nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-09-20 21:16:22 +02:00
Code Issues Packages Projects Releases Wiki Activity

Authorities reject insecure Tors.

Browse Source 
This patch should make us reject every Tor that was vulnerable to
CVE-2011-0427.  Additionally, it makes us reject every Tor that couldn't
handle RELAY_EARLY cells, which helps with proposal 110 (#4339).
This commit is contained in:
Nick Mathewson 2011-12-27 21:47:04 -05:00
parent da876aec63
commit 9bcb187387
2 changed files with 18 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
changes/bug4788 Normal file
View File

@ -0,0 +1,6 @@
o Minor features (directory server):
- Directory servers now reject versions of Tor older than 0.2.1.30,
and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
(inclusive). These versions accounted for only a small fraction of
the Tor network, and have numerous known security issues. Resolves
issue #4788.

23
src/or/dirserv.c
View File

@ -388,19 +388,20 @@ dirserv_get_status_impl(const char *id_digest, const char *nickname,
strmap_size(fingerprint_list->fp_by_name), strmap_size(fingerprint_list->fp_by_name),
digestmap_size(fingerprint_list->status_by_digest)); digestmap_size(fingerprint_list->status_by_digest));
/* Tor 0.2.0.26-rc is the oldest version that currently caches the right /* Versions before Tor 0.2.1.30 have known security issues that
* directory information. Once more of them die off, we should raise this * make them unsuitable for the current network. */
* minimum. */ if (platform && !tor_version_as_new_as(platform,"0.2.1.30")) {
if (platform && !tor_version_as_new_as(platform,"0.2.0.26-rc")) {
if (msg) if (msg)
*msg = "Tor version is far too old to work."; *msg = "Tor version is insecure. Please upgrade!";
return FP_REJECT;
} else if (platform && tor_version_as_new_as(platform,"0.2.1.3-alpha")
&& !tor_version_as_new_as(platform, "0.2.1.19")) {
/* These versions mishandled RELAY_EARLY cells on rend circuits. */
if (msg)
*msg = "Tor version is too buggy to work.";
return FP_REJECT; return FP_REJECT;
} else if (platform && tor_version_as_new_as(platform,"0.2.2.1-alpha")) {
/* Versions from 0.2.2.1-alpha...0.2.2.20-alpha have known security
* issues that make them unusable for the current network */
if (!tor_version_as_new_as(platform, "0.2.2.21-alpha")) {
if (msg)
*msg = "Tor version is insecure. Please upgrade!";
return FP_REJECT;
}
} }
result = dirserv_get_name_status(id_digest, nickname); result = dirserv_get_name_status(id_digest, nickname);