[tor-commits] [tor/master] Obsolete GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
nickm at torproject.org
nickm at torproject.org
Tue Apr 24 15:50:57 UTC 2012
commit 77e51224faf1963241e207004133a2350ad23e5c
Author: Nick Mathewson <nickm at torproject.org>
Date: Wed Apr 11 10:59:11 2012 -0400
Obsolete GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
Closes ticket 4572.
---
changes/bug4572 | 6 ++++++
doc/tor.1.txt | 4 ----
src/or/config.c | 3 +--
src/or/dirserv.c | 3 +--
src/or/or.h | 4 ----
5 files changed, 8 insertions(+), 12 deletions(-)
diff --git a/changes/bug4572 b/changes/bug4572
new file mode 100644
index 0000000..3107bf9
--- /dev/null
+++ b/changes/bug4572
@@ -0,0 +1,6 @@
+ o Removed features
+ - Remove the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays option;
+ authorities needed to use it for a while to keep the network working
+ as people upgraded to 0.2.1.31, 0.2.2.34, or 0.2.3.6-alpha, but that
+ was six months ago. As of now, it should no longer be needed or used.
+
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index e73377b..98c97e7 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1610,10 +1610,6 @@ DIRECTORY AUTHORITY SERVER OPTIONS
votes on whether to accept relays as hidden service directories.
(Default: 1)
-GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays **0**|**1**::
- When this option is set to 0, do not vote to give the Guard flag to any
- version of Tor vulnerable to CVE-2011-2769. (Default: 0)
-
HIDDEN SERVICE OPTIONS
----------------------
diff --git a/src/or/config.c b/src/or/config.c
index 696bbd0..bfed4e5 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -295,8 +295,7 @@ static config_var_t _option_vars[] = {
V(GeoIPFile, FILENAME,
SHARE_DATADIR PATH_SEPARATOR "tor" PATH_SEPARATOR "geoip"),
#endif
- V(GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays,
- BOOL, "0"),
+ OBSOLETE("GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays"),
OBSOLETE("Group"),
V(HardwareAccel, BOOL, "0"),
V(HeartbeatPeriod, INTERVAL, "6 hours"),
diff --git a/src/or/dirserv.c b/src/or/dirserv.c
index 11f235c..5b6087c 100644
--- a/src/or/dirserv.c
+++ b/src/or/dirserv.c
@@ -2417,8 +2417,7 @@ set_routerstatus_from_routerinfo(routerstatus_t *rs,
routerbw >= options->AuthDirGuardBWGuarantee) ||
routerbw >= MIN(guard_bandwidth_including_exits,
guard_bandwidth_excluding_exits)) &&
- (options->GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays ||
- is_router_version_good_for_possible_guard(ri->platform))) {
+ (is_router_version_good_for_possible_guard(ri->platform))) {
long tk = rep_hist_get_weighted_time_known(
node->identity, now);
double wfu = rep_hist_get_weighted_fractional_uptime(
diff --git a/src/or/or.h b/src/or/or.h
index c323595..a498a57 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3270,10 +3270,6 @@ typedef struct {
* number of servers per IP address shared
* with an authority. */
- /** Should we assign the Guard flag to relays which would allow
- * exploitation of CVE-2011-2768 against their clients? */
- int GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays;
-
/** If non-zero, always vote the Fast flag for any relay advertising
* this amount of capacity or more. */
uint64_t AuthDirFastGuarantee;
More information about the tor-commits
mailing list