If setting our rlimit to rlim_max or cap fails, fall back to OPEN_FILES if defiled. This makes Tor run on OSX 10.5, while allowing OSX to mend its ways in the future.
svn:r12341
As an authority, send back an X-Descriptor-Not-New header when we accept but do not store a descriptor. Partial implementation of fix for bug 535.
svn:r12310
Improved skew reporting: "You are 365 days in the duture" is more useful than "You are 525600 minutes in the future". Also, when we get something that proves we are at least an hour in the past, tell the controller "CLOCK_SKEW MIN_SKEW=-3600" rather than just "CLOCK_SKEW"
svn:r12283
Tidy v2 hidden service descriptor format code: fix memory leaks, fix reference problems, note magic numbers, note questions, remove redundant checks, remove a possible stack smashing bug when encoding a descriptor with no protocols supported.
svn:r12255
edge_connection_t: want_onehop if it must attach to a circuit with
only one hop (e.g. for the current tunnelled connections that use
begin_dir), and use_begindir if we mean to use a BEGIN_DIR relay
command to establish the stream rather than the normal BEGIN. Now
we can make anonymized begin_dir connections for (e.g.) more secure
hidden service posting and fetching.
svn:r12244
Stop servers from crashing if they set a Family option (or
maybe in other situations too). Bugfix on 0.2.0.9-alpha; reported
by Fabian Keil.
svn:r12235
Keep circuitless TLS connections open for 1.5 x MaxCircuitDirtiness: this ensures that we don't thrash closing and repoening connections to our guards.
svn:r12218
Fix logic for downloading consensuses: make getting an duplicate or not-currently-valid consensus count as a failure. Make running out of time to get certificates count as a failure. Delay while fetching certificates.
svn:r12159
Refactor the arguments for router_pick_{directory_|trusteddir}server[_impl] so that they all take the same flags, and so that their flags have names. Fix their documentation too.
svn:r12157
minutes, but writing the "valid-after" line in our vote based
on our configured V3AuthVotingInterval: so unless the intervals
matched up, we immediately rejected our own vote because it didn't
start at the voting interval that caused us to construct a vote.
This caused log entries like:
Oct 23 01:16:16.303 [notice] Choosing expected valid-after time
as 2007-10-23 05:30:00: consensus_set=0, interval=1800
...
Oct 23 01:20:01.203 [notice] Choosing valid-after time in vote as
2007-10-23 06:00:00: consensus_set=0, interval=3600
Oct 23 01:20:01.290 [warn] Rejecting vote with valid-after time of
2007-10-23 06:00:00; we were expecting 2007-10-23 05:30:00
Oct 23 01:20:01.291 [warn] Couldn't store my own vote! (I told
myself, 'Bad valid-after time'.)
Nick, you should look at this, as it's your design. :)
svn:r12129
Respond to INT and TERM SIGNAL commands before we execute the
signal, in case the signal shuts us down. We had a patch in
0.1.2.1-alpha that tried to do this by queueing the response on
the connection's buffer before shutting down, but that really
isn't the same thing. Bug located by Matt Edman.
This is a bug in 0.1.2.x too, but there's no way we should backport
this fix. Speaking of which, can somebody double-check it? :)
svn:r12070
Remember the valid-until time of the most recent consensus that listed
a router, and (if we are a cache) never delete the routerdesc until
that conensus is expired. This is way easier than retaining multiple
consensuses. (Of course, the info isn't retained across restarts,
but that only affects a few caches at a time.)
svn:r12041
When a networkstatus consensus download fails, do not wait 60 seconds to decide whether to retry. (Also, log the time at which we'll try to replace the current networkstatus.)
svn:r12005
oprofile was telling me that a fair bit of our time in openssl was spent in base64_decode, so replace base64_decode with an all-at-once fairly optimized implementation. For decoding keys and digests, it seems 3-3.5x faster than calling out to openssl. (Yes, I wrote it from scratch.)
svn:r12002
Make unverified-consensus get removed when it is accepted or rejected. Make a new get_datadir_fname*() set of functions to eliminate the common code of "get the options, get the datadir, append some stuff".
svn:r12000
Implement v3 networkstatus client code. Remove v2 networkstatus client code, except as needed for caches to fetch and serve v2 networkstatues and the routers they list.
svn:r11957
Make discard_old_votes part of the consensus publishing process, so we conform to spec, and so we avoid a weird bugs where publishing sets the consensus, setting the consensus makes us reschedule, and rescheduling makes us delay vote-discarding.
svn:r11944
when we find our DirPort to be reachable but won't actually publish
it. Extra descriptors without any real changes are dropped by the
authorities, and can screw up our "publish every 18 hours" schedule.
svn:r11915
Fix bug 451. This was a nasty bug, so let's fix it twice: first, by banning recursive calls to connection_handle_write from connection_flushed_some; and second, by not calling connection_finished_flushing() on a closed connection. Backport candidate.
svn:r11882
Fix a bunch of XXX020s: treat some 403s as INFO severity; remove some dead code; share the retry path for consensus routerdescs that are also listed in the v2 networkstatus; check even more aspects of votes when parsing them.
svn:r11871
Fix the implementation of if-modified-since for certificates so that it applies to all types of certificate requests. Note that the kind of consensus that matters already has a working if-modified-since.
svn:r11852
Fix some memory leaks when serving v3 networkstatus documents and v3 certs. Generate 503 correctly when serving v3 networkstatus documents and v3 certs.
svn:r11850
Retry consensus and certificate downloads properly. Do not fail when there are no certificates to download. Do not download certificates we already have when retrying.
svn:r11841
Save weighted-fractional-uptime to disk as well as MTBF. Bump the version on rouer-stability: downgrading to versions earlier than this one will lose your WFU data.
svn:r11835
Fix the bug that was making moria1 set valid-after wrong in its votes: we were looking at the preferred timing when we should have been looking at the consensus timing.
svn:r11818
Use download_status_t for v2 networkstatuses and certs as well as for routers. Make functions to manipulate it. Next steps: use it for consensus networkstatuses, and get consensus download rescheduling working.
svn:r11800
Refactor out about a third of routerlist.c into a new networkstatus.c. I\m not sure that I got everything that needed to move, but so far so good.
svn:r11791
Use descriptor annotations to record the source, download t time, and purpose of every descriptor we add to the store. The remaining to-do item is to stop setting do_not_cache on bridges.
svn:r11680
Remove annotated_desc_store store (which we never used). Instead, shift name of router store to cached-descriptors, but initialize it from cached-routers as needed
svn:r11678
Fix a stupid logic error in authority_cert_get_by_sk_digest: the presence of an authority lacking a v3 cert does not mean that subsequent authorities lack them too.
svn:r11668
users configure that and specify a bridge with an identity
fingerprint, now they will lookup the bridge descriptor at the
default bridge authority via a one-hop tunnel, but once circuits
are established they will switch to a three-hop tunnel for later
connections to the bridge authority.
svn:r11550
Fix a bug that made servers send a "404 Not found" in response to
attempts to fetch their server descriptor. This caused Tor servers
to take many minutes to establish reachability for their DirPort,
and it totally crippled bridges. Bugfix on 0.2.0.5-alpha.
svn:r11545
Re-optimize counter-mode: save about 15% on my core2 by (1) not regenerating the entire counter buffer every time we encrypt a block of keystream (2) using the platform-optimized htonl to convert to big-endian (It's a single instruction on 486 and later ) and (3) not even keeping a separate "counter" and "buffer" when the platform is big-endian. The third still needs testing.
svn:r11536
clients specify their chosen rendezvous point by identity digest
rather than by (potentially ambiguous) nickname. This change could
speed up hidden service connections dramatically.
svn:r11499
Get rid of a needless malloc() when parsing address policies. Original patch from "Some guy on #tor", via arma. Altered to have a sufficiently large buffer, and not use the buffer so much, and to save a strlcpy.
svn:r11480
BandwidthRate, RelayBandwidthRate, or MaxAdvertisedBandwidth
were below a threshold. Now they only look at BandwidthRate and
RelayBandwidthRate.
svn:r11465
Refactor store_stats_t to hold a pointer to the proper mmap, and turn it into a full-fledged type. This sets stuff up nicely for adding a separate "annotated" store. Add some XXXX NM items that need to be fixed when annotated stores exist
svn:r11338
Teach tor about more libevent versions. Be more clear that "Known bugs" means "it will crash or something." Most significantly, stop issuing dire warnings every time we run with kqueue on os x: it seems to have worked for a while now.
svn:r11314
Make controllers accept LF as well as CRLF. Update spec to reflect this. Remove now-dead code. Make controller warning about v0 protocol more accurate.
svn:r11299
Add a line to the state file for each guard to let us know which version added the guard. If the line is absent, assume the guard was added by whatever version of Tor last wrote the state file. Remove guards if the version that added them was using a bad guard selection algorithm. (Previously, we removed guards if the version that wrote the file was using a bad guard selection algorithm, even if the guards themselves were chosen by a good version.)
svn:r11298
Add a new ClientDNSRejectInternalAddresses option (default: on) to refuse to believe that any address can map to or from an internal address. This blocks some kinds of potential browser-based attacks, especially on hosts using DNSPort. Also clarify behavior in some comments. Backport candiate?
svn:r11287
Add a hacked-up GETINFO desc/all-recent-extrainfo-hack so that torstat can keep working with a minimum of fuss, until it learns about extrainfo documents.
svn:r11269
Finish implementing and documenting proposal 108: Authorities now use MTBF data to set their stability flags, once they have at least 4 days of data to use.
svn:r11240
Expire application streams in all cases if they've been around
longer than SocksTimeout. Right now there are some cases where the
stream will live forever, demanding a new circuit every 15 seconds.
Bugfix on 0.1.2.7-alpha; fixes bug 454; reported by lodger.
svn:r11186
Long overdue test.c refactoring: add --warn/--notice/--info/--debug command line options to set logging levels, and let the user specify which tests to run from the commmand line.
svn:r11167
When we are loading state info from disk, never believe any date in the future. Doing so can keep us from retrying guards, rotating onion keys, storing bandwidth info, etc. Fixes bug 434, and others. Backport candidate, once it has been tested.
svn:r11166
Fix a bug caught by Kate: when we switched from masks to bits in 0.2.0.3-alpha, we added a spurious ! that made us never believe that any address fell inside a virtual address range. While we're at it, save a trip around the loop in the common case.
svn:r11129
- If we require CookieAuthentication but we fail to write the
cookie file, we would warn but not exit, and end up in a state
where no controller could authenticate. Now we exit.
- If we require CookieAuthentication, stop generating a new cookie
every time we change any piece of our config.
svn:r11117
Drop v1 directory support: instead, just generate stub v1 directories. This should save lots and lots of directory bandwidth, and break any code relying on v1 directories, including Tor 0.1.0.x and earlier.
svn:r11067
Glibc (and maybe others) define a mallinfo() that can be used to see how the platform malloc is acting inside. When we have it, dump its output on dumpmemusage().
svn:r10996
More directory voting code. Now, if everything works, and I haven't forgotten anything, it is possible to set up some v3 authorities and start voting. Of course, I have probably forgotten something, and there are probably bugs in there somewhere too.
svn:r10976
Cheesy attempt to break some censorware. Not a long-term fix, but it will be intersting to watch the epidemiology of the workarounds as the censors apply them.
svn:r10975
Implement proposal 109: As an authority, never call more than 3 servers per IP Running and Valid. Prefer Running servers to non-running ones; then prefer high-bandwidth to low-bandwidth. Needs testing.
svn:r10968
Make our control events for multi-line async replies conform to our old grammar. Change back to the old grammar (which got "corrected" in r10931).
svn:r10964
Weasel noticed that many buffers spend their time with empty 4k, 8k, and 16k memory chunks. Thus, be more aggressive about putting empty chunks on the freelist, regardless of their high water marks. (Also, run buffer_shrink_freelist on the 8k-chunk freelist.)
svn:r10953
Fix router_choose_by_bandwidth to no longer be biases by floating-point roundoff issues. This runs through the list of routers yet another time, and uses an additional bitfield, but this should be okay: the function did not appear in profiles before, and shouldnt start appearing now.
svn:r10939
Patch from Robert Hogan: set conn->dns_server_port correctly so that we can close dns server ports when they change, thus avoiding crashes and dangling references and other sources of unhappiness.
svn:r10933
ADDRMAP events should never have specified local time. Extend them to have the proper gmt time, and make GETINFO address-mappings always do the right thing (since it is new in this version).
svn:r10930
at least 100KB/s, and consider their bandwidth adequate to be a
Guard if it is at least 250KB/s. This fix complements proposal
107. [Bugfix on 0.1.2.x]
svn:r10897
Another patch from croup: drop support for address masks that do not correspond to bit prefixes. Nobody has used this for a while, and we have given warnings for a long time.
svn:r10881
We had accidentally labelled 0.1.2.x directory servers as not
suitable for begin_dir requests, and had labelled no directory
servers as suitable for uploading extra-info documents. [Bugfix
on 0.2.0.1-alpha]
svn:r10853
Patch from croup: rewrite the logic of get_next_token() to do the right thing with input that ends at weird places, or aligns with block boundaries after mmap. should fix bug 455. Needs fuzzing.
svn:r10847
Tweaks on constrained socket buffers patch from coderman: Add a changelog; rename some variables; fix some long lines and whitespace; make ConstrainedSockSize a memunit; pass setsockopt a void.
svn:r10843
Fix a potential crash bug when we load many server descriptors at
once and some of them make others of them obsolete. Fixes bug
458. [Bugfix on 0.1.2.x]
svn:r10832
Patch from lodger: avoid roundoff-error-induced crash bugs when picking routers by bandwidth.
Also, remove listed backports for 0.1.2.x; that list is now in TODO.012
svn:r10812
When sending destroy cells from a circuit's origin, don't include
the reason for tearing down the circuit. The spec says we didn't,
and now we actually don't. Reported by lodger. [Bugfix on 0.1.2.x]
svn:r10790
Patch from Robert Hogan: Generate STREAM NEW events for dnsport requests and tunneled directory connections. Log when we are testing for hijacking.
svn:r10737
never choose any guards past it. This way we don't expand our
guard list unless we need to. [Bugfix in 0.1.2.x]
I'm not sure if this will solve all our problems, but it is at least
something.
svn:r10730
Fix solaris eventdns.c behavior. This time, I think I got it. We were redefining _FILE_OFFSET_BITS, and thereby calling fstat64() on a struct stat, or something like that.
svn:r10643
Fix the fix for bug 445: set umask properly. Also use open+fdopen rather than just umask+fopen, and create authority identity key with mode 400.
svn:r10485
Add some code to mitigate bug 393: Choose at random from multiple hidden service ports with the same virtport. This allows limited ad-hoc round-robining.
svn:r10398
Well, that was easier than I thought it would be. Tor is now a DNS proxy as well as a socks proxy. Probably some bugs remain, but since it A) has managed to resolve one address for me successfully, and B) will not affect anybody who leaves DNSPort unset, it feel like a good time to commit.
svn:r10317
backport candidate: Warn when using a version of libevent before 1.3b to run a server on osx or bsd: these versions of libevent interact badly with userspace threads.
svn:r10307
Partial backport candidate: We had a bug where we were downloading descriptors by descriptor digest, but trying to look them up by identity fingerprint when updating their failure count and next retry time. (Also use correct backoff logic for extrainfo code.) Needs testing, doubtless.
svn:r10210
Patch from shibz: implement a getinfo status/version/... so a controller can tell whether the current version is recommended, whether any versions are good, and how many authorities agree.
svn:r10162
If a directory server runs out of space in the connection table
as it's processing a begin_dir request, it will free the exit stream
but leave it attached to the circuit, leading to unpredictable
behavior. (Reported by seeess, fixes bug 425.)
svn:r10154
[Backport candidate] On windows, open cached-routers with the sharing mode "FILE_SHARE_READ so that other processes can read it while Tor is running. (Reported by Janbar).
svn:r10148
authorities should set. This will let future authorities choose
not to serve V2 directory information.
Also, go through and revamp all the authdir_mode stuff so it tries
to do the right thing if you're an auth but not a V1 or V2 auth.
svn:r10092
(Needs review.) Allow directory authorities to accept multiple router descriptors and extra info documents in a single POST. This will make implementing the client side of proposal 104 a lot simpler.
svn:r10069
Initial version of patch from Karsten Loesing: Add an HSAuthorityRecordStats option to track statistics of overall hidden service usage without logging information that would be useful to an attacker.
svn:r10067
Backport candidate: Add asserts to dirserv_remove_invalid, and fix a bug in dirserv_remove_invalid that could mess with pointers in a freed routerinfo right after it was freed.
svn:r10052
Initial version of code to stop using socket pairs for linked connections. Superficially, it seems to work, but it probably needs a lot more testing and attention.
svn:r9995
Track the number of connection_t separately from the number of open sockets. It is already possible to have connections that do not count: resolving conns, for one. Once we move from socketpairs to linked conns, and once we do dns proxying, there will be lots of such connections.
svn:r9994
Refactor router/directory parsing backend: use a separate token table for everything that we parse, and enforce the correct count of each item.
svn:r9965
More autoconf hacking: use same machinery to find zlib as for openssl and libevent. Have unified library finder include setup for --with variable. Start trying to suggest to the user what packages they should install if finding the library fails.
svn:r9945
A surprisingly simple patch to stop reading on edge connections when their circuits get too full, and start again when they empty out. This lets us remove the logic to block begin_dir conns when the corresponding or conns get full: it was already broken by cell queues anyway.
svn:r9905
Initial version of circuit-based cell queues. Instead of hammering or_conns with piles of cells, queue cells on their corresponding circuits, and append them to the or_conn as needed. This seems to work so far, but needs a bit more work. This will break the memory-use-limitation patch for begin_dir conns: the solution will be a fun but fiddly.
svn:r9904
directory information requested inside Tor connections (i.e. via
begin_dir cells). It only triggered when the same connection was
serving other data at the same time. Reported by seeess.
Backport candidate.
svn:r9841
behavior for getinfo addr-mappings/*. this is because
the code and spec have been mismatched since at least
0.1.1.x, so i would be surprised if nobody at all is
relying on the current behavior.
backport candidate.
backbackport candidate.
svn:r9823
uptime of at least 30 days, even if that's not the median uptime
in the network. Implements proposal 1xx, suggested by Kevin Bauer
and Damon McCoy.
svn:r9788
Remove support for v0 control protocol from 0.2.0.x trunk; send back error when we receive a v0 control message. (Leave "if(v1){...}"blocks indented for now so this patch is easier to read.) ((Finally, the linecount goes _down_ a little.))
svn:r9735
Make all LD_BUG log messsages get prefixed with "Bug: ". Remove manually-generated "Bug: "s from log-messages. (Apparently, we remembered to add them about 40% of the time.)
svn:r9733
nt_service_is_stopping should not load the NT service library calls: if they are not loaded, we cannot possibly be a service trying to shut own. Bug found by "norvid" on or-talk. Also, rename function to something slightly less error-prone.
svn:r9720
On mingw, use "%I64u" to printf/scanf 64-bit integers, instead of the usual GCC "%llu". This prevents a bug when saving 64-bit int configuration values on mingw; the high-order 32 bits would get truncated. If the value was then reloaded, disaster would occur. (Fixes bug 400 and maybe also bug 397.) Backport candidate.
svn:r9691
Fix a bug found by Udo van den Heuvel: avoid an assertion failure when a controller sets and clears EntryNodes before the next call to choose_random_entry(). Also make a function static.
svn:r9669
try to make aes encryption of cells about 30-40% faster where applicable. offer not available for all architectures or all versions of openssl.
svn:r9663
Fix connection_get_by_type_state_rendquery(): This has been bogus for most of 0.1.2.x. Thanks to Karsten Loesing for finding the bug; fixes bug 399.
svn:r9651
Make remap stream events have a souce; make them generated every time we get a successful connected or resolved cell. Also change reported stream target address to IP consistently when we get the IP from an exit node.
svn:r9624
Fix two XXXX012 issues in routerlist.c: a possible performance issue hasnt shown up on any profiles, so unflag it. Stop warning when we get a router descriptor that we asked for but no longer want: just drop it (if we are not a cache) or cache if (if we are).
svn:r9616
Another optimization suggested by Shark output: shave off >90% of uses of logv by cutting down on calls to log_debug when log actually debugging. This is showing up in some profiles bug not others, and might be as much as 2.5%.
svn:r9612
As a trivial optimization, remove a redundant call to router_have_minimum_dir_info. This might shave 2% on some systems by according to some profilers.
svn:r9610
Apply patch from coderman: have posix subthreads mask out signals. This could prevent some kinds of crashes when subthreads try to handle SIGPIPEs and die in the attempt. Backport candidate.
svn:r9603
Fix a longstanding dnsworker-related bug: when we decide to kill a DNS worker for having been in use too long, and we independently decide to close one of the exit connections waiting for that DNS worker (perhaps because we got an END relay cell), it was possible for us to try to double-free the connection. We were smart enough to detect this and assert, but not smart enough to fix this bug before now. This should resolve bug 390. Backport candidate.
svn:r9581
Node-picking fixes: Never warn when a down node is listed in a config option (bug 348); always warn when a node in a config option is unnamed. Also, when entrynodes is configured, then build the guard list as: (parts of EntryNodes that were guards before), (the rest of EntryNodes), (the rest of the old guards). This last point ensures that EntryNode users will get the EntryNodes they want with the minimum change to their guard list.
svn:r9574
Do not try to load advapi32.dll except when the user asks us to do something with NT services. When we _do_ try, always treat failure to load service functions as an exit-worthy error. Needs testing. (Fixes bug 389)
svn:r9571
Handle errors on opening cached-routers* more uniformly and sanely: log not-found errors at level INFO, and all other errors at level WARN. Needs testing on win32.
svn:r9569
Implement proposal 106: stop requiring clients to have certificates, and stop checking for nicknames in certificates. [See proposal 106 for rationale.] Also improve messages when checking TLS handshake, to re-resolve bug 382.
svn:r9568
Resolve some XXXX012 items:
- Remove PathlenCoinWeight: if we want it again, we can add it
back in.
- Ditto with RelayBandwidth*.
- Decide to leave in the "hey, you didn't set end_reason!" BUG log message,
but stop telling people to bug me personally.
- Postpone strengthening assert_connection_ok(): it's important, but
it's also a good way to introduce weird bugs.
- Move some expensive consistency checking from dns_free_all() into
assert_cache_ok().
svn:r9533
Fix several bugs in computing recommended versions. 1) refactor is-this-version-good handling and which-vesions-are-good handling to be in the same place. 2) a version is recommended if more than half of the versioning authorities like it, not >= half. 3) "NEW_IN_SERIES" should mean, "I don't know of an 0.1.1.x this recent, and there are some 0.1.2.x versions out", not "I don't know of an 0.1.1.x this recent, but I know some older ones." This should resolve bug 383.
svn:r9523
Set hibernate_end_time whenever we start hibernating. This fixes a problem where we would start hibernating upon startup (since it isn't time to wake up yet) but we would wind up setting the "stop hibernating" time not to the wakeup time, but to the end of the interval. Also, split hibernate_end_time from shutdown_time. Possible fix for bug 362.
svn:r9512
Report stream end events where a resolve succeeded or where we got a socks protocol error correctly, rather than calling both of them "INTERNAL". Turn ALREADY_SOCKS_REPLIED into a flag rather than a reason. This will help debug 367 part 2 a little.
svn:r9511
(Hopefully) final changes for 0.1.2.7-alpha: disable checking for whether the user account in question exists on --service install, since that seems to make windows go boom. We can figure out why later. Also, let the admin specify a password for the target user.
svn:r9506
The --service install code can no longer default to adding an -f option for the appdata directory of the current user, since the target user probably will not be able to read it. Instead, warn the user if no explicit torrc filename is given.
svn:r9502
Fix bug 254, sort of: make the default NT service user NetworkService rather than NULL (system). Also, add a --user argument to --service install so that admins can override this default: this latter point should take care of most of my objections to NetworkService. I have no idea whether this even compiles.
svn:r9486
Add a REMAP state to stream events so that controllers can learn exactly when the target address for a stream has changed. May help Vidalia resolve confusions related to bug 375.
svn:r9484
Fix an XXXX012, and make circuits_pending_or_conns a static variable. In addition to cleaning up the code, this may also resolve Bug 386 if Roger has the right intuition there.
svn:r9482
Add a couple of fixes I turned up while writing regression tests for libevent: Allow DNS servers on ports other than 53, and handle TTLs correctly on reverse hostname lookups.
svn:r9458
directory tunnel without knowing a descriptor first. Still not
ready yet. As part of the change, now assume we can use a
create_fast cell if we don't know anything about a router.
svn:r9440
This one is a little tricky. Our BEGIN_DIR implementation has a
problem: the dirserv conns will decide they can flush all their data
immediately, since the edge_conns will read greedily.
For our 0.1.2 workaround, we track which or_conn a bridged dirserv
conn is attached to, and stop writing when its outbuf is too full, and
start writing again when the or_conn's outbuf empties out a little.
This requires a bit of pointer management. Let's hope it works.
svn:r9432
When logging TLS certificate and identity-related errors, scrub IP addresses for incoming connections, and distinguish between incoming and outgoing connections in log messages. Backport candidate.
svn:r9391
Fix an XXXX012 in routerlist.c: when we do not have enough networkstatuses to launch router requests, do not launch router requests. Backport candidate.
svn:r9388
Implement SOCKS_BAD_HOSTNAME status event. Defer remaining status events. Clean up control-spec.txt a little, and fill in recommendations for events.
svn:r9374
Apparently, the OpenBSD linker thinks it knows C better than I do, and gets to call me names for having strcat and strcpy and sprintf in my code--whether I use them safely or not. All right, OpenBSD. You win... this round.
svn:r9360
Tidy up ORCONN reason patch from Mike Perry. Changes: make some of the handling of TLS error codes less error prone. Enforce house style wrt spaces. Make it compile with --enable-gcc-warnings. Only set or_conn->tls_error in the case of an actual error. Add a changelog entry.
svn:r9355
handshake to finish. Previously we would let them sit around for
days, if the connecting application didn't close them either.
Also take this opportunity to refactor a duplicate bit of circuituse.c.
And change the semantics of SocksTimeout slightly, but I think it'll
be ok.
svn:r9350
Check addresses for rfc953-saneness at exit too, and give a PROTOCOL_WARN when they fail. Also provide a mechanism to override this, so blossom can have its @@##$$^.whatever.exit hostnames if it wants.
svn:r9336
Clear untrusted networkstatuses after 10 days too. (This is not a terribly awful bug, since we would only ever retain 16 of them, but it still might be nice to backport.) Resolves part A of bug 372.
svn:r9324
Implement a control status event for bad libevent version/method combos. Warn that libevent <1.1 with select() is needlessly slow. Reply to comment.
svn:r9284
Fix computation of total_exit_bandwidth; this will cause exits not to get recommended as guards if the total exit bandwidth if they constitute less than a third of total available bandwidth. There may be problems here with flapping; lets see if they occur in practice.
svn:r9281
Re-enable warning when we resolve an already resolved address. We only warn here now if the address is not a testing address. Also, refactor out a function to check whether an address is used for testing.
svn:r9280
Add (and specify) a BadDirectory flag to networkstatuses, so authorities can tell clients that some caches are broken. Also, implement an as-yet-unused function to estimate how many bytes will be sent on a directory connection.
svn:r9255
Close any directory connection on which we have received 10MB or more of data. This prevents a malicious directory cache from running us out of memory by spooling an infinite amount of data. (Not a terribly good attack, but hey, every one helps.)
svn:r9210
Count TLS bytes accurately: previously, we counted only the number of bytes read or transmitted via tls, not the number of extra bytes used to do so. This has been a lonstanding wart. The fix "Works for me".
svn:r9207
If we only have a single nameserver, raise the threshold to decide that the nameserver is dead. (Another fumbling attempt to do something about bug 326.)
svn:r9203
Fix bug 364: check for whether popular hostnames (curently google, yahoo, mit, and slashdot) are getting wildcarded. If they are, we are probably behind a DNS server that is useless: change our exit policy to reject *:*.
svn:r9199
Better handling of internal addresses wrt X-Your-Address-Is (never believe them; never provide them.) Also, report something useful for X-Your-Address-Is with one-hop tunneled connections.
svn:r9191
Patch from Edmanm, slightly modified. Original change list:
- Support running the Tor service with a torrc not in the
same directory as tor.exe (Bug #356) and default to using the torrc
located in the %appdata%\Tor\ of the user who installed the service
- Removed the supposedly misleading error message mentioned in Bug #294
- Fixed some CloseHandle()s that should've been CloseServiceHandle()s
- Fixed some nt_service_foo() return values to be consistent
- Resolved some nt_service_foo() DOCDOCs
- Fixed one trivial typo that I happened to randomly notice
Changes:
- Make more comments into "imperative" house style.
- Remove special handling for "-f"; only use --options.
- Quote all options.
- Clean up whitespace
svn:r9185
Track when we get 503s from directory servers. Do not use directory servers that have given us a 503 until either an hour has passed, or we are are out of non-busy servers.
svn:r9172
Add an orport option to dirserver lines so that clients can tell where to connect to open an encrypted tunnel to a dirserver even before they have its descriptor.
svn:r9171
Fix bug found by Keith Skinner: Treat malformed max-ports in address ranges as an error, and dont ignore errors with min-ports even if a max-port is present.
svn:r9168
Add a maintainer script and a new make target "make check-docs" to get a quick dump of which options are undocumented where, and which documentation refers to nonexistent options.
svn:r9160
schedule. Now the first connect attempt will wait a full 10
seconds before switching to a new circuit. Perhaps this will help
a lot. Based on observations from Mike Perry.
svn:r9159
Resolve bug 363: do not fall back to 127.0.0.1 when no nameservers are configured. Instead, have the admin fix resolv.conf or configure a nameserver.
svn:r9157
Add internal documentation for a bunch of configuration options. We should do something to keep this list, the canonical list, the tor.1 list, and the torrc.complete list in sync.
svn:r9133
Add a LastRotatedOnionKey variable to the state file, so we can rotate onion keys a week after they change even if we never stay up for a whole week at a time. Should fix bug 368.
svn:r9120
Resolve bug 369: Check for integer underflow when printing "bytes left" accounting numbers. Also fix a copyright date that I noticed while reading the bug. Also make a buffer big enough that strings will not get truncated. All are backport candidates.
svn:r9115
Fix a longstanding bug in eventdns related to timeouts: The timeout count was never actually reset to 0. Argh. Now we reset it to zero after we get a successful request, or after we notice that a nameserver is back up, or after we decide the nameserver is down because of timeouts. This may fix bug 326.
svn:r9054
Round stored/transmitted values for bandwidth usage. This might make some attacks work less well. This might well be voodoo, but it gives me a warm fuzzy feeling.
svn:r9048
Revise logic used to flush state to disk. Now, we try to batch non-urgent changes so that we do not do too many writes, and we save very-non-urgent changes every once in a rare while, and we never save more than once per second.
svn:r9047
Make bandwidth accounting information get stored to the state file as well as bw_accounting. Read from the state file if it is more recent than bw_accounting, or if bw_accounting is not there.
svn:r9044
Change logging format of state file to only include non-default values. Adjust clients to never store bandwidth history in the state file. (Possible backport candidate.)
svn:r9043
Fix bug 338: log verbose nicknames, not just keys, for intro points. Also, suppress intro point name logging when SafeLogging is 1. (The security part is a possible backport candidate.)
svn:r9041
Oops, forgot ChangeLog on last commit. The commit was: Fix a couple of obvious bugs in tor_mmap_file on Windows: first, fix a boolean error when checking the return value of CreateFileMapping. Second, CreateFileMapping is documented to return NULL on failure.
svn:r9036
Fix router_new_address_suggestion() so it only changes last_guessed_ip() when it actually calls resolve_my_address(). (bug found by dev-girl)
svn:r8996
Tweaks to test-connection patch: use ".noconnect" instead of ".test" (since there are lots of ways to test things). Use a regular sequence of STREAM events (NEW followed by CLOSED) instead of a new event type. Make the function that checks the address be static and use const and strcasecmpend properly.
svn:r8959
Add support for (Free?)BSD's natd, which was an old way to let you
have your firewall automatically redirect traffic. (Original patch
from Zajcev Evgeny, updated for 0.1.2.x by tup.)
svn:r8946
Let directory authorities set the BadExit flag if they like. Also, refactor directory authority code so we can believe multiple things about a single router, and do fewer linear searches.
svn:r8794
Have connection_about_to_close use an end_reason field in edge_connection_t to tell what reason to tell the controller for closing the stream. Set end_reason in connection_edge_end, connection_mark_unattached_ap, and everwhere we set edge_has_sent_end. Add a changelog entry.
svn:r8779
Fix longstanding bug in connection_exit_begin_conn(): Since connection_edge_end() exits when the connection is unattached, we were never sending RELAY_END cells back for failed RELAY_BEGIN attempts. Fix this. This might make clients that were otherwise timing out either fail faster or retry faster, which is good news for us.
svn:r8770
Add pragma:no-cache and expires headers so that directory lookups can work better in the presence of caching HTTP proxies. (I would have used Cache-Control, but that is an HTTP/1.1 thing.) All timeouts are currently wild-assed guesses.
svn:r8765
Add unit tests for tor_mmap_file(); make tor_mmap_t.size always be the size of the file (not the size of the mapping); add an extra argument to read_file_to_str() so it can return the size of the result string.
svn:r8762
Never discard a descriptor for being too old until either it is recommended by no authorities, or until we download a better (more recent and recommended) one for the same router. This will eventually make it possible for servers to publish less often.
svn:r8761
Fix an XXX in handling destroy cells: when we get a destroy cell with reason FOO, do not tell the controller REASON=FOO. Instead, say REASON=DESTROYED REMOTE_REASON=FOO. Suggested by a conversation with Mike Perry.
svn:r8760
Change to BadExit logic: Let authorities set an "I list bad exits" flag. Consider an exit bad if it is listed as bad by more than half of *those* authorities. This gives us a better migration path.
svn:r8756
Apply patch from Mike Perry: add more reasons for circuit destroys. (Slightly tweaked to avoid allocating a number for an "internal" reason.)
svn:r8739
Add client support for a 'BadExit' flag, so authorities can say "Server X is a poor choise for your nytimes.com connections, as it seems to direct them to HoorayForMao.com or (more likely) WouldYouLikeToBuyTheseFineEncyclopedias.com"
svn:r8690
Touch up last patch (to add REASON to CIRC events): make some reasons
more sensible, send reasons only to controllers that have enabled
extended events, and clean up whitespace.
svn:r8672
Win32 patch from Matt Edman: fix compilation bugs by casting to int; defining SSIZE_T; defining USE_TWOS_COMPLEMENT in windows orconfig.h; and using the proper names for win32 functions on GetProcAddress. Also fixes bug 295.
svn:r8669
Make TrackExitHosts case-insensitive, and fix the behavior of .suffix TrackExitHosts items to avoid matching in the middle of an address. (Resolves an XXXX)
svn:r8579
Move is_local_IP to config.c; have it check for same-/24; make it used only for reachability (not for banwidth, because that is probably not what we want). Fixes an XXX.
svn:r8578
hidden service authorities too.
- Just because your DirPort is open doesn't mean people should be
able to remotely teach you about hidden service descriptors. Now
only accept rendezvous posts if you've got HSAuthoritativeDir set.
svn:r8573
Disprefer exit nodes for entry, middle positions (fixes bug 200). Also, switch to using a uint64_t to hold "total bandwidth for all nodes" under consideration; crypt_rand_int would have died at 2GB/s network capacity.
svn:r8571
Reserve the nickname "Unnamed" for routers that can't pick a hostname; any
router can call itself Unnamed; directory servers will never allocate Unnamed
to any particular router; clients won't believe that any router is the
canonical Unnamed.
svn:r8529
[Needs review.] Add a BEGIN_DIR relay cell type for an easier
in-protocol way to connect to directory servers through Tor.
Previously, clients could only connect to director servers over Tor
from exit nodes, but couldn't get directory information anonymously
from a non-exit cache without getting a directory server involved.
This needs testing, and needs client-side code to actually exercise it.
svn:r8527
Make "is a v1 authority", "is a v2 authority", and "is a hidden service authority" into separate flags so we can eventually migrate more trust away from moria.
svn:r8523
Refactor entry guard status logic a lot; allow more factors [like not
having a Guard flag or being listed in ExcludeNodes] to render a guard
"unlisted" (now called "unusable"); track guard down status (now
called "unreachable") separately from is_running.
svn:r8519
client asks us to resolve (not connect to) an address, and we have a
cached answer, give them the cached answer. Previously, we would give
them no answer at all.
svn:r8478
Instead of just checking known-invalid addresses for DNS hijacking, we
now check randomly generated addresses, and if too many of them map to
the same IP, we assume that IP is the destination of a DNS hijack
attempt.
A little bird tells me that some DNS hijackers think that declining to
give an A record for RFC2606 addresses (like .invalid and .example)
makes them more standards compliant. Standardswise, this is like an
illicit brothel making sure that nobody has pulled the tags off the
mattresss, but that doesn't get us out of working around it.
svn:r8465