ifdef __NR_timer_gettime + { __NR_timer_gettime, "timer_gettime" }, +#endif +#ifdef __NR_timer_settime + { __NR_timer_settime, "timer_settime" }, +#endif +#ifdef __NR_timerfd_create + { __NR_timerfd_create, "timerfd_create" }, +#endif +#ifdef __NR_timerfd_gettime + { __NR_timerfd_gettime, "timerfd_gettime" }, +#endif +#ifdef __NR_timerfd_settime + { __NR_timerfd_settime, "timerfd_settime" }, +#endif +#ifdef __NR_times + { __NR_times, "times" }, +#endif +#ifdef __NR_tkill + { __NR_tkill, "tkill" }, +#endif +#ifdef __NR_truncate + { __NR_truncate, "truncate" }, +#endif +#ifdef __NR_truncate64 + { __NR_truncate64, "truncate64" }, +#endif +#ifdef __NR_tuxcall + { __NR_tuxcall, "tuxcall" }, +#endif +#ifdef __NR_ugetrlimit + { __NR_ugetrlimit, "ugetrlimit" }, +#endif +#ifdef __NR_ulimit + { __NR_ulimit, "ulimit" }, +#endif +#ifdef __NR_umask + { __NR_umask, "umask" }, +#endif +#ifdef __NR_umount + { __NR_umount, "umount" }, +#endif +#ifdef __NR_umount2 + { __NR_umount2, "umount2" }, +#endif +#ifdef __NR_uname + { __NR_uname, "uname" }, +#endif +#ifdef __NR_unlink + { __NR_unlink, "unlink" }, +#endif +#ifdef __NR_unlinkat + { __NR_unlinkat, "unlinkat" }, +#endif +#ifdef __NR_unshare + { __NR_unshare, "unshare" }, +#endif +#ifdef __NR_uselib + { __NR_uselib, "uselib" }, +#endif +#ifdef __NR_ustat + { __NR_ustat, "ustat" }, +#endif +#ifdef __NR_utime + { __NR_utime, "utime" }, +#endif +#ifdef __NR_utimensat + { __NR_utimensat, "utimensat" }, +#endif +#ifdef __NR_utimes + { __NR_utimes, "utimes" }, +#endif +#ifdef __NR_vfork + { __NR_vfork, "vfork" }, +#endif +#ifdef __NR_vhangup + { __NR_vhangup, "vhangup" }, +#endif +#ifdef __NR_vm86 + { __NR_vm86, "vm86" }, +#endif +#ifdef __NR_vm86old + { __NR_vm86old, "vm86old" }, +#endif +#ifdef __NR_vmsplice + { __NR_vmsplice, "vmsplice" }, +#endif +#ifdef __NR_vserver + { __NR_vserver, "vserver" }, +#endif +#ifdef __NR_wait4 + { __NR_wait4, "wait4" }, +#endif +#ifdef __NR_waitid + { __NR_waitid, "waitid" }, +#endif +#ifdef __NR_waitpid + { __NR_waitpid, "waitpid" }, +#endif +#ifdef __NR_write + { __NR_write, "write" }, +#endif +#ifdef __NR_writev + { __NR_writev, "writev" }, +#endif + {0, NULL} +}; + diff --git a/src/common/log.c b/src/common/log.c index a837cf86a..592dc2c5d 100644 --- a/src/common/log.c +++ b/src/common/log.c @@ -147,9 +147,6 @@ static INLINE char *format_msg(char *buf, size_t buf_len, const char *suffix, const char *format, va_list ap, size_t *msg_len_out) CHECK_PRINTF(7,0); -static void logv(int severity, log_domain_mask_t domain, const char *funcname, - const char *suffix, const char *format, va_list ap) - CHECK_PRINTF(5,0); /** Name of the application: used to generate the message we write at the * start of each new log. */ @@ -336,9 +333,9 @@ format_msg(char *buf, size_t buf_len, * <b>severity</b>. If provided, <b>funcname</b> is prepended to the * message. The actual message is derived as from tor_snprintf(format,ap). */ -static void -logv(int severity, log_domain_mask_t domain, const char *funcname, - const char *suffix, const char *format, va_list ap) +MOCK_IMPL(STATIC void, +logv,(int severity, log_domain_mask_t domain, const char *funcname, + const char *suffix, const char *format, va_list ap)) { char buf[10024]; size_t msg_len = 0; diff --git a/src/common/sandbox.c b/src/common/sandbox.c index 577528988..4ce9aa920 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -27,6 +27,7 @@ #include <stdlib.h> #include "sandbox.h" +#include "container.h" #include "torlog.h" #include "torint.h" #include "util.h" @@ -46,7 +47,6 @@ #include <sys/prctl.h> #include <linux/futex.h> #include <bits/signum.h> -#include <event2/event.h> #include <stdarg.h> #include <seccomp.h> @@ -56,6 +56,17 @@ #include <time.h> #include <poll.h> +#if defined(HAVE_EXECINFO_H) && defined(HAVE_BACKTRACE) && \ + defined(HAVE_BACKTRACE_SYMBOLS_FD) && defined(HAVE_SIGACTION) +#define USE_BACKTRACE +#define EXPOSE_CLEAN_BACKTRACE +#include "backtrace.h" +#endif + +#ifdef USE_BACKTRACE +#include <execinfo.h> +#endif + /**Determines if at least one sandbox is active.*/ static int sandbox_active = 0; /** Holds the parameter list configuration for the sandbox.*/ @@ -65,6 +76,13 @@ static sb_addr_info_t *sb_addr_info = NULL; #undef SCMP_CMP #define SCMP_CMP(a,b,c) ((struct scmp_arg_cmp){(a),(b),(c),0}) +#define SCMP_CMP4(a,b,c,d) ((struct scmp_arg_cmp){(a),(b),(c),(d)}) +/* We use a wrapper here because these masked comparisons seem to be pretty + * verbose. Also, it's important to cast to scmp_datum_t before negating the + * mask, since otherwise the negation might get applied to a 32 bit value, and + * the high bits of the value might get masked out improperly. */ +#define SCMP_CMP_MASKED(a,b,c) \ + SCMP_CMP4((a), SCMP_CMP_MASKED_EQ, ~(scmp_datum_t)(b), (c)) /** Variable used for storing all syscall numbers that will be allowed with the * stage 1 general Tor sandbox. @@ -110,7 +128,6 @@ static int filter_nopar_gen[] = { SCMP_SYS(mmap), SCMP_SYS(munmap), SCMP_SYS(read), - SCMP_SYS(rename), SCMP_SYS(rt_sigreturn), SCMP_SYS(set_robust_list), #ifdef __NR_sigreturn @@ -119,6 +136,7 @@ static int filter_nopar_gen[] = { SCMP_SYS(stat), SCMP_SYS(uname), SCMP_SYS(write), + SCMP_SYS(writev), SCMP_SYS(exit_group), SCMP_SYS(exit), @@ -147,6 +165,19 @@ static int filter_nopar_gen[] = { SCMP_SYS(unlink) }; +/* These macros help avoid the error where the number of filters we add on a + * single rule don't match the arg_cnt param. */ +#define seccomp_rule_add_0(ctx,act,call) \ + seccomp_rule_add((ctx),(act),(call),0) +#define seccomp_rule_add_1(ctx,act,call,f1) \ + seccomp_rule_add((ctx),(act),(call),1,(f1)) +#define seccomp_rule_add_2(ctx,act,call,f1,f2) \ + seccomp_rule_add((ctx),(act),(call),2,(f1),(f2)) +#define seccomp_rule_add_3(ctx,act,call,f1,f2,f3) \ + seccomp_rule_add((ctx),(act),(call),3,(f1),(f2),(f3)) +#define seccomp_rule_add_4(ctx,act,call,f1,f2,f3,f4) \ + seccomp_rule_add((ctx),(act),(call),4,(f1),(f2),(f3),(f4)) + /** * Function responsible for setting up the rt_sigaction syscall for * the seccomp filter sandbox. @@ -164,7 +195,7 @@ sb_rt_sigaction(scmp_filter_ctx ctx, sandbox_cfg_t *filter) (void) filter; for (i = 0; i < ARRAY_LENGTH(param); i++) { - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigaction), SCMP_CMP(0, SCMP_CMP_EQ, param[i])); if (rc) break; @@ -185,11 +216,11 @@ sb_execve(scmp_filter_ctx ctx, sandbox_cfg_t *filter) // for each dynamic parameter filters for (elem = filter; elem != NULL; elem = elem->next) { - smp_param_t *param = (smp_param_t*) elem->param; + smp_param_t *param = elem->param; if (param != NULL && param->prot == 1 && param->syscall == SCMP_SYS(execve)) { - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(execve), SCMP_CMP(0, SCMP_CMP_EQ, param->value)); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add execve syscall, received " @@ -210,7 +241,7 @@ static int sb_time(scmp_filter_ctx ctx, sandbox_cfg_t *filter) { (void) filter; - return seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time), 1, + return seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(time), SCMP_CMP(0, SCMP_CMP_EQ, 0)); } @@ -225,15 +256,15 @@ sb_accept4(scmp_filter_ctx ctx, sandbox_cfg_t *filter) (void)filter; #ifdef __i386__ - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketcall), SCMP_CMP(0, SCMP_CMP_EQ, 18)); if (rc) { return rc; } #endif - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), 1, - SCMP_CMP(3, SCMP_CMP_EQ, SOCK_CLOEXEC)); + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(accept4), + SCMP_CMP_MASKED(3, SOCK_CLOEXEC|SOCK_NONBLOCK, 0)); if (rc) { return rc; } @@ -252,49 +283,49 @@ sb_mmap2(scmp_filter_ctx ctx, sandbox_cfg_t *filter) int rc = 0; (void)filter; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ), SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE)); if (rc) { return rc; } - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE), SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE)); if (rc) { return rc; } - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE), SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_ANONYMOUS)); if (rc) { return rc; } - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE), SCMP_CMP(3, SCMP_CMP_EQ,MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK)); if (rc) { return rc; } - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE), SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE)); if (rc) { return rc; } - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE), SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS)); if (rc) { return rc; } - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap2), SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_EXEC), SCMP_CMP(3, SCMP_CMP_EQ, MAP_PRIVATE|MAP_DENYWRITE)); if (rc) { @@ -321,7 +352,7 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) if (param != NULL && param->prot == 1 && param->syscall == SCMP_SYS(open)) { - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), SCMP_CMP(0, SCMP_CMP_EQ, param->value)); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add open syscall, received " @@ -331,8 +362,8 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) } } - rc = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(-1), SCMP_SYS(open), 1, - SCMP_CMP(1, SCMP_CMP_EQ, O_RDONLY|O_CLOEXEC)); + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open), + SCMP_CMP_MASKED(1, O_CLOEXEC|O_NONBLOCK|O_NOCTTY, O_RDONLY)); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add open syscall, received libseccomp " "error %d", rc); @@ -342,6 +373,54 @@ sb_open(scmp_filter_ctx ctx, sandbox_cfg_t *filter) return 0; } +static int +sb__sysctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +{ + int rc; + (void) filter; + (void) ctx; + + rc = seccomp_rule_add_0(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(_sysctl)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add _sysctl syscall, " + "received libseccomp error %d", rc); + return rc; + } + + return 0; +} + +/** + * Function responsible for setting up the rename syscall for + * the seccomp filter sandbox. + */ +static int +sb_rename(scmp_filter_ctx ctx, sandbox_cfg_t *filter) +{ + int rc; + sandbox_cfg_t *elem = NULL; + + // for each dynamic parameter filters + for (elem = filter; elem != NULL; elem = elem->next) { + smp_param_t *param = elem->param; + + if (param != NULL && param->prot == 1 && + param->syscall == SCMP_SYS(rename)) { + + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rename), + SCMP_CMP(0, SCMP_CMP_EQ, param->value), + SCMP_CMP(1, SCMP_CMP_EQ, param->value2)); + if (rc != 0) { + log_err(LD_BUG,"(Sandbox) failed to add rename syscall, received " + "libseccomp error %d", rc); + return rc; + } + } + } + + return 0; +} + /** * Function responsible for setting up the openat syscall for * the seccomp filter sandbox. @@ -358,7 +437,7 @@ sb_openat(scmp_filter_ctx ctx, sandbox_cfg_t *filter) if (param != NULL && param->prot == 1 && param->syscall == SCMP_SYS(openat)) { - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1, + rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD), SCMP_CMP(1, SCMP_CMP_EQ, param->value), SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY| @@ -382,43 +461,40 @@ static int sb_socket(scmp_filter_ctx ctx, sandbox_cfg_t *filter) { int rc = 0; + int i; (void) filter; #ifdef __i386__ - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 0); + rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket)); if (rc) return rc; #endif - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE), - SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK), - SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP)); + SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM)); if (rc) return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3, - SCMP_CMP(0, SCMP_CMP_EQ, PF_INET), - SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC), - SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP)); - if (rc) - return rc; + for (i = 0; i < 2; ++i) { + const int pf = i ? PF_INET : PF_INET6; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3, - SCMP_CMP(0, SCMP_CMP_EQ, PF_INET), - SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK), + rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), + SCMP_CMP(0, SCMP_CMP_EQ, pf), + SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_STREAM), SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_TCP)); - if (rc) - return rc; + if (rc) + return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3, - SCMP_CMP(0, SCMP_CMP_EQ, PF_INET), - SCMP_CMP(1, SCMP_CMP_EQ, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK), + rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), + SCMP_CMP(0, SCMP_CMP_EQ, pf), + SCMP_CMP_MASKED(1, SOCK_CLOEXEC|SOCK_NONBLOCK, SOCK_DGRAM), SCMP_CMP(2, SCMP_CMP_EQ, IPPROTO_IP)); - if (rc) - return rc; + if (rc) + return rc; + } - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 3, + rc = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), SCMP_CMP(0, SCMP_CMP_EQ, PF_NETLINK), SCMP_CMP(1, SCMP_CMP_EQ, SOCK_RAW), SCMP_CMP(2, SCMP_CMP_EQ, 0)); @@ -439,12 +515,12 @@ sb_socketpair(scmp_filter_ctx ctx, sandbox_cfg_t *filter) (void) filter; #ifdef __i386__ - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 0); + rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair)); if (rc) return rc; #endif - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), SCMP_CMP(0, SCMP_CMP_EQ, PF_FILE), SCMP_CMP(1, SCMP_CMP_EQ, SOCK_STREAM|SOCK_CLOEXEC)); if (rc) @@ -464,19 +540,19 @@ sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter) (void) filter; #ifdef __i386__ - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0); + rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt)); if (rc) return rc; #endif - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET), SCMP_CMP(2, SCMP_CMP_EQ, SO_REUSEADDR)); if (rc) return rc; #ifdef IP_TRANSPARENT - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP), SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT)); if (rc) @@ -497,12 +573,12 @@ sb_getsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter) (void) filter; #ifdef __i386__ - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 0); + rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt)); if (rc) return rc; #endif - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getsockopt), SCMP_CMP(1, SCMP_CMP_EQ, SOL_SOCKET), SCMP_CMP(2, SCMP_CMP_EQ, SO_ERROR)); if (rc) @@ -522,23 +598,23 @@ sb_fcntl64(scmp_filter_ctx ctx, sandbox_cfg_t *filter) int rc = 0; (void) filter; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), SCMP_CMP(1, SCMP_CMP_EQ, F_GETFL)); if (rc) return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), SCMP_CMP(1, SCMP_CMP_EQ, F_SETFL), SCMP_CMP(2, SCMP_CMP_EQ, O_RDWR|O_NONBLOCK)); if (rc) return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), SCMP_CMP(1, SCMP_CMP_EQ, F_GETFD)); if (rc) return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fcntl64), SCMP_CMP(1, SCMP_CMP_EQ, F_SETFD), SCMP_CMP(2, SCMP_CMP_EQ, FD_CLOEXEC)); if (rc) @@ -560,17 +636,17 @@ sb_epoll_ctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter) int rc = 0; (void) filter; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_ADD)); if (rc) return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_MOD)); if (rc) return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(epoll_ctl), SCMP_CMP(1, SCMP_CMP_EQ, EPOLL_CTL_DEL)); if (rc) return rc; @@ -591,7 +667,7 @@ sb_prctl(scmp_filter_ctx ctx, sandbox_cfg_t *filter) int rc = 0; (void) filter; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(prctl), SCMP_CMP(0, SCMP_CMP_EQ, PR_SET_DUMPABLE)); if (rc) return rc; @@ -612,12 +688,12 @@ sb_mprotect(scmp_filter_ctx ctx, sandbox_cfg_t *filter) int rc = 0; (void) filter; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ)); if (rc) return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), SCMP_CMP(2, SCMP_CMP_EQ, PROT_NONE)); if (rc) return rc; @@ -635,12 +711,12 @@ sb_rt_sigprocmask(scmp_filter_ctx ctx, sandbox_cfg_t *filter) int rc = 0; (void) filter; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), SCMP_CMP(0, SCMP_CMP_EQ, SIG_UNBLOCK)); if (rc) return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask), SCMP_CMP(0, SCMP_CMP_EQ, SIG_SETMASK)); if (rc) return rc; @@ -660,12 +736,12 @@ sb_flock(scmp_filter_ctx ctx, sandbox_cfg_t *filter) int rc = 0; (void) filter; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock), SCMP_CMP(1, SCMP_CMP_EQ, LOCK_EX|LOCK_NB)); if (rc) return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(flock), SCMP_CMP(1, SCMP_CMP_EQ, LOCK_UN)); if (rc) return rc; @@ -684,18 +760,18 @@ sb_futex(scmp_filter_ctx ctx, sandbox_cfg_t *filter) (void) filter; // can remove - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME)); if (rc) return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAKE_PRIVATE)); if (rc) return rc; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(futex), SCMP_CMP(1, SCMP_CMP_EQ, FUTEX_WAIT_PRIVATE)); if (rc) return rc; @@ -715,7 +791,7 @@ sb_mremap(scmp_filter_ctx ctx, sandbox_cfg_t *filter) int rc = 0; (void) filter; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mremap), SCMP_CMP(3, SCMP_CMP_EQ, MREMAP_MAYMOVE)); if (rc) return rc; @@ -733,7 +809,7 @@ sb_poll(scmp_filter_ctx ctx, sandbox_cfg_t *filter) int rc = 0; (void) filter; - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), 2, + rc = seccomp_rule_add_2(ctx, SCMP_ACT_ALLOW, SCMP_SYS(poll), SCMP_CMP(1, SCMP_CMP_EQ, 1), SCMP_CMP(2, SCMP_CMP_EQ, 10)); if (rc) @@ -759,7 +835,7 @@ sb_stat64(scmp_filter_ctx ctx, sandbox_cfg_t *filter) if (param != NULL && param->prot == 1 && (param->syscall == SCMP_SYS(open) || param->syscall == SCMP_SYS(stat64))) { - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64), 1, + rc = seccomp_rule_add_1(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat64), SCMP_CMP(0, SCMP_CMP_EQ, param->value)); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add open syscall, received " @@ -788,6 +864,8 @@ static sandbox_filter_func_t filter_func[] = { #endif sb_open, sb_openat, + sb__sysctl, + sb_rename, #ifdef __NR_fcntl64 sb_fcntl64, #endif @@ -808,7 +886,7 @@ static sandbox_filter_func_t filter_func[] = { sb_socketpair }; -const char* +const char * sandbox_intern_string(const char *str) { sandbox_cfg_t *elem; @@ -819,15 +897,65 @@ sandbox_intern_string(const char *str) for (elem = filter_dynamic; elem != NULL; elem = elem->next) { smp_param_t *param = elem->param; - if (param->prot && !strcmp(str, (char*)(param->value))) { - return (char*)(param->value); + if (param->prot) { + if (!strcmp(str, (char*)(param->value))) { + return (char*)param->value; + } + if (param->value2 && !strcmp(str, (char*)param->value2)) { + return (char*)param->value2; + } } } - log_info(LD_GENERAL, "(Sandbox) Parameter %s not found", str); + if (sandbox_active) + log_warn(LD_BUG, "No interned sandbox parameter found for %s", str); return str; } +/** DOCDOC */ +static int +prot_strings_helper(strmap_t *locations, + char **pr_mem_next_p, + size_t *pr_mem_left_p, + intptr_t *value_p) +{ + char *param_val; + size_t param_size; + void *location; + + if (*value_p == 0) + return 0; + + param_val = (char*) *value_p; + param_size = strlen(param_val) + 1; + location = strmap_get(locations, param_val); + + if (location) { + // We already interned this string. + tor_free(param_val); + *value_p = (intptr_t) location; + return 0; + } else if (*pr_mem_left_p >= param_size) { + // copy to protected + location = *pr_mem_next_p; + memcpy(location, param_val, param_size); + + // re-point el parameter to protected + tor_free(param_val); + *value_p = (intptr_t) location; + + strmap_set(locations, location, location); /* good real estate advice */ + + // move next available protected memory + *pr_mem_next_p += param_size; + *pr_mem_left_p -= param_size; + return 0; + } else { + log_err(LD_BUG,"(Sandbox) insufficient protected memory!"); + return -1; + } +} + /** * Protects all the strings in the sandbox's parameter list configuration. It * works by calculating the total amount of memory required by the parameter @@ -841,10 +969,13 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) size_t pr_mem_size = 0, pr_mem_left = 0; char *pr_mem_next = NULL, *pr_mem_base; sandbox_cfg_t *el = NULL; + strmap_t *locations = NULL; - // get total number of bytes required to mmap + // get total number of bytes required to mmap. (Overestimate.) for (el = cfg; el != NULL; el = el->next) { - pr_mem_size += strlen((char*) ((smp_param_t*)el->param)->value) + 1; + pr_mem_size += strlen((char*) el->param->value) + 1; + if (el->param->value2) + pr_mem_size += strlen((char*) el->param->value2) + 1; } // allocate protected memory with MALLOC_MP_LIM canary @@ -860,31 +991,21 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) pr_mem_next = pr_mem_base + MALLOC_MP_LIM; pr_mem_left = pr_mem_size; + locations = strmap_new(); + // change el value pointer to protected for (el = cfg; el != NULL; el = el->next) { - char *param_val = (char*)((smp_param_t *)el->param)->value; - size_t param_size = strlen(param_val) + 1; - - if (pr_mem_left >= param_size) { - // copy to protected - memcpy(pr_mem_next, param_val, param_size); - - // re-point el parameter to protected - { - void *old_val = (void *) ((smp_param_t*)el->param)->value; - tor_free(old_val); - } - ((smp_param_t*)el->param)->value = (intptr_t) pr_mem_next; - ((smp_param_t*)el->param)->prot = 1; - - // move next available protected memory - pr_mem_next += param_size; - pr_mem_left -= param_size; - } else { - log_err(LD_BUG,"(Sandbox) insufficient protected memory!"); + if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left, + &el->param->value) < 0) { ret = -2; goto out; } + if (prot_strings_helper(locations, &pr_mem_next, &pr_mem_left, + &el->param->value2) < 0) { + ret = -2; + goto out; + } + el->param->prot = 1; } // protecting from writes @@ -899,7 +1020,7 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) * Setting sandbox restrictions so the string memory cannot be tampered with */ // no mremap of the protected base address - ret = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap), 1, + ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(mremap), SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base)); if (ret) { log_err(LD_BUG,"(Sandbox) mremap protected memory filter fail!"); @@ -907,7 +1028,7 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) } // no munmap of the protected base address - ret = seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap), 1, + ret = seccomp_rule_add_1(ctx, SCMP_ACT_KILL, SCMP_SYS(munmap), SCMP_CMP(0, SCMP_CMP_EQ, (intptr_t) pr_mem_base)); if (ret) { log_err(LD_BUG,"(Sandbox) munmap protected memory filter fail!"); @@ -924,7 +1045,7 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) * There is a restriction on how much you can mprotect with R|W up to the * size of the canary. */ - ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 2, + ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), SCMP_CMP(0, SCMP_CMP_LT, (intptr_t) pr_mem_base), SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM), SCMP_CMP(2, SCMP_CMP_EQ, PROT_READ|PROT_WRITE)); @@ -933,7 +1054,7 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) return ret; } - ret = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), 2, + ret = seccomp_rule_add_3(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mprotect), SCMP_CMP(0, SCMP_CMP_GT, (intptr_t) pr_mem_base + pr_mem_size + MALLOC_MP_LIM), SCMP_CMP(1, SCMP_CMP_LE, MALLOC_MP_LIM), @@ -944,7 +1065,8 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) } out: - return ret; + strmap_free(locations, NULL); + return ret; } /** @@ -954,22 +1076,27 @@ prot_strings(scmp_filter_ctx ctx, sandbox_cfg_t* cfg) * point. */ static sandbox_cfg_t* -new_element(int syscall, int index, intptr_t value) +new_element2(int syscall, intptr_t value, intptr_t value2) { smp_param_t *param = NULL; - sandbox_cfg_t *elem = tor_malloc(sizeof(sandbox_cfg_t)); - elem->param = tor_malloc(sizeof(smp_param_t)); + sandbox_cfg_t *elem = tor_malloc_zero(sizeof(sandbox_cfg_t)); + param = elem->param = tor_malloc_zero(sizeof(smp_param_t)); - param = elem->param; param->syscall = syscall; - param->pindex = index; param->value = value; + param->value2 = value2; param->prot = 0; return elem; } +static sandbox_cfg_t* +new_element(int syscall, intptr_t value) +{ + return new_element2(syscall, value, 0); +} + #ifdef __NR_stat64 #define SCMP_stat SCMP_SYS(stat64) #else @@ -977,11 +1104,11 @@ new_element(int syscall, int index, intptr_t value) #endif int -sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file, int fr) +sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file) { sandbox_cfg_t *elem = NULL; - elem = new_element(SCMP_stat, 0, (intptr_t)(void*) tor_strdup(file)); + elem = new_element(SCMP_stat, (intptr_t)(void*) file); if (!elem) { log_err(LD_BUG,"(Sandbox) failed to register parameter!"); return -1; @@ -990,7 +1117,6 @@ sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file, int fr) elem->next = *cfg; *cfg = elem; - if (fr) tor_free(file); return 0; } @@ -1004,9 +1130,7 @@ sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...) va_start(ap, cfg); while ((fn = va_arg(ap, char*)) != NULL) { - int fr = va_arg(ap, int); - - rc = sandbox_cfg_allow_stat_filename(cfg, fn, fr); + rc = sandbox_cfg_allow_stat_filename(cfg, fn); if (rc) { log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_stat_filename_array fail"); goto end; @@ -1019,11 +1143,11 @@ sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...) } int -sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, int fr) +sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file) { sandbox_cfg_t *elem = NULL; - elem = new_element(SCMP_SYS(open), 0, (intptr_t)(void *)tor_strdup(file)); + elem = new_element(SCMP_SYS(open), (intptr_t)(void *) file); if (!elem) { log_err(LD_BUG,"(Sandbox) failed to register parameter!"); return -1; @@ -1032,7 +1156,25 @@ sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, int fr) elem->next = *cfg; *cfg = elem; - if (fr) tor_free(file); + return 0; +} + +int +sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2) +{ + sandbox_cfg_t *elem = NULL; + + elem = new_element2(SCMP_SYS(rename), + (intptr_t)(void *) file1, + (intptr_t)(void *) file2); + + if (!elem) { + log_err(LD_BUG,"(Sandbox) failed to register parameter!"); + return -1; + } + + elem->next = *cfg; + *cfg = elem; return 0; } @@ -1047,9 +1189,7 @@ sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, ...) va_start(ap, cfg); while ((fn = va_arg(ap, char*)) != NULL) { - int fr = va_arg(ap, int); - - rc = sandbox_cfg_allow_open_filename(cfg, fn, fr); + rc = sandbox_cfg_allow_open_filename(cfg, fn); if (rc) { log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_open_filename_array fail"); goto end; @@ -1062,11 +1202,11 @@ sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, ...) } int -sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, int fr) +sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file) { sandbox_cfg_t *elem = NULL; - elem = new_element(SCMP_SYS(openat), 1, (intptr_t)(void *)tor_strdup(file)); + elem = new_element(SCMP_SYS(openat), (intptr_t)(void *) file); if (!elem) { log_err(LD_BUG,"(Sandbox) failed to register parameter!"); return -1; @@ -1075,8 +1215,6 @@ sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, int fr) elem->next = *cfg; *cfg = elem; - if (fr) tor_free(file); - return 0; } @@ -1090,9 +1228,7 @@ sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, ...) va_start(ap, cfg); while ((fn = va_arg(ap, char*)) != NULL) { - int fr = va_arg(ap, int); - - rc = sandbox_cfg_allow_openat_filename(cfg, fn, fr); + rc = sandbox_cfg_allow_openat_filename(cfg, fn); if (rc) { log_err(LD_BUG,"(Sandbox) sandbox_cfg_allow_openat_filename_array fail"); goto end; @@ -1109,7 +1245,7 @@ sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com) { sandbox_cfg_t *elem = NULL; - elem = new_element(SCMP_SYS(execve), 1, (intptr_t)(void *)tor_strdup(com)); + elem = new_element(SCMP_SYS(execve), (intptr_t)(void *) com); if (!elem) { log_err(LD_BUG,"(Sandbox) failed to register parameter!"); return -1; @@ -1247,7 +1383,7 @@ add_noparam_filter(scmp_filter_ctx ctx) // add general filters for (i = 0; i < ARRAY_LENGTH(filter_nopar_gen); i++) { - rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i], 0); + rc = seccomp_rule_add_0(ctx, SCMP_ACT_ALLOW, filter_nopar_gen[i]); if (rc != 0) { log_err(LD_BUG,"(Sandbox) failed to add syscall index %d (NR=%d), " "received libseccomp error %d", i, filter_nopar_gen[i], rc); @@ -1307,6 +1443,29 @@ install_syscall_filter(sandbox_cfg_t* cfg) return (rc < 0 ? -rc : rc); } +#include "linux_syscalls.inc" +static const char * +get_syscall_name(int syscall_num) +{ + int i; + for (i = 0; SYSCALLS_BY_NUMBER[i].syscall_name; ++i) { + if (SYSCALLS_BY_NUMBER[i].syscall_num == syscall_num) + return SYSCALLS_BY_NUMBER[i].syscall_name; + } + + { + static char syscall_name_buf[64]; + format_dec_number_sigsafe(syscall_num, + syscall_name_buf, sizeof(syscall_name_buf)); + return syscall_name_buf; + } +} + +#ifdef USE_BACKTRACE +#define MAX_DEPTH 256 +static void *syscall_cb_buf[MAX_DEPTH]; +#endif + /** * Function called when a SIGSYS is caught by the application. It notifies the * user that an error has occurred and either terminates or allows the @@ -1316,8 +1475,14 @@ static void sigsys_debugging(int nr, siginfo_t *info, void *void_context) { ucontext_t *ctx = (ucontext_t *) (void_context); - char number[32]; + const char *syscall_name; int syscall; +#ifdef USE_BACKTRACE + int depth; + int n_fds, i; + const int *fds = NULL; +#endif + (void) nr; if (info->si_code != SYS_SECCOMP) @@ -1328,12 +1493,26 @@ sigsys_debugging(int nr, siginfo_t *info, void *void_context) syscall = (int) ctx->uc_mcontext.gregs[REG_SYSCALL]; - format_dec_number_sigsafe(syscall, number, sizeof(number)); +#ifdef USE_BACKTRACE + depth = backtrace(syscall_cb_buf, MAX_DEPTH); + /* Clean up the top stack frame so we get the real function + * name for the most recently failing function. */ + clean_backtrace(syscall_cb_buf, depth, ctx); +#endif + + syscall_name = get_syscall_name(syscall); + tor_log_err_sigsafe("(Sandbox) Caught a bad syscall attempt (syscall ", - number, + syscall_name, ")\n", NULL); +#ifdef USE_BACKTRACE + n_fds = tor_log_get_sigsafe_err_fds(&fds); + for (i=0; i < n_fds; ++i) + backtrace_symbols_fd(syscall_cb_buf, depth, fds[i]); +#endif + #if defined(DEBUGGING_CLOSE) _exit(1); #endif // DEBUGGING_CLOSE @@ -1385,7 +1564,8 @@ register_cfg(sandbox_cfg_t* cfg) return 0; } - for (elem = filter_dynamic; elem->next != NULL; elem = elem->next); + for (elem = filter_dynamic; elem->next != NULL; elem = elem->next) + ; elem->next = cfg; @@ -1414,6 +1594,11 @@ initialise_libseccomp_sandbox(sandbox_cfg_t* cfg) return 0; } +int +sandbox_is_active(void) +{ + return sandbox_active != 0; +} #endif // USE_LIBSECCOMP sandbox_cfg_t* @@ -1428,31 +1613,28 @@ sandbox_init(sandbox_cfg_t *cfg) #if defined(USE_LIBSECCOMP) return initialise_libseccomp_sandbox(cfg); -#elif defined(_WIN32) +#elif defined(__linux__) (void)cfg; - log_warn(LD_BUG,"Windows sandboxing is not implemented. The feature is " - "currently disabled."); + log_warn(LD_GENERAL, + "This version of Tor was built without support for sanboxing. To " + "build with support for sandboxing on Linux, you must have " + "libseccomp and its necessary header files (e.g. seccomp.h)."); return 0; -#elif defined(TARGET_OS_MAC) - (void)cfg; - log_warn(LD_BUG,"Mac OSX sandboxing is not implemented. The feature is " - "currently disabled"); - return 0; #else (void)cfg; - log_warn(LD_BUG,"Sandboxing is not implemented for your platform. The " - "feature is currently disabled"); + log_warn(LD_GENERAL, + "Currently, sandboxing is only implemented on Linux. The feature " + "is disabled on your platform."); return 0; #endif } #ifndef USE_LIBSECCOMP int -sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, - int fr) +sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file) { - (void)cfg; (void)file; (void)fr; + (void)cfg; (void)file; return 0; } @@ -1464,10 +1646,9 @@ sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, ...) } int -sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, - int fr) +sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file) { - (void)cfg; (void)file; (void)fr; + (void)cfg; (void)file; return 0; } @@ -1493,10 +1674,9 @@ sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...) } int -sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file, - int fr) +sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file) { - (void)cfg; (void)file; (void)fr; + (void)cfg; (void)file; return 0; } @@ -1506,5 +1686,18 @@ sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...) (void)cfg; return 0; } + +int +sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2) +{ + (void)cfg; (void)file1; (void)file2; + return 0; +} + +int +sandbox_is_active(void) +{ + return 0; +} #endif diff --git a/src/common/sandbox.h b/src/common/sandbox.h index d64d427d3..c40f5e0d1 100644 --- a/src/common/sandbox.h +++ b/src/common/sandbox.h @@ -65,10 +65,10 @@ typedef struct smp_param { /** syscall associated with parameter. */ int syscall; - /** parameter index. */ - int pindex; /** parameter value. */ intptr_t value; + /** parameter value, second argument. */ + intptr_t value2; /** parameter flag (0 = not protected, 1 = protected). */ int prot; @@ -85,7 +85,7 @@ struct sandbox_cfg_elem { SB_IMPL implem; /** Configuration parameter. */ - void *param; + smp_param_t *param; /** Next element of the configuration*/ struct sandbox_cfg_elem *next; @@ -167,81 +167,70 @@ sandbox_cfg_t * sandbox_cfg_new(void); /** * Function used to add a open allowed filename to a supplied configuration. - * The (char*) specifies the path to the allowed file, fr = 1 tells the - * function that the char* needs to be free-ed, 0 means the pointer does not - * need to be free-ed. + * The (char*) specifies the path to the allowed file; we take ownership + * of the pointer. */ -int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file, - int fr); +int sandbox_cfg_allow_open_filename(sandbox_cfg_t **cfg, char *file); + +/**DOCDOC*/ +int sandbox_cfg_allow_rename(sandbox_cfg_t **cfg, char *file1, char *file2); /** Function used to add a series of open allowed filenames to a supplied * configuration. * @param cfg sandbox configuration. - * @param ... all future parameters are specified as pairs of <(char*), 1 / 0> - * the char* specifies the path to the allowed file, 1 tells the function - * that the char* needs to be free-ed, 0 means the pointer does not need to - * be free-ed; the final parameter needs to be <NULL, 0>. - */ + * @param ... a list of stealable pointers to permitted files. The last + * one must be NULL. +*/ int sandbox_cfg_allow_open_filename_array(sandbox_cfg_t **cfg, ...); /** * Function used to add a openat allowed filename to a supplied configuration. - * The (char*) specifies the path to the allowed file, fr = 1 tells the - * function that the char* needs to be free-ed, 0 means the pointer does not - * need to be free-ed. + * The (char*) specifies the path to the allowed file; we steal the pointer to + * that file. */ -int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file, - int fr); +int sandbox_cfg_allow_openat_filename(sandbox_cfg_t **cfg, char *file); /** Function used to add a series of openat allowed filenames to a supplied * configuration. * @param cfg sandbox configuration. - * @param ... all future parameters are specified as pairs of <(char*), 1 / 0> - * the char* specifies the path to the allowed file, 1 tells the function - * that the char* needs to be free-ed, 0 means the pointer does not need to - * be free-ed; the final parameter needs to be <NULL, 0>. + * @param ... a list of stealable pointers to permitted files. The last + * one must be NULL. */ int sandbox_cfg_allow_openat_filename_array(sandbox_cfg_t **cfg, ...); /** * Function used to add a execve allowed filename to a supplied configuration. - * The (char*) specifies the path to the allowed file, fr = 1 tells the - * function that the char* needs to be free-ed, 0 means the pointer does not - * need to be free-ed. + * The (char*) specifies the path to the allowed file; that pointer is stolen. */ int sandbox_cfg_allow_execve(sandbox_cfg_t **cfg, const char *com); /** Function used to add a series of execve allowed filenames to a supplied * configuration. * @param cfg sandbox configuration. - * @param ... all future parameters are specified as pairs of <(char*), 1 / 0> - * the char* specifies the path to the allowed file, 1 tells the function - * that the char* needs to be free-ed, 0 means the pointer does not need to - * be free-ed; the final parameter needs to be <NULL, 0>. + * @param ... an array of stealable pointers to permitted files. The last + * one must be NULL. */ int sandbox_cfg_allow_execve_array(sandbox_cfg_t **cfg, ...); /** * Function used to add a stat/stat64 allowed filename to a configuration. - * The (char*) specifies the path to the allowed file, fr = 1 tells the - * function that the char* needs to be free-ed, 0 means the pointer does not - * need to be free-ed. + * The (char*) specifies the path to the allowed file; that pointer is stolen. */ -int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file, - int fr); +int sandbox_cfg_allow_stat_filename(sandbox_cfg_t **cfg, char *file); /** Function used to add a series of stat64 allowed filenames to a supplied * configuration. * @param cfg sandbox configuration. - * @param ... all future parameters are specified as pairs of <(char*), 1 / 0> - * the char* specifies the path to the allowed file, 1 tells the function - * that the char* needs to be free-ed, 0 means the pointer does not need to - * be free-ed; the final parameter needs to be <NULL, 0>. + * @param ... an array of stealable pointers to permitted files. The last + * one must be NULL. */ int sandbox_cfg_allow_stat_filename_array(sandbox_cfg_t **cfg, ...); /** Function used to initialise a sandbox configuration.*/ int sandbox_init(sandbox_cfg_t* cfg); +/** Return true iff the sandbox is turned on. */ +int sandbox_is_active(void); + #endif /* SANDBOX_H_ */ diff --git a/src/common/torlog.h b/src/common/torlog.h index d210c8b24..4493b251d 100644 --- a/src/common/torlog.h +++ b/src/common/torlog.h @@ -13,6 +13,7 @@ #ifndef TOR_TORLOG_H #include "compat.h" +#include "testsupport.h" #ifdef HAVE_SYSLOG_H #include <syslog.h> @@ -228,6 +229,12 @@ extern const char *log_fn_function_name_; #endif /* !GNUC */ +#ifdef LOG_PRIVATE +MOCK_DECL(STATIC void, logv, (int severity, log_domain_mask_t domain, + const char *funcname, const char *suffix, const char *format, + va_list ap) CHECK_PRINTF(5,0)); +#endif + # define TOR_TORLOG_H #endif diff --git a/src/common/tortls.c b/src/common/tortls.c index 9ba8fd683..a6444b818 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -712,31 +712,47 @@ tor_tls_create_certificate(crypto_pk_t *rsa, /** List of ciphers that servers should select from when we actually have * our choice of what cipher to use. */ const char UNRESTRICTED_SERVER_CIPHER_LIST[] = -#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CHC_SHA - TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":" -#endif + /* This list is autogenerated with the gen_server_ciphers.py script; + * don't hand-edit it. */ #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS1_TXT_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ":" #endif +#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ":" +#endif +#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 + TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384 ":" +#endif #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 ":" #endif +#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA + TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA ":" +#endif #ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA ":" #endif -#ifdef TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS1_TXT_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 + TLS1_TXT_DHE_RSA_WITH_AES_256_GCM_SHA384 ":" +#endif +#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 + TLS1_TXT_DHE_RSA_WITH_AES_128_GCM_SHA256 ":" #endif -//#if TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA -// TLS1_TXT_ECDHE_RSA_WITH_RC4_128_SHA ":" -//#endif - /* These next two are mandatory. */ - TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" - TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" +#ifdef TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 + TLS1_TXT_DHE_RSA_WITH_AES_256_SHA256 ":" +#endif +#ifdef TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 + TLS1_TXT_DHE_RSA_WITH_AES_128_SHA256 ":" +#endif + /* Required */ + TLS1_TXT_DHE_RSA_WITH_AES_256_SHA ":" + /* Required */ + TLS1_TXT_DHE_RSA_WITH_AES_128_SHA ":" #ifdef TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA ":" #endif - SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA; + /* Required */ + SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA; /* Note: to set up your own private testing network with link crypto * disabled, set your Tors' cipher list to @@ -1234,6 +1250,10 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, goto error; SSL_CTX_set_options(result->ctx, SSL_OP_NO_SSLv2); + /* Prefer the server's ordering of ciphers: the client's ordering has + * historically been chosen for fingerprinting resistance. */ + SSL_CTX_set_options(result->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + /* Disable TLS1.1 and TLS1.2 if they exist. We need to do this to * workaround a bug present in all OpenSSL 1.0.1 versions (as of 1 * June 2012), wherein renegotiating while using one of these TLS @@ -2563,8 +2583,8 @@ tor_tls_get_n_raw_bytes(tor_tls_t *tls, size_t *n_read, size_t *n_written) /** Return a ratio of the bytes that TLS has sent to the bytes that we've told * it to send. Used to track whether our TLS records are getting too tiny. */ -double -tls_get_write_overhead_ratio(void) +MOCK_IMPL(double, +tls_get_write_overhead_ratio,(void)) { if (total_bytes_written_over_tls == 0) return 1.0; diff --git a/src/common/tortls.h b/src/common/tortls.h index 49c488b36..a76ba3bc7 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -13,6 +13,7 @@ #include "crypto.h" #include "compat.h" +#include "testsupport.h" /* Opaque structure to hold a TLS connection. */ typedef struct tor_tls_t tor_tls_t; @@ -95,7 +96,7 @@ void tor_tls_get_buffer_sizes(tor_tls_t *tls, size_t *rbuf_capacity, size_t *rbuf_bytes, size_t *wbuf_capacity, size_t *wbuf_bytes); -double tls_get_write_overhead_ratio(void); +MOCK_DECL(double, tls_get_write_overhead_ratio, (void)); int tor_tls_used_v1_handshake(tor_tls_t *tls); int tor_tls_received_v3_certificate(tor_tls_t *tls); diff --git a/src/common/util.c b/src/common/util.c index a50f2566d..86bb8baae 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -1830,6 +1830,7 @@ file_status(const char *fname) int r; f = tor_strdup(fname); clean_name_for_stat(f); + log_debug(LD_FS, "stat()ing %s", f); r = stat(sandbox_intern_string(f), &st); tor_free(f); if (r) { @@ -1880,6 +1881,7 @@ check_private_dir(const char *dirname, cpd_check_t check, tor_assert(dirname); f = tor_strdup(dirname); clean_name_for_stat(f); + log_debug(LD_FS, "stat()ing %s", f); r = stat(sandbox_intern_string(f), &st); tor_free(f); if (r) { diff --git a/src/ext/csiphash.c b/src/ext/csiphash.c index 2a96f2881..c24788603 100644 --- a/src/ext/csiphash.c +++ b/src/ext/csiphash.c @@ -46,6 +46,10 @@ #elif defined(__APPLE__) # include <libkern/OSByteOrder.h> # define _le64toh(x) OSSwapLittleToHostInt64(x) +#elif defined(sun) || defined(__sun) +# include <sys/byteorder.h> +# define _le64toh(x) LE_64(x) + #else /* See: http://sourceforge.net/p/predef/wiki/Endianness/ */ diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c index 87270037c..b71dc3c13 100644 --- a/src/or/circuitlist.c +++ b/src/or/circuitlist.c @@ -438,8 +438,8 @@ circuit_close_all_marked(void) } /** Return the head of the global linked list of circuits. */ -struct global_circuitlist_s * -circuit_get_global_list(void) +MOCK_IMPL(struct global_circuitlist_s *, +circuit_get_global_list,(void)) { return &global_circuitlist; } diff --git a/src/or/circuitlist.h b/src/or/circuitlist.h index 2bbd20b83..916afba21 100644 --- a/src/or/circuitlist.h +++ b/src/or/circuitlist.h @@ -16,7 +16,7 @@ TOR_LIST_HEAD(global_circuitlist_s, circuit_t); -struct global_circuitlist_s* circuit_get_global_list(void); +MOCK_DECL(struct global_circuitlist_s*, circuit_get_global_list, (void)); const char *circuit_state_to_string(int state); const char *circuit_purpose_to_controller_string(uint8_t purpose); const char *circuit_purpose_to_controller_hs_state_string(uint8_t purpose); diff --git a/src/or/circuitstats.c b/src/or/circuitstats.c index c093ecd26..e362b1b49 100644 --- a/src/or/circuitstats.c +++ b/src/or/circuitstats.c @@ -12,6 +12,7 @@ #include "config.h" #include "confparse.h" #include "control.h" +#include "main.h" #include "networkstatus.h" #include "statefile.h" @@ -1185,6 +1186,12 @@ circuit_build_times_needs_circuits_now(const circuit_build_times_t *cbt) } /** + * How long should we be unreachable before we think we need to check if + * our published IP address has changed. + */ +#define CIRCUIT_TIMEOUT_BEFORE_RECHECK_IP (60*3) + +/** * Called to indicate that the network showed some signs of liveness, * i.e. we received a cell. * @@ -1199,12 +1206,15 @@ circuit_build_times_network_is_live(circuit_build_times_t *cbt) { time_t now = approx_time(); if (cbt->liveness.nonlive_timeouts > 0) { + time_t time_since_live = now - cbt->liveness.network_last_live; log_notice(LD_CIRC, "Tor now sees network activity. Restoring circuit build " "timeout recording. Network was down for %d seconds " "during %d circuit attempts.", - (int)(now - cbt->liveness.network_last_live), + (int)time_since_live, cbt->liveness.nonlive_timeouts); + if (time_since_live > CIRCUIT_TIMEOUT_BEFORE_RECHECK_IP) + reschedule_descriptor_update_check(); } cbt->liveness.network_last_live = now; cbt->liveness.nonlive_timeouts = 0; diff --git a/src/or/circuituse.c b/src/or/circuituse.c index 8b82de0f9..75a10ba0c 100644 --- a/src/or/circuituse.c +++ b/src/or/circuituse.c @@ -1515,7 +1515,7 @@ circuit_launch_by_extend_info(uint8_t purpose, circ = circuit_find_to_cannibalize(purpose, extend_info, flags); if (circ) { uint8_t old_purpose = circ->base_.purpose; - struct timeval old_timestamp_began; + struct timeval old_timestamp_began = circ->base_.timestamp_began; log_info(LD_CIRC,"Cannibalizing circ '%s' for purpose %d (%s)", build_state_get_exit_nickname(circ->build_state), purpose, diff --git a/src/or/config.c b/src/or/config.c index 551b09f58..c3ddb5c31 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -1,4 +1,4 @@ - /* Copyright (c) 2001 Matej Pfajfar. +/* Copyright (c) 2001 Matej Pfajfar. * Copyright (c) 2001-2004, Roger Dingledine. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. * Copyright (c) 2007-2013, The Tor Project, Inc. */ @@ -620,8 +620,8 @@ get_options_mutable(void) } /** Returns the currently configured options */ -const or_options_t * -get_options(void) +MOCK_IMPL(const or_options_t *, +get_options,(void)) { return get_options_mutable(); } @@ -1043,12 +1043,18 @@ options_act_reversible(const or_options_t *old_options, char **msg) if (running_tor) { int n_ports=0; /* We need to set the connection limit before we can open the listeners. */ - if (set_max_file_descriptors((unsigned)options->ConnLimit, - &options->ConnLimit_) < 0) { - *msg = tor_strdup("Problem with ConnLimit value. See logs for details."); - goto rollback; + if (! sandbox_is_active()) { + if (set_max_file_descriptors((unsigned)options->ConnLimit, + &options->ConnLimit_) < 0) { + *msg = tor_strdup("Problem with ConnLimit value. " + "See logs for details."); + goto rollback; + } + set_conn_limit = 1; + } else { + tor_assert(old_options); + options->ConnLimit_ = old_options->ConnLimit_; } - set_conn_limit = 1; /* Set up libevent. (We need to do this before we can register the * listeners as listeners.) */ @@ -1089,7 +1095,8 @@ options_act_reversible(const or_options_t *old_options, char **msg) #if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H) /* Open /dev/pf before dropping privileges. */ - if (options->TransPort_set) { + if (options->TransPort_set && + options->TransProxyType_parsed == TPT_DEFAULT) { if (get_pf_socket() < 0) { *msg = tor_strdup("Unable to open /dev/pf for transparent proxy."); goto rollback; @@ -1131,11 +1138,13 @@ options_act_reversible(const or_options_t *old_options, char **msg) if (!running_tor) goto commit; - mark_logs_temp(); /* Close current logs once new logs are open. */ - logs_marked = 1; - if (options_init_logs(options, 0)<0) { /* Configure the tor_log(s) */ - *msg = tor_strdup("Failed to init Log options. See logs for details."); - goto rollback; + if (!sandbox_is_active()) { + mark_logs_temp(); /* Close current logs once new logs are open. */ + logs_marked = 1; + if (options_init_logs(options, 0)<0) { /* Configure the tor_log(s) */ + *msg = tor_strdup("Failed to init Log options. See logs for details."); + goto rollback; + } } commit: @@ -1178,10 +1187,13 @@ options_act_reversible(const or_options_t *old_options, char **msg) SMARTLIST_FOREACH(replaced_listeners, connection_t *, conn, { + int marked = conn->marked_for_close; log_notice(LD_NET, "Closing old %s on %s:%d", conn_type_to_string(conn->type), conn->address, conn->port); connection_close_immediate(conn); - connection_mark_for_close(conn); + if (!marked) { + connection_mark_for_close(conn); + } }); goto done; @@ -1488,8 +1500,9 @@ options_act(const or_options_t *old_options) /* Write our PID to the PID file. If we do not have write permissions we * will log a warning */ - if (options->PidFile) + if (options->PidFile && !sandbox_is_active()) { write_pidfile(options->PidFile); + } /* Register addressmap directives */ config_register_addressmaps(options); @@ -2559,12 +2572,24 @@ options_validate(or_options_t *old_options, or_options_t *options, if (options->TransProxyType) { if (!strcasecmp(options->TransProxyType, "default")) { options->TransProxyType_parsed = TPT_DEFAULT; + } else if (!strcasecmp(options->TransProxyType, "pf-divert")) { +#ifndef __OpenBSD__ + REJECT("pf-divert is a OpenBSD-specific feature."); +#else + options->TransProxyType_parsed = TPT_PF_DIVERT; +#endif } else if (!strcasecmp(options->TransProxyType, "tproxy")) { #ifndef __linux__ REJECT("TPROXY is a Linux-specific feature."); #else options->TransProxyType_parsed = TPT_TPROXY; #endif + } else if (!strcasecmp(options->TransProxyType, "ipfw")) { +#ifndef __FreeBSD__ + REJECT("ipfw is a FreeBSD-specific feature."); +#else + options->TransProxyType_parsed = TPT_IPFW; +#endif } else { REJECT("Unrecognized value for TransProxyType"); } @@ -3581,6 +3606,12 @@ options_transition_allowed(const or_options_t *old, return -1; } + if (old->Sandbox != new_val->Sandbox) { + *msg = tor_strdup("While Tor is running, changing Sandbox " + "is not allowed."); + return -1; + } + if (strcmp(old->DataDirectory,new_val->DataDirectory)!=0) { tor_asprintf(msg, "While Tor is running, changing DataDirectory " @@ -3633,6 +3664,32 @@ options_transition_allowed(const or_options_t *old, return -1; } + if (sandbox_is_active()) { + if (! opt_streq(old->PidFile, new_val->PidFile)) { + *msg = tor_strdup("Can't change PidFile while Sandbox is active"); + return -1; + } + if (! config_lines_eq(old->Logs, new_val->Logs)) { + *msg = tor_strdup("Can't change Logs while Sandbox is active"); + return -1; + } + if (old->ConnLimit != new_val->ConnLimit) { + *msg = tor_strdup("Can't change ConnLimit while Sandbox is active"); + return -1; + } + if (! opt_streq(old->ServerDNSResolvConfFile, + new_val->ServerDNSResolvConfFile)) { + *msg = tor_strdup("Can't change ServerDNSResolvConfFile" + " while Sandbox is active"); + return -1; + } + if (server_mode(old) != server_mode(new_val)) { + *msg = tor_strdup("Can't start/stop being a server while " + "Sandbox is active"); + return -1; + } + } + return 0; } @@ -6282,7 +6339,7 @@ write_configuration_file(const char *fname, const or_options_t *options) ++i; } log_notice(LD_CONFIG, "Renaming old configuration file to \"%s\"", fn_tmp); - if (rename(fname, fn_tmp) < 0) { + if (tor_rename(fname, fn_tmp) < 0) {//XXXX sandbox doesn't allow log_warn(LD_FS, "Couldn't rename configuration file \"%s\" to \"%s\": %s", fname, fn_tmp, strerror(errno)); @@ -6468,6 +6525,7 @@ remove_file_if_very_old(const char *fname, time_t now) #define VERY_OLD_FILE_AGE (28*24*60*60) struct stat st; + log_debug(LD_FS, "stat()ing %s", fname); if (stat(sandbox_intern_string(fname), &st)==0 && st.st_mtime < now-VERY_OLD_FILE_AGE) { char buf[ISO_TIME_LEN+1]; diff --git a/src/or/config.h b/src/or/config.h index 8ee2a4572..bf386134b 100644 --- a/src/or/config.h +++ b/src/or/config.h @@ -12,8 +12,10 @@ #ifndef TOR_CONFIG_H #define TOR_CONFIG_H +#include "testsupport.h" + const char *get_dirportfrontpage(void); -const or_options_t *get_options(void); +MOCK_DECL(const or_options_t *,get_options,(void)); or_options_t *get_options_mutable(void); int set_options(or_options_t *new_val, char **msg); void config_free_all(void); diff --git a/src/or/connection.c b/src/or/connection.c index 1be4c45dd..2e72e6b39 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -2359,6 +2359,20 @@ connection_mark_all_noncontrol_connections(void) connection_mark_unattached_ap(TO_ENTRY_CONN(conn), END_STREAM_REASON_HIBERNATING); break; + case CONN_TYPE_OR: + { + or_connection_t *orconn = TO_OR_CONN(conn); + if (orconn->chan) { + connection_or_close_normally(orconn, 0); + } else { + /* + * There should have been one, but mark for close and hope + * for the best.. + */ + connection_mark_for_close(conn); + } + } + break; default: connection_mark_for_close(conn); break; @@ -4009,6 +4023,12 @@ connection_write_to_buf_impl_,(const char *string, size_t len, "write_to_buf failed. Closing circuit (fd %d).", (int)conn->s); circuit_mark_for_close(circuit_get_by_edge_conn(TO_EDGE_CONN(conn)), END_CIRC_REASON_INTERNAL); + } else if (conn->type == CONN_TYPE_OR) { + or_connection_t *orconn = TO_OR_CONN(conn); + log_warn(LD_NET, + "write_to_buf failed on an orconn; notifying of error " + "(fd %d)", (int)(conn->s)); + connection_or_close_for_error(orconn, 0); } else { log_warn(LD_NET, "write_to_buf failed. Closing connection (fd %d).", diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 41ca6119b..a8ad9ec2e 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -1391,35 +1391,48 @@ get_pf_socket(void) } #endif -/** Fetch the original destination address and port from a - * system-specific interface and put them into a - * socks_request_t as if they came from a socks request. - * - * Return -1 if an error prevents fetching the destination, - * else return 0. - */ +#if defined(TRANS_NETFILTER) || defined(TRANS_PF) +/** Try fill in the address of <b>req</b> from the socket configured + * with <b>conn</b>. */ static int -connection_ap_get_original_destination(entry_connection_t *conn, - socks_request_t *req) +destination_from_socket(entry_connection_t *conn, socks_request_t *req) { -#ifdef TRANS_NETFILTER - /* Linux 2.4+ */ struct sockaddr_storage orig_dst; socklen_t orig_dst_len = sizeof(orig_dst); tor_addr_t addr; +#ifdef TRANS_NETFILTER if (getsockopt(ENTRY_TO_CONN(conn)->s, SOL_IP, SO_ORIGINAL_DST, (struct sockaddr*)&orig_dst, &orig_dst_len) < 0) { int e = tor_socket_errno(ENTRY_TO_CONN(conn)->s); log_warn(LD_NET, "getsockopt() failed: %s", tor_socket_strerror(e)); return -1; } +#elif defined(TRANS_PF) + if (getsockname(ENTRY_TO_CONN(conn)->s, (struct sockaddr*)&orig_dst, + &orig_dst_len) < 0) { + int e = tor_socket_errno(ENTRY_TO_CONN(conn)->s); + log_warn(LD_NET, "getsockname() failed: %s", tor_socket_strerror(e)); + return -1; + } +#else + (void)conn; + (void)req; + log_warn(LD_BUG, "Unable to determine destination from socket."); + return -1; +#endif tor_addr_from_sockaddr(&addr, (struct sockaddr*)&orig_dst, &req->port); tor_addr_to_str(req->address, &addr, sizeof(req->address), 1); return 0; -#elif defined(TRANS_PF) +} +#endif + +#ifdef TRANS_PF +static int +destination_from_pf(entry_connection_t *conn, socks_request_t *req) +{ struct sockaddr_storage proxy_addr; socklen_t proxy_addr_len = sizeof(proxy_addr); struct sockaddr *proxy_sa = (struct sockaddr*) &proxy_addr; @@ -1435,6 +1448,21 @@ connection_ap_get_original_destination(entry_connection_t *conn, return -1; } +#ifdef __FreeBSD__ + if (get_options()->TransProxyType_parsed == TPT_IPFW) { + /* ipfw(8) is used and in this case getsockname returned the original + destination */ + if (tor_addr_from_sockaddr(&addr, proxy_sa, &req->port) < 0) { + tor_fragile_assert(); + return -1; + } + + tor_addr_to_str(req->address, &addr, sizeof(req->address), 0); + + return 0; + } +#endif + memset(&pnl, 0, sizeof(pnl)); pnl.proto = IPPROTO_TCP; pnl.direction = PF_OUT; @@ -1481,6 +1509,36 @@ connection_ap_get_original_destination(entry_connection_t *conn, req->port = ntohs(pnl.rdport); return 0; +} +#endif + +/** Fetch the original destination address and port from a + * system-specific interface and put them into a + * socks_request_t as if they came from a socks request. + * + * Return -1 if an error prevents fetching the destination, + * else return 0. + */ +static int +connection_ap_get_original_destination(entry_connection_t *conn, + socks_request_t *req) +{ +#ifdef TRANS_NETFILTER + return destination_from_socket(conn, req); +#elif defined(TRANS_PF) + const or_options_t *options = get_options(); + + if (options->TransProxyType_parsed == TPT_PF_DIVERT) + return destination_from_socket(conn, req); + + if (options->TransProxyType_parsed == TPT_DEFAULT) + return destination_from_pf(conn, req); + + (void)conn; + (void)req; + log_warn(LD_BUG, "Proxy destination determination mechanism %s unknown.", + options->TransProxyType); + return -1; #else (void)conn; (void)req; diff --git a/src/or/control.c b/src/or/control.c index 23e2054f9..2815b7901 100644..100755 --- a/src/or/control.c +++ b/src/or/control.c @@ -2193,6 +2193,9 @@ static const getinfo_item_t getinfo_items[] = { "v3 Networkstatus consensus as retrieved from a DirPort."), ITEM("exit-policy/default", policies, "The default value appended to the configured exit policy."), + ITEM("exit-policy/full", policies, "The entire exit policy of onion router"), + ITEM("exit-policy/ipv4", policies, "IPv4 parts of exit policy"), + ITEM("exit-policy/ipv6", policies, "IPv6 parts of exit policy"), PREFIX("ip-to-country/", geoip, "Perform a GEOIP lookup"), { NULL, NULL, NULL, 0 } }; @@ -4819,16 +4822,28 @@ bootstrap_status_to_string(bootstrap_status_t s, const char **tag, * Tor initializes. */ static int bootstrap_percent = BOOTSTRAP_STATUS_UNDEF; +/** As bootstrap_percent, but holds the bootstrapping level at which we last + * logged a NOTICE-level message. We use this, plus BOOTSTRAP_PCT_INCREMENT, + * to avoid flooding the log with a new message every time we get a few more + * microdescriptors */ +static int notice_bootstrap_percent = 0; + /** How many problems have we had getting to the next bootstrapping phase? * These include failure to establish a connection to a Tor relay, * failures to finish the TLS handshake, failures to validate the * consensus document, etc. */ static int bootstrap_problems = 0; -/* We only tell the controller once we've hit a threshold of problems +/** We only tell the controller once we've hit a threshold of problems * for the current phase. */ #define BOOTSTRAP_PROBLEM_THRESHOLD 10 +/** When our bootstrapping progress level changes, but our bootstrapping + * status has not advanced, we only log at NOTICE when we have made at least + * this much progress. + */ +#define BOOTSTRAP_PCT_INCREMENT 5 + /** Called when Tor has made progress at bootstrapping its directory * information and initial circuits. * @@ -4848,7 +4863,7 @@ control_event_bootstrap(bootstrap_status_t status, int progress) * can't distinguish what the connection is going to be for. */ if (status == BOOTSTRAP_STATUS_HANDSHAKE) { if (bootstrap_percent < BOOTSTRAP_STATUS_CONN_OR) { - status = BOOTSTRAP_STATUS_HANDSHAKE_DIR; + status = BOOTSTRAP_STATUS_HANDSHAKE_DIR; } else { status = BOOTSTRAP_STATUS_HANDSHAKE_OR; } @@ -4856,9 +4871,19 @@ control_event_bootstrap(bootstrap_status_t status, int progress) if (status > bootstrap_percent || (progress && progress > bootstrap_percent)) { + int loglevel = LOG_NOTICE; bootstrap_status_to_string(status, &tag, &summary); - tor_log(status ? LOG_NOTICE : LOG_INFO, LD_CONTROL, - "Bootstrapped %d%%: %s.", progress ? progress : status, summary); + + if (status <= bootstrap_percent && + (progress < notice_bootstrap_percent + BOOTSTRAP_PCT_INCREMENT)) { + /* We log the message at info if the status hasn't advanced, and if less + * than BOOTSTRAP_PCT_INCREMENT progress has been made. + */ + loglevel = LOG_INFO; + } + + tor_log(loglevel, LD_CONTROL, + "Bootstrapped %d%%: %s", progress ? progress : status, summary); tor_snprintf(buf, sizeof(buf), "BOOTSTRAP PROGRESS=%d TAG=%s SUMMARY=\"%s\"", progress ? progress : status, tag, summary); @@ -4874,6 +4899,11 @@ control_event_bootstrap(bootstrap_status_t status, int progress) bootstrap_percent = progress; bootstrap_problems = 0; /* Progress! Reset our problem counter. */ } + if (loglevel == LOG_NOTICE && + bootstrap_percent > notice_bootstrap_percent) { + /* Remember that we gave a notice at this level. */ + notice_bootstrap_percent = bootstrap_percent; + } } } @@ -4884,7 +4914,7 @@ control_event_bootstrap(bootstrap_status_t status, int progress) */ MOCK_IMPL(void, control_event_bootstrap_problem, (const char *warn, int reason, - const or_connection_t *or_conn)) + or_connection_t *or_conn)) { int status = bootstrap_percent; const char *tag, *summary; @@ -4895,6 +4925,11 @@ MOCK_IMPL(void, /* bootstrap_percent must not be in "undefined" state here. */ tor_assert(status >= 0); + if (or_conn->have_noted_bootstrap_problem) + return; + + or_conn->have_noted_bootstrap_problem = 1; + if (bootstrap_percent == 100) return; /* already bootstrapped; nothing to be done here. */ diff --git a/src/or/control.h b/src/or/control.h index ce605a120..988c171d7 100644 --- a/src/or/control.h +++ b/src/or/control.h @@ -94,7 +94,7 @@ void monitor_owning_controller_process(const char *process_spec); void control_event_bootstrap(bootstrap_status_t status, int progress); MOCK_DECL(void, control_event_bootstrap_problem,(const char *warn, int reason, - const or_connection_t *or_conn)); + or_connection_t *or_conn)); void control_event_clients_seen(const char *controller_str); void control_event_transport_launched(const char *mode, diff --git a/src/or/dns.c b/src/or/dns.c index a88a46eb7..36271939b 100644 --- a/src/or/dns.c +++ b/src/or/dns.c @@ -1353,6 +1353,7 @@ inform_pending_connections(cached_resolve_t *resolve) } resolve->pending_connections = pend->next; tor_free(pend); + tor_free(hostname); } } @@ -1479,6 +1480,7 @@ configure_nameservers(int force) evdns_set_log_fn(evdns_log_cb); if (conf_fname) { + log_debug(LD_FS, "stat()ing %s", conf_fname); if (stat(sandbox_intern_string(conf_fname), &st)) { log_warn(LD_EXIT, "Unable to stat resolver configuration in '%s': %s", conf_fname, strerror(errno)); @@ -1496,6 +1498,7 @@ configure_nameservers(int force) #if defined(DNS_OPTION_HOSTSFILE) && defined(USE_LIBSECCOMP) if (flags & DNS_OPTION_HOSTSFILE) { flags ^= DNS_OPTION_HOSTSFILE; + log_debug(LD_FS, "Loading /etc/hosts"); evdns_base_load_hosts(the_evdns_base, sandbox_intern_string("/etc/hosts")); } diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c index b374ac7a3..70587bd75 100644 --- a/src/or/entrynodes.c +++ b/src/or/entrynodes.c @@ -70,7 +70,9 @@ static int entry_guards_dirty = 0; static void bridge_free(bridge_info_t *bridge); static const node_t *choose_random_entry_impl(cpath_build_state_t *state, int for_directory, - dirinfo_type_t dirtype); + dirinfo_type_t dirtype, + int *n_options_out); +static int num_bridges_usable(void); /** Return the list of entry guards, creating it if necessary. */ const smartlist_t * @@ -982,7 +984,7 @@ node_can_handle_dirinfo(const node_t *node, dirinfo_type_t dirinfo) const node_t * choose_random_entry(cpath_build_state_t *state) { - return choose_random_entry_impl(state, 0, 0); + return choose_random_entry_impl(state, 0, 0, NULL); } /** Pick a live (up and listed) directory guard from entry_guards for @@ -990,13 +992,13 @@ choose_random_entry(cpath_build_state_t *state) const node_t * choose_random_dirguard(dirinfo_type_t type) { - return choose_random_entry_impl(NULL, 1, type); + return choose_random_entry_impl(NULL, 1, type, NULL); } /** Helper for choose_random{entry,dirguard}. */ static const node_t * choose_random_entry_impl(cpath_build_state_t *state, int for_directory, - dirinfo_type_t dirinfo_type) + dirinfo_type_t dirinfo_type, int *n_options_out) { const or_options_t *options = get_options(); smartlist_t *live_entry_guards = smartlist_new(); @@ -1010,6 +1012,9 @@ choose_random_entry_impl(cpath_build_state_t *state, int for_directory, int need_descriptor = !for_directory; const int num_needed = decide_num_guards(options, for_directory); + if (n_options_out) + *n_options_out = 0; + if (chosen_exit) { nodelist_add_node_and_family(exit_family, chosen_exit); consider_exit_family = 1; @@ -1136,6 +1141,8 @@ choose_random_entry_impl(cpath_build_state_t *state, int for_directory, * *double*-weight our guard selection. */ node = smartlist_choose(live_entry_guards); } + if (n_options_out) + *n_options_out = smartlist_len(live_entry_guards); smartlist_free(live_entry_guards); smartlist_free(exit_family); return node; @@ -2166,7 +2173,7 @@ learned_bridge_descriptor(routerinfo_t *ri, int from_cache) tor_assert(ri); tor_assert(ri->purpose == ROUTER_PURPOSE_BRIDGE); if (get_options()->UseBridges) { - int first = !any_bridge_descriptors_known(); + int first = num_bridges_usable() <= 1; bridge_info_t *bridge = get_configured_bridge_by_routerinfo(ri); time_t now = time(NULL); router_set_status(ri->cache_info.identity_digest, 1); @@ -2188,14 +2195,15 @@ learned_bridge_descriptor(routerinfo_t *ri, int from_cache) * our entry node list */ entry_guard_register_connect_status(ri->cache_info.identity_digest, 1, 0, now); - if (first) + if (first) { routerlist_retry_directory_downloads(now); + } } } } -/** Return 1 if any of our entry guards have descriptors that - * are marked with purpose 'bridge' and are running. Else return 0. +/** Return the number of bridges that have descriptors that + * are marked with purpose 'bridge' and are running. * * We use this function to decide if we're ready to start building * circuits through our bridges, or if we need to wait until the @@ -2207,6 +2215,18 @@ any_bridge_descriptors_known(void) return choose_random_entry(NULL) != NULL; } +/** Return the number of bridges that have descriptors that are marked with + * purpose 'bridge' and are running. + */ +static int +num_bridges_usable(void) +{ + int n_options = 0; + tor_assert(get_options()->UseBridges); + (void) choose_random_entry_impl(NULL, 0, 0, &n_options); + return n_options; +} + /** Return 1 if we have at least one descriptor for an entry guard * (bridge or member of EntryNodes) and all descriptors we know are * down. Else return 0. If <b>act</b> is 1, then mark the down guards diff --git a/src/or/hibernate.c b/src/or/hibernate.c index bbda8424f..c433ac1be 100644 --- a/src/or/hibernate.c +++ b/src/or/hibernate.c @@ -239,8 +239,8 @@ accounting_parse_options(const or_options_t *options, int validate_only) /** If we want to manage the accounting system and potentially * hibernate, return 1, else return 0. */ -int -accounting_is_enabled(const or_options_t *options) +MOCK_IMPL(int, +accounting_is_enabled,(const or_options_t *options)) { if (options->AccountingMax) return 1; @@ -256,8 +256,8 @@ accounting_get_interval_length(void) } /** Return the time at which the current accounting interval will end. */ -time_t -accounting_get_end_time(void) +MOCK_IMPL(time_t, +accounting_get_end_time,(void)) { return interval_end_time; } @@ -823,8 +823,8 @@ hibernate_begin_shutdown(void) } /** Return true iff we are currently hibernating. */ -int -we_are_hibernating(void) +MOCK_IMPL(int, +we_are_hibernating,(void)) { return hibernate_state != HIBERNATE_STATE_LIVE; } diff --git a/src/or/hibernate.h b/src/or/hibernate.h index 4f7331ce8..38ecb7512 100644 --- a/src/or/hibernate.h +++ b/src/or/hibernate.h @@ -12,16 +12,18 @@ #ifndef TOR_HIBERNATE_H #define TOR_HIBERNATE_H +#include "testsupport.h" + int accounting_parse_options(const or_options_t *options, int validate_only); -int accounting_is_enabled(const or_options_t *options); +MOCK_DECL(int, accounting_is_enabled, (const or_options_t *options)); int accounting_get_interval_length(void); -time_t accounting_get_end_time(void); +MOCK_DECL(time_t, accounting_get_end_time, (void)); void configure_accounting(time_t now); void accounting_run_housekeeping(time_t now); void accounting_add_bytes(size_t n_read, size_t n_written, int seconds); int accounting_record_bandwidth_usage(time_t now, or_state_t *state); void hibernate_begin_shutdown(void); -int we_are_hibernating(void); +MOCK_DECL(int, we_are_hibernating, (void)); void consider_hibernation(time_t now); int getinfo_helper_accounting(control_connection_t *conn, const char *question, char **answer, diff --git a/src/or/main.c b/src/or/main.c index feca35c44..4770b7e6d 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -469,15 +469,15 @@ get_connection_array(void) /** Provides the traffic read and written over the life of the process. */ -uint64_t -get_bytes_read(void) +MOCK_IMPL(uint64_t, +get_bytes_read,(void)) { return stats_n_bytes_read; } /* DOCDOC get_bytes_written */ -uint64_t -get_bytes_written(void) +MOCK_IMPL(uint64_t, +get_bytes_written,(void)) { return stats_n_bytes_written; } @@ -919,16 +919,7 @@ conn_close_if_marked(int i) return 0; } if (connection_wants_to_flush(conn)) { - int severity; - if (conn->type == CONN_TYPE_EXIT || - (conn->type == CONN_TYPE_OR && server_mode(get_options())) || - (conn->type == CONN_TYPE_DIR && conn->purpose == DIR_PURPOSE_SERVER)) - severity = LOG_INFO; - else - severity = LOG_NOTICE; - /* XXXX Maybe allow this to happen a certain amount per hour; it usually - * is meaningless. */ - log_fn(severity, LD_NET, "We stalled too much while trying to write %d " + log_fn(LOG_INFO, LD_NET, "We stalled too much while trying to write %d " "bytes to address %s. If this happens a lot, either " "something is wrong with your network connection, or " "something is wrong with theirs. " @@ -1162,6 +1153,18 @@ get_signewnym_epoch(void) return newnym_epoch; } +static time_t time_to_check_descriptor = 0; +/** + * Update our schedule so that we'll check whether we need to update our + * descriptor immediately, rather than after up to CHECK_DESCRIPTOR_INTERVAL + * seconds. + */ +void +reschedule_descriptor_update_check(void) +{ + time_to_check_descriptor = 0; +} + /** Perform regular maintenance tasks. This function gets run once per * second by second_elapsed_callback(). */ @@ -1171,7 +1174,6 @@ run_scheduled_events(time_t now) static time_t last_rotated_x509_certificate = 0; static time_t time_to_check_v3_certificate = 0; static time_t time_to_check_listeners = 0; - static time_t time_to_check_descriptor = 0; static time_t time_to_download_networkstatus = 0; static time_t time_to_shrink_memory = 0; static time_t time_to_try_getting_descriptors = 0; @@ -2119,8 +2121,8 @@ process_signal(uintptr_t sig) } /** Returns Tor's uptime. */ -long -get_uptime(void) +MOCK_IMPL(long, +get_uptime,(void)) { return stats_n_seconds_working; } @@ -2430,6 +2432,9 @@ tor_init(int argc, char *argv[]) return -1; } stream_choice_seed_weak_rng(); + if (tor_init_libevent_rng() < 0) { + log_warn(LD_NET, "Problem initializing libevent RNG."); + } return 0; } @@ -2721,79 +2726,143 @@ init_addrinfo(void) static sandbox_cfg_t* sandbox_init_filter(void) { + const or_options_t *options = get_options(); sandbox_cfg_t *cfg = sandbox_cfg_new(); + int i; sandbox_cfg_allow_openat_filename(&cfg, - get_datadir_fname("cached-status"), 1); + get_datadir_fname("cached-status")); sandbox_cfg_allow_open_filename_array(&cfg, - get_datadir_fname("cached-certs"), 1, - get_datadir_fname("cached-certs.tmp"), 1, - get_datadir_fname("cached-consensus"), 1, - get_datadir_fname("unverified-consensus"), 1, - get_datadir_fname("unverified-consensus.tmp"), 1, - get_datadir_fname("cached-microdesc-consensus"), 1, - get_datadir_fname("cached-microdesc-consensus.tmp"), 1, - get_datadir_fname("cached-microdescs"), 1, - get_datadir_fname("cached-microdescs.tmp"), 1, - get_datadir_fname("cached-microdescs.new"), 1, - get_datadir_fname("cached-microdescs.new.tmp"), 1, - get_datadir_fname("unverified-microdesc-consensus"), 1, - get_datadir_fname("cached-descriptors"), 1, - get_datadir_fname("cached-descriptors.new"), 1, - get_datadir_fname("cached-descriptors.tmp"), 1, - get_datadir_fname("cached-descriptors.new.tmp"), 1, - get_datadir_fname("cached-descriptors.tmp.tmp"), 1, - get_datadir_fname("cached-extrainfo"), 1, - get_datadir_fname("state.tmp"), 1, - get_datadir_fname("unparseable-desc.tmp"), 1, - get_datadir_fname("unparseable-desc"), 1, - "/dev/srandom", 0, - "/dev/urandom", 0, - "/dev/random", 0, + get_datadir_fname("cached-certs"), + get_datadir_fname("cached-certs.tmp"), + get_datadir_fname("cached-consensus"), + get_datadir_fname("cached-consensus.tmp"), + get_datadir_fname("unverified-consensus"), + get_datadir_fname("unverified-consensus.tmp"), + get_datadir_fname("unverified-microdesc-consensus"), + get_datadir_fname("unverified-microdesc-consensus.tmp"), + get_datadir_fname("cached-microdesc-consensus"), + get_datadir_fname("cached-microdesc-consensus.tmp"), + get_datadir_fname("cached-microdescs"), + get_datadir_fname("cached-microdescs.tmp"), + get_datadir_fname("cached-microdescs.new"), + get_datadir_fname("cached-microdescs.new.tmp"), + get_datadir_fname("cached-descriptors"), + get_datadir_fname("cached-descriptors.new"), + get_datadir_fname("cached-descriptors.tmp"), + get_datadir_fname("cached-descriptors.new.tmp"), + get_datadir_fname("cached-descriptors.tmp.tmp"), + get_datadir_fname("cached-extrainfo"), + get_datadir_fname("cached-extrainfo.new"), + get_datadir_fname("cached-extrainfo.tmp"), + get_datadir_fname("cached-extrainfo.new.tmp"), + get_datadir_fname("cached-extrainfo.tmp.tmp"), + get_datadir_fname("state.tmp"), + get_datadir_fname("unparseable-desc.tmp"), + get_datadir_fname("unparseable-desc"), + get_datadir_fname("v3-status-votes"), + get_datadir_fname("v3-status-votes.tmp"), + tor_strdup("/dev/srandom"), + tor_strdup("/dev/urandom"), + tor_strdup("/dev/random"), + tor_strdup("/etc/hosts"), NULL, 0 ); + if (options->ServerDNSResolvConfFile) + sandbox_cfg_allow_open_filename(&cfg, + tor_strdup(options->ServerDNSResolvConfFile)); + else + sandbox_cfg_allow_open_filename(&cfg, tor_strdup("/etc/resolv.conf")); + + for (i = 0; i < 2; ++i) { + if (get_torrc_fname(i)) { + sandbox_cfg_allow_open_filename(&cfg, tor_strdup(get_torrc_fname(i))); + } + } + +#define RENAME_SUFFIX(name, suffix) \ + sandbox_cfg_allow_rename(&cfg, \ + get_datadir_fname(name suffix), \ + get_datadir_fname(name)) + +#define RENAME_SUFFIX2(prefix, name, suffix) \ + sandbox_cfg_allow_rename(&cfg, \ + get_datadir_fname2(prefix, name suffix), \ + get_datadir_fname2(prefix, name)) + + RENAME_SUFFIX("cached-certs", ".tmp"); + RENAME_SUFFIX("cached-consensus", ".tmp"); + RENAME_SUFFIX("unverified-consensus", ".tmp"); + RENAME_SUFFIX("unverified-microdesc-consensus", ".tmp"); + RENAME_SUFFIX("cached-microdesc-consensus", ".tmp"); + RENAME_SUFFIX("cached-microdescs", ".tmp"); + RENAME_SUFFIX("cached-microdescs", ".new"); + RENAME_SUFFIX("cached-microdescs.new", ".tmp"); + RENAME_SUFFIX("cached-descriptors", ".tmp"); + RENAME_SUFFIX("cached-descriptors", ".new"); + RENAME_SUFFIX("cached-descriptors.new", ".tmp"); + RENAME_SUFFIX("cached-extrainfo", ".tmp"); + RENAME_SUFFIX("cached-extrainfo", ".new"); + RENAME_SUFFIX("cached-extrainfo.new", ".tmp"); + RENAME_SUFFIX("state", ".tmp"); + RENAME_SUFFIX("unparseable-desc", ".tmp"); + RENAME_SUFFIX("v3-status-votes", ".tmp"); sandbox_cfg_allow_stat_filename_array(&cfg, - get_datadir_fname(NULL), 1, - get_datadir_fname("lock"), 1, - get_datadir_fname("state"), 1, - get_datadir_fname("router-stability"), 1, - get_datadir_fname("cached-extrainfo.new"), 1, + get_datadir_fname(NULL), + get_datadir_fname("lock"), + get_datadir_fname("state"), + get_datadir_fname("router-stability"), + get_datadir_fname("cached-extrainfo.new"), NULL, 0 ); // orport if (server_mode(get_options())) { sandbox_cfg_allow_open_filename_array(&cfg, - get_datadir_fname2("keys", "secret_id_key"), 1, - get_datadir_fname2("keys", "secret_onion_key"), 1, - get_datadir_fname2("keys", "secret_onion_key_ntor"), 1, - get_datadir_fname2("keys", "secret_onion_key_ntor.tmp"), 1, - get_datadir_fname2("keys", "secret_id_key.old"), 1, - get_datadir_fname2("keys", "secret_onion_key.old"), 1, - get_datadir_fname2("keys", "secret_onion_key_ntor.old"), 1, - get_datadir_fname2("keys", "secret_onion_key.tmp"), 1, - get_datadir_fname2("keys", "secret_id_key.tmp"), 1, - get_datadir_fname("fingerprint"), 1, - get_datadir_fname("fingerprint.tmp"), 1, - get_datadir_fname("hashed-fingerprint"), 1, - get_datadir_fname("hashed-fingerprint.tmp"), 1, - get_datadir_fname("cached-consensus"), 1, - get_datadir_fname("cached-consensus.tmp"), 1, - "/etc/resolv.conf", 0, + get_datadir_fname2("keys", "secret_id_key"), + get_datadir_fname2("keys", "secret_onion_key"), + get_datadir_fname2("keys", "secret_onion_key_ntor"), + get_datadir_fname2("keys", "secret_onion_key_ntor.tmp"), + get_datadir_fname2("keys", "secret_id_key.old"), + get_datadir_fname2("keys", "secret_onion_key.old"), + get_datadir_fname2("keys", "secret_onion_key_ntor.old"), + get_datadir_fname2("keys", "secret_onion_key.tmp"), + get_datadir_fname2("keys", "secret_id_key.tmp"), + get_datadir_fname("fingerprint"), + get_datadir_fname("fingerprint.tmp"), + get_datadir_fname("hashed-fingerprint"), + get_datadir_fname("hashed-fingerprint.tmp"), + get_datadir_fname("router-stability"), + get_datadir_fname("router-stability.tmp"), + tor_strdup("/etc/resolv.conf"), NULL, 0 ); + RENAME_SUFFIX("fingerprint", ".tmp"); + RENAME_SUFFIX2("keys", "secret_onion_key_ntor", ".tmp"); + RENAME_SUFFIX2("keys", "secret_id_key", ".tmp"); + RENAME_SUFFIX2("keys", "secret_id_key.old", ".tmp"); + RENAME_SUFFIX2("keys", "secret_onion_key", ".tmp"); + RENAME_SUFFIX2("keys", "secret_onion_key.old", ".tmp"); + RENAME_SUFFIX("hashed-fingerprint", ".tmp"); + RENAME_SUFFIX("router-stability", ".tmp"); + + sandbox_cfg_allow_rename(&cfg, + get_datadir_fname2("keys", "secret_onion_key"), + get_datadir_fname2("keys", "secret_onion_key.old")); + sandbox_cfg_allow_rename(&cfg, + get_datadir_fname2("keys", "secret_onion_key_ntor"), + get_datadir_fname2("keys", "secret_onion_key_ntor.old")); + sandbox_cfg_allow_stat_filename_array(&cfg, - get_datadir_fname("keys"), 1, - get_datadir_fname("stats/dirreq-stats"), 1, + get_datadir_fname("keys"), + get_datadir_fname("stats/dirreq-stats"), NULL, 0 ); } - sandbox_cfg_allow_execve(&cfg, "/usr/local/bin/tor"); - init_addrinfo(); return cfg; diff --git a/src/or/main.h b/src/or/main.h index df302ffa7..a3bce3486 100644 --- a/src/or/main.h +++ b/src/or/main.h @@ -24,8 +24,8 @@ void add_connection_to_closeable_list(connection_t *conn); int connection_is_on_closeable_list(connection_t *conn); smartlist_t *get_connection_array(void); -uint64_t get_bytes_read(void); -uint64_t get_bytes_written(void); +MOCK_DECL(uint64_t,get_bytes_read,(void)); +MOCK_DECL(uint64_t,get_bytes_written,(void)); /** Bitmask for events that we can turn on and off with * connection_watch_events. */ @@ -50,8 +50,10 @@ void directory_info_has_arrived(time_t now, int from_cache); void ip_address_changed(int at_interface); void dns_servers_relaunch_checks(void); +void reschedule_descriptor_update_check(void); + +MOCK_DECL(long,get_uptime,(void)); -long get_uptime(void); unsigned get_signewnym_epoch(void); void handle_signals(int is_parent); diff --git a/src/or/networkstatus.c b/src/or/networkstatus.c index 74c4ca45a..b8ac2e05f 100644 --- a/src/or/networkstatus.c +++ b/src/or/networkstatus.c @@ -322,6 +322,17 @@ networkstatus_check_document_signature(const networkstatus_t *consensus, DIGEST_LEN)) return -1; + if (authority_cert_is_blacklisted(cert)) { + /* We implement blacklisting for authority signing keys by treating + * all their signatures as always bad. That way we don't get into + * crazy loops of dropping and re-fetching signatures. */ + log_warn(LD_DIR, "Ignoring a consensus signature made with deprecated" + " signing key %s", + hex_str(cert->signing_key_digest, DIGEST_LEN)); + sig->bad_signature = 1; + return 0; + } + signed_digest_len = crypto_pk_keysize(cert->signing_key); signed_digest = tor_malloc(signed_digest_len); if (crypto_pk_public_checksig(cert->signing_key, diff --git a/src/or/nodelist.c b/src/or/nodelist.c index 52c92661c..a38a6d499 100644 --- a/src/or/nodelist.c +++ b/src/or/nodelist.c @@ -85,8 +85,8 @@ node_get_mutable_by_id(const char *identity_digest) /** Return the node_t whose identity is <b>identity_digest</b>, or NULL * if no such node exists. */ -const node_t * -node_get_by_id(const char *identity_digest) +MOCK_IMPL(const node_t *, +node_get_by_id,(const char *identity_digest)) { return node_get_mutable_by_id(identity_digest); } diff --git a/src/or/nodelist.h b/src/or/nodelist.h index 95d0c2328..8e719e012 100644 --- a/src/or/nodelist.h +++ b/src/or/nodelist.h @@ -17,7 +17,7 @@ } STMT_END node_t *node_get_mutable_by_id(const char *identity_digest); -const node_t *node_get_by_id(const char *identity_digest); +MOCK_DECL(const node_t *, node_get_by_id, (const char *identity_digest)); const node_t *node_get_by_hex_id(const char *identity_digest); node_t *nodelist_set_routerinfo(routerinfo_t *ri, routerinfo_t **ri_old_out); node_t *nodelist_add_microdesc(microdesc_t *md); diff --git a/src/or/or.h b/src/or/or.h index e17b5816a..4ca7ecc60 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -1482,6 +1482,10 @@ typedef struct or_connection_t { unsigned int is_outgoing:1; unsigned int proxy_type:2; /**< One of PROXY_NONE...PROXY_SOCKS5 */ unsigned int wide_circ_ids:1; + /** True iff this connection has had its bootstrap failure logged with + * control_event_bootstrap_problem. */ + unsigned int have_noted_bootstrap_problem:1; + uint16_t link_proto; /**< What protocol version are we using? 0 for * "none negotiated yet." */ @@ -3469,7 +3473,12 @@ typedef struct { const char *TransProxyType; /**< What kind of transparent proxy * implementation are we using? */ /** Parsed value of TransProxyType. */ - enum { TPT_DEFAULT, TPT_TPROXY } TransProxyType_parsed; + enum { + TPT_DEFAULT, + TPT_PF_DIVERT, + TPT_IPFW, + TPT_TPROXY, + } TransProxyType_parsed; config_line_t *NATDPort_lines; /**< Ports to listen on for transparent natd * connections. */ config_line_t *ControlPort_lines; /**< Ports to listen on for control diff --git a/src/or/policies.c b/src/or/policies.c index 42dc46b7f..8a91509a7 100644 --- a/src/or/policies.c +++ b/src/or/policies.c @@ -13,6 +13,7 @@ #include "dirserv.h" #include "nodelist.h" #include "policies.h" +#include "router.h" #include "routerparse.h" #include "geoip.h" #include "ht.h" @@ -1692,6 +1693,28 @@ getinfo_helper_policies(control_connection_t *conn, (void) errmsg; if (!strcmp(question, "exit-policy/default")) { *answer = tor_strdup(DEFAULT_EXIT_POLICY); + } else if (!strcmpstart(question, "exit-policy/")) { + const routerinfo_t *me = router_get_my_routerinfo(); + + int include_ipv4 = 0; + int include_ipv6 = 0; + + if (!strcmp(question, "exit-policy/ipv4")) { + include_ipv4 = 1; + } else if (!strcmp(question, "exit-policy/ipv6")) { + include_ipv6 = 1; + } else if (!strcmp(question, "exit-policy/full")) { + include_ipv4 = include_ipv6 = 1; + } else { + return 0; /* No such key. */ + } + + if (!me) { + *errmsg = "router_get_my_routerinfo returned NULL"; + return -1; + } + + *answer = router_dump_exit_policy_to_string(me,include_ipv4,include_ipv6); } return 0; } diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 500efaf20..abd78da73 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -82,7 +82,7 @@ typedef struct rend_service_port_config_t { #define MAX_INTRO_CIRCS_PER_PERIOD 10 /** How many times will a hidden service operator attempt to connect to * a requested rendezvous point before giving up? */ -#define MAX_REND_FAILURES 30 +#define MAX_REND_FAILURES 8 /** How many seconds should we spend trying to connect to a requested * rendezvous point before giving up? */ #define MAX_REND_TIMEOUT 30 diff --git a/src/or/rephist.c b/src/or/rephist.c index 87f930a28..70be39e23 100644 --- a/src/or/rephist.c +++ b/src/or/rephist.c @@ -2995,8 +2995,8 @@ rep_hist_conn_stats_write(time_t now) * handshake we've received, and how many we've assigned to cpuworkers. * Useful for seeing trends in cpu load. * @{ */ -static int onion_handshakes_requested[MAX_ONION_HANDSHAKE_TYPE+1] = {0}; -static int onion_handshakes_assigned[MAX_ONION_HANDSHAKE_TYPE+1] = {0}; +STATIC int onion_handshakes_requested[MAX_ONION_HANDSHAKE_TYPE+1] = {0}; +STATIC int onion_handshakes_assigned[MAX_ONION_HANDSHAKE_TYPE+1] = {0}; /**@}*/ /** A new onionskin (using the <b>type</b> handshake) has arrived. */ diff --git a/src/or/router.c b/src/or/router.c index 1f5df4b89..86cefc9a6 100644..100755 --- a/src/or/router.c +++ b/src/or/router.c @@ -1348,8 +1348,8 @@ authdir_mode_bridge(const or_options_t *options) /** Return true iff we are trying to be a server. */ -int -server_mode(const or_options_t *options) +MOCK_IMPL(int, +server_mode,(const or_options_t *options)) { if (options->ClientOnly) return 0; /* XXXX024 I believe we can kill off ORListenAddress here.*/ @@ -1358,8 +1358,8 @@ server_mode(const or_options_t *options) /** Return true iff we are trying to be a non-bridge server. */ -int -public_server_mode(const or_options_t *options) +MOCK_IMPL(int, +public_server_mode,(const or_options_t *options)) { if (!server_mode(options)) return 0; return (!options->BridgeRelay); @@ -1689,8 +1689,8 @@ router_is_me(const routerinfo_t *router) /** Return a routerinfo for this OR, rebuilding a fresh one if * necessary. Return NULL on error, or if called on an OP. */ -const routerinfo_t * -router_get_my_routerinfo(void) +MOCK_IMPL(const routerinfo_t *, +router_get_my_routerinfo,(void)) { if (!server_mode(get_options())) return NULL; @@ -2398,20 +2398,13 @@ router_dump_router_to_string(routerinfo_t *router, if (!router->exit_policy || !smartlist_len(router->exit_policy)) { smartlist_add(chunks, tor_strdup("reject *:*\n")); } else if (router->exit_policy) { - int i; - for (i = 0; i < smartlist_len(router->exit_policy); ++i) { - char pbuf[POLICY_BUF_LEN]; - addr_policy_t *tmpe = smartlist_get(router->exit_policy, i); - int result; - if (tor_addr_family(&tmpe->addr) == AF_INET6) - continue; /* Don't include IPv6 parts of address policy */ - result = policy_write_item(pbuf, POLICY_BUF_LEN, tmpe, 1); - if (result < 0) { - log_warn(LD_BUG,"descriptor policy_write_item ran out of room!"); - goto err; - } - smartlist_add_asprintf(chunks, "%s\n", pbuf); - } + char *exit_policy = router_dump_exit_policy_to_string(router,1,0); + + if (!exit_policy) + goto err; + + smartlist_add_asprintf(chunks, "%s\n", exit_policy); + tor_free(exit_policy); } if (router->ipv6_exit_policy) { @@ -2479,6 +2472,56 @@ router_dump_router_to_string(routerinfo_t *router, return output; } +/** + * OR only: Given <b>router</b>, produce a string with its exit policy. + * If <b>include_ipv4</b> is true, include IPv4 entries. + * If <b>include_ipv6</b> is true, include IPv6 entries. + */ +char * +router_dump_exit_policy_to_string(const routerinfo_t *router, + int include_ipv4, + int include_ipv6) +{ + smartlist_t *exit_policy_strings; + char *policy_string = NULL; + + if ((!router->exit_policy) || (router->policy_is_reject_star)) { + return tor_strdup("reject *:*"); + } + + exit_policy_strings = smartlist_new(); + + SMARTLIST_FOREACH_BEGIN(router->exit_policy, addr_policy_t *, tmpe) { + char *pbuf; + int bytes_written_to_pbuf; + if ((tor_addr_family(&tmpe->addr) == AF_INET6) && (!include_ipv6)) { + continue; /* Don't include IPv6 parts of address policy */ + } + if ((tor_addr_family(&tmpe->addr) == AF_INET) && (!include_ipv4)) { + continue; /* Don't include IPv4 parts of address policy */ + } + + pbuf = tor_malloc(POLICY_BUF_LEN); + bytes_written_to_pbuf = policy_write_item(pbuf,POLICY_BUF_LEN, tmpe, 1); + + if (bytes_written_to_pbuf < 0) { + log_warn(LD_BUG, "router_dump_exit_policy_to_string ran out of room!"); + tor_free(pbuf); + goto done; + } + + smartlist_add(exit_policy_strings,pbuf); + } SMARTLIST_FOREACH_END(tmpe); + + policy_string = smartlist_join_strings(exit_policy_strings, "\n", 0, NULL); + + done: + SMARTLIST_FOREACH(exit_policy_strings, char *, str, tor_free(str)); + smartlist_free(exit_policy_strings); + + return policy_string; +} + /** Copy the primary (IPv4) OR port (IP address and TCP port) for * <b>router</b> into *<b>ap_out</b>. */ void diff --git a/src/or/router.h b/src/or/router.h index bf6cdbea3..d18ff065e 100644 --- a/src/or/router.h +++ b/src/or/router.h @@ -66,8 +66,8 @@ uint16_t router_get_advertised_or_port_by_af(const or_options_t *options, uint16_t router_get_advertised_dir_port(const or_options_t *options, uint16_t dirport); -int server_mode(const or_options_t *options); -int public_server_mode(const or_options_t *options); +MOCK_DECL(int, server_mode, (const or_options_t *options)); +MOCK_DECL(int, public_server_mode, (const or_options_t *options)); int advertised_server_mode(void); int proxy_mode(const or_options_t *options); void consider_publishable_server(int force); @@ -82,7 +82,7 @@ void router_new_address_suggestion(const char *suggestion, const dir_connection_t *d_conn); int router_compare_to_my_exit_policy(const tor_addr_t *addr, uint16_t port); int router_my_exit_policy_is_reject_star(void); -const routerinfo_t *router_get_my_routerinfo(void); +MOCK_DECL(const routerinfo_t *, router_get_my_routerinfo, (void)); extrainfo_t *router_get_my_extrainfo(void); const char *router_get_my_descriptor(void); const char *router_get_descriptor_gen_reason(void); @@ -94,6 +94,9 @@ int router_pick_published_address(const or_options_t *options, uint32_t *addr); int router_rebuild_descriptor(int force); char *router_dump_router_to_string(routerinfo_t *router, crypto_pk_t *ident_key); +char *router_dump_exit_policy_to_string(const routerinfo_t *router, + int include_ipv4, + int include_ipv6); void router_get_prim_orport(const routerinfo_t *router, tor_addr_port_t *addr_port_out); void router_get_pref_orport(const routerinfo_t *router, diff --git a/src/or/routerlist.c b/src/or/routerlist.c index f1bd12c19..c15274e99 100644 --- a/src/or/routerlist.c +++ b/src/or/routerlist.c @@ -98,7 +98,8 @@ static smartlist_t *trusted_dir_servers = NULL; * and all fallback directory servers. */ static smartlist_t *fallback_dir_servers = NULL; -/** List of for a given authority, and download status for latest certificate. +/** List of certificates for a single authority, and download status for + * latest certificate. */ struct cert_list_t { /* @@ -621,6 +622,37 @@ authority_cert_dl_failed(const char *id_digest, } } +static const char *BAD_SIGNING_KEYS[] = { + "09CD84F751FD6E955E0F8ADB497D5401470D697E", // Expires 2015-01-11 16:26:31 + "0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26 + "57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09 + "87326329007AF781F587AF5B594E540B2B6C7630", // Expires 2014-07-17 11:10:09 + "98CC82342DE8D298CF99D3F1A396475901E0D38E", // Expires 2014-11-10 13:18:56 + "9904B52336713A5ADCB13E4FB14DC919E0D45571", // Expires 2014-04-20 20:01:01 + "9DCD8E3F1DD1597E2AD476BBA28A1A89F3095227", // Expires 2015-01-16 03:52:30 + "A61682F34B9BB9694AC98491FE1ABBFE61923941", // Expires 2014-06-11 09:25:09 + "B59F6E99C575113650C99F1C425BA7B20A8C071D", // Expires 2014-07-31 13:22:10 + "D27178388FA75B96D37FA36E0B015227DDDBDA51", // Expires 2014-08-04 04:01:57 + NULL, +}; + +/** DOCDOC */ +int +authority_cert_is_blacklisted(const authority_cert_t *cert) +{ + char hex_digest[HEX_DIGEST_LEN+1]; + int i; + base16_encode(hex_digest, sizeof(hex_digest), + cert->signing_key_digest, sizeof(cert->signing_key_digest)); + + for (i = 0; BAD_SIGNING_KEYS[i]; ++i) { + if (!strcasecmp(hex_digest, BAD_SIGNING_KEYS[i])) { + return 1; + } + } + return 0; +} + /** Return true iff when we've been getting enough failures when trying to * download the certificate with ID digest <b>id_digest</b> that we're willing * to start bugging the user about it. */ diff --git a/src/or/routerlist.h b/src/or/routerlist.h index cfa868386..6e2f2eaea 100644 --- a/src/or/routerlist.h +++ b/src/or/routerlist.h @@ -43,6 +43,7 @@ int router_reload_router_list(void); int authority_cert_dl_looks_uncertain(const char *id_digest); const smartlist_t *router_get_trusted_dir_servers(void); const smartlist_t *router_get_fallback_dir_servers(void); +int authority_cert_is_blacklisted(const authority_cert_t *cert); const routerstatus_t *router_pick_directory_server(dirinfo_type_t type, int flags); diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 7bf9a4d8e..14f800e7b 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -2687,6 +2687,14 @@ networkstatus_parse_vote_from_string(const char *s, const char **eos_out, log_warn(LD_DIR,"Mismatch between identities in certificate and vote"); goto err; } + if (ns->type != NS_TYPE_CONSENSUS) { + if (authority_cert_is_blacklisted(ns->cert)) { + log_warn(LD_DIR, "Rejecting vote signature made with blacklisted " + "signing key %s", + hex_str(ns->cert->signing_key_digest, DIGEST_LEN)); + goto err; + } + } voter->address = tor_strdup(tok->args[2]); if (!tor_inet_aton(tok->args[3], &in)) { log_warn(LD_DIR, "Error decoding IP address %s in network-status.", diff --git a/src/or/statefile.c b/src/or/statefile.c index 2251f25e9..da3134171 100644 --- a/src/or/statefile.c +++ b/src/or/statefile.c @@ -13,6 +13,7 @@ #include "hibernate.h" #include "rephist.h" #include "router.h" +#include "sandbox.h" #include "statefile.h" /** A list of state-file "abbreviations," for compatibility. */ @@ -285,7 +286,7 @@ or_state_save_broken(char *fname) log_warn(LD_BUG, "Unable to parse state in \"%s\". Moving it aside " "to \"%s\". This could be a bug in Tor; please tell " "the developers.", fname, fname2); - if (rename(fname, fname2) < 0) { + if (tor_rename(fname, fname2) < 0) {//XXXX sandbox prohibits log_warn(LD_BUG, "Weirdly, I couldn't even move the state aside. The " "OS gave an error of %s", strerror(errno)); } diff --git a/src/or/status.c b/src/or/status.c index e1820c888..7e2afbce8 100644 --- a/src/or/status.c +++ b/src/or/status.c @@ -6,6 +6,8 @@ * \brief Keep status information and log the heartbeat messages. **/ +#define STATUS_PRIVATE + #include "or.h" #include "config.h" #include "status.h" @@ -22,7 +24,7 @@ static void log_accounting(const time_t now, const or_options_t *options); /** Return the total number of circuits. */ -static int +STATIC int count_circuits(void) { circuit_t *circ; @@ -36,7 +38,7 @@ count_circuits(void) /** Take seconds <b>secs</b> and return a newly allocated human-readable * uptime string */ -static char * +STATIC char * secs_to_uptime(long secs) { long int days = secs / 86400; @@ -63,7 +65,7 @@ secs_to_uptime(long secs) /** Take <b>bytes</b> and returns a newly allocated human-readable usage * string. */ -static char * +STATIC char * bytes_to_usage(uint64_t bytes) { char *bw_string = NULL; diff --git a/src/or/status.h b/src/or/status.h index 7c3b969c8..13458ea47 100644 --- a/src/or/status.h +++ b/src/or/status.h @@ -4,7 +4,15 @@ #ifndef TOR_STATUS_H #define TOR_STATUS_H +#include "testsupport.h" + int log_heartbeat(time_t now); +#ifdef STATUS_PRIVATE +STATIC int count_circuits(void); +STATIC char *secs_to_uptime(long secs); +STATIC char *bytes_to_usage(uint64_t bytes); +#endif + #endif diff --git a/src/test/include.am b/src/test/include.am index c59ebb2ad..fba439a61 100644 --- a/src/test/include.am +++ b/src/test/include.am @@ -43,6 +43,8 @@ src_test_test_SOURCES = \ src/test/test_config.c \ src/test/test_hs.c \ src/test/test_nodelist.c \ + src/test/test_policy.c \ + src/test/test_status.c \ src/ext/tinytest.c src_test_test_CFLAGS = $(AM_CFLAGS) $(TEST_CFLAGS) diff --git a/src/test/test.c b/src/test/test.c index 0e0fc6a4f..771725e23 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -598,343 +598,6 @@ test_circuit_timeout(void) return; } -/* Helper: assert that short_policy parses and writes back out as itself, - or as <b>expected</b> if that's provided. */ -static void -test_short_policy_parse(const char *input, - const char *expected) -{ - short_policy_t *short_policy = NULL; - char *out = NULL; - - if (expected == NULL) - expected = input; - - short_policy = parse_short_policy(input); - tt_assert(short_policy); - out = write_short_policy(short_policy); - tt_str_op(out, ==, expected); - - done: - tor_free(out); - short_policy_free(short_policy); -} - -/** Helper: Parse the exit policy string in <b>policy_str</b>, and make sure - * that policies_summarize() produces the string <b>expected_summary</b> from - * it. */ -static void -test_policy_summary_helper(const char *policy_str, - const char *expected_summary) -{ - config_line_t line; - smartlist_t *policy = smartlist_new(); - char *summary = NULL; - char *summary_after = NULL; - int r; - short_policy_t *short_policy = NULL; - - line.key = (char*)"foo"; - line.value = (char *)policy_str; - line.next = NULL; - - r = policies_parse_exit_policy(&line, &policy, 1, 0, 0, 1); - test_eq(r, 0); - summary = policy_summarize(policy, AF_INET); - - test_assert(summary != NULL); - test_streq(summary, expected_summary); - - short_policy = parse_short_policy(summary); - tt_assert(short_policy); - summary_after = write_short_policy(short_policy); - test_streq(summary, summary_after); - - done: - tor_free(summary_after); - tor_free(summary); - if (policy) - addr_policy_list_free(policy); - short_policy_free(short_policy); -} - -/** Run unit tests for generating summary lines of exit policies */ -static void -test_policies(void) -{ - int i; - smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL, - *policy4 = NULL, *policy5 = NULL, *policy6 = NULL, - *policy7 = NULL; - addr_policy_t *p; - tor_addr_t tar; - config_line_t line; - smartlist_t *sm = NULL; - char *policy_str = NULL; - short_policy_t *short_parsed = NULL; - - policy = smartlist_new(); - - p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",-1); - test_assert(p != NULL); - test_eq(ADDR_POLICY_REJECT, p->policy_type); - tor_addr_from_ipv4h(&tar, 0xc0a80000u); - test_eq(0, tor_addr_compare(&p->addr, &tar, CMP_EXACT)); - test_eq(16, p->maskbits); - test_eq(1, p->prt_min); - test_eq(65535, p->prt_max); - - smartlist_add(policy, p); - - tor_addr_from_ipv4h(&tar, 0x01020304u); - test_assert(ADDR_POLICY_ACCEPTED == - compare_tor_addr_to_addr_policy(&tar, 2, policy)); - tor_addr_make_unspec(&tar); - test_assert(ADDR_POLICY_PROBABLY_ACCEPTED == - compare_tor_addr_to_addr_policy(&tar, 2, policy)); - tor_addr_from_ipv4h(&tar, 0xc0a80102); - test_assert(ADDR_POLICY_REJECTED == - compare_tor_addr_to_addr_policy(&tar, 2, policy)); - - test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1, 1, 0, 1)); - test_assert(policy2); - - policy3 = smartlist_new(); - p = router_parse_addr_policy_item_from_string("reject *:*",-1); - test_assert(p != NULL); - smartlist_add(policy3, p); - p = router_parse_addr_policy_item_from_string("accept *:*",-1); - test_assert(p != NULL); - smartlist_add(policy3, p); - - policy4 = smartlist_new(); - p = router_parse_addr_policy_item_from_string("accept *:443",-1); - test_assert(p != NULL); - smartlist_add(policy4, p); - p = router_parse_addr_policy_item_from_string("accept *:443",-1); - test_assert(p != NULL); - smartlist_add(policy4, p); - - policy5 = smartlist_new(); - p = router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*",-1); - test_assert(p != NULL); - smartlist_add(policy5, p); - p = router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*",-1); - test_assert(p != NULL); - smartlist_add(policy5, p); - p = router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*",-1); - test_assert(p != NULL); - smartlist_add(policy5, p); - p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",-1); - test_assert(p != NULL); - smartlist_add(policy5, p); - p = router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*",-1); - test_assert(p != NULL); - smartlist_add(policy5, p); - p = router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*",-1); - test_assert(p != NULL); - smartlist_add(policy5, p); - p = router_parse_addr_policy_item_from_string("reject 80.190.250.90:*",-1); - test_assert(p != NULL); - smartlist_add(policy5, p); - p = router_parse_addr_policy_item_from_string("reject *:1-65534",-1); - test_assert(p != NULL); - smartlist_add(policy5, p); - p = router_parse_addr_policy_item_from_string("reject *:65535",-1); - test_assert(p != NULL); - smartlist_add(policy5, p); - p = router_parse_addr_policy_item_from_string("accept *:1-65535",-1); - test_assert(p != NULL); - smartlist_add(policy5, p); - - policy6 = smartlist_new(); - p = router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*",-1); - test_assert(p != NULL); - smartlist_add(policy6, p); - - policy7 = smartlist_new(); - p = router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*",-1); - test_assert(p != NULL); - smartlist_add(policy7, p); - - test_assert(!exit_policy_is_general_exit(policy)); - test_assert(exit_policy_is_general_exit(policy2)); - test_assert(!exit_policy_is_general_exit(NULL)); - test_assert(!exit_policy_is_general_exit(policy3)); - test_assert(!exit_policy_is_general_exit(policy4)); - test_assert(!exit_policy_is_general_exit(policy5)); - test_assert(!exit_policy_is_general_exit(policy6)); - test_assert(!exit_policy_is_general_exit(policy7)); - - test_assert(cmp_addr_policies(policy, policy2)); - test_assert(cmp_addr_policies(policy, NULL)); - test_assert(!cmp_addr_policies(policy2, policy2)); - test_assert(!cmp_addr_policies(NULL, NULL)); - - test_assert(!policy_is_reject_star(policy2, AF_INET)); - test_assert(policy_is_reject_star(policy, AF_INET)); - test_assert(policy_is_reject_star(NULL, AF_INET)); - - addr_policy_list_free(policy); - policy = NULL; - - /* make sure compacting logic works. */ - policy = NULL; - line.key = (char*)"foo"; - line.value = (char*)"accept *:80,reject private:*,reject *:*"; - line.next = NULL; - test_assert(0 == policies_parse_exit_policy(&line, &policy, 1, 0, 0, 1)); - test_assert(policy); - //test_streq(policy->string, "accept *:80"); - //test_streq(policy->next->string, "reject *:*"); - test_eq(smartlist_len(policy), 4); - - /* test policy summaries */ - /* check if we properly ignore private IP addresses */ - test_policy_summary_helper("reject 192.168.0.0/16:*," - "reject 0.0.0.0/8:*," - "reject 10.0.0.0/8:*," - "accept *:10-30," - "accept *:90," - "reject *:*", - "accept 10-30,90"); - /* check all accept policies, and proper counting of rejects */ - test_policy_summary_helper("reject 11.0.0.0/9:80," - "reject 12.0.0.0/9:80," - "reject 13.0.0.0/9:80," - "reject 14.0.0.0/9:80," - "accept *:*", "accept 1-65535"); - test_policy_summary_helper("reject 11.0.0.0/9:80," - "reject 12.0.0.0/9:80," - "reject 13.0.0.0/9:80," - "reject 14.0.0.0/9:80," - "reject 15.0.0.0:81," - "accept *:*", "accept 1-65535"); - test_policy_summary_helper("reject 11.0.0.0/9:80," - "reject 12.0.0.0/9:80," - "reject 13.0.0.0/9:80," - "reject 14.0.0.0/9:80," - "reject 15.0.0.0:80," - "accept *:*", - "reject 80"); - /* no exits */ - test_policy_summary_helper("accept 11.0.0.0/9:80," - "reject *:*", - "reject 1-65535"); - /* port merging */ - test_policy_summary_helper("accept *:80," - "accept *:81," - "accept *:100-110," - "accept *:111," - "reject *:*", - "accept 80-81,100-111"); - /* border ports */ - test_policy_summary_helper("accept *:1," - "accept *:3," - "accept *:65535," - "reject *:*", - "accept 1,3,65535"); - /* holes */ - test_policy_summary_helper("accept *:1," - "accept *:3," - "accept *:5," - "accept *:7," - "reject *:*", - "accept 1,3,5,7"); - test_policy_summary_helper("reject *:1," - "reject *:3," - "reject *:5," - "reject *:7," - "accept *:*", - "reject 1,3,5,7"); - - /* Short policies with unrecognized formats should get accepted. */ - test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5"); - test_short_policy_parse("accept 2,fred,3", "accept 2,3"); - test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3"); - test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600"); - /* Short policies with nil entries are accepted too. */ - test_short_policy_parse("accept 1,,3", "accept 1,3"); - test_short_policy_parse("accept 100-200,,", "accept 100-200"); - test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40"); - - /* Try parsing various broken short policies */ -#define TT_BAD_SHORT_POLICY(s) \ - do { \ - tt_ptr_op(NULL, ==, (short_parsed = parse_short_policy((s)))); \ - } while (0) - TT_BAD_SHORT_POLICY("accept 200-199"); - TT_BAD_SHORT_POLICY(""); - TT_BAD_SHORT_POLICY("rejekt 1,2,3"); - TT_BAD_SHORT_POLICY("reject "); - TT_BAD_SHORT_POLICY("reject"); - TT_BAD_SHORT_POLICY("rej"); - TT_BAD_SHORT_POLICY("accept 2,3,100000"); - TT_BAD_SHORT_POLICY("accept 2,3x,4"); - TT_BAD_SHORT_POLICY("accept 2,3x,4"); - TT_BAD_SHORT_POLICY("accept 2-"); - TT_BAD_SHORT_POLICY("accept 2-x"); - TT_BAD_SHORT_POLICY("accept 1-,3"); - TT_BAD_SHORT_POLICY("accept 1-,3"); - - /* Test a too-long policy. */ - { - int i; - char *policy = NULL; - smartlist_t *chunks = smartlist_new(); - smartlist_add(chunks, tor_strdup("accept ")); - for (i=1; i<10000; ++i) - smartlist_add_asprintf(chunks, "%d,", i); - smartlist_add(chunks, tor_strdup("20000")); - policy = smartlist_join_strings(chunks, "", 0, NULL); - SMARTLIST_FOREACH(chunks, char *, ch, tor_free(ch)); - smartlist_free(chunks); - short_parsed = parse_short_policy(policy);/* shouldn't be accepted */ - tor_free(policy); - tt_ptr_op(NULL, ==, short_parsed); - } - - /* truncation ports */ - sm = smartlist_new(); - for (i=1; i<2000; i+=2) { - char buf[POLICY_BUF_LEN]; - tor_snprintf(buf, sizeof(buf), "reject *:%d", i); - smartlist_add(sm, tor_strdup(buf)); - } - smartlist_add(sm, tor_strdup("accept *:*")); - policy_str = smartlist_join_strings(sm, ",", 0, NULL); - test_policy_summary_helper( policy_str, - "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44," - "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90," - "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128," - "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164," - "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200," - "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236," - "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272," - "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308," - "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344," - "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380," - "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416," - "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452," - "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488," - "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522"); - - done: - addr_policy_list_free(policy); - addr_policy_list_free(policy2); - addr_policy_list_free(policy3); - addr_policy_list_free(policy4); - addr_policy_list_free(policy5); - addr_policy_list_free(policy6); - addr_policy_list_free(policy7); - tor_free(policy_str); - if (sm) { - SMARTLIST_FOREACH(sm, char *, s, tor_free(s)); - smartlist_free(sm); - } - short_policy_free(short_parsed); -} - /** Test encoding and parsing of rendezvous service descriptors. */ static void test_rend_fns(void) @@ -1603,7 +1266,6 @@ static struct testcase_t test_array[] = { { "ntor_handshake", test_ntor_handshake, 0, NULL, NULL }, #endif ENT(circuit_timeout), - ENT(policies), ENT(rend_fns), ENT(geoip), FORK(geoip_with_pt), @@ -1633,11 +1295,12 @@ extern struct testcase_t socks_tests[]; extern struct testcase_t extorport_tests[]; extern struct testcase_t controller_event_tests[]; extern struct testcase_t logging_tests[]; -extern struct testcase_t backtrace_tests[]; extern struct testcase_t hs_tests[]; extern struct testcase_t nodelist_tests[]; extern struct testcase_t routerkeys_tests[]; extern struct testcase_t oom_tests[]; +extern struct testcase_t policy_tests[]; +extern struct testcase_t status_tests[]; static struct testgroup_t testgroups[] = { { "", test_array }, @@ -1666,6 +1329,8 @@ static struct testgroup_t testgroups[] = { { "nodelist/", nodelist_tests }, { "routerkeys/", routerkeys_tests }, { "oom/", oom_tests }, + { "policy/" , policy_tests }, + { "status/" , status_tests }, END_OF_GROUPS }; diff --git a/src/test/test.h b/src/test/test.h index ba82f52ad..0ccf6c718 100644 --- a/src/test/test.h +++ b/src/test/test.h @@ -65,5 +65,97 @@ crypto_pk_t *pk_generate(int idx); void legacy_test_helper(void *data); extern const struct testcase_setup_t legacy_setup; +#define US2_CONCAT_2__(a, b) a ## __ ## b +#define US_CONCAT_2__(a, b) a ## _ ## b +#define US_CONCAT_3__(a, b, c) a ## _ ## b ## _ ## c +#define US_CONCAT_2_(a, b) US_CONCAT_2__(a, b) +#define US_CONCAT_3_(a, b, c) US_CONCAT_3__(a, b, c) + +/* + * These macros are helpful for streamlining the authorship of several test + * cases that use mocks. + * + * The pattern is as follows. + * * Declare a top level namespace: + * #define NS_MODULE foo + * + * * For each test case you want to write, create a new submodule in the + * namespace. All mocks and other information should belong to a single + * submodule to avoid interference with other test cases. + * You can simply name the submodule after the function in the module you + * are testing: + * #define NS_SUBMODULE some_function + * or, if you're wanting to write several tests against the same function, + * ie., you are testing an aspect of that function, you can use: + * #define NS_SUBMODULE ASPECT(some_function, behavior) + * + * * Declare all the mocks you will use. The NS_DECL macro serves to declare + * the mock in the current namespace (defined by NS_MODULE and NS_SUBMODULE). + * It behaves like MOCK_DECL: + * NS_DECL(int, dependent_function, (void *)); + * Here, dependent_function must be declared and implemented with the + * MOCK_DECL and MOCK_IMPL macros. The NS_DECL macro also defines an integer + * global for use for tracking how many times a mock was called, and can be + * accessed by CALLED(mock_name). For example, you might put + * CALLED(dependent_function)++; + * in your mock body. + * + * * Define a function called NS(main) that will contain the body of the + * test case. The NS macro can be used to reference a name in the current + * namespace. + * + * * In NS(main), indicate that a mock function in the current namespace, + * declared with NS_DECL is to override that in the global namespace, + * with the NS_MOCK macro: + * NS_MOCK(dependent_function) + * Unmock with: + * NS_UNMOCK(dependent_function) + * + * * Define the mocks with the NS macro, eg., + * int + * NS(dependent_function)(void *) + * { + * CALLED(dependent_function)++; + * } + * + * * In the struct testcase_t array, you can use the TEST_CASE and + * TEST_CASE_ASPECT macros to define the cases without having to do so + * explicitly nor without having to reset NS_SUBMODULE, eg., + * struct testcase_t foo_tests[] = { + * TEST_CASE_ASPECT(some_function, behavior), + * ... + * END_OF_TESTCASES + * which will define a test case named "some_function__behavior". + */ + +#define NAME_TEST_(name) #name +#define NAME_TEST(name) NAME_TEST_(name) +#define ASPECT(test_module, test_name) US2_CONCAT_2__(test_module, test_name) +#define TEST_CASE(function) \ + { \ + NAME_TEST(function), \ + NS_FULL(NS_MODULE, function, test_main), \ + TT_FORK, \ + NULL, \ + NULL, \ + } +#define TEST_CASE_ASPECT(function, aspect) \ + { \ + NAME_TEST(ASPECT(function, aspect)), \ + NS_FULL(NS_MODULE, ASPECT(function, aspect), test_main), \ + TT_FORK, \ + NULL, \ + NULL, \ + } + +#define NS(name) US_CONCAT_3_(NS_MODULE, NS_SUBMODULE, name) +#define NS_FULL(module, submodule, name) US_CONCAT_3_(module, submodule, name) + +#define CALLED(mock_name) US_CONCAT_2_(NS(mock_name), called) +#define NS_DECL(retval, mock_fn, args) \ + static retval NS(mock_fn) args; int CALLED(mock_fn) = 0 +#define NS_MOCK(name) MOCK(name, NS(name)) +#define NS_UNMOCK(name) UNMOCK(name) + #endif diff --git a/src/test/test_circuitlist.c b/src/test/test_circuitlist.c index 54c0c03ca..ad8d0ac3a 100644 --- a/src/test/test_circuitlist.c +++ b/src/test/test_circuitlist.c @@ -177,7 +177,10 @@ test_rend_token_maps(void *arg) c3 = or_circuit_new(0, NULL); c4 = or_circuit_new(0, NULL); - tt_int_op(strlen((char*)tok1), ==, REND_TOKEN_LEN); + /* Make sure we really filled up the tok* variables */ + tt_int_op(tok1[REND_TOKEN_LEN-1], ==, 'y'); + tt_int_op(tok2[REND_TOKEN_LEN-1], ==, ' '); + tt_int_op(tok3[REND_TOKEN_LEN-1], ==, '.'); /* No maps; nothing there. */ tt_ptr_op(NULL, ==, circuit_get_rendezvous(tok1)); @@ -244,10 +247,14 @@ test_rend_token_maps(void *arg) tt_ptr_op(NULL, ==, circuit_get_intro_point(tok3)); done: - circuit_free(TO_CIRCUIT(c1)); - circuit_free(TO_CIRCUIT(c2)); - circuit_free(TO_CIRCUIT(c3)); - circuit_free(TO_CIRCUIT(c4)); + if (c1) + circuit_free(TO_CIRCUIT(c1)); + if (c2) + circuit_free(TO_CIRCUIT(c2)); + if (c3) + circuit_free(TO_CIRCUIT(c3)); + if (c4) + circuit_free(TO_CIRCUIT(c4)); } struct testcase_t circuitlist_tests[] = { diff --git a/src/test/test_config.c b/src/test/test_config.c index 3a1e6cb78..dbb50798b 100644 --- a/src/test/test_config.c +++ b/src/test/test_config.c @@ -421,6 +421,23 @@ test_config_parse_bridge_line(void *arg) smartlist_free(sl_tmp); } + { + smartlist_t *sl_tmp = smartlist_new(); + smartlist_add_asprintf(sl_tmp, "dub=come"); + smartlist_add_asprintf(sl_tmp, "save=me"); + + good_bridge_line_test("transport 192.0.2.1:12 " + "4352e58420e68f5e40bf7c74faddccd9d1349666 " + "dub=come save=me", + + "192.0.2.1:12", + "4352e58420e68f5e40bf7c74faddccd9d1349666", + "transport", sl_tmp); + + SMARTLIST_FOREACH(sl_tmp, char *, s, tor_free(s)); + smartlist_free(sl_tmp); + } + good_bridge_line_test("192.0.2.1:1231 " "4352e58420e68f5e40bf7c74faddccd9d1349413", "192.0.2.1:1231", diff --git a/src/test/test_extorport.c b/src/test/test_extorport.c index b34f5e38d..f91ac7415 100644 --- a/src/test/test_extorport.c +++ b/src/test/test_extorport.c @@ -364,7 +364,7 @@ test_ext_or_cookie_auth_testvec(void *arg) static void ignore_bootstrap_problem(const char *warn, int reason, - const or_connection_t *conn) + or_connection_t *conn) { (void)warn; (void)reason; diff --git a/src/test/test_policy.c b/src/test/test_policy.c new file mode 100644 index 000000000..d2ba1612d --- /dev/null +++ b/src/test/test_policy.c @@ -0,0 +1,432 @@ +/* Copyright (c) 2013, The Tor Project, Inc. */ +/* See LICENSE for licensing information */ + +#include "or.h" +#include "router.h" +#include "routerparse.h" +#include "policies.h" +#include "test.h" + +/* Helper: assert that short_policy parses and writes back out as itself, + or as <b>expected</b> if that's provided. */ +static void +test_short_policy_parse(const char *input, + const char *expected) +{ + short_policy_t *short_policy = NULL; + char *out = NULL; + + if (expected == NULL) + expected = input; + + short_policy = parse_short_policy(input); + tt_assert(short_policy); + out = write_short_policy(short_policy); + tt_str_op(out, ==, expected); + + done: + tor_free(out); + short_policy_free(short_policy); +} + +/** Helper: Parse the exit policy string in <b>policy_str</b>, and make sure + * that policies_summarize() produces the string <b>expected_summary</b> from + * it. */ +static void +test_policy_summary_helper(const char *policy_str, + const char *expected_summary) +{ + config_line_t line; + smartlist_t *policy = smartlist_new(); + char *summary = NULL; + char *summary_after = NULL; + int r; + short_policy_t *short_policy = NULL; + + line.key = (char*)"foo"; + line.value = (char *)policy_str; + line.next = NULL; + + r = policies_parse_exit_policy(&line, &policy, 1, 0, 0, 1); + test_eq(r, 0); + summary = policy_summarize(policy, AF_INET); + + test_assert(summary != NULL); + test_streq(summary, expected_summary); + + short_policy = parse_short_policy(summary); + tt_assert(short_policy); + summary_after = write_short_policy(short_policy); + test_streq(summary, summary_after); + + done: + tor_free(summary_after); + tor_free(summary); + if (policy) + addr_policy_list_free(policy); + short_policy_free(short_policy); +} + +/** Run unit tests for generating summary lines of exit policies */ +static void +test_policies_general(void *arg) +{ + int i; + smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL, + *policy4 = NULL, *policy5 = NULL, *policy6 = NULL, + *policy7 = NULL; + addr_policy_t *p; + tor_addr_t tar; + config_line_t line; + smartlist_t *sm = NULL; + char *policy_str = NULL; + short_policy_t *short_parsed = NULL; + (void)arg; + + policy = smartlist_new(); + + p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",-1); + test_assert(p != NULL); + test_eq(ADDR_POLICY_REJECT, p->policy_type); + tor_addr_from_ipv4h(&tar, 0xc0a80000u); + test_eq(0, tor_addr_compare(&p->addr, &tar, CMP_EXACT)); + test_eq(16, p->maskbits); + test_eq(1, p->prt_min); + test_eq(65535, p->prt_max); + + smartlist_add(policy, p); + + tor_addr_from_ipv4h(&tar, 0x01020304u); + test_assert(ADDR_POLICY_ACCEPTED == + compare_tor_addr_to_addr_policy(&tar, 2, policy)); + tor_addr_make_unspec(&tar); + test_assert(ADDR_POLICY_PROBABLY_ACCEPTED == + compare_tor_addr_to_addr_policy(&tar, 2, policy)); + tor_addr_from_ipv4h(&tar, 0xc0a80102); + test_assert(ADDR_POLICY_REJECTED == + compare_tor_addr_to_addr_policy(&tar, 2, policy)); + + test_assert(0 == policies_parse_exit_policy(NULL, &policy2, 1, 1, 0, 1)); + test_assert(policy2); + + policy3 = smartlist_new(); + p = router_parse_addr_policy_item_from_string("reject *:*",-1); + test_assert(p != NULL); + smartlist_add(policy3, p); + p = router_parse_addr_policy_item_from_string("accept *:*",-1); + test_assert(p != NULL); + smartlist_add(policy3, p); + + policy4 = smartlist_new(); + p = router_parse_addr_policy_item_from_string("accept *:443",-1); + test_assert(p != NULL); + smartlist_add(policy4, p); + p = router_parse_addr_policy_item_from_string("accept *:443",-1); + test_assert(p != NULL); + smartlist_add(policy4, p); + + policy5 = smartlist_new(); + p = router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*",-1); + test_assert(p != NULL); + smartlist_add(policy5, p); + p = router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*",-1); + test_assert(p != NULL); + smartlist_add(policy5, p); + p = router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*",-1); + test_assert(p != NULL); + smartlist_add(policy5, p); + p = router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",-1); + test_assert(p != NULL); + smartlist_add(policy5, p); + p = router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*",-1); + test_assert(p != NULL); + smartlist_add(policy5, p); + p = router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*",-1); + test_assert(p != NULL); + smartlist_add(policy5, p); + p = router_parse_addr_policy_item_from_string("reject 80.190.250.90:*",-1); + test_assert(p != NULL); + smartlist_add(policy5, p); + p = router_parse_addr_policy_item_from_string("reject *:1-65534",-1); + test_assert(p != NULL); + smartlist_add(policy5, p); + p = router_parse_addr_policy_item_from_string("reject *:65535",-1); + test_assert(p != NULL); + smartlist_add(policy5, p); + p = router_parse_addr_policy_item_from_string("accept *:1-65535",-1); + test_assert(p != NULL); + smartlist_add(policy5, p); + + policy6 = smartlist_new(); + p = router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*",-1); + test_assert(p != NULL); + smartlist_add(policy6, p); + + policy7 = smartlist_new(); + p = router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*",-1); + test_assert(p != NULL); + smartlist_add(policy7, p); + + test_assert(!exit_policy_is_general_exit(policy)); + test_assert(exit_policy_is_general_exit(policy2)); + test_assert(!exit_policy_is_general_exit(NULL)); + test_assert(!exit_policy_is_general_exit(policy3)); + test_assert(!exit_policy_is_general_exit(policy4)); + test_assert(!exit_policy_is_general_exit(policy5)); + test_assert(!exit_policy_is_general_exit(policy6)); + test_assert(!exit_policy_is_general_exit(policy7)); + + test_assert(cmp_addr_policies(policy, policy2)); + test_assert(cmp_addr_policies(policy, NULL)); + test_assert(!cmp_addr_policies(policy2, policy2)); + test_assert(!cmp_addr_policies(NULL, NULL)); + + test_assert(!policy_is_reject_star(policy2, AF_INET)); + test_assert(policy_is_reject_star(policy, AF_INET)); + test_assert(policy_is_reject_star(NULL, AF_INET)); + + addr_policy_list_free(policy); + policy = NULL; + + /* make sure compacting logic works. */ + policy = NULL; + line.key = (char*)"foo"; + line.value = (char*)"accept *:80,reject private:*,reject *:*"; + line.next = NULL; + test_assert(0 == policies_parse_exit_policy(&line, &policy, 1, 0, 0, 1)); + test_assert(policy); + //test_streq(policy->string, "accept *:80"); + //test_streq(policy->next->string, "reject *:*"); + test_eq(smartlist_len(policy), 4); + + /* test policy summaries */ + /* check if we properly ignore private IP addresses */ + test_policy_summary_helper("reject 192.168.0.0/16:*," + "reject 0.0.0.0/8:*," + "reject 10.0.0.0/8:*," + "accept *:10-30," + "accept *:90," + "reject *:*", + "accept 10-30,90"); + /* check all accept policies, and proper counting of rejects */ + test_policy_summary_helper("reject 11.0.0.0/9:80," + "reject 12.0.0.0/9:80," + "reject 13.0.0.0/9:80," + "reject 14.0.0.0/9:80," + "accept *:*", "accept 1-65535"); + test_policy_summary_helper("reject 11.0.0.0/9:80," + "reject 12.0.0.0/9:80," + "reject 13.0.0.0/9:80," + "reject 14.0.0.0/9:80," + "reject 15.0.0.0:81," + "accept *:*", "accept 1-65535"); + test_policy_summary_helper("reject 11.0.0.0/9:80," + "reject 12.0.0.0/9:80," + "reject 13.0.0.0/9:80," + "reject 14.0.0.0/9:80," + "reject 15.0.0.0:80," + "accept *:*", + "reject 80"); + /* no exits */ + test_policy_summary_helper("accept 11.0.0.0/9:80," + "reject *:*", + "reject 1-65535"); + /* port merging */ + test_policy_summary_helper("accept *:80," + "accept *:81," + "accept *:100-110," + "accept *:111," + "reject *:*", + "accept 80-81,100-111"); + /* border ports */ + test_policy_summary_helper("accept *:1," + "accept *:3," + "accept *:65535," + "reject *:*", + "accept 1,3,65535"); + /* holes */ + test_policy_summary_helper("accept *:1," + "accept *:3," + "accept *:5," + "accept *:7," + "reject *:*", + "accept 1,3,5,7"); + test_policy_summary_helper("reject *:1," + "reject *:3," + "reject *:5," + "reject *:7," + "accept *:*", + "reject 1,3,5,7"); + + /* Short policies with unrecognized formats should get accepted. */ + test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5"); + test_short_policy_parse("accept 2,fred,3", "accept 2,3"); + test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3"); + test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600"); + /* Short policies with nil entries are accepted too. */ + test_short_policy_parse("accept 1,,3", "accept 1,3"); + test_short_policy_parse("accept 100-200,,", "accept 100-200"); + test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40"); + + /* Try parsing various broken short policies */ +#define TT_BAD_SHORT_POLICY(s) \ + do { \ + tt_ptr_op(NULL, ==, (short_parsed = parse_short_policy((s)))); \ + } while (0) + TT_BAD_SHORT_POLICY("accept 200-199"); + TT_BAD_SHORT_POLICY(""); + TT_BAD_SHORT_POLICY("rejekt 1,2,3"); + TT_BAD_SHORT_POLICY("reject "); + TT_BAD_SHORT_POLICY("reject"); + TT_BAD_SHORT_POLICY("rej"); + TT_BAD_SHORT_POLICY("accept 2,3,100000"); + TT_BAD_SHORT_POLICY("accept 2,3x,4"); + TT_BAD_SHORT_POLICY("accept 2,3x,4"); + TT_BAD_SHORT_POLICY("accept 2-"); + TT_BAD_SHORT_POLICY("accept 2-x"); + TT_BAD_SHORT_POLICY("accept 1-,3"); + TT_BAD_SHORT_POLICY("accept 1-,3"); + + /* Test a too-long policy. */ + { + int i; + char *policy = NULL; + smartlist_t *chunks = smartlist_new(); + smartlist_add(chunks, tor_strdup("accept ")); + for (i=1; i<10000; ++i) + smartlist_add_asprintf(chunks, "%d,", i); + smartlist_add(chunks, tor_strdup("20000")); + policy = smartlist_join_strings(chunks, "", 0, NULL); + SMARTLIST_FOREACH(chunks, char *, ch, tor_free(ch)); + smartlist_free(chunks); + short_parsed = parse_short_policy(policy);/* shouldn't be accepted */ + tor_free(policy); + tt_ptr_op(NULL, ==, short_parsed); + } + + /* truncation ports */ + sm = smartlist_new(); + for (i=1; i<2000; i+=2) { + char buf[POLICY_BUF_LEN]; + tor_snprintf(buf, sizeof(buf), "reject *:%d", i); + smartlist_add(sm, tor_strdup(buf)); + } + smartlist_add(sm, tor_strdup("accept *:*")); + policy_str = smartlist_join_strings(sm, ",", 0, NULL); + test_policy_summary_helper( policy_str, + "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44," + "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90," + "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128," + "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164," + "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200," + "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236," + "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272," + "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308," + "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344," + "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380," + "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416," + "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452," + "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488," + "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522"); + + done: + addr_policy_list_free(policy); + addr_policy_list_free(policy2); + addr_policy_list_free(policy3); + addr_policy_list_free(policy4); + addr_policy_list_free(policy5); + addr_policy_list_free(policy6); + addr_policy_list_free(policy7); + tor_free(policy_str); + if (sm) { + SMARTLIST_FOREACH(sm, char *, s, tor_free(s)); + smartlist_free(sm); + } + short_policy_free(short_parsed); +} + +static void +test_dump_exit_policy_to_string(void *arg) +{ + char *ep; + addr_policy_t *policy_entry; + + routerinfo_t *ri = tor_malloc_zero(sizeof(routerinfo_t)); + + (void)arg; + + ri->policy_is_reject_star = 1; + ri->exit_policy = NULL; // expecting "reject *:*" + ep = router_dump_exit_policy_to_string(ri,1,1); + + test_streq("reject *:*",ep); + + tor_free(ep); + + ri->exit_policy = smartlist_new(); + ri->policy_is_reject_star = 0; + + policy_entry = router_parse_addr_policy_item_from_string("accept *:*",-1); + + smartlist_add(ri->exit_policy,policy_entry); + + ep = router_dump_exit_policy_to_string(ri,1,1); + + test_streq("accept *:*",ep); + + tor_free(ep); + + policy_entry = router_parse_addr_policy_item_from_string("reject *:25",-1); + + smartlist_add(ri->exit_policy,policy_entry); + + ep = router_dump_exit_policy_to_string(ri,1,1); + + test_streq("accept *:*\nreject *:25",ep); + + tor_free(ep); + + policy_entry = + router_parse_addr_policy_item_from_string("reject 8.8.8.8:*",-1); + + smartlist_add(ri->exit_policy,policy_entry); + + ep = router_dump_exit_policy_to_string(ri,1,1); + + test_streq("accept *:*\nreject *:25\nreject 8.8.8.8:*",ep); + + policy_entry = + router_parse_addr_policy_item_from_string("reject6 [FC00::]/7:*",-1); + + smartlist_add(ri->exit_policy,policy_entry); + + ep = router_dump_exit_policy_to_string(ri,1,1); + + test_streq("accept *:*\nreject *:25\nreject 8.8.8.8:*\n" + "reject6 [fc00::]/7:*",ep); + + policy_entry = + router_parse_addr_policy_item_from_string("accept6 [c000::]/3:*",-1); + + smartlist_add(ri->exit_policy,policy_entry); + + ep = router_dump_exit_policy_to_string(ri,1,1); + + test_streq("accept *:*\nreject *:25\nreject 8.8.8.8:*\n" + "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*",ep); + + done: + + SMARTLIST_FOREACH(ri->exit_policy, addr_policy_t *, + entry, addr_policy_free(entry)); + tor_free(ri); + tor_free(ep); +} + +struct testcase_t policy_tests[] = { + { "router_dump_exit_policy_to_string", test_dump_exit_policy_to_string, 0, + NULL, NULL }, + { "general", test_policies_general, 0, NULL, NULL }, + END_OF_TESTCASES +}; + diff --git a/src/test/test_status.c b/src/test/test_status.c new file mode 100644 index 000000000..b704053d0 --- /dev/null +++ b/src/test/test_status.c @@ -0,0 +1,1109 @@ +#define STATUS_PRIVATE +#define HIBERNATE_PRIVATE +#define LOG_PRIVATE +#define REPHIST_PRIVATE + +#include <float.h> +#include <math.h> + +#include "or.h" +#include "torlog.h" +#include "tor_queue.h" +#include "status.h" +#include "circuitlist.h" +#include "config.h" +#include "hibernate.h" +#include "rephist.h" +#include "relay.h" +#include "router.h" +#include "main.h" +#include "nodelist.h" +#include "statefile.h" +#include "test.h" + +#define NS_MODULE status + +#define NS_SUBMODULE count_circuits + +/* + * Test that count_circuits() is correctly counting the number of + * global circuits. + */ + +struct global_circuitlist_s mock_global_circuitlist = + TOR_LIST_HEAD_INITIALIZER(global_circuitlist); + +NS_DECL(struct global_circuitlist_s *, circuit_get_global_list, (void)); + +static void +NS(test_main)(void *arg) +{ + /* Choose origin_circuit_t wlog. */ + origin_circuit_t *mock_circuit1, *mock_circuit2; + circuit_t *circ, *tmp; + int expected_circuits = 2, actual_circuits; + + (void)arg; + + mock_circuit1 = tor_malloc_zero(sizeof(origin_circuit_t)); + mock_circuit2 = tor_malloc_zero(sizeof(origin_circuit_t)); + TOR_LIST_INSERT_HEAD( + &mock_global_circuitlist, TO_CIRCUIT(mock_circuit1), head); + TOR_LIST_INSERT_HEAD( + &mock_global_circuitlist, TO_CIRCUIT(mock_circuit2), head); + + NS_MOCK(circuit_get_global_list); + + actual_circuits = count_circuits(); + + tt_assert(expected_circuits == actual_circuits); + + done: + TOR_LIST_FOREACH_SAFE( + circ, NS(circuit_get_global_list)(), head, tmp); + tor_free(circ); + NS_UNMOCK(circuit_get_global_list); +} + +static struct global_circuitlist_s * +NS(circuit_get_global_list)(void) +{ + return &mock_global_circuitlist; +} + +#undef NS_SUBMODULE +#define NS_SUBMODULE secs_to_uptime + +/* + * Test that secs_to_uptime() is converting the number of seconds that + * Tor is up for into the appropriate string form containing hours and minutes. + */ + +static void +NS(test_main)(void *arg) +{ + const char *expected; + char *actual; + (void)arg; + + expected = "0:00 hours"; + actual = secs_to_uptime(0); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "0:00 hours"; + actual = secs_to_uptime(1); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "0:01 hours"; + actual = secs_to_uptime(60); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "0:59 hours"; + actual = secs_to_uptime(60 * 59); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1:00 hours"; + actual = secs_to_uptime(60 * 60); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "23:59 hours"; + actual = secs_to_uptime(60 * 60 * 23 + 60 * 59); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1 day 0:00 hours"; + actual = secs_to_uptime(60 * 60 * 23 + 60 * 60); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1 day 0:00 hours"; + actual = secs_to_uptime(86400 + 1); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1 day 0:01 hours"; + actual = secs_to_uptime(86400 + 60); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "10 days 0:00 hours"; + actual = secs_to_uptime(86400 * 10); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "10 days 0:00 hours"; + actual = secs_to_uptime(864000 + 1); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "10 days 0:01 hours"; + actual = secs_to_uptime(864000 + 60); + tt_str_op(actual, ==, expected); + tor_free(actual); + + done: + if (actual != NULL) + tor_free(actual); +} + +#undef NS_SUBMODULE +#define NS_SUBMODULE bytes_to_usage + +/* + * Test that bytes_to_usage() is correctly converting the number of bytes that + * Tor has read/written into the appropriate string form containing kilobytes, + * megabytes, or gigabytes. + */ + +static void +NS(test_main)(void *arg) +{ + const char *expected; + char *actual; + (void)arg; + + expected = "0 kB"; + actual = bytes_to_usage(0); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "0 kB"; + actual = bytes_to_usage(1); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1 kB"; + actual = bytes_to_usage(1024); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1023 kB"; + actual = bytes_to_usage((1 << 20) - 1); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1.00 MB"; + actual = bytes_to_usage((1 << 20)); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1.00 MB"; + actual = bytes_to_usage((1 << 20) + 5242); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1.01 MB"; + actual = bytes_to_usage((1 << 20) + 5243); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1024.00 MB"; + actual = bytes_to_usage((1 << 30) - 1); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1.00 GB"; + actual = bytes_to_usage((1 << 30)); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1.00 GB"; + actual = bytes_to_usage((1 << 30) + 5368709); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "1.01 GB"; + actual = bytes_to_usage((1 << 30) + 5368710); + tt_str_op(actual, ==, expected); + tor_free(actual); + + expected = "10.00 GB"; + actual = bytes_to_usage((U64_LITERAL(1) << 30) * 10L); + tt_str_op(actual, ==, expected); + tor_free(actual); + + done: + if (actual != NULL) + tor_free(actual); +} + +#undef NS_SUBMODULE +#define NS_SUBMODULE ASPECT(log_heartbeat, fails) + +/* + * Tests that log_heartbeat() fails when in the public server mode, + * not hibernating, and we couldn't get the current routerinfo. + */ + +NS_DECL(double, tls_get_write_overhead_ratio, (void)); +NS_DECL(int, we_are_hibernating, (void)); +NS_DECL(const or_options_t *, get_options, (void)); +NS_DECL(int, public_server_mode, (const or_options_t *options)); +NS_DECL(const routerinfo_t *, router_get_my_routerinfo, (void)); + +static void +NS(test_main)(void *arg) +{ + int expected, actual; + (void)arg; + + NS_MOCK(tls_get_write_overhead_ratio); + NS_MOCK(we_are_hibernating); + NS_MOCK(get_options); + NS_MOCK(public_server_mode); + NS_MOCK(router_get_my_routerinfo); + + expected = -1; + actual = log_heartbeat(0); + + tt_int_op(actual, ==, expected); + + done: + NS_UNMOCK(tls_get_write_overhead_ratio); + NS_UNMOCK(we_are_hibernating); + NS_UNMOCK(get_options); + NS_UNMOCK(public_server_mode); + NS_UNMOCK(router_get_my_routerinfo); +} + +static double +NS(tls_get_write_overhead_ratio)(void) +{ + return 2.0; +} + +static int +NS(we_are_hibernating)(void) +{ + return 0; +} + +static const or_options_t * +NS(get_options)(void) +{ + return NULL; +} + +static int +NS(public_server_mode)(const or_options_t *options) +{ + (void)options; + + return 1; +} + +static const routerinfo_t * +NS(router_get_my_routerinfo)(void) +{ + return NULL; +} + +#undef NS_SUBMODULE +#define NS_SUBMODULE ASPECT(log_heartbeat, not_in_consensus) + +/* + * Tests that log_heartbeat() logs appropriately if we are not in the cached + * consensus. + */ + +NS_DECL(double, tls_get_write_overhead_ratio, (void)); +NS_DECL(int, we_are_hibernating, (void)); +NS_DECL(const or_options_t *, get_options, (void)); +NS_DECL(int, public_server_mode, (const or_options_t *options)); +NS_DECL(const routerinfo_t *, router_get_my_routerinfo, (void)); +NS_DECL(const node_t *, node_get_by_id, (const char *identity_digest)); +NS_DECL(void, logv, (int severity, log_domain_mask_t domain, + const char *funcname, const char *suffix, const char *format, va_list ap)); +NS_DECL(int, server_mode, (const or_options_t *options)); + +static routerinfo_t *mock_routerinfo; +extern int onion_handshakes_requested[MAX_ONION_HANDSHAKE_TYPE+1]; +extern int onion_handshakes_assigned[MAX_ONION_HANDSHAKE_TYPE+1]; + +static void +NS(test_main)(void *arg) +{ + int expected, actual; + (void)arg; + + NS_MOCK(tls_get_write_overhead_ratio); + NS_MOCK(we_are_hibernating); + NS_MOCK(get_options); + NS_MOCK(public_server_mode); + NS_MOCK(router_get_my_routerinfo); + NS_MOCK(node_get_by_id); + NS_MOCK(logv); + NS_MOCK(server_mode); + + log_global_min_severity_ = LOG_DEBUG; + onion_handshakes_requested[ONION_HANDSHAKE_TYPE_TAP] = 1; + onion_handshakes_assigned[ONION_HANDSHAKE_TYPE_TAP] = 1; + onion_handshakes_requested[ONION_HANDSHAKE_TYPE_NTOR] = 1; + onion_handshakes_assigned[ONION_HANDSHAKE_TYPE_NTOR] = 1; + + expected = 0; + actual = log_heartbeat(0); + + tt_int_op(actual, ==, expected); + tt_int_op(CALLED(logv), ==, 3); + + done: + NS_UNMOCK(tls_get_write_overhead_ratio); + NS_UNMOCK(we_are_hibernating); + NS_UNMOCK(get_options); + NS_UNMOCK(public_server_mode); + NS_UNMOCK(router_get_my_routerinfo); + NS_UNMOCK(node_get_by_id); + NS_UNMOCK(logv); + NS_UNMOCK(server_mode); + tor_free(mock_routerinfo); +} + +static double +NS(tls_get_write_overhead_ratio)(void) +{ + return 1.0; +} + +static int +NS(we_are_hibernating)(void) +{ + return 0; +} + +static const or_options_t * +NS(get_options)(void) +{ + return NULL; +} + +static int +NS(public_server_mode)(const or_options_t *options) +{ + (void)options; + + return 1; +} + +static const routerinfo_t * +NS(router_get_my_routerinfo)(void) +{ + mock_routerinfo = tor_malloc(sizeof(routerinfo_t)); + + return mock_routerinfo; +} + +static const node_t * +NS(node_get_by_id)(const char *identity_digest) +{ + (void)identity_digest; + + return NULL; +} + +static void +NS(logv)(int severity, log_domain_mask_t domain, + const char *funcname, const char *suffix, const char *format, va_list ap) +{ + switch (CALLED(logv)) + { + case 0: + tt_int_op(severity, ==, LOG_NOTICE); + tt_int_op(domain, ==, LD_HEARTBEAT); + tt_ptr_op(strstr(funcname, "log_heartbeat"), !=, NULL); + tt_ptr_op(suffix, ==, NULL); + tt_str_op(format, ==, + "Heartbeat: It seems like we are not in the cached consensus."); + break; + case 1: + tt_int_op(severity, ==, LOG_NOTICE); + tt_int_op(domain, ==, LD_HEARTBEAT); + tt_ptr_op(strstr(funcname, "log_heartbeat"), !=, NULL); + tt_ptr_op(suffix, ==, NULL); + tt_str_op(format, ==, + "Heartbeat: Tor's uptime is %s, with %d circuits open. " + "I've sent %s and received %s.%s"); + tt_str_op(va_arg(ap, char *), ==, "0:00 hours"); /* uptime */ + tt_int_op(va_arg(ap, int), ==, 0); /* count_circuits() */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* bw_sent */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* bw_rcvd */ + tt_str_op(va_arg(ap, char *), ==, ""); /* hibernating */ + break; + case 2: + tt_int_op(severity, ==, LOG_NOTICE); + tt_int_op(domain, ==, LD_HEARTBEAT); + tt_ptr_op( + strstr(funcname, "rep_hist_log_circuit_handshake_stats"), !=, NULL); + tt_ptr_op(suffix, ==, NULL); + tt_str_op(format, ==, + "Circuit handshake stats since last time: %d/%d TAP, %d/%d NTor."); + tt_int_op(va_arg(ap, int), ==, 1); /* handshakes assigned (TAP) */ + tt_int_op(va_arg(ap, int), ==, 1); /* handshakes requested (TAP) */ + tt_int_op(va_arg(ap, int), ==, 1); /* handshakes assigned (NTOR) */ + tt_int_op(va_arg(ap, int), ==, 1); /* handshakes requested (NTOR) */ + break; + default: + tt_abort_msg("unexpected call to logv()"); // TODO: prettyprint args + break; + } + + done: + CALLED(logv)++; +} + +static int +NS(server_mode)(const or_options_t *options) +{ + (void)options; + + return 0; +} + +#undef NS_SUBMODULE +#define NS_SUBMODULE ASPECT(log_heartbeat, simple) + +/* + * Tests that log_heartbeat() correctly logs heartbeat information + * normally. + */ + +NS_DECL(double, tls_get_write_overhead_ratio, (void)); +NS_DECL(int, we_are_hibernating, (void)); +NS_DECL(const or_options_t *, get_options, (void)); +NS_DECL(int, public_server_mode, (const or_options_t *options)); +NS_DECL(long, get_uptime, (void)); +NS_DECL(uint64_t, get_bytes_read, (void)); +NS_DECL(uint64_t, get_bytes_written, (void)); +NS_DECL(void, logv, (int severity, log_domain_mask_t domain, + const char *funcname, const char *suffix, const char *format, va_list ap)); +NS_DECL(int, server_mode, (const or_options_t *options)); + +static void +NS(test_main)(void *arg) +{ + int expected, actual; + (void)arg; + + NS_MOCK(tls_get_write_overhead_ratio); + NS_MOCK(we_are_hibernating); + NS_MOCK(get_options); + NS_MOCK(public_server_mode); + NS_MOCK(get_uptime); + NS_MOCK(get_bytes_read); + NS_MOCK(get_bytes_written); + NS_MOCK(logv); + NS_MOCK(server_mode); + + log_global_min_severity_ = LOG_DEBUG; + + expected = 0; + actual = log_heartbeat(0); + + tt_int_op(actual, ==, expected); + + done: + NS_UNMOCK(tls_get_write_overhead_ratio); + NS_UNMOCK(we_are_hibernating); + NS_UNMOCK(get_options); + NS_UNMOCK(public_server_mode); + NS_UNMOCK(get_uptime); + NS_UNMOCK(get_bytes_read); + NS_UNMOCK(get_bytes_written); + NS_UNMOCK(logv); + NS_UNMOCK(server_mode); +} + +static double +NS(tls_get_write_overhead_ratio)(void) +{ + return 1.0; +} + +static int +NS(we_are_hibernating)(void) +{ + return 1; +} + +static const or_options_t * +NS(get_options)(void) +{ + return NULL; +} + +static int +NS(public_server_mode)(const or_options_t *options) +{ + (void)options; + + return 0; +} + +static long +NS(get_uptime)(void) +{ + return 0; +} + +static uint64_t +NS(get_bytes_read)(void) +{ + return 0; +} + +static uint64_t +NS(get_bytes_written)(void) +{ + return 0; +} + +static void +NS(logv)(int severity, log_domain_mask_t domain, const char *funcname, + const char *suffix, const char *format, va_list ap) +{ + tt_int_op(severity, ==, LOG_NOTICE); + tt_int_op(domain, ==, LD_HEARTBEAT); + tt_ptr_op(strstr(funcname, "log_heartbeat"), !=, NULL); + tt_ptr_op(suffix, ==, NULL); + tt_str_op(format, ==, + "Heartbeat: Tor's uptime is %s, with %d circuits open. " + "I've sent %s and received %s.%s"); + tt_str_op(va_arg(ap, char *), ==, "0:00 hours"); /* uptime */ + tt_int_op(va_arg(ap, int), ==, 0); /* count_circuits() */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* bw_sent */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* bw_rcvd */ + tt_str_op(va_arg(ap, char *), ==, " We are currently hibernating."); + + done: + ; +} + +static int +NS(server_mode)(const or_options_t *options) +{ + (void)options; + + return 0; +} + +#undef NS_SUBMODULE +#define NS_SUBMODULE ASPECT(log_heartbeat, calls_log_accounting) + +/* + * Tests that log_heartbeat() correctly logs heartbeat information + * and accounting information when configured. + */ + +NS_DECL(double, tls_get_write_overhead_ratio, (void)); +NS_DECL(int, we_are_hibernating, (void)); +NS_DECL(const or_options_t *, get_options, (void)); +NS_DECL(int, public_server_mode, (const or_options_t *options)); +NS_DECL(long, get_uptime, (void)); +NS_DECL(uint64_t, get_bytes_read, (void)); +NS_DECL(uint64_t, get_bytes_written, (void)); +NS_DECL(void, logv, (int severity, log_domain_mask_t domain, + const char *funcname, const char *suffix, const char *format, va_list ap)); +NS_DECL(int, server_mode, (const or_options_t *options)); +NS_DECL(or_state_t *, get_or_state, (void)); +NS_DECL(int, accounting_is_enabled, (const or_options_t *options)); +NS_DECL(time_t, accounting_get_end_time, (void)); + +static void +NS(test_main)(void *arg) +{ + int expected, actual; + (void)arg; + + NS_MOCK(tls_get_write_overhead_ratio); + NS_MOCK(we_are_hibernating); + NS_MOCK(get_options); + NS_MOCK(public_server_mode); + NS_MOCK(get_uptime); + NS_MOCK(get_bytes_read); + NS_MOCK(get_bytes_written); + NS_MOCK(logv); + NS_MOCK(server_mode); + NS_MOCK(get_or_state); + NS_MOCK(accounting_is_enabled); + NS_MOCK(accounting_get_end_time); + + log_global_min_severity_ = LOG_DEBUG; + + expected = 0; + actual = log_heartbeat(0); + + tt_int_op(actual, ==, expected); + tt_int_op(CALLED(logv), ==, 2); + + done: + NS_UNMOCK(tls_get_write_overhead_ratio); + NS_UNMOCK(we_are_hibernating); + NS_UNMOCK(get_options); + NS_UNMOCK(public_server_mode); + NS_UNMOCK(get_uptime); + NS_UNMOCK(get_bytes_read); + NS_UNMOCK(get_bytes_written); + NS_UNMOCK(logv); + NS_UNMOCK(server_mode); + NS_UNMOCK(accounting_is_enabled); + NS_UNMOCK(accounting_get_end_time); +} + +static double +NS(tls_get_write_overhead_ratio)(void) +{ + return 1.0; +} + +static int +NS(we_are_hibernating)(void) +{ + return 0; +} + +static const or_options_t * +NS(get_options)(void) +{ + or_options_t *mock_options = tor_malloc_zero(sizeof(or_options_t)); + mock_options->AccountingMax = 0; + + return mock_options; +} + +static int +NS(public_server_mode)(const or_options_t *options) +{ + (void)options; + + return 0; +} + +static long +NS(get_uptime)(void) +{ + return 0; +} + +static uint64_t +NS(get_bytes_read)(void) +{ + return 0; +} + +static uint64_t +NS(get_bytes_written)(void) +{ + return 0; +} + +static void +NS(logv)(int severity, log_domain_mask_t domain, + const char *funcname, const char *suffix, const char *format, va_list ap) +{ + switch (CALLED(logv)) + { + case 0: + tt_int_op(severity, ==, LOG_NOTICE); + tt_int_op(domain, ==, LD_HEARTBEAT); + tt_ptr_op(strstr(funcname, "log_heartbeat"), !=, NULL); + tt_ptr_op(suffix, ==, NULL); + tt_str_op(format, ==, + "Heartbeat: Tor's uptime is %s, with %d circuits open. " + "I've sent %s and received %s.%s"); + tt_str_op(va_arg(ap, char *), ==, "0:00 hours"); /* uptime */ + tt_int_op(va_arg(ap, int), ==, 0); /* count_circuits() */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* bw_sent */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* bw_rcvd */ + tt_str_op(va_arg(ap, char *), ==, ""); /* hibernating */ + break; + case 1: + tt_int_op(severity, ==, LOG_NOTICE); + tt_int_op(domain, ==, LD_HEARTBEAT); + tt_ptr_op(strstr(funcname, "log_accounting"), !=, NULL); + tt_ptr_op(suffix, ==, NULL); + tt_str_op(format, ==, + "Heartbeat: Accounting enabled. Sent: %s / %s, Received: %s / %s. " + "The current accounting interval ends on %s, in %s."); + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* acc_sent */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* acc_max */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* acc_rcvd */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* acc_max */ + /* format_local_iso_time uses local tz, just check mins and secs. */ + tt_ptr_op(strstr(va_arg(ap, char *), ":01:00"), !=, NULL); /* end_buf */ + tt_str_op(va_arg(ap, char *), ==, "0:01 hours"); /* remaining */ + break; + default: + tt_abort_msg("unexpected call to logv()"); // TODO: prettyprint args + break; + } + + done: + CALLED(logv)++; +} + +static int +NS(server_mode)(const or_options_t *options) +{ + (void)options; + + return 1; +} + +static int +NS(accounting_is_enabled)(const or_options_t *options) +{ + (void)options; + + return 1; +} + +static time_t +NS(accounting_get_end_time)(void) +{ + return 60; +} + +static or_state_t * +NS(get_or_state)(void) +{ + or_state_t *mock_state = tor_malloc_zero(sizeof(or_state_t)); + mock_state->AccountingBytesReadInInterval = 0; + mock_state->AccountingBytesWrittenInInterval = 0; + + return mock_state; +} + +#undef NS_SUBMODULE +#define NS_SUBMODULE ASPECT(log_heartbeat, packaged_cell_fullness) + +/* + * Tests that log_heartbeat() correctly logs packaged cell + * fullness information. + */ + +NS_DECL(double, tls_get_write_overhead_ratio, (void)); +NS_DECL(int, we_are_hibernating, (void)); +NS_DECL(const or_options_t *, get_options, (void)); +NS_DECL(int, public_server_mode, (const or_options_t *options)); +NS_DECL(long, get_uptime, (void)); +NS_DECL(uint64_t, get_bytes_read, (void)); +NS_DECL(uint64_t, get_bytes_written, (void)); +NS_DECL(void, logv, (int severity, log_domain_mask_t domain, + const char *funcname, const char *suffix, const char *format, va_list ap)); +NS_DECL(int, server_mode, (const or_options_t *options)); +NS_DECL(int, accounting_is_enabled, (const or_options_t *options)); + +static void +NS(test_main)(void *arg) +{ + int expected, actual; + (void)arg; + + NS_MOCK(tls_get_write_overhead_ratio); + NS_MOCK(we_are_hibernating); + NS_MOCK(get_options); + NS_MOCK(public_server_mode); + NS_MOCK(get_uptime); + NS_MOCK(get_bytes_read); + NS_MOCK(get_bytes_written); + NS_MOCK(logv); + NS_MOCK(server_mode); + NS_MOCK(accounting_is_enabled); + log_global_min_severity_ = LOG_DEBUG; + + stats_n_data_bytes_packaged = RELAY_PAYLOAD_SIZE; + stats_n_data_cells_packaged = 1; + expected = 0; + actual = log_heartbeat(0); + + tt_int_op(actual, ==, expected); + tt_int_op(CALLED(logv), ==, 2); + + done: + stats_n_data_bytes_packaged = 0; + stats_n_data_cells_packaged = 0; + NS_UNMOCK(tls_get_write_overhead_ratio); + NS_UNMOCK(we_are_hibernating); + NS_UNMOCK(get_options); + NS_UNMOCK(public_server_mode); + NS_UNMOCK(get_uptime); + NS_UNMOCK(get_bytes_read); + NS_UNMOCK(get_bytes_written); + NS_UNMOCK(logv); + NS_UNMOCK(server_mode); + NS_UNMOCK(accounting_is_enabled); +} + +static double +NS(tls_get_write_overhead_ratio)(void) +{ + return 1.0; +} + +static int +NS(we_are_hibernating)(void) +{ + return 0; +} + +static const or_options_t * +NS(get_options)(void) +{ + return NULL; +} + +static int +NS(public_server_mode)(const or_options_t *options) +{ + (void)options; + + return 0; +} + +static long +NS(get_uptime)(void) +{ + return 0; +} + +static uint64_t +NS(get_bytes_read)(void) +{ + return 0; +} + +static uint64_t +NS(get_bytes_written)(void) +{ + return 0; +} + +static void +NS(logv)(int severity, log_domain_mask_t domain, const char *funcname, + const char *suffix, const char *format, va_list ap) +{ + switch (CALLED(logv)) + { + case 0: + tt_int_op(severity, ==, LOG_NOTICE); + tt_int_op(domain, ==, LD_HEARTBEAT); + tt_ptr_op(strstr(funcname, "log_heartbeat"), !=, NULL); + tt_ptr_op(suffix, ==, NULL); + tt_str_op(format, ==, + "Heartbeat: Tor's uptime is %s, with %d circuits open. " + "I've sent %s and received %s.%s"); + tt_str_op(va_arg(ap, char *), ==, "0:00 hours"); /* uptime */ + tt_int_op(va_arg(ap, int), ==, 0); /* count_circuits() */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* bw_sent */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* bw_rcvd */ + tt_str_op(va_arg(ap, char *), ==, ""); /* hibernating */ + break; + case 1: + tt_int_op(severity, ==, LOG_NOTICE); + tt_int_op(domain, ==, LD_HEARTBEAT); + tt_ptr_op(strstr(funcname, "log_heartbeat"), !=, NULL); + tt_ptr_op(suffix, ==, NULL); + tt_str_op(format, ==, + "Average packaged cell fullness: %2.3f%%"); + tt_int_op(fabs(va_arg(ap, double) - 100.0) <= DBL_EPSILON, ==, 1); + break; + default: + tt_abort_msg("unexpected call to logv()"); // TODO: prettyprint args + break; + } + + done: + CALLED(logv)++; +} + +static int +NS(server_mode)(const or_options_t *options) +{ + (void)options; + + return 0; +} + +static int +NS(accounting_is_enabled)(const or_options_t *options) +{ + (void)options; + + return 0; +} + +#undef NS_SUBMODULE +#define NS_SUBMODULE ASPECT(log_heartbeat, tls_write_overhead) + +/* + * Tests that log_heartbeat() correctly logs the TLS write overhead information + * when the TLS write overhead ratio exceeds 1. + */ + +NS_DECL(double, tls_get_write_overhead_ratio, (void)); +NS_DECL(int, we_are_hibernating, (void)); +NS_DECL(const or_options_t *, get_options, (void)); +NS_DECL(int, public_server_mode, (const or_options_t *options)); +NS_DECL(long, get_uptime, (void)); +NS_DECL(uint64_t, get_bytes_read, (void)); +NS_DECL(uint64_t, get_bytes_written, (void)); +NS_DECL(void, logv, (int severity, log_domain_mask_t domain, + const char *funcname, const char *suffix, const char *format, va_list ap)); +NS_DECL(int, server_mode, (const or_options_t *options)); +NS_DECL(int, accounting_is_enabled, (const or_options_t *options)); + +static void +NS(test_main)(void *arg) +{ + int expected, actual; + (void)arg; + + NS_MOCK(tls_get_write_overhead_ratio); + NS_MOCK(we_are_hibernating); + NS_MOCK(get_options); + NS_MOCK(public_server_mode); + NS_MOCK(get_uptime); + NS_MOCK(get_bytes_read); + NS_MOCK(get_bytes_written); + NS_MOCK(logv); + NS_MOCK(server_mode); + NS_MOCK(accounting_is_enabled); + stats_n_data_cells_packaged = 0; + log_global_min_severity_ = LOG_DEBUG; + + expected = 0; + actual = log_heartbeat(0); + + tt_int_op(actual, ==, expected); + tt_int_op(CALLED(logv), ==, 2); + + done: + NS_UNMOCK(tls_get_write_overhead_ratio); + NS_UNMOCK(we_are_hibernating); + NS_UNMOCK(get_options); + NS_UNMOCK(public_server_mode); + NS_UNMOCK(get_uptime); + NS_UNMOCK(get_bytes_read); + NS_UNMOCK(get_bytes_written); + NS_UNMOCK(logv); + NS_UNMOCK(server_mode); + NS_UNMOCK(accounting_is_enabled); +} + +static double +NS(tls_get_write_overhead_ratio)(void) +{ + return 2.0; +} + +static int +NS(we_are_hibernating)(void) +{ + return 0; +} + +static const or_options_t * +NS(get_options)(void) +{ + return NULL; +} + +static int +NS(public_server_mode)(const or_options_t *options) +{ + (void)options; + + return 0; +} + +static long +NS(get_uptime)(void) +{ + return 0; +} + +static uint64_t +NS(get_bytes_read)(void) +{ + return 0; +} + +static uint64_t +NS(get_bytes_written)(void) +{ + return 0; +} + +static void +NS(logv)(int severity, log_domain_mask_t domain, + const char *funcname, const char *suffix, const char *format, va_list ap) +{ + switch (CALLED(logv)) + { + case 0: + tt_int_op(severity, ==, LOG_NOTICE); + tt_int_op(domain, ==, LD_HEARTBEAT); + tt_ptr_op(strstr(funcname, "log_heartbeat"), !=, NULL); + tt_ptr_op(suffix, ==, NULL); + tt_str_op(format, ==, + "Heartbeat: Tor's uptime is %s, with %d circuits open. " + "I've sent %s and received %s.%s"); + tt_str_op(va_arg(ap, char *), ==, "0:00 hours"); /* uptime */ + tt_int_op(va_arg(ap, int), ==, 0); /* count_circuits() */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* bw_sent */ + tt_str_op(va_arg(ap, char *), ==, "0 kB"); /* bw_rcvd */ + tt_str_op(va_arg(ap, char *), ==, ""); /* hibernating */ + break; + case 1: + tt_int_op(severity, ==, LOG_NOTICE); + tt_int_op(domain, ==, LD_HEARTBEAT); + tt_ptr_op(strstr(funcname, "log_heartbeat"), !=, NULL); + tt_ptr_op(suffix, ==, NULL); + tt_str_op(format, ==, "TLS write overhead: %.f%%"); + tt_int_op(fabs(va_arg(ap, double) - 100.0) <= DBL_EPSILON, ==, 1); + break; + default: + tt_abort_msg("unexpected call to logv()"); // TODO: prettyprint args + break; + } + + done: + CALLED(logv)++; +} + +static int +NS(server_mode)(const or_options_t *options) +{ + (void)options; + + return 0; +} + +static int +NS(accounting_is_enabled)(const or_options_t *options) +{ + (void)options; + + return 0; +} + +#undef NS_SUBMODULE + +struct testcase_t status_tests[] = { + TEST_CASE(count_circuits), + TEST_CASE(secs_to_uptime), + TEST_CASE(bytes_to_usage), + TEST_CASE_ASPECT(log_heartbeat, fails), + TEST_CASE_ASPECT(log_heartbeat, simple), + TEST_CASE_ASPECT(log_heartbeat, not_in_consensus), + TEST_CASE_ASPECT(log_heartbeat, calls_log_accounting), + TEST_CASE_ASPECT(log_heartbeat, packaged_cell_fullness), + TEST_CASE_ASPECT(log_heartbeat, tls_write_overhead), + END_OF_TESTCASES +}; + |