February 2015 - tor-commits - lists.torproject.org

[tor/master] Merge remote-tracking branch 'public/bug13319'
by nickm＠torproject.org 02 Feb '15

02 Feb '15

commit 69deab8b2a5f09577fa4f15190c3aac181f5b6af Merge: f4b79bc 5bcf952 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Feb 2 10:25:25 2015 -0500 Merge remote-tracking branch 'public/bug13319' changes/bug13319 | 4 ++++ src/common/tortls.c | 55 ++++++++++++++++++++++++++++++++++++++++----------- 2 files changed, 47 insertions(+), 12 deletions(-)

1 0

[tor/master] Only retry connecting to configured bridges
by nickm＠torproject.org 02 Feb '15

02 Feb '15

commit 4cb59ceb8ef603f5661f87e4787d45255fbe210c Author: Matthew Finkel <Matthew.Finkel(a)gmail.com> Date: Sat Jan 31 09:34:24 2015 +0000 Only retry connecting to configured bridges After connectivity problems, only try connecting to bridges which are currently configured; don't mark bridges which we previously used but are no longer configured. Fixes 14216. Reported by and fix provided by arma. --- changes/bug14216 | 5 +++++ src/or/entrynodes.c | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/changes/bug14216 b/changes/bug14216 new file mode 100644 index 0000000..47893ce --- /dev/null +++ b/changes/bug14216 @@ -0,0 +1,5 @@ + o Minor bugfixes: + - When we are using bridges and we had a network connectivity problem, only + retry connecting to our currently configured bridges, not all bridges we + know about and remember using. + Fixes bug 14216; bugfix on tor-0.2.2.17-alpha. Patch from arma. diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c index 5b0e342..17cb825 100644 --- a/src/or/entrynodes.c +++ b/src/or/entrynodes.c @@ -2368,7 +2368,9 @@ entries_retry_helper(const or_options_t *options, int act) SMARTLIST_FOREACH_BEGIN(entry_guards, entry_guard_t *, e) { node = node_get_by_id(e->identity); if (node && node_has_descriptor(node) && - node_is_bridge(node) == need_bridges) { + node_is_bridge(node) == need_bridges && + (!need_bridges || (!e->bad_since && + node_is_a_configured_bridge(node)))) { any_known = 1; if (node->is_running) any_running = 1; /* some entry is both known and running */

1 0

[tor/master] Merge remote-tracking branch 'sysrqb/bug14216_bad_since'
by nickm＠torproject.org 02 Feb '15

02 Feb '15

commit f4b79bc4208132d057a7be04e6135480129c5048 Merge: 55639bc 4cb59ce Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Feb 2 10:23:52 2015 -0500 Merge remote-tracking branch 'sysrqb/bug14216_bad_since' changes/bug14216 | 5 +++++ src/or/entrynodes.c | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-)

1 0

[tor/master] Remove obsolete workaround in dirserv_thinks_router_is_hs_dir()
by nickm＠torproject.org 02 Feb '15

02 Feb '15

commit 80bed1ac96a3035f8c55ddced5528f0d7d16d386 Author: David Goulet <dgoulet(a)ev0ke.net> Date: Thu Jan 29 12:52:18 2015 -0500 Remove obsolete workaround in dirserv_thinks_router_is_hs_dir() Fixes #14202 Signed-off-by: David Goulet <dgoulet(a)ev0ke.net> --- changes/bug14202 | 3 +++ src/or/dirserv.c | 9 +-------- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/changes/bug14202 b/changes/bug14202 new file mode 100644 index 0000000..2bb4ba1 --- /dev/null +++ b/changes/bug14202 @@ -0,0 +1,3 @@ + o Minor cleanup + - Remove workaround in dirserv_thinks_router_is_hs_dir() that was only + for version <= 0.2.2.24 which is now deprecated. diff --git a/src/or/dirserv.c b/src/or/dirserv.c index b694f8a..3579924 100644 --- a/src/or/dirserv.c +++ b/src/or/dirserv.c @@ -1305,14 +1305,7 @@ dirserv_thinks_router_is_hs_dir(const routerinfo_t *router, else uptime = real_uptime(router, now); - /* XXX We shouldn't need to check dir_port, but we do because of - * bug 1693. In the future, once relays set wants_to_be_hs_dir - * correctly, we can revert to only checking dir_port if router's - * version is too old. */ - /* XXX Unfortunately, we need to keep checking dir_port until all - * *clients* suffering from bug 2722 are obsolete. The first version - * to fix the bug was 0.2.2.25-alpha. */ - return (router->wants_to_be_hs_dir && router->dir_port && + return (router->wants_to_be_hs_dir && uptime >= get_options()->MinUptimeHidServDirectoryV2 && router_is_active(router, node, now)); }

1 0

[tor/master] Merge remote-tracking branch 'dgoulet/bug14202_026_v1'
by nickm＠torproject.org 02 Feb '15

02 Feb '15

commit 55639bc67f66e0bb41af1474ce8654d49faf9a61 Merge: e78b7e2 80bed1a Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Feb 2 10:16:48 2015 -0500 Merge remote-tracking branch 'dgoulet/bug14202_026_v1' changes/bug14202 | 3 +++ src/or/dirserv.c | 9 +-------- 2 files changed, 4 insertions(+), 8 deletions(-)

1 0

[tor/master] Try to work around changes in openssl 1.1.0
by nickm＠torproject.org 02 Feb '15

02 Feb '15

commit e9caa8645e5da69ac503a365624896d33b91504b Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jan 28 10:00:58 2015 -0500 Try to work around changes in openssl 1.1.0 Prefer not to use a couple of deprecated functions; include more headers in tortls.c This is part of ticket 14188. --- changes/ticket14188_part1 | 2 ++ src/common/crypto.c | 18 +++++++++++++++++- src/common/tortls.c | 2 ++ 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/changes/ticket14188_part1 b/changes/ticket14188_part1 new file mode 100644 index 0000000..9d66bba --- /dev/null +++ b/changes/ticket14188_part1 @@ -0,0 +1,2 @@ + o Compilation fixes: + - Compile correctly with (unreleased) OpenSSL 1.1.0 headers. diff --git a/src/common/crypto.c b/src/common/crypto.c index 370c04a..218c7be 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -1780,9 +1780,13 @@ crypto_generate_dynamic_dh_modulus(void) dynamic_dh_modulus = BN_new(); tor_assert(dynamic_dh_modulus); - dh_parameters = DH_generate_parameters(DH_BYTES*8, DH_GENERATOR, NULL, NULL); + dh_parameters = DH_new(); tor_assert(dh_parameters); + r = DH_generate_parameters_ex(dh_parameters, + DH_BYTES*8, DH_GENERATOR, NULL); + tor_assert(r == 0); + r = DH_check(dh_parameters, &dh_codes); tor_assert(r && !dh_codes); @@ -3115,6 +3119,14 @@ openssl_dynlock_destroy_cb_(struct CRYPTO_dynlock_value *v, tor_free(v); } +#if OPENSSL_VERSION_NUMBER >= OPENSSL_V_SERIES(1,0,0) +static void +tor_set_openssl_thread_id(CRYPTO_THREADID *threadid) +{ + CRYPTO_THREADID_set_numeric(threadid, tor_get_thread_id()); +} +#endif + /** @{ */ /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being * multithreaded. */ @@ -3128,7 +3140,11 @@ setup_openssl_threading(void) for (i=0; i < n; ++i) openssl_mutexes_[i] = tor_mutex_new(); CRYPTO_set_locking_callback(openssl_locking_cb_); +#if OPENSSL_VERSION_NUMBER < OPENSSL_V_SERIES(1,0,0) CRYPTO_set_id_callback(tor_get_thread_id); +#else + CRYPTO_THREADID_set_callback(tor_set_openssl_thread_id); +#endif CRYPTO_set_dynlock_create_callback(openssl_dynlock_create_cb_); CRYPTO_set_dynlock_lock_callback(openssl_dynlock_lock_cb_); CRYPTO_set_dynlock_destroy_callback(openssl_dynlock_destroy_cb_); diff --git a/src/common/tortls.c b/src/common/tortls.c index ca62913..5df6364 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -50,6 +50,8 @@ #include <openssl/asn1.h> #include <openssl/bio.h> #include <openssl/opensslv.h> +#include <openssl/bn.h> +#include <openssl/rsa.h> #if __GNUC__ && GCC_VERSION >= 402 #if GCC_VERSION >= 406

1 0

[tor/master] Merge remote-tracking branch 'public/14188_part1'
by nickm＠torproject.org 02 Feb '15

02 Feb '15

commit e78b7e27761df246349b4eee7667c304a68b73fd Merge: aa4f773 e9caa86 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Feb 2 10:15:26 2015 -0500 Merge remote-tracking branch 'public/14188_part1' changes/ticket14188_part1 | 2 ++ src/common/crypto.c | 18 +++++++++++++++++- src/common/tortls.c | 2 ++ 3 files changed, 21 insertions(+), 1 deletion(-)

1 0

[tor/master] Updating OpenBSD section of doc/TUNING.
by nickm＠torproject.org 02 Feb '15

02 Feb '15

commit aa4f773670e79bc78ed68de3b4c05e7d5afadea0 Author: rl1987 <rl1987(a)sdf.lonestar.org> Date: Sun Feb 1 19:52:54 2015 +0200 Updating OpenBSD section of doc/TUNING. --- doc/TUNING | 75 ++++++++++++++++++++++-------------------------------------- 1 file changed, 27 insertions(+), 48 deletions(-) diff --git a/doc/TUNING b/doc/TUNING index 90bd120..24552a3 100644 --- a/doc/TUNING +++ b/doc/TUNING @@ -38,62 +38,41 @@ read-only on OS X. OpenBSD ------- -For recent versions of OpenBSD (5.5 and 5.6, and probably older releases -as well), the maximum number of file descriptors that can be opened is -7030: +Because OpenBSD is primarily focused on security and stability, it uses default +resource limits stricter than those of more popular Unix-like operating systems. -http://unix.stackexchange.com/questions/104929/does-openbsd-have-a-limit-to-the-number-of-file-descriptors/104948#104948 +OpenBSD stores a kernel-level file descriptor limit in the sysctl variable +kern.maxfiles. It defaults to 7,030. To change it to, for example, 16,000 while +the system is running, use the command 'sudo sysctl kern.maxfiles=16000'. +kern.maxfiles will reset to the default value upon system reboot unless you also +add 'kern.maxfiles=16000' to the file /etc/sysctl.conf. -The maximum number of file descriptors that an OpenBSD machine can have -open is stored in the sysctl variable kern.maxfiles. This value defaults -to 7030 - to verify this, run sysctl kern.maxfiles. +There are stricter resource limits set on user classes, which are stored in +/etc/login.conf. This config file also allows limit sets for daemons started +with scripts in the /etc/rc.d directory, which presumably includes Tor. -To immediately change a running system's file descriptor limit to, for -example, 20,000 files, run sudo sysctl kern.maxfiles=20000. All sysctl -variables are reset upon reboot using defaults and /etc/sysctl.conf, so -to make your change permanent you must add the line kern.maxfiles=20000 -to /etc/sysctl.conf. - -One can also change a maximum number of allowed file descriptors for Tor -daemon alone by editing /etc/rc.d/tor and adding the following lines: +To increase the file descriptor limit from its default of 1,024, add the +following to /etc/login.conf: tor:\ - :openfiles-max=8192:\ - :tc=daemon: - -However, there are stricter limits set on users. This is a security -feature intended to prevent one user from choking out others by opening -all possible file descriptors. - -The stricter limits are set in /etc/login.conf. This config file sets -resource access rules for user classes. You should be running -Tor as a non-privileged daemon user '_tor', which belongs to the 'daemon' -class. It will therefore be subject to the 'default' and 'daemon' rules. -There are two relevant rules: openfiles-cur and openfiles-max. The prior -is the initial limit upon login - the soft limit. The latter is the maximum -limit that can be set using 'ulimit -n' or setrlimit() without editing -/etc/login.conf and rebooting. This is known as the hard limit. - -Without editing /etc/login.conf, daemon-owned processes have -soft limit of 512 open files and a hard limit of 1024 open files. -Tor can increase the soft limit as needed, so you will therefore -eventually get warnings about running out of available file descriptors -once Tor reaches ~1024 open files. - -To increase the hard limit, add the following line to the daemon class -rules in /etc/login.conf: + :openfiles-max=13500:\ + :tc=daemon: -tor:\ - :openfiles-max=8192:\ - :tc=daemon: +Upon restarting Tor, it will be able to open up to 13,500 file descriptors. + +This will work *only* if you are starting Tor with the script /etc/rc.d/tor. If +you're using a custom build instead of the package, you can easily copy the rc.d +script from the Tor port directory. Alternatively, you can ensure that the Tor's +daemon user has its own user class and make a /etc/login.conf entry for it. + +High-bandwidth relays sometimes give the syslog warning: -Upon restarting the machine, Tor will be able to open up to 6500 file -descriptors. +/bsd: WARNING: mclpools limit reached; increase kern.maxclusters -Be aware that, by doing this, you are bypassing a security and stability -feature of the OS. If you are running your relay on a weak or old system, -watch your system load to ensure that it can handle this many open files. -Also, Tor may interfere with any other programs that open many files. +In this case, increase kern.maxclusters with the sysctl command and in the file +/etc/sysctl.conf, as described with kern.maxfiles above. Use 'sysctl +kern.maxclusters' to query the current value. Increasing by about 15% per day +until the error no longer appears is a good guideline. Disclaimer ----------

1 0

[translation/torbutton-torbuttonproperties] Update translations for torbutton-torbuttonproperties
by translation＠torproject.org 02 Feb '15

02 Feb '15

commit a63bef0b61b73c7137c46bf2c866d3ae7da80a6e Author: Translation commit bot <translation(a)torproject.org> Date: Mon Feb 2 13:46:13 2015 +0000 Update translations for torbutton-torbuttonproperties --- kn/torbutton.properties | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kn/torbutton.properties b/kn/torbutton.properties index d23c67d..fb501d9 100644 --- a/kn/torbutton.properties +++ b/kn/torbutton.properties @@ -21,8 +21,8 @@ torbutton.popup.test.auto_failed = The automatic Tor proxy test failed to use To torbutton.prefs.recommended = (recommended) torbutton.prefs.optional = (optional) torbutton.prefs.crucial = (crucial) -torbutton.popup.external.title = Download an external file type? -torbutton.popup.external.app = Tor Browser cannot display this file. You will need to open it with another application.\n\n +torbutton.popup.external.title = ಬಾಹ್ಯ ಕಡತ ಪ್ರಕಾರವನ್ನು ಡೌನ್ಲೋಡ್ ಮಾಡಬೇಕೆ? +torbutton.popup.external.app = ಟಾರ್ ಬ್ರೌಸರ್ ಈ ಕಡತವನ್ನು ಪ್ರದರ್ಶಿಸಲಾಗುವುದಿಲ್ಲ. ನೀವು ಇದನ್ನು ಇನ್ನೊಂದು ಅಪ್ಲಿಕೇಶನಿಂದ ಅದನ್ನು ತೆರೆಯಿರಿ.\n\n torbutton.popup.external.note = Some types of files can cause applications to connect to the Internet without using Tor.\n\n torbutton.popup.external.suggest = To be safe, you should only open downloaded files while offline, or use a Tor Live CD such as Tails.\n torbutton.popup.launch = Download file

1 0

[translation/torbirdy_completed] Update translations for torbirdy_completed
by translation＠torproject.org 02 Feb '15

02 Feb '15

commit 6ca0126aff0483df111092b7f97fa5f8b2d95a98 Author: Translation commit bot <translation(a)torproject.org> Date: Mon Feb 2 13:45:44 2015 +0000 Update translations for torbirdy_completed --- kn/torbirdy.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kn/torbirdy.properties b/kn/torbirdy.properties index 714da70..888801c 100644 --- a/kn/torbirdy.properties +++ b/kn/torbirdy.properties @@ -13,7 +13,7 @@ torbirdy.email.advanced=ಗಮನಿಸಿ: ಟಾರ್ ಬರ್ಡಿಯ ಸ torbirdy.email.advanced.nextwarning=ಮುಂದಿನ ಸಲ ಈ ಎಚ್ಚರಿಕೆಯನ್ನ ಮತ್ತೆ ತೋರಿಸಿ. torbirdy.email.advanced.title=ಟಾರ್ ಬರ್ಡಿಯ ಸೂಕ್ಶ್ಮ ಜೋಡಣೆಗಳು. -torbirdy.restart=ಸಮಯ ವಲಯದ ಏರ್ಪಾಡು ಸನ್ನದ್ಧವಾಗಲು, ಥಂಡರ್‌ಬರ್ಡ್ ಅನ್ನು ಒಮ್ಮೆ ಮುಚ್ಚಿ ನಂತರ ಶುರು ಮಾಡಿರಿ. +torbirdy.restart=ಸಮಯ ವಲಯದ ಆದ್ಯತೆ ಕಾರ್ಯಗತವಾಗಲು ನೀವು ತಂಡರ್ಬರ್ಡ್ ಮರಳಿ ಆರಂಭಿಸಬೇಕಾಗುತ್ತದೆ torbirdy.firstrun=ನೀವೀಗ ಟಾರ್ ಬರ್ಡಿಯನ್ನ ಓಡಿಸ್ತಾ ಇದ್ದೀರಿ.\n\nನಿಮ್ಮ ಗೌಪ್ಯತೆ ಕಾಪಾಡಲು, ಟಾರ್ ಬರ್ಡಿಯು ಥಂಡರ್ ಬರ್ಡ್ನ ಜೋಡಣೆಗಲನ್ನ \n\nನೀವು ಹೊಸ ಬಳಕೆದಾರರೋ? ಹಾಗಿದ್ರೆ ಟಾರ್ ಬರ್ಡಿಯ ವೆಬ್‌ಸೈಟ್‌ನಲ್ಲಿರೋ ಅಂಶಗಳ್ನ ಓದಿ-ಅರಿತ ನಂತರ ನಾವು ಟಾರ್ ಬರ್ಡಿ ಬಳಕೆದಾರರಿಗೆ ನೀಡುವ ಸೌಲಭ್ಯಗಳ ಬಗ್ಗೆ ತಿಳಕೊಳ್ಳಿ. torbirdy.website=https://trac.torproject.org/projects/tor/wiki/torbirdy

1 0