Merge branch 'bug8240_v2_squashed' into maint-0.2.4

Conflicts:
	doc/tor.1.txt
	src/or/circuitbuild.c
	src/or/config.c
	src/or/or.h

changes/ticket8240

@@ -0,0 +1,4 @@
+  o Major security fixes:
+    - Make the default guard lifetime controllable via a new
+      GuardLifetime torrc option and a GuardLifetime consensus
+      parameter. Start of a fix for bug 8240; bugfix on 0.1.1.11-alpha.

doc/tor.1.txt

@@ -1049,6 +1049,12 @@ The following options are useful only for clients (that is, if
     If UseEntryGuardsAsDirectoryGuards is enabled, we try to make sure we
     have at least NUM routers to use as directory guards. (Default: 3)
 
+**GuardLifetime**  __N__ **days**|**weeks**|**months**::
+    If nonzero, and UseEntryGuards is set, minimum time to keep a guard before
+    picking a new one. If zero, we use the GuardLifetime parameter from the
+    consensus directory.  No value here may  be less than 1 month or greater
+    than 5 years; out-of-range values are clamped. (Default: 0)
+
 **SafeSocks** **0**|**1**::
     When this option is enabled, Tor will reject application connections that
     use unsafe variants of the socks protocol -- ones that only provide an IP

src/common/util.h

@@ -172,6 +172,17 @@ int n_bits_set_u8(uint8_t v);
  * overflow. */
 #define CEIL_DIV(a,b) (((a)+(b)-1)/(b))
 
+/* Return <b>v</b> if it's between <b>min</b> and <b>max</b>.  Otherwise
+ * return <b>min</b> if <b>v</b> is smaller than <b>min</b>, or <b>max</b> if
+ * <b>b</b> is larger than <b>max</b>.
+ *
+ * Requires that <b>min</b> is no more than <b>max</b>. May evaluate any of
+ * its arguments more than once! */
+#define CLAMP(min,v,max)                        \
+  ( ((v) < (min)) ? (min) :                     \
+    ((v) > (max)) ? (max) :                     \
+    (v) )
+
 /* String manipulation */
 
 /** Allowable characters in a hexadecimal string. */

src/or/config.c

@@ -255,6 +255,7 @@ static config_var_t option_vars_[] = {
 #endif
   OBSOLETE("GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays"),
   OBSOLETE("Group"),
+  V(GuardLifetime,               INTERVAL, "0 minutes"),
   V(HardwareAccel,               BOOL,     "0"),
   V(HeartbeatPeriod,             INTERVAL, "6 hours"),
   V(AccelName,                   STRING,   NULL),

src/or/confparse.c

@@ -1103,6 +1103,8 @@ static struct unit_table_t time_units[] = {
   { "days",     24*60*60 },
   { "week",     7*24*60*60 },
   { "weeks",    7*24*60*60 },
+  { "month",    2629728, }, /* about 30.437 days */
+  { "months",   2629728, },
   { NULL, 0 },
 };
 

src/or/entrynodes.c

@@ -24,6 +24,7 @@
 #include "entrynodes.h"
 #include "main.h"
 #include "microdesc.h"
+#include "networkstatus.h"
 #include "nodelist.h"
 #include "policies.h"
 #include "router.h"
@@ -332,6 +333,9 @@ control_event_guard_deferred(void)
 #endif
 }
 
+/** Largest amount that we'll backdate chosen_on_date */
+#define CHOSEN_ON_DATE_SLOP (30*86400)
+
 /** Add a new (preferably stable and fast) router to our
  * entry_guards list. Return a pointer to the router if we succeed,
  * or NULL if we can't find any more suitable entries.
@@ -445,6 +449,32 @@ entry_guard_free(entry_guard_t *e)
   tor_free(e);
 }
 
+/**
+ * Return the minimum lifetime of working entry guard, in seconds,
+ * as given in the consensus networkstatus.  (Plus CHOSEN_ON_DATE_SLOP,
+ * so that we can do the chosen_on_date randomization while achieving the
+ * desired minimum lifetime.)
+ */
+static int32_t
+guards_get_lifetime(void)
+{
+  const or_options_t *options = get_options();
+#define DFLT_GUARD_LIFETIME (86400 * 30)   /* One month. */
+#define MIN_GUARD_LIFETIME  (86400 * 60)   /* Two months. */
+#define MAX_GUARD_LIFETIME  (86400 * 1826) /* Five years. */
+
+  if (options->GuardLifetime >= 1) {
+    return CLAMP(MIN_GUARD_LIFETIME,
+                 options->GuardLifetime,
+                 MAX_GUARD_LIFETIME) + CHOSEN_ON_DATE_SLOP;
+  }
+
+  return networkstatus_get_param(NULL, "GuardLifetime",
+                                 DFLT_GUARD_LIFETIME,
+                                 MIN_GUARD_LIFETIME,
+                                 MAX_GUARD_LIFETIME) + CHOSEN_ON_DATE_SLOP;
+}
+
 /** Remove any entry guard which was selected by an unknown version of Tor,
  * or which was selected by a version of Tor that's known to select
  * entry guards badly, or which was selected more 2 months ago. */
@@ -454,6 +484,7 @@ static int
 remove_obsolete_entry_guards(time_t now)
 {
   int changed = 0, i;
+  int32_t guard_lifetime = guards_get_lifetime();
 
   for (i = 0; i < smartlist_len(entry_guards); ++i) {
     entry_guard_t *entry = smartlist_get(entry_guards, i);
@@ -484,8 +515,8 @@ remove_obsolete_entry_guards(time_t now)
       }
       tor_free(tor_ver);
     }
-    if (!version_is_bad && entry->chosen_on_date + 3600*24*60 < now) {
-      /* It's been 2 months since the date listed in our state file. */
+    if (!version_is_bad && entry->chosen_on_date + guard_lifetime < now) {
+      /* It's been too long since the date listed in our state file. */
       msg = "was selected several months ago";
       date_is_bad = 1;
     }

src/or/or.h

@@ -4027,6 +4027,8 @@ typedef struct {
    * should guess a suitable value. */
   int SSLKeyLifetime;
 
+  /** How long (seconds) do we keep a guard before picking a new one? */
+  int GuardLifetime;
 } or_options_t;
 
 /** Persistent state for an onion router, as saved to disk. */