When the client is choosing entry guards, now it selects at most

one guard from a given relay family. Otherwise we could end up with
all of our entry points into the network run by the same operator. 
Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.

Not a backport candidate, since I think this might break for users
who only have a given /16 in their reachableaddresses, or something
like that.


svn:r17514

ChangeLog

@@ -5,6 +5,12 @@ Changes in version 0.2.1.8-alpha - 2008-12-08
       disclaimer without needing to set up a separate webserver. There's
       a sample disclaimer in contrib/tor-exit-notice.html.
 
+  o Security fixes:
+    - When the client is choosing entry guards, now it selects at most
+      one guard from a given relay family. Otherwise we could end up with
+      all of our entry points into the network run by the same operator.
+      Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
+
   o Major bugfixes:
     - Fix a DOS opportunity during the voting signature collection process
       at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.

src/or/circuitbuild.c

@@ -1658,8 +1658,10 @@ choose_good_entry_server(uint8_t purpose, cpath_build_state_t *state)
   if (options->UseEntryGuards && entry_guards) {
     SMARTLIST_FOREACH(entry_guards, entry_guard_t *, entry,
       {
-        if ((r = router_get_by_digest(entry->identity)))
+        if ((r = router_get_by_digest(entry->identity))) {
           smartlist_add(excluded, r);
+          routerlist_add_family(excluded, r);
+        }
       });
   }
 

src/or/routerlist.c

@@ -1219,7 +1219,8 @@ routerlist_add_network_family(smartlist_t *sl, routerinfo_t *router)
 }
 
 /** Add all the family of <b>router</b> to the smartlist <b>sl</b>.
- * This is used to make sure we don't pick siblings in a single path.
+ * This is used to make sure we don't pick siblings in a single path,
+ * or pick more than one relay from a family for our entry guard list.
  */
 void
 routerlist_add_family(smartlist_t *sl, routerinfo_t *router)