[tor-commits] [tor/master] Remove is_router_version_good_for_possible_guard()

Thu Oct 9 19:17:39 UTC 2014

commit cd678ae790b3bd7d5b278405e7690ea0f6f27346
Author: Nick Mathewson <nickm at torproject.org>
Date:   Thu Oct 9 15:12:36 2014 -0400

    Remove is_router_version_good_for_possible_guard()
    
    The versions which this function would keep from getting the guard
    flag are already blocked by the minimum version check.
    
    Closes 13152.
---
 changes/bug13152 |    5 ++++
 src/or/dirserv.c |   72 +-----------------------------------------------------
 2 files changed, 6 insertions(+), 71 deletions(-)

diff --git a/changes/bug13152 b/changes/bug13152
new file mode 100644
index 0000000..c6f3d61
--- /dev/null
+++ b/changes/bug13152
@@ -0,0 +1,5 @@
+  o Removed features (directory authority):
+    - Remove code that prevented authorities from listing Tor servers
+      affected by CVE-2011-2769 as guards. These servers are already
+      rejected altogether due to the minimum version requirement of
+      0.2.3.16-alpha. Closes ticket 13152.
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index c8f47e6..9bc016f 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -2028,75 +2028,6 @@ get_possible_sybil_list(const smartlist_t *routers)
   return omit_as_sybil;
 }
 
-/** Return non-zero iff a relay running the Tor version specified in
- * <b>platform</b> is suitable for use as a potential entry guard. */
-static int
-is_router_version_good_for_possible_guard(const char *platform)
-{
-  static int parsed_versions_initialized = 0;
-  static tor_version_t first_good_0_2_1_guard_version;
-  static tor_version_t first_good_0_2_2_guard_version;
-  static tor_version_t first_good_later_guard_version;
-
-  tor_version_t router_version;
-
-  /* XXX024 This block should be extracted into its own function. */
-  /* XXXX Begin code copied from tor_version_as_new_as (in routerparse.c) */
-  {
-    char *s, *s2, *start;
-    char tmp[128];
-
-    tor_assert(platform);
-
-    /* nonstandard Tor; be safe and say yes */
-    if (strcmpstart(platform,"Tor "))
-      return 1;
-
-    start = (char *)eat_whitespace(platform+3);
-    if (!*start) return 0;
-    s = (char *)find_whitespace(start); /* also finds '\0', which is fine */
-    s2 = (char*)eat_whitespace(s);
-    if (!strcmpstart(s2, "(r") || !strcmpstart(s2, "(git-"))
-      s = (char*)find_whitespace(s2);
-
-    if ((size_t)(s-start+1) >= sizeof(tmp)) /* too big, no */
-      return 0;
-    strlcpy(tmp, start, s-start+1);
-
-    if (tor_version_parse(tmp, &router_version)<0) {
-      log_info(LD_DIR,"Router version '%s' unparseable.",tmp);
-      return 1; /* be safe and say yes */
-    }
-  }
-  /* XXXX End code copied from tor_version_as_new_as (in routerparse.c) */
-
-  if (!parsed_versions_initialized) {
-    /* CVE-2011-2769 was fixed on the relay side in Tor versions
-     * 0.2.1.31, 0.2.2.34, and 0.2.3.6-alpha. */
-    tor_assert(tor_version_parse("0.2.1.31",
-                                 &first_good_0_2_1_guard_version)>=0);
-    tor_assert(tor_version_parse("0.2.2.34",
-                                 &first_good_0_2_2_guard_version)>=0);
-    tor_assert(tor_version_parse("0.2.3.6-alpha",
-                                 &first_good_later_guard_version)>=0);
-
-    /* Don't parse these constant version strings once for every relay
-     * for every vote. */
-    parsed_versions_initialized = 1;
-  }
-
-  return ((tor_version_same_series(&first_good_0_2_1_guard_version,
-                                   &router_version) &&
-           tor_version_compare(&first_good_0_2_1_guard_version,
-                               &router_version) <= 0) ||
-          (tor_version_same_series(&first_good_0_2_2_guard_version,
-                                   &router_version) &&
-           tor_version_compare(&first_good_0_2_2_guard_version,
-                               &router_version) <= 0) ||
-          (tor_version_compare(&first_good_later_guard_version,
-                               &router_version) <= 0));
-}
-
 /** Extract status information from <b>ri</b> and from other authority
  * functions and store it in <b>rs</b>>.
  *
@@ -2135,8 +2066,7 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs,
       ((options->AuthDirGuardBWGuarantee &&
         routerbw_kb >= options->AuthDirGuardBWGuarantee/1000) ||
        routerbw_kb >= MIN(guard_bandwidth_including_exits_kb,
-                       guard_bandwidth_excluding_exits_kb)) &&
-      is_router_version_good_for_possible_guard(ri->platform)) {
+                          guard_bandwidth_excluding_exits_kb))) {
     long tk = rep_hist_get_weighted_time_known(
                                       node->identity, now);
     double wfu = rep_hist_get_weighted_fractional_uptime(

