Merge branch 'maint-0.2.1' into release-0.2.1
This commit is contained in:
commit
6ef2e30c72
|
@ -0,0 +1,8 @@
|
||||||
|
o Security fixes:
|
||||||
|
- Don't attach new streams to old rendezvous circuits after SIGNAL
|
||||||
|
NEWNYM. Previously, we would keep using an existing rendezvous
|
||||||
|
circuit if it remained open (i.e. if it were kept open by a
|
||||||
|
long-lived stream or if a new stream were attached to it before
|
||||||
|
Tor could notice that it was old and no longer in use and close
|
||||||
|
it). Bugfix on 0.1.1.15-rc; fixes bug 3375.
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
o Minor features:
|
||||||
|
- Allow nameservers with IPv6 address. Fixes bug 2574.
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
o Minor features:
|
||||||
|
- Adjust the expiration time on our SSL session certificates to
|
||||||
|
better match SSL certs seen in the wild. Resolves ticket 4014.
|
|
@ -0,0 +1,5 @@
|
||||||
|
o Minor bugfixes:
|
||||||
|
- Always NUL-terminate the sun_path field of a sockaddr_un before
|
||||||
|
passing it to the kernel. (Not a security issue: kernels are
|
||||||
|
smart enough to reject bad sockaddr_uns.) Found by Coverity; CID
|
||||||
|
# 428. Bugfix on Tor 0.2.0.3-alpha.
|
|
@ -0,0 +1,5 @@
|
||||||
|
o Minor bugfixes:
|
||||||
|
- Don't stack-allocate the list of supplementary GIDs when we're
|
||||||
|
about to log them. Stack-allocating NGROUPS_MAX gid_t elements
|
||||||
|
could take up to 256K, which is way too much stack. Found by
|
||||||
|
Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
|
|
@ -0,0 +1,3 @@
|
||||||
|
o Minor features:
|
||||||
|
- Update to the August 2 2011 Maxmind GeoLite Country database.
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
o Minor features:
|
||||||
|
- Update to the July 1 2011 Maxmind GeoLite Country database.
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
o Minor features:
|
||||||
|
- Update to the June 1 2011 Maxmind GeoLite Country database.
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
o Minor features:
|
||||||
|
- Update to the October 4 2011 Maxmind GeoLite Country database.
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
o Minor features:
|
||||||
|
- Update to the September 6 2011 Maxmind GeoLite Country database.
|
||||||
|
|
|
@ -1080,7 +1080,8 @@ log_credential_status(void)
|
||||||
/* Read, effective and saved GIDs */
|
/* Read, effective and saved GIDs */
|
||||||
gid_t rgid, egid, sgid;
|
gid_t rgid, egid, sgid;
|
||||||
/* Supplementary groups */
|
/* Supplementary groups */
|
||||||
gid_t sup_gids[NGROUPS_MAX + 1];
|
gid_t *sup_gids = NULL;
|
||||||
|
int sup_gids_size;
|
||||||
/* Number of supplementary groups */
|
/* Number of supplementary groups */
|
||||||
int ngids;
|
int ngids;
|
||||||
|
|
||||||
|
@ -1126,9 +1127,19 @@ log_credential_status(void)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* log supplementary groups */
|
/* log supplementary groups */
|
||||||
if ((ngids = getgroups(NGROUPS_MAX + 1, sup_gids)) < 0) {
|
sup_gids_size = 64;
|
||||||
|
sup_gids = tor_malloc(sizeof(gid_t) * 64);
|
||||||
|
while ((ngids = getgroups(sup_gids_size, sup_gids)) < 0 &&
|
||||||
|
errno == EINVAL &&
|
||||||
|
sup_gids_size < NGROUPS_MAX) {
|
||||||
|
sup_gids_size *= 2;
|
||||||
|
sup_gids = tor_realloc(sup_gids, sizeof(gid_t) * sup_gids_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (ngids < 0) {
|
||||||
log_warn(LD_GENERAL, "Error getting supplementary GIDs: %s",
|
log_warn(LD_GENERAL, "Error getting supplementary GIDs: %s",
|
||||||
strerror(errno));
|
strerror(errno));
|
||||||
|
tor_free(sup_gids);
|
||||||
return -1;
|
return -1;
|
||||||
} else {
|
} else {
|
||||||
int i, retval = 0;
|
int i, retval = 0;
|
||||||
|
@ -1158,6 +1169,7 @@ log_credential_status(void)
|
||||||
tor_free(cp);
|
tor_free(cp);
|
||||||
});
|
});
|
||||||
smartlist_free(elts);
|
smartlist_free(elts);
|
||||||
|
tor_free(sup_gids);
|
||||||
|
|
||||||
return retval;
|
return retval;
|
||||||
}
|
}
|
||||||
|
|
24782
src/config/geoip
24782
src/config/geoip
File diff suppressed because it is too large
Load Diff
|
@ -59,7 +59,8 @@ circuit_is_acceptable(circuit_t *circ, edge_connection_t *conn,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (purpose == CIRCUIT_PURPOSE_C_GENERAL)
|
if (purpose == CIRCUIT_PURPOSE_C_GENERAL ||
|
||||||
|
purpose == CIRCUIT_PURPOSE_C_REND_JOINED)
|
||||||
if (circ->timestamp_dirty &&
|
if (circ->timestamp_dirty &&
|
||||||
circ->timestamp_dirty+get_options()->MaxCircuitDirtiness <= now)
|
circ->timestamp_dirty+get_options()->MaxCircuitDirtiness <= now)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -804,7 +804,13 @@ create_unix_sockaddr(const char *listenaddress, char **readable_address,
|
||||||
|
|
||||||
sockaddr = tor_malloc_zero(sizeof(struct sockaddr_un));
|
sockaddr = tor_malloc_zero(sizeof(struct sockaddr_un));
|
||||||
sockaddr->sun_family = AF_UNIX;
|
sockaddr->sun_family = AF_UNIX;
|
||||||
strncpy(sockaddr->sun_path, listenaddress, sizeof(sockaddr->sun_path));
|
if (strlcpy(sockaddr->sun_path, listenaddress, sizeof(sockaddr->sun_path))
|
||||||
|
>= sizeof(sockaddr->sun_path)) {
|
||||||
|
log_warn(LD_CONFIG, "Unix socket path '%s' is too long to fit.",
|
||||||
|
escaped(listenaddress));
|
||||||
|
tor_free(sockaddr);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
if (readable_address)
|
if (readable_address)
|
||||||
*readable_address = tor_strdup(listenaddress);
|
*readable_address = tor_strdup(listenaddress);
|
||||||
|
|
|
@ -2320,7 +2320,7 @@ _evdns_nameserver_add_impl(const struct sockaddr *address,
|
||||||
memset(ns, 0, sizeof(struct nameserver));
|
memset(ns, 0, sizeof(struct nameserver));
|
||||||
ns->timeout_event_deleted = __LINE__;
|
ns->timeout_event_deleted = __LINE__;
|
||||||
|
|
||||||
ns->socket = socket(PF_INET, SOCK_DGRAM, 0);
|
ns->socket = socket(address->sa_family, SOCK_DGRAM, 0);
|
||||||
if (ns->socket < 0) { err = 1; goto out1; }
|
if (ns->socket < 0) { err = 1; goto out1; }
|
||||||
#ifdef WIN32
|
#ifdef WIN32
|
||||||
{
|
{
|
||||||
|
|
|
@ -866,12 +866,14 @@ run_scheduled_events(time_t now)
|
||||||
now + DESCRIPTOR_FAILURE_RESET_INTERVAL;
|
now + DESCRIPTOR_FAILURE_RESET_INTERVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
/** 1b. Every MAX_SSL_KEY_LIFETIME seconds, we change our TLS context. */
|
/** 1b. Every MAX_SSL_KEY_LIFETIME_INTERNAL seconds, we change our
|
||||||
|
* TLS context. */
|
||||||
if (!last_rotated_x509_certificate)
|
if (!last_rotated_x509_certificate)
|
||||||
last_rotated_x509_certificate = now;
|
last_rotated_x509_certificate = now;
|
||||||
if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME < now) {
|
if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME_INTERNAL < now) {
|
||||||
log_info(LD_GENERAL,"Rotating tls context.");
|
log_info(LD_GENERAL,"Rotating tls context.");
|
||||||
if (tor_tls_context_new(get_identity_key(), MAX_SSL_KEY_LIFETIME) < 0) {
|
if (tor_tls_context_new(get_identity_key(),
|
||||||
|
MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
|
||||||
log_warn(LD_BUG, "Error reinitializing TLS context");
|
log_warn(LD_BUG, "Error reinitializing TLS context");
|
||||||
/* XXX is it a bug here, that we just keep going? -RD */
|
/* XXX is it a bug here, that we just keep going? -RD */
|
||||||
}
|
}
|
||||||
|
|
|
@ -166,7 +166,9 @@
|
||||||
/** How often do we rotate onion keys? */
|
/** How often do we rotate onion keys? */
|
||||||
#define MIN_ONION_KEY_LIFETIME (7*24*60*60)
|
#define MIN_ONION_KEY_LIFETIME (7*24*60*60)
|
||||||
/** How often do we rotate TLS contexts? */
|
/** How often do we rotate TLS contexts? */
|
||||||
#define MAX_SSL_KEY_LIFETIME (2*60*60)
|
#define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60)
|
||||||
|
/** What expiry time shall we place on our SSL certs? */
|
||||||
|
#define MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60)
|
||||||
|
|
||||||
/** How old do we allow a router to get before removing it
|
/** How old do we allow a router to get before removing it
|
||||||
* from the router list? In seconds. */
|
* from the router list? In seconds. */
|
||||||
|
|
|
@ -1077,6 +1077,7 @@ rend_cache_store(const char *desc, size_t desc_len, int published,
|
||||||
log_warn(LD_REND, "Received service descriptor for service ID %s; "
|
log_warn(LD_REND, "Received service descriptor for service ID %s; "
|
||||||
"expected descriptor for service ID %s.",
|
"expected descriptor for service ID %s.",
|
||||||
query, safe_str(service_id));
|
query, safe_str(service_id));
|
||||||
|
rend_service_descriptor_free(parsed);
|
||||||
return -2;
|
return -2;
|
||||||
}
|
}
|
||||||
now = time(NULL);
|
now = time(NULL);
|
||||||
|
|
|
@ -458,7 +458,8 @@ init_keys(void)
|
||||||
}
|
}
|
||||||
set_identity_key(prkey);
|
set_identity_key(prkey);
|
||||||
/* Create a TLS context; default the client nickname to "client". */
|
/* Create a TLS context; default the client nickname to "client". */
|
||||||
if (tor_tls_context_new(get_identity_key(), MAX_SSL_KEY_LIFETIME) < 0) {
|
if (tor_tls_context_new(get_identity_key(),
|
||||||
|
MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
|
||||||
log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
|
log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -536,7 +537,8 @@ init_keys(void)
|
||||||
tor_free(keydir);
|
tor_free(keydir);
|
||||||
|
|
||||||
/* 3. Initialize link key and TLS context. */
|
/* 3. Initialize link key and TLS context. */
|
||||||
if (tor_tls_context_new(get_identity_key(), MAX_SSL_KEY_LIFETIME) < 0) {
|
if (tor_tls_context_new(get_identity_key(),
|
||||||
|
MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
|
||||||
log_err(LD_GENERAL,"Error initializing TLS context");
|
log_err(LD_GENERAL,"Error initializing TLS context");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue