Signed-off-by: David Goulet <dgoulet@torproject.org>

Add to the Denial of Service section of the man page an explanation about the
three different mitigation Tor has.

Fixes #25248.

Signed-off-by: David Goulet <dgoulet@torproject.org>

When size_t is 32 bits, the unit tests can't fit anything more than
4GB-1 into a size_t.

Additionally, tt_int_op() uses "long" -- we need tt_u64_op() to
safely test uint64_t values for equality.

Bug caused by tests for #24782 fix; not in any released Tor.

When size_t is 32 bits, doing "size_t ram; if (ram > 8GB) { ... }"
produces a compile-time warning.

Bug caused by #24782 fix; not in any released Tor.

Alexander Hansen Færøy authored 6 years ago and Nick Mathewson committed 6 years ago

This patch changes the algorithm of compute_real_max_mem_in_queues() to
use 0.4 * RAM iff the system has more than or equal to 8 GB of RAM, but
will continue to use the old value of 0.75 * RAM if the system have less
than * GB of RAM available.

This patch also adds tests for compute_real_max_mem_in_queues().

See: https://bugs.torproject.org/24782

Alexander Hansen Færøy authored 6 years ago and David Goulet committed 6 years ago

This patch makes compute_real_max_mem_in_queues use the STATIC macro,
which allows us to test the function.

See: https://bugs.torproject.org/24782

Alexander Hansen Færøy authored 6 years ago and David Goulet committed 6 years ago

This patch makes get_total_system_memory mockable, which allows us to
alter the return value of the function in tests.

See: https://bugs.torproject.org/24782

The old single-underscore names remain as a deprecated synonym.

Fixes bug 25581; bugfix on 0.3.3.1-alpha.

Mike Perry authored 7 years ago and Nick Mathewson committed 6 years ago

We removed this by breaking them out from general in #13837.

This patch lifts the list of default directory authorities from config.c
into their own auth_dirs.inc file, which is then included in config.c
using the C preprocessor.

Patch by beastr0.

See: https://bugs.torproject.org/24854

Fixes bug 25732; bugfix on 0.3.3.2-alpha when strings.rs was
introduced.

Closes ticket 25296; bugfix on 0.2.2.7-alpha when these manpage
entries were introduced.

By default, we want to look at the crates directory of the
submodule, not the toplevel of the submodule.  Fixes bug 25679;
bugfix on 0.3.3.1-alpha.

Some anchor don't appear in the final man page so document those so we
understand why we do that in the future.

Part of #25582

Signed-off-by: David Goulet <dgoulet@torproject.org>

Dhalgren authored 7 years ago and Nick Mathewson committed 6 years ago

Also don't give up on a resolver as quickly if multiple are configured.

(cherry picked from commit 5a8cdec3)

Previously, the limit for MAX_PROTOCOLS_TO_EXPAND was actually being applied
in Rust to the maximum number of version (total, for all subprotocols).
Whereas in C, it was being applied to the number of subprotocols that were
allowed.  This changes the Rust to match C's behaviour.

The behaviours still do not match, unsurprisingly, but now we know where a
primary difference is: the Rust is validating version ranges more than the C,
so in the C it's possible to call protover_all_supported on a ridiculous
version range like "Sleen=0-4294967294" because the C uses
MAX_PROTOCOLS_TO_EXPAND to count the number of *subprotocols* whereas the Rust
uses it to count the total number of *versions* of all subprotocols.

There's now no difference in these tests w.r.t. the C or Rust: both
fail miserably (well, Rust fails with nice descriptive errors, and C
gives you a traceback, because, well, C).

The DoS potential is slightly higher in C now due to some differences to the
Rust code, see the C_RUST_DIFFERS tags in src/rust/protover/tests/protover.rs.

Also, the comment about "failing at the splitting stage" in Rust wasn't true,
since when we split, we ignore empty chunks (e.g. "1--1" parses into
"(1,None),(None,1)" and "None" can't be parsed into an integer).

Finally, the comment about "Rust seems to experience an internal error" is only
true in debug mode, where u32s are bounds-checked at runtime.  In release mode,
code expressing the equivalent of this test will error with
`Err(ProtoverError::Unparseable)` because 4294967295 is too large.