authorDavid Goulet <dgoulet@torproject.org>2021-11-05 10:44:10 -0400
committerDavid Goulet <dgoulet@torproject.org>2021-11-05 10:44:10 -0400
commit77b265f96ee65871ae7ed3f54642878116c65ff4 (patch)
tree10b6fa4621ecf04d23fecd169c254f24623bd88f
parentfb6bba1e42c465ed5e93b1a194f259e4a1be9131 (diff)
parenta7fe37f1fa7821d0bdbeabe480df8aba7dc1fded (diff)
Merge branch 'maint-0.4.5' into maint-0.4.6
-rw-r--r--src/core/or/protover.c105
-rw-r--r--src/core/or/protover.h4
-rw-r--r--src/feature/dirauth/dirvote.c12
-rw-r--r--src/feature/dirauth/dirvote.h58
-rw-r--r--src/test/test_protover.c8
5 files changed, 117 insertions, 70 deletions
diff --git a/src/core/or/protover.c b/src/core/or/protover.c
index 87348e0e7d..04df8aeeb8 100644
--- a/src/core/or/protover.c
+++ b/src/core/or/protover.c
@@ -384,8 +384,13 @@ protocol_list_supports_protocol_or_later(const char *list,
return contains;
}
+/*
+ * XXX START OF HAZARDOUS ZONE XXX
+ */
+
/** Return the canonical string containing the list of protocols
- * that we support. */
+ * that we support.
+ **/
/// C_RUST_COUPLED: src/rust/protover/protover.rs `SUPPORTED_PROTOCOLS`
const char *
protover_get_supported_protocols(void)
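Review bot: The Doxygen closer on the supported-protocols header comment was changed to `**/`, which is not the `*/` form used everywhere else in this file (compare the closer of protocol_list_supports_protocol_or_later just above in the same hunk); it still parses, but it reads as a typo and will trip any comment-style lint. Suggest keeping the two-line form with a plain closer, ` * that we support.` / ` */`. protover_get_supported_protocols's body continues outside this hunk.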
@@ -395,6 +400,38 @@ protover_get_supported_protocols(void)
* Remember to edit the SUPPORTED_PROTOCOLS list in protover.rs if you
* are editing this list.
*/
+
+ /*
+ * XXX: WARNING!
+ *
+ * Be EXTREMELY CAREFUL when *removing* versions from this list. If you
+ * remove an entry while it still appears as "recommended" in the consensus,
+ * you'll cause all the instances without it to warn.
+ *
+ * If you remove an entry while it still appears as "required" in the
+ * consensus, you'll cause all the instances without it to refuse to connect
+ * to the network, and shut down.
+ *
+ * If you need to remove a version from this list, you need to make sure that
+ * it is not listed in the _current consensuses_: just removing it from the
+ * required list below is NOT ENOUGH. You need to remove it from the
+ * required list, and THEN let the authorities upgrade and vote on new
+ * consensuses without it. Only once those consensuses are out is it safe to
+ * remove from this list.
+ *
+ * One concrete example of a very dangerous race that could occur:
+ *
+ * Suppose that the client supports protocols "HsDir=1-2" and the consensus
+ * requires protocols "HsDir=1-2. If the client supported protocol list is
+ * then changed to "HSDir=2", while the consensus stills lists "HSDir=1-2",
+ * then these clients, even very recent ones, will shut down because they
+ * don't support "HSDir=1".
+ *
+ * And so, changes need to be done in strict sequence as described above.
+ *
+ * XXX: WARNING!
+ */
+
return
"Cons=1-2 "
"Desc=1-2 "
@@ -414,6 +451,72 @@ protover_get_supported_protocols(void)
"Relay=1-3";
}
+/*
+ * XXX: WARNING!
+ *
+ * The recommended and required values are hardwired, to avoid disaster. Voting
+ * on the wrong subprotocols here has the potential to take down the network.
+ *
+ * In particular, you need to be EXTREMELY CAREFUL before adding new versions
+ * to the required protocol list. Doing so will cause every relay or client
+ * that doesn't support those versions to refuse to connect to the network and
+ * shut down.
+ *
+ * Note that this applies to versions, not just protocols! If you say that
+ * Foobar=8-9 is required, and the client only has Foobar=9, it will shut down.
+ *
+ * It is okay to do this only for SUPER OLD relays that are not supported on
+ * the network anyway. For clients, we really shouldn't kick them off the
+ * network unless their presence is causing serious active harm.
+ *
+ * The following required and recommended lists MUST be changed BEFORE the
+ * supported list above is changed, so that these lists appear in the
+ * consensus BEFORE clients need them.
+ *
+ * Please, see the warning in protocol_get_supported_versions().
+ *
+ * XXX: WARNING!
+ */
+
+/** Return the recommended client protocols list that directory authorities
+ * put in the consensus. */
+const char *
+protover_get_recommended_client_protocols(void)
+{
+ return "Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 "
+ "Link=4-5 Microdesc=2 Relay=2";
+}
+
+/** Return the recommended relay protocols list that directory authorities
+ * put in the consensus. */
+const char *
+protover_get_recommended_relay_protocols(void)
+{
+ return "Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 "
+ "Link=4-5 LinkAuth=3 Microdesc=2 Relay=2";
+}
+
+/** Return the required client protocols list that directory authorities
+ * put in the consensus. */
+const char *
+protover_get_required_client_protocols(void)
+{
+ return "Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2";
+}
+
+/** Return the required relay protocols list that directory authorities
+ * put in the consensus. */
+const char *
+protover_get_required_relay_protocols(void)
+{
+ return "Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 "
+ "Link=4-5 LinkAuth=3 Microdesc=2 Relay=2";
+}
+
+/*
+ * XXX END OF HAZARDOUS ZONE XXX
+ */
+
/** The protocols from protover_get_supported_protocols(), as parsed into a
* list of proto_entry_t values. Access this via
* get_supported_protocol_list. */
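Review bot: The cross-reference at the end of the new block comment names `protocol_get_supported_versions()`, which does not exist in this hunk or in protover.h; the warning it means is the one inside protover_get_supported_protocols() a few lines up, so a reader grepping for the cited name finds nothing. Suggest ` * Please, see the warning in protover_get_supported_protocols().`. The same comment also loses the pointer the deleted dirvote.h macros carried, `See Proposal 303: When and how to remove support for protocol versions.`, which is the written procedure for exactly the sequencing this text describes, and it is worth re-adding a line for it here. It would also help each of the four getters to state in its Doxygen comment that every entry must also appear in protover_get_supported_protocols(), since dirvote.c tor_asserts that for the required relay list at vote time (presumably the client list too, just past that hunk) and an unsupported entry would otherwise only be caught on a running authority.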
diff --git a/src/core/or/protover.h b/src/core/or/protover.h
index 622250493d..c0739a092e 100644
--- a/src/core/or/protover.h
+++ b/src/core/or/protover.h
@@ -73,6 +73,10 @@ bool protover_list_is_invalid(const char *s);
int protover_all_supported(const char *s, char **missing);
int protover_is_supported_here(protocol_type_t pr, uint32_t ver);
const char *protover_get_supported_protocols(void);
+const char *protover_get_recommended_client_protocols(void);
+const char *protover_get_recommended_relay_protocols(void);
+const char *protover_get_required_client_protocols(void);
+const char *protover_get_required_relay_protocols(void);
char *protover_compute_vote(const struct smartlist_t *list_of_proto_strings,
int threshold);
diff --git a/src/feature/dirauth/dirvote.c b/src/feature/dirauth/dirvote.c
index ffaa78b997..fa906c0c3c 100644
--- a/src/feature/dirauth/dirvote.c
+++ b/src/feature/dirauth/dirvote.c
@@ -4800,16 +4800,14 @@ dirserv_generate_networkstatus_vote_obj(crypto_pk_t *private_key,
v3_out->client_versions = client_versions;
v3_out->server_versions = server_versions;
- /* These are hardwired, to avoid disaster. */
v3_out->recommended_relay_protocols =
- tor_strdup(DIRVOTE_RECOMMEND_RELAY_PROTO);
+ tor_strdup(protover_get_recommended_relay_protocols());
v3_out->recommended_client_protocols =
- tor_strdup(DIRVOTE_RECOMMEND_CLIENT_PROTO);
-
- v3_out->required_relay_protocols =
- tor_strdup(DIRVOTE_REQUIRE_RELAY_PROTO);
+ tor_strdup(protover_get_recommended_client_protocols());
v3_out->required_client_protocols =
- tor_strdup(DIRVOTE_REQUIRE_CLIENT_PROTO);
+ tor_strdup(protover_get_required_client_protocols());
+ v3_out->required_relay_protocols =
+ tor_strdup(protover_get_required_relay_protocols());
/* We are not allowed to vote to require anything we don't have. */
tor_assert(protover_all_supported(v3_out->required_relay_protocols, NULL));
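Review bot: With the `/* These are hardwired, to avoid disaster. */` comment removed, nothing at this call site tells a reader that these four values are compile-time constants living in protover.c rather than something derived from config or from other votes; a one-line pointer preserves that, e.g. `/* Hardwired in protover.c (HAZARDOUS ZONE); never make these configurable. */` above the first tor_strdup. Separately, the tor_assert that follows guards only the required lists: a recommended list naming a version this authority itself lacks is not caught here and would make every instance, including this one, warn on each consensus. If that invariant is intended, `tor_assert(protover_all_supported(v3_out->recommended_relay_protocols, NULL));` (and the client counterpart) would pin it at the same point. dirserv_generate_networkstatus_vote_obj begins and ends outside this hunk, so there may be further checks below that I cannot see.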
diff --git a/src/feature/dirauth/dirvote.h b/src/feature/dirauth/dirvote.h
index d6a2d9cc75..3420098315 100644
--- a/src/feature/dirauth/dirvote.h
+++ b/src/feature/dirauth/dirvote.h
@@ -268,64 +268,6 @@ STATIC int64_t extract_param_buggy(const char *params,
const char *param_name,
int64_t default_value);
-/** The recommended relay protocols for this authority's votes.
- * Recommending a new protocol causes old tor versions to log a warning.
- */
-#define DIRVOTE_RECOMMEND_RELAY_PROTO \
- "Cons=2 " \
- "Desc=2 " \
- "DirCache=2 " \
- "HSDir=2 " \
- "HSIntro=4 " \
- "HSRend=2 " \
- "Link=4-5 " \
- "LinkAuth=3 " \
- "Microdesc=2 " \
- "Relay=2"
-
-/** The recommended client protocols for this authority's votes.
- * Recommending a new protocol causes old tor versions to log a warning.
- */
-#define DIRVOTE_RECOMMEND_CLIENT_PROTO \
- "Cons=2 " \
- "Desc=2 " \
- "DirCache=2 " \
- "HSDir=2 " \
- "HSIntro=4 " \
- "HSRend=2 " \
- "Link=4-5 " \
- "Microdesc=2 " \
- "Relay=2"
-
-/** The required relay protocols for this authority's votes.
- * WARNING: Requiring a new protocol causes old tor versions to shut down.
- * Requiring the wrong protocols can break the tor network.
- * See Proposal 303: When and how to remove support for protocol versions.
- */
-#define DIRVOTE_REQUIRE_RELAY_PROTO \
- "Cons=2 " \
- "Desc=2 " \
- "DirCache=2 " \
- "HSDir=2 " \
- "HSIntro=4 " \
- "HSRend=2 " \
- "Link=4-5 " \
- "LinkAuth=3 " \
- "Microdesc=2 " \
- "Relay=2"
-
-/** The required relay protocols for this authority's votes.
- * WARNING: Requiring a new protocol causes old tor versions to shut down.
- * Requiring the wrong protocols can break the tor network.
- * See Proposal 303: When and how to remove support for protocol versions.
- */
-#define DIRVOTE_REQUIRE_CLIENT_PROTO \
- "Cons=2 " \
- "Desc=2 " \
- "Link=4 " \
- "Microdesc=2 " \
- "Relay=2"
-
#endif /* defined(DIRVOTE_PRIVATE) */
#endif /* !defined(TOR_DIRVOTE_H) */
diff --git a/src/test/test_protover.c b/src/test/test_protover.c
index 2f77db185f..4b25a86e26 100644
--- a/src/test/test_protover.c
+++ b/src/test/test_protover.c
@@ -606,10 +606,10 @@ test_protover_vote_roundtrip_ours(void *args)
(void) args;
const char *examples[] = {
protover_get_supported_protocols(),
- DIRVOTE_RECOMMEND_RELAY_PROTO,
- DIRVOTE_RECOMMEND_CLIENT_PROTO,
- DIRVOTE_REQUIRE_RELAY_PROTO,
- DIRVOTE_REQUIRE_CLIENT_PROTO,
+ protover_get_recommended_client_protocols(),
+ protover_get_recommended_relay_protocols(),
+ protover_get_required_client_protocols(),
+ protover_get_required_relay_protocols(),
};
unsigned u;
smartlist_t *votes = smartlist_new();
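Review bot: The roundtrip test only confirms that each list survives protover_compute_vote unchanged; it does not check the property the new HAZARDOUS ZONE comments are most worried about, namely that everything in the required and recommended lists is also in the supported list. That is asserted today only at runtime in dirvote.c, so a bad edit to the required lists would first fail on a directory authority rather than in `make check`. A line such as `tt_assert(protover_all_supported(protover_get_required_client_protocols(), NULL));` for each of the four getters (protover_all_supported is declared in protover.h in this same change) would catch it in CI. test_protover_vote_roundtrip_ours begins before and continues past this hunk.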