[tor-commits] [chutney/master] Add more minimal HS, Single Onion and Exit networks

2018-01-30 Thread teor
commit 3f39ce19111a11aa5620467936c2c7cd37f769da
Author: teor 
Date:   Wed Jan 31 16:04:14 2018 +1100

Add more minimal HS, Single Onion and Exit networks

(Maybe we should come up with a way of combining networks?)
---
 networks/hs-single-onion-v23-exit-min | 19 +++
 networks/hs-v23-exit-min  | 15 +++
 2 files changed, 34 insertions(+)

diff --git a/networks/hs-single-onion-v23-exit-min 
b/networks/hs-single-onion-v23-exit-min
new file mode 100644
index 000..5f2d6f5
--- /dev/null
+++ b/networks/hs-single-onion-v23-exit-min
@@ -0,0 +1,19 @@
+# By default, Authorities are not configured as exits
+Authority = Node(tag="a", authority=1, relay=1, torrc="authority.tmpl")
+ExitRelay = Node(tag="r", relay=1, exit=1, torrc="relay.tmpl")
+Client = Node(tag="c", client=1, torrc="client.tmpl")
+HSv2 = Node(tag="h", hs=1, torrc="hs.tmpl")
+HSv3 = Node(tag="h", hs=1, torrc="hs-v3.tmpl")
+SingleOnionv2 = Node(tag="h", hs=1, torrc="single-onion.tmpl")
+SingleOnionv3 = Node(tag="h", hs=1, torrc="single-onion-v3.tmpl")
+
+# A hidden service needs 5 authorities/relays to ensure it can build HS
+# connections:
+# a minimum path length of 3, plus the client-nominated rendezvous point,
+# plus a seperate introduction point
+NODES = Authority.getN(2) + ExitRelay.getN(3) + \
+Client.getN(1) + \
+HSv2.getN(1) + HSv3.getN(1) + \
+SingleOnionv2.getN(1) + SingleOnionv3.getN(1)
+
+ConfigureNodes(NODES)
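
Review bot: HSv2, HSv3, SingleOnionv2 and SingleOnionv3 are all declared with tag="h", so the tag cannot distinguish a v2 service from a v3 one, or an ordinary onion service from a single onion service; give each type its own tag if the tag is meant to identify the node's role. The comment above NODES also has "seperate" for "separate".
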
diff --git a/networks/hs-v23-exit-min b/networks/hs-v23-exit-min
new file mode 100644
index 000..ec7d9ac
--- /dev/null
+++ b/networks/hs-v23-exit-min
@@ -0,0 +1,15 @@
+# By default, Authorities are not configured as exits
+Authority = Node(tag="a", authority=1, relay=1, torrc="authority.tmpl")
+ExitRelay = Node(tag="r", relay=1, exit=1, torrc="relay.tmpl")
+Client = Node(tag="c", client=1, torrc="client.tmpl")
+HSv2 = Node(tag="h", hs=1, torrc="hs.tmpl")
+HSv3 = Node(tag="h", hs=1, torrc="hs-v3.tmpl")
+
+# A hidden service needs 5 authorities/relays to ensure it can build HS
+# connections:
+# a minimum path length of 3, plus the client-nominated rendezvous point,
+# plus a seperate introduction point
+NODES = Authority.getN(2) + ExitRelay.getN(3) + \
+Client.getN(1) + HSv2.getN(1) + HSv3.getN(1)
+
+ConfigureNodes(NODES)
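
Review bot: the header comment and the Authority, ExitRelay, Client, HSv2 and HSv3 definitions repeat hs-single-onion-v23-exit-min line for line, "seperate" typo included, so any later fix has to be made in both files. The commit message's question about combining networks applies directly here: defining the shared nodes once and building each network's NODES list from them would remove the duplication.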

___
tor-commits mailing list
tor-commits@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits


[tor-commits] [translation/tails-persistence-setup_completed] Update translations for tails-persistence-setup_completed

2018-01-30 Thread translation
commit f8343417d9884711d34b25cc01736f5e0c7d39ed
Author: Translation commit bot 
Date:   Wed Jan 31 02:46:16 2018 +

Update translations for tails-persistence-setup_completed
---
 el/el.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/el/el.po b/el/el.po
index 4c52720dc..54ced6df3 100644
--- a/el/el.po
+++ b/el/el.po
@@ -17,7 +17,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: Tails developers \n"
 "POT-Creation-Date: 2017-05-15 13:51+0200\n"
-"PO-Revision-Date: 2018-01-31 02:02+\n"
+"PO-Revision-Date: 2018-01-31 02:36+\n"
 "Last-Translator: Leonidas P.\n"
 "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-persistence-setup] Update translations for tails-persistence-setup

2018-01-30 Thread translation
commit ed0031d80ec39d16b31a197c7f7468e2c81b7948
Author: Translation commit bot 
Date:   Wed Jan 31 02:46:09 2018 +

Update translations for tails-persistence-setup
---
 el/el.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/el/el.po b/el/el.po
index 4c52720dc..54ced6df3 100644
--- a/el/el.po
+++ b/el/el.po
@@ -17,7 +17,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: Tails developers \n"
 "POT-Creation-Date: 2017-05-15 13:51+0200\n"
-"PO-Revision-Date: 2018-01-31 02:02+\n"
+"PO-Revision-Date: 2018-01-31 02:36+\n"
 "Last-Translator: Leonidas P.\n"
 "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [webwml/master] Move Brad to past contributors section

2018-01-30 Thread atagar
commit 80d5234365a68e464a568a83d5025df745239390
Author: Damian Johnson 
Date:   Tue Jan 30 09:50:33 2018 -0800

Move Brad to past contributors section
---
 about/en/contributors.wml |   3 +
 about/en/corepeople.wml   | 145 ++
 images/people/bparker.png | Bin 21887 -> 0 bytes
 keys/bparker.txt  |  63 
 4 files changed, 71 insertions(+), 140 deletions(-)

diff --git a/about/en/contributors.wml b/about/en/contributors.wml
index 08d7c0a7..ef73529f 100644
--- a/about/en/contributors.wml
+++ b/about/en/contributors.wml
@@ -174,6 +174,9 @@ all the users who contact the support desk.
 Chris PalmerOur liaison and tech guy with EFF while EFF
 was funding us. Also helped advocate and write end-user docs.
 
+Brad ParkerPrior chief financial  grants officer at the Tor
+Project.
+
 Martin PeckWorked on a VM-based transparent
 proxying approach for Tor clients on Windows.
 
diff --git a/about/en/corepeople.wml b/about/en/corepeople.wml
index 0e1fd824..1e6c86a2 100644
--- a/about/en/corepeople.wml
+++ b/about/en/corepeople.wml
@@ -121,15 +121,6 @@
 
   
 
-  
-  
-  
-  Brad Parker
-  IRC: bparker
-  Chief financial  grants officer at the Tor 
Project.
-
-
-
   
   
   https://db.torproject.org/fetchkey.cgi?fingerprint=F711FA29D61F88CE6879BAD0D91A345E56B01B25;>
@@ -137,9 +128,7 @@
   IRC: brade
   Developer on the Tor Browser team.
 
-  
 
-  
 
   
   
@@ -149,7 +138,9 @@
   IRC: komlo
   Chelsea is a software/security engineer and 
contributes to core tor.
 
+  
 
+  
 
   
   
@@ -157,9 +148,7 @@
   Cindy Cohn
   Tor Board member and https://www.eff.org/about/staff/cindy-cohn;>Executive Director of the 
EFF. Lawyer by training, https://blog.torproject.org/blog/tor-heart-notes-board-member;>my 
focus is on making sure Tor stays available and that Tor users stay 
safe.
 
-  
 
-  
 
   
   
@@ -169,7 +158,9 @@
   IRC: Phoul
   Support and translation coordinator, GSoC 
administrator, member of the community team and a director of https://www.coldhak.ca;>Coldhak.
 
+  
 
+  
 
   
   
@@ -178,9 +169,7 @@
   IRC: atagar
   Author of the https://stem.torproject.org/;>Stem python controller library and https://nyx.torproject.org/;>Nyx relay monitor.
 
-  
 
-  
 
   
   
@@ -189,7 +178,9 @@
   IRC: dgoulet
   Tor development team focusing on onion services 
and our torsocks maintainer.
 
+  
 
+  
 
   
   
@@ -199,9 +190,7 @@
   IRC: dawuud
   https://github.com/david415/;>Author 
of roflcoptor and honeybadger. Researches mixnets and contributes to 
txtorcon.
 
-  
 
-  
 
   
   
@@ -211,7 +200,9 @@
   IRC: DonnchaC
   Onion services developer, OnionBalance 
developer, hunter of bad relays.
 
+  
 
+  
 
   
   
@@ -220,9 +211,7 @@
   IRC: ewyatt
   Non-technical switchboard for people-related 
things: recruiting, onboarding, benefits, contracts, TPI policy questions, and 
baked goods.
 
-  
 
-  
 
   
   
@@ -232,7 +221,9 @@
   IRC: biella
   http://gabriellacoleman.org/;>Anthropologist and Wolfe Chair in 
Scientific and Technological Literacy at McGill University.
 
+  
 
+  
 
   
   
@@ -240,9 +231,7 @@
   IRC: gman999
   Tor BSD Diversity Project member, long-time 
relay operator, trainer.
 
-  
 
-  
 
   
   
@@ -251,7 +240,9 @@
   IRC: GeKo
   Currently lead of the Tor Browser team.
 
+  
 
+  
 
   
   
@@ -260,9 +251,7 @@
   IRC: asn
   Onion services. Security analysis. Used to 
obfsproxy. Follower of the onion.
 
-  
 
-  
 
   
   
@@ -272,7 +261,9 @@
   IRC: saint
   Tamper-resistant software distribution, 
censorship detection, https://github.com/glamrock/cupcake;>Cupcake, and security training 
of activists and domestic violence survivors.
 
+  
 
+  
 
   
   
@@ -282,9 +273,7 @@
   IRC: irl
   https://metrics.torproject.org;>Metrics team member and maintainer of 
https://atlas.torproject.org/;>Atlas.
 
-  
 
-  
 
   
   
@@ -292,7 +281,9 @@
   Ian Goldberg
   https://cs.uwaterloo.ca/~iang/;>Professor of CS at the https://uwaterloo.ca/;>University of Waterloo, developing https://otr.cypherpunks.ca/;>Off-the-Record Messaging among other 
things.
 
+  
 
+  
 
   
   
@@ -300,9 +291,7 @@
   intrigeri
   Our main interface with the https://tails.boum.org/;>Tails project.
 
-  
 
-  
 
   
   
@@ -312,7 +301,9 @@
   IRC: isabela
   Coordinates Tor's development teams and 
roadmaps. Keeps track of priorities, and ensures Tor always thinks of the 
user first.
 
+  
 
+  
 
   
   
@@ -322,9 +313,7 @@
   IRC: isis
   Tor developer 

[tor-commits] [translation/tails-openpgp-applet] Update translations for tails-openpgp-applet

2018-01-30 Thread translation
commit df1129c8c9cc22ef8d57090dba41e36caaed99dc
Author: Translation commit bot 
Date:   Wed Jan 31 02:18:49 2018 +

Update translations for tails-openpgp-applet
---
 el/openpgp-applet.pot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/el/openpgp-applet.pot b/el/openpgp-applet.pot
index e6e401620..1df9cce68 100644
--- a/el/openpgp-applet.pot
+++ b/el/openpgp-applet.pot
@@ -9,7 +9,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: ta...@boum.org\n"
 "POT-Creation-Date: 2017-08-05 15:07-0400\n"
-"PO-Revision-Date: 2018-01-25 15:53+\n"
+"PO-Revision-Date: 2018-01-31 01:49+\n"
 "Last-Translator: metamec\n"
 "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-openpgp-applet_completed] Update translations for tails-openpgp-applet_completed

2018-01-30 Thread translation
commit 599e054d8df33ee68e627d7c9ff3ebd2a85f9f52
Author: Translation commit bot 
Date:   Wed Jan 31 02:18:55 2018 +

Update translations for tails-openpgp-applet_completed
---
 el/openpgp-applet.pot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/el/openpgp-applet.pot b/el/openpgp-applet.pot
index e6e401620..1df9cce68 100644
--- a/el/openpgp-applet.pot
+++ b/el/openpgp-applet.pot
@@ -9,7 +9,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: ta...@boum.org\n"
 "POT-Creation-Date: 2017-08-05 15:07-0400\n"
-"PO-Revision-Date: 2018-01-25 15:53+\n"
+"PO-Revision-Date: 2018-01-31 01:49+\n"
 "Last-Translator: metamec\n"
 "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-misc] Update translations for tails-misc

2018-01-30 Thread translation
commit 2c4052b49ef368873941890a1ebf6864c8826f5f
Author: Translation commit bot 
Date:   Wed Jan 31 02:17:09 2018 +

Update translations for tails-misc
---
 el.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/el.po b/el.po
index acd357043..769e3d7e6 100644
--- a/el.po
+++ b/el.po
@@ -26,7 +26,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2017-09-13 20:10+0200\n"
-"PO-Revision-Date: 2017-09-28 08:06+\n"
+"PO-Revision-Date: 2018-01-31 01:57+\n"
 "Last-Translator: Elektra M. \n"
 "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-misc_completed] Update translations for tails-misc_completed

2018-01-30 Thread translation
commit a039dbb5214d805d15448c90674d53956ba9fd40
Author: Translation commit bot 
Date:   Wed Jan 31 02:17:14 2018 +

Update translations for tails-misc_completed
---
 el.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/el.po b/el.po
index acd357043..769e3d7e6 100644
--- a/el.po
+++ b/el.po
@@ -26,7 +26,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2017-09-13 20:10+0200\n"
-"PO-Revision-Date: 2017-09-28 08:06+\n"
+"PO-Revision-Date: 2018-01-31 01:57+\n"
 "Last-Translator: Elektra M. \n"
 "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-persistence-setup_completed] Update translations for tails-persistence-setup_completed

2018-01-30 Thread translation
commit 6296a16d1a0f10032c3a7a9c66e5c0ebad10955e
Author: Translation commit bot 
Date:   Wed Jan 31 02:16:12 2018 +

Update translations for tails-persistence-setup_completed
---
 el/el.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/el/el.po b/el/el.po
index aa25edf02..4c52720dc 100644
--- a/el/el.po
+++ b/el/el.po
@@ -17,7 +17,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: Tails developers \n"
 "POT-Creation-Date: 2017-05-15 13:51+0200\n"
-"PO-Revision-Date: 2018-01-25 15:57+\n"
+"PO-Revision-Date: 2018-01-31 02:02+\n"
 "Last-Translator: Leonidas P.\n"
 "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-persistence-setup] Update translations for tails-persistence-setup

2018-01-30 Thread translation
commit 00e48097ee620850eded94b07e5da779a0da6c56
Author: Translation commit bot 
Date:   Wed Jan 31 02:16:03 2018 +

Update translations for tails-persistence-setup
---
 el/el.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/el/el.po b/el/el.po
index aa25edf02..4c52720dc 100644
--- a/el/el.po
+++ b/el/el.po
@@ -17,7 +17,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: Tails developers \n"
 "POT-Creation-Date: 2017-05-15 13:51+0200\n"
-"PO-Revision-Date: 2018-01-25 15:57+\n"
+"PO-Revision-Date: 2018-01-31 02:02+\n"
 "Last-Translator: Leonidas P.\n"
 "Language-Team: Greek (http://www.transifex.com/otf/torproject/language/el/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/torbirdy] Update translations for torbirdy

2018-01-30 Thread translation
commit 0ae8c816ddc16b4a6817964ba8dfd698f3a612c7
Author: Translation commit bot 
Date:   Tue Jan 30 23:46:21 2018 +

Update translations for torbirdy
---
 el/torbirdy.dtd | 2 --
 1 file changed, 2 deletions(-)

diff --git a/el/torbirdy.dtd b/el/torbirdy.dtd
index a5e160464..767c973b7 100644
--- a/el/torbirdy.dtd
+++ b/el/torbirdy.dtd
@@ -40,8 +40,6 @@
 
 
 
-
-
 
 
 



[tor-commits] [tor/master] dos: Man page entry for DoS mitigation

2018-01-30 Thread nickm
commit a3714268f659998dc879ed723852440cd8be1b04
Author: David Goulet 
Date:   Fri Jan 26 09:00:17 2018 -0500

dos: Man page entry for DoS mitigation

Signed-off-by: David Goulet 
---
 doc/tor.1.txt | 90 +++
 1 file changed, 90 insertions(+)

diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 4c5d5359a..a2bbb8ab6 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -2441,6 +2441,96 @@ The following options are used to configure a hidden 
service.
 including setting SOCKSPort to "0".
 (Default: 0)
 
+DENIAL OF SERVICE MITIGATION OPTIONS
+
+
+The following options are useful only for a public relay. They control the
+Denial of Service mitigation subsystem.
+
+[[DoSCircuitCreationEnabled]] **DoSCircuitCreationEnabled** 
**0**|**1**|**auto**::
+
+Enable circuit creation DoS mitigation. If enabled, tor will cache client
+IPs along with statistics in order to detect circuit DoS attacks. If an
+address is positively identified, tor will activate defenses against the
+address. See the DoSCircuitCreationDefenseType option for more details.
+This is a client to relay detection only. "auto" means use the consensus
+parameter.
+(Default: auto)
+
+[[DoSCircuitCreationMinConnections]] **DoSCircuitCreationMinConnections** 
__NUM__::
+
+Minimum threshold of concurrent connections before a client address can be
+flagged as executing a circuit creation DoS. In other words, once a client
+address reaches the circuit rate and has a minimum of NUM concurrent
+connections, a detection is positive. "0" means use the consensus
+parameter.
+(Default: 0)
+
+[[DoSCircuitCreationRateTenths]] **DoSCircuitCreationRateTenths** __NUM__::
+
+The allowed circuit creation rate in tenths of circuit per second applied
+per client IP address. For example, if you want to set a rate of 5
+circuits per second allowed per IP address, this value should be set to
+50. If this option is 0, it obeys a consensus parameter. (Default: 0)
+
+[[DoSCircuitCreationBurst]] **DoSCircuitCreationBurst** __NUM__::
+
+The allowed circuit creation burst per client IP address. If the circuit
+rate and the burst are reached, a client is marked as executing a circuit
+creation DoS. "0" means use the consensus parameter.
+(Default: 0)
+
+[[DoSCircuitCreationDefenseType]] **DoSCircuitCreationDefenseType** __NUM__::
+
+This is the type of defense applied to a detected client address. The
+possible values are:
+
+  1: No defense.
+  2: Refuse circuit creation for the DoSCircuitCreationDefenseTimePeriod 
period of time.
++
+"0" means use the consensus parameter.
+(Default: 0)
+
+[[DoSCircuitCreationDefenseTimePeriod]] 
**DoSCircuitCreationDefenseTimePeriod** __NUM__::
+
+The base time period that the DoS defense is activated for. The actual
+value is selected randomly for each activation from NUM+1 to 3/2 * NUM.
+"0" means use the consensus parameter.
+(Default: 0)
+
+[[DoSConnectionEnabled]] **DoSConnectionEnabled** **0**|**1**|**auto**::
+
+Enable the connection DoS mitigation. For client address only, this allows
+tor to mitigate against large number of concurrent connections made by a
+single IP address. "auto" means use the consensus parameter.
+(Default: auto)
+
+[[DoSConnectionMaxConcurrentCount]] **DoSConnectionMaxConcurrentCount** 
__NUM__::
+
+The maximum threshold of concurrent connection from a client IP address.
+Above this limit, a defense selected by DoSConnectionDefenseType is
+applied. "0" means use the consensus parameter.
+(Default: 0)
+
+[[DoSConnectionDefenseType]] **DoSConnectionDefenseType** __NUM__::
+
+This is the type of defense applied to a detected client address for the
+connection mitigation. The possible values are:
+
+  1: No defense.
+  2: Immediately close new connections.
++
+"0" means use the consensus parameter.
+(Default: 0)
+
+[[DoSRefuseSingleHopClientRendezvous]] **DoSRefuseSingleHopClientRendezvous** 
**0**|**1**|**auto**::
+
+Refuse establishment of rendezvous points for single hop clients. In other
+words, if a client directly connects to the relay and sends an
+ESTABLISH_RENDEZVOUS cell, it is silently dropped. "auto" means use the
+consensus parameter.
+(Default: auto)
+
 TESTING NETWORK OPTIONS
 ---
 
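Review bot: DoSCircuitCreationDefenseTimePeriod never states the unit of NUM ("The base time period that the DoS defense is activated for"), so an operator cannot tell whether a value means seconds, minutes or hours; add the unit to that entry. The entries for DoSCircuitCreationMinConnections and DoSCircuitCreationBurst also describe the detection condition differently ("reaches the circuit rate and has a minimum of NUM concurrent connections" versus "the circuit rate and the burst are reached"); stating once how rate, burst and minimum connections combine would remove the ambiguity.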





[tor-commits] [tor/master] Merge branch 'ticket24902_029_05' into ticket24902_033_02

2018-01-30 Thread nickm
commit cd81403cc0d73d53cb7f3650b38d49c54100af25
Merge: 03ab24b44 9aca7d473
Author: David Goulet 
Date:   Tue Jan 30 09:33:12 2018 -0500

Merge branch 'ticket24902_029_05' into ticket24902_033_02

 changes/ticket24902|  13 +
 doc/tor.1.txt  |  88 ++
 src/common/log.c   |   2 +-
 src/common/torlog.h|   4 +-
 src/or/channel.c   |   9 +-
 src/or/channel.h   |   3 +-
 src/or/command.c   |  13 +
 src/or/config.c|  25 ++
 src/or/connection.c|  16 ++
 src/or/dos.c   | 737 +
 src/or/dos.h   | 140 ++
 src/or/geoip.c |  63 +++--
 src/or/geoip.h |  27 ++
 src/or/include.am  |   2 +
 src/or/main.c  |   2 +
 src/or/networkstatus.c |   2 +
 src/or/or.h|  33 +++
 src/or/rendmid.c   |  12 +
 src/or/status.c|   2 +
 src/test/include.am|   1 +
 src/test/test.c|   1 +
 src/test/test.h|   1 +
 src/test/test_dos.c| 248 +
 23 files changed, 1410 insertions(+), 34 deletions(-)

diff --cc doc/tor.1.txt
index ef3d1eb9e,58997cdf3..5ad818365
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@@ -2749,9 -2438,97 +2749,97 @@@ The following options are used to confi
  non-anonymous HiddenServiceSingleHopMode. Enables direct connections in 
the
  server-side hidden service protocol.  If you are using this option,
  you need to disable all client-side services on your Tor instance,
 -including setting SOCKSPort to "0".
 -(Default: 0)
 +including setting SOCKSPort to "0". Can not be changed while tor is
 +running. (Default: 0)
  
+ DENIAL OF SERVICE MITIGATION OPTIONS
+ 
+ 
+ The following options are useful only for a public relay. They control the
+ Denial of Service mitigation subsystem.
+ 
+ [[DoSCircuitCreationEnabled]] **DoSCircuitCreationEnabled** 
**0**|**1**|**auto**::
+ 
+ Enable circuit creation DoS mitigation. If enabled, tor will cache client
+ IPs along with statistics in order to detect circuit DoS attacks. If an
+ address is positively identified, tor will activate defenses against the
+ address. See the DoSCircuitCreationDefenseType option for more details.
+ This is a client to relay detection only. "auto" means use the consensus
+ parameter.
+ (Default: auto)
+ 
+ [[DoSCircuitCreationMinConnections]] **DoSCircuitCreationMinConnections** 
__NUM__::
+ 
+ Minimum threshold of concurrent connections before a client address can be
+ flagged as executing a circuit creation DoS. In other words, once a client
+ address reaches the circuit rate and has a minimum of NUM concurrent
+ connections, a detection is positive. "0" means use the consensus
+ parameter.
+ (Default: 0)
+ 
+ [[DoSCircuitCreationRate]] **DoSCircuitCreationRate** __NUM__::
+ 
+ The allowed circuit creation rate per second applied per client IP
+ address. If this option is 0, it obeys a consensus parameter. (Default: 0)
+ 
+ [[DoSCircuitCreationBurst]] **DoSCircuitCreationBurst** __NUM__::
+ 
+ The allowed circuit creation burst per client IP address. If the circuit
+ rate and the burst are reached, a client is marked as executing a circuit
+ creation DoS. "0" means use the consensus parameter.
+ (Default: 0)
+ 
+ [[DoSCircuitCreationDefenseType]] **DoSCircuitCreationDefenseType** __NUM__::
+ 
+ This is the type of defense applied to a detected client address. The
+ possible values are:
+ 
+   1: No defense.
+   2: Refuse circuit creation for the DoSCircuitCreationDefenseTimePeriod 
period of time.
+ +
+ "0" means use the consensus parameter.
+ (Default: 0)
+ 
+ [[DoSCircuitCreationDefenseTimePeriod]] 
**DoSCircuitCreationDefenseTimePeriod** __NUM__::
+ 
+ The base time period that the DoS defense is activated for. The actual
+ value is selected randomly for each activation from NUM+1 to 3/2 * NUM.
+ "0" means use the consensus parameter.
+ (Default: 0)
+ 
+ [[DoSConnectionEnabled]] **DoSConnectionEnabled** **0**|**1**|**auto**::
+ 
+ Enable the connection DoS mitigation. For client address only, this allows
+ tor to mitigate against large number of concurrent connections made by a
+ single IP address. "auto" means use the consensus parameter.
+ (Default: auto)
+ 
+ [[DoSConnectionMaxConcurrentCount]] **DoSConnectionMaxConcurrentCount** 
__NUM__::
+ 
+ The maximum threshold of concurrent connection from a client IP address.
+ Above this limit, a defense selected by DoSConnectionDefenseType is
+ applied. "0" means use the consensus parameter.
+ (Default: 0)
+ 
+ [[DoSConnectionDefenseType]] **DoSConnectionDefenseType** __NUM__::
+ 
+ This is the type of defense applied to a detected client address for the
+ connection mitigation. The possible values are:
+ 
+   1: No defense.
+   2: Immediately close new 
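
Review bot: the rate option is documented in this merge as DoSCircuitCreationRate, in circuits per second, while the man page commit a3714268 earlier on this page documents DoSCircuitCreationRateTenths, in tenths of a circuit per second. Check that the name and unit the merged doc/tor.1.txt ends up with match what config.c parses, so operators are not left with two names and two units for the same limit.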

[tor-commits] [tor/master] dos: Add changes file for ticket 24902

2018-01-30 Thread nickm
commit 9aca7d47306222f2870ec16a7291a8215d6c3316
Author: David Goulet 
Date:   Tue Jan 30 09:15:33 2018 -0500

dos: Add changes file for ticket 24902

Signed-off-by: David Goulet 
---
 changes/ticket24902 | 13 +
 1 file changed, 13 insertions(+)

diff --git a/changes/ticket24902 b/changes/ticket24902
new file mode 100644
index 0..1a2ef95cc
--- /dev/null
+++ b/changes/ticket24902
@@ -0,0 +1,13 @@
+  o Major features (denial of service mitigation):
+- Give relays some defenses against the recent network overload. We start
+  with three defenses (default parameters in parentheses). First: if a
+  single client address makes too many concurrent connections (>100), hang
+  up on further connections. Second: if a single client address makes
+  circuits too quickly (more than 3 per second, with an allowed burst of
+  90) while also having too many connections open (3), refuse new create
+  cells for the next while (1-2 hours). Third: if a client asks to
+  establish a rendezvous point to you directly, ignore the request. These
+  defenses can be manually controlled by new torrc options, but relays
+  will also take guidance from consensus parameters, so there's no need to
+  configure anything manually. Implements ticket 24902.
+
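
Review bot: "refuse new create cells for the next while (1-2 hours)" does not match the man page text on this page, which gives the defense period as "NUM+1 to 3/2 * NUM", a range whose upper end is 1.5 times the base rather than 2 times; reconcile the two. It would also help to say where the values in parentheses come from, since the torrc options as documented default to 0 or auto (use the consensus parameter).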





[tor-commits] [tor/master] geoip: Add a lookup function for client map entry

2018-01-30 Thread nickm
commit 93b826faaa7cca351c68256ce60a7f7e6c5fda5b
Author: David Goulet 
Date:   Thu Jan 25 15:44:48 2018 -0500

geoip: Add a lookup function for client map entry

The upcoming DoS mitigation subsystem needs to keep information on a per-IP
basis which is also what the geoip clientmap does.

For another subsystem to access that clientmap, this commit adds a lookup
function that returns the entry. For this, the clientmap_entry_t had to be
moved to the header file.

Signed-off-by: David Goulet 
---
 src/or/geoip.c | 46 +-
 src/or/geoip.h | 22 ++
 2 files changed, 43 insertions(+), 25 deletions(-)

diff --git a/src/or/geoip.c b/src/or/geoip.c
index 00c055bbe..e2a1b1cee 100644
--- a/src/or/geoip.c
+++ b/src/or/geoip.c
@@ -472,24 +472,6 @@ geoip_db_digest(sa_family_t family)
 return hex_str(geoip6_digest, DIGEST_LEN);
 }
 
-/** Entry in a map from IP address to the last time we've seen an incoming
- * connection from that IP address. Used by bridges only, to track which
- * countries have them blocked. */
-typedef struct clientmap_entry_t {
-  HT_ENTRY(clientmap_entry_t) node;
-  tor_addr_t addr;
- /* Name of pluggable transport used by this client. NULL if no
-pluggable transport was used. */
-  char *transport_name;
-
-  /** Time when we last saw this IP address, in MINUTES since the epoch.
-   *
-   * (This will run out of space around 4011 CE.  If Tor is still in use around
-   * 4000 CE, please remember to add more bits to last_seen_in_minutes.) */
-  unsigned int last_seen_in_minutes:30;
-  unsigned int action:2;
-} clientmap_entry_t;
-
 /** Largest allowable value for last_seen_in_minutes.  (It's a 30-bit field,
  * so it can hold up to (1u<<30)-1, or 0x3fffu.
  */
@@ -564,8 +546,7 @@ geoip_note_client_seen(geoip_client_action_t action,
time_t now)
 {
   const or_options_t *options = get_options();
-  clientmap_entry_t lookup, *ent;
-  memset(, 0, sizeof(clientmap_entry_t));
+  clientmap_entry_t *ent;
 
   if (action == GEOIP_CLIENT_CONNECT) {
 /* Only remember statistics as entry guard or as bridge. */
@@ -583,11 +564,7 @@ geoip_note_client_seen(geoip_client_action_t action,
 safe_str_client(fmt_addr((addr))),
 transport_name ? transport_name : "");
 
-  tor_addr_copy(, addr);
-  lookup.action = (int)action;
-  lookup.transport_name = (char*) transport_name;
-  ent = HT_FIND(clientmap, _history, );
-
+  ent = geoip_lookup_client(addr, transport_name, action);
   if (! ent) {
 ent = tor_malloc_zero(sizeof(clientmap_entry_t));
 tor_addr_copy(>addr, addr);
@@ -635,6 +612,25 @@ geoip_remove_old_clients(time_t cutoff)
   );
 }
 
+/* Return a client entry object matching the given address, transport name and
+ * geoip action from the clientmap. NULL if not found. The transport_name can
+ * be NULL. */
+clientmap_entry_t *
+geoip_lookup_client(const tor_addr_t *addr, const char *transport_name,
+geoip_client_action_t action)
+{
+  clientmap_entry_t lookup;
+
+  tor_assert(addr);
+
+  /* We always look for a client connection with no transport. */
+  tor_addr_copy(, addr);
+  lookup.action = action;
+  lookup.transport_name = (char *) transport_name;
+
+  return HT_FIND(clientmap, _history, );
+}
+
 /** How many responses are we giving to clients requesting v3 network
  * statuses? */
 static uint32_t ns_v3_responses[GEOIP_NS_RESPONSE_NUM];
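
Review bot: geoip_lookup_client() declares "clientmap_entry_t lookup;" without zeroing it, whereas the code removed from geoip_note_client_seen() ran memset over the lookup key before filling it in. The node and last_seen_in_minutes fields are now uninitialised stack data, which is safe only if the clientmap hash and equality functions read nothing but addr, action and transport_name; either restore the memset or state that assumption in the comment. The inline comment "We always look for a client connection with no transport." also contradicts the code, which passes the caller's transport_name through, and the function's doc comment opens with "/*" where the neighbouring ones use "/**".
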
diff --git a/src/or/geoip.h b/src/or/geoip.h
index 070296dd0..b80efceb3 100644
--- a/src/or/geoip.h
+++ b/src/or/geoip.h
@@ -20,6 +20,25 @@ STATIC int geoip_get_country_by_ipv4(uint32_t ipaddr);
 STATIC int geoip_get_country_by_ipv6(const struct in6_addr *addr);
 STATIC void clear_geoip_db(void);
 #endif
+
+/** Entry in a map from IP address to the last time we've seen an incoming
+ * connection from that IP address. Used by bridges only to track which
+ * countries have them blocked, or the DoS mitigation subsystem if enabled. */
+typedef struct clientmap_entry_t {
+  HT_ENTRY(clientmap_entry_t) node;
+  tor_addr_t addr;
+  /* Name of pluggable transport used by this client. NULL if no
+ pluggable transport was used. */
+  char *transport_name;
+
+  /** Time when we last saw this IP address, in MINUTES since the epoch.
+   *
+   * (This will run out of space around 4011 CE.  If Tor is still in use around
+   * 4000 CE, please remember to add more bits to last_seen_in_minutes.) */
+  unsigned int last_seen_in_minutes:30;
+  unsigned int action:2;
+} clientmap_entry_t;
+
 int should_record_bridge_info(const or_options_t *options);
 int geoip_load_file(sa_family_t family, const char *filename);
 MOCK_DECL(int, geoip_get_country_by_addr, (const tor_addr_t *addr));
@@ -33,6 +52,9 @@ void geoip_note_client_seen(geoip_client_action_t action,
 const tor_addr_t *addr, const char 

[tor-commits] [tor/master] dos: Detect circuit creation denial of service

2018-01-30 Thread nickm
commit 97abb3543b858afd27ed857903814175c1dfbf12
Author: David Goulet 
Date:   Thu Jan 25 16:14:40 2018 -0500

dos: Detect circuit creation denial of service

Add a function that notifies the DoS subsystem that a new CREATE cell has
arrived. The statistics are updated accordingly and the IP address can also be
marked as malicious if it is above threshold.

At this commit, no defense is applied, just detection with a circuit creation
token bucket system.

Signed-off-by: David Goulet 
---
 src/or/command.c |   6 ++
 src/or/dos.c | 179 +++
 src/or/dos.h |   6 ++
 3 files changed, 191 insertions(+)

diff --git a/src/or/command.c b/src/or/command.c
index 5866c386e..d2df55a4b 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -46,6 +46,7 @@
 #include "config.h"
 #include "control.h"
 #include "cpuworker.h"
+#include "dos.h"
 #include "hibernate.h"
 #include "nodelist.h"
 #include "onion.h"
@@ -247,6 +248,11 @@ command_process_create_cell(cell_t *cell, channel_t *chan)
 (unsigned)cell->circ_id,
 U64_PRINTF_ARG(chan->global_identifier), chan);
 
+  /* First thing we do, even though the cell might be invalid, is inform the
+   * DoS mitigation subsystem layer of this event. Validation is done by this
+   * function. */
+  dos_cc_new_create_cell(chan);
+
   /* We check for the conditions that would make us drop the cell before
* we check for the conditions that would make us send a DESTROY back,
* since those conditions would make a DESTROY nonsensical. */
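
Review bot: dos_cc_new_create_cell(chan) sits ahead of every drop check in command_process_create_cell, so a CREATE cell that is later dropped as invalid is still counted by the DoS statistics; if that is intended, the comment should say so explicitly. "Validation is done by this function" is also ambiguous about which function is meant. Naming dos_cc_new_create_cell there, and stating that it has to cope with any channel it is handed, would make the contract clear.
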
diff --git a/src/or/dos.c b/src/or/dos.c
index d1a2c6a28..b83ea6029 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -35,6 +35,9 @@ static uint32_t dos_cc_circuit_burst;
 static dos_cc_defense_type_t dos_cc_defense_type;
 static int32_t dos_cc_defense_time_period;
 
+/* Keep some stats for the heartbeat so we can report out. */
+static uint32_t cc_num_marked_addrs;
+
 /*
  * Concurrent connection denial of service mitigation.
  *
@@ -209,6 +212,117 @@ cc_consensus_has_changed(const networkstatus_t *ns)
   }
 }
 
+/** Return the number of circuits we allow per second under the current
+ *  configuration. */
+STATIC uint32_t
+get_circuit_rate_per_second(void)
+{
+  int64_t circ_rate;
+
+  /* We take the burst divided by the rate which is in tenths of a second so
+   * convert to get a circuit rate per second. */
+  circ_rate = dos_cc_circuit_rate_tenths / 10;
+  if (circ_rate < 0) {
+/* Safety check, never allow it to go below 0 else the bucket will always
+ * be empty resulting in every address to be detected. */
+circ_rate = 1;
+  }
+
+  /* Clamp it down to a 32 bit value because a rate of 2^32 circuits per
+   * second is just too much in any circumstances. */
+  if (circ_rate > UINT32_MAX) {
+circ_rate = UINT32_MAX;
+  }
+  return (uint32_t) circ_rate;
+}
+
+/* Given the circuit creation client statistics object, refill the circuit
+ * bucket if needed. This also works if the bucket was never filled in the
+ * first place. The addr is only used for logging purposes. */
+STATIC void
+cc_stats_refill_bucket(cc_client_stats_t *stats, const tor_addr_t *addr)
+{
+  uint32_t new_circuit_bucket_count, circuit_rate = 0, num_token;
+  time_t now, elapsed_time_last_refill;
+
+  tor_assert(stats);
+  tor_assert(addr);
+
+  now = approx_time();
+
+  /* We've never filled the bucket so fill it with the maximum being the burst
+   * and we are done. */
+  if (stats->last_circ_bucket_refill_ts == 0) {
+num_token = dos_cc_circuit_burst;
+goto end;
+  }
+
+  /* At this point, we know we might need to add token to the bucket. We'll
+   * first compute the circuit rate that is how many circuit are we allowed to
+   * do per second. */
+  circuit_rate = get_circuit_rate_per_second();
+
+  /* How many seconds have elapsed between now and the last refill? */
+  elapsed_time_last_refill = now - stats->last_circ_bucket_refill_ts;
+
+  /* If the elapsed time is below 0 it means our clock jumped backward so in
+   * that case, lets be safe and fill it up to the maximum. Not filling it
+   * could trigger a detection for a valid client. Also, if the clock jumped
+   * negative but we didn't notice until the elapsed time became positive
+   * again, then we potentially spent many seconds not refilling the bucket
+   * when we should have been refilling it. But the fact that we didn't notice
+   * until now means that no circuit creation requests came in during that
+   * time, so the client doesn't end up punished that much from this hopefully
+   * rare situation.*/
+  if (elapsed_time_last_refill < 0) {
+/* Dividing the burst by the circuit rate gives us the time span that will
+ * give us the maximum allowed value of token. */
+elapsed_time_last_refill = (dos_cc_circuit_burst / circuit_rate);
+  }
+
+  /* Compute how many circuits we are allowed in that time frame 
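
Review bot: get_circuit_rate_per_second can return 0, and cc_stats_refill_bucket then divides by it. With dos_cc_circuit_rate_tenths anywhere from 0 to 9 the integer division by 10 yields 0, the safety check only tests circ_rate < 0, and the clock-jump branch computes dos_cc_circuit_burst / circuit_rate. The check should be circ_rate < 1 (its own comment already worries about an always-empty bucket, which a rate of 0 also produces), or the caller should guard the division. The comment "We take the burst divided by the rate" also does not match the code, which only divides the rate by 10.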

[tor-commits] [tor/master] dos: Add the connection DoS mitigation subsystem

2018-01-30 Thread nickm
commit acf7ea77d8d76830924a14145afbcf3c95a06b0e
Author: David Goulet 
Date:   Thu Jan 25 16:28:54 2018 -0500

dos: Add the connection DoS mitigation subsystem

Defend against an address that has reached the concurrent connection count
threshold.

Signed-off-by: David Goulet 
---
 src/or/connection.c |  8 
 src/or/dos.c| 34 ++
 src/or/dos.h|  2 ++
 3 files changed, 44 insertions(+)

diff --git a/src/or/connection.c b/src/or/connection.c
index 15f489c6b..791fd95c2 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -1600,6 +1600,14 @@ connection_handle_listener_read(connection_t *conn, int 
new_type)
 return 0;
   }
 }
+if (new_type == CONN_TYPE_OR) {
+  /* Assess with the connection DoS mitigation subsystem if this address
+   * can open a new connection. */
+  if (dos_conn_addr_get_defense_type() == DOS_CONN_DEFENSE_CLOSE) {
+tor_close_socket(news);
+return 0;
+  }
+}
 
 newconn = connection_new(new_type, conn->socket_family);
 newconn->s = news;
diff --git a/src/or/dos.c b/src/or/dos.c
index 8c00a2f31..7e3a2ab7f 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -53,6 +53,9 @@ static unsigned int dos_conn_enabled = 0;
 static uint32_t dos_conn_max_concurrent_count;
 static dos_conn_defense_type_t dos_conn_defense_type;
 
+/* Keep some stats for the heartbeat so we can report out. */
+static uint64_t conn_num_addr_rejected;
+
 /*
  * General interface of the denial of service mitigation subsystem.
  */
@@ -488,6 +491,37 @@ dos_cc_get_defense_type(channel_t *chan)
 
 /* Concurrent connection detection public API. */
 
+/* Return true iff the given address is permitted to open another connection.
+ * A defense value is returned for the caller to take appropriate actions. */
+dos_conn_defense_type_t
+dos_conn_addr_get_defense_type(const tor_addr_t *addr)
+{
+  clientmap_entry_t *entry;
+
+  tor_assert(addr);
+
+  /* Skip everything if not enabled. */
+  if (!dos_conn_enabled) {
+goto end;
+  }
+
+  /* We are only interested in client connection from the geoip cache. */
+  entry = geoip_lookup_client(addr, NULL, GEOIP_CLIENT_CONNECT);
+  if (entry == NULL) {
+goto end;
+  }
+
+  /* Need to be above the maximum concurrent connection count to trigger a
+   * defense. */
+  if (entry->dos_stats.concurrent_count > dos_conn_max_concurrent_count) {
+conn_num_addr_rejected++;
+return dos_conn_defense_type;
+  }
+
+ end:
+  return DOS_CONN_DEFENSE_NONE;
+}
+
 /* General API */
 
 /* Called when a new client connection has been established on the given
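
Review bot: the doc comment on dos_conn_addr_get_defense_type says "Return true iff the given address is permitted to open another connection", but the function returns a dos_conn_defense_type_t and the permitted case is DOS_CONN_DEFENSE_NONE; the comment should describe the enum result instead. The test concurrent_count > dos_conn_max_concurrent_count is also evaluated from connection_handle_listener_read at accept time, while the count is only incremented later from channel_do_open_actions, so an address sitting exactly at the maximum is allowed one more connection. If the parameter is meant as a hard cap this should be >=; otherwise the option documentation should say the defense triggers only above the value.
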
diff --git a/src/or/dos.h b/src/or/dos.h
index fa86295cf..cc7749836 100644
--- a/src/or/dos.h
+++ b/src/or/dos.h
@@ -107,6 +107,8 @@ typedef enum dos_conn_defense_type_t {
   DOS_CONN_DEFENSE_MAX  = 2,
 } dos_conn_defense_type_t;
 
+dos_conn_defense_type_t dos_conn_addr_get_defense_type(const tor_addr_t *addr);
+
 #ifdef DOS_PRIVATE
 
 STATIC uint32_t get_param_conn_max_concurrent_count(



___
tor-commits mailing list
tor-commits@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits


[tor-commits] [tor/master] dos: Track new and closed OR client connections

2018-01-30 Thread nickm
commit c05272783d0164363023ddd4b3ee93c2e12c8911
Author: David Goulet 
Date:   Thu Jan 25 16:05:59 2018 -0500

dos: Track new and closed OR client connections

Implement a basic connection tracking that counts the number of concurrent
connections when they open and close.

This commit also adds the circuit creation mitigation data structure that will
be needed at a later commit to keep track of the circuit rate.

Signed-off-by: David Goulet 
---
 src/or/channel.c|  5 
 src/or/connection.c |  8 ++
 src/or/dos.c| 75 +
 src/or/dos.h|  3 +++
 src/or/geoip.h  |  5 
 src/or/or.h |  4 +++
 6 files changed, 100 insertions(+)

diff --git a/src/or/channel.c b/src/or/channel.c
index f547aea1b..fdd3f81e8 100644
--- a/src/or/channel.c
+++ b/src/or/channel.c
@@ -2583,6 +2583,7 @@ channel_do_open_actions(channel_t *chan)
 if (!router_get_by_id_digest(chan->identity_digest)) {
   if (channel_get_addr_if_possible(chan, _addr)) {
 char *transport_name = NULL;
+channel_tls_t *tlschan = BASE_CHAN_TO_TLS(chan);
 if (chan->get_transport_name(chan, _name) < 0)
   transport_name = NULL;
 
@@ -2590,6 +2591,10 @@ channel_do_open_actions(channel_t *chan)
_addr, transport_name,
now);
 tor_free(transport_name);
+/* Notify the DoS subsystem of a new client. */
+if (tlschan && tlschan->conn) {
+  dos_new_client_conn(tlschan->conn);
+}
   }
   /* Otherwise the underlying transport can't tell us this, so skip it */
 }
diff --git a/src/or/connection.c b/src/or/connection.c
index 8b00d637f..15f489c6b 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -78,6 +78,7 @@
 #include "dirserv.h"
 #include "dns.h"
 #include "dnsserv.h"
+#include "dos.h"
 #include "entrynodes.h"
 #include "ext_orport.h"
 #include "geoip.h"
@@ -687,6 +688,13 @@ connection_free,(connection_t *conn))
   "connection_free");
   }
 #endif
+
+  /* Notify the circuit creation DoS mitigation subsystem that an OR client
+   * connection has been closed. And only do that if we track it. */
+  if (conn->type == CONN_TYPE_OR) {
+dos_close_client_conn(TO_OR_CONN(conn));
+  }
+
   connection_unregister_events(conn);
   connection_free_(conn);
 }
diff --git a/src/or/dos.c b/src/or/dos.c
index 4b5983d16..d1a2c6a28 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -246,6 +246,81 @@ dos_is_enabled(void)
 
 /* General API */
 
+/* Called when a new client connection has been established on the given
+ * address. */
+void
+dos_new_client_conn(or_connection_t *or_conn)
+{
+  clientmap_entry_t *entry;
+
+  tor_assert(or_conn);
+
+  /* Past that point, we know we have at least one DoS detection subsystem
+   * enabled so we'll start allocating stuff. */
+  if (!dos_is_enabled()) {
+goto end;
+  }
+
+  /* We are only interested in client connection from the geoip cache. */
+  entry = geoip_lookup_client(_conn->real_addr, NULL,
+  GEOIP_CLIENT_CONNECT);
+  if (BUG(entry == NULL)) {
+/* Should never happen because we note down the address in the geoip
+ * cache before this is called. */
+goto end;
+  }
+
+  entry->dos_stats.concurrent_count++;
+  or_conn->tracked_for_dos_mitigation = 1;
+  log_debug(LD_DOS, "Client address %s has now %u concurrent connections.",
+fmt_addr(_conn->real_addr),
+entry->dos_stats.concurrent_count);
+
+ end:
+  return;
+}
+
+/* Called when a client connection for the given IP address has been closed. */
+void
+dos_close_client_conn(const or_connection_t *or_conn)
+{
+  clientmap_entry_t *entry;
+
+  tor_assert(or_conn);
+
+  /* We have to decrement the count on tracked connection only even if the
+   * subsystem has been disabled at runtime because it might be re-enabled
+   * after and we need to keep a synchronized counter at all time. */
+  if (!or_conn->tracked_for_dos_mitigation) {
+goto end;
+  }
+
+  /* We are only interested in client connection from the geoip cache. */
+  entry = geoip_lookup_client(_conn->real_addr, NULL,
+  GEOIP_CLIENT_CONNECT);
+  if (entry == NULL) {
+/* This can happen because we can close a connection before the channel
+ * got to be noted down in the geoip cache. */
+goto end;
+  }
+
+  /* Extra super duper safety. Going below 0 means an underflow which could
+   * lead to most likely a false positive. In theory, this should never happen
+   * but lets be extra safe. */
+  if (BUG(entry->dos_stats.concurrent_count == 0)) {
+goto end;
+  }
+
+  entry->dos_stats.concurrent_count--;
+  log_debug(LD_DOS, "Client address %s has lost a connection. Concurrent "
+"connections are now at %u",
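
Review bot: in dos_close_client_conn the comment on the entry == NULL branch does not match the path that reaches it. tracked_for_dos_mitigation is only set in dos_new_client_conn after geoip_lookup_client succeeded, so a tracked connection with no entry means the entry went away after it was counted, not that it was never noted down. The comment should say what removes entries, and whether an entry that is re-created while older tracked connections are still open restarts at zero and can reach BUG(entry->dos_stats.concurrent_count == 0) when they close. The increment in dos_new_client_conn also has no saturation guard to mirror the underflow guard on the decrement.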
+

[tor-commits] [tor/master] dos: Add a heartbeat log

2018-01-30 Thread nickm
commit 14a8b87852887f8c20a424ff32a2b6746105dd6c
Author: David Goulet 
Date:   Thu Jan 25 16:36:05 2018 -0500

dos: Add a heartbeat log

Signed-off-by: David Goulet 
---
 src/or/dos.c| 45 +
 src/or/dos.h|  1 +
 src/or/status.c |  2 ++
 3 files changed, 48 insertions(+)

diff --git a/src/or/dos.c b/src/or/dos.c
index d98d3db16..40e88aead 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -555,6 +555,51 @@ dos_should_refuse_single_hop_client(void)
0 /* default */, 0, 1);
 }
 
+/* Log a heartbeat message with some statistics. */
+void
+dos_log_heartbeat(void)
+{
+  char *conn_msg = NULL;
+  char *cc_msg = NULL;
+  char *single_hop_client_msg = NULL;
+
+  if (!dos_is_enabled()) {
+goto end;
+  }
+
+  if (dos_cc_enabled) {
+tor_asprintf(_msg,
+ " %" PRIu64 " circuits rejected,"
+ " %" PRIu32 " marked addresses.",
+ cc_num_rejected_cells, cc_num_marked_addrs);
+  }
+
+  if (dos_conn_enabled) {
+tor_asprintf(_msg,
+ " %" PRIu64 " connections closed.",
+ conn_num_addr_rejected);
+  }
+
+  if (dos_should_refuse_single_hop_client()) {
+tor_asprintf(_hop_client_msg,
+ " %" PRIu64 " single hop clients refused.",
+ num_single_hop_client_refused);
+  }
+
+  log_notice(LD_HEARTBEAT,
+ "DoS mitigation since startup:%s%s%s",
+ (cc_msg != NULL) ? cc_msg : " [cc not enabled]",
+ (conn_msg != NULL) ? conn_msg : " [conn not enabled]",
+ (single_hop_client_msg != NULL) ? single_hop_client_msg : "");
+
+  tor_free(conn_msg);
+  tor_free(cc_msg);
+  tor_free(single_hop_client_msg);
+
+ end:
+  return;
+}
+
 /* Called when a new client connection has been established on the given
  * address. */
 void
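
Review bot: dos_log_heartbeat returns early on !dos_is_enabled() before it looks at dos_should_refuse_single_hop_client(), so if dos_is_enabled() reflects only the circuit creation and connection subsystems, a relay running just the single hop refusal never reports num_single_hop_client_refused. Either drop the early return or include the single hop option in the enabled check. The fallback strings " [cc not enabled]" and " [conn not enabled]" would also be easier for operators to act on if they named the torrc options.
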
diff --git a/src/or/dos.h b/src/or/dos.h
index ec4c033ae..56835169d 100644
--- a/src/or/dos.h
+++ b/src/or/dos.h
@@ -47,6 +47,7 @@ void dos_init(void);
 void dos_free_all(void);
 void dos_consensus_has_changed(const networkstatus_t *ns);
 int dos_enabled(void);
+void dos_log_heartbeat(void);
 
 void dos_new_client_conn(or_connection_t *or_conn);
 void dos_close_client_conn(const or_connection_t *or_conn);
diff --git a/src/or/status.c b/src/or/status.c
index fce6a1015..fa2238b9f 100644
--- a/src/or/status.c
+++ b/src/or/status.c
@@ -27,6 +27,7 @@
 #include "hibernate.h"
 #include "rephist.h"
 #include "statefile.h"
+#include "dos.h"
 
 static void log_accounting(const time_t now, const or_options_t *options);
 #include "geoip.h"
@@ -145,6 +146,7 @@ log_heartbeat(time_t now)
   if (public_server_mode(options)) {
 rep_hist_log_circuit_handshake_stats(now);
 rep_hist_log_link_protocol_counts();
+dos_log_heartbeat();
   }
 
   circuit_log_ancient_one_hop_circuits(1800);





[tor-commits] [tor/master] remove a redundant semicolon

2018-01-30 Thread nickm
commit d2ae1bfcb314965fd1ff1353308da0e92a00c958
Author: Nick Mathewson 
Date:   Tue Jan 30 18:11:16 2018 -0500

remove a redundant semicolon
---
 src/test/test_dos.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/test/test_dos.c b/src/test/test_dos.c
index 5a8474ad8..d7d871ab6 100644
--- a/src/test/test_dos.c
+++ b/src/test/test_dos.c
@@ -78,7 +78,7 @@ static int
 mock_channel_get_addr_if_possible(channel_t *chan, tor_addr_t *addr_out)
 {
   (void)chan;
-  tt_int_op(AF_INET,OP_EQ, tor_addr_parse(addr_out, "18.0.0.1"));;
+  tt_int_op(AF_INET,OP_EQ, tor_addr_parse(addr_out, "18.0.0.1"));
   return 1;
 
  done:



[tor-commits] [tor/master] test: Add unit tests for the DoS subsystem

2018-01-30 Thread nickm
commit c3c2b55decc80028728780422fe2766ec6517246
Author: George Kadianakis 
Date:   Thu Jan 25 16:38:59 2018 -0500

test: Add unit tests for the DoS subsystem

Signed-off-by: David Goulet 
---
 src/or/channel.c|   4 +-
 src/or/channel.h|   3 +-
 src/test/include.am |   1 +
 src/test/test.c |   1 +
 src/test/test.h |   1 +
 src/test/test_dos.c | 248 
 6 files changed, 255 insertions(+), 3 deletions(-)

diff --git a/src/or/channel.c b/src/or/channel.c
index fdd3f81e8..54e10666d 100644
--- a/src/or/channel.c
+++ b/src/or/channel.c
@@ -3845,8 +3845,8 @@ channel_get_canonical_remote_descr(channel_t *chan)
  * supports this operation, and return 1.  Return 0 if the underlying transport
  * doesn't let us do this.
  */
-int
-channel_get_addr_if_possible(channel_t *chan, tor_addr_t *addr_out)
+MOCK_IMPL(int,
+channel_get_addr_if_possible,(channel_t *chan, tor_addr_t *addr_out))
 {
   tor_assert(chan);
   tor_assert(addr_out);
diff --git a/src/or/channel.h b/src/or/channel.h
index a711b56d4..bcd345e8d 100644
--- a/src/or/channel.h
+++ b/src/or/channel.h
@@ -550,7 +550,8 @@ MOCK_DECL(void, channel_dump_statistics, (channel_t *chan, 
int severity));
 void channel_dump_transport_statistics(channel_t *chan, int severity);
 const char * channel_get_actual_remote_descr(channel_t *chan);
 const char * channel_get_actual_remote_address(channel_t *chan);
-int channel_get_addr_if_possible(channel_t *chan, tor_addr_t *addr_out);
+MOCK_DECL(int, channel_get_addr_if_possible, (channel_t *chan,
+  tor_addr_t *addr_out));
 const char * channel_get_canonical_remote_descr(channel_t *chan);
 int channel_has_queued_writes(channel_t *chan);
 int channel_is_bad_for_new_circs(channel_t *chan);
diff --git a/src/test/include.am b/src/test/include.am
index 8ecfaf10c..91b0a5910 100644
--- a/src/test/include.am
+++ b/src/test/include.am
@@ -87,6 +87,7 @@ src_test_test_SOURCES = \
src/test/test_controller.c \
src/test/test_controller_events.c \
src/test/test_crypto.c \
+   src/test/test_dos.c \
src/test/test_data.c \
src/test/test_dir.c \
src/test/test_dir_common.c \
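
Review bot: src/test/test_dos.c is inserted between test_crypto.c and test_data.c, which breaks the alphabetical order of src_test_test_SOURCES; it belongs after the test_dir* entries. The same ordering applies to the dos_tests lines added ahead of dir_tests in src/test/test.c and src/test/test.h.
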
diff --git a/src/test/test.c b/src/test/test.c
index 9a41b976b..f66dee2d0 100644
--- a/src/test/test.c
+++ b/src/test/test.c
@@ -1197,6 +1197,7 @@ struct testgroup_t testgroups[] = {
   { "control/", controller_tests },
   { "control/event/", controller_event_tests },
   { "crypto/", crypto_tests },
+  { "dos/", dos_tests },
   { "dir/", dir_tests },
   { "dir_handle_get/", dir_handle_get_tests },
   { "dir/md/", microdesc_tests },
diff --git a/src/test/test.h b/src/test/test.h
index 25336ac83..41df6b134 100644
--- a/src/test/test.h
+++ b/src/test/test.h
@@ -190,6 +190,7 @@ extern struct testcase_t container_tests[];
 extern struct testcase_t controller_tests[];
 extern struct testcase_t controller_event_tests[];
 extern struct testcase_t crypto_tests[];
+extern struct testcase_t dos_tests[];
 extern struct testcase_t dir_tests[];
 extern struct testcase_t dir_handle_get_tests[];
 extern struct testcase_t entryconn_tests[];
diff --git a/src/test/test_dos.c b/src/test/test_dos.c
new file mode 100644
index 0..5a8474ad8
--- /dev/null
+++ b/src/test/test_dos.c
@@ -0,0 +1,248 @@
+/* Copyright (c) 2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+#define DOS_PRIVATE
+#define TOR_CHANNEL_INTERNAL_
+#define CIRCUITLIST_PRIVATE
+
+#include "or.h"
+#include "dos.h"
+#include "circuitlist.h"
+#include "geoip.h"
+#include "channel.h"
+#include "test.h"
+#include "log_test_helpers.h"
+
+static unsigned int
+mock_enable_dos_protection(const networkstatus_t *ns)
+{
+  (void) ns;
+  return 1;
+}
+
+/** Test that the connection tracker of the DoS subsystem will block clients
+ *  who try to establish too many connections */
+static void
+test_dos_conn_creation(void *arg)
+{
+  (void) arg;
+
+  MOCK(get_param_cc_enabled, mock_enable_dos_protection);
+  MOCK(get_param_conn_enabled, mock_enable_dos_protection);
+
+  /* Initialize test data */
+  or_connection_t or_conn;
+  time_t now = 1281533250; /* 2010-08-11 13:27:30 UTC */
+  tt_int_op(AF_INET,OP_EQ, tor_addr_parse(_conn.real_addr,
+  "18.0.0.1"));
+  tor_addr_t *addr = _conn.real_addr;
+
+  /* Get DoS subsystem limits */
+  dos_init();
+  uint32_t max_concurrent_conns = get_param_conn_max_concurrent_count(NULL);
+
+  /* Introduce new client */
+  geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now);
+  { /* Register many conns from this client but not enough to get it blocked */
+unsigned int i;
+for (i = 0; i < max_concurrent_conns; i++) {
+  dos_new_client_conn(_conn);
+}
+  }
+
+  /* Check that new conns are still permitted */
+  tt_int_op(DOS_CONN_DEFENSE_NONE, OP_EQ,
+dos_conn_addr_get_defense_type(addr));
+
+ 
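
Review bot: in test_dos_conn_creation, or_connection_t or_conn is declared on the stack without initialization and only real_addr is filled in before it is passed to dos_new_client_conn, which then writes tracked_for_dos_mitigation into it. Zero the struct first (memset(&or_conn, 0, sizeof(or_conn))) so the test does not depend on stack contents. It would also help to state in the comment that the loop stops at i < max_concurrent_conns because exactly the maximum is still permitted.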

[tor-commits] [tor/master] dos: Apply defense for circuit creation DoS

2018-01-30 Thread nickm
commit 1bfc91a029839f36e04c8204d1bccaa04a5c2afd
Author: David Goulet 
Date:   Thu Jan 25 16:20:52 2018 -0500

dos: Apply defense for circuit creation DoS

If the client address was detected as malicious, apply a defense which is at
this commit to return a DESTROY cell.

Signed-off-by: David Goulet 
---
 src/or/command.c |  7 ++
 src/or/dos.c | 65 
 src/or/dos.h |  1 +
 3 files changed, 73 insertions(+)

diff --git a/src/or/command.c b/src/or/command.c
index d2df55a4b..0d2808e23 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -290,6 +290,13 @@ command_process_create_cell(cell_t *cell, channel_t *chan)
 return;
   }
 
+  /* Check if we should apply a defense for this channel. */
+  if (dos_cc_get_defense_type(chan) == DOS_CC_DEFENSE_REFUSE_CELL) {
+channel_send_destroy(cell->circ_id, chan,
+ END_CIRC_REASON_RESOURCELIMIT);
+return;
+  }
+
   if (!server_mode(options) ||
   (!public_server_mode(options) && channel_is_outgoing(chan))) {
 log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
diff --git a/src/or/dos.c b/src/or/dos.c
index b83ea6029..8c00a2f31 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -36,6 +36,7 @@ static dos_cc_defense_type_t dos_cc_defense_type;
 static int32_t dos_cc_defense_time_period;
 
 /* Keep some stats for the heartbeat so we can report out. */
+static uint64_t cc_num_rejected_cells;
 static uint32_t cc_num_marked_addrs;
 
 /*
@@ -323,6 +324,44 @@ cc_mark_client(cc_client_stats_t *stats)
 crypto_rand_int_range(1, dos_cc_defense_time_period / 2);
 }
 
+/* Return true iff the given channel address is marked as malicious. This is
+ * called a lot and part of the fast path of handling cells. It has to remain
+ * as fast as we can. */
+static int
+cc_channel_addr_is_marked(channel_t *chan)
+{
+  time_t now;
+  tor_addr_t addr;
+  clientmap_entry_t *entry;
+  cc_client_stats_t *stats = NULL;
+
+  if (chan == NULL) {
+goto end;
+  }
+  /* Must be a client connection else we ignore. */
+  if (!channel_is_client(chan)) {
+goto end;
+  }
+  /* Without an IP address, nothing can work. */
+  if (!channel_get_addr_if_possible(chan, )) {
+goto end;
+  }
+
+  /* We are only interested in client connection from the geoip cache. */
+  entry = geoip_lookup_client(, NULL, GEOIP_CLIENT_CONNECT);
+  if (entry == NULL) {
+/* We can have a connection creating circuits but not tracked by the geoip
+ * cache. Once this DoS subsystem is enabled, we can end up here with no
+ * entry for the channel. */
+goto end;
+  }
+  now = approx_time();
+  stats = >dos_stats.cc_stats;
+
+ end:
+  return stats && stats->marked_until_ts >= now;
+}
+
 /* Concurrent connection private API. */
 
 /* Free everything for the connection DoS mitigation subsystem. */
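
Review bot: in cc_channel_addr_is_marked, now is declared without an initializer and assigned only just before stats, yet every early exit jumps to end: where the return expression names it. This is safe only because stats is still NULL on those paths and && short-circuits, which is easy to break in a later edit and can draw a maybe-uninitialized warning. Returning 0 directly on the early exits, or initializing now at declaration, removes the dependency.
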
@@ -421,6 +460,32 @@ dos_cc_new_create_cell(channel_t *chan)
   return;
 }
 
+/* Return the defense type that should be used for this circuit.
+ *
+ * This is part of the fast path and called a lot. */
+dos_cc_defense_type_t
+dos_cc_get_defense_type(channel_t *chan)
+{
+  tor_assert(chan);
+
+  /* Skip everything if not enabled. */
+  if (!dos_cc_enabled) {
+goto end;
+  }
+
+  /* On an OR circuit, we'll check if the previous channel is a marked client
+   * connection detected by our DoS circuit creation mitigation subsystem. */
+  if (cc_channel_addr_is_marked(chan)) {
+/* We've just assess that this circuit should trigger a defense for the
+ * cell it just seen. Note it down. */
+cc_num_rejected_cells++;
+return dos_cc_defense_type;
+  }
+
+ end:
+  return DOS_CC_DEFENSE_NONE;
+}
+
 /* Concurrent connection detection public API. */
 
 /* General API */
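
Review bot: dos_cc_get_defense_type increments cc_num_rejected_cells whenever the address is marked, whatever dos_cc_defense_type holds, while the caller in command_process_create_cell refuses the cell only when the result equals DOS_CC_DEFENSE_REFUSE_CELL. With any other configured defense value the counter reports rejections that did not happen. Increment it in the caller's refuse branch, or only when the returned type is the refusing one. The comment "On an OR circuit, we'll check if the previous channel" should also be reworded, since the function is given a channel and not a circuit.
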
diff --git a/src/or/dos.h b/src/or/dos.h
index bb8d7d1a7..fa86295cf 100644
--- a/src/or/dos.h
+++ b/src/or/dos.h
@@ -81,6 +81,7 @@ typedef enum dos_cc_defense_type_t {
 } dos_cc_defense_type_t;
 
 void dos_cc_new_create_cell(channel_t *channel);
+dos_cc_defense_type_t dos_cc_get_defense_type(channel_t *chan);
 
 /*
  * Concurrent connection DoS mitigation interface.





[tor-commits] [tor/master] geoip: Remember client stats if DoS mitigation is enabled

2018-01-30 Thread nickm
commit 51fda85c23e5ff2cabbc66ea19b006c4cb04b1e2
Author: David Goulet 
Date:   Fri Jan 19 13:15:07 2018 -0500

geoip: Remember client stats if DoS mitigation is enabled

Make the geoip cache track client address if the DoS subsystem is enabled.

Signed-off-by: David Goulet 
---
 src/or/geoip.c | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/or/geoip.c b/src/or/geoip.c
index e2a1b1cee..5f0b04b56 100644
--- a/src/or/geoip.c
+++ b/src/or/geoip.c
@@ -33,6 +33,7 @@
 #include "config.h"
 #include "control.h"
 #include "dnsserv.h"
+#include "dos.h"
 #include "geoip.h"
 #include "routerlist.h"
 
@@ -549,10 +550,14 @@ geoip_note_client_seen(geoip_client_action_t action,
   clientmap_entry_t *ent;
 
   if (action == GEOIP_CLIENT_CONNECT) {
-/* Only remember statistics as entry guard or as bridge. */
-if (!options->EntryStatistics &&
-(!(options->BridgeRelay && options->BridgeRecordUsageByCountry)))
-  return;
+/* Only remember statistics if the DoS mitigation subsystem is enabled. If
+ * not, only if as entry guard or as bridge. */
+if (!dos_enabled()) {
+  if (!options->EntryStatistics &&
+  (!(options->BridgeRelay && options->BridgeRecordUsageByCountry))) {
+return;
+  }
+}
   } else {
 /* Only gather directory-request statistics if configured, and
  * forcibly disable them on bridge authorities. */
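
Review bot: with this change, geoip_note_client_seen keeps GEOIP_CLIENT_CONNECT entries whenever dos_enabled() is true, including on relays that have EntryStatistics and BridgeRecordUsageByCountry turned off, so client addresses are retained in memory where they were not before. That side effect needs to be stated in the option documentation and the changelog, and the new comment should say the entries are kept for DoS accounting and not for statistics. The name is also easy to confuse with dos_is_enabled(), which dos.c uses elsewhere on this page; one name or a comment on the difference would help.
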





[tor-commits] [tor/master] dos: Add the DoSRefuseSingleHopClientRendezvous option

2018-01-30 Thread nickm
commit 36a0ae151f8f85c76b4bd91a8fc2871dd88b6005
Author: David Goulet 
Date:   Thu Jan 25 16:32:28 2018 -0500

dos: Add the DoSRefuseSingleHopClientRendezvous option

This option refuses any ESTABLISH_RENDEZVOUS cell arriving from a client
connection. Its default value is "auto" for which we can turn it on or off
with a consensus parameter. Default value is 0.

Signed-off-by: David Goulet 
---
 src/or/dos.c | 31 +++
 src/or/dos.h |  3 +++
 src/or/rendmid.c | 12 
 3 files changed, 46 insertions(+)

diff --git a/src/or/dos.c b/src/or/dos.c
index 7e3a2ab7f..d98d3db16 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -14,6 +14,7 @@
 #include "geoip.h"
 #include "main.h"
 #include "networkstatus.h"
+#include "router.h"
 
 #include "dos.h"
 
@@ -60,6 +61,9 @@ static uint64_t conn_num_addr_rejected;
  * General interface of the denial of service mitigation subsystem.
  */
 
+/* Keep stats for the heartbeat. */
+static uint64_t num_single_hop_client_refused;
+
 /* Return true iff the circuit creation mitigation is enabled. We look at the
  * consensus for this else a default value is returned. */
 MOCK_IMPL(STATIC unsigned int,
@@ -524,6 +528,33 @@ dos_conn_addr_get_defense_type(const tor_addr_t *addr)
 
 /* General API */
 
+/* Note down that we've just refused a single hop client. This increments a
+ * counter later used for the heartbeat. */
+void
+dos_note_refuse_single_hop_client(void)
+{
+  num_single_hop_client_refused++;
+}
+
+/* Return true iff single hop client connection (ESTABLISH_RENDEZVOUS) should
+ * be refused. */
+int
+dos_should_refuse_single_hop_client(void)
+{
+  /* If we aren't a public relay, this shouldn't apply to anything. */
+  if (!public_server_mode(get_options())) {
+return 0;
+  }
+
+  if (get_options()->DoSRefuseSingleHopClientRendezvous != -1) {
+return get_options()->DoSRefuseSingleHopClientRendezvous;
+  }
+
+  return (int) networkstatus_get_param(NULL,
+   "DoSRefuseSingleHopClientRendezvous",
+   0 /* default */, 0, 1);
+}
+
 /* Called when a new client connection has been established on the given
  * address. */
 void
diff --git a/src/or/dos.h b/src/or/dos.h
index cc7749836..ec4c033ae 100644
--- a/src/or/dos.h
+++ b/src/or/dos.h
@@ -51,6 +51,9 @@ int dos_enabled(void);
 void dos_new_client_conn(or_connection_t *or_conn);
 void dos_close_client_conn(const or_connection_t *or_conn);
 
+int dos_should_refuse_single_hop_client(void);
+void dos_note_refuse_single_hop_client(void);
+
 /*
  * Circuit creation DoS mitigation subsystemn interface.
  */
diff --git a/src/or/rendmid.c b/src/or/rendmid.c
index ca0ad7b0d..441d5043c 100644
--- a/src/or/rendmid.c
+++ b/src/or/rendmid.c
@@ -8,9 +8,11 @@
  **/
 
 #include "or.h"
+#include "channel.h"
 #include "circuitlist.h"
 #include "circuituse.h"
 #include "config.h"
+#include "dos.h"
 #include "relay.h"
 #include "rendmid.h"
 #include "rephist.h"
@@ -246,6 +248,16 @@ rend_mid_establish_rendezvous(or_circuit_t *circ, const 
uint8_t *request,
 goto err;
   }
 
+  /* Check if we are configured to accept established rendezvous cells from
+   * client or in other words tor2web clients. */
+  if (channel_is_client(circ->p_chan) &&
+  dos_should_refuse_single_hop_client()) {
+/* Note it down for the heartbeat log purposes. */
+dos_note_refuse_single_hop_client();
+/* Silent drop so the client has to time out before moving on. */
+return 0;
+  }
+
   if (circ->base_.n_chan) {
 log_warn(LD_PROTOCOL,
  "Tried to establish rendezvous on non-edge circuit");

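Review bot: in rend_mid_establish_rendezvous the refusal path returns 0, the success value, and leaves the circuit open until the client gives up, so the relay keeps the circuit state for as long as the refused client chooses to wait. If the silent drop is deliberate, the comment should explain why it is preferred to tearing the circuit down; otherwise close it here. The comment "configured to accept established rendezvous cells" also reads inverted against the check, which tests whether to refuse ESTABLISH_RENDEZVOUS cells.
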




[tor-commits] [tor/master] dos: Initial code of Denial of Service mitigation

2018-01-30 Thread nickm
commit 64149353dda6336488e7d011534a7132b3f01acc
Author: David Goulet 
Date:   Thu Jan 25 15:54:58 2018 -0500

dos: Initial code of Denial of Service mitigation

This commit introduces the src/or/dos.{c|h} files that contain the code for
the Denial of Service mitigation subsystem. It currently contains basic
functions to initialize and free the subsystem. They are used at this commit.

The torrc options and consensus parameters are defined at this commit and
getters are implemented.

Signed-off-by: David Goulet 
---
 src/common/log.c   |   2 +-
 src/common/torlog.h|   4 +-
 src/or/config.c|  25 +
 src/or/dos.c   | 289 +
 src/or/dos.h   | 120 
 src/or/include.am  |   2 +
 src/or/main.c  |   2 +
 src/or/networkstatus.c |  13 ++-
 src/or/or.h|  30 +
 9 files changed, 483 insertions(+), 4 deletions(-)

diff --git a/src/common/log.c b/src/common/log.c
index 56adc77f8..4db1c9f0d 100644
--- a/src/common/log.c
+++ b/src/common/log.c
@@ -1177,7 +1177,7 @@ static const char *domain_list[] = {
   "GENERAL", "CRYPTO", "NET", "CONFIG", "FS", "PROTOCOL", "MM",
   "HTTP", "APP", "CONTROL", "CIRC", "REND", "BUG", "DIR", "DIRSERV",
   "OR", "EDGE", "ACCT", "HIST", "HANDSHAKE", "HEARTBEAT", "CHANNEL",
-  "SCHED", NULL
+  "SCHED", "DOS", NULL
 };
 
 /** Return a bitmask for the log domain for which domain is the name,
diff --git a/src/common/torlog.h b/src/common/torlog.h
index 6732a4274..20b7d938f 100644
--- a/src/common/torlog.h
+++ b/src/common/torlog.h
@@ -99,8 +99,10 @@
 #define LD_CHANNEL   (1u<<21)
 /** Scheduler */
 #define LD_SCHED (1u<<22)
+/** Denial of Service mitigation. */
+#define LD_DOS   (1u<<23)
 /** Number of logging domains in the code. */
-#define N_LOGGING_DOMAINS 23
+#define N_LOGGING_DOMAINS 24
 
 /** This log message is not safe to send to a callback-based logger
  * immediately.  Used as a flag, not a log domain. */
diff --git a/src/or/config.c b/src/or/config.c
index 42ff25877..c651c202e 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -29,6 +29,7 @@
 #include "dirserv.h"
 #include "dirvote.h"
 #include "dns.h"
+#include "dos.h"
 #include "entrynodes.h"
 #include "geoip.h"
 #include "hibernate.h"
@@ -241,6 +242,19 @@ static config_var_t option_vars_[] = {
   OBSOLETE("DynamicDHGroups"),
   VPORT(DNSPort, LINELIST, NULL),
   V(DNSListenAddress,LINELIST, NULL),
+  /* DoS circuit creation options. */
+  V(DoSCircuitCreationEnabled,   AUTOBOOL, "auto"),
+  V(DoSCircuitCreationMinConnections,  UINT, "0"),
+  V(DoSCircuitCreationRateTenths,  UINT, "0"),
+  V(DoSCircuitCreationBurst, UINT, "0"),
+  V(DoSCircuitCreationDefenseType, INT,  "0"),
+  V(DoSCircuitCreationDefenseTimePeriod,   INTERVAL, "0"),
+  /* DoS connection options. */
+  V(DoSConnectionEnabled,AUTOBOOL, "auto"),
+  V(DoSConnectionMaxConcurrentCount,   UINT, "0"),
+  V(DoSConnectionDefenseType,INT,  "0"),
+  /* DoS single hop client options. */
+  V(DoSRefuseSingleHopClientRendezvous,AUTOBOOL, "auto"),
   V(DownloadExtraInfo,   BOOL, "0"),
   V(TestingEnableConnBwEvent,BOOL, "0"),
   V(TestingEnableCellStatsEvent, BOOL, "0"),
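Review bot: DoSCircuitCreationDefenseType and DoSConnectionDefenseType are declared INT while every other numeric DoS option in this block is UINT, so a negative torrc value gets past parsing. If the defense type is an enum, reject out-of-range values during option validation, or declare the two options UINT like the rest unless a negative value has a meaning worth documenting.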
@@ -2039,6 +2053,17 @@ options_act(const or_options_t *old_options)
 }
   }
 
+  /* DoS mitigation subsystem only applies to public relay. */
+  if (public_server_mode(options)) {
+/* If we are configured as a relay, initialize the subsystem. Even on HUP,
+ * this is safe to call as it will load data from the current options
+ * or/and the consensus. */
+dos_init();
+  } else if (old_options && public_server_mode(old_options)) {
+/* Going from relay to non relay, clean it up. */
+dos_free_all();
+  }
+
   /* Load the webpage we're going to serve every time someone asks for '/' on
  our DirPort. */
   tor_free(global_dirfrontpagecontents);
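Review bot: dos_init() runs on every options_act() pass while public_server_mode(options) is true, and the only thing backing that is the comment's claim that it is safe on HUP. A unit test that calls dos_init() twice and checks that already-collected state survives would pin that down. The comment also says "public relay" where the code tests public_server_mode(); use one term so it is clear whether bridges are meant to be covered.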
diff --git a/src/or/dos.c b/src/or/dos.c
new file mode 100644
index 0..4b5983d16
--- /dev/null
+++ b/src/or/dos.c
@@ -0,0 +1,289 @@
+/* Copyright (c) 2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/*
+ * \file dos.c
+ * \brief Implement Denial of Service mitigation subsystem.
+ */
+
+#define DOS_PRIVATE
+
+#include "or.h"
+#include "channel.h"
+#include "config.h"
+#include "geoip.h"
+#include "main.h"
+#include "networkstatus.h"
+
+#include "dos.h"
+
+/*
+ * Circuit creation denial of service mitigation.
+ *
+ * Namespace used for this mitigation framework is "dos_cc_" where "cc" is for
+ * Circuit Creation.
+ */
+
+/* Is the circuit creation DoS mitigation enabled? */
+static unsigned int dos_cc_enabled = 0;
+
+/* Consensus parameters. They can be changed when a new consensus arrives.
+ * They are initialized with the hardcoded default values. */
+static uint32_t 
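Review bot: The file header and the variable comments in the new dos.c open with /* rather than /**, so the \file and \brief tags and the per-variable descriptions are not Doxygen comments, unlike the /** Denial of Service mitigation. */ line added to torlog.h in this same commit. Switch them to /** so the new subsystem shows up in the generated documentation.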

[tor-commits] [tor/master] dos: Make circuit rate limit per second, not tenths anymore

2018-01-30 Thread nickm
commit e58a4fc6cfcdeafc2ebfb61fd3cf6d163ce2436c
Author: David Goulet 
Date:   Mon Jan 29 11:50:11 2018 -0500

dos: Make circuit rate limit per second, not tenths anymore

Because this touches too many commits at once, it is made into one single
commit.

Remove the use of "tenths" for the circuit rate to simplify things. We can
only refill the buckets at best once every second because of the use of
approx_time() and our token system is set to be 1 token = 1 circuit so make
the rate a flat integer of circuit per second.

Signed-off-by: David Goulet 
---
 doc/tor.1.txt   |  8 +++-
 src/or/config.c |  2 +-
 src/or/dos.c| 32 
 src/or/dos.h|  2 +-
 src/or/or.h |  5 ++---
 5 files changed, 15 insertions(+), 34 deletions(-)

diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index a2bbb8ab6..58997cdf3 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -2466,12 +2466,10 @@ Denial of Service mitigation subsystem.
 parameter.
 (Default: 0)
 
-[[DoSCircuitCreationRateTenths]] **DoSCircuitCreationRateTenths** __NUM__::
+[[DoSCircuitCreationRate]] **DoSCircuitCreationRate** __NUM__::
 
-The allowed circuit creation rate in tenths of circuit per second applied
-per client IP address. For example, if you want to set a rate of 5
-circuits per second allowed per IP address, this value should be set to
-50. If this option is 0, it obeys a consensus parameter. (Default: 0)
+The allowed circuit creation rate per second applied per client IP
+address. If this option is 0, it obeys a consensus parameter. (Default: 0)
 
 [[DoSCircuitCreationBurst]] **DoSCircuitCreationBurst** __NUM__::
 
diff --git a/src/or/config.c b/src/or/config.c
index c651c202e..3b4027433 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -245,7 +245,7 @@ static config_var_t option_vars_[] = {
   /* DoS circuit creation options. */
   V(DoSCircuitCreationEnabled,   AUTOBOOL, "auto"),
   V(DoSCircuitCreationMinConnections,  UINT, "0"),
-  V(DoSCircuitCreationRateTenths,  UINT, "0"),
+  V(DoSCircuitCreationRate,  UINT, "0"),
   V(DoSCircuitCreationBurst, UINT, "0"),
   V(DoSCircuitCreationDefenseType, INT,  "0"),
   V(DoSCircuitCreationDefenseTimePeriod,   INTERVAL, "0"),
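Review bot: DoSCircuitCreationRateTenths is renamed in place with no OBSOLETE("DoSCircuitCreationRateTenths") entry, so a torrc that still sets the old name stops parsing, and anyone who ports the number over unchanged gets a rate ten times higher than before. If the old name ever reached a released version, keep it as an OBSOLETE entry; if it did not, say so in the commit message.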
diff --git a/src/or/dos.c b/src/or/dos.c
index 5af75ca57..a614d1231 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -31,7 +31,7 @@ static unsigned int dos_cc_enabled = 0;
 /* Consensus parameters. They can be changed when a new consensus arrives.
  * They are initialized with the hardcoded default values. */
 static uint32_t dos_cc_min_concurrent_conn;
-static uint32_t dos_cc_circuit_rate_tenths;
+static uint32_t dos_cc_circuit_rate;
 static uint32_t dos_cc_circuit_burst;
 static dos_cc_defense_type_t dos_cc_defense_type;
 static int32_t dos_cc_defense_time_period;
@@ -93,14 +93,14 @@ get_param_cc_min_concurrent_connection(const 
networkstatus_t *ns)
 /* Return the parameter for the time rate that is how many circuits over this
  * time span. */
 static uint32_t
-get_param_cc_circuit_rate_tenths(const networkstatus_t *ns)
+get_param_cc_circuit_rate(const networkstatus_t *ns)
 {
   /* This is in seconds. */
-  if (get_options()->DoSCircuitCreationRateTenths) {
-return get_options()->DoSCircuitCreationRateTenths;
+  if (get_options()->DoSCircuitCreationRate) {
+return get_options()->DoSCircuitCreationRate;
   }
-  return networkstatus_get_param(ns, "DoSCircuitCreationRateTenths",
- DOS_CC_CIRCUIT_RATE_TENTHS_DEFAULT,
+  return networkstatus_get_param(ns, "DoSCircuitCreationRate",
+ DOS_CC_CIRCUIT_RATE_DEFAULT,
  1, INT32_MAX);
 }
 
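Review bot: In get_param_cc_circuit_rate() the torrc branch returns DoSCircuitCreationRate as is, while the consensus branch bounds the value to 1..INT32_MAX; apply the same upper bound to the torrc value so both sources produce the same range. The leftover /* This is in seconds. */ comment and the "how many circuits over this time span" description above the function should also be reworded to say the value is circuits per second.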
@@ -189,7 +189,7 @@ set_dos_parameters(const networkstatus_t *ns)
   /* Get the default consensus param values. */
   dos_cc_enabled = get_param_cc_enabled(ns);
   dos_cc_min_concurrent_conn = get_param_cc_min_concurrent_connection(ns);
-  dos_cc_circuit_rate_tenths = get_param_cc_circuit_rate_tenths(ns);
+  dos_cc_circuit_rate = get_param_cc_circuit_rate(ns);
   dos_cc_circuit_burst = get_param_cc_circuit_burst(ns);
   dos_cc_defense_time_period = get_param_cc_defense_time_period(ns);
   dos_cc_defense_type = get_param_cc_defense_type(ns);
@@ -225,23 +225,7 @@ cc_consensus_has_changed(const networkstatus_t *ns)
 STATIC uint32_t
 get_circuit_rate_per_second(void)
 {
-  int64_t circ_rate;
-
-  /* We take the burst divided by the rate which is in tenths of a second so
-   * convert to get a circuit rate per second. */
-  circ_rate = dos_cc_circuit_rate_tenths / 10;
-  if (circ_rate < 0) {
-/* Safety check, never allow it to go below 0 else the bucket will always
- * be empty resulting in every address to be detected. */
-circ_rate = 1;
-  }
-
-  /* Clamp it down to a 32 bit value because a rate of 2^32 circuits per
-   * second is just too much in any 

[tor-commits] [tor/master] dos: Clear connection tracked flag if geoip entry is removed

2018-01-30 Thread nickm
commit 82de4ea900c5d3513214b127421890595343bfaa
Author: David Goulet 
Date:   Thu Jan 25 09:44:21 2018 -0500

dos: Clear connection tracked flag if geoip entry is removed

Imagine this scenario. We had 10 connections over the 24h lifetime of a geoip
cache entry. The lifetime of the entry has been reached so it is about to get
freed but 2 connections remain for it. After the free, a third connection
comes in thus making us create a new geoip entry for that address matching the
2 previous ones that are still alive. If they end up being closed, we'll have
a concurrent count desynch from what the reality is.

To mitigate this probably very rare scenario in practice, when we free a geoip
entry and it has a concurrent count above 0, we'll go over all connections
matching the address and clear out the tracked flag. So once they are closed,
we don't try to decrement the count.

Signed-off-by: David Goulet 
---
 src/or/dos.c   | 35 +++
 src/or/dos.h   |  4 
 src/or/geoip.c |  4 
 3 files changed, 43 insertions(+)

diff --git a/src/or/dos.c b/src/or/dos.c
index 40e88aead..5af75ca57 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -528,6 +528,41 @@ dos_conn_addr_get_defense_type(const tor_addr_t *addr)
 
 /* General API */
 
+/* Take any appropriate actions for the given geoip entry that is about to get
+ * freed. This is called for every entry that is being freed.
+ *
+ * This function will clear out the connection tracked flag if the concurrent
+ * count of the entry is above 0 so if those connections end up being seen by
+ * this subsystem, we won't try to decrement the counter for a new geoip entry
+ * that might have been added after this call for the same address. */
+void
+dos_geoip_entry_about_to_free(const clientmap_entry_t *geoip_ent)
+{
+  tor_assert(geoip_ent);
+
+  /* The count is down to 0 meaning no connections right now, we can safely
+   * clear the geoip entry from the cache. */
+  if (geoip_ent->dos_stats.concurrent_count == 0) {
+goto end;
+  }
+
+  /* For each connection matching the geoip entry address, we'll clear the
+   * tracked flag because the entry is about to get removed from the geoip
+   * cache. We do not try to decrement if the flag is not set. */
+  SMARTLIST_FOREACH_BEGIN(get_connection_array(), connection_t *, conn) {
+if (conn->type == CONN_TYPE_OR) {
+  or_connection_t *or_conn = TO_OR_CONN(conn);
+  if (!tor_addr_compare(_ent->addr, _conn->real_addr,
+CMP_EXACT)) {
+or_conn->tracked_for_dos_mitigation = 0;
+  }
+}
+  } SMARTLIST_FOREACH_END(conn);
+
+ end:
+  return;
+}
+
 /* Note down that we've just refused a single hop client. This increments a
  * counter later used for the heartbeat. */
 void
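Review bot: In dos_geoip_entry_about_to_free(), clearing tracked_for_dos_mitigation stops the later bad decrement, but the connections that survive the free are then invisible to the replacement geoip entry, so that address's concurrent_count undercounts for as long as they stay open; say so in the function comment, or carry the count over to the new entry if the limit is meant to be exact. Two smaller points: the comment in the == 0 branch talks about clearing the entry although the branch only returns, and the goto end with its empty end: label can be a plain early return. The loop also walks every connection in get_connection_array() for each freed entry with a non-zero count, which deserves a note if many entries can expire in one pass.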
diff --git a/src/or/dos.h b/src/or/dos.h
index 56835169d..9ce1baddb 100644
--- a/src/or/dos.h
+++ b/src/or/dos.h
@@ -43,11 +43,15 @@ typedef struct dos_client_stats_t {
 
 /* General API. */
 
+/* Stub. */
+struct clientmap_entry_t;
+
 void dos_init(void);
 void dos_free_all(void);
 void dos_consensus_has_changed(const networkstatus_t *ns);
 int dos_enabled(void);
 void dos_log_heartbeat(void);
+void dos_geoip_entry_about_to_free(const struct clientmap_entry_t *geoip_ent);
 
 void dos_new_client_conn(or_connection_t *or_conn);
 void dos_close_client_conn(const or_connection_t *or_conn);
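Review bot: The /* Stub. */ comment above struct clientmap_entry_t; does not say what it is for. It is a forward declaration that lets dos.h declare dos_geoip_entry_about_to_free() without including geoip.h; state that, and check that the const clientmap_entry_t * used in the dos.c definition is a typedef of this same struct tag so prototype and definition agree.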
diff --git a/src/or/geoip.c b/src/or/geoip.c
index 5f0b04b56..4e4f6e639 100644
--- a/src/or/geoip.c
+++ b/src/or/geoip.c
@@ -516,6 +516,10 @@ clientmap_entry_free(clientmap_entry_t *ent)
   if (!ent)
 return;
 
+  /* This entry is about to be freed so pass it to the DoS subsystem to see if
+   * any actions can be taken about it. */
+  dos_geoip_entry_about_to_free(ent);
+
   tor_free(ent->transport_name);
   tor_free(ent);
 }
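Review bot: clientmap_entry_free() now calls dos_geoip_entry_about_to_free(ent) for every freed entry, with no dos_enabled() check visible here, so the hook also runs on clients, on relays with the mitigation off, and during teardown. That is harmless only as long as concurrent_count is always 0 in those cases; either guard the call or document that invariant in the comment added here.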



___
tor-commits mailing list
tor-commits@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
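
The desynchronization scenario from the commit message of 82de4ea9 above (10 connections, 2 still open when the geoip entry expires, then a third arrives), replayed with and without the flag clearing. This is an added example, not code from the patch or from Tor: model_entry_t, model_conn_t and the model_* and run_scenario functions are simplified, hypothetical stand-ins that track a single client address.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for this example only (assumptions, not Tor's
 * clientmap_entry_t / or_connection_t). One client address is modelled. */
typedef struct model_entry_t {
  uint32_t concurrent_count;   /* role of dos_stats.concurrent_count */
} model_entry_t;

typedef struct model_conn_t {
  unsigned int open : 1;
  unsigned int tracked : 1;    /* role of tracked_for_dos_mitigation */
} model_conn_t;

#define MODEL_MAX_CONNS 16

typedef struct model_t {
  model_entry_t *entry;        /* cache entry for the address, NULL if none */
  model_conn_t conns[MODEL_MAX_CONNS];
  int n_conns;
  int bad_decrements;          /* closes that found the count already at 0 */
} model_t;

typedef struct scenario_result_t {
  uint32_t final_count;        /* concurrent_count of the entry at the end */
  int live_conns;              /* connections that are really still open */
  int bad_decrements;
} scenario_result_t;

/* New connection: create the entry on demand, count it, mark it tracked. */
static int
model_new_conn(model_t *m)
{
  if (m->n_conns >= MODEL_MAX_CONNS)
    abort();
  if (!m->entry) {
    m->entry = calloc(1, sizeof(*m->entry));
    if (!m->entry)
      abort();
  }
  m->entry->concurrent_count++;
  m->conns[m->n_conns].open = 1;
  m->conns[m->n_conns].tracked = 1;
  return m->n_conns++;
}

/* Close: only tracked connections touch the counter. */
static void
model_close_conn(model_t *m, int idx)
{
  model_conn_t *c = &m->conns[idx];
  if (!c->open)
    return;
  c->open = 0;
  if (!c->tracked || !m->entry)
    return;
  if (m->entry->concurrent_count == 0) {
    m->bad_decrements++;       /* a raw decrement would wrap the uint32_t */
    return;
  }
  m->entry->concurrent_count--;
}

/* Entry lifetime reached. With clear_tracked set, do what the patch does:
 * if connections remain, clear their tracked flag before the free. */
static void
model_expire_entry(model_t *m, int clear_tracked)
{
  if (!m->entry)
    return;
  if (clear_tracked && m->entry->concurrent_count > 0) {
    for (int i = 0; i < m->n_conns; i++)
      if (m->conns[i].open)
        m->conns[i].tracked = 0;
  }
  free(m->entry);
  m->entry = NULL;
}

scenario_result_t
run_scenario(int clear_tracked)
{
  model_t m = {0};
  scenario_result_t r = {0};
  for (int i = 0; i < 10; i++)     /* 10 connections over the lifetime */
    model_new_conn(&m);
  for (int i = 0; i < 8; i++)      /* 8 close, connections 8 and 9 remain */
    model_close_conn(&m, i);
  model_expire_entry(&m, clear_tracked);
  model_new_conn(&m);              /* third connection creates a new entry */
  model_close_conn(&m, 8);         /* the two old connections close later */
  model_close_conn(&m, 9);
  r.final_count = m.entry->concurrent_count;
  r.bad_decrements = m.bad_decrements;
  for (int i = 0; i < m.n_conns; i++)
    r.live_conns += m.conns[i].open;
  free(m.entry);
  return r;
}

int
main(void)
{
  for (int fix = 0; fix <= 1; fix++) {
    scenario_result_t r = run_scenario(fix);
    printf("clear_tracked=%d count=%u live=%d bad_decrements=%d\n", fix,
           (unsigned)r.final_count, r.live_conns, r.bad_decrements);
  }
  return 0;
}
```

Without the clearing, the new entry ends at a count of 0 while one connection is still open; with it, count and open connections agree once the two old connections are gone.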


[tor-commits] [tor-messenger-build/master] Also add the logo to the config file

2018-01-30 Thread sukhbir
commit 7bb4436dda23bf06ab02dfcb038817bbf2391738
Author: Sukhbir Singh 
Date:   Tue Jan 30 15:54:16 2018 -0500

Also add the logo to the config file
---
 projects/tor-launcher/config | 1 +
 1 file changed, 1 insertion(+)

diff --git a/projects/tor-launcher/config b/projects/tor-launcher/config
index 10d0937..aa83531 100644
--- a/projects/tor-launcher/config
+++ b/projects/tor-launcher/config
@@ -10,3 +10,4 @@ input_files:
 content: '[% INCLUDE controlport.patch.tmpl -%]'
 refresh_input: 1
 enable: '[% c("var/tor_control_port") %]'
+  - filename: tm-logo.svg



[tor-commits] [tor-messenger-build/master] Set Tor Messenger's logo in Tor Launcher

2018-01-30 Thread sukhbir
commit 3e87965ab90ab3bb6c026ebc158293fb4badc3b4
Author: Sukhbir Singh 
Date:   Tue Jan 30 15:53:17 2018 -0500

Set Tor Messenger's logo in Tor Launcher
---
 projects/tor-launcher/build   |   3 +
 projects/tor-launcher/tm-logo.svg | 141 ++
 2 files changed, 144 insertions(+)

diff --git a/projects/tor-launcher/build b/projects/tor-launcher/build
index 0891389..45be6a6 100644
--- a/projects/tor-launcher/build
+++ b/projects/tor-launcher/build
@@ -5,5 +5,8 @@ cd [% project %]-[% c('version') %]
 [% IF c("var/tor_control_port") -%]
 patch -p1 < ../controlport.patch
 [% END -%]
+[% IF c("var/tor-messenger") -%]
+cp ../tm-logo.svg src/chrome/skin/tbb-logo.svg
+[% END -%]
 make package
 mv pkg/*.xpi [% dest_dir _ '/' _ c('filename') %]
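Review bot: The new block is gated on c("var/tor-messenger"), spelled with a hyphen, while the neighbouring condition uses the underscore form var/tor_control_port. If the variable is not defined under exactly this name the condition is simply false and the build ships the stock tbb-logo.svg without any error, so confirm the name against the project config, or fail the build when the Tor Messenger logo was expected and not copied.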
diff --git a/projects/tor-launcher/tm-logo.svg 
b/projects/tor-launcher/tm-logo.svg
new file mode 100644
index 000..279c7cd
--- /dev/null
+++ b/projects/tor-launcher/tm-logo.svg
@@ -0,0 +1,141 @@
+
+http://purl.org/dc/elements/1.1/;
+   xmlns:cc="http://creativecommons.org/ns#;
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#;
+   xmlns:svg="http://www.w3.org/2000/svg;
+   xmlns="http://www.w3.org/2000/svg;
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd;
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape;
+   version="1.1"
+   id="Layer_1"
+   x="0px"
+   y="0px"
+   viewBox="0 0 328.6 66.3"
+   enable-background="new 0 0 328.6 66.3"
+   xml:space="preserve"
+   sodipodi:docname="tbb-logo.svg"
+   inkscape:version="0.92.2 (5c3e80d, 2017-08-06)">image/svg+xmlhttp://purl.org/dc/dcmitype/StillImage; 
/>
\ No newline at end of file
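Review bot: The SVG is committed with no trailing newline (see the "\ No newline at end of file" marker) and still carries editor metadata such as sodipodi:docname="tbb-logo.svg" and the inkscape:version attribute. Exporting it as plain SVG and ending the file with a newline keeps later diffs of the logo small and drops the stale tbb-logo.svg document name.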



[tor-commits] [tor-messenger-build/master] Update config file for the last commit

2018-01-30 Thread sukhbir
commit 454d3e4e8115d7cd15a7109332b3a144fe6bdb6e
Author: Sukhbir Singh 
Date:   Tue Jan 30 11:38:10 2018 -0500

Update config file for the last commit
---
 projects/mozilla/STL_win64.patch | 24 
 projects/mozilla/config  |  2 +-
 2 files changed, 1 insertion(+), 25 deletions(-)

diff --git a/projects/mozilla/STL_win64.patch b/projects/mozilla/STL_win64.patch
deleted file mode 100644
index e528905..000
--- a/projects/mozilla/STL_win64.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 8f8c1a1069d4907d3cedae578975225d8caeecaf Mon Sep 17 00:00:00 2001
-From: Nicolas Vigier 
-Date: Sat, 12 Aug 2017 22:00:13 +0200
-Subject: [PATCH] Bug 23231: disable STL Wrappers on Windows
-
-Workaround for:
-https://bugzilla.mozilla.org/show_bug.cgi?id=1392604

- old-configure.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/old-configure.in b/old-configure.in
-index f5a2f05..e247551 100644
 a/old-configure.in
-+++ b/old-configure.in
-@@ -1338,7 +1338,7 @@ MOZ_CXX11
- AC_LANG_C
- 
- case "${OS_TARGET}" in
--Darwin)
-+WINNT|Darwin)
-   ;;
- *)
-   STL_FLAGS="-I${DIST}/stl_wrappers"
diff --git a/projects/mozilla/config b/projects/mozilla/config
index f3c4234..81d52d7 100644
--- a/projects/mozilla/config
+++ b/projects/mozilla/config
@@ -11,5 +11,5 @@ input_files:
   - filename: 0003-OSX-package-as-tar.bz2.patch
   - filename: 0004-Updater-fixups-for-TM.patch
   - filename: 0005-Permit-storing-exceptions-even-w-inPrivateBrowsingMo.patch
-  - filename: STL_win64.patch
+  - filename: 0006-Bug-23231-disable-STL-Wrappers-on-Windows.patch
 enable: '[% c("var/windows-x86_64") %]'
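Review bot: This entry now points at 0006-Bug-23231-disable-STL-Wrappers-on-Windows.patch, but this commit only deletes STL_win64.patch and edits the config; the 0006 file is not added here (the diffstat lists two files). Confirm the commit that adds it lands first, otherwise a checkout of this revision references a missing input file; squashing the two commits would remove the ordering dependency. Also check that the enable line still binds to the renamed entry only.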



[tor-commits] [tor-messenger-build/master] Use proper formatting for mozilla/ patches

2018-01-30 Thread sukhbir
commit 7771c1378bd74a12d06a0a3429dbaec8743383ad
Author: Sukhbir Singh 
Date:   Tue Jan 30 11:22:10 2018 -0500

Use proper formatting for mozilla/ patches
---
 ...0001-Trac-19910-Prevents-STARTTLS-in-XMPP.patch |  6 ++---
 .../mozilla/0002-Trac-16475-Block-flash-too.patch  |  6 ++---
 projects/mozilla/0003-OSX-package-as-tar.bz2.patch |  6 ++---
 projects/mozilla/0004-Updater-fixups-for-TM.patch  |  6 ++---
 ...ing-exceptions-even-w-inPrivateBrowsingMo.patch |  6 ++---
 ...Bug-23231-disable-STL-Wrappers-on-Windows.patch | 27 ++
 6 files changed, 42 insertions(+), 15 deletions(-)

diff --git a/projects/mozilla/0001-Trac-19910-Prevents-STARTTLS-in-XMPP.patch 
b/projects/mozilla/0001-Trac-19910-Prevents-STARTTLS-in-XMPP.patch
index e78e36b..d634f0b 100644
--- a/projects/mozilla/0001-Trac-19910-Prevents-STARTTLS-in-XMPP.patch
+++ b/projects/mozilla/0001-Trac-19910-Prevents-STARTTLS-in-XMPP.patch
@@ -1,7 +1,7 @@
-From 6ee07445bcfa1ef74934ecc7a7862afd10d0927d Mon Sep 17 00:00:00 2001
+From 4015b1fc6b60638ec28bdfb568ff263e4a69783a Mon Sep 17 00:00:00 2001
 From: Arlo Breault 
 Date: Fri, 1 Sep 2017 17:39:04 -0400
-Subject: [PATCH 1/5] Trac 19910: Prevents STARTTLS in XMPP
+Subject: [PATCH 1/6] Trac 19910: Prevents STARTTLS in XMPP
 
  * Revert "Bug 3875: Use Optimistic Data SOCKS variant."
 
@@ -115,5 +115,5 @@ index a21dfa4a5a11..5429637c1c3a 100644
  void SetNamedPipeFD(PRFileDesc *fd) { mFD = fd; }
  
 -- 
-2.16.1
+2.11.0
 
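Review bot: The only changes to this patch file are the regenerated From hash, the [PATCH 1/5] to [PATCH 1/6] renumbering and the git version trailer moving from 2.16.1 to 2.11.0, and the same three-line churn repeats in patches 0002 to 0005. Generating the series with git format-patch --zero-commit --no-numbered --no-signature would keep these files byte-stable when a patch is appended or the series is regenerated on another machine.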
diff --git a/projects/mozilla/0002-Trac-16475-Block-flash-too.patch 
b/projects/mozilla/0002-Trac-16475-Block-flash-too.patch
index 5c24cdb..81d60d3 100644
--- a/projects/mozilla/0002-Trac-16475-Block-flash-too.patch
+++ b/projects/mozilla/0002-Trac-16475-Block-flash-too.patch
@@ -1,7 +1,7 @@
-From a1f8139363a279d8c948ef621e860e306eca2167 Mon Sep 17 00:00:00 2001
+From add0c6cef2e16013a4e937477fa74156589d310f Mon Sep 17 00:00:00 2001
 From: Arlo Breault 
 Date: Thu, 6 Oct 2016 20:13:35 -0700
-Subject: [PATCH 2/5] Trac 16475: Block flash too
+Subject: [PATCH 2/6] Trac 16475: Block flash too
 
  * Builds on "Bug #3547: Block all plugins except flash."
 ---
@@ -29,5 +29,5 @@ index cd1707beaf5f..d014832e0595 100644
  }
  
 -- 
-2.16.1
+2.11.0
 
diff --git a/projects/mozilla/0003-OSX-package-as-tar.bz2.patch 
b/projects/mozilla/0003-OSX-package-as-tar.bz2.patch
index ce7636d..33108b5 100644
--- a/projects/mozilla/0003-OSX-package-as-tar.bz2.patch
+++ b/projects/mozilla/0003-OSX-package-as-tar.bz2.patch
@@ -1,7 +1,7 @@
-From 4502122ff76eb1c6de00f3db49b6ff3121f1e9ce Mon Sep 17 00:00:00 2001
+From 4a6547f057868dcf8a6660632f2a84dcbdc9ff30 Mon Sep 17 00:00:00 2001
 From: Nicolas Vigier 
 Date: Thu, 25 Jun 2015 12:18:43 +0200
-Subject: [PATCH 3/5] OSX: package as tar.bz2
+Subject: [PATCH 3/6] OSX: package as tar.bz2
 
 ---
  toolkit/mozapps/installer/upload-files.mk | 2 +-
@@ -21,5 +21,5 @@ index 51633178226c..64584f579390 100644
  ifeq (,$(filter-out WINNT, $(OS_ARCH)))
  MOZ_PKG_FORMAT  = ZIP
 -- 
-2.16.1
+2.11.0
 
diff --git a/projects/mozilla/0004-Updater-fixups-for-TM.patch 
b/projects/mozilla/0004-Updater-fixups-for-TM.patch
index 305bc0f..9d3053d 100644
--- a/projects/mozilla/0004-Updater-fixups-for-TM.patch
+++ b/projects/mozilla/0004-Updater-fixups-for-TM.patch
@@ -1,7 +1,7 @@
-From 26c0c11d82d4192f68cdb87ea4dd2d5f6f6d52e3 Mon Sep 17 00:00:00 2001
+From 7bd981927d912cb20dc16658deccc9fa77a92690 Mon Sep 17 00:00:00 2001
 From: Arlo Breault 
 Date: Fri, 1 Sep 2017 17:45:40 -0400
-Subject: [PATCH 4/5] Updater fixups for TM
+Subject: [PATCH 4/6] Updater fixups for TM
 
  * Remove updater links
 
@@ -804,5 +804,5 @@ index c45961ac54e7..23d6fbe2929a 100644
nsresult rv = GetAppRootDir(aExeFile, getter_AddRefs(appRootDir));
NS_ENSURE_SUCCESS(rv, rv);
 -- 
-2.16.1
+2.11.0
 
diff --git 
a/projects/mozilla/0005-Permit-storing-exceptions-even-w-inPrivateBrowsingMo.patch
 
b/projects/mozilla/0005-Permit-storing-exceptions-even-w-inPrivateBrowsingMo.patch
index 1e327f6..9f9e15f 100644
--- 
a/projects/mozilla/0005-Permit-storing-exceptions-even-w-inPrivateBrowsingMo.patch
+++ 
b/projects/mozilla/0005-Permit-storing-exceptions-even-w-inPrivateBrowsingMo.patch
@@ -1,7 +1,7 @@
-From bd9333d8dfd64559b4d33f06b3871740104259f5 Mon Sep 17 00:00:00 2001
+From 7abd599adc7c76757e56cea3a4c73c1daa3c1781 Mon Sep 17 00:00:00 2001
 From: Arlo Breault 
 Date: Sat, 3 Dec 2016 10:01:52 -0800
-Subject: [PATCH 5/5] Permit storing exceptions even w/ inPrivateBrowsingMode
+Subject: [PATCH 5/6] Permit storing exceptions even w/ inPrivateBrowsingMode
 
 ---
  security/manager/pki/resources/content/exceptionDialog.js | 3 ++-
@@ -20,5 +20,5 @@ index 0ca24a614dca..df50701729ce 100644
 +  return false;  // PrivateBrowsingUtils.isWindowPrivate(window);
  }
 -- 
-2.16.1
+2.11.0
 
diff --git 
a/projects/mozilla/0006-Bug-23231-disable-STL-Wrappers-on-Windows.patch 

[tor-commits] [translation/tails-persistence-setup_completed] Update translations for tails-persistence-setup_completed

2018-01-30 Thread translation
commit 9ab7fa50299982b7cef759583c977bba7d814922
Author: Translation commit bot 
Date:   Tue Jan 30 13:16:11 2018 +

Update translations for tails-persistence-setup_completed
---
 ru/ru.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru/ru.po b/ru/ru.po
index f624e0d35..3431ed854 100644
--- a/ru/ru.po
+++ b/ru/ru.po
@@ -21,7 +21,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: Tails developers \n"
 "POT-Creation-Date: 2017-05-15 13:51+0200\n"
-"PO-Revision-Date: 2018-01-30 12:15+\n"
+"PO-Revision-Date: 2018-01-30 12:46+\n"
 "Last-Translator: Andrey\n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-persistence-setup] Update translations for tails-persistence-setup

2018-01-30 Thread translation
commit dd9ec519f06303989e4317634f1261ecf3bc4a5b
Author: Translation commit bot 
Date:   Tue Jan 30 13:16:05 2018 +

Update translations for tails-persistence-setup
---
 ru/ru.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru/ru.po b/ru/ru.po
index f624e0d35..3431ed854 100644
--- a/ru/ru.po
+++ b/ru/ru.po
@@ -21,7 +21,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: Tails developers \n"
 "POT-Creation-Date: 2017-05-15 13:51+0200\n"
-"PO-Revision-Date: 2018-01-30 12:15+\n"
+"PO-Revision-Date: 2018-01-30 12:46+\n"
 "Last-Translator: Andrey\n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [webwml/master] Bug 25017: Remove 2017 donation banner from homepage

2018-01-30 Thread hiro
commit 42dd7261084a94da969dd809e6945629dfb6ab38
Author: Arthur Edelstein 
Date:   Thu Jan 25 00:13:26 2018 -0500

Bug 25017: Remove 2017 donation banner from homepage
---
 css/donation-banner.css |  99 
 en/index.wml|   2 +-
 images/onion-hand.png   | Bin 69055 -> 0 bytes
 include/head.wmi|  19 --
 js/donation_banner.js   |  33 
 5 files changed, 1 insertion(+), 152 deletions(-)

diff --git a/css/donation-banner.css b/css/donation-banner.css
deleted file mode 100644
index 09b94e02..
--- a/css/donation-banner.css
+++ /dev/null
@@ -1,99 +0,0 @@
-#banner-wrapper {
--khtml-user-select: none;/* Konqueror */
--moz-user-select: none;  /* Firefox */
--ms-user-select: none;   /* Internet Explorer/Edge */
--webkit-touch-callout: none; /* iOS Safari */
--webkit-user-select: none;   /* Chrome/Safari/Opera */
-display: block;
-height: 150px;
-justify-content: center;
-left: 0px;
-margin-top: 0px;
-min-width: 900px;
-opacity: 1;
-position: absolute;
-user-select: none;
-width: 100%;
-z-index: 1;
-}
-#banner-wrapper:before {
-background-color: #551373;
-background-image: url('../images/onion-hand.png');
-background-position: calc(50% - 40px) 50%;
-background-size: cover;
-content: "";
-height: 150px;
-left: 0px;
-position: absolute;
-top: 0px;
-right: 0px;
-}
-#banner-contents-container {
-align-items: center;
-height: 100%;
-margin: 0 auto;
-max-width: 960px;
-position: relative;
-width: 960px;
-}
-#banner-tagline {
-align-items: center;
-bottom: 60px;
-color: white;
-display: flex;
-font-family: monospace;
-font-weight: bold;
-left: 200px;
-position: absolute;
-right: 0px;
-text-align: start;
-text-transform: uppercase;
-top: 10px;
-}
-#banner-slogan {
-align-items: center;
-bottom: 30px;
-color: #f8f8a0;
-display: flex;
-font-size: 20px;
-font-family: monospace;
-font-weight: bold;
-left: 200px;
-position: absolute;
-right: 285px;
-text-align: start;
-top: 90px;
-white-space: nowrap;
-}
-#banner-donate-button {
-align-items: center;
-background-color: #13a513;
-border: 0px;
-bottom: 10px;
-color: #fbf7ef;
-display: flex;
-font-family: sans-serif;
-font-size: 22px;
-font-weight: bold;
-justify-content: center;
-left: 630px;
-letter-spacing: -0.00em;
-position: absolute;
-right: 10px;
-top: 90px;
-}
-#banner-donate-button:hover {
-background-color: #38bc38;
-}
-#banner-spacer {
-background-color: #551373;
-display: block;
-height: 150px;
-position: relative;
-top: 0px;
-left: 0px;
-width: 100%;
-}
-body {
-min-width: 960px;
-}
diff --git a/en/index.wml b/en/index.wml
index 24f55b53..67414bcc 100644
--- a/en/index.wml
+++ b/en/index.wml
@@ -2,7 +2,7 @@
 # Revision: $Revision$
 # Translation-Priority: 1-high
 
-#include "head.wmi" TITLE="Tor Project | Privacy Online" CHARSET="UTF-8" 
DONATION_BANNER="true"
+#include "head.wmi" TITLE="Tor Project | Privacy Online" CHARSET="UTF-8"
 
 
 
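Review bot: DONATION_BANNER="true" is dropped from the #include line of en/index.wml, and the diffstat lists no other .wml page. Since head.wmi loses the banner block in the same commit, grep the tree for remaining DONATION_BANNER arguments so that no other page keeps passing a parameter that is now ignored.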
diff --git a/images/onion-hand.png b/images/onion-hand.png
deleted file mode 100644
index 00a5a41c..
Binary files a/images/onion-hand.png and /dev/null differ
diff --git a/include/head.wmi b/include/head.wmi
index 0732bb7c..dc4d5e26 100644
--- a/include/head.wmi
+++ b/include/head.wmi
@@ -33,7 +33,6 @@
# begin WML to generate css/js paths
">
">
-   ">
 
#

-
-
-Protecting the Privacy of 
Millions Every Day
-Tor: Powering Digital 
Resistance
-https://www.torproject.org/donate/donate-pdr-hp;>
-
-Donate Now!
-
-
-
-
-
-
-
-">
 
   
 Tor
diff --git a/js/donation_banner.js b/js/donation_banner.js
deleted file mode 100644
index 239fcafd..
--- a/js/donation_banner.js
+++ /dev/null
@@ -1,33 +0,0 @@
-/* jshint esnext:true */
-
-let kTaglines = [
-  "Protecting Journalists, Whistleblowers, & Activists Since 2006",
-  "Networking Freedom Worldwide",
-  "Freedom Online",
-  "Fostering Free Expression Worldwide",
-  "Protecting the Privacy of Millions Every Day",
-];
-
-let kTaglineSizes = [
-  30,
-  40,
-  48,
-  36,
-  36,
-];
-
-// Returns a random integer x, such that 0 <= x < max
-let randomInteger = function (max) {
-  return Math.floor(max * Math.random());
-};
-
-// The main donation banner function.
-let runDonationBanner = function () {
-  // Load random tag line once page is loaded
-  let index = randomInteger(kTaglines.length);
-  let taglineElement = document.querySelector("#banner-tagline span");
-  taglineElement.innerText = kTaglines[index];
-  taglineElement.style.fontSize = kTaglineSizes[index] + "px";
-};
-

[tor-commits] [webwml/master] Merge branch 'master' of git-rw.torproject.org:project/web/webwml into 25017

2018-01-30 Thread hiro
commit 08ceceb08dd1099d394872f5226a5c165be0ea6d
Merge: 42dd7261 c94a7c2c
Author: hiromipaw 
Date:   Tue Jan 30 13:43:06 2018 +0100

Merge branch 'master' of git-rw.torproject.org:project/web/webwml into 25017

 Makefile   |   2 +-
 docs/en/rpms.wml   |  47 
 docs/en/sidenav.wmi|   3 -
 include/versions.wmi   |   2 +-
 projects/torbrowser/RecommendedTBBVersions |  12 
 projects/torbrowser/design/index.html.en   | 112 +++--
 6 files changed, 91 insertions(+), 87 deletions(-)



[tor-commits] [translation/tails-openpgp-applet_completed] Update translations for tails-openpgp-applet_completed

2018-01-30 Thread translation
commit 468de492d0b1d6a641ba97e39b90faa3fd904b52
Author: Translation commit bot 
Date:   Tue Jan 30 12:19:01 2018 +

Update translations for tails-openpgp-applet_completed
---
 ru/openpgp-applet.pot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru/openpgp-applet.pot b/ru/openpgp-applet.pot
index 21db88faa..701c11c5f 100644
--- a/ru/openpgp-applet.pot
+++ b/ru/openpgp-applet.pot
@@ -11,7 +11,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: ta...@boum.org\n"
 "POT-Creation-Date: 2017-08-05 15:07-0400\n"
-"PO-Revision-Date: 2018-01-30 10:46+\n"
+"PO-Revision-Date: 2018-01-30 12:05+\n"
 "Last-Translator: Misha Dyachuk \n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-openpgp-applet] Update translations for tails-openpgp-applet

2018-01-30 Thread translation
commit 8f30a67b6270df69522a4cecbb8f6bc518869bfa
Author: Translation commit bot 
Date:   Tue Jan 30 12:18:56 2018 +

Update translations for tails-openpgp-applet
---
 ru/openpgp-applet.pot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru/openpgp-applet.pot b/ru/openpgp-applet.pot
index 21db88faa..701c11c5f 100644
--- a/ru/openpgp-applet.pot
+++ b/ru/openpgp-applet.pot
@@ -11,7 +11,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: ta...@boum.org\n"
 "POT-Creation-Date: 2017-08-05 15:07-0400\n"
-"PO-Revision-Date: 2018-01-30 10:46+\n"
+"PO-Revision-Date: 2018-01-30 12:05+\n"
 "Last-Translator: Misha Dyachuk \n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-misc] Update translations for tails-misc

2018-01-30 Thread translation
commit 39fc9b1f6c588c866b8bd75eefa2d3e47e421499
Author: Translation commit bot 
Date:   Tue Jan 30 12:17:11 2018 +

Update translations for tails-misc
---
 ru.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru.po b/ru.po
index df6e31b66..4ffe6c8e0 100644
--- a/ru.po
+++ b/ru.po
@@ -28,7 +28,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2017-09-13 20:10+0200\n"
-"PO-Revision-Date: 2018-01-30 10:49+\n"
+"PO-Revision-Date: 2018-01-30 12:10+\n"
 "Last-Translator: Timofey Lisunov \n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-misc_completed] Update translations for tails-misc_completed

2018-01-30 Thread translation
commit 6d5e5a7cc07259cacad3131e226d6f6d4ccb4a39
Author: Translation commit bot 
Date:   Tue Jan 30 12:17:16 2018 +

Update translations for tails-misc_completed
---
 ru.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru.po b/ru.po
index df6e31b66..4ffe6c8e0 100644
--- a/ru.po
+++ b/ru.po
@@ -28,7 +28,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2017-09-13 20:10+0200\n"
-"PO-Revision-Date: 2018-01-30 10:49+\n"
+"PO-Revision-Date: 2018-01-30 12:10+\n"
 "Last-Translator: Timofey Lisunov \n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-persistence-setup] Update translations for tails-persistence-setup

2018-01-30 Thread translation
commit 1329cdbaf81b23df489f99395e710c505e510a2b
Author: Translation commit bot 
Date:   Tue Jan 30 12:16:04 2018 +

Update translations for tails-persistence-setup
---
 ru/ru.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru/ru.po b/ru/ru.po
index 0bd65e9c0..f624e0d35 100644
--- a/ru/ru.po
+++ b/ru/ru.po
@@ -21,7 +21,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: Tails developers \n"
 "POT-Creation-Date: 2017-05-15 13:51+0200\n"
-"PO-Revision-Date: 2018-01-12 16:43+\n"
+"PO-Revision-Date: 2018-01-30 12:15+\n"
 "Last-Translator: Andrey\n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-persistence-setup_completed] Update translations for tails-persistence-setup_completed

2018-01-30 Thread translation
commit d54780a8a8c5d2bb88cd6cfdab3fb81b841dcfa8
Author: Translation commit bot 
Date:   Tue Jan 30 12:16:12 2018 +

Update translations for tails-persistence-setup_completed
---
 ru/ru.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru/ru.po b/ru/ru.po
index 0bd65e9c0..f624e0d35 100644
--- a/ru/ru.po
+++ b/ru/ru.po
@@ -21,7 +21,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: Tails developers \n"
 "POT-Creation-Date: 2017-05-15 13:51+0200\n"
-"PO-Revision-Date: 2018-01-12 16:43+\n"
+"PO-Revision-Date: 2018-01-30 12:15+\n"
 "Last-Translator: Andrey\n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tor-browser-manual] Update translations for tor-browser-manual

2018-01-30 Thread translation
commit 8379717d88d4f19b5bbbc9e13b00ebfe753157b6
Author: Translation commit bot 
Date:   Tue Jan 30 11:50:42 2018 +

Update translations for tor-browser-manual
---
 br/br.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/br/br.po b/br/br.po
index e889cc505..a5b7927b5 100644
--- a/br/br.po
+++ b/br/br.po
@@ -439,7 +439,7 @@ msgstr ""
 
 #: first-time.page:33
 msgid "Configure"
-msgstr ""
+msgstr "Kefluniañ"
 
 #: first-time.page:37
 msgid ""



[tor-commits] [translation/tails-openpgp-applet] Update translations for tails-openpgp-applet

2018-01-30 Thread translation
commit eaba8b3bee661994adefd17c0d4faeae46674750
Author: Translation commit bot 
Date:   Tue Jan 30 11:48:47 2018 +

Update translations for tails-openpgp-applet
---
 br/openpgp-applet.pot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/br/openpgp-applet.pot b/br/openpgp-applet.pot
index 300ba4579..142a7e656 100644
--- a/br/openpgp-applet.pot
+++ b/br/openpgp-applet.pot
@@ -27,7 +27,7 @@ msgstr ""
 
 #: bin/openpgp-applet:175
 msgid "Exit"
-msgstr ""
+msgstr "Kuitaat"
 
 #: bin/openpgp-applet:177
 msgid "About"
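Review bot: The path is `br/openpgp-applet.pot`, but the hunk fills in a `msgstr` ("Kuitaat" for "Exit"), which makes this a translated catalog rather than a template. gettext convention uses `.pot` for untranslated templates and `.po` for per-language catalogs; naming the file `br/openpgp-applet.po` would keep tooling and readers from treating it as a template.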



[tor-commits] [translation/tor-launcher-network-settings] Update translations for tor-launcher-network-settings

2018-01-30 Thread translation
commit ee410c6f84906e2a502d2e8f07e5de1c7bc2b7f4
Author: Translation commit bot 
Date:   Tue Jan 30 11:46:58 2018 +

Update translations for tor-launcher-network-settings
---
 br/network-settings.dtd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/br/network-settings.dtd b/br/network-settings.dtd
index 740612491..bffe154b2 100644
--- a/br/network-settings.dtd
+++ b/br/network-settings.dtd
@@ -11,7 +11,7 @@
 
 
 
-
+
 
 
 



[tor-commits] [translation/tor-launcher-properties] Update translations for tor-launcher-properties

2018-01-30 Thread translation
commit a20a9ee8b8420bddb4857ad1e693a0b513789be4
Author: Translation commit bot 
Date:   Tue Jan 30 11:46:39 2018 +

Update translations for tor-launcher-properties
---
 br/torlauncher.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/br/torlauncher.properties b/br/torlauncher.properties
index 8b87e767a..eeaf0b53b 100644
--- a/br/torlauncher.properties
+++ b/br/torlauncher.properties
@@ -34,7 +34,7 @@ torlauncher.bridge_suffix.meek-azure=(works in China)
 torlauncher.connect=Connect
 torlauncher.restart_tor=Restart Tor
 torlauncher.quit=Quit
-torlauncher.quit_win=Exit
+torlauncher.quit_win=Kuitaat
 torlauncher.done=Done
 
 torlauncher.forAssistance=For assistance, contact %S
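Review bot: `torlauncher.quit_win` is translated to "Kuitaat" while `torlauncher.quit=Quit` one line above it, along with `torlauncher.connect`, `torlauncher.restart_tor` and `torlauncher.done`, still carries the English value in this Breton file. Going by the key names, `quit` and `quit_win` are variants of the same label, so translate them together; otherwise the language of that label differs between the two variants.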



[tor-commits] [translation/torbirdy] Update translations for torbirdy

2018-01-30 Thread translation
commit deccbe18c03bb6040aa54d85c48484cdce3e8159
Author: Translation commit bot 
Date:   Tue Jan 30 11:46:17 2018 +

Update translations for torbirdy
---
 br/torbirdy.dtd | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/br/torbirdy.dtd b/br/torbirdy.dtd
index bdccae1dd..ba467b325 100644
--- a/br/torbirdy.dtd
+++ b/br/torbirdy.dtd
@@ -5,11 +5,11 @@
 
 
 
-
+
 
 
 
-
+
 
 
 



[tor-commits] [translation/tails-persistence-setup] Update translations for tails-persistence-setup

2018-01-30 Thread translation
commit 5c3f623ae7e04682355ee3d2fca3013a35937ec0
Author: Translation commit bot 
Date:   Tue Jan 30 11:46:04 2018 +

Update translations for tails-persistence-setup
---
 br/br.po | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/br/br.po b/br/br.po
index 513f8fdf9..493fc054d 100644
--- a/br/br.po
+++ b/br/br.po
@@ -9,7 +9,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: Tails developers \n"
 "POT-Creation-Date: 2017-05-15 13:51+0200\n"
-"PO-Revision-Date: 2018-01-26 13:31+\n"
+"PO-Revision-Date: 2018-01-30 11:33+\n"
 "Last-Translator: carolyn \n"
 "Language-Team: Breton 
(http://www.transifex.com/otf/torproject/language/br/)\n"
 "MIME-Version: 1.0\n"
@@ -287,7 +287,7 @@ msgstr ""
 
 #: ../lib/Tails/Persistence/Step/Configure.pm:74
 msgid "Save"
-msgstr ""
+msgstr "Enrollañ"
 
 #: ../lib/Tails/Persistence/Step/Configure.pm:143
 msgid "Saving..."



[tor-commits] [translation/tails-misc_completed] Update translations for tails-misc_completed

2018-01-30 Thread translation
commit 080c3473103a2157b66ca95a0318bcefa3d7f68a
Author: Translation commit bot 
Date:   Tue Jan 30 11:17:14 2018 +

Update translations for tails-misc_completed
---
 ru.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru.po b/ru.po
index 212e9f9cc..df6e31b66 100644
--- a/ru.po
+++ b/ru.po
@@ -28,7 +28,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2017-09-13 20:10+0200\n"
-"PO-Revision-Date: 2017-12-29 07:52+\n"
+"PO-Revision-Date: 2018-01-30 10:49+\n"
 "Last-Translator: Timofey Lisunov \n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-misc] Update translations for tails-misc

2018-01-30 Thread translation
commit 158d69586240bb71f0becc2dce342c74fd9a337c
Author: Translation commit bot 
Date:   Tue Jan 30 11:17:09 2018 +

Update translations for tails-misc
---
 ru.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru.po b/ru.po
index 212e9f9cc..df6e31b66 100644
--- a/ru.po
+++ b/ru.po
@@ -28,7 +28,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2017-09-13 20:10+0200\n"
-"PO-Revision-Date: 2017-12-29 07:52+\n"
+"PO-Revision-Date: 2018-01-30 10:49+\n"
 "Last-Translator: Timofey Lisunov \n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/bridgedb_completed] Update translations for bridgedb_completed

2018-01-30 Thread translation
commit 56d1d8412a9e7ebd4dd9b03b7727ad54073c6e2b
Author: Translation commit bot 
Date:   Tue Jan 30 11:15:15 2018 +

Update translations for bridgedb_completed
---
 ru/LC_MESSAGES/bridgedb.po | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ru/LC_MESSAGES/bridgedb.po b/ru/LC_MESSAGES/bridgedb.po
index 2b5c2a892..5147520d6 100644
--- a/ru/LC_MESSAGES/bridgedb.po
+++ b/ru/LC_MESSAGES/bridgedb.po
@@ -12,7 +12,7 @@
 # Иван Лапенков, 2015
 # joshua ridney , 2015
 # Kalyuzhniy Aleksey, 2017
-# liquixis , 2012
+# liquixis, 2012
 # Misha Dyachuk , 2016
 # Oleg, 2014
 # Roberto Brigante, 2017
@@ -27,7 +27,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: 
'https://trac.torproject.org/projects/tor/newticket?component=BridgeDB=bridgedb-reported,msgid=isis,sysrqb=isis'\n"
 "POT-Creation-Date: 2015-07-25 03:40+\n"
-"PO-Revision-Date: 2017-10-02 08:49+\n"
+"PO-Revision-Date: 2018-01-30 10:47+\n"
 "Last-Translator: Andrey\n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/bridgedb] Update translations for bridgedb

2018-01-30 Thread translation
commit dea70792f12a708f83d3b56d0a45b843dc040f7a
Author: Translation commit bot 
Date:   Tue Jan 30 11:15:08 2018 +

Update translations for bridgedb
---
 ru/LC_MESSAGES/bridgedb.po | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ru/LC_MESSAGES/bridgedb.po b/ru/LC_MESSAGES/bridgedb.po
index 2b5c2a892..5147520d6 100644
--- a/ru/LC_MESSAGES/bridgedb.po
+++ b/ru/LC_MESSAGES/bridgedb.po
@@ -12,7 +12,7 @@
 # Иван Лапенков, 2015
 # joshua ridney , 2015
 # Kalyuzhniy Aleksey, 2017
-# liquixis , 2012
+# liquixis, 2012
 # Misha Dyachuk , 2016
 # Oleg, 2014
 # Roberto Brigante, 2017
@@ -27,7 +27,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: 
'https://trac.torproject.org/projects/tor/newticket?component=BridgeDB=bridgedb-reported,msgid=isis,sysrqb=isis'\n"
 "POT-Creation-Date: 2015-07-25 03:40+\n"
-"PO-Revision-Date: 2017-10-02 08:49+\n"
+"PO-Revision-Date: 2018-01-30 10:47+\n"
 "Last-Translator: Andrey\n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [webwml/master] Merge branch 'master' of git-rw.torproject.org:project/web/webwml into remove_rpms_from_sidenav

2018-01-30 Thread hiro
commit c94a7c2c5535d0b0548ed0f99e8819ff5ff9a858
Merge: 467ed909 59a33abb
Author: hiromipaw 
Date:   Tue Jan 30 12:04:40 2018 +0100

Merge branch 'master' of git-rw.torproject.org:project/web/webwml into 
remove_rpms_from_sidenav

 Makefile   |   2 +-
 include/versions.wmi   |  14 +-
 projects/en/torbrowser.wml |   4 +-
 projects/torbrowser/RecommendedTBBVersions |  20 +-
 projects/torbrowser/design/index.html.en   | 763 ++---
 5 files changed, 489 insertions(+), 314 deletions(-)



[tor-commits] [webwml/master] delete obsolete docs/en/rpms.wml

2018-01-30 Thread hiro
commit 467ed909e08e152ab32ec986bcf77ddc5f4661f1
Author: nusenu 
Date:   Tue Jan 23 14:41:06 2018 +

delete obsolete docs/en/rpms.wml
---
 docs/en/rpms.wml | 47 ---
 1 file changed, 47 deletions(-)

diff --git a/docs/en/rpms.wml b/docs/en/rpms.wml
deleted file mode 100644
index 77fd243f..
--- a/docs/en/rpms.wml
+++ /dev/null
@@ -1,47 +0,0 @@
-## translation metadata
-# Revision: $Revision$
-# Translation-Priority: 3-low
-
-#include "head.wmi" TITLE="Tor Project: CentOS/Fedora Instructions" 
CHARSET="UTF-8"
-
-  
-Home  
-Documentation  
-RPMs
-  
-   
-
-Tor packages for RPM-based
-linux distributions.
-
-
-Fedora, RHEL, CentOS, Scientific Linux packages
-
-Use native Fedora packages for the Fedora distribution or https://fedoraproject.org/wiki/EPEL;>EPEL
-packages for distribitons derived from RHEL.
-
-
-
-
-Building from source
-
-
-
-If you'd like to build from source, please follow the RPM creation 
instructions.
-
-
-
-
-If you have suggestions for improving this document, please send them to us. Thanks!
-  
-  
-  
-#include "side.wmi"
-#include "info.wmi"
-  
-  
-
-
-#include   
\ No newline at end of file
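Review bot: The commit message calls the page obsolete but does not say what replaces it, and the deleted text is where readers were pointed to native Fedora packages, EPEL for RHEL-derived distributions, and the RPM creation instructions. State in the commit message where that installation guidance now lives, so someone reading the history can tell whether the content moved or was dropped.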





[tor-commits] [webwml/master] Remove "Installing Tor on Fedora/CentOS" from sidenav

2018-01-30 Thread hiro
commit 97ff406ac1fc4b6f444be76b8e8d2b5896868299
Author: nusenu 
Date:   Tue Jan 23 14:38:12 2018 +

Remove "Installing Tor on Fedora/CentOS" from sidenav
---
 docs/en/sidenav.wmi | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/docs/en/sidenav.wmi b/docs/en/sidenav.wmi
index 764c556d..c86c811d 100644
--- a/docs/en/sidenav.wmi
+++ b/docs/en/sidenav.wmi
@@ -39,9 +39,6 @@
   {'url'  => 'docs/debian',
'txt'  => 'Installing Tor on Debian/Ubuntu',
   },
-  {'url'  => 'docs/rpms',
-   'txt'  => 'Installing Tor on Fedora/CentOS',
-  },
   {'url'  => 'docs/tor-doc-unix',
'txt'  => 'Installing Tor Source',
   },
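Review bot: Dropping the `docs/rpms` entry removes only the sidebar link; this diff touches nothing but `docs/en/sidenav.wmi`, so any other page that still links to `docs/rpms` will break once the page itself is deleted. Search the tree for `docs/rpms` before merging and update or redirect those references in the same change.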





[tor-commits] [translation/tails-openpgp-applet] Update translations for tails-openpgp-applet

2018-01-30 Thread translation
commit 3c37b71d1483a0be4096e1c5d5a596b2075210cd
Author: Translation commit bot 
Date:   Tue Jan 30 10:48:46 2018 +

Update translations for tails-openpgp-applet
---
 ru/openpgp-applet.pot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru/openpgp-applet.pot b/ru/openpgp-applet.pot
index dbae1cd33..21db88faa 100644
--- a/ru/openpgp-applet.pot
+++ b/ru/openpgp-applet.pot
@@ -11,7 +11,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: ta...@boum.org\n"
 "POT-Creation-Date: 2017-08-05 15:07-0400\n"
-"PO-Revision-Date: 2018-01-12 22:03+\n"
+"PO-Revision-Date: 2018-01-30 10:46+\n"
 "Last-Translator: Misha Dyachuk \n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"



[tor-commits] [translation/tails-openpgp-applet_completed] Update translations for tails-openpgp-applet_completed

2018-01-30 Thread translation
commit 1c96a21f7e70c003946c8d6d46daa4b73b7fe9f8
Author: Translation commit bot 
Date:   Tue Jan 30 10:48:55 2018 +

Update translations for tails-openpgp-applet_completed
---
 ru/openpgp-applet.pot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ru/openpgp-applet.pot b/ru/openpgp-applet.pot
index dbae1cd33..21db88faa 100644
--- a/ru/openpgp-applet.pot
+++ b/ru/openpgp-applet.pot
@@ -11,7 +11,7 @@ msgstr ""
 "Project-Id-Version: The Tor Project\n"
 "Report-Msgid-Bugs-To: ta...@boum.org\n"
 "POT-Creation-Date: 2017-08-05 15:07-0400\n"
-"PO-Revision-Date: 2018-01-12 22:03+\n"
+"PO-Revision-Date: 2018-01-30 10:46+\n"
 "Last-Translator: Misha Dyachuk \n"
 "Language-Team: Russian 
(http://www.transifex.com/otf/torproject/language/ru/)\n"
 "MIME-Version: 1.0\n"
