-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | doc/spec/dir-spec.txt | 10 | ||||
-rw-r--r-- | src/or/dirserv.c | 16 |
3 files changed, 25 insertions, 7 deletions
@@ -1,4 +1,10 @@
 Changes in version 0.2.0.1-alpha - 2007-??-??
+ o Security fixes:
+ - Directory authorities now call routers stable if they have an
+ uptime of at least 30 days, even if that's not the median uptime
+ in the network. Implements proposal 1xx, suggested by Kevin Bauer
+ and Damon McCoy.
+
 o Minor features (build):
 - Make autoconf search for libevent and openssl consistently.
 - Update deprecated macros in configure.in
diff --git a/doc/spec/dir-spec.txt b/doc/spec/dir-spec.txt
index 9d7c399a3..727349acb 100644
--- a/doc/spec/dir-spec.txt
+++ b/doc/spec/dir-spec.txt
@@ -441,10 +441,12 @@ $Id$
 "Running" -- A router is 'Running' if the authority managed to connect to it successfully within the last 30 minutes.
- "Stable" -- A router is 'Stable' if its uptime is above median for known
- running, valid routers, and it's running a version of Tor not known to
- drop circuits stupidly. (0.1.1.10-alpha through 0.1.1.16-rc are stupid
- this way.)
+ "Stable" -- A router is 'Stable' if it is running, valid, not
+ hibernating, and either its uptime is at least the median uptime for
+ known running, valid, non-hibernating routers, or its uptime is at
+ least 30 days. Routers are never called stable if they are running
+ a version of Tor known to drop circuits stupidly. (0.1.1.10-alpha
+ through 0.1.1.16-rc are stupid this way.)
 "Fast" -- A router is 'Fast' if its bandwidth is in the top 7/8ths for known running, valid routers.
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index d55dc8e2f..cc85d090f 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -1364,6 +1364,13 @@ should_generate_v2_networkstatus(void)
 the_v2_networkstatus_is_dirty + DIR_REGEN_SLACK_TIME < time(NULL);
 }
+/** If a router's uptime is at least this value, then it is always
+ * considered stable, regardless of the rest of the network. This
+ * way we resist attacks where an attacker doubles the size of the
+ * network using allegedly high-uptime nodes, displacing all the
+ * current guards. */
+#define UPTIME_TO_GUARANTEE_STABLE (3600*24*30)
+
 /* Thresholds for server performance: set by
 * dirserv_compute_performance_thresholds, and used by
 * generate_v2_networkstatus */
@@ -1395,9 +1402,12 @@ dirserv_thinks_router_is_unreliable(time_t now, routerinfo_t *router,
 int need_uptime, int need_capacity)
 {
- if (need_uptime &&
- (unsigned)real_uptime(router, now) < stable_uptime)
- return 1;
+ if (need_uptime) {
+ int uptime = real_uptime(router, now);
+ if ((unsigned)uptime < stable_uptime &&
+ (unsigned)uptime < UPTIME_TO_GUARANTEE_STABLE)
+ return 1;
+ }
 if (need_capacity &&
 router_get_advertised_bandwidth(router) < fast_bandwidth)
 return 1; |
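Review bot: In the second hunk, `(unsigned)uptime` turns a negative `uptime` into a very large value, so a router whose computed uptime is below zero compares as not less than either `stable_uptime` or `UPTIME_TO_GUARANTEE_STABLE` and is reported stable — the opposite of what the new threshold is meant to guarantee, and the new comment itself treats the uptime as attacker-influenced ("allegedly high-uptime nodes"). The cast predates this commit, but the rewritten branch is the natural place to close it. Reject negatives explicitly: `if (uptime < 0 || ((unsigned)uptime < stable_uptime && (unsigned)uptime < UPTIME_TO_GUARANTEE_STABLE)) return 1;`. The return type of `real_uptime` is not visible here; if it is wider than `int`, the narrowing in `int uptime = real_uptime(router, now);` deserves the same check. The body of dirserv_thinks_router_is_unreliable continues past the end of the hunk.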