| Commit message (Collapse) | Author | Age |

We do this in too many places throughout the code; it's time to start
clamping down.
Also, refactor Karsten's patch to use strchr-then-strndup, rather than
malloc-then-strlcpy-then-strchr-then-clear.

Fix statistics on client numbers by country as seen by bridges that were
broken in 0.2.2.1-alpha. Also switch to reporting full 24-hour intervals
instead of variable 12-to-48-hour intervals.

The HSAuthorityRecordStats option was used to track statistics of overall
hidden service usage on the version 0 hidden service authorities. With the
version 2 hidden service directories being deployed and version 0
descriptors being phased out, these statistics are not as useful anymore.
Goodbye, you fine piece of software; my first major code contribution to
Tor.

Conflicts:
ChangeLog

Do not segfault when writing buffer stats when we haven't observed a
single circuit to report about. This is a minor bug that would only show
up in testing environments with no traffic and with reduced stats
intervals.

Conflicts:
ChangeLog

The new rule is: safe_str_X() means "this string is a piece of X
information; make it safe to log." safe_str() on its own means
"this string is a piece of who-knows-what; make it safe to log".

Apparently Panther doesn't like comparing ints and enums

In connection_dir_client_reached_eof, we make sure that we either
return when we get an http status code of 503 or handle the problem
and set it to 200. Later we check if the status code is 503. Remove
that check.

It returns the contents that Tor would write if you send it a SAVECONF
command, so the controller can write the file to disk itself.

This might help fix cid 422, where coverity fails to notice that
argv strings are null-escaped.

Some *_free functions threw asserts when passed NULL. Now all of them
accept NULL as input and perform no action when called that way.
This gains us consistence for our free functions, and allows some
code simplifications where an explicit null check is no longer necessary.

Avoid crashing if the client is trying to upload many bytes and the
circuit gets torn down at the same time, or if the flip side
happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.

plus some other unrelated touchups that have been sitting in my
sandbox

New config option "CircuitStreamTimeout" to override our internal
timeout schedule for how many seconds until we detach a stream from
a circuit and try a new circuit. If your network is particularly
slow, you might want to set this to a number like 60.

aka Fix an instance where a Tor directory mirror might accidentally
log the IP address of a misbehaving Tor client. Bugfix on
0.1.0.1-rc.

shouldn't actually change anything, but who knows.

Also, regenerate the detached-signature document whenever any signatures are
successfully added.

Fix a memory leak on directory authorities during voting that was
introduced in 0.2.2.1-alpha. Found via valgrind.

Conflicts:
src/common/tortls.c

To fix a major security problem related to incorrect use of
SSL/TLS renegotiation, OpenSSL has turned off renegotiation by
default. We are not affected by this security problem, however,
since we do renegotiation right. (Specifically, we never treat a
renegotiated credential as authenticating previous communication.)
Nevertheless, OpenSSL's new behavior requires us to explicitly
turn renegotiation back on in order to get our protocol working
again.
Amusingly, this is not so simple as "set the flag when you create
the SSL object", since calling connect or accept seems to clear
the flags.
For belt-and-suspenders purposes, we clear the flag once the Tor
handshake is done. There's no way to exploit a second handshake
either, but we might as well not allow it.

This commit implements a new config option: 'DisableAllSwap'
This option probably only works properly when Tor is started as root.
We added two new functions: tor_mlockall() and tor_set_max_memlock().
tor_mlockall() attempts to mlock() all current and all future memory pages.
For tor_mlockall() to work properly we set the process rlimits for memory to
RLIM_INFINITY (and beyond) inside of tor_set_max_memlock().
We behave differently from mlockall() by only allowing tor_mlockall() to be
called one single time. All other calls will result in a return code of 1.
It is not possible to change DisableAllSwap while running.
A sample configuration item was added to the torrc.complete.in config file.
A new item in the man page for DisableAllSwap was added.
Thanks to Moxie Marlinspike and Chris Palmer for their feedback on this patch.
Please note that we make no guarantees about the quality of your OS and its
mlock/mlockall implementation. It is possible that this will do nothing at all.
It is also possible that you can ulimit the mlock properties of a given user
such that root is not required. This has not been extensively tested and is
unsupported. I have included some comments for possible ways we can handle
this on win32.

Bridges do not use the default exit policy, but reject *:* by default.

If your relay can't keep up with the number of incoming create cells, it
would log one warning per failure into your logs. Limit warnings to 1 per
minute.

If all authorities restart at once right before a consensus vote, nobody
will vote about "Running", and clients will get a consensus with no usable
relays. Instead, authorities refuse to build a consensus if this happens.