-rw-r--r-- | changes/bug1038-3 | 6 | ||||
-rw-r--r-- | changes/bug12718 | 5 | ||||
-rw-r--r-- | changes/bug12730-systemd-verify-config | 3 | ||||
-rw-r--r-- | changes/ticket12688 | 6 | ||||
-rw-r--r-- | changes/ticket12690 | 9 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | contrib/dist/tor.service.in | 1 | ||||
-rw-r--r-- | contrib/win32build/tor-mingw.nsi.in | 2 | ||||
-rw-r--r-- | doc/tor.1.txt | 8 | ||||
-rw-r--r-- | src/or/channel.c | 2 | ||||
-rw-r--r-- | src/or/command.c | 20 | ||||
-rw-r--r-- | src/or/config.c | 7 | ||||
-rw-r--r-- | src/or/control.c | 2 | ||||
-rw-r--r-- | src/or/dirserv.c | 5 | ||||
-rw-r--r-- | src/or/entrynodes.c | 20 | ||||
-rw-r--r-- | src/win32/orconfig.h | 2 |
16 files changed, 78 insertions, 22 deletions
diff --git a/changes/bug1038-3 b/changes/bug1038-3
new file mode 100644
index 0000000000..5af4afa46f
--- /dev/null
+++ b/changes/bug1038-3
@@ -0,0 +1,6 @@
+ o Minor bugfixes:
+ - Warn and drop the circuit if we receive an inbound 'relay early'
+ cell. Those used to be normal to receive on hidden service circuits
+ due to bug 1038, but the buggy Tor versions are long gone from
+ the network so we can afford to resume watching for them. Resolves
+ the rest of bug 1038; bugfix on 0.2.1.19.
diff --git a/changes/bug12718 b/changes/bug12718
new file mode 100644
index 0000000000..0c5f708446
--- /dev/null
+++ b/changes/bug12718
@@ -0,0 +1,5 @@
+ o Minor bugfixes:
+ - Correct a confusing error message when trying to extend a circuit
+ via the control protocol but we don't know a descriptor or
+ microdescriptor for one of the specified relays. Fixes bug 12718;
+ bugfix on 0.2.3.1-alpha.
diff --git a/changes/bug12730-systemd-verify-config b/changes/bug12730-systemd-verify-config
new file mode 100644
index 0000000000..221633c78e
--- /dev/null
+++ b/changes/bug12730-systemd-verify-config
@@ -0,0 +1,3 @@
+ o Distribution:
+ - Verify configuration file via ExecStartPre in the systemd unit file.
+ Patch from intrigeri; resolves ticket 12730.
diff --git a/changes/ticket12688 b/changes/ticket12688
new file mode 100644
index 0000000000..88228e5506
--- /dev/null
+++ b/changes/ticket12688
@@ -0,0 +1,6 @@
+ Major features:
+ - Make the number of entry guards configurable via a new
+ NumEntryGuards consensus parameter, and the number of directory
+ guards configurable via a new NumDirectoryGuards consensus
+ parameter. Implements ticket 12688.
+
diff --git a/changes/ticket12690 b/changes/ticket12690
new file mode 100644
index 0000000000..5091883602
--- /dev/null
+++ b/changes/ticket12690
@@ -0,0 +1,9 @@ + o Minor features: + - Authorities now assign the Guard flag to the fastest 25% of the + network (it used to be the fastest 50%). Also raise the consensus + weight that guarantees the Guard flag from 250 to 2000. For the + current network, this results in about 1100 guards, down from 2500. + This step paves the way for moving the number of entry guards + down to 1 (proposal 236) while still providing reasonable expected + performance for most users. Implements ticket 12690. + diff --git a/configure.ac b/configure.ac index 1d8cfa78f0..c37f154222 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ dnl Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson dnl Copyright (c) 2007-2013, The Tor Project, Inc. dnl See LICENSE for licensing information -AC_INIT([tor],[0.2.5.5-alpha-dev]) +AC_INIT([tor],[0.2.5.6-alpha]) AC_CONFIG_SRCDIR([src/or/main.c]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE diff --git a/contrib/dist/tor.service.in b/contrib/dist/tor.service.in index 1d52f622fa..2fe51c75d9 100644 --- a/contrib/dist/tor.service.in +++ b/contrib/dist/tor.service.in @@ -4,6 +4,7 @@ After = syslog.target network.target nss-lookup.target [Service] Type = simple +ExecStartPre = @BINDIR@/tor -f @CONFDIR@/torrc --verify-config # A torrc that has "RunAsDaemon 1" won't work with the "simple" service type; # let's explicitly override it. ExecStart = @BINDIR@/tor -f @CONFDIR@/torrc --RunAsDaemon 0 diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in index f7c025e7d6..5d94fd9e58 100644 --- a/contrib/win32build/tor-mingw.nsi.in +++ b/contrib/win32build/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.2.5.5-alpha-dev" +!define VERSION "0.2.5.6-alpha" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 1ccf847c30..abe613e569 100644 
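Review bot: The added `ExecStartPre` line in contrib/dist/tor.service.in has no comment, while the `ExecStart` override directly below it is explained. A line such as `# Refuse to start on an invalid torrc: a failing --verify-config stops the unit before ExecStart runs.` would tell packagers why tor is invoked twice. The check parses torrc without the `--RunAsDaemon 0` override that `ExecStart` passes, so the two command lines do not validate exactly the same option set; that looks harmless for this option, but the comment is the place to say so.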
--- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1092,12 +1092,16 @@ The following options are useful only for clients (that is, if [[NumEntryGuards]] **NumEntryGuards** __NUM__:: If UseEntryGuards is set to 1, we will try to pick a total of NUM routers - as long-term entries for our circuits. (Default: 3) + as long-term entries for our circuits. If NUM is 0, we try to learn + the number from the NumEntryGuards consensus parameter, and default + to 3 if the consensus parameter isn't set. (Default: 0) [[NumDirectoryGuards]] **NumDirectoryGuards** __NUM__:: If UseEntryGuardsAsDirectoryGuards is enabled, we try to make sure we have at least NUM routers to use as directory guards. If this option - is set to 0, use the value from NumEntryGuards. (Default: 0) + is set to 0, use the value from the NumDirectoryGuards consensus + parameter, falling back to the value from NumEntryGuards if the + consensus parameter is 0 or isn't set. (Default: 0) [[GuardLifetime]] **GuardLifetime** __N__ **days**|**weeks**|**months**:: If nonzero, and UseEntryGuards is set, minimum time to keep a guard before diff --git a/src/or/channel.c b/src/or/channel.c index 964b3fcac3..3072effc8f 100644 --- a/src/or/channel.c +++ b/src/or/channel.c @@ -3352,7 +3352,7 @@ channel_dump_statistics(channel_t *chan, int severity) U64_PRINTF_ARG(chan->timestamp_recv), U64_PRINTF_ARG(now - chan->timestamp_recv)); tor_log(severity, LD_GENERAL, - " * Channel " U64_FORMAT " last trasmitted a cell " + " * Channel " U64_FORMAT " last transmitted a cell " "at " U64_FORMAT " (" U64_FORMAT " seconds ago)", U64_PRINTF_ARG(chan->global_identifier), U64_PRINTF_ARG(chan->timestamp_xmit), diff --git a/src/or/command.c b/src/or/command.c index fa2a0e74e7..1f6f93a868 100644 --- a/src/or/command.c +++ b/src/or/command.c 
@@ -474,10 +474,22 @@ command_process_relay_cell(cell_t *cell, channel_t *chan) * gotten no more than MAX_RELAY_EARLY_CELLS_PER_CIRCUIT of them. */ if (cell->command == CELL_RELAY_EARLY) { if (direction == CELL_DIRECTION_IN) { - /* Allow an unlimited number of inbound relay_early cells, - * for hidden service compatibility. There isn't any way to make - * a long circuit through inbound relay_early cells anyway. See - * bug 1038. -RD */ + /* Inbound early cells could once be encountered as a result of + * bug 1038; but relays running versions before 0.2.1.19 are long + * gone from the network, so any such cells now are surprising. */ + log_warn(LD_OR, + "Received an inbound RELAY_EARLY cell on circuit %u." + " Closing circuit. Please report this event," + " along with the following message.", + (unsigned)cell->circ_id); + if (CIRCUIT_IS_ORIGIN(circ)) { + circuit_log_path(LOG_WARN, LD_OR, TO_ORIGIN_CIRCUIT(circ)); + } else if (circ->n_chan) { + log_warn(LD_OR, " upstream=%s", + channel_get_actual_remote_descr(circ->n_chan)); + } + circuit_mark_for_close(circ, END_CIRC_REASON_TORPROTOCOL); + return; } else { or_circuit_t *or_circ = TO_OR_CIRCUIT(circ); if (or_circ->remaining_relay_early_cells == 0) { diff --git a/src/or/config.c b/src/or/config.c index 10df83975f..2661ce3b73 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -147,7 +147,7 @@ static config_var_t option_vars_[] = { V(AuthDirInvalid, LINELIST, NULL), V(AuthDirInvalidCCs, CSV, ""), V(AuthDirFastGuarantee, MEMUNIT, "100 KB"), - V(AuthDirGuardBWGuarantee, MEMUNIT, "250 KB"), + V(AuthDirGuardBWGuarantee, MEMUNIT, "2 MB"), V(AuthDirReject, LINELIST, NULL), V(AuthDirRejectCCs, CSV, ""), V(AuthDirRejectUnlisted, BOOL, "0"), 
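Review bot: The two `log_warn` calls added to the inbound `CELL_RELAY_EARLY` branch are not rate limited, although the remote side decides when they fire. Each circuit is closed after one report, but a peer that keeps getting circuits through this node can still fill the log at warn level and bury the reports an operator would want to read. Consider Tor's rate-limited logging here, e.g. `static ratelim_t early_warning_limit = RATELIM_INIT(3600);` and `log_fn_ratelim(&early_warning_limit, LOG_WARN, LD_OR, ...)` for the first message (the interval is a constructed example). In the non-origin case with `circ->n_chan` NULL nothing identifies the sender, so an `else` that logs that fact would complete the report. The body of `command_process_relay_cell` starts and ends outside the hunk.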
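Review bot: The new `"2 MB"` default for `AuthDirGuardBWGuarantee` is not obviously the 2000 that changes/ticket12690 announces. If the MEMUNIT parser reads MB as 2^20 bytes (not visible here), the stored value is 2097152 bytes, and the conversion back to KB happens in code outside this diff; a comment such as `/* 2 MB: Guard flag is guaranteed at or above this bandwidth */` beside the entry, with the exact KB figure confirmed, would remove the doubt. The doc/tor.1.txt hunk in this commit only touches the guard-count options, so if the man page states a default for this option it is presumably stale now. The `option_vars_` table starts and ends outside the hunk.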
@@ -325,7 +325,7 @@ static config_var_t option_vars_[] = { VAR("NodeFamily", LINELIST, NodeFamilies, NULL), V(NumCPUs, UINT, "0"), V(NumDirectoryGuards, UINT, "0"), - V(NumEntryGuards, UINT, "3"), + V(NumEntryGuards, UINT, "0"), V(ORListenAddress, LINELIST, NULL), VPORT(ORPort, LINELIST, NULL), V(OutboundBindAddress, LINELIST, NULL), @@ -3251,9 +3251,6 @@ options_validate(or_options_t *old_options, or_options_t *options, "have it group-readable."); } - if (options->UseEntryGuards && ! options->NumEntryGuards) - REJECT("Cannot enable UseEntryGuards with NumEntryGuards set to 0"); - if (options->MyFamily && options->BridgeRelay) { log_warn(LD_CONFIG, "Listing a family for a bridge relay is not " "supported: it can reveal bridge fingerprints to censors. " diff --git a/src/or/control.c b/src/or/control.c index 21504e685e..9285fc564a 100644 --- a/src/or/control.c +++ b/src/or/control.c @@ -2464,7 +2464,7 @@ handle_control_extendcircuit(control_connection_t *conn, uint32_t len, goto done; } if (!node_has_descriptor(node)) { - connection_printf_to_buf(conn, "552 descriptor for \"%s\"\r\n", n); + connection_printf_to_buf(conn, "552 No descriptor for \"%s\"\r\n", n); goto done; } smartlist_add(nodes, (void*)node); diff --git a/src/or/dirserv.c b/src/or/dirserv.c index aedd092522..49fafafab2 100644 --- a/src/or/dirserv.c +++ b/src/or/dirserv.c @@ -1588,7 +1588,7 @@ dirserv_compute_performance_thresholds(routerlist_t *rl, /* (Now bandwidths is sorted.) */ if (fast_bandwidth_kb < ROUTER_REQUIRED_MIN_BANDWIDTH/(2 * 1000)) fast_bandwidth_kb = bandwidths_kb[n_active/4]; - guard_bandwidth_including_exits_kb = bandwidths_kb[(n_active-1)/2]; + guard_bandwidth_including_exits_kb = bandwidths_kb[n_active*3/4]; guard_tk = find_nth_long(tks, n_active, n_active/8); } 
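Review bot: `NumEntryGuards` now defaults to `"0"`, which this commit turns into a sentinel for "use the consensus parameter", but the table entry does not say so. Any code that still reads `options->NumEntryGuards` directly will see 0 for an unconfigured client; this diff converts the one reader visible in `entry_guards_set_from_config` to `decide_num_guards()`, and readers outside the diff, if there are any, need the same change. I would add `/* 0 means: take the value from the NumEntryGuards consensus parameter */` beside the entry. The later hunk in this file that drops the `UseEntryGuards`/`NumEntryGuards` rejection from `options_validate` is the other half of the same change.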
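Review bot: The fraction `3/4` is now written out twice, as `bandwidths_kb[n_active*3/4]` here and as `n_active_nonexit*3/4` in the next hunk of this file, with nothing tying either to the "fastest 25%" policy described in changes/ticket12690. A named constant or a one-line comment, e.g. `/* Guard cutoff: 75th percentile, i.e. the fastest quarter */`, would keep the two sites in step when the fraction is tuned again. The index stays below `n_active` only when `n_active` is non-zero; the enclosing block that would guarantee this begins above the hunk, so that is assumed rather than visible.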
@@ -1646,7 +1646,8 @@ dirserv_compute_performance_thresholds(routerlist_t *rl, if (n_active_nonexit) { guard_bandwidth_excluding_exits_kb = - median_uint32(bandwidths_excluding_exits_kb, n_active_nonexit); + find_nth_uint32(bandwidths_excluding_exits_kb, + n_active_nonexit, n_active_nonexit*3/4); } log_info(LD_DIRSERV, diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c index 957217ac6c..66b7201187 100644 --- a/src/or/entrynodes.c +++ b/src/or/entrynodes.c @@ -440,9 +440,20 @@ add_an_entry_guard(const node_t *chosen, int reset_status, int prepend, static int decide_num_guards(const or_options_t *options, int for_directory) { - if (for_directory && options->NumDirectoryGuards != 0) - return options->NumDirectoryGuards; - return options->NumEntryGuards; + if (for_directory) { + int answer; + if (options->NumDirectoryGuards != 0) + return options->NumDirectoryGuards; + answer = networkstatus_get_param(NULL, "NumDirectoryGuards", 0, 0, 10); + if (answer) /* non-zero means use the consensus value */ + return answer; + } + + if (options->NumEntryGuards) + return options->NumEntryGuards; + + /* Use the value from the consensus, or 3 if no guidance. */ + return networkstatus_get_param(NULL, "NumEntryGuards", 3, 1, 10); } /** If the use of entry guards is configured, choose more entry guards @@ -841,6 +852,7 @@ entry_guards_set_from_config(const or_options_t *options) { smartlist_t *entry_nodes, *worse_entry_nodes, *entry_fps; smartlist_t *old_entry_guards_on_list, *old_entry_guards_not_on_list; + const int numentryguards = decide_num_guards(options, 0); tor_assert(entry_guards); should_add_entry_nodes = 0; 
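Review bot: `decide_num_guards` now chooses between three sources, and the precedence is only recoverable from the control flow. Its doc comment lies above the hunk; it should say that an explicit torrc value wins, then the `NumDirectoryGuards` or `NumEntryGuards` consensus parameter, then the built-in 3, and that a consensus `NumDirectoryGuards` of 0 falls through to the entry-guard rules. The consensus values are clamped to at most 10 by `networkstatus_get_param`, while `options->NumEntryGuards` and `options->NumDirectoryGuards` are returned as given; if the config layer does not bound them (not visible here), a matching upper limit would keep `numentryguards * 10` in `entry_guards_set_from_config` in a sane range. A brief comment that an unconfigured client's guard count is now set by the directory consensus would also tell operators who want a fixed value that they must set it in torrc.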
@@ -909,7 +921,7 @@ entry_guards_set_from_config(const or_options_t *options) /* Next, the rest of EntryNodes */ SMARTLIST_FOREACH_BEGIN(entry_nodes, const node_t *, node) { add_an_entry_guard(node, 0, 0, 1, 0); - if (smartlist_len(entry_guards) > options->NumEntryGuards * 10) + if (smartlist_len(entry_guards) > numentryguards * 10) break; } SMARTLIST_FOREACH_END(node); log_notice(LD_GENERAL, "%d entries in guards", smartlist_len(entry_guards)); diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index 4698a2cbe7..8c2472c323 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -241,7 +241,7 @@ #define USING_TWOS_COMPLEMENT /* Version number of package */ -#define VERSION "0.2.5.5-alpha-dev" +#define VERSION "0.2.5.6-alpha" |