| Commit message (Expand) | Author | Age |
|---|
| * | Merge remote-tracking branch 'public/bug11200' | Nick Mathewson | 2014-04-23 |
| |\ |
|
| | * | should_disable_dir_fetches() now returns 1 if DisableNetwork==1•••This change prevents LD_BUG warnings and bootstrap failure messages
when we try to do directory fetches when starting with
DisableNetwork == 1, a consensus present, but no descriptors (or
insufficient descriptors) yet.
Fixes bug 11200 and bug 10405. It's a bugfix on 0.2.3.9-alpha.
Thanks to mcs for walking me through the repro instructions!
| Nick Mathewson | 2014-03-14 |
| * | | Merge branch 'bug11156_issue2_squashed' | Nick Mathewson | 2014-04-23 |
| |\ \ |
|
| | * | | Slightly improve the documentation of src/or/transports.c•••Make it clear that a SIGHUP is not the only action that can cause a
config re-read.
| George Kadianakis | 2014-04-23 |
| | * | | Rename the got_hup element of managed proxies.•••Since we need to toggle that element in non-SIGHUP situations too where
the config was re-read (like in SETCONF or RESETCONF).
| George Kadianakis | 2014-04-23 |
| | * | | Don't halt bootstrap to figure out if we should restart PT proxies.•••Instead, figure out if we should restart PT proxies _immediately_ after
we re-read the config file.
| George Kadianakis | 2014-04-23 |
| * | | | Merge remote-tracking branch 'public/bug9229_025'•••Conflicts:
src/or/entrynodes.c
| Nick Mathewson | 2014-04-23 |
| |\ \ \ |
|
| | * | | | Make num_bridges_usable work properly.•••My first implementation was broken, since it returned "whether there
is one bridge" rather than "how many bridges."
Also, the implementation for the n_options_out feature in
choose_random_entry_impl was completely broken due to a missing *.
| Nick Mathewson | 2014-04-08 |
| | * | | | Fix our check for the "first" bridge descriptor.•••This is meant to be a better bug 9229 fix -- or at least, one more
in tune with the intent of the original code, which calls
router_retry_directory_downloads() only on the first bridge descriptor.
| Nick Mathewson | 2014-03-10 |
| * | | | | Merge remote-tracking branch 'public/bug9963_v2_024' | Nick Mathewson | 2014-04-18 |
| |\ \ \ \ |
|
| | * | | | | Log descriptor-download bootstrapping messages less verbosely•••This is a fix for 9963. I say this is a feature, but if it's a
bugfix, it's a bugfix on 0.2.4.18-rc.
Old behavior:
Mar 27 11:02:19.000 [notice] Bootstrapped 50%: Loading relay descriptors.
Mar 27 11:02:20.000 [notice] Bootstrapped 51%: Loading relay descriptors.
Mar 27 11:02:20.000 [notice] Bootstrapped 52%: Loading relay descriptors.
... [Many lines omitted] ...
Mar 27 11:02:29.000 [notice] Bootstrapped 78%: Loading relay descriptors.
Mar 27 11:02:33.000 [notice] We now have enough directory information to build circuits.
New behavior:
Mar 27 11:16:17.000 [notice] Bootstrapped 50%: Loading relay descriptors
Mar 27 11:16:19.000 [notice] Bootstrapped 55%: Loading relay descriptors
Mar 27 11:16:21.000 [notice] Bootstrapped 60%: Loading relay descriptors
Mar 27 11:16:21.000 [notice] Bootstrapped 65%: Loading relay descriptors
Mar 27 11:16:21.000 [notice] Bootstrapped 70%: Loading relay descriptors
Mar 27 11:16:21.000 [notice] Bootstrapped 75%: Loading relay descriptors
Mar 27 11:16:21.000 [notice] We now have enough directory information to build circuits.
| Nick Mathewson | 2014-03-27 |
| * | | | | | Improved message when running sandbox on Linux without libseccomp•••Previously we said "Sandbox is not implemented on this platform" on
Linux boxes without libseccomp. Now we say that you need to build
Tor built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
| Nick Mathewson | 2014-04-18 |
| * | | | | | Merge remote-tracking branch 'public/ticket11528_024' | Nick Mathewson | 2014-04-17 |
| |\ \ \ \ \ |
|
| | * | | | | | Elevate server TLS cipher preferences over client•••The server cipher list is (thanks to #11513) chosen systematically to
put the best choices for Tor first. The client cipher list is chosen
to resemble a browser. So let's set SSL_OP_CIPHER_SERVER_PREFERENCE
to have the servers pick according to their own preference order.
| Nick Mathewson | 2014-04-17 |
| * | | | | | | Remove spurious libevent include in sandbox.c | Nick Mathewson | 2014-04-17 |
| * | | | | | | Fix uninitialized-ram free in unit tests•••Fix on fb595922; bug not in any released Tor. Found with
--enable-expensive-hardening.
| Nick Mathewson | 2014-04-17 |
| * | | | | | | Merge remote-tracking branch 'public/sandbox_fixes_rebased_2' | Nick Mathewson | 2014-04-16 |
| |\ \ \ \ \ \ |
|
| | * | | | | | | Log the name of the failing syscall on failure | Nick Mathewson | 2014-04-16 |
| | * | | | | | | Block certain option transitions while sandbox enabled | Nick Mathewson | 2014-04-16 |
| | * | | | | | | Sandbox: permit O_NONBLOCK and O_NOCTTY for files we refuse•••OpenSSL needs this, or RAND_poll() will kill the process.
Also, refuse with EACCESS, not errno==-1 (!).
| Nick Mathewson | 2014-04-16 |
| | * | | | | | | Don't reload logs or rewrite pidfile while sandbox is active | Nick Mathewson | 2014-04-16 |
| | * | | | | | | Don't allow change to ConnLimit while sandbox is active | Nick Mathewson | 2014-04-16 |
| | * | | | | | | Allow reloading torrc and writing to router-stability | Nick Mathewson | 2014-04-16 |
| | * | | | | | | Use SCMP_CMP_MASKED_EQ to allow flags, not force them•••Older versions of Libevent are happy to open SOCK_DGRAM sockets
non-cloexec and non-nonblocking, and then set those flags
afterwards. It's nice to be able to allow a flag to be on or off in
the sandbox without having to enumerate all its values.
Also, permit PF_INET6 sockets. (D'oh!)
| Nick Mathewson | 2014-04-16 |
| | * | | | | | | Add a couple of missing renames so the server sandbox works again | Nick Mathewson | 2014-04-16 |
| | * | | | | | | Get Libevent's PRNG functioning under the linux sandbox•••Libevent uses an arc4random implementation (I know, I know) to
generate DNS transaction IDs and capitalization. But it liked to
initialize it either with opening /dev/urandom (which won't work
under the sandbox if it doesn't use the right pointer), or with
sysctl({CTL_KERN,KERN_RANDOM,RANDOM_UUIC}). To make _that_ work, we
were permitting sysctl unconditionally. That's not such a great
idea.
Instead, we try to initialize the libevent PRNG _before_ installing
the sandbox, and make sysctl always fail with EPERM under the
sandbox.
| Nick Mathewson | 2014-04-16 |
| | * | | | | | | Make sure everything using an interned string is preceded by a log•••(It's nice to know what we were about to rename before we died from
renaming it.)
| Nick Mathewson | 2014-04-16 |
| | * | | | | | | Introduce arg-counting macros to wrap seccomp_rule_add()•••The compiler doesn't warn about this code:
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
SCMP_CMP(0, SCMP_CMP_EQ, AT_FDCWD),
SCMP_CMP(1, SCMP_CMP_EQ, param->value),
SCMP_CMP(2, SCMP_CMP_EQ, O_RDONLY|...));
but note that the arg_cnt argument above is only 1. This means that
only the first filter (argument 0 == AT_FDCWD) is actually checked!
This patch also fixes the above error in the openat() filter.
Earlier I fixed corresponding errors in filters for rename() and
mprotect().
| Nick Mathewson | 2014-04-16 |
| | * | | | | | | Fix sandbox protection for rename•••(We were only checking the first parameter of each rename call.)
| Nick Mathewson | 2014-04-16 |
| | * | | | | | | Upgrade warning about missing interned string for sandbox | Nick Mathewson | 2014-04-16 |
| | * | | | | | | Have sandbox string protection include multi-valued parmeters. | Nick Mathewson | 2014-04-16 |
| | * | | | | | | Clean up sandbox structures a bit•••Drop pindex,pindex2 as unused.
Admit a type to avoid using a void*
| Nick Mathewson | 2014-04-16 |
| | * | | | | | | Add missing rename function for non-linux platforms | Nick Mathewson | 2014-04-16 |
| | * | | | | | | Drop 'fr' parameter from sandbox code.•••Appearently, the majority of the filenames we pass to
sandbox_cfg_allow() functions are "freeable right after". So, consider
_all_ of them safe-to-steal, and add a tor_strdup() in the few cases
that aren't.
(Maybe buggy; revise when I can test.)
| Nick Mathewson | 2014-04-16 |
| | * | | | | | | Remove nonsensical exec permission from sandbox code. | Nick Mathewson | 2014-04-16 |
| | * | | | | | | Add 'rename' to the sandboxed syscalls•••(If we don't restrict rename, there's not much point in restricting
open, since an attacker could always use rename to make us open
whatever they want.)
| Nick Mathewson | 2014-04-16 |
| | * | | | | | | Only intern one copy of each magic string for the sandbox•••If we intern two copies of a string, later calls to
sandbox_intern_string will give the wrong one sometimes.
| Nick Mathewson | 2014-04-16 |
| | * | | | | | | Fix some initial sandbox issues.•••Allow files that weren't in the list; Allow the _sysctl syscall;
allow accept4 with CLOEXEC and NONBLOCK.
| Nick Mathewson | 2014-04-16 |
| * | | | | | | | Merge remote-tracking branch 'andrea/bug11304' | Nick Mathewson | 2014-04-16 |
| |\ \ \ \ \ \ \ |
|
| | * | | | | | | | Call connection_or_close_for_error() properly if write_to_buf() ever fails on... | Andrea Shepard | 2014-04-15 |
| * | | | | | | | | Merge remote-tracking branch 'andrea/bug11306' | Nick Mathewson | 2014-04-16 |
| |\ \ \ \ \ \ \ \ |
|
| | * | | | | | | | | Avoid redundant calls to connection_mark_for_close() on listeners when settin... | Andrea Shepard | 2014-04-15 |
| | * | | | | | | | | Close orconns correctly through channels when setting DisableNetwork to 1 | Andrea Shepard | 2014-04-15 |
| | |/ / / / / / / |
|
| * | | | | | | | | Merge branch '10267_plus_10896_rebased_twice' | Nick Mathewson | 2014-04-16 |
| |\ \ \ \ \ \ \ \
| |_|/ / / / / /
|/| | | | | | | |
|
| | * | | | | | | | Call pf-divert openbsd-specific, not no-linux | Nick Mathewson | 2014-04-16 |
| | * | | | | | | | Fix OSX compilation. | Nick Mathewson | 2014-04-16 |
| | * | | | | | | | Whitespace, doc fixes | Nick Mathewson | 2014-04-16 |
| | * | | | | | | | Educate tor on OpenBSD's use of divert-to rules with the pf firewall.•••This means that tor can run without needing to communicate with ioctls
to the firewall, and therefore doesn't need to run with privileges to
open the /dev/pf device node.
A new TransProxyType is added for this purpose, "pf-divert"; if the user
specifies this TransProxyType in their torrc, then the pf device node is
never opened and the connection destination is determined with getsockname
(as per pf(4)). The default behaviour (ie., when TransProxyType is "default"
when using the pf firewall) is still to assume that pf is configured with
rdr-to rules.
| dana koch | 2014-04-16 |
| | * | | | | | | | tor_addr_from_sockaddr() is applicable in ipfw code, so use it. | Nick Mathewson | 2014-04-16 |
| | * | | | | | | | ipfw TransPort support on FreeBSD (10267)•••This isn't on by default; to get it, you need to set "TransProxyType
ipfw". (The original patch had automatic detection for whether
/dev/pf is present and openable, but that seems marginally fragile.)
| Nick Mathewson | 2014-04-16 |