In path-spec: explain our rules (post-21242) for waiting to build
circuits.
In guard-spec:
- explain what to do about missing descriptors
- explain parallel use of multiple primary guards, based on parameters.
We use a few names for the main self-published descriptor documents...
https://trac.torproject.org/projects/tor/ticket/14987
Standardizing on the name 'server descriptor'. This change was made with a
few quick runs of sed...
% find ./* -type f -exec sed -i 's/router descriptor/server descriptor/' "{}" +;
% find ./* -type f -exec sed -i 's/Router descriptor/Server descriptor/' "{}" +;
% find ./* -type f -exec sed -i 's/Router Descriptor/Server Descriptor/' "{}" +;
... then reverting the attic changes, and scanning the rest to be sure it
doesn't include any functional impact.
If the consensus doesn't contain exits, we only build internal paths.
This is enough to allow reachability tests (which can enable exits to
bootstrap), and hidden services.
If we subsequently receive a consensus with exits, start building exit paths.
Update dir-spec and path-spec to document this.
Update control-spec to document changes in controller bootstrap messages.
Based on changes made in tor to resolve bug #13814.
We need to make sure that the worst thing that a weird consensus param
can do to us is to break our Tor (and only if the other Tors are
reliably broken in the same way) so that the majority of directory
authorities can't pull any attacks that are worse than the DoS that
they can trigger by simply shutting down.
One of these worse things was the cbtnummodes parameter, which could
lead to heap corruption on some systems if the value was sufficiently
large.
This commit fixes this particular issue and also introduces sanity
checking for all consensus parameters.
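An added example of the kind of sanity check the commit above describes, written for this page and not taken from tor's source: a consensus parameter is read from the consensus "params" line and clamped into a fixed range, so the most a hostile majority of authorities can do with cbtnummodes is choose a value between a compile-time minimum and maximum. The function names and the CBT_NUMMODES_* bounds are hypothetical; tor's real limits live in its own code.

```c
/* Added example, not tor's code. Names and bounds are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounds for the example; tor's real limits differ. */
#define CBT_NUMMODES_DEFAULT 3
#define CBT_NUMMODES_MIN     1
#define CBT_NUMMODES_MAX     20

/* Look up "name=value" in a space-separated consensus params line.
 * Returns dflt if the parameter is absent or malformed, otherwise the
 * value clamped into [lo, hi]. A malformed value is treated as absent
 * rather than trusted, so the text of the consensus never reaches an
 * allocation size unchecked. */
int32_t param_lookup(const char *params, const char *name,
                     int32_t dflt, int32_t lo, int32_t hi)
{
    size_t nlen = strlen(name);
    const char *p = params;
    while (p && *p) {
        while (*p == ' ')
            p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *start = p + nlen + 1;
            char *end;
            errno = 0;
            long v = strtol(start, &end, 10);
            /* ERANGE, no digits, or trailing junk: ignore the param. */
            if (errno != 0 || end == start ||
                (*end != ' ' && *end != '\0'))
                return dflt;
            if (v < lo)
                return lo;
            if (v > hi)
                return hi;
            return (int32_t)v;
        }
        p = strchr(p, ' ');
    }
    return dflt;
}

/* The value that sizes the CBT mode histogram; it can no longer exceed
 * CBT_NUMMODES_MAX whatever the consensus says. */
int32_t cbt_nummodes_from_consensus(const char *params)
{
    return param_lookup(params, "cbtnummodes", CBT_NUMMODES_DEFAULT,
                        CBT_NUMMODES_MIN, CBT_NUMMODES_MAX);
}
```

Three failure modes are covered: an absent parameter yields the default, a malformed or unparsable integer yields the default rather than anything derived from the consensus text, and a parsable but oversized value is clamped. The allocation that consumed cbtnummodes then has a fixed upper bound, which is the property the commit is after.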
There are now four ways that CBT can be disabled:
1. Network-wide, with the cbtdisabled consensus param.
2. Via config, with "LearnCircuitBuildTimeout 0"
3. Via config, with "AuthoritativeDirectory 1"
4. Via a state file write failure.
This just got a little complicated, since old clients use "clipped
advertised bandwidth" and new clients now use "consensus bandwidth" but
fall back to "clipped advertised bandwidth".
Fix several bugs in computing recommended versions.
1. Refactor is-this-version-good handling and which-versions-are-good handling to be in the same place.
2. A version is recommended if more than half of the versioning authorities like it, not >= half.
3. "NEW_IN_SERIES" should mean, "I don't know of an 0.1.1.x this recent, and there are some 0.1.2.x versions out", not "I don't know of an 0.1.1.x this recent, but I know some older ones."
This should resolve bug 383.
svn:r9523
Write the entry guards section of path-spec; note a possible bug in circuitbuild.c; add a const; defer work on torrc.complete to be part of a bigger config documentation reorg.
svn:r9465
Change to BadExit logic: Let authorities set an "I list bad exits" flag. Consider an exit bad if it is listed as bad by more than half of *those* authorities. This gives us a better migration path.
svn:r8756
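An added example, written for this page and not taken from tor, covering the voting rule that both the recommended-versions fix (r9523 above) and the BadExit change (r8756 above) switch to: a strict majority, "more than half", counted only over the authorities that actually express an opinion. For versions those are the authorities that publish a version list; for BadExit they are the authorities that set the "I list bad exits" flag. The struct and function names and the sample votes are hypothetical and constructed for the example.

```c
/* Added example, not tor's code. Names and sample data are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* True iff `yes` is a strict majority of `n` voters. Written as
 * 2*yes > n to avoid the integer-division trap in `yes >= n/2`, which
 * lets 1 of 2 or 2 of 4 authorities carry a vote. */
bool strict_majority(unsigned yes, unsigned n)
{
    return n > 0 && 2u * yes > n;
}

/* The rule the BadExit commit moves away from, kept for comparison. */
bool half_or_more(unsigned yes, unsigned n)
{
    return n > 0 && yes >= n / 2;
}

struct authority {
    const char *name;
    bool lists_bad_exits;   /* advertises the "I list bad exits" flag */
    bool says_bad_exit;     /* this authority's vote on one router */
};

/* BadExit is set only if more than half of the authorities that list
 * bad exits say so; authorities without the flag do not count either way. */
bool router_is_bad_exit(const struct authority *a, size_t n)
{
    unsigned voters = 0, yes = 0;
    for (size_t i = 0; i < n; i++) {
        if (!a[i].lists_bad_exits)
            continue;
        voters++;
        if (a[i].says_bad_exit)
            yes++;
    }
    return strict_majority(yes, voters);
}

/* Whole-token match of `v` in a space-separated version list. */
static bool list_contains(const char *list, const char *v)
{
    size_t vlen = strlen(v);
    for (const char *p = list; p && *p; p = strchr(p, ' ')) {
        while (*p == ' ')
            p++;
        if (strncmp(p, v, vlen) == 0 && (p[vlen] == ' ' || p[vlen] == '\0'))
            return true;
    }
    return false;
}

/* A version is recommended iff more than half of the versioning
 * authorities (those with a non-NULL list) include it. */
bool version_recommended(const char *const *lists, size_t n,
                         const char *version)
{
    unsigned voters = 0, yes = 0;
    for (size_t i = 0; i < n; i++) {
        if (!lists[i])
            continue;           /* not a versioning authority */
        voters++;
        if (list_contains(lists[i], version))
            yes++;
    }
    return strict_majority(yes, voters);
}

/* Constructed sample votes (not real authority data): four authorities
 * list bad exits and split 2-2 on this router; the fifth does not list
 * bad exits, so its opinion is ignored. */
static const struct authority sample_votes[] = {
    { "auth1", true,  true  },
    { "auth2", true,  true  },
    { "auth3", true,  false },
    { "auth4", true,  false },
    { "auth5", false, true  },
};
#define N_SAMPLE_VOTES (sizeof sample_votes / sizeof sample_votes[0])

/* Constructed sample version lists; NULL = does not vote on versions. */
static const char *const sample_version_lists[] = {
    "0.1.2.5-alpha 0.1.2.6-alpha",
    "0.1.2.6-alpha",
    NULL,
    "0.1.2.5-alpha 0.1.2.7-alpha",
};
#define N_SAMPLE_LISTS (sizeof sample_version_lists / sizeof sample_version_lists[0])
```

With the sample votes, the old `yes >= n/2` rule would flag the router (2 of 4) while the strict rule does not; with the version lists, 0.1.2.6-alpha is recommended by 2 of the 3 versioning authorities and 0.1.2.7-alpha by only 1, and the non-versioning authority neither helps nor hurts either.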
Add client support for a 'BadExit' flag, so authorities can say "Server X is a poor choice for your nytimes.com connections, as it seems to direct them to HoorayForMao.com or (more likely) WouldYouLikeToBuyTheseFineEncyclopedias.com"
svn:r8690
Disprefer exit nodes for entry, middle positions (fixes bug 200). Also, switch to using a uint64_t to hold "total bandwidth for all nodes" under consideration; crypt_rand_int would have died at 2GB/s network capacity.
svn:r8571
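An added example, written for this page and not taken from tor, of bandwidth-weighted router selection with the two properties the commit above describes: the running total is a uint64_t, so it cannot wrap once the network carries more than 2^31 bytes/s, and entry/middle selection leaves exit-flagged routers out when enough non-exit bandwidth exists. The struct and function names, the one-third threshold in disprefer_exits, and the sample relays are hypothetical; tor's actual threshold may differ, and the random point is expected to come from a CSPRNG.

```c
/* Added example, not tor's code. Names, threshold and sample data are
 * hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct router {
    const char *nick;
    uint32_t bandwidth;   /* bytes/s; a single router fits in 32 bits */
    bool is_exit;
};

enum position { POS_ENTRY, POS_MIDDLE, POS_EXIT };

/* Sum the bandwidth of eligible routers. A 32-bit sum would wrap once
 * the network exceeds 2^31 bytes/s; a uint64_t will not in practice. */
uint64_t total_bandwidth(const struct router *r, size_t n, bool skip_exits)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (!(skip_exits && r[i].is_exit))
            total += r[i].bandwidth;
    return total;
}

/* Decide whether exits are excluded for a position. Hypothetical rule:
 * exclude them for entry/middle unless non-exit bandwidth is under a
 * third of the total, in which case exits are needed to build paths. */
bool disprefer_exits(const struct router *r, size_t n, enum position pos)
{
    if (pos == POS_EXIT)
        return false;
    uint64_t all = total_bandwidth(r, n, false);
    uint64_t non_exit = total_bandwidth(r, n, true);
    return non_exit * 3 >= all;
}

/* Return the index of the router whose bandwidth interval contains
 * `point`, a uniform random value in [0, total_bandwidth(...)) that the
 * caller draws from a CSPRNG. Returns -1 if point is out of range. */
int choose_weighted(const struct router *r, size_t n, bool skip_exits,
                    uint64_t point)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        if (skip_exits && r[i].is_exit)
            continue;
        acc += r[i].bandwidth;
        if (point < acc)
            return (int)i;
    }
    return -1;
}

/* Constructed sample (not real relays): three 1 GB/s routers, so the
 * total is 3e9 and already past what a signed 32-bit int can hold. */
static const struct router sample_routers[] = {
    { "alpha",   1000000000u, false },
    { "bravo",   1000000000u, true  },
    { "charlie", 1000000000u, false },
};
#define N_SAMPLE_ROUTERS (sizeof sample_routers / sizeof sample_routers[0])
```

Usage is: compute skip = disprefer_exits(r, n, pos), take total = total_bandwidth(r, n, skip), draw point uniformly in [0, total) from the CSPRNG, then index = choose_weighted(r, n, skip, point). Drawing the point over the wrong total (for example over all routers while skipping exits) is the same class of error as the overflow: the selection silently stops being proportional to bandwidth.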