| Age | Commit message (Collapse) | Author |
|---|
|
|
|
flag.
|
|
|
|
|
|
By now, support in the network is widespread and it's time to require
more modern crypto on all Tor instances, whether they're clients or
servers. By doing this early in 0.2.6, we can be sure that at some point
all clients will have reasonable support.
|
|
When Tor first generates identity keypair, emit a log message that
thanks for their participation and points to new Tor relay lifecycle
document.
|
|
Arma found this and commented on #11243. Bug not in any released
version of Tor.
|
|
Otherwise, we get implicit conversion warning on some platforms.
|
|
|
|
|
|
Conflicts:
src/tools/tor-resolve.c
|
|
|
|
|
|
|
|
This might make Coverity happier about the if statement where we
have a default case that's the same as one of the other cases. CID 1248515
|
|
Bug not in any released tor. This is CID 1248521
|
|
Ensure we securely wipe keys from memory after
crypto_digest_get_digest and init_curve25519_keypair_from_file
have finished using them.
Fixes bug 13477.
|
|
Add unit tests for tor_timegm signed overflow,
tor_timegm and parse_rfc1123_time validity checks,
and correct_tm year clamping.
Unit tests (visible) fixes in bug 13476.
|
|
Clamp year values returned by system localtime(_r) and
gmtime(_r) to year 1. This ensures tor can read any
values it might write out.
Fixes bug 13476.
|
|
Check all date/time values passed to tor_timegm
and parse_rfc1123_time for validity, taking leap
years into account.
Improves HTTP header validation.
Avoid unlikely signed integer overflow in tor_timegm
on systems with 32-bit time_t.
Fixes bug 13476.
|
|
Set the correct day of year value in correct_tm() when the
system's localtime(_r) or gmtime(_r) functions fail to set struct tm.
Fixes bug 13476.
|
|
|
|
Closes 8093.
|
|
|
|
|
|
|
|
|
|
|
|
The POODLE attack doesn't affect Tor, but there's no reason to tempt
fate: SSLv3 isn't going to get any better.
|
|
Right now this is only needed for test_util_format_time_interval, so
define it as a static function. We can move it into compat later if
we need to.
|
|
|
|
|
|
|
|
1. The test that adds things to the cache needs to set the clock back so
that the descriptors it adds are valid.
2. We split ROUTER_NOT_NEW into ROUTER_TOO_OLD, so that we can
distinguish "already had it" from "rejected because of old published
date".
3. We make extrainfo_insert() return a was_router_added_t, and we
make its caller use it correctly. This is probably redundant with
the extrainfo_is_bogus flag.
|
|
Suggested by Andrea in her review of 11243.
|
|
|
|
These tests make sure that entries are actually marked
undownloadable as appropriate.
|
|
We didn't really have test coverage for these parsing functions, so
I went and made some. These tests also verify that the parsing
functions set the list of invalid digests correctly.
|
|
One pain point in evolving the Tor design and implementing has been
adding code that makes clients reject directory documents that they
previously would have accepted, if those descriptors actually exist.
When this happened, the clients would get the document, reject it,
and then decide to try downloading it again, ad infinitum. This
problem becomes particularly obnoxious with authorities, since if
some authorities accept a descriptor that others don't, the ones
that don't accept it would go crazy trying to re-fetch it over and
over. (See for example ticket #9286.)
This patch tries to solve this problem by tracking, if a descriptor
isn't parseable, what its digest was, and whether it is invalid
because of some flaw that applies to the portion containing the
digest. (This excludes RSA signature problems: RSA signatures
aren't included in the digest. This means that a directory
authority can still put another directory authority into a loop by
mentioning a descriptor, and then serving that descriptor with an
invalid RSA signatures. But that would also make the misbehaving
directory authority get DoSed by the server it's attacking, so it's
not much of an issue.)
We already have a mechanism to mark something undownloadable with
downloadstatus_mark_impossible(); we use that here for
microdescriptors, extrainfos, and router descriptors.
Unit tests to follow in another patch.
Closes ticket #11243.
|
|
|
|
|
|
Fix an instance of integer overflow in format_time_interval() when
taking the absolute value of the supplied signed interval value.
Fixes bug 13393.
Create unit tests for format_time_interval().
|
|
The versions which this function would keep from getting the guard
flag are already blocked by the minimum version check.
Closes 13152.
|
|
|
|
'teor/bug-13163-AlternateAuthorities-type-handling-fixed'
|
|
'teor/issue-13161-TestingDirAuthVoteExit'
|
|
|
|
Bitwise check for the BRIDGE_DIRINFO flag, rather than checking for
equality.
Fixes a (potential) bug where directories offering BRIDGE_DIRINFO,
and some other flag (i.e. microdescriptors or extrainfo),
would be ignored when looking for bridge directories.
Final fix in series for bug 13163.
|
|
Document usage of the NO_DIRINFO and ALL_DIRINFO flags clearly in functions
which take them as arguments. Replace 0 with NO_DIRINFO in a function call
for clarity.
Seeks to prevent future issues like 13163.
|
|
Stop using the default authorities in networks which provide both
AlternateDirAuthority and AlternateBridgeAuthority.
This bug occurred due to an ambiguity around the use of NO_DIRINFO.
(Does it mean "any" or "none"?)
Partially fixes bug 13163.
|
