| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | | | |
| | | |
| | | |
| | | |
| | | | |
This appeases some versions of MSVC, which don't like it when you
have preprocessor commands inside a set of macro arguments.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Back when we changed the idea of a connection being "too old" for new
circuits into the connection being "bad" for new circuits, we didn't
actually change the info messages. This led to telling the user that
we were labelling connections as "too old" for being worse than
connections that were actually older than them.
Found by Scott on or-talk.
|
| |\ \ \ \ |
|
| | | | | | |
|
| |/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Build on Ubuntu 10.04 64-bit was failing:
util.c: In function ‘parse_http_time’:
util.c:1370: error: not protecting function: no buffer at least 8 bytes long
We don't want to lose -Werror, and we don't care too much about the
added overhead of protecting even small buffers, so let's simply turn on
SSP for all buffers.
Thanks to Jacob Appelbaum for the pointer and SwissTorExit for the
original report.
Signed-off-by: Andy Isaacson <adi@hexapodia.org>
|
| |\ \ \ \ |
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This patch adds support for two new configure options:
'--enable-gcc-hardening'
This sets CFLAGS to include:
"-D_FORTIFY_SOURCE=2 -fstack-protector-all"
"-fwrapv -fPIE -Wstack-protector -Wformat -Wformat-security"
"-Wpointer-sign"
It sets LDFLAGS to include:
"-pie"
'--enable-linker-hardening'
This sets LDFLAGS to include:
" -z relro -z now"
|
| |\ \ \ \ \
| |/ / / /
|/| | / /
| | |/ /
| |/| | |
|
| | | | | |
|
| |\| | | |
|
| | | | | |
|
| | | | | |
|
| | |/ /
|/| | |
|
| |\ \ \ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The main changes are to explain how we use git branches, how we use
changes files, and what should go into a patch. Putting these in
HACKING means that we shouldn't need to constantly refer to the or-dev
emails where we explain this stuff.
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| |\ \ \ \
| | |/ /
| |/| | |
|
| | | | | |
|
| |\| | | |
|
| | | | | |
|
| |\| | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
what's happening here is that we're fetching certs for obsolete
authorities -- probably legacy signers in this case. but try to
remain general in the log message.
|
| | | | |
| | | |
| | | |
| | | | |
libevent
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
It's natural for the definition of bandwidth_rule_t to be with the functions
that actually care about its values. Unfortunately, this means declaring
bandwidth_rate_rule_to_string() out of sequence. Someday we'll just rename
reasons.c to strings.c, and put it at the end of or.h, and this will all be
better.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
1) mingw doesn't have _vscprintf(); mingw instead has a working snprintf.
2) windows compilers that _do_ have a working _vscprintf spell it so; they do
not spell it _vcsprintf().
|
| | | | | |
|
| | | | | |
|
| | | | | |
|
| | |/ /
|/| | |
|
| |\| | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Our code assumed that any version of OpenSSL before 0.9.8l could not
possibly require SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION. This is
so... except that many vendors have backported the flag from later
versions of openssl when they backported the RFC5476 renegotiation
feature.
The new behavior is particularly annoying to detect. Previously,
leaving SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION unset meant that
clients would fail to renegotiate. People noticed that one fast!
Now, OpenSSL's RFC5476 support means that clients will happily talk to
any servers there are, but servers won't accept renegotiation requests
from unpatched clients unless SSL_OP_ALLOW_etc is set. More fun:
servers send back a "no renegotiation for you!" error, which unpatched
clients respond to by stalling, and generally producing no useful
error message.
This might not be _the_ cause of bug 1346, but it is quite likely _a_
cause for bug 1346.
|