| Commit message (Expand) | Author | Age |
|---|
| * | Avoid undefined behaviour when parsing HS protocol versions•••Fixes bug 6827; bugfix on c58675ca728f12b42f65e5b8964ae695c2e0ec2d
(when the v2 HS desc parser was implemented).
Found by asn.
| Robert Ransom | 2012-09-13 |
| * | Disable extending to private/internal addresses by default•••This is important, since otherwise an attacker can use timing info
to probe the internal network.
Also, add an option (ExtendAllowPrivateAddresses) so that
TestingTorNetwork won't break.
Fix for bug 6710; bugfix on all released versions of Tor.
| Nick Mathewson | 2012-08-27 |
| * | Merge remote-tracking branch 'public/bug6507' into maint-0.2.3 | Nick Mathewson | 2012-08-17 |
| |\ |
|
| | * | Fix spaces from last patch | Nick Mathewson | 2012-08-09 |
| | * | Don't infer we have a FooPort from the presence of a FooPort line•••Thanks to the changes we started making with SocksPort and friends
in 0.2.3.3-alpha, any of our code that did "if (options->Sockport)"
became wrong, since "SocksPort 0" would make that test true whereas
using the default SocksPort value would make it false. (We didn't
actually do "if (options->SockPort)" but we did have tests for
TransPort. When we moved DirPort, ORPort, and ControlPort over to
the same system in 0.2.3.9-alpha, the problem got worse, since our
code is littered with checks for DirPort and ORPort as booleans.
This code renames the current linelist-based FooPort options to
FooPort_lines, and adds new FooPort_set options which get set at
parse-and-validate time on the or_options_t. FooPort_set is true
iff we will actually try to open a listener of the given type. (I
renamed the FooPort options rather than leave them alone so that
every previous user of a FooPort would need to get inspected, and so
that any new code that forgetfully uses FooPort will need fail to
compile.)
Fix for bug 6507.
| Nick Mathewson | 2012-08-09 |
| * | | Address Nick's comments from code review.•••Also promote log messages to notice and rate-limit them.
| Mike Perry | 2012-08-16 |
| * | | Bug 6475: Explicitly track our path bias state.•••This is done to avoid spurious warns. Additional log lines are also
added to try to track down the codepaths where we are somehow overcounting
success counts.
| Mike Perry | 2012-08-15 |
| |/ |
|
| * | Defend against entry node path bias attacks•••The defense counts the circuit failure rate for each guard for the past N
circuits. Failure is defined as the ability to complete a first hop, but not
finish completing the circuit all the way to the exit.
If the failure rate exceeds a certain amount, a notice is emitted.
If it exceeds a greater amount, a warn is emitted and the guard is disabled.
These values are governed by consensus parameters which we intend to tune as
we perform experiments and statistical simulations.
| Mike Perry | 2012-06-14 |
| * | Merge remote-tracking branch 'public/bug3940_redux' | Nick Mathewson | 2012-06-13 |
| |\ |
|
| | * | Document ADDRMAPSRC_NONE. | Nick Mathewson | 2012-06-11 |
| | * | An attempt at bug3940 and making AllowDotExit 0 work with MapAddress•••This time, I follow grarpamp's suggestion and move the check for
.exit+AllowDotExit 0 to the top of connection_ap_rewrite_and_attach,
before any rewriting occurs. This way, .exit addresses are
forbidden as they arrive from a socks connection or a DNSPort
request, and not otherwise.
It _is_ a little more complicated than that, though. We need to
treat any .exit addresses whose source is TrackHostExits as meaning
that we can retry without that exit. We also need to treat any
.exit address that comes from an AutomapHostsOnResolve operation as
user-provided (and thus forbidden if AllowDotExits==0), so that
transitioning from AllowDotExits==1 to AllowDotExits==0 will
actually turn off automapped .exit addresses.
| Nick Mathewson | 2012-05-11 |
| * | | Resolve about 24 DOCDOCs | Nick Mathewson | 2012-06-05 |
| * | | Update copyright dates to 2012; add a few missing copyright statements | Nick Mathewson | 2012-06-04 |
| * | | Add about 60 more DOCDOC comments to 0.2.3•••Also, try to resolve some doxygen issues. First, define a magic
"This is doxygen!" macro so that we take the correct branch in
various #if/#else/#endifs in order to get the right documentation.
Second, add in a few grouping @{ and @} entries in order to get some
variables and fields to get grouped together.
| Nick Mathewson | 2012-06-04 |
| * | | Resolve all currently pending DOCDOC items in master | Nick Mathewson | 2012-06-04 |
| * | | Bump _WIN32_WINNT to 0x0501 throughout the code•••This tells the windows headers to give us definitions that didn't
exist before XP -- like the ones that we need for IPv6 support.
See bug #5861. We didn't run into this issue with mingw, since
mingw doesn't respect _WIN32_WINNT as well as it should for some of
its definitions.
| Nick Mathewson | 2012-05-14 |
| * | | Remove all instances of WIN32_WINNT (without leading _)•••We started adding it in 59e2c77824840f back in 2004, 8 years and 3
days ago. It's time to deprogram ourselves from this cargo cult.
| Nick Mathewson | 2012-05-14 |
| |/ |
|
| * | Merge remote-tracking branch 'nickm/bug2497' | Roger Dingledine | 2012-04-24 |
| |\ |
|
| | * | Twiddle ROUTER_{MAX_COSMETIC_TIME_DIFFERENCE,MAX_AGE_TO_PUBLISH}•••This is ticket 2479. Roger's original explanation was:
We have a series of bugs where relays publish a descriptor within
12 hours of their last descriptor, but the authorities drop it
because it's not different "enough" from the last one and it's
too close to the last one.
The original goal of this idea was to a) reduce the number of new
descriptors authorities accept (and thus have to store) and b)
reduce the total number of descriptors that clients and mirrors
fetch. It's a defense against bugs where relays publish a new
descriptor every minute.
Now that we're putting out one consensus per hour, we're doing
better at the total damage that can be caused by 'b'.
There are broader-scale design changes that would help here, and
we've had a trac entry open for years about how relays should
recognize that they're not in the consensus, or recognize when
their publish failed, and republish sooner.
In the mean time, I think we should change some of the parameters
to make the problem less painful.
| Nick Mathewson | 2012-03-30 |
| * | | Obsolete GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays•••Closes ticket 4572.
| Nick Mathewson | 2012-04-11 |
| * | | Merge branch 'maint-0.2.2'•••Conflicts:
src/or/config.c
| Roger Dingledine | 2012-04-01 |
| |\ \ |
|
| | * | | put a _ before or_options_t elements that aren't configurable•••it's fine with me if we change the current convention, but we should
actually decide to change it if we want to.
| Roger Dingledine | 2012-04-01 |
| * | | | Merge remote-tracking branch 'origin/maint-0.2.2'•••Conflicts:
src/or/config.c
Conflict was in or_options_free, where two newly added fields had free
calls in the same place.
| Nick Mathewson | 2012-04-01 |
| |\| |
| |/
|/| |
|
| | * | Do not use strcmp() to compare an http authenticator to its expected value•••This fixes a side-channel attack on the (fortunately unused!)
BridgePassword option for bridge authorities. Fix for bug 5543;
bugfix on 0.2.0.14-alpha.
| Nick Mathewson | 2012-04-01 |
| * | | Merge remote-tracking branch 'origin/maint-0.2.2'•••Conflicts:
src/or/control.c
| Nick Mathewson | 2012-03-26 |
| |\| |
|
| | * | Implement 'safe cookie authentication' | Robert Ransom | 2012-02-22 |
| * | | Use the standard _WIN32, not the Torism MS_WINDOWS or deprecated WIN32•••This commit is completely mechanical; I used this perl script to make it:
#!/usr/bin/perl -w -i.bak -p
if (/^\s*\#/) {
s/MS_WINDOWS/_WIN32/g;
s/\bWIN32\b/_WIN32/g;
}
| Nick Mathewson | 2012-01-31 |
| * | | update comment to reflect our TOR_INVALID_SOCKET convention | Roger Dingledine | 2012-01-22 |
| * | | Rename nonconformant identifiers.•••Fixes bug 4893.
These changes are pure mechanical, and were generated with this
perl script:
/usr/bin/perl -w -i.bak -p
s/crypto_pk_env_t/crypto_pk_t/g;
s/crypto_dh_env_t/crypto_dh_t/g;
s/crypto_cipher_env_t/crypto_cipher_t/g;
s/crypto_digest_env_t/crypto_digest_t/g;
s/aes_free_cipher/aes_cipher_free/g;
s/crypto_free_cipher_env/crypto_cipher_free/g;
s/crypto_free_digest_env/crypto_digest_free/g;
s/crypto_free_pk_env/crypto_pk_free/g;
s/_crypto_dh_env_get_dh/_crypto_dh_get_dh/g;
s/_crypto_new_pk_env_rsa/_crypto_new_pk_from_rsa/g;
s/_crypto_pk_env_get_evp_pkey/_crypto_pk_get_evp_pkey/g;
s/_crypto_pk_env_get_rsa/_crypto_pk_get_rsa/g;
s/crypto_new_cipher_env/crypto_cipher_new/g;
s/crypto_new_digest_env/crypto_digest_new/g;
s/crypto_new_digest256_env/crypto_digest256_new/g;
s/crypto_new_pk_env/crypto_pk_new/g;
s/crypto_create_crypto_env/crypto_cipher_new/g;
s/connection_create_listener/connection_listener_new/g;
s/smartlist_create/smartlist_new/g;
s/transport_create/transport_new/g;
| Nick Mathewson | 2012-01-18 |
| * | | fix crash bug in original feature4207 branch•••PLURAL() assumes that the plural is the canonical name for the option,
so now it is.
| Roger Dingledine | 2012-01-16 |
| * | | Comment fixups on 4207 suggested by arma | Nick Mathewson | 2012-01-16 |
| * | | Allow authorities to baddir/badexit/invalid/reject nodes by cc•••Implements ticket #4207
| Nick Mathewson | 2012-01-13 |
| * | | Merge branch 'prop187_squashed' | Nick Mathewson | 2012-01-11 |
| |\ \ |
|
| | * | | Implement proposal 187: reserve a cell type for client authorization•••This needs a changes file and more testing.
| Nick Mathewson | 2012-01-11 |
| * | | | Merge branch 'feature3457-v4-nm-squashed'•••Conflicts:
src/or/rendclient.c
| Nick Mathewson | 2012-01-11 |
| |\ \ \
| |/ /
|/| | |
|
| | * | | Rename CIRC2 to CIRC_MINOR•••Also give the arguments to control_event_circuit_status_minor real
names.
| Nick Mathewson | 2012-01-11 |
| | * | | Send CIRC2 event when a circuit is cannibalized | Robert Ransom | 2011-11-24 |
| | * | | Add CIRC2 control-port event, and send it when a circ's purpose changes | Robert Ransom | 2011-11-24 |
| * | | | Don't remove rend cpath element from relaunched service-side rend circs•••Fixes bug 4842, not in any release.
| Robert Ransom | 2012-01-06 |
| * | | | Verbotify documentation comments for the #1297-fix flags | Robert Ransom | 2012-01-04 |
| * | | | Add an option to close HS service-side rend circs on timeout | Robert Ransom | 2011-12-27 |
| * | | | Don't close HS service-side rend circs on timeout | Robert Ransom | 2011-12-27 |
| * | | | Add an option to close 'almost-connected' HS client circs on timeout | Robert Ransom | 2011-12-27 |
| * | | | Don't close HS client circs which are 'almost connected' on timeout | Robert Ransom | 2011-12-27 |
| * | | | Adjust n_intro_points_wanted when a service's intro points are closed | Robert Ransom | 2011-12-20 |
| * | | | Revert "Make pending libevent actions cancelable"•••This reverts commit aba25a6939a5907d40dbcff7433a8c130ffd12ad.
| Nick Mathewson | 2011-12-06 |
| * | | | Merge branch 'feature2553-v4-rebased' | Nick Mathewson | 2011-11-30 |
| |\ \ \ |
|
| | * | | | Add a compile-time #define to control whether Tor runs in 'tor2web mode'•••The Tor2webMode torrc option is still required to run a Tor client in
'tor2web mode', but now it can't be turned on at runtime in a normal build
of Tor. (And a tor2web build of Tor can't be used as a normal Tor client,
so we don't have to worry as much about someone distributing packages with
this particular pistol accessible to normal users.)
| Robert Ransom | 2011-11-30 |
| | * | | | Add Tor2webMode configuration option | Robert Ransom | 2011-11-24 |
| | |/ / |
|
| * | | | appease "make check-spaces" | Nick Mathewson | 2011-11-30 |