[tor] branch main updated (ac306581af -> 16664c0017)

List overview All Threads
Download

newer

older

[tor] branch maint-0.4.7 updated...

[tor-browser] branch...

gitolite role

9 Aug 2022 9 Aug '22

3:03 p.m.

This is an automated email from the git hooks/post-receive script.

dgoulet pushed a change to branch main in repository tor.

from ac306581af fix a few more typos in comments new 681c15a32d dirauth: Add a AuthDirVoteGuard to pin Guard flags new 8bf1a86ae1 dirauth: Make voting flag threshold tunable via torrc new b2665ad639 man: Fix typo for AuthDirMiddleOnly option new 16664c0017 Merge branch 'maint-0.4.7'

The 4 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes: changes/ticket40652 | 10 ++++++ doc/man/tor.1.txt | 26 +++++++++++++++ src/feature/dirauth/dirauth_config.c | 5 +++ src/feature/dirauth/dirauth_options.inc | 25 +++++++++++++++ src/feature/dirauth/voteflags.c | 56 +++++++++++++++++---------------- 5 files changed, 95 insertions(+), 27 deletions(-) create mode 100644 changes/ticket40652

-- To stop receiving notification emails like this one, please contact the administrator of this repository.

Show replies by date

gitolite role

9 Aug 9 Aug

3:03 p.m.

New subject: [tor] 01/04: dirauth: Add a AuthDirVoteGuard to pin Guard flags

This is an automated email from the git hooks/post-receive script.

dgoulet pushed a commit to branch main in repository tor.

commit 681c15a32d7d484ba90a32ab4b29b85447e7430c Author: David Goulet dgoulet@torproject.org AuthorDate: Thu Aug 4 09:39:15 2022 -0400

dirauth: Add a AuthDirVoteGuard to pin Guard flags

Related to #40652

Signed-off-by: David Goulet dgoulet@torproject.org --- changes/ticket40652 | 5 +++++ doc/man/tor.1.txt | 5 +++++ src/feature/dirauth/dirauth_options.inc | 3 +++ src/feature/dirauth/voteflags.c | 17 +++++++++++++++++ 4 files changed, 30 insertions(+)

diff --git a/changes/ticket40652 b/changes/ticket40652 new file mode 100644 index 0000000000..2b9f2ee1cb --- /dev/null +++ b/changes/ticket40652 @@ -0,0 +1,5 @@ + o Minor features (dirauth): + - Add an AuthDirVoteGuard torrc option that can allow authorities to assign + the Guard flag to the given fingerprints/country code/IPs. This is a + needed feature mostly for defense purposes in case a DoS hits the network + and relay start losing the Guard flags too fast. Closes ticket 40652. diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt index 1814801b71..ba7cdbabc8 100644 --- a/doc/man/tor.1.txt +++ b/doc/man/tor.1.txt @@ -3229,6 +3229,11 @@ on the public Tor network. If set to 0, we vote Running for every relay, and don't perform these tests. (Default: 1)

+[[AuthDirVoteGuard]] **AuthDirVoteGuard** __node__,__node__,__...__:: + A list of identity fingerprints or country codes or address patterns of + nodes to vote Guard for regardless of their uptime and bandwidth. See + <<ExcludeNodes,ExcludeNodes>> for more information on how to specify nodes. + [[BridgePassword]] **BridgePassword** __Password__:: If set, contains an HTTP authenticator that tells a bridge authority to serve all requested bridge information. Used by the (only partially diff --git a/src/feature/dirauth/dirauth_options.inc b/src/feature/dirauth/dirauth_options.inc index 4fd07a8859..146dc7254c 100644 --- a/src/feature/dirauth/dirauth_options.inc +++ b/src/feature/dirauth/dirauth_options.inc @@ -76,6 +76,9 @@ CONF_VAR(RecommendedClientVersions, LINELIST, 0, NULL) /** Which versions of tor should we tell users to run on relays? */ CONF_VAR(RecommendedServerVersions, LINELIST, 0, NULL)

+/** Relays which should be voted Guard regardless of uptime and bandwidth. */ +CONF_VAR(AuthDirVoteGuard, ROUTERSET, 0, NULL) + /** If an authority has been around for less than this amount of time, it * does not believe its reachability information is accurate. Only * altered on testing networks. */ diff --git a/src/feature/dirauth/voteflags.c b/src/feature/dirauth/voteflags.c index 9aefc6c5b4..52b84a9d89 100644 --- a/src/feature/dirauth/voteflags.c +++ b/src/feature/dirauth/voteflags.c @@ -573,6 +573,21 @@ should_publish_node_ipv6(const node_t *node, const routerinfo_t *ri, router_is_me(ri)); }

+/** Set routerstatus flags based on the authority options. Same as the testing + * function but for the main network. */ +static void +dirserv_set_routerstatus_flags(routerstatus_t *rs) +{ + const dirauth_options_t *options = dirauth_get_options(); + + tor_assert(rs); + + /* Assign Guard flag to relays that can get it unconditionnaly. */ + if (routerset_contains_routerstatus(options->AuthDirVoteGuard, rs, 0)) { + rs->is_possible_guard = 1; + } +} + /** * Extract status information from <b>ri</b> and from other authority * functions and store it in <b>rs</b>, as per @@ -638,6 +653,8 @@ dirauth_set_routerstatus_from_routerinfo(routerstatus_t *rs,

if (options->TestingTorNetwork) { dirserv_set_routerstatus_testing(rs); + } else { + dirserv_set_routerstatus_flags(rs); } }

-- To stop receiving notification emails like this one, please contact the administrator of this repository.

gitolite role

3:03 p.m.

New subject: [tor] 02/04: dirauth: Make voting flag threshold tunable via torrc

This is an automated email from the git hooks/post-receive script.

dgoulet pushed a commit to branch main in repository tor.

commit 8bf1a86ae1f3f71fa4b8b13f6d8eef5ad5eff8ca Author: David Goulet dgoulet@torproject.org AuthorDate: Thu Aug 4 10:03:19 2022 -0400

dirauth: Make voting flag threshold tunable via torrc

Remove UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE, TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD and replace each of them with a tunnable torrc option.

Related to #40652

Signed-off-by: David Goulet dgoulet@torproject.org --- changes/ticket40652 | 13 +++++++---- doc/man/tor.1.txt | 21 ++++++++++++++++++ src/feature/dirauth/dirauth_config.c | 5 +++++ src/feature/dirauth/dirauth_options.inc | 22 +++++++++++++++++++ src/feature/dirauth/voteflags.c | 39 ++++++++++----------------------- 5 files changed, 69 insertions(+), 31 deletions(-)

diff --git a/changes/ticket40652 b/changes/ticket40652 index 2b9f2ee1cb..ff9f4d0591 100644 --- a/changes/ticket40652 +++ b/changes/ticket40652 @@ -1,5 +1,10 @@ o Minor features (dirauth): - - Add an AuthDirVoteGuard torrc option that can allow authorities to assign - the Guard flag to the given fingerprints/country code/IPs. This is a - needed feature mostly for defense purposes in case a DoS hits the network - and relay start losing the Guard flags too fast. Closes ticket 40652. + - Add an AuthDirVoteGuard torrc option that can allow authorities to + assign the Guard flag to the given fingerprints/country code/IPs. This + is a needed feature mostly for defense purposes in case a DoS hits the + network and relay start losing the Guard flags too fast. + - Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE, + TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable from + torrc. + - Add a torrc option to control the Guard flag bandwidth threshold + percentile. Closes ticket 40652. diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt index ba7cdbabc8..641d2d597e 100644 --- a/doc/man/tor.1.txt +++ b/doc/man/tor.1.txt @@ -3234,6 +3234,27 @@ on the public Tor network. nodes to vote Guard for regardless of their uptime and bandwidth. See <<ExcludeNodes,ExcludeNodes>> for more information on how to specify nodes.

+[[AuthDirVoteGuardBwThresholdFraction]] **AuthDirVoteGuardBwThresholdFraction** __FRACTION__:: + The Guard flag bandwidth performance threshold fraction that is the + fraction representing who gets the Guard flag out of all measured + bandwidth. (Default: 0.75) + +[[AuthDirVoteGuardGuaranteeTimeKnown]] **AuthDirVoteGuardGuaranteeTimeKnown** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**:: + A relay with at least this much weighted time known can be considered + familiar enough to be a guard. (Default: 8 days) + +[[AuthDirVoteGuardGuaranteeWFU]] **AuthDirVoteGuardGuaranteeWFU** __FRACTION__:: + A level of weighted fractional uptime (WFU) is that is sufficient to be a + Guard. (Default: 0.98) + +[[AuthDirVoteStableGuaranteeMinUptime]] **AuthDirVoteStableGuaranteeMinUptime** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**:: + If a relay's uptime is at least this value, then it is always considered + stable, regardless of the rest of the network. (Default: 30 days) + +[[AuthDirVoteStableGuaranteeMTBF]] **AuthDirVoteStableGuaranteeMTBF** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**:: + If a relay's mean time between failures (MTBF) is least this value, then + it will always be considered stable. (Default: 5 days) + [[BridgePassword]] **BridgePassword** __Password__:: If set, contains an HTTP authenticator that tells a bridge authority to serve all requested bridge information. Used by the (only partially diff --git a/src/feature/dirauth/dirauth_config.c b/src/feature/dirauth/dirauth_config.c index 53c9f9f781..f98513ef75 100644 --- a/src/feature/dirauth/dirauth_config.c +++ b/src/feature/dirauth/dirauth_config.c @@ -434,6 +434,11 @@ dirauth_options_validate(const void *arg, char **msg) "Recommended*Versions."); }

+ if (options->AuthDirVoteGuardBwThresholdFraction > 1.0 || + options->AuthDirVoteGuardBwThresholdFraction < 0.0) { + REJECT("Guard bandwdith threshold fraction is invalid."); + } + char *t; /* Call these functions to produce warnings only. */ t = format_recommended_version_list(options->RecommendedClientVersions, 1); diff --git a/src/feature/dirauth/dirauth_options.inc b/src/feature/dirauth/dirauth_options.inc index 146dc7254c..7ee0201e1a 100644 --- a/src/feature/dirauth/dirauth_options.inc +++ b/src/feature/dirauth/dirauth_options.inc @@ -79,6 +79,28 @@ CONF_VAR(RecommendedServerVersions, LINELIST, 0, NULL) /** Relays which should be voted Guard regardless of uptime and bandwidth. */ CONF_VAR(AuthDirVoteGuard, ROUTERSET, 0, NULL)

+/** If a relay's uptime is at least this value, then it is always considered + * stable, regardless of the rest of the network. This way we resist attacks + * where an attacker doubles the size of the network using allegedly + * high-uptime nodes, displacing all the current guards. */ +CONF_VAR(AuthDirVoteStableGuaranteeMinUptime, INTERVAL, 0, "30 days") + +/** If a relay's MTBF is at least this value, then it is always stable. See + * above. */ +CONF_VAR(AuthDirVoteStableGuaranteeMTBF, INTERVAL, 0, "5 days") + +/** A relay with at least this much weighted time known can be considered + * familiar enough to be a guard. */ +CONF_VAR(AuthDirVoteGuardGuaranteeTimeKnown, INTERVAL, 0, "8 days") + +/** A relay with sufficient WFU is around enough to be a guard. */ +CONF_VAR(AuthDirVoteGuardGuaranteeWFU, DOUBLE, 0, "0.98") + +/** The Guard flag bandwidth performance threshold fraction that is the + * fraction representing who gets the Guard flag out of all measured + * bandwidth. */ +CONF_VAR(AuthDirVoteGuardBwThresholdFraction, DOUBLE, 0, "0.75") + /** If an authority has been around for less than this amount of time, it * does not believe its reachability information is accurate. Only * altered on testing networks. */ diff --git a/src/feature/dirauth/voteflags.c b/src/feature/dirauth/voteflags.c index 52b84a9d89..71ee03e265 100644 --- a/src/feature/dirauth/voteflags.c +++ b/src/feature/dirauth/voteflags.c @@ -36,24 +36,6 @@

#include "lib/container/order.h"

-/** If a router's uptime is at least this value, then it is always - * considered stable, regardless of the rest of the network. This - * way we resist attacks where an attacker doubles the size of the - * network using allegedly high-uptime nodes, displacing all the - * current guards. */ -#define UPTIME_TO_GUARANTEE_STABLE (3600*24*30) -/** If a router's MTBF is at least this value, then it is always stable. - * See above. (Corresponds to about 7 days for current decay rates.) */ -#define MTBF_TO_GUARANTEE_STABLE (60*60*24*5) -/** Similarly, every node with at least this much weighted time known can be - * considered familiar enough to be a guard. Corresponds to about 20 days for - * current decay rates. - */ -#define TIME_KNOWN_TO_GUARANTEE_FAMILIAR (8*24*60*60) -/** Similarly, every node with sufficient WFU is around enough to be a guard. - */ -#define WFU_TO_GUARANTEE_GUARD (0.98) - /* Thresholds for server performance: set by * dirserv_compute_performance_thresholds, and used by * generate_v2_networkstatus */ @@ -111,13 +93,13 @@ dirserv_thinks_router_is_unreliable(time_t now, */ long uptime = real_uptime(router, now); if ((unsigned)uptime < stable_uptime && - (unsigned)uptime < UPTIME_TO_GUARANTEE_STABLE) + uptime < dirauth_get_options()->AuthDirVoteStableGuaranteeMinUptime) return 1; } else { double mtbf = rep_hist_get_stability(router->cache_info.identity_digest, now); if (mtbf < stable_mtbf && - mtbf < MTBF_TO_GUARANTEE_STABLE) + mtbf < dirauth_get_options()->AuthDirVoteStableGuaranteeMTBF) return 1; } } @@ -325,13 +307,15 @@ dirserv_compute_performance_thresholds(digestmap_t *omit_as_sybil) /* (Now bandwidths is sorted.) */ if (fast_bandwidth_kb < RELAY_REQUIRED_MIN_BANDWIDTH/(2 * 1000)) fast_bandwidth_kb = bandwidths_kb[n_active/4]; + int nth = (int)(n_active * + dirauth_options->AuthDirVoteGuardBwThresholdFraction); guard_bandwidth_including_exits_kb = - third_quartile_uint32(bandwidths_kb, n_active); + find_nth_uint32(bandwidths_kb, n_active, nth); guard_tk = find_nth_long(tks, n_active, n_active/8); }

- if (guard_tk > TIME_KNOWN_TO_GUARANTEE_FAMILIAR) - guard_tk = TIME_KNOWN_TO_GUARANTEE_FAMILIAR; + if (guard_tk > dirauth_options->AuthDirVoteGuardGuaranteeTimeKnown) + guard_tk = dirauth_options->AuthDirVoteGuardGuaranteeTimeKnown;

{ /* We can vote on a parameter for the minimum and maximum. */ @@ -379,15 +363,16 @@ dirserv_compute_performance_thresholds(digestmap_t *omit_as_sybil) } SMARTLIST_FOREACH_END(node); if (n_familiar) guard_wfu = median_double(wfus, n_familiar); - if (guard_wfu > WFU_TO_GUARANTEE_GUARD) - guard_wfu = WFU_TO_GUARANTEE_GUARD; + if (guard_wfu > dirauth_options->AuthDirVoteGuardGuaranteeWFU) + guard_wfu = dirauth_options->AuthDirVoteGuardGuaranteeWFU;

enough_mtbf_info = rep_hist_have_measured_enough_stability();

if (n_active_nonexit) { + int nth = (int)(n_active_nonexit * + dirauth_options->AuthDirVoteGuardBwThresholdFraction); guard_bandwidth_excluding_exits_kb = - find_nth_uint32(bandwidths_excluding_exits_kb, - n_active_nonexit, n_active_nonexit*3/4); + find_nth_uint32(bandwidths_excluding_exits_kb, n_active_nonexit, nth); }

log_info(LD_DIRSERV,

-- To stop receiving notification emails like this one, please contact the administrator of this repository.

gitolite role

3:03 p.m.

New subject: [tor] 03/04: man: Fix typo for AuthDirMiddleOnly option

This is an automated email from the git hooks/post-receive script.

dgoulet pushed a commit to branch main in repository tor.

commit b2665ad63949aa0838ef899c2b080b0addb98756 Author: David Goulet dgoulet@torproject.org AuthorDate: Mon Aug 8 14:14:37 2022 -0400

man: Fix typo for AuthDirMiddleOnly option

Signed-off-by: David Goulet dgoulet@torproject.org --- doc/man/tor.1.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt index 641d2d597e..3672444c5d 100644 --- a/doc/man/tor.1.txt +++ b/doc/man/tor.1.txt @@ -3112,7 +3112,7 @@ on the public Tor network. is the same as for exit policies, except that you don't need to say "accept" or "reject", and ports are not needed.)

-[[AuthDirMiddleOnly]] **AuthMiddleOnly** __AddressPattern...__:: +[[AuthDirMiddleOnly]] **AuthDirMiddleOnly** __AddressPattern...__:: Authoritative directories only. A set of address patterns for servers that will be listed as middle-only in any network status document this authority publishes, if **AuthDirListMiddleOnly** is set. +

-- To stop receiving notification emails like this one, please contact the administrator of this repository.

gitolite role

3:03 p.m.

New subject: [tor] 04/04: Merge branch 'maint-0.4.7'

This is an automated email from the git hooks/post-receive script.

dgoulet pushed a commit to branch main in repository tor.

commit 16664c00174e4766eb6bf509e79e4c43731e4365 Merge: ac306581af b2665ad639 Author: David Goulet dgoulet@torproject.org AuthorDate: Tue Aug 9 11:01:44 2022 -0400

Merge branch 'maint-0.4.7'

changes/ticket40652 | 10 ++++++ doc/man/tor.1.txt | 26 +++++++++++++++ src/feature/dirauth/dirauth_config.c | 5 +++ src/feature/dirauth/dirauth_options.inc | 25 +++++++++++++++ src/feature/dirauth/voteflags.c | 56 +++++++++++++++++---------------- 5 files changed, 95 insertions(+), 27 deletions(-)

-- To stop receiving notification emails like this one, please contact the administrator of this repository.

981

Age (days ago)

981

Last active (days ago)

tor-commits@lists.torproject.org

4 comments

1 participants

tags (0)

participants (1)

gitolite role