
Merge branch 'maint-0.2.4' into maint-0.2.5

Roger Dingledine 9 yıl önce
ebeveyn
işleme
a4c641cce9
4 değiştirilmiş dosya ile 29 ekleme ve 10 silme
  1. 6 0
      changes/ticket12688
  2. 6 2
      doc/tor.1.txt
  3. 1 4
      src/or/config.c
  4. 16 4
      src/or/entrynodes.c

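--- a/changes/ticket12688
+++ b/changes/ticket12688
@@ -0,0 +1,6 @@
+  Major features:
+    - Make the number of entry guards configurable via a new
+      NumEntryGuards consensus parameter, and the number of directory
+      guards configurable via a new NumDirectoryGuards consensus
+      parameter. Implements ticket 12688.
+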

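--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1092,12 +1092,16 @@ The following options are useful only for clients (that is, if
 
 [[NumEntryGuards]] **NumEntryGuards** __NUM__::
     If UseEntryGuards is set to 1, we will try to pick a total of NUM routers
-    as long-term entries for our circuits. (Default: 3)
+    as long-term entries for our circuits. If NUM is 0, we try to learn
+    the number from the NumEntryGuards consensus parameter, and default
+    to 3 if the consensus parameter isn't set. (Default: 0)
 
 [[NumDirectoryGuards]] **NumDirectoryGuards** __NUM__::
     If UseEntryGuardsAsDirectoryGuards is enabled, we try to make sure we
     have at least NUM routers to use as directory guards. If this option
-    is set to 0, use the value from NumEntryGuards. (Default: 0)
+    is set to 0, use the value from the NumDirectoryGuards consensus
+    parameter, falling back to the value from NumEntryGuards if the
+    consensus parameter is 0 or isn't set. (Default: 0)
 
 [[GuardLifetime]] **GuardLifetime**  __N__ **days**|**weeks**|**months**::
     If nonzero, and UseEntryGuards is set, minimum time to keep a guard before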

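--- a/src/or/config.c
+++ b/src/or/config.c
@@ -325,7 +325,7 @@ static config_var_t option_vars_[] = {
   VAR("NodeFamily",              LINELIST, NodeFamilies,         NULL),
   V(NumCPUs,                     UINT,     "0"),
   V(NumDirectoryGuards,          UINT,     "0"),
-  V(NumEntryGuards,              UINT,     "3"),
+  V(NumEntryGuards,              UINT,     "0"),
   V(ORListenAddress,             LINELIST, NULL),
   VPORT(ORPort,                      LINELIST, NULL),
   V(OutboundBindAddress,         LINELIST,   NULL),
@@ -3251,9 +3251,6 @@ options_validate(or_options_t *old_options, or_options_t *options,
              "have it group-readable.");
   }
 
-  if (options->UseEntryGuards && ! options->NumEntryGuards)
-    REJECT("Cannot enable UseEntryGuards with NumEntryGuards set to 0");
-
   if (options->MyFamily && options->BridgeRelay) {
     log_warn(LD_CONFIG, "Listing a family for a bridge relay is not "
              "supported: it can reveal bridge fingerprints to censors. "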

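--- a/src/or/entrynodes.c
+++ b/src/or/entrynodes.c
@@ -440,9 +440,20 @@ add_an_entry_guard(const node_t *chosen, int reset_status, int prepend,
 static int
 decide_num_guards(const or_options_t *options, int for_directory)
 {
-  if (for_directory && options->NumDirectoryGuards != 0)
-    return options->NumDirectoryGuards;
-  return options->NumEntryGuards;
+  if (for_directory) {
+    int answer;
+    if (options->NumDirectoryGuards != 0)
+      return options->NumDirectoryGuards;
+    answer = networkstatus_get_param(NULL, "NumDirectoryGuards", 0, 0, 10);
+    if (answer) /* non-zero means use the consensus value */
+      return answer;
+  }
+
+  if (options->NumEntryGuards)
+    return options->NumEntryGuards;
+
+  /* Use the value from the consensus, or 3 if no guidance. */
+  return networkstatus_get_param(NULL, "NumEntryGuards", 3, 1, 10);
 }
 
 /** If the use of entry guards is configured, choose more entry guards
@@ -841,6 +852,7 @@ entry_guards_set_from_config(const or_options_t *options)
 {
   smartlist_t *entry_nodes, *worse_entry_nodes, *entry_fps;
   smartlist_t *old_entry_guards_on_list, *old_entry_guards_not_on_list;
+  const int numentryguards = decide_num_guards(options, 0);
   tor_assert(entry_guards);
 
   should_add_entry_nodes = 0;
@@ -909,7 +921,7 @@ entry_guards_set_from_config(const or_options_t *options)
   /* Next, the rest of EntryNodes */
   SMARTLIST_FOREACH_BEGIN(entry_nodes, const node_t *, node) {
     add_an_entry_guard(node, 0, 0, 1, 0);
-    if (smartlist_len(entry_guards) > options->NumEntryGuards * 10)
+    if (smartlist_len(entry_guards) > numentryguards * 10)
       break;
   } SMARTLIST_FOREACH_END(node);
   log_notice(LD_GENERAL, "%d entries in guards", smartlist_len(entry_guards));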
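Review bot: In decide_num_guards a non-zero torrc value is returned unclamped, while the consensus values go through networkstatus_get_param with bounds (1..10 for NumEntryGuards, 0..10 for NumDirectoryGuards), so the same security parameter has different limits depending on where it came from. None of the visible hunks bounds options->NumEntryGuards, and the last hunk computes `numentryguards * 10` in int arithmetic, so a very large configured value could overflow unless options_validate caps it in a part not shown here. The literals 3, 1 and 10 would be easier to audit as named constants shared by both calls. The function comment sits above the hunk and should state the precedence, for example `/* torrc value if non-zero, else the consensus parameter, else 3 */`.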