svn:r1843

svn:r1829

svn:r1775

svn:r1761

svn:r1756

returns bytes when there is a non-application record pending.

I have no idea when/why this would even happen, but let's catch it and
make sure tor_tls_get_pending_bytes stays correct.


svn:r1727

svn:r1723

svn:r1721

svn:r1718

svn:r1716

Call tls_log_errors at a more appropriate location; we can remove the other calls in tor_tls_verify once we are sure they never happen.


svn:r1709

svn:r1707

but don't use tor_assert inside log.c, to avoid loops


svn:r1696

svn:r1683

svn:r1634

svn:r1544

svn:r1502

svn:r1466

Refactor the heck out of crypto interface: admit that we will stick with one ciphersuite at a time, make const things const, and stop putting openssl in the headers.


svn:r1458

svn:r1247

also, tell start_daemon our desired cwd


svn:r1170

svn:r1007

Note discrepency between N bytes transmitted over TLS and actual bandwidth use; add 2 functions to help resolve.


svn:r986

svn:r952

svn:r833

svn:r785

svn:r664

The problem was that the fixes had us generating TLS certs with a
2-day lifetime on the assumption that we'd rotate fairly often.  In
fact, we never rotate our TLS keys.

This patch fixes the situation in 2 ways:
   1. It bumps the default lifetime back up to one year until we get
      rotation in place.
   2. It changes tor_tls_context_new() so that it doesn't leak memory
      when you call it more than once.


svn:r663

Allow some slop (currently 3 minutes) when checking certificate validity.

Change certificate lifetime from 1 year to 2 days.  Since we
regenerate regularly (we regenerate regularly, right??), this
shouldn't be a problem.

Have directories reject descriptors published too far in the future
(currently 30 minutes).  If dirservs don't do this:
    0) Today is January 1, 2000.
    1) A very skewed server publishes descriptor X with a declared
       publication time of August 1, 2000.
    2) The directory includes X.
    3) Because of certificate lifetime issues, nobody can use the
       skewed server.
    4) The server fixes its skew, and goes to republish a new descriptor Y
       with publication time of January 1, 2000.
    5) But because the directory already has a "more recent" descriptor X,
       it rejects descriptor "Y" as superseded!

This patch should make step 2 go away.


svn:r658

svn:r643

svn:r630

svn:r627

and also remember the params for ssl_write if it returns wantread.


svn:r626

how exactly the same do the arguments need to be? :(


svn:r625

svn:r623

svn:r604

svn:r603

svn:r570

svn:r504

svn:r501